On Sun, Mar 06, 2016 at 05:42:24PM +0200, Matteo Cafasso wrote:
As discussed in the topic:
https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html
I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth
Kit.
http://www.sleuthkit.org/
The two APIs I'm adding with the patch are a simple example of which type of features
TSK can enable.
A few comments in general terms:
The current splitting of the commits doesn't make much sense to me.
I think it would be better as:
- commit to add TSK to the appliance
- commit to add the icat API
- tests for icat
- commit to add the fls0 API
- tests for fls0
although it would be fine to combine the tests with the new API, or
even have all the tests as a single separate commit (as now).
This benefits you because it will allow patches to go upstream
earlier. For example, a commit to add TSK to the appliance is a
simple and obvious change that I see no problem with. Also the icat
API is closer to being ready than the fls0 API (see below for
explanation).
><fs> fls0 /dev/sda2 /home/noxdafox/disk-content.txt
r/r 15711-128-1:
$Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/desktop.ini
-/r * 60015-128-1:
$Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt
-/r * 60015-128-3:
$Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt:Zone.Identifier
What is `/home/noxdafox/disk-content.txt'?
The problem with this API is it pushes all the parsing up in the
stack, to libguestfs consumers.
In general we'd like to avoid that and have just one place where all
parsing needs to be done (ie. libguestfs itself), so it'd be nicer to
have an API that returns a list of structs (RStructList) with all the
important fields parsed out.
Does TSK have a machine-readable mode? If it does, it'll definitely
make things easier if (eg) JSON or XML output is available. If not,
push upstream to add that to TSK -- it's a simple change for them,
which will make their tools much more usable, a win for everyone.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top