/*
* EwfOpen
*/
static int EwfOpen(void *p_handle,
const char **pp_filename_arr,
uint64_t filename_arr_len)
{
pts_EwfHandle p_ewf_handle=(pts_EwfHandle)p_handle;
// We need at least one file
if(filename_arr_len==0) return EWF_NO_INPUT_FILES;
// Make sure all files are EWF files
for(uint64_t i=0;i<filename_arr_len;i++) {
#ifdef HAVE_LIBEWF_V2_API
if(libewf_check_file_signature(pp_filename_arr[i],NULL)!=1)
#else
if(libewf_check_file_signature(pp_filename_arr[i])!=1)
#endif
{
return EWF_INVALID_INPUT_FILES;
}
}
// Open EWF file
#ifdef HAVE_LIBEWF_V2_API
if(libewf_handle_open(p_ewf_handle->h_ewf,
(char* const*)pp_filename_arr,
filename_arr_len,
libewf_get_access_flags_read(),
NULL)!=1)
#else
p_ewf_handle->h_ewf=libewf_open((char* const*)pp_filename_arr,
filename_arr_len,
libewf_get_flags_read());
if(p_ewf_handle->h_ewf==NULL)
#endif
{
return EWF_OPEN_FAILED;
}
#ifndef HAVE_LIBEWF_V2_API
// Parse EWF header
if(libewf_parse_header_values(p_ewf_handle->h_ewf,
LIBEWF_DATE_FORMAT_ISO8601)!=1)
{
return EWF_HEADER_PARSING_FAILED;
}
#endif
return EWF_OK;
}
IMG_INFO *
ewf_open(int num_img, const char **images, IMG_INFO * next)
{
IMG_EWF_INFO *ewf_info;
IMG_INFO *img_info;
if (next != NULL) {
tsk_errno = TSK_ERR_IMG_LAYERS;
snprintf(tsk_errstr, TSK_ERRSTR_L, "EWF must be lowest layer");
tsk_errstr2[0] = '\0';
return NULL;
}
ewf_info = (IMG_EWF_INFO *) mymalloc(sizeof(IMG_EWF_INFO));
if (ewf_info == NULL) {
return NULL;
}
memset((void *) ewf_info, 0, sizeof(IMG_EWF_INFO));
img_info = (IMG_INFO *) ewf_info;
/* check the magic before we call the library open */
if (img_file_header_signature_ncmp(images[0],
"\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) {
// if (libewf_check_file_signature(images[0]) == 0) {
tsk_errno = TSK_ERR_IMG_MAGIC;
snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open: Not an EWF file");
tsk_errstr2[0] = '\0';
free(ewf_info);
if (verbose)
fprintf(stderr, "Not an EWF file\n");
return NULL;
}
ewf_info->handle = libewf_open(images, num_img, LIBEWF_OPEN_READ);
img_info->size = libewf_data_size(ewf_info->handle);
ewf_info->md5hash = libewf_data_md5hash(ewf_info->handle);
img_info->itype = EWF_EWF;
img_info->read_random = ewf_image_read_random;
img_info->get_size = ewf_image_get_size;
img_info->close = ewf_image_close;
img_info->imgstat = ewf_image_imgstat;
return img_info;
}
TSK_IMG_INFO *
ewf_open(int a_num_img,
const TSK_TCHAR * const a_images[], unsigned int a_ssize)
{
#if defined( HAVE_LIBEWF_V2_API )
char error_string[TSK_EWF_ERROR_STRING_SIZE];
libewf_error_t *ewf_error = NULL;
int result = 0;
#elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
uint8_t md5_hash[16];
#endif
IMG_EWF_INFO *ewf_info = NULL;
TSK_IMG_INFO *img_info = NULL;
#if !defined( HAVE_LIBEWF_V2_API)
if (tsk_verbose)
libewf_set_notify_values(stderr, 1);
#endif
if ((ewf_info =
(IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
NULL) {
return NULL;
}
img_info = (TSK_IMG_INFO *) ewf_info;
// See if they specified only the first of the set...
