Refactor UsnJrnl logic

tools/fstools/usnjls.cpp

@@ -13,6 +13,7 @@
 
 #include <locale.h>
 #include "tsk/fs/tsk_fs_i.h"
+#include "tsk/fs/tsk_ntfs.h"
 
 #include <memory>
 

tsk/fs/tsk_fs_i.h

@@ -254,46 +254,6 @@ extern "C" {
     extern void tsk_fs_free(TSK_FS_INFO *);
 
 
-    /****************** NTFS USN Journal Structures ******************/
-
-    /** \name NTFS Update Sequence Number Journal Data Structures */
-    //@{
-
-
-    typedef struct {
-        uint32_t length;
-        uint16_t major_version;
-        uint16_t minor_version;
-
-    } TSK_USN_RECORD_HEADER;
-
-    /**
-    * Function definition used for callback to ntfs_usnjentry_walk().
-    *
-    * @param a_header Pointer to USN header structure.
-    * @param a_record Pointer USN record structure, its type can be deduced
-    *    from the major version number in the header.
-    * @param a_ptr Pointer that was supplied by the caller who called
-    *    ntfs_usnjentry_walk.
-    * @returns Value to identify if walk should continue, stop, or stop because of error
-    */
-    typedef TSK_WALK_RET_ENUM(*TSK_FS_USNJENTRY_WALK_CB) (
-        TSK_USN_RECORD_HEADER *a_header, void *a_record, void *a_ptr);
-
-    extern uint8_t tsk_ntfs_usnjopen(TSK_FS_INFO * fs, TSK_INUM_T inum);
-    extern uint8_t tsk_ntfs_usnjentry_walk(TSK_FS_INFO * fs,
-        TSK_FS_USNJENTRY_WALK_CB action, void *ptr);
-
-    enum TSK_FS_USNJLS_FLAG_ENUM {
-        TSK_FS_USNJLS_NONE = 0x00,
-        TSK_FS_USNJLS_LONG = 0x01,
-        TSK_FS_USNJLS_MAC = 0x02
-    };
-    typedef enum TSK_FS_USNJLS_FLAG_ENUM TSK_FS_USNJLS_FLAG_ENUM;
-    extern uint8_t tsk_fs_usnjls(TSK_FS_INFO * fs, TSK_INUM_T inode,
-        TSK_FS_USNJLS_FLAG_ENUM flags);
-
-
 // Endian macros - actual functions in misc/
 
 #define tsk_fs_guessu16(fs, x, mag)   \

tsk/fs/tsk_ntfs.h

@@ -614,6 +614,10 @@ extern "C" {
 /************************************************************************
 */
 
+    /****************** NTFS USN Journal Structures ******************/
+
+    /** \name NTFS Update Sequence Number Journal Data Structures */
+    //@{
 
     enum TSK_FS_USN_REASON {
         TSK_FS_USN_REASON_DATA_OVERWRITE = 0x00000001,
@@ -640,7 +644,6 @@ extern "C" {
     };
     typedef enum TSK_FS_USN_REASON TSK_FS_USN_REASON;
 
-
     enum TSK_FS_USN_SOURCE_INFO {
         TSK_FS_USN_SOURCE_INFO_DATA_MANAGEMENT = 0x01,
         TSK_FS_USN_SOURCE_INFO_AUXILIARY_DATA = 0x02,
@@ -649,7 +652,6 @@ extern "C" {
     };
     typedef enum TSK_FS_USN_SOURCE_INFO TSK_FS_USN_SOURCE_INFO;
 
-
     enum TSK_FS_NTFS_FILE_ATTRIBUTES {
         TSK_FS_NTFS_FILE_ATTRIBUTE_READONLY = 0x000001,
         TSK_FS_NTFS_FILE_ATTRIBUTE_HIDDEN = 0x000002,
@@ -671,32 +673,65 @@ extern "C" {
     };
     typedef enum TSK_FS_NTFS_FILE_ATTRIBUTES TSK_FS_NTFS_FILE_ATTRIBUTES;
 
-
+    /* V2/V3 Record specific data */
     typedef struct {
-        uint64_t refnum;
-        uint16_t refnum_seq;
-        uint64_t parent_refnum;
-        uint16_t parent_refnum_seq;
-        uint64_t usn;
         uint32_t time_sec;
         uint32_t time_nsec;
-        TSK_FS_USN_REASON reason;
-        TSK_FS_USN_SOURCE_INFO source_info;
         uint32_t security;
         TSK_FS_NTFS_FILE_ATTRIBUTES attributes;
         char *fname;
-
-    } TSK_USN_RECORD_V2;
-
+    } TSK_USN_V3_DATA;
 
     typedef struct {
+        /* Record header */
+        uint32_t length;
+        uint16_t major_version;
+        uint16_t minor_version;
+        /* Record common content */
+        uint64_t refnum;
+        uint32_t refnum_seq;
+        uint64_t parent_refnum;
+        uint32_t parent_refnum_seq;
+        uint64_t usn;
+        TSK_FS_USN_REASON reason;
+        TSK_FS_USN_SOURCE_INFO source_info;
+        /* Version specific fields */
+        union {
+            TSK_USN_V3_DATA v2;
+            TSK_USN_V3_DATA v3;
+        };
+    } TSK_USN_RECORD;
 
