1 /* 2 * Sleuth Kit Data Model 3 * 4 * Copyright 2011 Basis Technology Corp. 5 * Contact: carrier <at> sleuthkit <dot> org 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); 8 * you may not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, 15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 package org.sleuthkit.datamodel; 20 21 import java.text.MessageFormat; 22 import java.util.ResourceBundle; 23 import java.util.EnumSet; 24 import java.util.Set; 25 26 /** 27 * Contains enums for the integer values stored in the database and returned by 28 * the various data model objects. 29 */ 30 public class TskData { 31 32 private static ResourceBundle bundle = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle"); 33 34 /** 35 * The type of the file system file, as reported in the name structure of 36 * the file system. This is the dir_type column in the tsk_files table. 37 */ 38 public enum TSK_FS_NAME_TYPE_ENUM { 39 40 UNDEF(0, "-"), ///< Unknown type 41 FIFO(1, "p"), ///< Named pipe NON-NLS 42 CHR(2, "c"), ///< Character device NON-NLS 43 DIR(3, "d"), ///< Directory NON-NLS 44 BLK(4, "b"), ///< Block device NON-NLS 45 REG(5, "r"), ///< Regular file NON-NLS 46 LNK(6, "l"), ///< Symbolic link NON-NLS 47 SOCK(7, "s"), ///< Socket NON-NLS 48 SHAD(8, "h"), ///< Shadow inode (solaris) NON-NLS 49 WHT(9, "w"), ///< Whiteout (openbsd) NON-NLS 50 VIRT(10, "v"), ///< Special (TSK added "Virtual" files) NON-NLS 51 VIRT_DIR(11, "V"); ///< Special (TSK added "Virtual" directories) NON-NLS 52 53 private short dirType; 54 String label; 55 TSK_FS_NAME_TYPE_ENUM(int type, String label)56 private TSK_FS_NAME_TYPE_ENUM(int type, String label) { 57 this.dirType = (short) type; 58 this.label = label; 59 } 60 61 /** 62 * Get dir type 63 * 64 * @return the dir type long value 65 */ getValue()66 public short getValue() { 67 return dirType; 68 } 69 70 /** 71 * Get the label string 72 * 73 * @return the label string value 74 */ getLabel()75 public String getLabel() { 76 return this.label; 77 } 78 79 /** 80 * Convert to the enum type from the short value 81 * 82 * @param dir_type enum type value to convert 83 * 84 * @return converted long value 85 */ valueOf(short dir_type)86 static public TSK_FS_NAME_TYPE_ENUM valueOf(short dir_type) { 87 for (TSK_FS_NAME_TYPE_ENUM v : TSK_FS_NAME_TYPE_ENUM.values()) { 88 if (v.dirType == dir_type) { 89 return v; 90 } 91 } 92 throw new IllegalArgumentException( 93 MessageFormat.format(bundle.getString("TskData.tskFsNameTypeEnum.exception.msg1.text"), dir_type)); 94 } 95 } 96 97 /** 98 * The type of the file system file, as reported in the metadata structure 99 * of the file system. This is the meta_type column in the tsk_files table. 100 */ 101 public enum TSK_FS_META_TYPE_ENUM { 102 103 TSK_FS_META_TYPE_UNDEF(0, "-"), 104 TSK_FS_META_TYPE_REG(1, "r"), ///< Regular file NON-NLS 105 TSK_FS_META_TYPE_DIR(2, "d"), ///< Directory file NON-NLS 106 TSK_FS_META_TYPE_FIFO(3, "p"), ///< Named pipe (fifo) NON-NLS 107 TSK_FS_META_TYPE_CHR(4, "c"), ///< Character device NON-NLS 108 TSK_FS_META_TYPE_BLK(5, "b"), ///< Block device NON-NLS 109 TSK_FS_META_TYPE_LNK(6, "l"), ///< Symbolic link NON-NLS 110 TSK_FS_META_TYPE_SHAD(7, "s"), ///< SOLARIS ONLY NON-NLS 111 TSK_FS_META_TYPE_SOCK(8, "h"), ///< UNIX domain socket NON-NLS 112 TSK_FS_META_TYPE_WHT(9, "w"), ///< Whiteout NON-NLS 113 TSK_FS_META_TYPE_VIRT(10, "v"), ///< "Virtual File" created by TSK for file system areas NON-NLS 114 TSK_FS_META_TYPE_VIRT_DIR(11, "v"); ///< "Virtual Directory" created by TSK for Orphan Files