PyMODINIT_FUNC initpyewf( void ) { PyObject* module = NULL; PyTypeObject *type_object = NULL; /* Create module */ module = Py_InitModule3( "pyewf", pyewf_module_methods, "Python libewf module." ); /* Setup pyewf_file type */ pyewf_type_object.tp_new = PyType_GenericNew; if( PyType_Ready( &pyewf_type_object ) < 0 ) { return; } Py_INCREF( &pyewf_type_object ); type_object = &pyewf_type_object; PyModule_AddObject( module, "pyewf_file", (PyObject *) type_object ); libewf_set_notify_values( stderr, 1 ); }
TSK_IMG_INFO * ewf_open(int a_num_img, const TSK_TCHAR * const a_images[], unsigned int a_ssize) { #if defined( HAVE_LIBEWF_V2_API ) char error_string[TSK_EWF_ERROR_STRING_SIZE]; libewf_error_t *ewf_error = NULL; int result = 0; #elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif IMG_EWF_INFO *ewf_info = NULL; TSK_IMG_INFO *img_info = NULL; #if !defined( HAVE_LIBEWF_V2_API) if (tsk_verbose) libewf_set_notify_values(stderr, 1); #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; // See if they specified only the first of the set... ewf_info->used_ewf_glob = 0; if (a_num_img == 1) { #if defined( HAVE_LIBEWF_V2_API) #ifdef TSK_WIN32 if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images, &ewf_info->num_imgs, &ewf_error) == -1) { #else if (libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images, &ewf_info->num_imgs, &ewf_error) == -1) { #endif tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)", error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); return NULL; } #else //use v1 #ifdef TSK_WIN32 ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #else ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #endif if (ewf_info->num_imgs <= 0) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an E01 glob name"); tsk_img_free(ewf_info); return NULL; } #endif // end v1 ewf_info->used_ewf_glob = 1; if (tsk_verbose) tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs); } else { int i; ewf_info->num_imgs = a_num_img; if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL) { tsk_img_free(ewf_info); return NULL; } for (i = 0; i < a_num_img; i++) { if ((ewf_info->images[i] = (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) + 1) * sizeof(TSK_TCHAR))) == NULL) { tsk_img_free(ewf_info); return NULL; } TSTRNCPY(ewf_info->images[i], a_images[i], TSTRLEN(a_images[i]) + 1); } } #if defined( HAVE_LIBEWF_V2_API ) // Check the file signature before we call the library open #if defined( TSK_WIN32 ) if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1) #else if (libewf_check_file_signature(a_images[0], &ewf_error) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open: Not an EWF file (%s)", error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Not an EWF file\n"); } return (NULL); } if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error initializing handle (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Unable to create EWF handle\n"); } return (NULL); } #if defined( TSK_WIN32 ) if (libewf_handle_open_wide(ewf_info->handle, (wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1) #else if (libewf_handle_open(ewf_info->handle, (char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return (NULL); } if (libewf_handle_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size), &ewf_error) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle, (uint8_t *) ewf_info->md5hash, 33, &ewf_error); if (result == -1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting MD5 of image (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } ewf_info->md5hash_isset = result; #else // V1 API // Check the file signature before we call the library open #if defined( TSK_WIN32 ) if (libewf_check_file_signature_wide(a_images[0]) != 1) #else if (libewf_check_file_signature(a_images[0]) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an EWF file"); tsk_img_free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined( TSK_WIN32 ) ewf_info->handle = libewf_open_wide( (wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open( (char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening", ewf_info->images[0]); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return (NULL); } #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) // 2007 version img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); #else // libewf-20080322 version if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image", ewf_info->images[0]); tsk_img_free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator = 0; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) { ewf_info->md5hash[md5_string_iterator++] = '0' + (char) digit; } else { ewf_info->md5hash[md5_string_iterator++] = 'a' + (char) (digit - 10); } digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) { ewf_info->md5hash[md5_string_iterator++] = '0' + (char) digit; } else { ewf_info->md5hash[md5_string_iterator++] = 'a' + (char) (digit - 10); } } ewf_info->md5hash_isset = 1; } #endif /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */ #endif /* defined( HAVE_LIBEWF_V2_API ) */ if (a_ssize != 0) { img_info->sector_size = a_ssize; } else { img_info->sector_size = 512; } img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = &ewf_image_read; img_info->close = &ewf_image_close; img_info->imgstat = &ewf_image_imgstat; // initialize the read lock tsk_init_lock(&(ewf_info->read_lock)); return (img_info); }