+    typedef struct {
         TSK_FS_FILE *fs_file;
         TSK_INUM_T usnj_inum;
         uint32_t bsize;
-
     } NTFS_USNJINFO;
 
+    /**
+    * Function definition used for callback to ntfs_usnjentry_walk().
+    *
+    * @param a_record Pointer USN record structure.
+    * @param a_ptr Pointer that was supplied by the caller who called
+    *    ntfs_usnjentry_walk.
+    * @returns Value to identify if walk should continue, stop, or stop because of error
+    */
+    typedef TSK_WALK_RET_ENUM(*TSK_FS_USNJENTRY_WALK_CB) (
+        TSK_USN_RECORD *a_record, void *a_ptr);
+
+    extern uint8_t tsk_ntfs_usnjopen(TSK_FS_INFO * fs, TSK_INUM_T inum);
+    extern uint8_t tsk_ntfs_usnjentry_walk(TSK_FS_INFO * fs,
+        TSK_FS_USNJENTRY_WALK_CB action, void *ptr);
+
+    enum TSK_FS_USNJLS_FLAG_ENUM {
+        TSK_FS_USNJLS_NONE = 0x00,
+        TSK_FS_USNJLS_LONG = 0x01,
+        TSK_FS_USNJLS_MAC = 0x02
+    };
+    typedef enum TSK_FS_USNJLS_FLAG_ENUM TSK_FS_USNJLS_FLAG_ENUM;
+    extern uint8_t tsk_fs_usnjls(TSK_FS_INFO * fs, TSK_INUM_T inode,
+        TSK_FS_USNJLS_FLAG_ENUM flags);
+
 
 /************************************************************************
 */

tsk/fs/usn_journal.cpp

@@ -18,6 +18,13 @@
 #include "tsk_ntfs.h"
 
 
+typedef struct {
+    uint32_t length;
+    uint16_t major_version;
+    uint16_t minor_version;
+} TSK_USN_RECORD_HEADER;
+
+
 /*
  * Search the next record in the buffer skipping null bytes.
  * Records are alway aligned at 8 bytes.
@@ -35,12 +42,11 @@ search_record(const unsigned char *buf, TSK_OFF_T offset, ssize_t bufsize)
 
 
 /*
- * Convert the record file name from UTF16 to UTF8.
+ * Convert the file name from UTF16 to UTF8.
  * Returns 0 on success, 1 otherwise
  */
-static uint8_t
-parse_fname(const unsigned char *buf, uint16_t nlen,
-            TSK_USN_RECORD_V2 *record, TSK_ENDIAN_ENUM endian)
+static char *
+parse_fname(const unsigned char *buf, uint16_t nlen, TSK_ENDIAN_ENUM endian)
 {
     int ret = 0;
     UTF8 *temp_name = NULL;
@@ -50,7 +56,7 @@ parse_fname(const unsigned char *buf, uint16_t nlen,
     if (record->fname == NULL)
         return 1;
 
-    temp_name = (UTF8*)record->fname;
+    temp_name = (UTF8*)fname;
 
     ret = tsk_UTF16toUTF8(endian,
                           (const UTF16**)&buf, (UTF16*)&buf[src_len],
@@ -60,14 +66,14 @@ parse_fname(const unsigned char *buf, uint16_t nlen,
     if (ret != TSKconversionOK) {
         if (tsk_verbose)
             tsk_fprintf(
-                stderr, "parse_v2_record: USN name to UTF8 conversion error.");
+                stderr, "parse_fname: USN name to UTF8 conversion error.");
 
         record->fname[0] = '\0';
     }
     else
-        record->fname[dst_len] = '\0';
+        fname[dst_len] = '\0';
 
-    return 0;
+    return fname;
 }
 
 
@@ -103,8 +109,8 @@ parse_v2_record(
 
     /* Convert NT timestamp into Unix */
     timestamp = tsk_getu64(endian, &buf[32]);
-    record->time_sec = nt2unixtime(timestamp);
-    record->time_nsec = nt2nano(timestamp);
+    record->v2.time_sec = nt2unixtime(timestamp);
+    record->v2.time_nsec = nt2nano(timestamp);
 
     record->reason = (TSK_FS_USN_REASON) tsk_getu32(endian, &buf[40]);
     record->source_info = (TSK_FS_USN_SOURCE_INFO) tsk_getu32(endian, &buf[44]);
@@ -114,8 +120,9 @@ parse_v2_record(
     /* Extract file name */
     name_length = tsk_getu16(endian, &buf[56]);
     name_offset = tsk_getu16(endian, &buf[58]);
+    record->v2.fname = parse_fname(&buf[name_offset], name_length, endian);
 
-    return parse_fname(&buf[name_offset], name_length, record, endian);
+    return (record->v2.fname == NULL) ? 1 : 0;
 }
 
 
@@ -137,7 +144,7 @@ parse_record(const unsigned char *buf, TSK_USN_RECORD_HEADER *header,
 
         const TSK_WALK_RET_ENUM ret = (*action)(header, &record, ptr);
 
-        free(record.fname);
+        free(record.v2.fname);
 
         return ret;
     }