NON-NLS 115 116 private short metaType; 117 private String metaTypeStr; 118 TSK_FS_META_TYPE_ENUM(int type, String metaTypeStr)119 private TSK_FS_META_TYPE_ENUM(int type, String metaTypeStr) { 120 this.metaType = (short) type; 121 this.metaTypeStr = metaTypeStr; 122 } 123 124 /** 125 * Get meta type short value 126 * 127 * @return the meta type long value 128 */ getValue()129 public short getValue() { 130 return metaType; 131 } 132 133 @Override toString()134 public String toString() { 135 return metaTypeStr; 136 } 137 valueOf(short metaType)138 public static TSK_FS_META_TYPE_ENUM valueOf(short metaType) { 139 for (TSK_FS_META_TYPE_ENUM type : TSK_FS_META_TYPE_ENUM.values()) { 140 if (type.getValue() == metaType) { 141 return type; 142 } 143 } 144 throw new IllegalArgumentException( 145 MessageFormat.format(bundle.getString("TskData.tskFsMetaTypeEnum.exception.msg1.text"), metaType)); 146 } 147 } 148 149 /** 150 * The allocated status of a file system file, as reported in the name 151 * structure of the file system. This is the dir_flags column in the 152 * tsk_files table. 153 */ 154 public enum TSK_FS_NAME_FLAG_ENUM { 155 156 ALLOC(1, bundle.getString("TskData.tskFsNameFlagEnum.allocated")), ///< Name is in an allocated state 157 UNALLOC(2, bundle.getString("TskData.tskFsNameFlagEnum.unallocated")); ///< Name is in an unallocated state 158 159 private short dirFlag; 160 private String dirFlagStr; 161 TSK_FS_NAME_FLAG_ENUM(int flag, String dirFlagStr)162 private TSK_FS_NAME_FLAG_ENUM(int flag, String dirFlagStr) { 163 this.dirFlag = (short) flag; 164 this.dirFlagStr = dirFlagStr; 165 } 166 167 /** 168 * Get short value of the flag 169 * 170 * @return the long flag value 171 */ getValue()172 public short getValue() { 173 return dirFlag; 174 } 175 176 @Override toString()177 public String toString() { 178 return dirFlagStr; 179 } 180 181 /** 182 * Convert dirFlag int value to the enum type 183 * 184 * @param dirFlag int value to convert 185 * 186 * @return the enum type corresponding to dirFlag 187 */ valueOf(int dirFlag)188 public static TSK_FS_NAME_FLAG_ENUM valueOf(int dirFlag) { 189 for (TSK_FS_NAME_FLAG_ENUM flag : TSK_FS_NAME_FLAG_ENUM.values()) { 190 if (flag.dirFlag == dirFlag) { 191 return flag; 192 } 193 } 194 throw new IllegalArgumentException( 195 MessageFormat.format(bundle.getString("TskData.tskFsNameFlagEnum.exception.msg1.text"), dirFlag)); 196 } 197 } 198 199 /** 200 * The allocated status of the file system file, as reported in the metadata 201 * structure of the file system. This is the meta_flags column in the 202 * tsk_files table. 203 */ 204 public enum TSK_FS_META_FLAG_ENUM { 205 206 ALLOC(1, bundle.getString("TskData.tskFsMetaFlagEnum.allocated")), ///< Metadata structure is currently in an allocated state 207 UNALLOC(2, bundle.getString("TskData.tskFsMetaFlagEnum.unallocated")), ///< Metadata structure is currently in an unallocated state 208 USED(4, bundle.getString("TskData.tskFsMetaFlagEnum.used")), ///< Metadata structure has been allocated at least once 209 UNUSED(8, bundle.getString("TskData.tskFsMetaFlagEnum.unused")), ///< Metadata structure has never been allocated. 210 COMP(16, bundle.getString("TskData.tskFsMetaFlagEnum.compressed")), ///< The file contents are compressed. 