/*
 *
 * The Sleuth Kit
 *
 * Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
 * Copyright (c) 2010-2012 Basis Technology Corporation. All Rights
 * reserved.
 *
 * This software is distributed under the Common Public License 1.0
 */

#ifndef _TSK_IMGDBSQLITE_H
#define _TSK_IMGDBSQLITE_H

// System includes
#include <string> // to get std::wstring
#include <list>
#include <vector>
// NOTE(review): std::map is used by getUniqueCarvedFiles() below, but <map> is
// not included in this file; presumably it arrives through one of the
// framework headers -- confirm.
// NOTE(review): a using-directive at header scope applies to every file that
// includes this header. The protected/private sections below depend on it
// (unqualified `string` and `vector`), so it cannot be dropped without
// qualifying those names first.
using namespace std;

// Framework includes
#include "tsk/framework/framework_i.h"
#include "TskImgDB.h"
#include "tsk/framework/utilities/SectorRuns.h"
#include "tsk/framework/utilities/UnallocRun.h"
#include "TskBlackboardArtifact.h"
#include "TskBlackboardAttribute.h"

#include "tsk/libtsk.h"

// Use the system SQLite when the build found one, otherwise the copy
// shipped in the TSK source tree.
#ifdef HAVE_LIBSQLITE3
#include <sqlite3.h>
#else
#include "tsk/auto/sqlite3.h"
#endif

/**
 * Implementation of TskImgDB that uses SQLite to store the data.
 * Do not use this in a distributed environment if multiple processes
 * will be accessing the database at the same time.
 *
 * Security notes for callers and maintainers:
 *  - Several members accept a `condition` string that is used as an SQL
 *    WHERE clause, and several private helpers accept a complete SQL
 *    statement as a string. This header exposes no bound-parameter
 *    interface; whether the implementation binds values is not visible
 *    here. Values that originate in the image under examination (file
 *    names, paths, attribute strings) should be treated as untrusted when
 *    a condition is composed, and string values passed through quote()
 *    first (presumably SQL literal escaping -- confirm in the
 *    implementation).
 *  - m_outPath and m_dbFilePath are fixed 256-byte buffers filled from
 *    caller-supplied paths; the copy is in the implementation and must be
 *    bounded and NUL-terminated -- confirm.
 *  - Declaration order of the virtual members is left as in the original
 *    because the class is exported through TSK_FRAMEWORK_API.
 */
class TSK_FRAMEWORK_API TskImgDBSqlite : public TskImgDB
{
public:
    // a_outpath: presumably the output directory that will hold the database
    // file. NOTE(review): the members that store paths are char[256];
    // confirm the implementation rejects or truncates longer input safely.
    TskImgDBSqlite(const char * a_outpath);
    virtual ~ TskImgDBSqlite();

    virtual int initialize();
    virtual int open();

    virtual int close();

    // Transaction control; begin() and commit() are expected to be paired
    // by the caller (no rollback member is declared in this class).
    virtual int begin();
    virtual int commit();

    virtual int addToolInfo(const char* name, const char* version);
    virtual int addImageInfo(int type, int sectorSize);
    virtual int addImageName(char const * imgName);
    virtual int addVolumeInfo(const TSK_VS_PART_INFO * vs_part);
    virtual int addFsInfo(int volId, int fsId, const TSK_FS_INFO * fs_info);
    // name and path describe a file found in the image, i.e. data that is
    // not controlled by the examiner. fileId is an output parameter.
    virtual int addFsFileInfo(int fsId, const TSK_FS_FILE *fs_file, const char *name, int type, int idx, uint64_t & fileId, const char * path);

