Re: [sleuthkit-developers] [sleuthkit-users] TskAuto filterVs
From: Brian C. <ca...@sl...> - 2013-08-22 13:13:50
Hi Robert,

[adding sleuthkit-developers list since this topic is more targeted at that audience]

On Aug 22, 2013, at 6:13 AM, Robert James <sro...@gm...> wrote:

> I'm using TskAuto and would like to implement the filterVs method. I
> have a few questions:
>
> 1. filterVs receives a C structure (const TSK_VS_INFO *). I'd like to
> access it via the C++ TskVsInfo wrapper. But simply doing
> TskVsInfo(vs_info) gives compiler errors due to the const attribute of
> the struct's pointer. There doesn't seem to be a constructor for
> TskVsInfo which takes a const pointer.
>
> How should I initialize the TskVsInfo from the TSK_VS_INFO struct
> passed to filterVs?

It appears that you can't. But, what do you want to do with the TSK_VS_INFO/TskVsInfo struct/class? The main motivation for filterVs is to let the app skip the system or not. If you decide to process it, then you'll get another callback for each partition in filterVol().

To be honest, there are some inconsistencies with how much const is used in the C and C++ classes. The older code doesn't have any uses and it has slowly evolved to use it more in the relevant places. For example, filterFs() doesn't have a const value passed in. Knowing your use case could help to change the design (we've designed these based on our use cases).

> 2. Is filterVs always called? Or can there be a partition or file
> which is not part of any volume system? If it's not always called,
> how should I set the TskVsInfo pointer to NULL? Simple assignment
> gives error: "error: ‘TskVsInfo::TskVsInfo(const TskVsInfo&)’ is
> private".

filterVs is called only if a file system is detected. If you point TskAuto at a logical partition (i.e. just a file system with no volume system around it), then filterVs will never be called. If you look at TskAutoDb::filterFs (in tsk/auto/auto_db.cpp), it has logic to see if filterVol was previously called. The TskAutoDb class keeps internal state to know if it is operating inside of a volume or not.

Hope this helps. If this gets more into the weeds, let's drop the sleuthkit-users list off.

brian
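The state-tracking approach described in the reply, as an added example that is not part of the original message or of The Sleuth Kit's code: the callbacks copy the fields they need out of the const struct and set flags, so no TskVsInfo wrapper or NULL pointer is required. The enum and struct declarations are constructed stand-ins for the libtsk types, and `VolumeContext` and `replay` are hypothetical names.

```cpp
#include <cstdint>
#include <cstdio>
// Stand-in declarations (constructed) so the sketch compiles without libtsk.
// With The Sleuth Kit installed, include <tsk/libtsk.h> and derive from TskAuto.
enum TSK_FILTER_ENUM { TSK_FILTER_CONT, TSK_FILTER_STOP, TSK_FILTER_SKIP };
struct TSK_VS_INFO { int vstype; unsigned block_size; uint32_t part_count; };
struct TSK_VS_PART_INFO { uint32_t addr; uint64_t start; uint64_t len; };
struct TSK_FS_INFO { uint64_t offset; };

// Hypothetical class: keeps its own state across the filter callbacks.
class VolumeContext {
public:
    TSK_FILTER_ENUM filterVs(const TSK_VS_INFO *vs) {
        // Copy the fields needed later; the const pointer is not wrapped or stored.
        vsSeen = true;
        vsType = vs->vstype; partCount = vs->part_count;
        return TSK_FILTER_CONT;
    }
    TSK_FILTER_ENUM filterVol(const TSK_VS_PART_INFO *part) {
        volSeen = true;
        curPart = part->addr;
        return TSK_FILTER_CONT;
    }
    TSK_FILTER_ENUM filterFs(TSK_FS_INFO *) {
        // No earlier filterVol call: the file system is not inside a volume.
        fsInVolume = volSeen;
        return TSK_FILTER_CONT;
    }
    bool vsSeen = false, volSeen = false, fsInVolume = false;
    int vsType = 0;
    uint32_t partCount = 0, curPart = 0;
};

// Replays the callback order for an image with (true) or without (false) a volume system.
VolumeContext replay(bool hasVolumeSystem) {
    VolumeContext ctx;
    TSK_VS_INFO vs{1, 512, 2};                 // constructed sample values
    TSK_VS_PART_INFO part{1, 2048, 204800};
    TSK_FS_INFO fs{hasVolumeSystem ? 1048576u : 0u};
    if (hasVolumeSystem) { ctx.filterVs(&vs); ctx.filterVol(&part); }
    ctx.filterFs(&fs);
    return ctx;
}

int main() {
    VolumeContext a = replay(true), b = replay(false);
    std::printf("disk: vs=%d inVol=%d  logical: vs=%d inVol=%d\n", a.vsSeen, a.fsInVolume, b.vsSeen, b.fsInVolume);
}
```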