This function allows to download file system data units (blocks) from
the given partition.
The API can be used to detect data hidden within filesystem bad blocks
or slack space.
Moreover for filesystems such as Ext3 and Ext4, this function is the
only way to retrieve deleted files. An example is given in the function
tests.
Signed-off-by: Matteo Cafasso <noxdafox(a)gmail.com>
---
daemon/sleuthkit.c | 41 ++++++++++++++++++++++++++++++++++++++++-
generator/actions.ml | 24 ++++++++++++++++++++++++
gobject/Makefile.inc | 2 ++
src/MAX_PROC_NR | 2 +-
4 files changed, 67 insertions(+), 2 deletions(-)
diff --git a/daemon/sleuthkit.c b/daemon/sleuthkit.c
index 1262b68..eb7f877 100644
--- a/daemon/sleuthkit.c
+++ b/daemon/sleuthkit.c
@@ -32,6 +32,7 @@
static int send_command_output (const char *cmd);
GUESTFSD_EXT_CMD(str_icat, icat);
+GUESTFSD_EXT_CMD(str_blkls, blkls);
int
do_download_inode (const mountable_t *mountable, int64_t inode)
@@ -46,7 +47,8 @@ do_download_inode (const mountable_t *mountable, int64_t inode)
}
/* Construct the command. */
- ret = asprintf(&cmd, "%s -r %s %" PRIi64, str_icat, mountable->device,
inode);
+ ret = asprintf (&cmd, "%s -r %s %" PRIi64,
+ str_icat, mountable->device, inode);
if (ret < 0) {
reply_with_perror ("asprintf");
return -1;
@@ -55,6 +57,43 @@ do_download_inode (const mountable_t *mountable, int64_t inode)
return send_command_output (cmd);
}
+/* Takes optional arguments, consult optargs_bitmask. */
+int
+do_download_blocks (const mountable_t *mountable, int64_t start, int64_t stop,
+ int unallocated)
+{
+ int ret;
+ const char *params;
+ CLEANUP_FREE char *cmd = NULL;
+
+ /* Data unit address start must be greater than 0 */
+ if (start < 0) {
+ reply_with_error ("starting address must be greater than zero");
+ return -1;
+ }
+
+ /* Data unit address stop must be greater than start */
+ if (stop <= start) {
+ reply_with_error ("stopping address must be greater than starting
address");
+ return -1;
+ }
+
+ if (!(optargs_bitmask & GUESTFS_DOWNLOAD_BLOCKS_UNALLOCATED_BITMASK))
+ params = " -e";
+ else
+ params = "";
+
+ /* Construct the command. */
+ ret = asprintf (&cmd, "%s %s %s %" PRIi64 "-%" PRIi64,
+ str_blkls, mountable->device, params, start, stop);
+ if (ret < -0) {
+ reply_with_perror ("asprintf");
+ return -1;
+ }
+
+ return send_command_output (cmd);
+}
+
/* Run the given command, collect the output and send it to the appliance.
* Return 0 on success, -1 on error.
*/
diff --git a/generator/actions.ml b/generator/actions.ml
index e0931b8..b31885f 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -13114,6 +13114,30 @@ fails and the C<errno> is set to C<ENODEV>." };
shortdesc = "walk through the filesystem content";
longdesc = "Internal function for filesystem_walk." };
+ { defaults with
+ name = "download_blocks"; added = (1, 33, 40);
+ style = RErr, [Mountable "device"; Int64 "start"; Int64
"stop"; FileOut "filename"], [OBool "unallocated"];
+ proc_nr = Some 467;
+ optional = Some "sleuthkit";
+ progress = true; cancellable = true;
+ shortdesc = "download the given data units from the disk";
+ longdesc = "\
+Download the data units from F<start> address
+to F<stop> from the disk partition (eg. F</dev/sda1>)
+and save them as F<filename> on the local machine.
+
+The use of this API on sparse disk image formats such as QCOW,
+may result in large zero-filled files downloaded on the host.
+
+The size of a data unit varies across filesystem implementations.
+On NTFS filesystems data units are referred as clusters
+while on ExtX ones they are referred as fragments.
+
+If the optional C<unallocated> flag is true (default is false),
+only the unallocated blocks will be extracted.
+This is useful to detect hidden data or to retrieve deleted files
+which data units have not been overwritten yet." };
+
]
(* Non-API meta-commands available only in guestfish.
diff --git a/gobject/Makefile.inc b/gobject/Makefile.inc
index 77f1614..d422cb0 100644
--- a/gobject/Makefile.inc
+++ b/gobject/Makefile.inc
@@ -68,6 +68,7 @@ guestfs_gobject_headers= \
include/guestfs-gobject/optargs-copy_file_to_file.h \
include/guestfs-gobject/optargs-cpio_out.h \
include/guestfs-gobject/optargs-disk_create.h \
+ include/guestfs-gobject/optargs-download_blocks.h \
include/guestfs-gobject/optargs-e2fsck.h \
include/guestfs-gobject/optargs-fstrim.h \
include/guestfs-gobject/optargs-glob_expand.h \
@@ -156,6 +157,7 @@ guestfs_gobject_sources= \
src/optargs-copy_file_to_file.c \
src/optargs-cpio_out.c \
src/optargs-disk_create.c \
+ src/optargs-download_blocks.c \
src/optargs-e2fsck.c \
src/optargs-fstrim.c \
src/optargs-glob_expand.c \
diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR
index f27d46f..5873851 100644
--- a/src/MAX_PROC_NR
+++ b/src/MAX_PROC_NR
@@ -1 +1 @@
-466
+467
--
2.8.1