    // runStarts and runLengths are raw arrays with no size of their own;
    // presumably each holds numRuns entries -- confirm against the
    // implementation, since nothing here lets the callee check it.
    virtual int addCarvedFileInfo(int vol_id, const char * name, uint64_t size, uint64_t *runStarts, uint64_t *runLengths, int numRuns, uint64_t & fileId);
    // NOTE(review): the four timestamps are plain int while sizes and ids
    // are uint64_t; confirm the intended range of the time values.
    virtual int addDerivedFileInfo(const std::string& name, const uint64_t parentId,
                                   const bool isDirectory, const uint64_t size, const std::string& details,
                                   const int ctime, const int crtime, const int atime, const int mtime, uint64_t & fileId, std::string path);
    virtual int addFsBlockInfo(int fsID, uint64_t a_mFileId, int count, uint64_t blk_addr, uint64_t len);
    virtual int addAllocUnallocMapInfo(int a_volID, int unallocImgID, uint64_t unallocImgStart, uint64_t length, uint64_t origImgStart);
    virtual int getSessionID() const;
    // Caller supplies the output buffer. presumably a_buffSize is the
    // capacity of a_outBuffer counted in uint64_t elements, not bytes --
    // confirm; a mismatch would let the callee write past the buffer.
    virtual int getFileIds(char *a_fileName, uint64_t *a_outBuffer, int a_buffSize) const;
    virtual int getMaxFileIdReadyForAnalysis(uint64_t a_lastFileId, uint64_t & maxFileId) const;
    virtual int getMinFileIdReadyForAnalysis(uint64_t & minFileId) const;
    virtual uint64_t getFileId(int fsId, uint64_t fs_file_id) const;
    virtual int getFileRecord(const uint64_t fileId, TskFileRecord& fileRecord) const;
    // NOTE(review): returns a raw pointer; who frees it is not stated in
    // this header -- confirm ownership before relying on it.
    virtual SectorRuns * getFileSectors(uint64_t fileId) const;
    virtual std::string getImageBaseName() const;
    virtual std::vector<std::wstring> getImageNamesW() const;
    virtual std::vector<std::string> getImageNames() const;
    virtual int getFileUniqueIdentifiers(uint64_t a_fileId, uint64_t &a_fsOffset, uint64_t &a_fsFileId, int &a_attrType, int &a_attrId) const;
    virtual int getNumVolumes() const;
    virtual int getNumFiles() const;
    virtual int getImageInfo(int & type, int & sectorSize) const;
    virtual int getVolumeInfo(std::list<TskVolumeInfoRecord> & volumeInfoList) const;
    virtual int getFsInfo(std::list<TskFsInfoRecord> & fsInfoList) const;
    virtual int getFileInfoSummary(std::list<TskFileTypeRecord>& fileTypeInfoList) const;
    virtual int getFileInfoSummary(FILE_TYPES fileType, std::list<TskFileTypeRecord> & fileTypeInfoList) const;
    virtual TskImgDB::KNOWN_STATUS getKnownStatus(const uint64_t fileId) const;

    // NOTE(review): file_id and file_offset are int here although file ids
    // are uint64_t elsewhere in this class; large values would be narrowed
    // at the call site. Ownership of the returned pointers is not stated.
    virtual UnallocRun * getUnallocRun(int file_id, int file_offset) const;
    virtual SectorRuns * getFreeSectors() const;

    virtual int updateFileStatus(uint64_t a_file_id, FILE_STATUS a_status);
    virtual int updateKnownStatus(uint64_t a_file_id, KNOWN_STATUS a_status);
    virtual bool dbExist() const;

    // Get set of file ids that match the given condition (i.e. SQL where clause)
    // The condition is SQL text supplied by the caller: escape any string
    // value taken from image data (see quote()) before building it.
    virtual std::vector<uint64_t> getFileIds(const std::string& condition) const;
    virtual const std::vector<TskFileRecord> getFileRecords(const std::string& condition) const;

    // Get the number of files that match the given condition
    virtual int getFileCount(const std::string& condition) const;

    virtual std::map<uint64_t, std::string> getUniqueCarvedFiles(HASH_TYPE hashType) const;
    virtual std::vector<TskCarvedFileInfo> getUniqueCarvedFilesInfo(HASH_TYPE hashType) const;
    virtual std::vector<uint64_t> getCarvedFileIds() const;

    virtual std::vector<uint64_t> getUniqueFileIds(HASH_TYPE hashType) const;
    virtual std::vector<uint64_t> getFileIds() const;

    // NOTE(review): declared const although the name indicates a database
    // write; m_db is a pointer, so const on the object does not prevent it.
    virtual int setHash(const uint64_t a_file_id, const TskImgDB::HASH_TYPE hashType, const std::string& hash) const;
    virtual std::string getCfileName(const uint64_t a_file_id) const;

    virtual int addModule(const std::string& name, const std::string& description, int & moduleId);
    virtual int setModuleStatus(uint64_t file_id, int module_id, int status);
    virtual int getModuleInfo(std::vector<TskModuleInfo> & moduleInfoList) const;
    virtual int getModuleErrors(std::vector<TskModuleStatus> & moduleStatusList) const;
    virtual std::string getFileName(uint64_t file_id) const;

    virtual int addUnallocImg(int & unallocImgId);
    virtual int setUnallocImgStatus(int unallocImgId, TskImgDB::UNALLOC_IMG_STATUS status);
    virtual TskImgDB::UNALLOC_IMG_STATUS getUnallocImgStatus(int unallocImgId) const;
    virtual int getAllUnallocImgStatus(std::vector<TskUnallocImgStatusRecord> & unallocImgStatusList) const;

    virtual int addUnusedSectors(int unallocImgId, std::vector<TskUnusedSectorsRecord> & unusedSectorsList);
    virtual int getUnusedSector(uint64_t fileId, TskUnusedSectorsRecord & unusedSectorsRecord) const;

