Beispiel #1
0
/* Parses the header values from the xheader, header2 or header section
 * Will parse the first available header in order mentioned above
 * Returns 1 if successful, -1 on error
 */
int8_t libewf_parse_header_values( LIBEWF_HANDLE *handle, uint8_t date_format )
{
	LIBEWF_HEADER_VALUES *header_values     = NULL;
	LIBEWF_INTERNAL_HANDLE *internal_handle = NULL;

	if( handle == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_parse_header_values: invalid handle.\n" );

		return( -1 );
	}
	internal_handle = (LIBEWF_INTERNAL_HANDLE *) handle;

	if( internal_handle->xheader != NULL )
	{
		header_values = libewf_header_values_parse_xheader( internal_handle->xheader, internal_handle->xheader_size, date_format );
	}
	if( ( header_values == NULL ) && internal_handle->header2 != NULL )
	{
		header_values = libewf_header_values_parse_header2( internal_handle->header2, internal_handle->header2_size, date_format );
	}
	if( ( header_values == NULL ) && ( internal_handle->header != NULL ) )
	{
		header_values = libewf_header_values_parse_header( internal_handle->header, internal_handle->header_size, date_format );
	}
	if( header_values == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_parse_header_values: unable to parse header(s) for values.\n" );

		return( -1 );
	}
	if( internal_handle->header_values != NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_parse_header_values: header values already set in handle - cleaning up previous ones.\n" );

		libewf_header_values_free( internal_handle->header_values );
	}
	internal_handle->header_values = header_values;

	/* The EnCase2 and EnCase3 format are the same
	 * only the acquiry software version provides insight in which version of EnCase was used
	 */
	if( ( internal_handle->format == LIBEWF_FORMAT_ENCASE2 )
	 && ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_SOFTWARE_VERSION ] != NULL )
	 && ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_SOFTWARE_VERSION ][ 0 ] == '3' ) )
 	{
		internal_handle->format = LIBEWF_FORMAT_ENCASE3;
	}
	return( 1 );
}
/* Parses the header, header2 and/or xheader section for header values
 * Returns 1 if successful or -1 on error
 */
int libewf_header_sections_parse(
     libewf_header_sections_t *header_sections,
     libewf_io_handle_t *io_handle,
     libfvalue_table_t *header_values,
     uint8_t *format,
     libcerror_error_t **error )
{
	static char *function = "libewf_header_sections_parse";
	int result_header     = 1;
	int result_header2    = 1;
	int result_xheader    = 1;

	if( header_sections == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid header sections.",
		 function );

		return( -1 );
	}
	if( io_handle == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid IO handle.",
		 function );

		return( -1 );
	}
	if( format == NULL )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid format.",
		 function );

		return( -1 );
	}
	/* For EWF version 1 format read all the header sections
	 * and overwrite values by the most specific data
	 * This also applied to the format
	 */
	if( header_sections->header != NULL )
	{
		if( libewf_header_values_parse_header(
		     header_values,
		     header_sections->header,
		     header_sections->header_size,
		     io_handle->header_codepage,
		     format,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to parse header.",
			 function );

			result_header = -1;
		}
	}
	if( header_sections->header2 != NULL )
	{
		if( libewf_header_values_parse_header2(
		     header_values,
		     header_sections->header2,
		     header_sections->header2_size,
		     format,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to parse header2.",
			 function );

			result_header2 = -1;
		}
	}
	if( header_sections->xheader != NULL )
	{
		if( libewf_header_values_parse_xheader(
		     header_values,
		     header_sections->xheader,
		     header_sections->xheader_size,
		     error ) != 1 )
		{
			libcerror_error_set(
			 error,
			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
			 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
			 "%s: unable to parse xheader.",
			 function );

			result_xheader = -1;
		}
		*format = LIBEWF_FORMAT_EWFX;
	}
	if( ( result_header != 1 )
	 && ( result_header2 != 1 )
	 && ( result_xheader != 1 ) )
	{
		return( -1 );
	}
	if( ( result_header != 1 )
	 || ( result_header2 != 1 )
	 || ( result_xheader != 1 ) )
	{
#if defined( HAVE_DEBUG_OUTPUT )
		if( libcnotify_verbose != 0 )
		{
			if( ( error != NULL )
			 && ( *error != NULL ) )
			{
				libcnotify_print_error_backtrace(
				 *error );
			}
		}
#endif
		libcerror_error_free(
		 error );
	}
	return( 1 );
}