211 ORPHAN(32, bundle.getString("TskData.tskFsMetaFlagEnum.orphan")); ///< Return only metadata structures that have no file name pointing to the (inode_walk flag only) 212 213 private short meta_flag; 214 private String label; 215 TSK_FS_META_FLAG_ENUM(int flag, String label)216 private TSK_FS_META_FLAG_ENUM(int flag, String label) { 217 this.meta_flag = (short) flag; 218 this.label = label; 219 } 220 221 /** 222 * Get meta flags short value 223 * 224 * @return the long value of meta flags 225 */ getValue()226 public short getValue() { 227 return meta_flag; 228 } 229 230 /** 231 * Get string label of the metal flags 232 * 233 * @return string meta flags label 234 */ 235 @Override toString()236 public String toString() { 237 return label; 238 } 239 240 /** 241 * Returns all the enum elements that match the flags in metaFlag 242 * 243 * @param metaFlags Flags to convert to Enums. 244 * 245 * @return matching TSK_FS_META_FLAG_ENUM elements 246 */ valuesOf(short metaFlags)247 public static Set<TSK_FS_META_FLAG_ENUM> valuesOf(short metaFlags) { 248 Set<TSK_FS_META_FLAG_ENUM> matchedFlags = EnumSet.noneOf(TSK_FS_META_FLAG_ENUM.class); 249 250 for (TSK_FS_META_FLAG_ENUM v : TSK_FS_META_FLAG_ENUM.values()) { 251 long flag = v.getValue(); 252 253 if ((metaFlags & flag) == flag) { 254 matchedFlags.add(v); 255 } 256 } 257 258 return matchedFlags; 259 } 260 toInt(Set<TSK_FS_META_FLAG_ENUM> metaFlags)261 public static short toInt(Set<TSK_FS_META_FLAG_ENUM> metaFlags) { 262 short val = 0; 263 for (TSK_FS_META_FLAG_ENUM flag : metaFlags) { 264 val |= flag.getValue(); 265 } 266 return val; 267 } 268 269 } 270 271 /** 272 * Type of data that is stored in the attribute for a file system file. This 273 * is the attr_type column in the tsk_files table. 274 */ 275 public enum TSK_FS_ATTR_TYPE_ENUM { 276 277 TSK_FS_ATTR_TYPE_NOT_FOUND(0x00), // 0 278 TSK_FS_ATTR_TYPE_DEFAULT(0x01), // 1 279 TSK_FS_ATTR_TYPE_NTFS_SI(0x10), // 16 280 TSK_FS_ATTR_TYPE_NTFS_ATTRLIST(0x20), // 32 281 TSK_FS_ATTR_TYPE_NTFS_FNAME(0x30), // 48 282 TSK_FS_ATTR_TYPE_NTFS_VVER(0x40), // 64 (NT) 283 TSK_FS_ATTR_TYPE_NTFS_OBJID(0x40), // 64 (2K) 284 TSK_FS_ATTR_TYPE_NTFS_SEC(0x50), // 80 285 TSK_FS_ATTR_TYPE_NTFS_VNAME(0x60), // 96 286 TSK_FS_ATTR_TYPE_NTFS_VINFO(0x70), // 112 287 TSK_FS_ATTR_TYPE_NTFS_DATA(0x80), // 128 288 TSK_FS_ATTR_TYPE_NTFS_IDXROOT(0x90), // 144 289 TSK_FS_ATTR_TYPE_NTFS_IDXALLOC(0xA0), // 160 290 TSK_FS_ATTR_TYPE_NTFS_BITMAP(0xB0), // 176 291 TSK_FS_ATTR_TYPE_NTFS_SYMLNK(0xC0), // 192 (NT) 292 TSK_FS_ATTR_TYPE_NTFS_REPARSE(0xC0), // 192 (2K) 293 TSK_FS_ATTR_TYPE_NTFS_EAINFO(0xD0), // 208 294 TSK_FS_ATTR_TYPE_NTFS_EA(0xE0), // 224 295 TSK_FS_ATTR_TYPE_NTFS_PROP(0xF0), // (NT) 296 TSK_FS_ATTR_TYPE_NTFS_LOG(0x100), // (2K) 297 TSK_FS_ATTR_TYPE_UNIX_INDIR(0x1001), // Indirect blocks for UFS and ExtX file systems 298 299 // Types for HFS+ File Attributes 300 TSK_FS_ATTR_TYPE_HFS_DEFAULT(0x01), // 1 Data fork of fs special files and misc 301 TSK_FS_ATTR_TYPE_HFS_DATA(0x1100), // 4352 Data fork of regular files 302 TSK_FS_ATTR_TYPE_HFS_RSRC(0x1101), // 4353 Resource fork of regular files 303 TSK_FS_ATTR_TYPE_HFS_EXT_ATTR(0x1102), // 4354 Extended Attributes) except compression records 304 TSK_FS_ATTR_TYPE_HFS_COMP_REC(0x1103); // 4355 Compression records 305 306 private int val; 307 TSK_FS_ATTR_TYPE_ENUM(int val)308 private TSK_FS_ATTR_TYPE_ENUM(int val) { 309 this.val = val; 310 } 311 getValue()312 public int getValue() { 313 return val; 314 } 315 valueOf(int val)316 public static TSK_FS_ATTR_TYPE_ENUM valueOf(int val) { 317 for (TSK_FS_ATTR_TYPE_ENUM type : TSK_FS_ATTR_TYPE_ENUM.values()) { 318 if (type.val == val) { 319 return type; 320 } 321 } 322 throw new IllegalArgumentException( 323 MessageFormat.format(bundle.getString("TskData.tskFsAttrTypeEnum.exception.msg1.text"), val)); 324 } 325 }; 326 327 /** 328 * Flags for a partition in the disk image. This is the flags column in the 329 * tsk_vs_parts table. 