libforensic1394

0.2.0

The latest version of libforensic1394 can be found at: https://freddie.witherden.org/tools/libforensic1394/

This API gives you access to the FireWire bus of contemporary operating systems in order to facilitate digital forensics on an attached device. Unlike existing APIs Forensic1394 is:

By omitting features not required in forensic applications (such as isochronous transfers) the API is both simple to use and port. For example the memory of an attached device can be read using the following code:

 forensic1394_bus *bus;
 forensic1394_dev **dev;
 char data[512];

 // Allocate a bus handle
 bus = forensic1394_alloc();
 assert(bus);

 // Enabls SBP-2; required for memory access to some systems
 forensic1394_enable_sbp2(bus);

 // Give the bus time to reinitialise
 sleep(2);

 // Get the devices attached to the systen
 dev = forensic1394_get_devices(bus, NULL, NULL);
 assert(dev);

 // Open the first device
 forensic1394_open_device(dev[0]);

 // Read some memory from the device
 forensic1394_read_device(dev[0], 50 * 1024 * 1024, 512, data);

 // Data now contains 512 bytes of memory starting at an offset of 50MiB

 // Close the device and destroy the bus
 forensic1394_close_device(dev[0]);
 forensic1394_destroy(bus);
Handling bus resets
Bus resets occur when devices are added/removed from the system or when the configuration ROM of a device is updated. The following methods are affected by bus resets:
After a bus reset calls to all three of these methods will result in FORENSIC1394_RESULT_BUS_RESET being returned. Applications should handle this by saving the GUIDs of any devices being accessed and then call forensic1394_get_devices. Calling this will void all device handles. The new list of devices can then be iterated through and their GUIDs compared against saved GUIDs. The GUID of a device can be obtained by calling forensic1394_get_device_guid.
Thread safety
libforensic1394 is thread safe at the device level with the restriction that devices can only be accessed by the thread that opened them. This is because some backends, namely Mac OS X/IOKit, install thread-specific callback dispatchers upon opening a device. When using multiple threads of execution care must be taken when calling forensic1394_get_devices (which closes and destroys any open device handles). It is the responsibility of the caller to ensure that this is safe. The process can be simplified through the use of an ondestroy callback handler.
Author:
Freddie Witherden
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Defines