disk_t *fewf_init(const char *device, const int mode) { unsigned int num_files=0; char **filenames= NULL; disk_t *disk=NULL; struct info_fewf_struct *data; #if !defined( HAVE_LIBEWF_V2_API ) && defined( HAVE_GLOB_H ) glob_t globbuf; #endif data=(struct info_fewf_struct *)MALLOC(sizeof(struct info_fewf_struct)); memset(data, 0, sizeof(struct info_fewf_struct)); data->file_name = strdup(device); data->handle=NULL; data->mode = mode; #ifdef DEBUG_EWF #if defined( HAVE_LIBEWF_V2_API ) libewf_notify_set_stream( stderr, NULL ); libewf_notify_set_verbose( 1 ); #else libewf_set_notify_values( stderr, 1 ); #endif #endif #if defined( HAVE_LIBEWF_V2_API ) if( libewf_glob( data->file_name, strlen(data->file_name), LIBEWF_FORMAT_UNKNOWN, &filenames, (int *)&num_files, NULL ) != 1 ) { log_error("libewf_glob failed\n"); free(data); return NULL; } #elif defined( HAVE_GLOB_H ) { globbuf.gl_offs = 0; glob(data->file_name, GLOB_DOOFFS, NULL, &globbuf); if(globbuf.gl_pathc>0) { filenames=(char **)MALLOC(globbuf.gl_pathc * sizeof(*filenames)); for (num_files=0; num_files<globbuf.gl_pathc; num_files++) { filenames[num_files]=globbuf.gl_pathv[num_files]; } } } if(filenames==NULL) { globfree(&globbuf); free(data); return NULL; } #else { filenames=(char **)MALLOC(1*sizeof(*filenames)); filenames[num_files] = data->file_name; num_files++; } #endif if((mode&TESTDISK_O_RDWR)==TESTDISK_O_RDWR) { #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_initialize( &( data->handle ), NULL ) != 1 ) { log_error("libewf_handle_initialize failed\n"); libewf_glob_free( filenames, num_files, NULL ); free(data); return NULL; } if( libewf_handle_open( data->handle, filenames, num_files, LIBEWF_OPEN_READ_WRITE, NULL ) != 1 ) { log_error("libewf_handle_open(%s) failed\n", device); } #else data->handle=libewf_open(filenames, num_files, LIBEWF_OPEN_READ_WRITE); if(data->handle==NULL) { log_error("libewf_open(%s) failed\n", device); } #endif /* defined( HAVE_LIBEWF_V2_API ) */ } if(data->handle==NULL) { data->mode&=~TESTDISK_O_RDWR; #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_initialize( &( data->handle ), NULL ) != 1 ) { log_error("libewf_handle_initialize failed\n"); libewf_glob_free( filenames, num_files, NULL ); free(data); return NULL; } if( libewf_handle_open( data->handle, filenames, num_files, LIBEWF_OPEN_READ, NULL ) != 1 ) { log_error("libewf_handle_open(%s) failed\n", device); libewf_handle_free( &( data->handle ), NULL ); libewf_glob_free( filenames, num_files, NULL ); free(data); return NULL; } #else data->handle=libewf_open(filenames, num_files, LIBEWF_OPEN_READ); if(data->handle==NULL) { log_error("libewf_open(%s) failed\n", device); #if defined( HAVE_GLOB_H ) globfree(&globbuf); #endif free(filenames); free(data); return NULL; } #endif /* defined( HAVE_LIBEWF_V2_API ) */ } #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_set_header_values_date_format( data->handle, LIBEWF_DATE_FORMAT_DAYMONTH, NULL ) != 1 ) { log_error("%s Unable to set header values date format\n", device); } #else if( libewf_parse_header_values( data->handle, LIBEWF_DATE_FORMAT_DAYMONTH) != 1 ) { log_error("%s Unable to parse EWF header values\n", device); } #endif disk=(disk_t *)MALLOC(sizeof(*disk)); init_disk(disk); disk->arch=&arch_none; disk->device=strdup(device); disk->data=data; disk->description=fewf_description; disk->description_short=fewf_description_short; disk->pread_fast=fewf_pread_fast; disk->pread=fewf_pread; disk->pwrite=(data->mode&TESTDISK_O_RDWR?fewf_pwrite:fewf_nopwrite); disk->sync=fewf_sync; disk->access_mode=(data->mode&TESTDISK_O_RDWR); disk->clean=fewf_clean; #if defined( HAVE_LIBEWF_V2_API ) || defined( LIBEWF_GET_BYTES_PER_SECTOR_HAVE_TWO_ARGUMENTS ) { uint32_t bytes_per_sector = 0; #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_get_bytes_per_sector( data->handle, &bytes_per_sector, NULL ) != 1 ) #else if( libewf_get_bytes_per_sector(data->handle, &bytes_per_sector)<0) #endif { disk->sector_size=DEFAULT_SECTOR_SIZE; } else { disk->sector_size=bytes_per_sector; } } #else disk->sector_size=libewf_get_bytes_per_sector(data->handle); #endif // printf("libewf_get_bytes_per_sector %u\n",disk->sector_size); if(disk->sector_size==0) disk->sector_size=DEFAULT_SECTOR_SIZE; /* Set geometry */ disk->geom.cylinders=0; disk->geom.heads_per_cylinder=1; disk->geom.sectors_per_head=1; disk->geom.bytes_per_sector=disk->sector_size; /* Get disk_real_size */ #if defined( HAVE_LIBEWF_V2_API ) || defined( LIBEWF_GET_MEDIA_SIZE_HAVE_TWO_ARGUMENTS ) { size64_t media_size = 0; #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_get_media_size( data->handle, &media_size, NULL ) != 1 ) #else if(libewf_get_media_size(data->handle, &media_size)<0) #endif { disk->disk_real_size=0; } else { disk->disk_real_size=media_size; } } #else disk->disk_real_size=libewf_get_media_size(data->handle); #endif update_disk_car_fields(disk); #if defined( HAVE_LIBEWF_V2_API ) libewf_glob_free( filenames, num_files, NULL ); #else #if defined( HAVE_GLOB_H ) globfree(&globbuf); #endif free(filenames); #endif return disk; }
int main( int argc, char * const argv[] ) #endif { #ifndef HAVE_GLOB_H EWFGLOB *glob = NULL; int32_t glob_count = 0; #endif LIBEWF_HANDLE *handle = NULL; uint8_t *buffer = NULL; INT_T option = 0; int64_t count = 0; uint64_t size = 0; uint64_t alter_offset = 0; uint64_t alter_size = 0; uint8_t swap_byte_pairs = 0; uint8_t verbose = 0; ewfsignal_initialize(); fprintf( stderr, "ewfalter is for expirimental usage only.\n" ); ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfalter" ) ); while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "hsqvV" ) ) ) != (INT_T) -1 ) { switch( option ) { case (INT_T) '?': default: fprintf( stderr, "Invalid argument: %" PRIs ".\n", argv[ optind ] ); usage(); return( EXIT_FAILURE ); case (INT_T) 'h': usage(); return( EXIT_SUCCESS ); case (INT_T) 's': swap_byte_pairs = 1; break; case (INT_T) 'q': break; case (INT_T) 'v': verbose = 1; break; case (INT_T) 'V': ewfcommon_copyright_fprint( stderr ); return( EXIT_SUCCESS ); } } if( optind == argc ) { fprintf( stderr, "Missing EWF image file(s).\n" ); usage(); return( EXIT_FAILURE ); } libewf_set_notify_values( stderr, verbose ); #ifndef HAVE_GLOB_H glob = ewfglob_alloc(); if( glob == NULL ) { fprintf( stderr, "Unable to create glob.\n" ); return( EXIT_FAILURE ); } glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) ); if( glob_count <= 0 ) { fprintf( stderr, "Unable to resolve glob.\n" ); ewfglob_free( glob ); return( EXIT_FAILURE ); } handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ_WRITE ); ewfglob_free( glob ); #else handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ_WRITE ); #endif if( handle == NULL ) { fprintf( stderr, "Unable to open EWF image file(s).