330 */ 331 public enum TSK_VS_PART_FLAG_ENUM { 332 333 TSK_VS_PART_FLAG_ALLOC(1), ///< Sectors are allocated to a volume in the volume system 334 TSK_VS_PART_FLAG_UNALLOC(2), ///< Sectors are not allocated to a volume 335 TSK_VS_PART_FLAG_META(4), ///< Sectors contain volume system metadata and could also be ALLOC or UNALLOC 336 TSK_VS_PART_FLAG_ALL(7); ///< Show all sectors in the walk. 337 338 private long vs_flag; 339 TSK_VS_PART_FLAG_ENUM(long flag)340 private TSK_VS_PART_FLAG_ENUM(long flag) { 341 vs_flag = flag; 342 } 343 344 /** 345 * Get long value of the vs flag 346 * 347 * @return the long value of the flag 348 */ getVsFlag()349 public long getVsFlag() { 350 return vs_flag; 351 } 352 353 } 354 355 /** 356 * The permissions of a file system file. This is the mode column in the 357 * tsk_files table. 358 */ 359 public enum TSK_FS_META_MODE_ENUM { 360 /* 361 * The following describe the file permissions 362 */ 363 364 TSK_FS_META_MODE_ISUID(0004000), ///< set user id on execution 365 TSK_FS_META_MODE_ISGID(0002000), ///< set group id on execution 366 TSK_FS_META_MODE_ISVTX(0001000), ///< sticky bit 367 368 TSK_FS_META_MODE_IRUSR(0000400), ///< R for owner 369 TSK_FS_META_MODE_IWUSR(0000200), ///< W for owner 370 TSK_FS_META_MODE_IXUSR(0000100), ///< X for owner 371 372 TSK_FS_META_MODE_IRGRP(0000040), ///< R for group 373 TSK_FS_META_MODE_IWGRP(0000020), ///< W for group 374 TSK_FS_META_MODE_IXGRP(0000010), ///< X for group 375 376 TSK_FS_META_MODE_IROTH(0000004), ///< R for other 377 TSK_FS_META_MODE_IWOTH(0000002), ///< W for other 378 TSK_FS_META_MODE_IXOTH(0000001); ///< X for other 379 380 private short mode; 381 TSK_FS_META_MODE_ENUM(int mode)382 private TSK_FS_META_MODE_ENUM(int mode) { 383 this.mode = (short) mode; 384 } 385 386 /** 387 * Get short value of the meta mode 388 * 389 * @return the long value of the meta mode 390 */ getMode()391 public short getMode() { 392 return mode; 393 } 394 395 /** 396 * Returns all the TSK_FS_META_MODE_ENUM enum elements that match the 397 * given modes 398 * 399 * @param modes 400 * 401 * @return matching TSK_FS_META_MODE_ENUM elements 402 */ valuesOf(short modes)403 public static Set<TSK_FS_META_MODE_ENUM> valuesOf(short modes) { 404 Set<TSK_FS_META_MODE_ENUM> matchedFlags = EnumSet.noneOf(TSK_FS_META_MODE_ENUM.class); 405 406 for (TSK_FS_META_MODE_ENUM v : TSK_FS_META_MODE_ENUM.values()) { 407 long flag = v.getMode(); 408 409 if ((modes & flag) == flag) { 410 matchedFlags.add(v); 411 } 412 } 413 414 return matchedFlags; 415 } 416 417 /** 418 * @param modes the set of modes to convert 419 * 420 * @return the short int representing the given set of modes 421 */ toInt(Set<TSK_FS_META_MODE_ENUM> modes)422 public static short toInt(Set<TSK_FS_META_MODE_ENUM> modes) { 423 short modesInt = 0; 424 for (TSK_FS_META_MODE_ENUM mode : modes) { 425 modesInt |= mode.getMode(); 426 } 427 return modesInt; 428 } 429 }; 430 431 /** 432 * The type of the file system. This is the fs_type column in the 433 * tsk_fs_info table. 