Added -d option to tsk_recover
bcarrier committed Sep 28, 2011
1 parent 8dbe7f1 commit a9a6344
Showing 4 changed files with 41 additions and 28 deletions.
1 change: 1 addition & 0 deletions NEWS.txt
@@ -18,6 +18,7 @@ New Features:
- Need to only specify first E01 file and the rest are found
- Changed docs license to non-commercial
- Unicode conversion routines fix invalid UTF-16 text during conversion
- Added '-d' to tsk_recover to specify directory to recover


Bug Fixes:
6 changes: 5 additions & 1 deletion man/tsk_recover.1
@@ -8,7 +8,9 @@ tsk_recover - Export files from an image into a local directory
.I dev_sector_size
.B ] [-o
.I sector_offset
.B ]
.B ] [-d
.I dir_inum
.B ]
.I image output_dir
.SH DESCRIPTION
.B tsk_recover
@@ -37,6 +39,8 @@ If not given, autodetection methods are used.
Sector offset for a volume to recover (recovers only that volume)
If not given, will attempt to recover all volumes in image and save them
to different folders.
.IP "-d dir_inum"
Directory inum to recover from (must also specify a specific partition using -o or there must not be a volume system)

.SH EXAMPLES
To recover only unallocated files from image.dd to the recovered directory:
16 changes: 4 additions & 12 deletions tools/autotools/tsk_comparedir.cpp
@@ -365,23 +365,15 @@ main(int argc, char **argv1)


case _TSK_T('n'):
inum = (TSK_INUM_T) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || inum <= 0) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: inum must be positive: %s\n"),
OPTARG);
if (tsk_fs_parse_inum(OPTARG, &inum, NULL, NULL, NULL, NULL)) {
tsk_error_print(stderr);
usage();
}
break;

case _TSK_T('o'):
soffset = (TSK_OFF_T) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || soffset < 0) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector offset must be positive: %s\n"),
OPTARG);
if ((soffset = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
usage();
}
break;
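Review bot: The `n` case drops the old `inum <= 0` rejection and now depends entirely on `tsk_fs_parse_inum`, whose definition is not on this page; with `NULL` passed for the type and id outputs, an argument of 0 or one carrying a trailing type/id suffix may now be accepted where it used to be refused. If 0 is still not a meaningful starting directory here, keep the bound explicit: `if (tsk_fs_parse_inum(OPTARG, &inum, NULL, NULL, NULL, NULL) || inum == 0) {`. A short comment on each case saying that the helper is expected to set the TSK error that `tsk_error_print(stderr)` reports would also help, since the message text is no longer visible at the call site. The switch and `main` continue outside this hunk, so whether `cp` is still used afterwards cannot be checked from here.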
46 changes: 31 additions & 15 deletions tools/autotools/tsk_recover.cpp
@@ -21,7 +21,7 @@ usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-vVae] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] image [image] output_dir\n"),
("usage: %s [-vVae] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] [-d dir_inum] image [image] output_dir\n"),
progname);
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
@@ -36,6 +36,8 @@ usage()
"\t-e: Recover all files (allocated and unallocated)\n");
tsk_fprintf(stderr,
"\t-o sector_offset: sector offset for a volume to recover (recovers only that volume)\n");
tsk_fprintf(stderr,
"\t-d dir_inum: Directory inum to recover from (must also specify a specific partition using -o or there must not be a volume system)\n");

exit(1);
}
@@ -52,7 +54,7 @@ class TskRecover:public TskAuto {
virtual TSK_RETVAL_ENUM processFile(TSK_FS_FILE * fs_file, const char *path);
virtual TSK_FILTER_ENUM filterVol(const TSK_VS_PART_INFO * vs_part);
virtual TSK_FILTER_ENUM filterFs(TSK_FS_INFO * fs_info);
uint8_t findFiles(TSK_OFF_T soffset, TSK_FS_TYPE_ENUM a_ftype);
uint8_t findFiles(TSK_OFF_T soffset, TSK_FS_TYPE_ENUM a_ftype, TSK_INUM_T a_dirInum);

private:
TSK_TCHAR * m_base_dir;
@@ -346,14 +348,22 @@ TskRecover::filterFs(TSK_FS_INFO * fs_info)
}

uint8_t
TskRecover::findFiles(TSK_OFF_T a_soffset, TSK_FS_TYPE_ENUM a_ftype)
TskRecover::findFiles(TSK_OFF_T a_soffset, TSK_FS_TYPE_ENUM a_ftype, TSK_INUM_T a_dirInum)
{
uint8_t retval;

if (a_soffset)
retval = findFilesInFs(a_soffset * m_img_info->sector_size, a_ftype);
else
retval = findFilesInImg();
if (a_soffset) {
if (a_dirInum)
retval = findFilesInFs(a_soffset * m_img_info->sector_size, a_ftype, a_dirInum);
else
retval = findFilesInFs(a_soffset * m_img_info->sector_size, a_ftype);
}
else {
if (a_dirInum)
retval = findFilesInFs(0, a_ftype, a_dirInum);
else
retval = findFilesInImg();
}

printf("Files Recovered: %d\n", m_fileCount);
return retval;
@@ -370,6 +380,7 @@ main(int argc, char **argv1)
TSK_OFF_T soffset = 0;
TSK_TCHAR *cp;
TSK_FS_DIR_WALK_FLAG_ENUM walkflag = TSK_FS_DIR_WALK_FLAG_UNALLOC;
TSK_INUM_T dirInum = 0;

#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
@@ -385,7 +396,7 @@ main(int argc, char **argv1)
progname = argv[0];
setlocale(LC_ALL, "");

while ((ch = GETOPT(argc, argv, _TSK_T("ab:ef:i:o:vV"))) > 0) {
while ((ch = GETOPT(argc, argv, _TSK_T("ab:d:ef:i:o:vV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
@@ -408,6 +419,15 @@ main(int argc, char **argv1)
}
break;

case _TSK_T('d'):
if (tsk_fs_parse_inum(OPTARG, &dirInum, NULL, NULL, NULL, NULL)) {
TFPRINTF(stderr,
_TSK_T("invalid argument for directory inode: %s\n"),
OPTARG);
usage();
}
break;

case _TSK_T('e'):
walkflag =
(TSK_FS_DIR_WALK_FLAG_ENUM) (TSK_FS_DIR_WALK_FLAG_UNALLOC |
@@ -442,12 +462,8 @@ main(int argc, char **argv1)
break;

case _TSK_T('o'):
soffset = (TSK_OFF_T) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || soffset < 0) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector offset must be positive: %s\n"),
OPTARG);
if ((soffset = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
usage();
}
break;
@@ -478,7 +494,7 @@ main(int argc, char **argv1)
exit(1);
}

if (tskRecover.findFiles(soffset, fstype)) {
if (tskRecover.findFiles(soffset, fstype, dirInum)) {
tsk_error_print(stderr);
exit(1);
}
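Review bot: In `TskRecover::findFiles` the value 0 of `a_dirInum` doubles as "no -d given", so `-d 0` parses without error in `main` and then falls through to `findFilesInFs(..., a_ftype)` or `findFilesInImg()`, recovering the whole file system or image rather than failing. For an export tool, silently widening the scope the examiner asked for is worth avoiding; either reject it where the option is parsed, `if (tsk_fs_parse_inum(OPTARG, &dirInum, NULL, NULL, NULL, NULL) || dirInum == 0) {`, or carry a separate "directory given" flag if 0 can be a real directory address on some file system. The `d` case also prints its own message instead of calling `tsk_error_print(stderr)` as the `o` case now does, so whatever reason the parser recorded is not shown. Both `main` and the option switch extend beyond the hunks shown.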