\n" ); return( EXIT_FAILURE ); } if( libewf_set_swap_byte_pairs( handle, swap_byte_pairs ) != 1 ) { fprintf( stderr, "Unable to set swap byte pairs in handle.\n" ); return( EXIT_FAILURE ); } size = libewf_get_media_size( handle ); if( size == 0 ) { fprintf( stderr, "Error altering data from EWF file(s) - media size is 0.\n" ); return( EXIT_FAILURE ); } /* Request the necessary case data */ fprintf( stderr, "Information for alter required, please provide the necessary input\n" ); alter_offset = ewfcommon_get_user_input_size_variable( stderr, _S_LIBEWF_CHAR( "Start altering at offset" ), 0, size, 0 ); alter_size = ewfcommon_get_user_input_size_variable( stderr, _S_LIBEWF_CHAR( "Amount of bytes to alter" ), 0, size, size ); buffer = libewf_common_alloc( alter_size * sizeof( uint8_t ) ); if( buffer == NULL ) { fprintf( stderr, "Unable to allocate buffer.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_common_memset( buffer, 'X', alter_size ) == NULL ) { fprintf( stderr, "Unable to set buffer.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } count = libewf_write_random( handle, buffer, alter_size, alter_offset ); if( count <= -1 ) { fprintf( stderr, "Alteration failed.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } fprintf( stderr, "Alteration completed.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); return( EXIT_FAILURE ); } return( EXIT_SUCCESS ); }
int main( int argc, char * const argv[] ) #endif { #if defined(HAVE_UUID_UUID_H) && defined(HAVE_LIBUUID) uint8_t guid[ 16 ]; #endif CHAR_T *filenames[ 1 ] = { "stream" }; LIBEWF_HANDLE *handle = NULL; LIBEWF_CHAR *calculated_md5_hash_string = NULL; LIBEWF_CHAR *calculated_sha1_hash_string = NULL; LIBEWF_CHAR *case_number = NULL; LIBEWF_CHAR *description = NULL; LIBEWF_CHAR *evidence_number = NULL; LIBEWF_CHAR *examiner_name = NULL; LIBEWF_CHAR *notes = NULL; LIBEWF_CHAR *acquiry_operating_system = NULL; LIBEWF_CHAR *acquiry_software_version = NULL; CHAR_T *option_case_number = NULL; CHAR_T *option_description = NULL; CHAR_T *option_examiner_name = NULL; CHAR_T *option_evidence_number = NULL; CHAR_T *option_notes = NULL; CHAR_T *time_string = NULL; CHAR_T *end_of_string = NULL; void *callback = &ewfcommon_stream_process_status_fprint; INT_T option = 0; size_t string_length = 0; time_t timestamp_start = 0; time_t timestamp_end = 0; int64_t segment_file_size = ( 650 * 1024 ); int64_t count = 0; uint64_t acquiry_offset = 0; uint64_t acquiry_size = 0; uint64_t sectors_per_chunk = 64; uint32_t sector_error_granularity = 64; int8_t compression_level = LIBEWF_COMPRESSION_NONE; int8_t result_md5_hash = 0; int8_t result_sha1_hash = 0; uint8_t media_type = LIBEWF_MEDIA_TYPE_FIXED; uint8_t volume_type = LIBEWF_VOLUME_TYPE_LOGICAL; uint8_t compress_empty_block = 0; uint8_t libewf_format = LIBEWF_FORMAT_ENCASE5; uint8_t wipe_block_on_read_error = 0; uint8_t read_error_retry = 2; uint8_t swap_byte_pairs = 0; uint8_t seek_on_error = 0; uint8_t calculate_sha1 = 0; uint8_t verbose = 0; ewfsignal_initialize(); ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfacquirestream" ) ); while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "b:c:C:d:D:e:E:f:hm:M:N:sS:t:vV" ) ) ) != (INT_T) -1 ) { switch( option ) { case (INT_T) '?': default: fprintf( stderr, "Invalid argument: %" PRIs "\n", argv[ optind ] ); usage(); return( EXIT_FAILURE ); case (INT_T) 'b': if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "32768" ), 5 ) == 0 ) { sectors_per_chunk = 32768; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "16384" ), 5 ) == 0 ) { sectors_per_chunk = 16384; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "8192" ), 4 ) == 0 ) { sectors_per_chunk = 8192; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "4096" ), 4 ) == 0 ) { sectors_per_chunk = 4096; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "2048" ), 4 ) == 0 ) { sectors_per_chunk = 2048; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "1024" ), 4 ) == 0 ) { sectors_per_chunk = 1024; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "512" ), 3 ) == 0 ) { sectors_per_chunk = 512; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "256" ), 3 ) == 0 ) { sectors_per_chunk = 256; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "128" ), 3 ) == 0 ) { sectors_per_chunk = 128; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "64" ), 2 ) == 0 ) { sectors_per_chunk = 64; } else { fprintf( stderr, "unsuported amount of sectors per chunk defaulting to 64.\n" ); } break; case (INT_T) 'c': if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "none" ), 4 ) == 0 ) { compression_level = LIBEWF_COMPRESSION_NONE; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "empty_block" ), 11 ) == 0 ) { compress_empty_block = 1; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "fast" ), 4 ) == 0 ) { compression_level = LIBEWF_COMPRESSION_FAST; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "best" ), 4 ) == 0 ) { compression_level = LIBEWF_COMPRESSION_BEST; } else { fprintf( stderr, "unsuported compression type defaulting to none.\n" ); } break; case (INT_T) 'C': option_case_number = optarg; break; case (INT_T) 'd': if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "sha1" ), 4 ) == 0 ) { calculate_sha1 = 1; } else { fprintf( stderr, "unsuported digest type.\n" ); } break; case (INT_T) 'D': option_description = optarg; break; case (INT_T) 'e': option_examiner_name = optarg; break; case (INT_T) 'E': option_evidence_number = optarg; break; case (INT_T) 'f': if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "ftk" ), 3 ) == 0 ) { libewf_format = LIBEWF_FORMAT_FTK; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase2" ), 7 ) == 0 ) { libewf_format = LIBEWF_FORMAT_ENCASE2; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase3" ), 7 ) == 0 ) { libewf_format = LIBEWF_FORMAT_ENCASE3; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase4" ), 7 ) == 0 ) { libewf_format = LIBEWF_FORMAT_ENCASE4; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase5" ), 7 ) == 0 ) { libewf_format = LIBEWF_FORMAT_ENCASE5; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase6" ), 7 ) == 0 ) { libewf_format = LIBEWF_FORMAT_ENCASE6; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "linen5" ), 6 ) == 0 ) { libewf_format = LIBEWF_FORMAT_LINEN5; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "linen6" ), 6 ) == 0 ) { libewf_format = LIBEWF_FORMAT_LINEN6; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "ewfx" ), 4 ) == 0 ) { libewf_format = LIBEWF_FORMAT_EWFX; } else { fprintf( stderr, "unsuported EWF file format type defaulting to encase5.