Add a get_filesystem_timeline_tsk action.

Author: Spferical

.github/workflows/ci.yml

@@ -21,6 +21,9 @@ jobs:
       - name: 'Install Linux dependencies'
         if: ${{ runner.os == 'Linux' }}
         run: sudo apt install attr e2fsprogs libfuse-dev
+      - name: 'Install macOS dependencies'
+        if: ${{ runner.os == 'macOS' }}
+        run: brew install autoconf automake libtool
       - name: 'Checkout the repository'
         uses: actions/checkout@v2
         with:
@@ -33,7 +36,7 @@ jobs:
           rustc --version
           cargo --version
       - name: 'Build RRG executable'
-        run: cargo build
+        run: cargo build --features 'action-get_filesystem_timeline_tsk'
       # TODO: Add a step that runs tests with all action features disabled.
       - name: 'Run RRG tests'
-        run: cargo test --features 'test-chattr test-setfattr test-fuse test-wtmp'
+        run: cargo test --features 'test-chattr test-setfattr test-fuse test-wtmp action-get_filesystem_timeline_tsk'

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "vendor/sleuthkit"]
+	path = vendor/sleuthkit
+	url = https://github.com/sleuthkit/sleuthkit

Cargo.toml

@@ -3,6 +3,8 @@ members = [
     "./crates/ospect",
     "./crates/rrg",
     "./crates/rrg-proto",
+    "./crates/tsk",
+    "./crates/tsk-sys",
     "./crates/winreg",
     "./crates/wmi",
 ]

crates/ospect/src/fs.rs

@@ -189,7 +189,7 @@ where
 }
 
 /// Information about a mounted filesystem.
-#[derive(Debug)]
+#[derive(Debug, Clone, PartialEq, Eq)]
 pub struct Mount {
     /// Name of the mounted device.
     pub name: String,

crates/rrg-proto/build.rs

@@ -19,6 +19,7 @@ const PROTOS: &'static [&'static str] = &[
     "../../proto/rrg/action/get_file_hash.proto",
     "../../proto/rrg/action/get_file_metadata.proto",
     "../../proto/rrg/action/get_filesystem_timeline.proto",
+    "../../proto/rrg/action/get_filesystem_timeline_tsk.proto",
     "../../proto/rrg/action/get_system_metadata.proto",
     "../../proto/rrg/action/get_tcp_response.proto",
     "../../proto/rrg/action/get_winreg_value.proto",

crates/rrg/Cargo.toml

@@ -36,6 +36,7 @@ action-get_file_metadata-sha256 = ["action-get_file_metadata", "dep:sha2"]
 action-get_file_contents = ["dep:sha2"]
 action-grep_file_contents = []
 action-get_filesystem_timeline = ["dep:flate2", "dep:sha2"]
+action-get_filesystem_timeline_tsk = ["action-get_filesystem_timeline", "dep:tsk"]
 action-get_tcp_response = []
 action-list_connections = []
 action-list_interfaces = []
@@ -65,6 +66,10 @@ path = "../ospect"
 [dependencies.rrg-proto]
 path = "../rrg-proto"
 
+[dependencies.tsk]
+path = "../tsk"
+optional = true
+
 [dependencies.winreg]
 path = "../winreg"
 

crates/rrg/src/action.rs

@@ -30,6 +30,9 @@ pub mod grep_file_contents;
 #[cfg(feature = "action-get_filesystem_timeline")]
 pub mod get_filesystem_timeline;
 
+#[cfg(feature = "action-get_filesystem_timeline_tsk")]
+pub mod get_filesystem_timeline_tsk;
+
 #[cfg(feature = "action-get_tcp_response")]
 pub mod get_tcp_response;
 
@@ -109,6 +112,10 @@ where
         GetFilesystemTimeline => {
             handle(session, request, self::get_filesystem_timeline::handle)
         }
+        #[cfg(feature = "action-get_filesystem_timeline_tsk")]
+        GetFilesystemTimelineTsk => {
+            handle(session, request, self::get_filesystem_timeline_tsk::handle)
+        }
         #[cfg(feature = "action-get_tcp_response")]
         GetTcpResponse => {
             handle(session, request, self::get_tcp_response::handle)