[sleuthkit-developers] Re: IO Subsystem patch for fstools

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi Brian,
   I have started implementing the changes according to your suggestions, a=
nd=20
Its coming along great. I quite like the method of extending the basic=20
IO_INFO struct with more specific structs and then casting them back and=20
forth. The code has a great OO feeling about it. Thanks for the pointers.

   Attached is an incomplete patch just to check that im on the right track=
=2E=20
Only the fls tool is working with the new system currently, although it=20
should compile ok. Here is a summary of the changes:

1) fls uses the -i commandline paramter to choose the subsystem to use, and=
=20
then gets an IO_INFO object by doing an:
	io=3Dio_open(io_subsys);
	If no subsystem is specified, it uses "standard" which is the current=20
default.

2) options are parsed into the io object by calling: =09
	io_parse_options(io,argv[optind++]);

	(options are option=3Dvalue format or else if they do not contain '=3D', w=
e take=20
it as a filename).

3) Once we parse all of the options, we create an fs object using the io=20
object:
	fs =3D fs_open(io, fstype);

	This will initialise a fs->io paramter with the io subsystem object.=20

4) All filesystem code uses the io object to actually do the reading. e.g.:
	ext2fs->fs_info.io->read_random(ext2fs->fs_info.io, (FS_INFO *) ext2fs,(ch=
ar=20
*) gd, sizeof(ext2fs_gd),offs, "group descriptor");

	the io object has a number of methods. For example:
	io->constructor
	io->read_random
	io->read_block
	This has a cool object oriented feel about it.

5) There is an array in fs_io.c which acts like a class and is initialised =
to=20
produce new objects of all IO_INFO derived types. (i.e. all new io objects=
=20
are basically copies of this struct with extra stuff appended) Eg.

static IO_INFO subsystems[] =3D{
  { "standard","Standard Sleuthkit IO Subsystem", sizeof(IO_INFO_STD),=20
&io_constructor, &free, &std_help, &std_initialiser,  &std_read_block, =20
&std_read_random,  &std_open,  &std_close},

	Note that IO_INFO_STD is a derived object of IO_INFO:
	struct IO_INFO_STD {
 		 IO_INFO io;
		 char *name;
  		int fd;
	};

	i.e. it has the same methods like IO_INFO, but extra attributes. All the=20
other subsystems use this method to add extra attributes to the basic IO_IN=
=46O=20
pointer which is carried around the place as an IO_INFO (cast from=20
IO_INFO_ADV etc).

=46rom a user perspective we can now do this:

=2D Read in a simple dd partition (compatibility with old fls):
fls -r -f linux-ext2 honeypot.hda5.dd

=2D Read in a partition file from a hdd dd image. (i.e. use an offset):
fls -r -i advanced offset=3D100 honeypot.hda5.dd

=2DRead in a split dd file (after splitting with split):
fls -r -i advanced /tmp/xa*
Or (same thing just to emphesize the fact that multiple files can be specif=
ied=20
on the same command line):
fls -r -i advanced /tmp/xaa /tmp/xab /tmp/xac /tmp/xad

=2DRead in an sgziped file:
fls -i sgzip -r -f linux-ext2 honeypot.hda5.dd.sgz

=2D List files in directory inode 62446:
fls -i sgzip -r -f linux-ext2 honeypot.hda5.dd.sgz 62446

Whats left to do:
As I mentioned, this is only an intermediate patch to check that im on the=
=20
right track. These are the things that need to be finished:

1) Add a config file parser option to allow options to be passed from a con=
fig=20
file, ie:
fls -r -c config -i advanced honeypot.hda5.dd

where config is just a files with lines like:
offset=3D1024

2) Change offset to be in blocks (and add a blocks keyword to override the =
fs=20
default).

3) Update all the other tools other than fls to support the new syntax.

4) I also have been working on an expert witness subsystem. Expert witness =
is=20
the format used by encase, ftk etc. I have a filter working atm to convert=
=20
these files to straight dd, but i want to implement a subsystem so we can=20
work on these files directly in sleuthkit. This is coming very soon, maybe=
=20
this weekend. This will obviously require lots of tender loving testing=20
because i only have encase ver 3 to play with.

Please let me know what you think about this. Also let me know if there are=
=20
other things that need to be completed still regards this patch.

  Michael.