From a9a6344e82b08caa5f14e69ebe7b1518abbbbf99 Mon Sep 17 00:00:00 2001
From: Brian Carrier
Date: Wed, 28 Sep 2011 17:47:00 +0000
Subject: [PATCH] Added -d option to tsk_recover
---
 NEWS.txt | 1 +
 man/tsk_recover.1 | 6 +++-
 tools/autotools/tsk_comparedir.cpp | 16 +++--------
 tools/autotools/tsk_recover.cpp | 46 ++++++++++++++++++++----------
 4 files changed, 41 insertions(+), 28 deletions(-)
diff --git a/NEWS.txt b/NEWS.txt
index ce9e1f3733..3c3624e4f2 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -18,6 +18,7 @@ New Features:
 - Need to only specify first E01 file and the rest are found
 - Changed docs license to non-commercial
 - Unicode conversion routines fix invalid UTF-16 text during conversion
+- Added '-d' to tsk_recover to specify directory to recover
 Bug Fixes:
diff --git a/man/tsk_recover.1 b/man/tsk_recover.1
index 8e787078d7..c8d682520f 100644
--- a/man/tsk_recover.1
+++ b/man/tsk_recover.1
@@ -8,7 +8,9 @@ tsk_recover - Export files from an image into a local directory
 .I dev_sector_size
 .B ] [-o
 .I sector_offset
-.B ]
+.B ] [-d
+.I dir_inum
+.B ]
 .I image output_dir
 .SH DESCRIPTION
 .B tsk_recover
@@ -37,6 +39,8 @@ If not given, autodetection methods are used. Sector offset for a volume to recover (recovers only that volume) If not given, will attempt to recover all volumes in image and save them to different folders. +.IP "-d dir_inum" +Directory inum to recover from (must also specify a specific partition using -o or there must not be a volume system) .SH EXAMPLES To recover only unallocated files from image.dd to the recovered directory:
diff --git a/tools/autotools/tsk_comparedir.cpp b/tools/autotools/tsk_comparedir.cpp
index 48387d0451..6b3fa4f85f 100644
--- a/tools/autotools/tsk_comparedir.cpp
+++ b/tools/autotools/tsk_comparedir.cpp
@@ -365,23 +365,15 @@ main(int argc, char **argv1)
 case _TSK_T('n'):
- inum = (TSK_INUM_T) TSTRTOUL(OPTARG, &cp, 0);
- if (*cp || *cp == *OPTARG || inum <= 0) {
- TFPRINTF(stderr,
- _TSK_T
- ("invalid argument: inum must be positive: %s\n"),
- OPTARG);
+ if (tsk_fs_parse_inum(OPTARG, &inum, NULL, NULL, NULL, NULL)) {
+ tsk_error_print(stderr);
 usage();
 }
 break;
 case _TSK_T('o'):
- soffset = (TSK_OFF_T) TSTRTOUL(OPTARG, &cp, 0);
- if (*cp || *cp == *OPTARG || soffset < 0) {
- TFPRINTF(stderr,
- _TSK_T
- ("invalid argument: sector offset must be positive: %s\n"),
- OPTARG);
+ if ((soffset = tsk_parse_offset(OPTARG)) == -1) {
+ tsk_error_print(stderr);
 usage();
 }
 break;
diff --git a/tools/autotools/tsk_recover.cpp b/tools/autotools/tsk_recover.cpp
index dd58b50433..4e44372139 100644
--- a/tools/autotools/tsk_recover.cpp
+++ b/tools/autotools/tsk_recover.cpp
@@ -21,7 +21,7 @@ usage()
 {
 TFPRINTF(stderr,
 _TSK_T
- ("usage: %s [-vVae] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] image [image] output_dir\n"),
+ ("usage: %s [-vVae] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] [-d dir_inum] image [image] output_dir\n"),
 progname);
 tsk_fprintf(stderr,
 "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
@@ -36,6 +36,8 @@ usage()
 "\t-e: Recover all files (allocated and unallocated)\n");
 tsk_fprintf(stderr,
 "\t-o sector_offset: sector offset for a volume to recover (recovers only that volume)\n");
+ tsk_fprintf(stderr,
+ "\t-d dir_inum: Directory inum to recover from (must also specify a specific partition using -o or there must not be a volume system)\n");
 exit(1);
 }
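Review bot: The new `-o` check in tsk_comparedir.cpp treats only a return of exactly -1 as an error, whereas the removed code rejected every `soffset < 0`. If `tsk_parse_offset` can return some other negative value, for example for input with a leading minus sign (its body is not part of this patch, so this needs confirming), that value would now be used as a sector offset. Comparing with `< 0` keeps the old guarantee: `if ((soffset = tsk_parse_offset(OPTARG)) < 0) {`. The same line is added for `-o` in tools/autotools/tsk_recover.cpp (the hunk at -442), and the `-n` case here likewise drops the old `inum <= 0` rejection. main() starts and ends outside the hunk.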
@@ -52,7 +54,7 @@ class TskRecover:public TskAuto {
 virtual TSK_RETVAL_ENUM processFile(TSK_FS_FILE * fs_file, const char *path);
 virtual TSK_FILTER_ENUM filterVol(const TSK_VS_PART_INFO * vs_part);
 virtual TSK_FILTER_ENUM filterFs(TSK_FS_INFO * fs_info);
- uint8_t findFiles(TSK_OFF_T soffset, TSK_FS_TYPE_ENUM a_ftype);
+ uint8_t findFiles(TSK_OFF_T soffset, TSK_FS_TYPE_ENUM a_ftype, TSK_INUM_T a_dirInum);
 private:
 TSK_TCHAR * m_base_dir;
@@ -346,14 +348,22 @@ TskRecover::filterFs(TSK_FS_INFO * fs_info)
 }
 uint8_t
-TskRecover::findFiles(TSK_OFF_T a_soffset, TSK_FS_TYPE_ENUM a_ftype)
+TskRecover::findFiles(TSK_OFF_T a_soffset, TSK_FS_TYPE_ENUM a_ftype, TSK_INUM_T a_dirInum)
 {
 uint8_t retval;
- if (a_soffset)
- retval = findFilesInFs(a_soffset * m_img_info->sector_size, a_ftype);
- else
- retval = findFilesInImg();
+ if (a_soffset) {
+ if (a_dirInum)
+ retval = findFilesInFs(a_soffset * m_img_info->sector_size, a_ftype, a_dirInum);
+ else
+ retval = findFilesInFs(a_soffset * m_img_info->sector_size, a_ftype);
+ }
+ else {
+ if (a_dirInum)
+ retval = findFilesInFs(0, a_ftype, a_dirInum);
+ else
+ retval = findFilesInImg();
+ }
 printf("Files Recovered: %d\n", m_fileCount);
 return retval;
@@ -370,6 +380,7 @@ main(int argc, char **argv1)
 TSK_OFF_T soffset = 0;
 TSK_TCHAR *cp;
 TSK_FS_DIR_WALK_FLAG_ENUM walkflag = TSK_FS_DIR_WALK_FLAG_UNALLOC;
+ TSK_INUM_T dirInum = 0;
 #ifdef TSK_WIN32
 // On Windows, get the wide arguments (mingw doesn't support wmain)
@@ -385,7 +396,7 @@ main(int argc, char **argv1)
 progname = argv[0];
 setlocale(LC_ALL, "");
- while ((ch = GETOPT(argc, argv, _TSK_T("ab:ef:i:o:vV"))) > 0) {
+ while ((ch = GETOPT(argc, argv, _TSK_T("ab:d:ef:i:o:vV"))) > 0) {
 switch (ch) {
 case _TSK_T('?'):
 default:
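Review bot: In `TskRecover::findFiles` the sector-to-byte conversion `a_soffset * m_img_info->sector_size` is now written twice and still has no range check, so a very large `-o` value can overflow the signed `TSK_OFF_T` product before it reaches `findFilesInFs`. The four-way nesting can also be flattened, because an offset of 0 multiplied by the sector size is the same 0 that the inner `else` branch passes explicitly. Computing the byte offset once, as sketched below, leaves a single place to add a bound check against the image size. The function's closing brace lies outside the hunk.

```cpp
    uint8_t retval;
    // sector offset -> byte offset, computed once; an offset of 0 stays 0
    const TSK_OFF_T byteOffset = a_soffset * m_img_info->sector_size;

    if (a_dirInum)
        retval = findFilesInFs(byteOffset, a_ftype, a_dirInum);
    else if (a_soffset)
        retval = findFilesInFs(byteOffset, a_ftype);
    else
        retval = findFilesInImg();
    // … unchanged: "Files Recovered" printf and return …
```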
@@ -408,6 +419,15 @@ main(int argc, char **argv1) } break; + case _TSK_T('d'): + if (tsk_fs_parse_inum(OPTARG, &dirInum, NULL, NULL, NULL, NULL)) { + TFPRINTF(stderr, + _TSK_T("invalid argument for directory inode: %s\n"), + OPTARG); + usage(); + } + break; + case _TSK_T('e'): walkflag = (TSK_FS_DIR_WALK_FLAG_ENUM) (TSK_FS_DIR_WALK_FLAG_UNALLOC |
@@ -442,12 +462,8 @@ main(int argc, char **argv1)
 break;
 case _TSK_T('o'):
- soffset = (TSK_OFF_T) TSTRTOUL(OPTARG, &cp, 0);
- if (*cp || *cp == *OPTARG || soffset < 0) {
- TFPRINTF(stderr,
- _TSK_T
- ("invalid argument: sector offset must be positive: %s\n"),
- OPTARG);
+ if ((soffset = tsk_parse_offset(OPTARG)) == -1) {
+ tsk_error_print(stderr);
 usage();
 }
 break;
@@ -478,7 +494,7 @@ main(int argc, char **argv1)
 exit(1);
 }
- if (tskRecover.findFiles(soffset, fstype)) {
+ if (tskRecover.findFiles(soffset, fstype, dirInum)) {
 tsk_error_print(stderr);
 exit(1);
 }
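Review bot: `-d 0` is accepted by the new `case _TSK_T('d')` and then silently ignored: `dirInum` is initialised to 0 and `findFiles` tests `if (a_dirInum)`, so a zero inode falls through to the whole-file-system or whole-image path and recovers far more than was asked for. Either reject it at parse time, `if (tsk_fs_parse_inum(OPTARG, &dirInum, NULL, NULL, NULL, NULL) || dirInum == 0) {`, or carry an explicit "-d was given" flag if inode 0 can be a real directory on some file system. The error branch also prints its own message and drops the library's reason, while the `-n` case in tsk_comparedir.cpp in this same patch calls `tsk_error_print(stderr);` for the same failure. main() begins and ends outside the hunk.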