\n" ); } break; case (INT_T) 'h': usage(); return( EXIT_SUCCESS ); case (INT_T) 'm': if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "fixed" ), 5 ) == 0 ) { media_type = LIBEWF_MEDIA_TYPE_FIXED; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "removable" ), 9 ) == 0 ) { media_type = LIBEWF_MEDIA_TYPE_REMOVABLE; } else { fprintf( stderr, "unsuported media type defaulting to fixed.\n" ); } break; case (INT_T) 'M': if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "logical" ), 7 ) == 0 ) { volume_type = LIBEWF_VOLUME_TYPE_LOGICAL; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "physical" ), 8 ) == 0 ) { volume_type = LIBEWF_VOLUME_TYPE_PHYSICAL; } else { fprintf( stderr, "unsuported volume type defaulting to logical.\n" ); } break; case (INT_T) 'N': option_notes = optarg; break; case (INT_T) 'q': break; case (INT_T) 's': swap_byte_pairs = 1; break; case (INT_T) 'S': string_length = CHAR_T_LENGTH( optarg ); end_of_string = &optarg[ string_length - 1 ]; segment_file_size = CHAR_T_TOLONG( optarg, &end_of_string, 0 ); break; case (INT_T) 't': filenames[ 0 ] = optarg; break; case (INT_T) 'v': verbose = 1; break; case (INT_T) 'V': ewfcommon_copyright_fprint( stderr ); return( EXIT_SUCCESS ); } } libewf_set_notify_values( stderr, verbose ); segment_file_size *= 1024; /* Make sure the segment file size is 1 byte smaller than 2 Gb (2 * 1024 * 1024 * 1024) */ if( segment_file_size >= (int64_t) INT32_MAX ) { segment_file_size = (int64_t) INT32_MAX - 1; } /* And larger than 1440 kb (1440 * 1024) */ else if( segment_file_size < (1440 * 1024) ) { segment_file_size = 1440 * 1024; } if( option_case_number != NULL ) { string_length = CHAR_T_LENGTH( option_case_number ); if( string_length > 0 ) { string_length += 1; case_number = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length ); if( case_number == NULL ) { fprintf( stderr, "Unable to create case number string.\n" ); return( EXIT_FAILURE ); } if( ewfcommon_copy_libewf_char_from_char_t( case_number, option_case_number, string_length ) != 1 ) { fprintf( stderr, "Unable to set case number string.\n" ); return( EXIT_FAILURE ); } } } if( option_description != NULL ) { string_length = CHAR_T_LENGTH( option_description ); if( string_length > 0 ) { string_length += 1; description = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length ); if( description == NULL ) { fprintf( stderr, "Unable to create description string.\n" ); return( EXIT_FAILURE ); } if( ewfcommon_copy_libewf_char_from_char_t( description, option_description, string_length ) != 1 ) { fprintf( stderr, "Unable to set description string.\n" ); return( EXIT_FAILURE ); } } } if( option_examiner_name != NULL ) { string_length = CHAR_T_LENGTH( option_examiner_name ); if( string_length > 0 ) { string_length += 1; examiner_name = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length ); if( examiner_name == NULL ) { fprintf( stderr, "Unable to create examiner name string.\n" ); return( EXIT_FAILURE ); } if( ewfcommon_copy_libewf_char_from_char_t( examiner_name, option_examiner_name, string_length ) != 1 ) { fprintf( stderr, "Unable to set examiner name string.\n" ); return( EXIT_FAILURE ); } } } if( option_evidence_number != NULL ) { string_length = CHAR_T_LENGTH( option_evidence_number ); if( string_length > 0 ) { string_length += 1; evidence_number = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length ); if( evidence_number == NULL ) { fprintf( stderr, "Unable to create evidence number string.\n" ); return( EXIT_FAILURE ); } if( ewfcommon_copy_libewf_char_from_char_t( evidence_number, option_evidence_number, string_length ) != 1 ) { fprintf( stderr, "Unable to set evidence number string.\n" ); return( EXIT_FAILURE ); } } } if( option_notes != NULL ) { string_length = CHAR_T_LENGTH( option_notes ); if( string_length > 0 ) { string_length += 1; notes = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length ); if( notes == NULL ) { fprintf( stderr, "Unable to create notes string.\n" ); return( EXIT_FAILURE ); } if( ewfcommon_copy_libewf_char_from_char_t( notes, option_notes, string_length ) != 1 ) { fprintf( stderr, "Unable to set notes string.\n" ); return( EXIT_FAILURE ); } } } acquiry_operating_system = ewfcommon_determine_operating_system(); acquiry_software_version = LIBEWF_VERSION; fprintf( stdout, "Using the following acquiry parameters:\n" ); ewfcommon_acquiry_paramters_fprint( stdout, filenames[ 0 ], case_number, description, evidence_number, examiner_name, notes, media_type, volume_type, compression_level, compress_empty_block, libewf_format, acquiry_offset, acquiry_size, (uint32_t) segment_file_size, sectors_per_chunk, sector_error_granularity, read_error_retry, wipe_block_on_read_error ); handle = libewf_open( (CHAR_T * const *) filenames, 1, LIBEWF_OPEN_WRITE ); if( handle == NULL ) { fprintf( stderr, "Unable to create EWF file handle.