File: LogicalImagerDateRule.cpp

sleuthkit 4.12.1%2Bdfsg-3
/*
** The Sleuth Kit
**
** Brian Carrier [carrier <at> sleuthkit [dot] org]
** Copyright (c) 2010-2019 Brian Carrier.  All Rights reserved
**
** This software is distributed under the Common Public License 1.0
**
*/

#include <string>
#include <algorithm>
#include <ctime>
#include <stdio.h>
#include <iostream>

#include "LogicalImagerDateRule.h"

/*
* Construct a file date rule.
*
* @param min Minimum date in time_t
* @param max Maximum date in time_t
* @param minDays Minimum days for matching file minDays or newer.
* minDays takes priority over the exact (min and max) dates.
*/

LogicalImagerDateRule::LogicalImagerDateRule(time_t min, time_t max, int minDays)
{
    // The three rule parameters are stored exactly as given; nothing is
    // validated or normalised here (e.g. min > max is not rejected).
    this->m_minDays = minDays;
    this->m_max = max;
    this->m_min = min;
}

LogicalImagerDateRule::~LogicalImagerDateRule()
{
    // Intentionally empty: this destructor performs no cleanup of its own.
}

/**
 * Get the latest time out of (atime, crtime, mtime and ctime) from the file meta
 *
 * @param meta TSK_FS_META of the file
 * @returns time_t of the latest time
 */
time_t LogicalImagerDateRule::getLatestTime(TSK_FS_META *meta) const {
    // Fold the four timestamps pairwise, keeping the largest seen so far.
    // meta is dereferenced without a null check; the caller must pass a
    // valid pointer.
    auto latest = max(meta->atime, meta->crtime);
    latest = max(latest, meta->mtime);
    latest = max(latest, meta->ctime);
    return latest;
}

/**
* Check whether the file's latest time satisfies this rule.
* If minDays is set, the file matches when its latest time is newer than minDays ago.
* Otherwise the file matches when its latest time is within the min and max dates.
* Matching minDays takes priority over min and max dates.
*
* @param fs_file TSK_FS_FILE containing the filename
* @param path parent path to fs_file (unused)
* @returns true if the file matches this rule
*          false otherwise
*/
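bool LogicalImagerDateRule::matches(TSK_FS_FILE *fs_file, const char * /* path */) const
{
    // Without a file or its metadata there are no timestamps to compare.
    if (fs_file == NULL || fs_file->meta == NULL)
        return false;

    // The decision is based on the newest of atime/crtime/mtime/ctime.
    // These values come from file system metadata on the source and can be
    // altered there, so a date match is a triage filter, not evidence of
    // when the file actually changed.
    const time_t latest_time = getLatestTime(fs_file->meta);

    // m_minDays takes priority over explicit date
    if (m_minDays) {
        // Work in epoch seconds instead of round-tripping through a
        // broken-down time: pairing gmtime_s() (UTC) with mktime() (which
        // reads its argument as local time) skews the cutoff by the host's
        // UTC offset, so files near the boundary are wrongly included or
        // excluded depending on the examiner machine's time zone.
        const std::time_t now = std::time(NULL);
        if (now == static_cast<std::time_t>(-1)) {
            std::cerr << "daysAgo failed, m_minDays = " << m_minDays << std::endl;
            return false;
        }

        // Assumes time_t counts seconds; a "day" here is exactly 24 hours.
        const std::time_t secondsPerDay = 24 * 60 * 60;
        // Widen before multiplying so a large m_minDays cannot overflow int.
        const std::time_t daysAgo =
            now - static_cast<std::time_t>(m_minDays) * secondsPerDay;

        return latest_time > daysAgo;
    }

    if (m_max == 0) {
        // no upper limit, check the min date
        // (the lower bound is exclusive here, unlike the range check below)
        return latest_time > m_min;
    }

    // Both bounds are set: the range is inclusive at both ends.
    return latest_time >= m_min && latest_time <= m_max;
}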