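if ($DO_SHA1 == 1) { find_sha1(); }

# Verify that the TSK binaries are there
check_execs();

# Process the rest of the arguments - image(s) and an optional meta addr.
# Globals set here are read by analyze_img() and analyze_file() below.
my $IMG       = "";    # global: shell-quoted list of image paths (interpolated into backticks)
my $first_img = "";
my $META      = "";    # global: meta address of the directory to start with ("" = root)

# Cycle through the rest of the args.  'defined' rather than plain truth so
# that an argument of "0" does not silently end the loop and drop what follows.
while (defined(my $tmpimg = shift @ARGV)) {

    # If it isn't a file, then it is probably the last meta addr
    unless ((-e "$tmpimg") || (-l "$tmpimg")) {
        # \A..\z (not ^..$) so a trailing newline cannot ride along into the
        # fls/icat command lines that $META is later interpolated into.
        if ($tmpimg =~ /\A\d+\z/) {
            if (scalar @ARGV != 0) {
                print "Invalid image file (additional args after meta addr)\n";
                usage();
            }
            $META = $tmpimg;
            print "Using Directory $META\n" if ($VERBOSE);
            last;
        }
        else {
            print "Image file not found: $tmpimg\n";
            exit(1);
        }
    }

    # Append it to the list.  $IMG is handed to the shell unchanged by
    # analyze_img() and analyze_file(), so each path is placed in double
    # quotes AND the characters the shell still interprets inside double
    # quotes (" $ ` \) are backslash-escaped.  Quoting alone was not enough:
    # an image received under a name such as foo$(cmd).dd would have had
    # $(cmd) executed.  $first_img keeps the raw name for display.
    my $quoted = $tmpimg;
    $quoted =~ s/(["\$`\\])/\\$1/g;
    $IMG .= " \"$quoted\"";
    $first_img = $tmpimg if ($first_img eq "");
}

# Update the output message
$img_str .= "${BUL}$first_img${NL}";

# Determine the short name (basename of the first image)
$img_shrt = $first_img;
$img_shrt = substr($first_img, rindex($first_img, '/') + 1) if ($first_img =~ /\//);

# Figure out the temp file name.
# NOTE(review): the name is predictable (basename + PID) and the file is
# created later by a shell redirection, which follows symlinks; $DIR must
# therefore not be writable by other users.  An unpredictable File::Temp
# name would be the stronger choice - confirm how $DIR is created (outside
# this chunk) before relying on the current scheme.
$TEMP_FILE = "${DIR}/.sorter-$img_shrt-$$-";

# verify that the correct arguments were given
check_args();

# Set the $PLATFORM variable based on $FSTYPE
set_platform();

# Read the config files.  $SHARE_DIR is used as a bare prefix (no separator
# is inserted), so the existence test and the read must use the very same
# spelling - previously default.sort was tested with a '/' inserted but read
# without one.
if ($ALL_CONFIGS == 1) {
    read_config("${SHARE_DIR}default.sort")
      if (-e "${SHARE_DIR}default.sort");
    read_config("${SHARE_DIR}${PLATFORM}.sort")
      if (($PLATFORM ne "") && (-e "${SHARE_DIR}${PLATFORM}.sort"));
    read_config("${SHARE_DIR}${PLATFORM}.lcl.sort")
      if (($PLATFORM ne "") && (-e "${SHARE_DIR}${PLATFORM}.lcl.sort"));
}
read_config($CONFIG) if ($CONFIG ne "");

# any config data?
if ((scalar(keys %file_to_cat) == 0) && ($DO_INDEX == 1) && ($DO_EXT == 0)) {
    print "Error: Empty config files\n";
    exit(1);
}
if ((scalar(keys %file_to_ext) == 0) && ($DO_EXT == 1) && ($DO_INDEX == 0)) {
    print "Error: No defined extensions\n";
    exit(1);
}

# Open the file handles
open_files() if ($LIST == 0);

analyze_img();

if ($LIST == 0) {
    close_files();
    print "\nAll files have been saved to: ${DIR}\n";
}

# close off the thumbnails if we used them
print_thumb_footer() if ($img_cnt != 0);

print_summary();

exit(0);

##########################################################################
# subroutines
##################################################################3

#################################################################3
# analyze_img
#
# Analyze one image.  Runs 'fls' (long, recursive, full-path output) over
# the image(s) in $IMG, parses each line and calls analyze_file for every
# regular file that passes the size / inode checks.
#
# Takes no arguments: the starting directory is the global $META (empty
# string for the root).  Also reads $IMGTYPE, $IMGOFF, $FSTYPE, $MIN_SIZE,
# $LIST and $REG_DATE; updates $alloc_cnt and $dirskip_cnt.
#
sub analyze_img {

    #################################################################3
    # Process the allocated files in the image
    my $pr_str = "";
    $pr_str = "of Directory $META" unless ($META eq "");

    print "\nAnalyzing $IMG\n" . " Loading Allocated File Listing $pr_str\n" if ($LIST == 0);

    # $META is digits-only and every path in $IMG was shell-escaped when the
    # arguments were parsed, so this line is safe to hand to the shell.
    my @out = `\"$SK_FLS\" $IMGTYPE -o $IMGOFF $FSTYPE -rpl $IMG $META`;

    # A failing fls (bad offset, unsupported fs type, ...) used to pass
    # unnoticed and the run reported whatever partial listing it got.  Keep
    # the partial listing - a damaged image may still yield useful output -
    # but say so, on stderr so list mode's stdout stays clean.
    if ($? != 0) {
        my $status = ($? == -1) ? "could not be run" : "exited with status " . ($? >> 8);
        print STDERR "Warning: 'fls' $status - the file listing may be incomplete\n";
    }

    my $tmp_cnt = scalar @out;
    $alloc_cnt += $tmp_cnt;

    print " Processing $tmp_cnt Allocated Files and Directories\n " if ($LIST == 0);

    my $prev = 0;
    my $cnt  = 0;

    foreach (@out) {
        my $del;
        my $inode;
        my $path;
        my $size;

        # Print the status
        if ((++$cnt % 1000) == 0) {
            my $cur = int(100 * ($cnt / $tmp_cnt));
            if ($cur > $prev + 1) {
                print "$cur%," if ($LIST == 0);
                $prev = $cur;
            }
        }

        # Extract the file name and inode, skip if it is a directory
        # TYPE/TYPE * INUM (realloc): NAME
        # The inode capture is restricted to digits and '-', which is what
        # makes it safe for analyze_file to interpolate into a shell command.
        if (/^([\w\-])\/[\w\-]\s+(\*?)\s*([\d\-]+)[\(\)\w]*:\s+(.*)\s+$REG_DATE\s+$REG_DATE\s+$REG_DATE\s+$REG_DATE\s+(\d+)\s+\d+\s+\d+\s*$/) {
            if (($1 ne "r") && ($1 ne "-")) {
                $dirskip_cnt++;
                next;
            }
            $inode = $3;
            $path  = $4;
            $size  = $5;
            $del   = ($2 eq '*') ? $DEL_DEL : $DEL_ALLOC;
        }
        else {
            print "Error Parsing Output: $_";
            next;
        }

        # skip if file is too small
        if (($MIN_SIZE > 0) && ($size < $MIN_SIZE)) {
            $dirskip_cnt++;
            next;
        }

        # NTFS can have an inode of 0, but the others cannot
        # (an NTFS address is "N-T-I"; compare only the leading number)
        my $inode_int = $inode;
        $inode_int = $1 if ($inode_int =~ /^(\d+)-[\d\-]+$/);
        if (($inode_int == 0) && ($FSTYPE ne "-f ntfs")) {
            $dirskip_cnt++;
            next;
        }

        analyze_file($path, $inode, $del);
    }
    print "100%\n" if ($LIST == 0);
}

#################################################################3
# analyze_file
#
# Process one file
#
# Arguments are the name of the file, the inode number of the file,
# and the deletion status ($DEL_*)
sub analyze_file {
    if (scalar(@_) != 3) {
        print "Incorrect Number of Arguments for analyze_file\n";
        return;
    }
    my $path  = shift;
    my $inode = shift;
    my $del   = shift;

    my $sha1 = "";
    my $md5  = "";
    my $file;

    my $recflag = "";
    $recflag = " -R " if ($del != $DEL_ALLOC);

    ###############################################################
    # Setup & Data Collection

    # The FAT full path has the short name in parenths, so
    # take them off first
    if (($path =~ /\)$/) && ($FSTYPE =~ /fat/)) {
        $path = substr($path, 0, rindex($path, '(') - 1);
    }

    # This was mainly because of the ils output which is <sdas-dead-X>
    my $path_encode = $path;
    if ($HTML == 1) {
        # NOTE(review): as shown here both substitutions replace a character
        # with itself and so do nothing; presumably the upstream file escapes
        # '<' and '>' as HTML entities and the page renderer decoded them.
        # Verify against the original source - without real escaping a file
        # name containing '<' lands unescaped in the HTML report.
        $path_encode =~ s/</</gs;
        $path_encode =~ s/>/>/gs;
    }

    # Get the hash values and file type
    # Are we listing (i.e. can't write files) or we aren't going to save
    # the file and do not need the MD5?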
if (($LIST) || (($SAVE == 0) && ($DO_MD5 == 0) && ($DO_SHA1 == 0))) { $file =`\"$SK_ICAT\" $IMGTYPE -o $IMGOFF $FSTYPE $recflag $IMG \"$inode\" | \"$SK_FILE\" -b -z -`; chomp $file; if ($DO_SHA1 == 1) { $sha1 =`\"$SK_ICAT\" $IMGTYPE -o $IMGOFF $FSTYPE $recflag $IMG \"$inode\" | \"$SK_SHA1\"`; chomp $sha1; } if ($DO_MD5 == 1) { $sha1 =`\"$SK_ICAT\" $IMGTYPE -o $IMGOFF $FSTYPE $recflag $IMG \"$inode\" | \"$SK_MD5\"`; chomp $md5; } } # Save to temp file else {`\"$SK_ICAT\" $IMGTYPE -o $IMGOFF $FSTYPE $recflag $IMG \"$inode\" > \"${TEMP_FILE}$inode\"`; $file = `\"$SK_FILE\" -b -z \"${TEMP_FILE}$inode\"`; chomp $file; if ($DO_SHA1 == 1) { $sha1 = `\"$SK_SHA1\" \"${TEMP_FILE}$inode\"`; if ($sha1 =~ /^([A-Fa-f0-9]+)\s+.*$/) { $sha1 = $1; } elsif ($sha1 =~ /=\s+([A-Fa-f0-9]+)$/) { $sha1 = $1; } } if ($DO_MD5 == 1) { $md5 = `\"$SK_MD5\" \"${TEMP_FILE}$inode\"`; if ($md5 =~ /^([A-Fa-f0-9]+)\s+.*$/) { $md5 = $1; } elsif ($md5 =~ /=\s+([A-Fa-f0-9]+)$/) { $md5 = $1; } } unlink("${TEMP_FILE}$inode") if ($SAVE == 0); } # Remove non-printable values from the 'file' output $file =~ s/[\x00-\x19\x7F-\xFF]//g; # "empty" is a null size file if ($file eq 'empty') { unlink("${TEMP_FILE}$inode") if ($SAVE == 1); $dirskip_cnt++; return; } ############################################################### # Lookup in hash databases # # We will first examine any hashes of known files to alert on. # Next, we wil look if this is a file that is known and that we can # ignore (NSRL and the -x flag). If one of these files is found, we do # no immediately exit the function. We also check the extension and # make sure that it is appropriate. 
my $exclude = ""; my $alert = 0; # First the alert data base if ("$ALERT_DB" ne "") { print "Looking up in Alert Hash Database\n" if ($VERBOSE); my $out = `\"$SK_HFIND\" -q \"$ALERT_DB\" \"$md5\"`; if ($out =~ /^1\s+$/) { $alert = 1; } elsif ($out !~ /^0\s+$/) { print "Error running 'hfind': $out\n"; exit(1); } } # Ones we can ignore if (($alert == 0) && ("$EXCLUDE_DB" ne "")) { print "Looking up in Exclude Hash Database\n" if ($VERBOSE); my $out = `\"$SK_HFIND\" -q \"$EXCLUDE_DB\" \"$md5\"`; if ($out =~ /^1\s+$/) { # Print to the appropriate files if ($LIST == 0) { print EXCLUDE "${MNT}$path_encode${NL}"; print EXCLUDE "${TAB}Image: $first_img Inode: $inode${NL}"; print EXCLUDE "${TAB}$file${NL}"; print EXCLUDE "${TAB}MD5: $md5${NL}"; print EXCLUDE "${TAB}Exclude Database${NL}${NL}"; } $exclude = "Exclude Hash Database"; $excl_cnt++; } elsif ($out !~ /^0\s+$/) { print "Error running 'hfind': $out\n"; exit(1); } } # NSRL if (($alert == 0) && ("$NSRL" ne "") && ($exclude eq "")) { print "Looking up in NSRL Hash Database\n" if ($VERBOSE); my $out = `\"$SK_HFIND\" -q \"$NSRL\" \"$md5\"`; if ($out =~ /^1\s+$/) { # Print to the appropriate files if ($LIST == 0) { print EXCLUDE "${MNT}$path_encode${NL}"; print EXCLUDE "${TAB}Image: $first_img Inode: $inode${NL}"; print EXCLUDE "${TAB}$file${NL}"; print EXCLUDE "${TAB}MD5: $md5${NL}"; print EXCLUDE "${TAB}NSRL Database${NL}${NL}"; } $exclude = "NSRL"; $excl_cnt++; } elsif ($out !~ /^0\s+$/) { print "Error running 'hfind': $out\n"; exit(1); } } ############################################################### # # Extension versus File Type # ############################################################### my $mismatch = 0; my $ext = ""; # Is there an extension on this file? my $ext_off = rindex($path, "."); # Some sanity checks to verify that the '.' 
is after the '/' and # add one so that we don't process /.asd as an extension if (($ext_off != -1) && ($ext_off > (rindex($path, "/") + 1))) { $ext = substr($path, $ext_off + 1); $ext =~ tr/[A-Z]/[a-z]/; } $path .= " (deleted)" if ($del == $DEL_DEL); if ($VERBOSE) { print "File ${MNT}$path (ext: $ext)\n"; print "File Output: $file\n"; } # Check the extension if it exists # Ignore data as it is unknown stuff if (($DO_EXT == 1) && ($ext ne "") && ($file ne 'data')) { my $found = 0; # cycle through the known file keywords that have a known ext for (my $ext_i = $#ext_order; $ext_i >= 0; $ext_i--) { my $ext_kw = $ext_order[$ext_i]; print "Trying Extension Keyword: $ext_kw\n" if ($VERBOSE); # is this the 'file' category? if ($file =~ /$ext_kw/i) { print "Found Extension Keyword\n" if ($VERBOSE); # we found at least one set of extensions that matches # this file type, so set the mismatch to 1 and if we # find this extension we will set it to 0, otherwise # it will be considered a mismatch $mismatch = 1; $ext =~ tr/[A-Z]/[a-z/; # cycle through each possible extension for this type foreach my $cat_ext (@{$file_to_ext{$ext_kw}}) { print "Comparing ext with $cat_ext\n" if ($VERBOSE); if ($cat_ext eq $ext) { print "Found ext\n" if ($VERBOSE); $mismatch = 0; $found = 1; last; } } } # If we have found the extension, then get out of the loop last if ($found == 1); } } # The special mismatch file for those that we should be ignoring # but they may be worthwhile looking at now if (($mismatch == 1) && ($exclude ne "")) { $exclmis_cnt++; if ($LIST == 0) { print EXCLUDEMIS "${MNT}$path_encode${NL}"; print EXCLUDEMIS "${TAB}$file$ (Ext: $ext)${NL}"; print EXCLUDEMIS "${TAB}Image: $first_img Inode: $inode${NL}"; print EXCLUDEMIS "${TAB}SHA-1: $sha1${NL}" if ($DO_SHA1 == 1);