AFF4 support
This PR adds support for AFF4 images to Sleuthkit.
This is a patch of PR #847 which fixes filename encoding for Windows, populates TSK_IMG_INFO::images without leaking memory, and centralizes cleanup after failure to open an image.
Nicely done. Thanks!
bump
bump++
I've fixed the conflict. Could we get this merged, please?
Can you give instructions on getting the aff4 library installed on Linux? I tried a while back but had no luck (I'm not a Linux person though so I may be missing something obvious). We don't want to take it until someone here has verified it works and we can add instructions on installing aff4 to the readme.
Fixed conflict again.
@APriestman What have you
Can you give instructions on getting the aff4 library installed on Linux? I tried a while back but had no luck (I'm not a Linux person though so I may be missing something obvious).
I would need more information about what you tried and how it failed to be able to advise. There's no special configuration for libaff4 in the dynamically-linked stack we build:
./configure
make
make install
Can you show me what happens when you try that?
How did you get the library?
On Mon, Jul 12, 2021 at 12:48 PM Joel Uckelman @.***> wrote:
@APriestman https://github.com/APriestman What have you
Can you give instructions on getting the aff4 library installed on Linux? I tried a while back but had no luck (I'm not a Linux person though so I may be missing something obvious).
I would need more information about what you tried and how it failed to be able to advise. There's no special configuration for libaff4 in the dynamically-linked stack we build:
./configure
make
make install
Can you show me what happens when you try that?
It's here: https://github.com/Velocidex/c-aff4
Fixed conflict again.
It's here: https://github.com/Velocidex/c-aff4
Thanks. The error I get is:
../aff4/rdf.h:20:10: fatal error: spdlog/fmt/ostr.h: No such file or directory
20 | #include <spdlog/fmt/ostr.h>
It seems like the issue is that spdlog doesn't bundle fmt, but I don't understand how to fix it.
It's here: https://github.com/Velocidex/c-aff4
Thanks. The error I get is:
../aff4/rdf.h:20:10: fatal error: spdlog/fmt/ostr.h: No such file or directory
20 | #include <spdlog/fmt/ostr.h>
It seems like the issue is that spdlog doesn't bundle fmt, but I don't understand how to fix it.
I have spdlog/fmt/ostr.h in spdlog 0.17.0. It also seems to be present in 1.5.0, which is the system version I have here. What version are you using?
Hi @uckelman-sf, I have tried your aff4_support branch on macOS 10.15.7. PRIuOFF has been removed since 4.7.0, so compilation errors like the ones below occur:
aff4.c:49:60: error: expected ')'
tsk_error_set_errstr("aff4_image_read - offset: %" PRIuOFF
Besides, several AFF4_* functions have too few arguments:
aff4.c:43:56: error: too few arguments to function call, expected 5, have 4
cnt = AFF4_read(aff4_info->handle, offset, buf, len);
~~~~~~~~~ ^
/usr/local/include/aff4/libaff4-c.h:112:1: note: 'AFF4_read' declared here
ssize_t AFF4_read(AFF4_Handle* handle, uint64_t offset, void* buffer, size_t length, AFF4_Message** msg);
^
@mnrkbys
PRIuOFF has been removed since 4.7.0
I've fixed that.
@mnrkbys I've added some additional commits to deal with the c-aff4 API change, among other things.
Is this ever going to be available in Autopsy...?