\n" ); return( EXIT_FAILURE ); } if( libewf_set_media_values( handle, (uint32_t) sectors_per_chunk, 512 ) != 1 ) { fprintf( stderr, "Unable to set media values in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_set_write_segment_file_size( handle, (uint32_t) segment_file_size ) != 1 ) { fprintf( stderr, "Unable to set write segment file size in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_set_write_media_type( handle, media_type, volume_type ) != 1 ) { fprintf( stderr, "Unable to set write media type in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_set_write_compression_values( handle, compression_level, compress_empty_block ) != 1 ) { fprintf( stderr, "Unable to set write compression values in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_set_write_format( handle, libewf_format ) != 1 ) { fprintf( stderr, "Unable to set write format in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_set_swap_byte_pairs( handle, swap_byte_pairs ) != 1 ) { fprintf( stderr, "Unable to set swap byte pairs in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( case_number == NULL ) { string_length = 0; } else { string_length = libewf_string_length( case_number ); } if( libewf_set_header_value_case_number( handle, case_number, string_length ) != 1 ) { fprintf( stderr, "Unable to set header value case number in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } libewf_common_free( case_number ); if( description == NULL ) { string_length = 0; } else { string_length = libewf_string_length( description ); } if( libewf_set_header_value_description( handle, description, string_length ) != 1 ) { fprintf( stderr, "Unable to set header value description in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } libewf_common_free( description ); if( examiner_name == NULL ) { string_length = 0; } else { string_length = libewf_string_length( examiner_name ); } if( libewf_set_header_value_examiner_name( handle, examiner_name, string_length ) != 1 ) { fprintf( stderr, "Unable to set header value examiner name in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } libewf_common_free( examiner_name ); if( evidence_number == NULL ) { string_length = 0; } else { string_length = libewf_string_length( evidence_number ); } if( libewf_set_header_value_evidence_number( handle, evidence_number, string_length ) != 1 ) { fprintf( stderr, "Unable to set header value evidence number in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } libewf_common_free( evidence_number ); if( notes == NULL ) { string_length = 0; } else { string_length = libewf_string_length( notes ); } if( libewf_set_header_value_notes( handle, notes, string_length ) != 1 ) { fprintf( stderr, "Unable to set header value notes in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } libewf_common_free( notes ); /* Acquiry date, system date and compression type will be generated automatically when set to NULL */ if( acquiry_operating_system != NULL ) { if( libewf_set_header_value_acquiry_operating_system( handle, acquiry_operating_system, libewf_string_length( acquiry_operating_system ) ) != 1 ) { fprintf( stderr, "Unable to set header value acquiry operating system in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } libewf_common_free( acquiry_operating_system ); } if( libewf_set_header_value( handle, _S_LIBEWF_CHAR( "acquiry_software" ), _S_LIBEWF_CHAR( "ewfacquirestream" ), 16 ) != 1 ) { fprintf( stderr, "Unable to set header value acquiry software in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_set_header_value_acquiry_software_version( handle, acquiry_software_version, libewf_string_length( acquiry_software_version ) ) != 1 ) { fprintf( stderr, "Unable to set header value acquiry software version number in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } #if defined(HAVE_UUID_UUID_H) && defined(HAVE_LIBUUID) /* Add a system GUID if necessary */ if( ewfcommon_determine_guid( guid, libewf_format ) != 1 ) { fprintf( stderr, "Unable to create GUID.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_set_guid( handle, guid, 16 ) != 1 ) { fprintf( stderr, "Unable to set GUID in handle.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } #endif /* Start acquiring data */ timestamp_start = time( NULL ); time_string = libewf_common_ctime( ×tamp_start ); if( time_string != NULL ) { fprintf( stderr, "Acquiry started at: %" PRIs "\n", time_string ); libewf_common_free( time_string ); } else { fprintf( stderr, "Acquiry started.\n" ); } if( callback != NULL ) { ewfcommon_process_status_initialize( stderr, _S_LIBEWF_CHAR( "acquired" ), timestamp_start ); } fprintf( stderr, "This could take a while.\n\n" ); count = ewfcommon_write_from_file_descriptor( handle, 0, acquiry_size, acquiry_offset, read_error_retry, sector_error_granularity, wipe_block_on_read_error, seek_on_error, calculate_sha1, callback ); /* Done acquiring data */ if( count > -1 ) { calculated_md5_hash_string = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ); if( calculated_md5_hash_string == NULL ) { fprintf( stderr, "Unable to create calculated MD5 hash string.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } result_md5_hash = libewf_get_calculated_md5_hash( handle, calculated_md5_hash_string, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ); if( calculate_sha1 == 1 ) { calculated_sha1_hash_string = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * LIBEWF_STRING_DIGEST_HASH_LENGTH_SHA1 ); if( calculated_sha1_hash_string == NULL ) { fprintf( stderr, "Unable to create calculated SHA1 hash string.\n" ); libewf_common_free( calculated_md5_hash_string ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } result_sha1_hash = libewf_get_hash_value( handle, _S_LIBEWF_CHAR( "SHA1" ), calculated_sha1_hash_string, LIBEWF_STRING_DIGEST_HASH_LENGTH_SHA1 ); } } timestamp_end = time( NULL ); time_string = libewf_common_ctime( ×tamp_end ); if( count <= -1 ) { if( time_string != NULL ) { fprintf( stderr, "Acquiry failed at: %" PRIs "\n", time_string ); libewf_common_free( time_string ); } else { fprintf( stderr, "Acquiry failed.\n" ); } if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( time_string != NULL ) { fprintf( stderr, "Acquiry completed at: %" PRIs "\n", time_string ); libewf_common_free( time_string ); } else { fprintf( stderr, "Acquiry completed.\n" ); } ewfcommon_process_summary_fprint( stderr, _S_LIBEWF_CHAR( "Written" ), count, timestamp_start, timestamp_end ); fprintf( stderr, "\n" ); ewfcommon_acquiry_errors_fprint( stderr, handle ); if( libewf_close( handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file handle.