434 */ 435 public enum TSK_FS_TYPE_ENUM { 436 437 TSK_FS_TYPE_DETECT(0x00000000, bundle.getString("TskData.tskFsTypeEnum.autoDetect")), ///< Use autodetection methods 438 TSK_FS_TYPE_NTFS(0x00000001, "NTFS"), ///< NTFS file system 439 TSK_FS_TYPE_NTFS_DETECT(0x00000001, bundle.getString("TskData.tskFsTypeEnum.NTFSautoDetect")), ///< NTFS auto detection 440 TSK_FS_TYPE_FAT12(0x00000002, "FAT12"), ///< FAT12 file system 441 TSK_FS_TYPE_FAT16(0x00000004, "FAT16"), ///< FAT16 file system 442 TSK_FS_TYPE_FAT32(0x00000008, "FAT32"), ///< FAT32 file system 443 TSK_FS_TYPE_EXFAT(0x0000000A, "ExFAT"), ///< ExFAT file system 444 TSK_FS_TYPE_FAT_DETECT(0x0000000e, bundle.getString("TskData.tskFsTypeEnum.FATautoDetect")), ///< FAT auto detection 445 TSK_FS_TYPE_FFS1(0x00000010, "UFS1"), ///< UFS1 (FreeBSD, OpenBSD, BSDI ...) 446 TSK_FS_TYPE_FFS1B(0x00000020, "UFS1b"), ///< UFS1b (Solaris - has no type) 447 TSK_FS_TYPE_FFS2(0x00000040, "UFS2"), ///< UFS2 - FreeBSD, NetBSD 448 TSK_FS_TYPE_FFS_DETECT(0x00000070, "UFS"), ///< UFS auto detection 449 TSK_FS_TYPE_EXT2(0x00000080, "Ext2"), ///< Ext2 file system 450 TSK_FS_TYPE_EXT3(0x00000100, "Ext3"), ///< Ext3 file system 451 TSK_FS_TYPE_EXT_DETECT(0x00000180, bundle.getString("TskData.tskFsTypeEnum.ExtXautoDetect")), ///< ExtX auto detection 452 TSK_FS_TYPE_SWAP(0x00000200, "SWAP"), ///< SWAP file system 453 TSK_FS_TYPE_SWAP_DETECT(0x00000200, bundle.getString("TskData.tskFsTypeEnum.SWAPautoDetect")), ///< SWAP auto detection 454 TSK_FS_TYPE_RAW(0x00000400, "RAW"), ///< RAW file system 455 TSK_FS_TYPE_RAW_DETECT(0x00000400, bundle.getString("TskData.tskFsTypeEnum.RAWautoDetect")), ///< RAW auto detection 456 TSK_FS_TYPE_ISO9660(0x00000800, "ISO9660"), ///< ISO9660 file system 457 TSK_FS_TYPE_ISO9660_DETECT(0x00000800, bundle.getString("TskData.tskFsTypeEnum.ISO9660autoDetect")), ///< ISO9660 auto detection 458 TSK_FS_TYPE_HFS(0x00001000, "HFS"), ///< HFS file system 459 TSK_FS_TYPE_HFS_DETECT(0x00001000, bundle.getString("TskData.tskFsTypeEnum.HFSautoDetect")), ///< HFS auto detection 460 TSK_FS_TYPE_EXT4(0x00002000, "Ext4"), ///< Ext4 file system 461 TSK_FS_TYPE_YAFFS2(0x00004000, "YAFFS2"), ///< YAFFS2 file system 462 TSK_FS_TYPE_YAFFS2_DETECT(0x00004000, bundle.getString("TskData.tskFsTypeEnum.YAFFS2autoDetect")), ///< YAFFS2 auto detection 463 TSK_FS_TYPE_UNSUPP(0xffffffff, bundle.getString("TskData.tskFsTypeEnum.unsupported")); ///< Unsupported file system 464 465 private int value; 466 private String displayName; 467 TSK_FS_TYPE_ENUM(int value, String displayName)468 private TSK_FS_TYPE_ENUM(int value, String displayName) { 469 this.value = value; 470 this.displayName = displayName; 471 } 472 473 /** 474 * get the value for the enum type 475 * 476 * @return int value for the enum type 477 */ getValue()478 public int getValue() { 479 return value; 480 } 481 482 /** 483 * Get display name of the enum 484 * 485 * @return the displayName 486 */ getDisplayName()487 public String getDisplayName() { 488 return displayName; 489 } 490 491 /** 492 * Convert fs type int value to the enum type - get the first matching 493 * enum type 494 * 495 * @param fsTypeValue int value to convert 496 * 497 * @return the enum type - first enum type matching the fsTypeValue 498 */ valueOf(int fsTypeValue)499 public static TSK_FS_TYPE_ENUM valueOf(int fsTypeValue) { 500 for (TSK_FS_TYPE_ENUM type : TSK_FS_TYPE_ENUM.values()) { 501 if (type.value == fsTypeValue) { 502 return type; 503 } 504 } 505 throw new IllegalArgumentException( 506 MessageFormat.format(bundle.getString("TskData.tskFsTypeEnum.exception.msg1.text"), fsTypeValue)); 507 } 508 509 }; 510 511 /** 512 * The type of the disk image. This is the types column in the 513 * tsk_images_info table. 