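#!/usr/bin/perl -W
#
# Copyright Bart Somers
#
# Find the filtetypes in a forensics image of a filesystem.
# Extract the beginning of the block and run "file" on it. This
# gives a list, including the location in the image, from the type.
#
# Modified to use offsets, blocksizes and a filename.
# Added help and autopsy-address.
#
# $Id: blocktype,v 1.5 2006-05-14 11:49:17 bart Exp $
#
# This software is released under the GPL. The full licence
# can be found at:
# http://www.gnu.org/licenses/licenses.html#GPL
#
use strict;
use warnings;
use Getopt::Long;
use File::Temp ();
use IO::Handle;

# The "block(512)" column is the address as used by the autopsy browser:
# every -b sized block is converted back into units of this many bytes.
my $SECTOR = 512;

# file(1), run once per block on the block contents via a scratch file.
my $FILE = "/usr/bin/file";

my $blocksize = $SECTOR;    # -b: bytes per block, a multiple of $SECTOR
my $offset    = 0;          # -o: blocks (of -b bytes) to skip before scanning
my ( $fname, $help, $sstring );

GetOptions(
    "b=i" => \$blocksize,
    "f=s" => \$fname,
    "o=i" => \$offset,
    "h"   => \$help,
    "s=s" => \$sstring,
) or die "Error parsing options, see -h\n";

if ( defined $help ) {
    print "\nUsage: $0 \n";
    print "-b\tblocksize (in multiplies of 512)\n";
    print "-f\tfilename, filename of image\n";
    print "-o\toffset, offset of where to start (multiplies of blocksize)\n";
    print "-s\tsearch-string. Case is ignored\n";
    print "-h\thelp. This text\n";
    print "\n";
    exit(0);
}

if ( !defined $fname ) {
    print "No filename given. \nExiting.\n";
    exit(1);
}

# A blocksize that is not a multiple of $SECTOR would yield fractional
# autopsy addresses, so reject it up front; likewise a negative offset.
die "Blocksize must be a positive multiple of $SECTOR\n"
    if $blocksize <= 0 || $blocksize % $SECTOR;
die "Offset must not be negative\n" if $offset < 0;
die "$FILE is not executable\n" unless -x $FILE;

# -s is used as a case-insensitive pattern. Compiling it once also means
# an empty pattern is a real empty pattern rather than Perl's
# "re-use the last successful match" special case.
my $search;
if ( defined $sstring ) {
    $search = eval { qr/$sstring/i }
        or die "Invalid search string '$sstring': $@";
}

open( my $in, '<', $fname ) or die "Error opening $fname: $!\n";
binmode $in;

my $multiply = $blocksize / $SECTOR;

# Skip the first $offset blocks with a single seek instead of reading
# them one by one. The block counter starts at $offset so the printed
# datablock numbers are absolute positions within the image.
my $cnt = $offset;
seek( $in, $offset * $blocksize, 0 )
    or die "Error seeking to block $offset in $fname: $!\n";

# Scratch file handed to file(1): unpredictable name, mode 0600, removed
# automatically on exit. RAM-backed /dev/shm is preferred when usable.
my $tmpdir = ( -d "/dev/shm" && -w "/dev/shm" ) ? "/dev/shm" : "/tmp";
my $tmp = File::Temp->new(
    TEMPLATE => 'blk.XXXXXXXX',
    DIR      => $tmpdir,
    UNLINK   => 1,
);
binmode $tmp;
my $tmpfile = $tmp->filename;

print "Reported datablock-unit is from RAW image!\n";
print "The \"block(512)\" is the address used in, i.e., autopsy browser.\n";
print "Identified image: $fname\n";
print "Used blocksize: $blocksize\n";
print "Search string: $sstring\n\n" if ( defined $sstring );
print "datablock\tblock(512)\tidentified as\n\n";

my $buf;
BLOCK:
while (1) {
    my $got = read( $in, $buf, $blocksize );
    die "Error reading $fname: $!\n" unless defined $got;
    last BLOCK unless $got;    # EOF (a final short block is still examined)

    my $datablock = $cnt++;                   # position in units of -b
    my $address   = $datablock * $multiply;   # same position in 512-byte units

    # Overwrite the scratch file with this block and flush it so that
    # file(1) sees the complete contents.
    seek( $tmp, 0, 0 )  or die "Error seeking in $tmpfile: $!\n";
    truncate( $tmp, 0 ) or die "Error truncating $tmpfile: $!\n";
    print {$tmp} $buf   or die "Error writing $tmpfile: $!\n";
    $tmp->flush         or die "Error flushing $tmpfile: $!\n";

    # List-form pipe open: no shell is involved, so the scratch path is
    # passed to file(1) verbatim. -b drops the "filename:" prefix.
    open( my $fh, '-|', $FILE, '-b', $tmpfile )
        or die "Error running $FILE: $!\n";
    my $out = do { local $/; <$fh> };
    close($fh);    # a non-zero exit from file(1) is treated as "no answer"
    $out = '' unless defined $out;
    chomp $out;

    # Plain data and bare ISO-8859 text blocks are noise in an image scan.
    next BLOCK if $out =~ /^data$/;
    next BLOCK if $out =~ /^ISO\-8859 text/;

    if ( defined $search ) {
        print "$datablock: ($address): $out\n" if $out =~ $search;
    }
    else {
        print "$datablock: ($address): $out\n" if $out !~ /^$/;
    }
}

close($in);
exit(0);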