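/*
** The Sleuth Kit
**
** Brian Carrier [carrier <at> sleuthkit [dot] org]
** Copyright (c) 2011-2012 Brian Carrier. All Rights reserved
**
** This software is distributed under the Common Public License 1.0
**
*/

/**
 * \file tsk_db.h
 * Contains TSK interface to abstract database handling class. The intent of this class
 * is so that different databases can be seamlessly used by TSK.
 */

#ifndef _TSK_DB_H
#define _TSK_DB_H

#include <ctype.h>   // tolower(), used by TskDb::extractExtension()
#include <string.h>  // strrchr(), strlen(), memcpy(), used by TskDb::extractExtension()

#include <vector>
#include <string>
#include <ostream>

#include "tsk_auto_i.h"
#include "db_connection_info.h"

using std::ostream;
using std::vector;
using std::string;

#define TSK_SCHEMA_VER 8
#define TSK_SCHEMA_MINOR_VER 3

/**
 * Values for the type column in the tsk_objects table.
 */
typedef enum {
    TSK_DB_OBJECT_TYPE_IMG = 0, ///< Object is a disk image
    TSK_DB_OBJECT_TYPE_VS,      ///< Object is a volume system.
    TSK_DB_OBJECT_TYPE_VOL,     ///< Object is a volume
    TSK_DB_OBJECT_TYPE_FS,      ///< Object is a file system
    TSK_DB_OBJECT_TYPE_FILE,    ///< Object is a file (exact type can be determined in the tsk_files table via TSK_DB_FILES_TYPE_ENUM)
} TSK_DB_OBJECT_TYPE_ENUM;

/**
 * Values for the files type column in the tsk_files table.
 */
typedef enum {
    TSK_DB_FILES_TYPE_FS = 0,         ///< File that can be found in file system tree.
    TSK_DB_FILES_TYPE_CARVED,         ///< Set of blocks for a file found from carving. Could be on top of a TSK_DB_FILES_TYPE_UNALLOC_BLOCKS range.
    TSK_DB_FILES_TYPE_DERIVED,        ///< File derived from a parent file (i.e. from ZIP)
    TSK_DB_FILES_TYPE_LOCAL,          ///< Local file that was added (not from a disk image)
    TSK_DB_FILES_TYPE_UNALLOC_BLOCKS, ///< Set of blocks not allocated by file system. Parent should be image, volume, or file system. Many columns in tsk_files will be NULL. Set layout in tsk_file_layout.
    TSK_DB_FILES_TYPE_UNUSED_BLOCKS,  ///< Set of blocks that are unallocated AND not used by a carved or other file type. Parent should be UNALLOC_BLOCKS, many columns in tsk_files will be NULL, set layout in tsk_file_layout.
    TSK_DB_FILES_TYPE_VIRTUAL_DIR,    ///< Virtual directory (not on fs) with no meta-data entry that can be used to group files of types other than TSK_DB_FILES_TYPE_FS. Its parent is either another TSK_DB_FILES_TYPE_FS or a root directory of type TSK_DB_FILES_TYPE_FS.
    TSK_DB_FILES_TYPE_SLACK           ///< Slack space for a single file
} TSK_DB_FILES_TYPE_ENUM;



/**
 * Values for the "known" column of the tsk_files table
 */
typedef enum {
    TSK_DB_FILES_KNOWN_UNKNOWN = 0,    ///< Not matched against an index
    TSK_DB_FILES_KNOWN_KNOWN = 1,      ///< Match found in a "known" file index (such as NIST NSRL) and could be good or bad.
    TSK_DB_FILES_KNOWN_KNOWN_BAD = 2,  ///< Match found in a "known bad" index
    TSK_DB_FILES_KNOWN_KNOWN_GOOD = 3, ///< Match found in a "known good" index
} TSK_DB_FILES_KNOWN_ENUM;


/**
 * Structure wrapping a single tsk objects db entry
 */
typedef struct _TSK_DB_OBJECT {
    int64_t objId;    ///< set to 0 if unknown (before it becomes a db object)
    int64_t parObjId; ///< object id of the parent entry
    TSK_DB_OBJECT_TYPE_ENUM type;
} TSK_DB_OBJECT;

ostream& operator <<(ostream &os,const TSK_DB_OBJECT &dbObject);

/**
 * Structure wrapping a single file_layout db entry
 */
typedef struct _TSK_DB_FILE_LAYOUT_RANGE {
    //default constructor
    _TSK_DB_FILE_LAYOUT_RANGE()
        : fileObjId(0),byteStart(0),byteLen(0),sequence(0) {}
    //constructor for non-db object (before it becomes one)
    // NOTE(review): 'sequence' arrives as a signed int but is stored in a
    // uint32_t member, so a negative argument wraps to a large value.
    _TSK_DB_FILE_LAYOUT_RANGE(uint64_t byteStart, uint64_t byteLen, int sequence)
        : fileObjId(0),byteStart(byteStart),byteLen(byteLen),sequence(sequence) {}

    int64_t fileObjId; ///< set to 0 if unknown (before it becomes a db object)
    uint64_t byteStart;
    uint64_t byteLen;
    uint32_t sequence;

    //default comparator by sequence
    bool operator< (const struct _TSK_DB_FILE_LAYOUT_RANGE & rhs) const
    { return sequence < rhs.sequence; }

} TSK_DB_FILE_LAYOUT_RANGE;

ostream& operator <<(ostream &os,const TSK_DB_FILE_LAYOUT_RANGE &layoutRange);

/**
 * Structure wrapping a single fs info db entry
 */
typedef struct _TSK_DB_FS_INFO {
    int64_t objId; ///< set to 0 if unknown (before it becomes a db object)
    TSK_OFF_T imgOffset;
    TSK_FS_TYPE_ENUM fType;
    unsigned int block_size;
    TSK_DADDR_T block_count;
    TSK_INUM_T root_inum;
    TSK_INUM_T first_inum;
    TSK_INUM_T last_inum;
} TSK_DB_FS_INFO;

ostream& operator <<(ostream &os,const TSK_DB_FS_INFO &fsInfo);


/**
 * Structure wrapping a single vs info db entry
 */
typedef struct _TSK_DB_VS_INFO {
    int64_t objId; ///< set to 0 if unknown (before it becomes a db object)
    TSK_VS_TYPE_ENUM vstype;
    TSK_DADDR_T offset;
    unsigned int block_size;
} TSK_DB_VS_INFO;

ostream& operator <<(ostream &os,const TSK_DB_VS_INFO &vsInfo);

/// Size in bytes of the fixed description buffer in TSK_DB_VS_PART_INFO.
#define TSK_MAX_DB_VS_PART_INFO_DESC_LEN 512

/**
 * Structure wrapping a single vs part db entry
 */
typedef struct _TSK_DB_VS_PART_INFO {
    int64_t objId; ///< set to 0 if unknown (before it becomes a db object)
    TSK_PNUM_T addr;
    TSK_DADDR_T start;
    TSK_DADDR_T len;
    // NOTE(review): fixed-size buffer. The code that fills it is not in this
    // header; it should bound the copy to TSK_MAX_DB_VS_PART_INFO_DESC_LEN and
    // leave the buffer NUL-terminated before anything reads it as a C string.
    char desc[TSK_MAX_DB_VS_PART_INFO_DESC_LEN];
    TSK_VS_PART_FLAG_ENUM flags;
} TSK_DB_VS_PART_INFO;

ostream& operator <<(ostream &os,const TSK_DB_VS_PART_INFO &vsPartInfos);

/** \internal
 * C++ class that serves as interface to direct database handling classes.
 */
class TskDb {

    // these buffers are used to manipulate strings in getParentPathAndName()
    // NOTE(review): per-instance, fixed-size scratch space. The implementation
    // of getParentPathAndName() is not in this header; it has to reject or
    // truncate any input longer than MAX_PATH_LENGTH before copying into them.
    // Presumably the pointers it returns refer to these members, in which case
    // they are only valid until the next call on the same object -- confirm.
#define MAX_PATH_LENGTH 2048
    char parent_name[MAX_PATH_LENGTH];
    char parent_path[MAX_PATH_LENGTH + 2]; // +2 is for leading slash and trailing slash

  public:
#ifdef TSK_WIN32
//@@@@
    TskDb(const TSK_TCHAR * a_dbFilePath, bool a_blkMapFlag);
#endif
    TskDb(const char *a_dbFilePathUtf8, bool a_blkMapFlag);
    virtual ~TskDb() {}

    // Everything declared "= 0" below is implemented by the concrete database
    // back end; this class only fixes the interface.
    virtual int open(bool) = 0;
    virtual int close() = 0;
    virtual TSK_RETVAL_ENUM setConnectionInfo(CaseDbConnectionInfo * info);
    virtual int addImageInfo(int type, int size, int64_t & objId, const string & timezone) = 0;
    virtual int addImageInfo(int type, int size, int64_t & objId, const string & timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256) = 0;
    virtual int addImageInfo(int type, TSK_OFF_T size, int64_t & objId, const string & timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256, const string& deviceId, const string& collectionDetails) = 0;
    virtual int addImageName(int64_t objId, char const *imgName, int sequence) = 0;
    virtual int addVsInfo(const TSK_VS_INFO * vs_info, int64_t parObjId, int64_t & objId) = 0;
    virtual int addVolumeInfo(const TSK_VS_PART_INFO * vs_part, int64_t parObjId, int64_t & objId) = 0;
    virtual int addFsInfo(const TSK_FS_INFO * fs_info, int64_t parObjId, int64_t & objId) = 0;
    virtual int addFsFile(TSK_FS_FILE * fs_file, const TSK_FS_ATTR * fs_attr,
        const char *path, const unsigned char *const md5,
        const TSK_DB_FILES_KNOWN_ENUM known, int64_t fsObjId,
        int64_t & objId, int64_t dataSourceObjId) = 0;

    virtual TSK_RETVAL_ENUM addVirtualDir(const int64_t fsObjId, const int64_t parentDirId, const char * const name, int64_t & objId, int64_t dataSourceObjId) = 0;
    virtual TSK_RETVAL_ENUM addUnallocFsBlockFilesParent(const int64_t fsObjId, int64_t & objId, int64_t dataSourceObjId) = 0;
    virtual TSK_RETVAL_ENUM addUnallocBlockFile(const int64_t parentObjId, const int64_t fsObjId, const uint64_t size,
        vector<TSK_DB_FILE_LAYOUT_RANGE> & ranges, int64_t & objId, int64_t dataSourceObjId) = 0;
    virtual TSK_RETVAL_ENUM addUnusedBlockFile(const int64_t parentObjId, const int64_t fsObjId, const uint64_t size,
        vector<TSK_DB_FILE_LAYOUT_RANGE> & ranges, int64_t & objId, int64_t dataSourceObjId) = 0;
    virtual TSK_RETVAL_ENUM addCarvedFile(const int64_t parentObjId, const int64_t fsObjId, const uint64_t size,
        vector<TSK_DB_FILE_LAYOUT_RANGE> & ranges, int64_t & objId, int64_t dataSourceObjId) = 0;

    virtual int addFileLayoutRange(const TSK_DB_FILE_LAYOUT_RANGE & fileLayoutRange) = 0;
    virtual int addFileLayoutRange(int64_t a_fileObjId, uint64_t a_byteStart, uint64_t a_byteLen, int a_sequence) = 0;

    virtual bool isDbOpen() = 0;
    // NOTE(review): savepoint names are passed as raw C strings. Whether the
    // back ends quote or validate them before building SQL cannot be seen from
    // this header -- check the implementations.
    virtual int createSavepoint(const char *name) = 0;
    virtual int revertSavepoint(const char *name) = 0;
    virtual int releaseSavepoint(const char *name) = 0;
    virtual bool inTransaction() = 0;
    virtual bool dbExists() = 0;

    virtual bool getParentPathAndName(const char *path, const char **ret_parent_path, const char **ret_name);

    //query methods / getters
    virtual TSK_RETVAL_ENUM getFileLayouts(vector<TSK_DB_FILE_LAYOUT_RANGE> & fileLayouts) = 0;
    virtual TSK_RETVAL_ENUM getFsInfos(int64_t imgId, vector<TSK_DB_FS_INFO> & fsInfos) = 0;
    virtual TSK_RETVAL_ENUM getVsInfos(int64_t imgId, vector<TSK_DB_VS_INFO> & vsInfos) = 0;
    virtual TSK_RETVAL_ENUM getVsInfo(int64_t objId, TSK_DB_VS_INFO & vsInfo) = 0;
    virtual TSK_RETVAL_ENUM getVsPartInfos(int64_t imgId, vector<TSK_DB_VS_PART_INFO> & vsPartInfos) = 0;
    virtual TSK_RETVAL_ENUM getObjectInfo(int64_t objId, TSK_DB_OBJECT & objectInfo) = 0;
    virtual TSK_RETVAL_ENUM getParentImageId (const int64_t objId, int64_t & imageId) = 0;
    virtual TSK_RETVAL_ENUM getFsRootDirObjectInfo(const int64_t fsObjId, TSK_DB_OBJECT & rootDirObjInfo) = 0;

  protected:

    /**
    Extract the extension from the given file name and store it, lower-cased
    and NUL-terminated, in the supplied buffer.

    The extension is the text after the last '.' in name. Nothing is written
    when name has no '.', when the only '.' is the first character, when the
    '.' is the last character, or when the extension is longer than 13
    characters; callers should therefore initialise extension to an empty
    string before the call.

    @param name A file name (NUL-terminated). A null pointer is ignored.
    @param extension The file name extension will be extracted to extension.
           The buffer must hold at least 14 bytes (13 characters plus the
           terminator); its size is not passed in, so it cannot be checked here.
    */
    void extractExtension(char *name, char *extension ) {
        if (!name || !extension) {
            return;
        }

        char *ext = strrchr(name, '.');

        //if ext is not null and is not the entire filename...
        if (ext && (name != ext)) {
            size_t extLen = strlen(ext);
            //... and doesn't only contain the '.' and isn't too long to be a real extension.
            if ((1 < extLen) && (extLen < 15) ) {
                const size_t copyLen = extLen - 1;
                memcpy(extension, ext + 1, copyLen);
                // The previous strncpy() with a count of extLen - 1 never copied
                // the terminator, so the result was only a valid string if the
                // caller had zero-filled the buffer. Terminate it explicitly.
                extension[copyLen] = '\0';
                //normalize to lower case, only works for ascii
                for (size_t i = 0; i < copyLen; i++) {
                    // Go through unsigned char: passing a negative char value
                    // to tolower() is undefined behaviour.
                    extension[i] = static_cast<char>(
                        tolower(static_cast<unsigned char>(extension[i])));
                }
            }
        }
    }
};

#endif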