514 */ 515 public enum TSK_IMG_TYPE_ENUM { 516 517 TSK_IMG_TYPE_DETECT(0, bundle.getString("TskData.tskImgTypeEnum.autoDetect")), // Auto Detection 518 TSK_IMG_TYPE_RAW_SING(1, bundle.getString("TskData.tskImgTypeEnum.rawSingle")), // Single raw file (dd) 519 TSK_IMG_TYPE_RAW_SPLIT(2, bundle.getString("TskData.tskImgTypeEnum.rawSplit")), // Split raw files 520 TSK_IMG_TYPE_AFF_AFF(4, "AFF"), // Advanced Forensic Format NON-NLS 521 TSK_IMG_TYPE_AFF_AFD(8, "AFD"), // AFF Multiple File NON-NLS 522 TSK_IMG_TYPE_AFF_AFM(16, "AFM"), // AFF with external metadata NON-NLS 523 TSK_IMG_TYPE_AFF_ANY(32, "AFF"), // All AFFLIB image formats (including beta ones) NON-NLS 524 TSK_IMG_TYPE_EWF_EWF(64, "E01"), // Expert Witness format (encase) NON-NLS 525 TSK_IMG_TYPE_VMDK_VMDK(128, "VMDK"), // VMware Virtual Disk (VMDK) NON-NLS 526 TSK_IMG_TYPE_VHD_VHD(256, "VHD"), // Virtual Hard Disk (VHD) image format NON-NLS 527 TSK_IMG_TYPE_UNSUPP(65535, bundle.getString("TskData.tskImgTypeEnum.unknown")); // Unsupported Image Type 528 529 private long imgType; 530 private String name; 531 TSK_IMG_TYPE_ENUM(long type, String name)532 private TSK_IMG_TYPE_ENUM(long type, String name) { 533 this.imgType = type; 534 this.name = name; 535 } 536 valueOf(long imgType)537 public static TSK_IMG_TYPE_ENUM valueOf(long imgType) { 538 for (TSK_IMG_TYPE_ENUM type : TSK_IMG_TYPE_ENUM.values()) { 539 if (type.getValue() == imgType) { 540 return type; 541 } 542 } 543 throw new IllegalArgumentException( 544 MessageFormat.format(bundle.getString("TskData.tskImgTypeEnum.exception.msg1.text"), imgType)); 545 } 546 547 /** 548 * Get long value of the image type 549 * 550 * @return the long value of the image type 551 */ getValue()552 public long getValue() { 553 return imgType; 554 } 555 556 /** 557 * Get the name of the image type 558 * 559 * @return 560 */ getName()561 public String getName() { 562 return name; 563 } 564 }; 565 566 /** 567 * The type of the partition in the partition table. This is the flags 568 * column in the tsk_vs_parts table. 569 */ 570 public enum TSK_VS_TYPE_ENUM { 571 572 TSK_VS_TYPE_DETECT(0x0000, bundle.getString("TskData.tskVSTypeEnum.autoDetect")), ///< Use autodetection methods 573 TSK_VS_TYPE_DOS(0x0001, "DOS"), ///< DOS Partition table NON-NLS 574 TSK_VS_TYPE_BSD(0x0002, "BSD"), ///< BSD Partition table NON-NLS 575 TSK_VS_TYPE_SUN(0x0004, "SUN VTOC"), ///< Sun VTOC NON-NLS 576 TSK_VS_TYPE_MAC(0x0008, "Mac"), ///< Mac partition table NON-NLS 577 TSK_VS_TYPE_GPT(0x0010, "GPT"), ///< GPT partition table NON-NLS 578 TSK_VS_TYPE_DBFILLER(0x00F0, bundle.getString("TskData.tskVSTypeEnum.fake")), ///< fake partition table type for loaddb (for images that do not have a volume system) 579 TSK_VS_TYPE_UNSUPP(0xFFFF, bundle.getString("TskData.tskVSTypeEnum.unsupported")); ///< Unsupported 580 581 private long vsType; 582 private String name; 583 TSK_VS_TYPE_ENUM(long type, String name)584 private TSK_VS_TYPE_ENUM(long type, String name) { 585 this.vsType = type; 586 this.name = name; 587 } 588 valueOf(long vsType)589 public static TSK_VS_TYPE_ENUM valueOf(long vsType) { 590 for (TSK_VS_TYPE_ENUM type : TSK_VS_TYPE_ENUM.values()) { 591 if (type.getVsType() == vsType) { 592 return type; 593 } 594 } 595 throw new IllegalArgumentException( 596 MessageFormat.format(bundle.getString("TskData.tskVSTypeEnum.exception.msg1.text"), vsType)); 597 } 598 599 /** 600 * Get long value of the vs type 601 * 602 * @return the long value of the vs type 603 */ getVsType()604 public long getVsType() { 605 return vsType; 606 } 607 608 /** 609 * Get the name of the volume system type. 610 * 611 * @return 612 */ getName()613 public String getName() { 614 return name; 615 } 616 }; 617 618 /** 619 * High-level type of an object from the database. This is the type column 620 * in the tsk_objects table. 