\n" ); libewf_common_free( calculated_md5_hash_string ); if( calculate_sha1 == 1 ) { libewf_common_free( calculated_sha1_hash_string ); } return( EXIT_FAILURE ); } if( result_md5_hash == -1 ) { fprintf( stderr, "Unable to get calculated MD5 hash.\n" ); libewf_common_free( calculated_md5_hash_string ); if( calculate_sha1 == 1 ) { libewf_common_free( calculated_sha1_hash_string ); } return( EXIT_FAILURE ); } else if( result_md5_hash == 0 ) { fprintf( stderr, "MD5 hash calculated over data: N/A\n" ); } else { fprintf( stderr, "MD5 hash calculated over data: %" PRIs_EWF "\n", calculated_md5_hash_string ); } libewf_common_free( calculated_md5_hash_string ); if( calculate_sha1 == 1 ) { if( result_sha1_hash == -1 ) { fprintf( stderr, "Unable to get calculated SHA1 hash.\n" ); libewf_common_free( calculated_sha1_hash_string ); return( EXIT_FAILURE ); } else if( result_sha1_hash == 0 ) { fprintf( stderr, "SHA1 hash calculated over data:\tN/A\n" ); } else { fprintf( stderr, "SHA1 hash calculated over data:\t%" PRIs_EWF "\n", calculated_sha1_hash_string ); } libewf_common_free( calculated_sha1_hash_string ); } return( EXIT_SUCCESS ); }
int main( int argc, char * const argv[] ) #endif { uint8_t guid[ 16 ]; #ifndef HAVE_GLOB_H EWFGLOB *glob = NULL; int32_t glob_count = 0; #endif LIBEWF_HANDLE *handle = NULL; INT_T option = 0; int8_t format = 0; int8_t compression_level = 0; int8_t media_type = 0; int8_t media_flags = 0; int8_t volume_type = 0; uint8_t verbose = 0; uint8_t date_format = LIBEWF_DATE_FORMAT_DAYMONTH; char info_option = 'a'; ewfsignal_initialize(); ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfinfo" ) ); while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "d:himvV" ) ) ) != (INT_T) -1 ) { switch( option ) { case (INT_T) '?': default: fprintf( stderr, "Invalid argument: %" PRIs "\n", argv[ optind ] ); usage(); return( EXIT_FAILURE ); case (INT_T) 'd': if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "md" ), 3 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_MONTHDAY; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "iso8601" ), 8 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_ISO8601; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "dm" ), 3 ) != 0 ) { fprintf( stderr, "Unsupported date format: %" PRIs " using default day/month.\n", optarg ); } break; case (INT_T) 'e': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option ); usage(); return( EXIT_FAILURE ); } info_option = 'e'; break; case (INT_T) 'h': usage(); return( EXIT_SUCCESS ); case (INT_T) 'i': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option ); usage(); return( EXIT_FAILURE ); } info_option = 'i'; break; case (INT_T) 'm': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option ); usage(); return( EXIT_FAILURE ); } info_option = 'm'; break; case (INT_T) 'v': verbose = 1; break; case (INT_T) 'V': ewfcommon_copyright_fprint( stderr ); return( EXIT_SUCCESS ); } } if( optind == argc ) { fprintf( stderr, "Missing EWF image file(s).\n" ); usage(); return( EXIT_FAILURE ); } libewf_set_notify_values( stderr, verbose ); #ifndef HAVE_GLOB_H glob = ewfglob_alloc(); if( glob == NULL ) { fprintf( stderr, "Unable to create glob.\n" ); return( EXIT_FAILURE ); } glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) ); if( glob_count <= 0 ) { fprintf( stderr, "Unable to resolve glob.\n" ); ewfglob_free( glob ); return( EXIT_FAILURE ); } handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ ); ewfglob_free( glob ); #else handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ ); #endif if( handle == NULL ) { fprintf( stderr, "Unable to open EWF image file(s).\n" ); return( EXIT_FAILURE ); } if( libewf_parse_header_values( handle, date_format ) != 1 ) { fprintf( stderr, "Unable to parse header values.\n" ); } format = libewf_get_format( handle ); if( verbose == 1 ) { fprintf( stdout, "File format:\t\t\t" ); switch( format ) { case LIBEWF_FORMAT_EWF: fprintf( stdout, "original EWF" ); break; case LIBEWF_FORMAT_SMART: fprintf( stdout, "SMART" ); break; case LIBEWF_FORMAT_FTK: fprintf( stdout, "FTK Imager" ); break; case LIBEWF_FORMAT_ENCASE1: fprintf( stdout, "EnCase 1" ); break; case LIBEWF_FORMAT_ENCASE2: fprintf( stdout, "EnCase 2" ); break; case LIBEWF_FORMAT_ENCASE3: fprintf( stdout, "EnCase 3" ); break; case LIBEWF_FORMAT_ENCASE4: fprintf( stdout, "EnCase 4" ); break; case LIBEWF_FORMAT_ENCASE5: fprintf( stdout, "EnCase 5" ); break; case LIBEWF_FORMAT_ENCASE6: fprintf( stdout, "EnCase 6" ); break; case LIBEWF_FORMAT_LINEN5: fprintf( stdout, "linen 5" ); break; case LIBEWF_FORMAT_LINEN6: fprintf( stdout, "linen 6" ); break; case LIBEWF_FORMAT_EWFX: fprintf( stdout, "extended EWF (libewf)" ); break; case LIBEWF_FORMAT_UNKNOWN: default: fprintf( stdout, "unknown" ); break; } fprintf( stdout, "\n\n" ); } if( ( info_option == 'a' ) || ( info_option == 'i' ) ) { fprintf( stdout, "Acquiry information\n" ); ewfcommon_header_values_fprint( stdout, handle ); fprintf( stdout, "\n" ); } if( ( info_option == 'a' ) || ( info_option == 'm' ) ) { fprintf( stdout, "Media information\n" ); if( ( format != LIBEWF_FORMAT_EWF ) && ( format != LIBEWF_FORMAT_SMART ) ) { media_type = libewf_get_media_type( handle ); media_flags = libewf_get_media_flags( handle ); volume_type = libewf_get_volume_type( handle ); if( media_type == LIBEWF_MEDIA_TYPE_REMOVABLE ) { fprintf( stdout, "\tMedia type:\t\tremovable disk\n" ); } else if( media_type == LIBEWF_MEDIA_TYPE_FIXED ) { fprintf( stdout, "\tMedia type:\t\tfixed disk\n" ); } else { fprintf( stdout, "\tMedia type:\t\tunknown (0x%" PRIx8 ")\n", media_type ); } if( verbose == 1 ) { fprintf( stdout, "\tMedia flags:\t\t0x%" PRIx8 "\n", media_flags ); } if( volume_type == LIBEWF_VOLUME_TYPE_LOGICAL ) { fprintf( stdout, "\tMedia is physical:\tno\n" ); } else if( volume_type == LIBEWF_VOLUME_TYPE_PHYSICAL ) { fprintf( stdout, "\tMedia is physical:\tyes\n" ); } else { fprintf( stdout, "\tVolume type:\t\tunknown (0x%" PRIx8 ")\n", volume_type ); } } fprintf( stdout, "\tAmount of sectors:\t%" PRIu32 "\n", libewf_get_amount_of_sectors( handle ) ); fprintf( stdout, "\tBytes per sector:\t%" PRIu32 "\n", libewf_get_bytes_per_sector( handle ) ); fprintf( stdout, "\tMedia size:\t\t%" PRIu64 "\n", libewf_get_media_size( handle ) ); if( ( format == LIBEWF_FORMAT_ENCASE5 ) || ( format == LIBEWF_FORMAT_ENCASE6 ) || ( format == LIBEWF_FORMAT_LINEN5 ) || ( format == LIBEWF_FORMAT_LINEN6 ) || ( format == LIBEWF_FORMAT_EWFX ) ) { fprintf( stdout, "\tError granularity:\t%" PRIu32 "\n", libewf_get_error_granularity( handle ) ); compression_level = libewf_get_compression_level( handle ); if( compression_level == LIBEWF_COMPRESSION_NONE ) { fprintf( stdout, "\tCompression type:\tno compression\n" ); } else if( compression_level == LIBEWF_COMPRESSION_FAST ) { fprintf( stdout, "\tCompression type:\tgood (fast) compression\n" ); } else if( compression_level == LIBEWF_COMPRESSION_BEST ) { fprintf( stdout, "\tCompression type:\tbest compression\n" ); } else { fprintf( stdout, "\tCompression type:\tunknown compression\n" ); } if( libewf_get_guid( handle, guid, 16 ) == 1 ) { fprintf( stdout, "\tGUID:\t\t\t%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "\n", guid[ 0 ], guid[ 1 ], guid[ 2 ], guid[ 3 ], guid[ 4 ], guid[ 5 ], guid[ 6 ], guid[ 7 ], guid[ 8 ], guid[ 9 ], guid[ 10 ], guid[ 11 ], guid[ 12 ], guid[ 13 ], guid[ 14 ], guid[ 15 ] ); } } ewfcommon_hash_values_fprint( stdout, handle ); fprintf( stdout, "\n" ); } if( ( info_option == 'a' ) || ( info_option == 'e' ) ) { ewfcommon_acquiry_errors_fprint( stdout, handle ); } if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); return( EXIT_FAILURE ); } return( EXIT_SUCCESS ); }
int main( int argc, char * const argv[] ) #endif { character_t media_size_string[ 16 ]; uint8_t guid[ 16 ]; character_t *program = _CHARACTER_T_STRING( "ewfinfo" ); #if !defined( HAVE_GLOB_H ) ewfglob_t *glob = NULL; int32_t glob_count = 0; #endif #if defined( HAVE_STRERROR_R ) || defined( HAVE_STRERROR ) system_character_t *error_string = NULL; #endif char *file_format_string = NULL; system_integer_t option = 0; size64_t media_size = 0; uint32_t bytes_per_sector = 0; uint32_t amount_of_sectors = 0; uint32_t error_granularity = 0; uint32_t amount_of_acquiry_errors = 0; uint32_t amount_of_sessions = 0; int8_t compression_level = 0; int8_t media_type = 0; int8_t media_flags = 0; int8_t volume_type = 0; uint8_t compress_empty_block = 0; uint8_t format = 0; uint8_t verbose = 0; uint8_t date_format = LIBEWF_DATE_FORMAT_CTIME; char info_option = 'a'; int result = 0; /* ewfoutput_version_fprint( stdout, program ); */ while( ( option = ewfgetopt( argc, argv, _SYSTEM_CHARACTER_T_STRING( "d:ehimvcV" ) ) ) != (system_integer_t) -1 ) { switch( option ) { case (system_integer_t) '?': default: fprintf( stderr, "Invalid argument: %" PRIs_SYSTEM "\n", argv[ optind ] ); usage_fprint( stdout ); return( EXIT_FAILURE ); case (system_integer_t) 'd': if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "dm" ), 3 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_DAYMONTH; } else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "md" ), 3 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_MONTHDAY; } else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "iso8601" ), 8 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_ISO8601; } else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "ctime" ), 3 ) != 0 ) { fprintf( stderr, "Unsupported date format: %" PRIs_SYSTEM " using default ctime.\n", optarg ); } break; case (system_integer_t) 'e': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option ); usage_fprint( stdout ); return( EXIT_FAILURE ); } info_option = 'e'; break; case (system_integer_t) 'h': usage_fprint( stdout ); return( EXIT_SUCCESS ); case (system_integer_t) 'i': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option ); usage_fprint( stdout ); return( EXIT_FAILURE ); } info_option = 'i'; break; case (system_integer_t) 'c': info_option = 'c'; break; case (system_integer_t) 'm': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option ); usage_fprint( stdout ); return( EXIT_FAILURE ); } info_option = 'm'; break; case (system_integer_t) 'v': verbose = 1; break; case (system_integer_t) 'V': ewfoutput_copyright_fprint( stdout ); return( EXIT_SUCCESS ); } } if( optind == argc ) { fprintf( stderr, "Missing EWF image file(s).\n" ); usage_fprint( stdout ); return( EXIT_FAILURE ); } libewf_set_notify_values( stderr, verbose ); if( ewfsignal_attach( ewfcommon_signal_handler ) != 1 ) { fprintf( stderr, "Unable to attach signal handler.\n" ); } #if 0 && !defined( HAVE_GLOB_H ) glob = ewfglob_alloc(); if( glob == NULL ) { fprintf( stderr, "Unable to create glob.\n" ); return( EXIT_FAILURE ); } glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) ); if( glob_count <= 0 ) { fprintf( stderr, "Unable to resolve glob.\n" ); ewfglob_free( glob ); return( EXIT_FAILURE ); } ewfcommon_libewf_handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ ); ewfglob_free( glob ); #else ewfcommon_libewf_handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ ); #endif if( ( ewfcommon_abort == 0 ) && ( ewfcommon_libewf_handle == NULL ) ) { #if defined( HAVE_STRERROR_R ) || defined( HAVE_STRERROR ) if( errno != 0 ) { error_string = ewfcommon_strerror( errno ); } if( error_string != NULL ) { fprintf( stderr, "Unable to open EWF file(s) with failure: %" PRIs_SYSTEM ".\n", error_string ); memory_free( error_string ); } else { fprintf( stderr, "Unable to open EWF file(s).\n" ); } #else fprintf( stderr, "Unable to open EWF file(s).\n" ); #endif return( EXIT_FAILURE ); } if( ( ewfcommon_abort == 0 ) && ( libewf_parse_header_values( ewfcommon_libewf_handle, date_format ) != 1 ) ) { fprintf( stderr, "Unable to parse header values.\n" ); } if( ( ewfcommon_abort == 0 ) && ( libewf_get_format( ewfcommon_libewf_handle, &format ) != 1 ) ) { fprintf( stderr, "Unable to determine format.