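/*
 * The Sleuth Kit
 *
 * Brian Carrier [carrier <at> sleuthkit [dot] org]
 * Copyright (c) 2007-2010 Brian Carrier.  All Rights reserved
 *
 * This software is distributed under the Common Public License 1.0
 */

/** \file tsk_base.h
 * Contains the type and function definitions that are needed
 * by external programs to use the TSK library.
 * Note that this file is not meant to be directly included.
 * It is included by both libtsk.h and tsk_base_i.h.
 */


/**
 * \defgroup baselib Base TSK Library Functions
 */

#ifndef _TSK_BASE_H
#define _TSK_BASE_H

// standard C header files
#include <stdio.h>
#include <stdlib.h>


/** Version of code in number form.
 * Upper byte is A, next is B, and next byte is C in version A.B.C.
 * Lowest byte is 0xff, except in beta releases, in which case it
 * increments from 1.  Nightly snapshots will have upper byte as
 * 0xff and next bytes with year, month, and date, respectively.
 * Note that you will not be able to differentiate between snapshots
 * from the trunk or branches with this method...
 * For example, 3.1.2 would be stored as 0x030102FF.
 * 3.1.2b1 would be 0x03010201.  Snapshot from Jan 2, 2003 would be
 * 0xFF030102.
 * See TSK_VERSION_STR for string form. */
#define TSK_VERSION_NUM 0x030203ff

/** Version of code in string form. See TSK_VERSION_NUM for
 * integer form. */
#define TSK_VERSION_STR "3.2.3"


/* include the TSK-specific header file that we created in autoconf
 * On Win32 (Visual Studio) though, we will not have this file...
 */
#if !defined(_MSC_VER)
#include "tsk3/tsk_incs.h"
#endif

// get some other TSK / OS settings
// NOTE(review): the fixed-width integer types (uint8_t ... uint64_t) and
// TSK_TCHAR used below are not declared in this file; presumably they come
// from tsk_incs.h / tsk_os.h -- confirm before including this header alone.
#include "tsk_os.h"

#ifdef __cplusplus
extern "C" {
#endif



    /**
     * Return values for some TSK functions that need to differentiate between errors and corrupt data.
     * Corrupt data (TSK_COR) is reported separately from a system error
     * (TSK_ERR) so a caller can skip one damaged data set and keep going.
     */
    typedef enum {
        TSK_OK,                 ///< Ok -- success
        TSK_ERR,                ///< System error -- should abort
        TSK_COR,                ///< Data is corrupt, can still process another set of data
        TSK_STOP                ///< Stop further processing, not an error though.
    } TSK_RETVAL_ENUM;


    typedef struct TSK_LIST TSK_LIST;
    /**
     * Linked list structure that holds a 'key' and optional 'length'.
     * Note that the data is stored in reverse sort order so that inserts
     * are faster.  Also note that the length is a negative number.  A key of
     * '6' and a len of '2' means that the run contains 6 and 5.
     */
    struct TSK_LIST {
        TSK_LIST *next;         ///< Pointer to next entry in list
        uint64_t key;           ///< Largest value in this run
        uint64_t len;           ///< Length of run (negative number, stored as positive)
    };
    // Return-value conventions of the uint8_t results are not visible in this
    // header; check the implementation before testing them.
    extern uint8_t tsk_list_find(TSK_LIST * list, uint64_t key);
    extern uint8_t tsk_list_add(TSK_LIST ** list, uint64_t key);
    extern void tsk_list_free(TSK_LIST * list);


    // note that the stack code is in this file and not internal for convenience to users
    /**
     * Basic stack structure to push and pop (used for finding loops in recursion).
     * Loop detection of this kind matters when the structures being walked
     * come from an untrusted image, where a self-referencing entry would
     * otherwise recurse without end.
     */
    typedef struct {
        uint64_t *vals;         ///< Array that contains the values in the stack
        size_t top;             ///< Index to the top stack entry
        size_t len;             ///< Number of entries in the stack
    } TSK_STACK;

    extern uint8_t tsk_stack_push(TSK_STACK * stack, uint64_t key);
    extern void tsk_stack_pop(TSK_STACK * stack);
    extern uint8_t tsk_stack_find(TSK_STACK * stack, uint64_t key);
    extern void tsk_stack_free(TSK_STACK * stack);
    // (void) makes this a real prototype in C; an empty () leaves the
    // arguments unchecked by the compiler.
    extern TSK_STACK *tsk_stack_create(void);


    // print internal UTF-8 strings to local platform Unicode format
    // msg is a printf-style format string followed by its arguments
    // (implementation not shown here).  Strings recovered from the data under
    // analysis (file names, volume labels, ...) belong in the argument list
    // behind a "%s", never in msg itself.
    extern void tsk_fprintf(FILE * fd, const char *msg, ...);
    extern void tsk_printf(const char *msg, ...);



/** \name printf macros if system does not define them
 * These fallbacks are only used when the platform headers did not already
 * define the macro.  They assume 'long long' for the 64-bit conversions and
 * 'int' for the 32-bit ones; on a platform where that does not hold the
 * format and argument types would disagree.
 */
//@{
#ifndef PRIx64
#define PRIx64 "llx"
#endif

#ifndef PRIX64
#define PRIX64 "llX"
#endif

#ifndef PRIu64
#define PRIu64 "llu"
#endif

#ifndef PRId64
#define PRId64 "lld"
#endif

#ifndef PRIo64
#define PRIo64 "llo"
#endif

#ifndef PRIx32
#define PRIx32 "x"
#endif

#ifndef PRIX32
#define PRIX32 "X"
#endif

#ifndef PRIu32
#define PRIu32 "u"
#endif

#ifndef PRId32
#define PRId32 "d"
#endif

#ifndef PRIx16
#define PRIx16 "hx"
#endif

#ifndef PRIX16
#define PRIX16 "hX"
#endif

#ifndef PRIu16
#define PRIu16 "hu"
#endif

#ifndef PRIu8
#define PRIu8 "hhu"
#endif

#ifndef PRIx8
#define PRIx8 "hhx"
#endif
//@}



/** @name Internal integer types and printf macros
 * Each typedef is paired with PRIu / PRIx / PRId macros so that the value is
 * always printed with a conversion of matching width.
 */
//@{
    typedef uint64_t TSK_INUM_T;        ///< Data type used to internally store metadata / inode addresses
#define PRIuINUM	PRIu64
#define PRIxINUM	PRIx64
#define PRIdINUM	PRId64

    typedef uint32_t TSK_UID_T; ///< Data type used to internally store User IDs
#define PRIuUID	    PRIu32
#define PRIxUID	    PRIx32
#define PRIdUID	    PRId32

    typedef uint32_t TSK_GID_T; ///< Data type used to internally store Group IDs
#define PRIuGID	    PRIu32
#define PRIxGID	    PRIx32
#define PRIdGID	    PRId32

    typedef uint64_t TSK_DADDR_T;       ///< Data type used to internally store sector and block addresses
#define PRIuDADDR   PRIu64
#define PRIxDADDR   PRIx64
#define PRIdDADDR   PRId64

    // TSK_OFF_T is the only signed type in this group: a negative offset
    // printed with PRIuOFF / PRIxOFF shows up as a very large unsigned value.
    // Range-check sizes and offsets read from an image (including < 0)
    // before using them in arithmetic or as lengths.
    typedef int64_t TSK_OFF_T;  ///< Data type used to internally store volume, file, etc. sizes and offsets
#define PRIuOFF		PRIu64
#define PRIxOFF		PRIx64
#define PRIdOFF		PRId64

    typedef uint32_t TSK_PNUM_T;        ///< Data type used to internally store partition addresses
#define PRIuPNUM	PRIu32
#define PRIxPNUM	PRIx32
#define PRIdPNUM	PRId32
//@}


    extern void tsk_version_print(FILE *);
    extern const char *tsk_version_get_str(void);


/*********** RETURN VALUES ************/

    /**
     * Values that callback functions can return to calling walk function.
     */
    typedef enum {
        TSK_WALK_CONT = 0x0,    ///< Walk function should continue to next object
        TSK_WALK_STOP = 0x1,    ///< Walk function should stop processing units and return OK
        TSK_WALK_ERROR = 0x2    ///< Walk function should stop processing units and return error
    } TSK_WALK_RET_ENUM;


/************ ERROR HANDLING *************/
    extern int tsk_verbose;     ///< Set to 1 to have verbose debug messages printed to stderr

/** \name Error Handling
 * An error code is a class bit (TSK_ERR_AUX ... TSK_ERR_AUTO) OR-ed with a
 * small per-class number; TSK_ERR_MASK keeps the low 24 bits, i.e. the
 * per-class number.  In the IMG, VS, FS, HDB and AUTO classes the *_MAX
 * value is one more than the highest number defined here.
 */
//@{

    // tsk_errno is declared as one plain global.
    // NOTE(review): as declared it is shared process-wide, so concurrent
    // callers would overwrite each other's error state -- confirm against the
    // definition before using the library from several threads.
    extern uint32_t tsk_errno;
    extern const char *tsk_error_get(void);
    extern void tsk_error_print(FILE *);
    extern void tsk_error_reset(void);

#define TSK_ERR_AUX	0x01000000
#define TSK_ERR_IMG	0x02000000
#define TSK_ERR_VS	0x04000000
#define TSK_ERR_FS	0x08000000
#define TSK_ERR_HDB	0x10000000
#define TSK_ERR_AUTO 0x20000000
#define TSK_ERR_MASK	0x00ffffff

// NOTE(review): only number 0 is defined for the AUX class in this header
// although TSK_ERR_AUX_MAX is 2 -- confirm that anything indexed by the
// per-class number has an entry for 1 as well.
#define TSK_ERR_AUX_MALLOC	(TSK_ERR_AUX | 0)
#define TSK_ERR_AUX_MAX		2

#define TSK_ERR_IMG_NOFILE	(TSK_ERR_IMG | 0)
#define TSK_ERR_IMG_OFFSET	(TSK_ERR_IMG | 1)
#define TSK_ERR_IMG_UNKTYPE	(TSK_ERR_IMG | 2)
#define TSK_ERR_IMG_UNSUPTYPE 	(TSK_ERR_IMG | 3)
#define TSK_ERR_IMG_OPEN 	(TSK_ERR_IMG | 4)
#define TSK_ERR_IMG_STAT	(TSK_ERR_IMG | 5)
#define TSK_ERR_IMG_SEEK	(TSK_ERR_IMG | 6)
#define TSK_ERR_IMG_READ	(TSK_ERR_IMG | 7)
#define TSK_ERR_IMG_READ_OFF	(TSK_ERR_IMG | 8)
#define TSK_ERR_IMG_ARG	    (TSK_ERR_IMG | 9)
#define TSK_ERR_IMG_MAGIC	(TSK_ERR_IMG | 10)
#define TSK_ERR_IMG_WRITE	(TSK_ERR_IMG | 11)
#define TSK_ERR_IMG_CONVERT	(TSK_ERR_IMG | 12)
#define TSK_ERR_IMG_PASSWD	(TSK_ERR_IMG | 13)
#define TSK_ERR_IMG_MAX		14

#define TSK_ERR_VS_UNKTYPE	(TSK_ERR_VS | 0)
#define TSK_ERR_VS_UNSUPTYPE	(TSK_ERR_VS | 1)
#define TSK_ERR_VS_READ		(TSK_ERR_VS | 2)
#define TSK_ERR_VS_MAGIC	(TSK_ERR_VS | 3)
#define TSK_ERR_VS_WALK_RNG	(TSK_ERR_VS | 4)
#define TSK_ERR_VS_BUF		(TSK_ERR_VS | 5)
#define TSK_ERR_VS_BLK_NUM	(TSK_ERR_VS | 6)
#define TSK_ERR_VS_ARG	    (TSK_ERR_VS | 7)
#define TSK_ERR_VS_MAX		8

#define TSK_ERR_FS_UNKTYPE	(TSK_ERR_FS | 0)
#define TSK_ERR_FS_UNSUPTYPE	(TSK_ERR_FS | 1)
#define TSK_ERR_FS_UNSUPFUNC		(TSK_ERR_FS | 2)
#define TSK_ERR_FS_WALK_RNG	(TSK_ERR_FS | 3)
#define TSK_ERR_FS_READ		(TSK_ERR_FS | 4)
#define TSK_ERR_FS_READ_OFF	(TSK_ERR_FS | 5)
#define TSK_ERR_FS_ARG		(TSK_ERR_FS | 6)
#define TSK_ERR_FS_BLK_NUM	(TSK_ERR_FS | 7)
#define TSK_ERR_FS_INODE_NUM	(TSK_ERR_FS | 8)
#define TSK_ERR_FS_INODE_COR	(TSK_ERR_FS | 9)
#define TSK_ERR_FS_MAGIC	(TSK_ERR_FS | 10)
#define TSK_ERR_FS_FWALK	(TSK_ERR_FS | 11)
#define TSK_ERR_FS_WRITE	(TSK_ERR_FS | 12)
#define TSK_ERR_FS_UNICODE	(TSK_ERR_FS | 13)
#define TSK_ERR_FS_RECOVER	(TSK_ERR_FS | 14)
#define TSK_ERR_FS_GENFS	(TSK_ERR_FS | 15)
#define TSK_ERR_FS_CORRUPT	(TSK_ERR_FS | 16)
#define TSK_ERR_FS_ATTR_NOTFOUND (TSK_ERR_FS | 17)
#define TSK_ERR_FS_MAX		18


#define TSK_ERR_HDB_UNKTYPE     (TSK_ERR_HDB | 0)
#define TSK_ERR_HDB_UNSUPTYPE   (TSK_ERR_HDB | 1)
#define TSK_ERR_HDB_READDB	(TSK_ERR_HDB | 2)
#define TSK_ERR_HDB_READIDX	(TSK_ERR_HDB | 3)
#define TSK_ERR_HDB_ARG		(TSK_ERR_HDB | 4)
#define TSK_ERR_HDB_WRITE	(TSK_ERR_HDB | 5)
#define TSK_ERR_HDB_CREATE	(TSK_ERR_HDB | 6)
#define TSK_ERR_HDB_DELETE      (TSK_ERR_HDB | 7)
#define TSK_ERR_HDB_MISSING     (TSK_ERR_HDB | 8)
#define TSK_ERR_HDB_PROC        (TSK_ERR_HDB | 9)
#define TSK_ERR_HDB_OPEN        (TSK_ERR_HDB | 10)
#define TSK_ERR_HDB_CORRUPT     (TSK_ERR_HDB | 11)
#define TSK_ERR_HDB_MAX		12

#define TSK_ERR_AUTO_DB (TSK_ERR_AUTO | 0)
#define TSK_ERR_AUTO_CORRUPT (TSK_ERR_AUTO | 1)
#define TSK_ERR_AUTO_UNICODE (TSK_ERR_AUTO | 2)
#define TSK_ERR_AUTO_NOTOPEN (TSK_ERR_AUTO | 3)
#define TSK_ERR_AUTO_MAX 4
//@}


/** \name Endian Ordering Functions */
//@{
    /**
     * Flag that identifies the endian ordering of the data being read.
     */
    typedef enum {
        TSK_LIT_ENDIAN = 0x01,  ///< Data is in little endian
        TSK_BIG_ENDIAN = 0x02   ///< Data is in big endian
    } TSK_ENDIAN_ENUM;

//@}



    // Parsers for user-supplied offset and partition-number strings.
    // TSK_TCHAR is declared outside this file; how a parse failure is
    // reported is not visible here, so check the implementation before
    // relying on the returned value.
    extern TSK_OFF_T tsk_parse_offset(const TSK_TCHAR *);
    extern int tsk_parse_pnum(const TSK_TCHAR * a_pnum_str,
        TSK_PNUM_T * a_pnum);



/** \name MD5 and SHA-1 hashing
 * Both algorithms have known collision weaknesses.  They remain usable for
 * matching files against existing hash databases and for detecting
 * accidental corruption, but an integrity record that has to hold up
 * against deliberate tampering should also carry a SHA-2 family digest
 * computed outside these routines.
 */
//@{

/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
rights reserved.

License to copy and use this software is granted provided that it
is identified as the "RSA Data Security, Inc. MD5 Message-Digest
Algorithm" in all material mentioning or referencing this software
or this function.

License is also granted to make and use derivative works provided
that such works are identified as "derived from the RSA Data
Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either
the merchantability of this software or the suitability of this
software for any particular purpose. It is provided "as is"
without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this
documentation and/or software.
 */


/* POINTER defines a generic pointer type */
    typedef unsigned char *POINTER;

/* UINT2 defines a two byte word */
//typedef unsigned short int UINT2;
    typedef uint16_t UINT2;

/* UINT4 defines a four byte word */
    typedef uint32_t UINT4;

/* Added for sha1 */
/* BYTE defines a unsigned character */
    typedef uint8_t BYTE;

#ifndef TRUE
#define FALSE 0
#define TRUE  ( !FALSE )
#endif                          /* TRUE */



/* MD5 context. */
    typedef struct {
        UINT4 state[4];         /* state (ABCD) */
        UINT4 count[2];         /* number of bits, modulo 2^64 (lsb first) */
        unsigned char buffer[64];       /* input buffer */
    } TSK_MD5_CTX;

    /* The input length is an 'unsigned int', so a buffer whose size is held
     * in a wider type (size_t, TSK_OFF_T) has to be fed in chunks rather
     * than narrowed in one cast.  TSK_MD5_Final takes a 16-byte digest
     * array. */
    void TSK_MD5_Init(TSK_MD5_CTX *);
    void TSK_MD5_Update(TSK_MD5_CTX *, unsigned char *, unsigned int);
    void TSK_MD5_Final(unsigned char[16], TSK_MD5_CTX *);



/* sha.h */

/* The structure for storing SHS info */

    typedef struct {
        UINT4 digest[5];        /* Message digest */
        UINT4 countLo, countHi; /* 64-bit bit count */
        UINT4 data[16];         /* SHS data buffer */
        int Endianness;
    } TSK_SHA_CTX;

/* Message digest functions */

    /* 'count' is a signed int: callers should pass only non-negative values
     * and split larger inputs into chunks.  'output' carries no size in the
     * prototype; NOTE(review): presumably it must hold the full digest
     * (digest[5] is 20 bytes) -- confirm against the implementation. */
    void TSK_SHA_Init(TSK_SHA_CTX *);
    void TSK_SHA_Update(TSK_SHA_CTX *, BYTE * buffer, int count);
    void TSK_SHA_Final(BYTE * output, TSK_SHA_CTX *);
//@}

#ifdef __cplusplus
}
#endif
#endif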