    // presumably returns str escaped and quoted for use as an SQL string
    // literal -- confirm in the implementation. This is the only escaping
    // helper declared in this class.
    virtual std::string quote(const std::string str) const;

    // TskDBBlackboard is granted access to the protected blackboard
    // methods and to the private members below.
    friend class TskDBBlackboard;

protected:
    // Blackboard methods.
    virtual TskBlackboardArtifact createBlackboardArtifact(uint64_t file_id, int artifactTypeID);
    virtual void addBlackboardAttribute(TskBlackboardAttribute attr);

    virtual void addArtifactType(int typeID, string artifactTypeName, string displayName);
    virtual void addAttributeType(int typeID, string attributeTypeName, string displayName);

    virtual string getArtifactTypeDisplayName(int artifactTypeID);
    virtual int getArtifactTypeID(string artifactTypeString);
    virtual string getArtifactTypeName(int artifactTypeID);
    // presumably `condition` is an SQL WHERE clause as for getFileIds()
    // above -- confirm; the same escaping caveat would then apply.
    virtual vector<TskBlackboardArtifact> getMatchingArtifacts(string condition);

    virtual string getAttributeTypeDisplayName(int attributeTypeID);
    virtual int getAttributeTypeID(string attributeTypeString);
    virtual string getAttributeTypeName(int attributeTypeID);
    // presumably `condition` is an SQL WHERE clause here as well -- confirm.
    virtual vector<TskBlackboardAttribute> getMatchingAttributes(string condition);
    virtual vector<int> findAttributeTypes(int artifactTypeId);
private:
    // Fixed-size path storage; any copy into these must be length-checked.
    char m_outPath[256];
    char m_dbFilePath[256];
    // Raw SQLite connection handle; nothing in this header shows where it
    // is opened or closed (presumably open()/close() -- confirm).
    sqlite3 * m_db;

    int dropTables();

    // presumably registered with SQLite as the busy callback -- confirm;
    // the (void *, int) signature matches what sqlite3_busy_handler expects.
    static int busyHandler(void *, int);
    // NOTE(review): a table name cannot be bound as an SQLite parameter, so
    // tableName is presumably placed into the statement text; confirm that
    // it is only ever called with fixed, internal table names.
    std::vector<uint64_t> getFileIdsWorker(std::string tableName, const std::string condition = "") const;
    void constructStmt(std::string& stmt, std::string condition) const;
    int addUnusedSector(uint64_t sectStart, uint64_t sectEnd, int volId, std::vector<TskUnusedSectorsRecord> & unusedSectorsList);
    // Takes a complete SQL statement assembled by the caller.
    int getFileTypeRecords(const std::string& stmt, std::list<TskFileTypeRecord>& fileTypeInfoList) const;
    virtual vector<TskBlackboardArtifact> getArtifactsHelper(uint64_t file_id, int artifactTypeID, string artifactTypeName);
    // Takes a complete SQL statement assembled by the caller; results is an
    // output map keyed by uint64_t (presumably the file id -- confirm).
    void getCarvedFileInfo(const std::string& stmt, std::map<uint64_t, std::string>& results) const;

    /**
     * A helper function for getUniqueCarvedFilesInfo() that executes a very specific SQL SELECT statement
     * assembled by the caller.
     *
     * @param query The SQL statement.
     * @param getHash A flag indicating whether the SELECT includes a hash value.
     * @param[out] carvedFileInfos The data returned by the query as TskCarvedFileInfo objects.
     * @throws TskException
     */
    void getCarvedFileInfo(const std::string &query, bool getHash, std::vector<TskCarvedFileInfo> &carvedFileInfos) const;

    /**
     * Executes an SQL statement.
     *
     * @param stmtToExecute The SQL statement. It is passed as text, so the caller is
     *        responsible for escaping any value it embeds.
     * @param[out] statement The result set as a sqlite3_stmt object, caller should call sqlite3_finalize() on the pointer in case of normal execution.
     * @param caller The caller in the form <class_name>::<member_function_name> for error messages.
     * @throws TskException
     */
    void executeStatement(const std::string &stmtToExecute, sqlite3_stmt *&statement, const std::string &caller) const;
};

#endif