\n" ); } else if( verbose == 1 ) { switch( format ) { case LIBEWF_FORMAT_EWF: file_format_string = "original EWF"; break; case LIBEWF_FORMAT_SMART: file_format_string = "SMART"; break; case LIBEWF_FORMAT_FTK: file_format_string = "FTK Imager"; break; case LIBEWF_FORMAT_ENCASE1: file_format_string = "EnCase 1"; break; case LIBEWF_FORMAT_ENCASE2: file_format_string = "EnCase 2"; break; case LIBEWF_FORMAT_ENCASE3: file_format_string = "EnCase 3"; break; case LIBEWF_FORMAT_ENCASE4: file_format_string = "EnCase 4"; break; case LIBEWF_FORMAT_ENCASE5: file_format_string = "EnCase 5"; break; case LIBEWF_FORMAT_ENCASE6: file_format_string = "EnCase 6"; break; case LIBEWF_FORMAT_LINEN5: file_format_string = "linen 5"; break; case LIBEWF_FORMAT_LINEN6: file_format_string = "linen 6"; break; case LIBEWF_FORMAT_EWFX: file_format_string = "extended EWF (libewf)"; break; case LIBEWF_FORMAT_UNKNOWN: default: file_format_string = "unknown"; break; } fprintf( stdout, "File format:\t\t\t%s\n\n", file_format_string ); } if( ( ewfcommon_abort == 0 ) && ( ( info_option == 'a' ) || ( info_option == 'i' ) ) ) { fprintf( stdout, "Acquiry information\n" ); ewfoutput_header_values_fprint( stdout, ewfcommon_libewf_handle ); fprintf( stdout, "\n" ); } if( ( ewfcommon_abort == 0 ) && ( ( info_option == 'a' ) || ( info_option == 'm' ) ) ) { fprintf( stdout, "Media information\n" ); if( ( format != LIBEWF_FORMAT_EWF ) && ( format != LIBEWF_FORMAT_SMART ) ) { if( libewf_get_media_type( ewfcommon_libewf_handle, &media_type ) != 1 ) { fprintf( stderr, "Unable to determine media type.\n" ); } else if( media_type == LIBEWF_MEDIA_TYPE_REMOVABLE ) { fprintf( stdout, "\tMedia type:\t\tremovable disk\n" ); } else if( media_type == LIBEWF_MEDIA_TYPE_FIXED ) { fprintf( stdout, "\tMedia type:\t\tfixed disk\n" ); } else if( media_type == LIBEWF_MEDIA_TYPE_CD ) { fprintf( stdout, "\tMedia type:\t\tCD/DVD\n" ); } else { fprintf( stdout, "\tMedia type:\t\tunknown (0x%" PRIx8 ")\n", media_type ); } if( libewf_get_media_flags( ewfcommon_libewf_handle, &media_flags ) != 1 ) { fprintf( stderr, "Unable to determine media flags.\n" ); } else if( verbose == 1 ) { fprintf( stdout, "\tMedia flags:\t\t0x%" PRIx8 "\n", media_flags ); } if( libewf_get_volume_type( ewfcommon_libewf_handle, &volume_type ) != 1 ) { fprintf( stderr, "Unable to determine volume type.\n" ); } else if( volume_type == LIBEWF_VOLUME_TYPE_LOGICAL ) { fprintf( stdout, "\tMedia is physical:\tno\n" ); } else if( volume_type == LIBEWF_VOLUME_TYPE_PHYSICAL ) { fprintf( stdout, "\tMedia is physical:\tyes\n" ); } else { fprintf( stdout, "\tVolume type:\t\tunknown (0x%" PRIx8 ")\n", volume_type ); } } if( libewf_get_amount_of_sectors( ewfcommon_libewf_handle, &amount_of_sectors ) == 1 ) { fprintf( stdout, "\tAmount of sectors:\t%" PRIu32 "\n", amount_of_sectors ); } else { fprintf( stderr, "Unable to determine amount of sectors.\n" ); } if( libewf_get_bytes_per_sector( ewfcommon_libewf_handle, &bytes_per_sector ) == 1 ) { fprintf( stdout, "\tBytes per sector:\t%" PRIu32 "\n", bytes_per_sector ); } else { fprintf( stderr, "Unable to determine bytes per sector.\n" ); } if( libewf_get_media_size( ewfcommon_libewf_handle, &media_size ) == 1 ) { result = ewfbyte_size_string_create( media_size_string, 16, media_size, EWFBYTE_SIZE_STRING_UNIT_MEBIBYTE ); if( result == 1 ) { fprintf( stdout, "\tMedia size:\t\t%" PRIs " (%" PRIu64 " bytes)\n", media_size_string, media_size ); } else { fprintf( stdout, "\tMedia size:\t\t%" PRIu64 " bytes\n", media_size ); } } else { fprintf( stderr, "Unable to determine media size.\n" ); } if( ( format == LIBEWF_FORMAT_ENCASE5 ) || ( format == LIBEWF_FORMAT_ENCASE6 ) || ( format == LIBEWF_FORMAT_LINEN5 ) || ( format == LIBEWF_FORMAT_LINEN6 ) || ( format == LIBEWF_FORMAT_EWFX ) ) { if( libewf_get_error_granularity( ewfcommon_libewf_handle, &error_granularity ) == 1 ) { fprintf( stdout, "\tError granularity:\t%" PRIu32 "\n", error_granularity ); } else { fprintf( stderr, "Unable to determine error granularity.\n" ); } if( libewf_get_compression_values( ewfcommon_libewf_handle, &compression_level, &compress_empty_block ) == 1 ) { if( compression_level == LIBEWF_COMPRESSION_NONE ) { fprintf( stdout, "\tCompression type:\tno compression\n" ); } else if( compression_level == LIBEWF_COMPRESSION_FAST ) { fprintf( stdout, "\tCompression type:\tgood (fast) compression\n" ); } else if( compression_level == LIBEWF_COMPRESSION_BEST ) { fprintf( stdout, "\tCompression type:\tbest compression\n" ); } else { fprintf( stdout, "\tCompression type:\tunknown compression\n" ); } } else { fprintf( stderr, "Unable to determine compression level.\n" ); } if( libewf_get_guid( ewfcommon_libewf_handle, guid, 16 ) == 1 ) { fprintf( stdout, "\tGUID:\t\t\t%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "\n", guid[ 0 ], guid[ 1 ], guid[ 2 ], guid[ 3 ], guid[ 4 ], guid[ 5 ], guid[ 6 ], guid[ 7 ], guid[ 8 ], guid[ 9 ], guid[ 10 ], guid[ 11 ], guid[ 12 ], guid[ 13 ], guid[ 14 ], guid[ 15 ] ); } } ewfoutput_hash_values_fprint( stdout, ewfcommon_libewf_handle ); fprintf( stdout, "\n" ); ewfoutput_sessions_fprint( stdout, ewfcommon_libewf_handle, &amount_of_sessions ); } if ( ( ewfcommon_abort == 0) && ( ( info_option =='c' ))) { libewf_internal_handle_t *handle = (libewf_internal_handle_t *)ewfcommon_libewf_handle; int i; struct libewf_chunk_offset *chunk = handle->offset_table->chunk_offset; // Print some attributes printf("size=%lld\n", handle->media_values->media_size); printf("chunk_size=%d\n", handle->media_values->chunk_size); printf("count=%d\n", handle->offset_table->amount); for(i=0; i<handle->offset_table->amount; i++) { printf("%d,%lld,%d,%d,%s\n", i, chunk[i].file_offset, chunk[i].size, chunk[i].compressed, chunk[i].segment_file_handle->filename); }; }; if( ( ewfcommon_abort == 0 ) && ( ( info_option == 'a' ) || ( info_option == 'e' ) ) ) { ewfoutput_acquiry_errors_fprint( stdout, ewfcommon_libewf_handle, &amount_of_acquiry_errors ); } if( ewfsignal_detach() != 1 ) { fprintf( stderr, "Unable to detach signal handler.\n" ); } if( ewfcommon_abort != 0 ) { fprintf( stdout, "%" PRIs ": ABORTED\n", program ); return( EXIT_FAILURE ); } if( libewf_close( ewfcommon_libewf_handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file(s).\n" ); return( EXIT_FAILURE ); } return( EXIT_SUCCESS ); }