621 */ 622 public enum ObjectType { 623 624 IMG(0), ///< Disk Image - see tsk_image_info for more details 625 VS(1), ///< Volume System - see tsk_vs_info for more details 626 VOL(2), ///< Volume - see tsk_vs_parts for more details 627 FS(3), ///< File System - see tsk_fs_info for more details 628 ABSTRACTFILE(4), ///< File - see tsk_files for more details 629 ARTIFACT(5), /// Artifact - see blackboard_artifacts for more details 630 REPORT(6) ///< Report - see reports for more details 631 ; 632 private short objectType; 633 ObjectType(int objectType)634 private ObjectType(int objectType) { 635 this.objectType = (short) objectType; 636 } 637 638 /** 639 * Get short value of the object type 640 * 641 * @return the long value of the object type 642 */ getObjectType()643 public short getObjectType() { 644 return objectType; 645 } 646 647 /** 648 * Convert object type short value to the enum type 649 * 650 * @param objectType long value to convert 651 * 652 * @return the enum type 653 */ valueOf(short objectType)654 public static ObjectType valueOf(short objectType) { 655 for (ObjectType v : ObjectType.values()) { 656 if (v.objectType == objectType) { 657 return v; 658 } 659 } 660 throw new IllegalArgumentException( 661 MessageFormat.format(bundle.getString("TskData.objectTypeEnum.exception.msg1.text"), objectType)); 662 } 663 } 664 665 /** 666 * The type of file in a database, such as file system versus local file. 667 * This is the type field in the tsk_files table. 668 */ 669 public enum TSK_DB_FILES_TYPE_ENUM { 670 671 FS(0, "File System"), ///< File that can be found in file system tree. 672 CARVED(1, "Carved"), ///< Set of blocks for a file found from carving. Could be on top of a TSK_DB_FILES_TYPE_UNALLOC_BLOCKS range. 673 DERIVED(2, "Derived"), ///< File derived from a parent file (i.e. from ZIP) 674 LOCAL(3, "Local"), ///< Local file that was added (not from a disk image) 675 UNALLOC_BLOCKS(4, "Unallocated Blocks"), ///< Set of blocks not allocated by file system. Parent should be image, volume, or file system. Many columns in tsk_files will be NULL. Set layout in tsk_file_layout. 676 UNUSED_BLOCKS(5, "Unused Blocks"), ///< Set of blocks that are unallocated AND not used by a carved or other file type. Parent should be UNALLOC_BLOCKS, many columns in tsk_files will be NULL, set layout in tsk_file_layout. 677 VIRTUAL_DIR(6, "Virtual Directory"), ///< Virtual directory (not on fs) with no meta-data entry that can be used to group files of types other than TSK_DB_FILES_TYPE_FS. Its parent is either another TSK_DB_FILES_TYPE_FS or a root directory or type TSK_DB_FILES_TYPE_FS. 678 SLACK(7, "Slack"), ///< Slack space for a single file 679 LOCAL_DIR(8, "Local Directory"), ///< Local directory that was added (not from a disk image) 680 LAYOUT_FILE(9, "Layout File"), ///< Set of blocks from an image that have been designated as a file 681 ; 682 683 private final short fileType; 684 private final String name; 685 TSK_DB_FILES_TYPE_ENUM(int fileType, String name)686 private TSK_DB_FILES_TYPE_ENUM(int fileType, String name) { 687 this.fileType = (short) fileType; 688 this.name = name; 689 } 690 691 /** 692 * Convert db files type short value to the enum type 693 * 694 * @param fileType long value to convert 695 * 696 * @return the enum type 697 */ valueOf(short fileType)698 public static TSK_DB_FILES_TYPE_ENUM valueOf(short fileType) { 699 for (TSK_DB_FILES_TYPE_ENUM type : TSK_DB_FILES_TYPE_ENUM.values()) { 