File: scalpel.h

// Scalpel Copyright (C) 2005-6 by Golden G. Richard III.
// Written by Golden G. Richard III.
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License as
// published by the Free Software Foundation; either version 2 of the
// License, or (at your option) any later version.
// 
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
// General Public License for more details.

// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
// 02110-1301, USA.

// Scalpel is a complete rewrite of the foremost 0.69 file carver to
// increase speed and support execution on machines with minimal
// resources (e.g., < 256MB RAM).
//
// Thanks to Kris Kendall, Jesse Kornblum, et al for their work on
// foremost.
//

#ifndef SCALPEL_H
#define SCALPEL_H
#define SCALPEL_VERSION    "1.60"

// Large-file (LFS) feature-test macros: make off_t/ftello/fseeko 64-bit on
// 32-bit glibc builds so image files >= 2 GiB can be addressed.  Per the
// glibc feature_test_macros(7) convention they only take effect if they are
// seen before the *first* system header, which is why they sit above the
// #includes below and why scalpel.h must be the first include of every .c
// file that does image I/O.  _LARGEFILE_SOURCE / _LARGEFILE64_SOURCE /
// _FILE_OFFSET_BITS are the glibc names; the _USE_* names are presumably
// for other toolchains (not verified here).
#define _USE_LARGEFILE              1
#define _USE_FILEOFFSET64           1
#define _USE_LARGEFILE64            1
#define _LARGEFILE_SOURCE           1
#define _LARGEFILE64_SOURCE         1
#define _FILE_OFFSET_BITS           64

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <ctype.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <time.h>
#include <errno.h>
#include <signal.h>
#include <limits.h>
#include <dirent.h>
#include <stdarg.h>
#include <math.h>
#include "base_name.h"
#include "prioque.h"

//
// GGRIII: WARNING: Scalpel has NOT yet been thoroughly tested on OpenBSD, but is
// known to compile and work correctly on Mac OS X (a BSD variant).
//

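#ifdef __OPENBSD
// This is also the path used for Mac OS X builds (see the warning above).
#define __UNIX
#include <sys/ttycom.h>
#include <sys/param.h>
#include <sys/ioctl.h>
#include <libgen.h>
// off_t on Mac OS X is 64 bits
#define off64_t  off_t      
#endif  /* ifdef __OPENBSD */

#ifdef __LINUX
#define __UNIX
#include <linux/hdreg.h>
#include <libgen.h>
#include <error.h>
#endif  /* ifdef __LINUX */

#ifdef __WIN32
#include <windows.h>
#include <sys/timeb.h>
// NOTE(review): QueryPerformanceCounter() fills a LARGE_INTEGER (tick
// count), not a struct timeval, and the second argument is dropped; a
// caller that reads tv_sec/tv_usec from the result gets ticks, not time.
// Confirm the Win32 timing code in the .c files accounts for this.
#define gettimeofday(A,B) QueryPerformanceCounter(A)
#define ftello   ftello64
#define fseeko   fseeko64
// POSIX sleep() takes seconds, Win32 Sleep() takes milliseconds.  The
// previous `#define sleep Sleep` turned sleep(1) into a 1 ms pause.
#define sleep(S)          Sleep((DWORD)((S) * 1000))
// The previous `#define snprintf _snprintf` was unsafe: MSVCRT's
// _snprintf() does not NUL-terminate the destination when the output is
// truncated or fills the buffer exactly, and returns -1 on truncation.
// Code written against C99 snprintf() would then carry an unterminated
// filename or log string into strlen()/fopen().  This wrapper keeps the
// MSVCRT return value (so callers must still treat n < 0 as truncation,
// not only n >= size) but always terminates a non-empty buffer.
static inline int scalpel_snprintf(char *buf, size_t size, const char *fmt, ...)
{
  va_list ap;
  int n;

  va_start(ap, fmt);
  n = _vsnprintf(buf, size, fmt, ap);
  va_end(ap);
  if (size > 0 && (n < 0 || (size_t)n >= size)) {
    buf[size - 1] = '\0';
  }
  return n;
}
#define snprintf          scalpel_snprintf
// macros for the Windows equivalent UNIX functions.  (No worries
// about lstat to stat; Windows doesn't have symbolic links)
#define lstat(A,B)      stat(A,B)
char *basename(char *path);
extern char *optarg;
extern int optind;
int getopt(int argc, char *const argv[], const char *optstring);

#ifdef __MINGW32__
// NOTE(review): unlike POSIX realpath(), _fullpath() only normalizes the
// string and does not require the path to exist, so a bad image or config
// path is reported later (at open time) rather than here.
#define realpath(A,B)    _fullpath(B,A,PATH_MAX)
#endif

#ifdef __CYGWIN32__
// cygwin_conv_to_full_win32_path() is presumably declared by a Cygwin
// header included from the .c files; nothing here declares it.  The inner
// realpath() is not re-expanded (a macro is not expanded inside its own
// replacement list), so it calls the real library function.
#define realpath(A,B) \
  (getenv ("CYGWIN_USE_WIN32_PATHS") \
   ? (cygwin_conv_to_full_win32_path ((A), (B)), B) \
   : realpath ((A), (B)))
#endif
#endif    /* ifdef __WIN32 */

// NOTE(review): both branches *define* (rather than declare) __progname,
// so every translation unit that includes this header carries a
// definition and the link relies on common-symbol merging, which GCC 10+
// (-fno-common by default) no longer does.  On glibc the C library itself
// exports __progname (alias of program_invocation_short_name), which this
// definition shadows; if the .c files never assign it on glibc,
// `extern char *__progname;` would be the correct form there.  Left
// unchanged because the defining .c side is not visible from this header.
// The name is also in the implementation-reserved namespace (leading
// double underscore).
#ifdef __GLIBC__
char *__progname;
#else
char *__progname;
void setProgramName(char *s);
#endif  /* ifdef __GLIBC__ */

#ifndef __WIN32
#include <sys/mount.h>
#endif 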


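#define TRUE   1
#define FALSE  0

// Footer search direction for a file type (SearchSpecLine.searchtype).
#define SEARCHTYPE_FORWARD      0
#define SEARCHTYPE_REVERSE      1
#define SEARCHTYPE_FORWARD_NEXT 2

// GGRIII: If you like having hair (on your head, not in clumps, in your
// hands), then the following parens are pretty important
//
// KILOBYTE..GIGABYTE stay plain int (2^30 fits in 32 bits).  TERABYTE and
// above were previously computed in int as well, which overflows (2^40
// does not fit): a constraint violation in a constant expression, GCC's
// "integer overflow in expression" warning, and a garbage constant at
// run time.  Promoting the multiplier to unsigned long long from TERABYTE
// upward leaves the smaller constants' types untouched (so existing
// signed comparisons are unaffected) and makes the large ones correct;
// EXABYTE = 2^60 fits in 64 bits.
#define KILOBYTE                  1024
#define MEGABYTE                  (1024 * KILOBYTE)
#define GIGABYTE                  (1024 * MEGABYTE)
#define TERABYTE                  (1024ULL * GIGABYTE)
#define PETABYTE                  (1024ULL * TERABYTE)
#define EXABYTE                   (1024ULL * PETABYTE)

// SIZE_OF_BUFFER indicates how much data to read from an image file
// at a time. With the elimination of "quick" mode in Scalpel, the
// restrictions on divisibility by block size are irrelevant, but they
// don't hurt anything.  (10 MiB, an int, and a multiple of
// SCALPEL_BLOCK_SIZE.)
#define SIZE_OF_BUFFER            (10 * MEGABYTE)

#define SCALPEL_SIZEOFBUFFER_PANIC_STRING \
"PANIC: SIZE_OF_BUFFER has been incorrectly configured.\n"


// Disk block size assumed for block alignment/coverage bookkeeping.
#define SCALPEL_BLOCK_SIZE           512
// Fixed-size line/path buffer length used by the .c files (bound every
// write into such a buffer by this value).
#define MAX_STRING_LENGTH            4096
// Upper bound on distinct header/footer patterns (confirm how enforced
// against MAX_FILE_TYPES in the config parser).
#define MAX_NEEDLES                   254
// Fields per config-file line (suffix, case flag, size, header, footer, ...).
#define NUM_SEARCH_SPEC_ELEMENTS        6
#define MAX_SUFFIX_LENGTH               8
// Maximum number of SearchSpecLine entries (SCALPEL_ERROR_TOO_MANY_TYPES).
#define MAX_FILE_TYPES                100

// Default cap for scalpelState.organizeMaxFilesPerSub (confirm in .c).
#define MAX_FILES_PER_SUBDIRECTORY    1000


// Status codes returned by digImageFile/carveImageFile and friends and
// consumed by handleError().
#define SCALPEL_OK                     0
#define SCALPEL_ERROR_NO_SEARCH_SPEC   1
#define SCALPEL_ERROR_FILE_OPEN        2
#define SCALPEL_ERROR_FILE_READ        3
#define SCALPEL_ERROR_FILE_WRITE       4
#define SCALPEL_ERROR_FILE_CLOSE       5
#define SCALPEL_ERROR_TOO_MANY_TYPES   6
#define SCALPEL_ERROR_FATAL_READ       7
#define SCALPEL_GENERAL_ABORT        999

// Size-unit selectors (indices, not multipliers; pair with the *BYTE
// constants above).
#define UNITS_BYTES                     0
#define UNITS_KILOB                     1
#define UNITS_MEGAB                     2
#define UNITS_GIGAB                     3
#define UNITS_TERAB                     4
#define UNITS_PETAB                     5
#define UNITS_EXAB                      6
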
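// GLOBALS
//
// NOTE(review): these are tentative *definitions*, not extern
// declarations, so every translation unit that includes scalpel.h defines
// them; the link relies on common-symbol merging, which GCC 10+
// (-fno-common by default) no longer performs.  The usual fix is to define
// them once in a .c file and keep only `extern` here, but that needs the
// .c side, which is not visible from this header.

// Set by the signal handler to request an orderly shutdown, polled from
// the carving loops.  `volatile sig_atomic_t` (rather than the former
// plain int) is the one object type the C standard guarantees can be
// written from a signal handler and observed reliably by the interrupted
// code; a plain int may be cached in a register across the polling loop.
// sig_atomic_t is int on the supported platforms, so existing
// `signal_caught = TRUE` / `if (signal_caught)` uses are unaffected.
volatile sig_atomic_t signal_caught; 

// current wildcard character used in header/footer patterns
char wildcard;

// width of tty, for progress bar (set by setttywidth())
int ttywidth;

extern char *__progname;

// The former `extern int errno;` was removed: errno comes from <errno.h>
// (included above), and the C standard permits it to be a macro rather
// than an object, so the redeclaration is redundant on glibc and a
// compile error on libcs whose errno expands to something else.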

// Config-file suffix meaning "write no extension", and the in-memory
// sentinel used for that case.  NOTE(review): '\xFF' stored in a `char`
// is -1 where char is signed and 255 where it is unsigned; a comparison
// against an unsigned char or an int sentinel would behave differently
// across platforms -- confirm how the .c files test for it.
#define SCALPEL_NOEXTENSION_SUFFIX "NONE"
#define SCALPEL_NOEXTENSION '\xFF'

// Default pattern wildcard (see `wildcard` above) and default config
// location.  The default config path is absolute and system-wide; the
// command line presumably overrides it via scalpelState.conffile.
#define SCALPEL_DEFAULT_WILDCARD       '?'
#define SCALPEL_DEFAULT_CONFIG_FILE    "/etc/scalpel/scalpel.conf"

// Default output directory, relative to the current working directory.
#define SCALPEL_DEFAULT_OUTPUT_DIR     "scalpel-output"

// This macro expands to a format string *followed by its argument*, so
// it must be used as the complete argument list of a printf-style call,
// e.g. printf(SCALPEL_BANNER_STRING); it is not a plain string and must
// not be passed through "%s".
#define SCALPEL_BANNER_STRING \
"Scalpel version %s\n"\
"Written by Golden G. Richard III, based on Foremost 0.69.\n", SCALPEL_VERSION

#define SCALPEL_COPYRIGHT_STRING \
"Scalpel is (c) 2005-6 by Golden G. Richard III.\nThis program is based on Foremost 0.69, by Kris Kendall and Jesse Kornblum."

// Refusing a non-empty output directory guarantees that every file in it
// was produced by this run, so no stale or foreign file can be mistaken
// for carved evidence.
#define NONEMPTYDIR_ERROR_MSG  \
"ERROR: You have attempted to use a non-empty output directory. In order\n"\
"       to maintain forensic soundness, this is not allowed.\n"

// During the file carving operations (which occur after an initial
// scan of an image file to build the header/footer database), we want
// to read the image file only once more, sequentially, for all
// carves.  The following structure tracks the filename and first/last
// bytes in the image file for a single file to be carved.  When the
// read buffer includes the first byte of a file, the file is opened
// and the first write occurs.  When the read buffer includes the end
// byte, the last write operation occurs, the file is closed, and the
// struct can be reused.

// *****GGRIII: use of priority field to store these flags and the 
// data structures which track CarveInfo structs needs to be better
// documented

// Carve-state flags describing where a CarveInfo's [start, stop] range
// falls relative to the current read buffer.  Per the note above they are
// stored in the priority field of the queue (prioque.h).  They are
// distinct values, not a bitmask: STARTSTOPCARVE == 3 happens to equal
// STARTCARVE|STOPCARVE, but CONTINUECARVE == 4 breaks any bit-test
// reading, so compare with ==.
#define STARTCARVE      1       // carve operation for this CarveInfo struct
                                // starts in current buffer
#define STOPCARVE       2       // carve operation stops in current buffer
#define STARTSTOPCARVE  3       // carve operation both starts and stops in
                                // current buffer
#define CONTINUECARVE   4       // carve operation includes entire contents
                                // of current buffer

// One in-flight carve.  Per the comment block above, the image is read
// sequentially once for all carves: the output is opened when the read
// buffer reaches `start`, written while the buffer overlaps
// [start, stop], and closed (and the struct reused) once the buffer has
// passed `stop`.
typedef struct CarveInfo {
  char *filename;            // output filename for file to carve
  FILE *fp;                  // output stream for file to carve (a FILE*,
                             // not a descriptor; presumably NULL until the
                             // carve starts -- confirm in dig.c)
  unsigned long long start;  // image offset of first byte in file
  unsigned long long stop;   // image offset of last byte in file (inclusive)
  char chopped;              // is carved file's length constrained
                             // by max file size for type? (i.e., could
                             // the file actually be longer?)
} CarveInfo;


// Each struct SearchSpecLine defines a particular file type,
// including header and footer information.  The following structure,
// SearchSpecOffsets, defines the absolute locations of all matching
// headers and footers for a particular file type.  Because the entire
// header/footer database is built during a single pass over an image
// or device file, the header and footer locations are sorted in
// ascending order.

// Absolute image offsets of every header and footer hit for one file type
// (one SearchSpecLine).  Built during the single scanning pass, so both
// arrays are in ascending offset order (see comment above).  The
// `*storage` fields are the allocated capacity of each array and the
// `num*` fields the used count; the arrays are presumably heap-grown by
// dig.c (not visible here).
typedef struct SearchSpecOffsets {
  unsigned long long *headers;                 // positions of discovered headers
  unsigned long long headerstorage;            // space allocated for this many header offsets
  unsigned long long numheaders;               // # stored header positions
  unsigned long long *footers;                 // positions of discovered footers
  unsigned long long footerstorage;            // space allocated for this many footer offsets
  unsigned long long numfooters;               // # stored footer positions
} SearchSpecOffsets;

// max files to open at once during carving--modify if you get
// a "too many files open" error message during the second carving phase.
// This bounds how many CarveInfo output streams are held open at the same
// time; it must stay below the process's open-file limit (RLIMIT_NOFILE /
// `ulimit -n` on UNIX, the C runtime's stdio stream limit on Win32, hence
// the much smaller Win32 value).
#ifdef __WIN32
#define MAX_FILES_TO_OPEN            20
#else
#define MAX_FILES_TO_OPEN            512
#endif


// One file type from the configuration file: the header ("begin") and
// footer ("end") byte patterns with explicit lengths (carried alongside,
// presumably because patterns may contain NUL bytes), the case flag, the
// maximum carve length, the footer search direction, and the scan results
// accumulated for this type.  The *_bm_table arrays are the skip tables
// filled by init_bm_table() and used by bm_needleinhaystack() ("bm" is
// presumably Boyer-Moore, going by the helper names).
typedef struct SearchSpecLine {
  char *suffix;                  // output filename extension for this type
  int casesensitive;             // TRUE: header/footer bytes must match exactly
  unsigned long long length;     // maximum bytes to carve for this type (confirm)
  char *begin;                   // header pattern
  int beginlength;               // header pattern length in bytes
  size_t begin_bm_table[UCHAR_MAX+1];   // skip table for `begin`, one entry per byte value
  char *end;                     // footer pattern (may be absent; see carveWithMissingFooters)
  int endlength;                 // footer pattern length in bytes
  size_t end_bm_table[UCHAR_MAX+1];     // skip table for `end`
  int searchtype; // FORWARD, NEXT, REVERSE search type for footer
  struct SearchSpecOffsets offsets;        // header/footer hits from the scan pass
  unsigned long long numfilestocarve;      // # files to carve of this type
  unsigned long organizeDirNum;            // subdirectory # for organization 
                                           // of files of this type
} SearchSpecLine;


// All run-time configuration and state for one Scalpel invocation,
// populated from the command line and config file and threaded through
// every dig.c / helpers.c / files.c function.  Meanings below follow the
// field names and the related constants in this header; anything marked
// "confirm" is not established by the header itself.
typedef struct scalpelState {
  char *imagefile;                     // path of the image or device being carved
  char *conffile;                      // config file path (default SCALPEL_DEFAULT_CONFIG_FILE)
  char *outputdirectory;               // output dir (default SCALPEL_DEFAULT_OUTPUT_DIR); must be empty
  int specLines;                       // number of entries in SearchSpec
  struct SearchSpecLine* SearchSpec;   // one entry per file type from the config file
  unsigned long long fileswritten;     // running count of carved files
  int modeVerbose;                     // extra progress/diagnostic output
  int modeNoSuffix;                    // omit the type suffix from output names (confirm)
  FILE *auditFile;                     // audit log stream (see openAuditFile)
  char *invocation;                    // command line as invoked, presumably for the audit log
  unsigned long long skip;             // bytes to skip at the start of the image (see skipInFile)
  char *coveragedirectory;             // output dir for coverage-map results (confirm)
  unsigned int coverageblocksize;      // block size of the coverage map, in bytes
  FILE *coverageblockmap;              // coverage block-map file (use/updateCoverageBlockmap)
  unsigned char *coveragebitmap;       // in-memory coverage map, presumably one bit per block
  unsigned long long coveragenumblocks;// number of blocks tracked in the coverage map
  int useInputFileList;                // TRUE: carve every file named in inputFileList
  char *inputFileList;                 // path of the list of image files
  int carveWithMissingFooters;         // carve types whose footer is never found (confirm limit)
  int noSearchOverlap;                 // disable overlapping header searches (confirm)
  int ignoreEmbedded;                  // skip headers found inside an in-progress carve (confirm)
  int generateHeaderFooterDatabase;    // emit the header/footer offset database
  int updateCoverageBlockmap;          // write the coverage block map after carving
  int useCoverageBlockmap;             // restrict carving to uncovered blocks (confirm)
  int organizeSubdirectories;          // split output into numbered subdirectories
  unsigned long long organizeMaxFilesPerSub;   // files per subdirectory (cf. MAX_FILES_PER_SUBDIRECTORY)
  int blockAlignedOnly;                // accept headers only at multiples of alignedblocksize
  unsigned int alignedblocksize;       // alignment in bytes for blockAlignedOnly
  int previewMode;                     // report carves without writing files (confirm)
} scalpelState;


// one extent for a fragmented file.  'start' and 'stop'
// are real disk image addresses that define the fragment's
// location.

// one extent for a fragmented file.  'start' and 'stop'
// are real disk image addresses that define the fragment's
// location.  Offsets are absolute image offsets in the same units as
// CarveInfo.start/stop; whether `stop` is inclusive is not stated here
// (presumably the same "last byte" convention as CarveInfo -- confirm).
typedef struct Fragment {
  unsigned long long start;   // absolute image offset of the fragment's first byte
  unsigned long long stop;    // absolute image offset of the fragment's end (see note)
} Fragment;

  
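// prototypes for visible dig.c functions

// Compile-time printf-format checking for the variadic logger below:
// -Wformat catches argument/type mismatches and -Wformat-security flags
// non-literal format strings.  Expands to nothing on compilers without
// the GNU attribute.
#if defined(__GNUC__)
#define SCALPEL_PRINTF_LIKE(fmt_idx, first_vararg_idx) \
  __attribute__((format(printf, fmt_idx, first_vararg_idx)))
#else
#define SCALPEL_PRINTF_LIKE(fmt_idx, first_vararg_idx)
#endif

// Pass 1: scan the image once and record header/footer offsets into each
// SearchSpecLine.offsets.  Returns a SCALPEL_* status code.
int digImageFile(struct scalpelState *state);
// Pass 2: re-read the image sequentially and write the carved files.
// Returns a SCALPEL_* status code.
int carveImageFile(struct scalpelState *state);


// prototypes for visible helpers.c functions

// Abort with a diagnostic when a fresh allocation `ptr` is NULL; `line`,
// `file` and `structure` identify the allocation site (presumably passed
// as __LINE__ / __FILE__ -- confirm).
void checkMemoryAllocation(struct scalpelState *state, void *ptr, int line, 
			   char *file, char *structure);
// Advance `infile` past state->skip bytes.  Returns a status code.
int skipInFile(struct scalpelState *state, FILE *infile);
// printf-style logging (to the audit file and/or console -- confirm).
// The format attribute makes the compiler reject argument/type mismatches
// and warn when a non-literal format string is passed, which is the
// classic format-string bug class for loggers that take user-derived text.
void scalpelLog(struct scalpelState *state, char *format, ...)
     SCALPEL_PRINTF_LIKE(2, 3);
// Report a SCALPEL_ERROR_* code to the user (whether it exits: confirm).
void handleError(struct scalpelState *s, int error);
// memcmp()-like compare of `n` bytes in which the global `wildcard`
// character matches any byte; caseSensitive selects exact vs case-folded
// comparison.  (Which operand may carry wildcards is not visible here.)
int memwildcardcmp(const void* s1, const void* s2, 
		   size_t n, int caseSensitive);

// Build the per-byte skip table for `needle` used by bm_needleinhaystack().
void init_bm_table(char *needle, size_t table[UCHAR_MAX + 1], 
		   size_t len, int casesensitive);
// Length of the longest header/footer pattern over all file types
// (presumably bounds the overlap kept between read buffers -- confirm).
int findLongestNeedle(struct SearchSpecLine* SearchSpec);

// Search `haystack` for `needle` using the table from init_bm_table();
// presumably returns a pointer to the first match or NULL.  Lengths are
// explicit, so patterns and data may contain NUL bytes.
char *bm_needleinhaystack(char *needle, size_t needle_len,
                          char *haystack, size_t haystack_len,
                          size_t table[UCHAR_MAX + 1], int casesensitive);
// In-place translation of a config-file pattern (escape sequences);
// returns the resulting length (confirm in helpers.c).
int translate(char *str);
// Pointer to the first non-whitespace character of `str`.
char *skipWhiteSpace(char *str);
// Set the global `ttywidth` for the progress bar.  Declared with (void)
// rather than the old empty parameter list so a stray argument is a
// compile error instead of silently accepted.
void setttywidth(void);

// prototypes for visible files.c functions
// Size in bytes of an open image or device (files.c handles devices,
// where fstat() st_size is not meaningful -- confirm).
unsigned long long measureOpenFile(FILE *f, struct scalpelState *state);
// Open state->auditFile inside the output directory.  Returns a status code.
int openAuditFile(struct scalpelState* state);
// fclose() wrapper returning a status code.
int closeFile(FILE* f);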


// WIN32 string.h weirdness
// strsignal() is POSIX.1-2008 / GNU rather than ISO C, so a strict
// -std=c99/c11 <string.h> does not declare it; it is redeclared here,
// with the const-qualified return type presumably used by the Win32
// runtime this was built against.  A mismatch with the real libc
// prototype would be a compile error, so this is self-checking.
#ifdef __WIN32
extern const char *strsignal(int sig);
#else
extern char *strsignal(int sig);
#endif  /*  ifdef __WIN32 */

#endif   /* ifndef SCALPEL_H */