700 if (type.fileType == fileType) { 701 return type; 702 } 703 } 704 throw new IllegalArgumentException( 705 MessageFormat.format(bundle.getString("TskData.tskDbFilesTypeEnum.exception.msg1.text"), fileType)); 706 } 707 708 /** 709 * Get short value of the file type 710 * 711 * @return the long value of the file type 712 */ getFileType()713 public short getFileType() { 714 return fileType; 715 } 716 getName()717 public String getName() { 718 return name; 719 } 720 } 721 722 /** 723 * Identifies if a file was in a hash database or not. This is the known 724 * column in the tsk_files table. 725 */ 726 public enum FileKnown { 727 728 UNKNOWN(0, bundle.getString("TskData.fileKnown.unknown")), ///< File marked as unknown by hash db 729 KNOWN(1, bundle.getString("TskData.fileKnown.known")), ///< File marked as a known by hash db 730 BAD(2, bundle.getString("TskData.fileKnown.knownBad")); ///< File marked as known and bad/notable/interesting by hash db 731 732 private byte known; 733 private String name; 734 FileKnown(int known, String name)735 private FileKnown(int known, String name) { 736 this.known = (byte) known; 737 this.name = name; 738 } 739 740 /** 741 * Convert file known type byte value to the enum type 742 * 743 * @param known long value to convert 744 * 745 * @return the enum type 746 */ valueOf(byte known)747 public static FileKnown valueOf(byte known) { 748 for (FileKnown v : FileKnown.values()) { 749 if (v.known == known) { 750 return v; 751 } 752 } 753 throw new IllegalArgumentException( 754 MessageFormat.format(bundle.getString("TskData.fileKnown.exception.msg1.text"), known)); 755 } 756 getName()757 public String getName() { 758 return this.name; 759 } 760 761 /** 762 * Get byte value of the file known status 763 * 764 * @return the long value of the file known status 765 */ getFileKnownValue()766 public byte getFileKnownValue() { 767 return this.known; 768 } 769 } 770 771 /** 772 * DbType is the enum covering database type. It tells you what underlying 773 * database you can use in Autopsy and TSK. 774 */ 775 public enum DbType { 776 777 // Add any additional remote database types here, and keep it in sync 778 // with the Sleuthkit version of this enum located at: 779 // sleuthkit/tsk/auto/db_connection_info.h 780 // Be sure to add to settingsValid() if you add a type here. 781 SQLITE(0), 782 POSTGRESQL(1); 783 784 private int value; 785 DbType(int val)786 DbType(int val) { 787 this.value = val; 788 } 789 getValue()790 public int getValue() { 791 return this.value; 792 } 793 } 794 795 /** 796 * Encoding type records whether locally stored files have been encoded 797 * or not, and the method used to do so. This is the encoding_type column 798 * in the tsk_files_path table. 799 * Files are encoded using EncodedFileOutputStream and are saved to the 800 * database as derived files with the appropriate encoding type argument. 801 */ 802 public enum EncodingType{ 803 // Update EncodedFileUtil.java to handle any new types 804 NONE(0), 805 XOR1(1); 806 807 private final int type; 808 EncodingType(int type)809 private EncodingType(int type){ 810 this.type = type; 811 } 812 getType()813 public int getType(){ 814 return type; 815 } 816 valueOf(int type)817 public static EncodingType valueOf(int type) { 818 for (EncodingType v : EncodingType.values()) { 819 if (v.type == type) { 820 return v; 821 } 822 } 823 throw new IllegalArgumentException( 824 MessageFormat.format(bundle.getString("TskData.encodingType.exception.msg1.text"), type)); 825 } 826 } 827 } 828