ewf_info->used_ewf_glob = 0;
if (a_num_img == 1) {
#if defined( HAVE_LIBEWF_V2_API)
#ifdef TSK_WIN32
if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
&ewf_info->num_imgs, &ewf_error) == -1) {
#else
if (libewf_glob(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
&ewf_info->num_imgs, &ewf_error) == -1) {
#endif
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)",
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
return NULL;
}
#else //use v1
#ifdef TSK_WIN32
ewf_info->num_imgs =
libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
ewf_info->num_imgs =
libewf_glob(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
if (ewf_info->num_imgs <= 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an E01 glob name");
tsk_img_free(ewf_info);
return NULL;
}
#endif // end v1
ewf_info->used_ewf_glob = 1;
if (tsk_verbose)
tsk_fprintf(stderr,
"ewf_open: found %d segment files via libewf_glob\n",
ewf_info->num_imgs);
}
else {
int i;
ewf_info->num_imgs = a_num_img;
if ((ewf_info->images =
(TSK_TCHAR **) tsk_malloc(a_num_img *
sizeof(TSK_TCHAR *))) == NULL) {
tsk_img_free(ewf_info);
return NULL;
}
for (i = 0; i < a_num_img; i++) {
if ((ewf_info->images[i] =
(TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
1) * sizeof(TSK_TCHAR))) == NULL) {
tsk_img_free(ewf_info);
return NULL;
}
TSTRNCPY(ewf_info->images[i], a_images[i],
TSTRLEN(a_images[i]) + 1);
}
}
#if defined( HAVE_LIBEWF_V2_API )
// Check the file signature before we call the library open
#if defined( TSK_WIN32 )
if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1)
#else
if (libewf_check_file_signature(a_images[0], &ewf_error) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open: Not an EWF file (%s)",
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Not an EWF file\n");
}
return (NULL);
}
if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error initializing handle (%s)", a_images[0], error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Unable to create EWF handle\n");
}
return (NULL);
}
#if defined( TSK_WIN32 )
if (libewf_handle_open_wide(ewf_info->handle,
(wchar_t * const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#else
if (libewf_handle_open(ewf_info->handle,
(char *const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening (%s)", a_images[0], error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return (NULL);
}
if (libewf_handle_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size), &ewf_error) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image (%s)", a_images[0],
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle,
(uint8_t *) ewf_info->md5hash, 33, &ewf_error);
if (result == -1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting MD5 of image (%s)", a_images[0],
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
ewf_info->md5hash_isset = result;
#else // V1 API
// Check the file signature before we call the library open
#if defined( TSK_WIN32 )
if (libewf_check_file_signature_wide(a_images[0]) != 1)
#else
if (libewf_check_file_signature(a_images[0]) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an EWF file");
tsk_img_free(ewf_info);
if (tsk_verbose)
tsk_fprintf(stderr, "Not an EWF file\n");
return NULL;
}
#if defined( TSK_WIN32 )
ewf_info->handle = libewf_open_wide(
(wchar_t * const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#else
ewf_info->handle = libewf_open(
(char *const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#endif
if (ewf_info->handle == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening", ewf_info->images[0]);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return (NULL);
}
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
// 2007 version
img_info->size = libewf_get_media_size(ewf_info->handle);
ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
#else
// libewf-20080322 version
if (libewf_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size)) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image", ewf_info->images[0]);
tsk_img_free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
int md5_string_iterator = 0;
int md5_hash_iterator = 0;
for (md5_hash_iterator = 0;
md5_hash_iterator < 16; md5_hash_iterator++) {
int digit = md5_hash[md5_hash_iterator] / 16;
if (digit <= 9) {
ewf_info->md5hash[md5_string_iterator++] =
'0' + (char) digit;
}
else {
ewf_info->md5hash[md5_string_iterator++] =
'a' + (char) (digit - 10);
}
digit = md5_hash[md5_hash_iterator] % 16;
if (digit <= 9) {
ewf_info->md5hash[md5_string_iterator++] =
'0' + (char) digit;
}
else {
ewf_info->md5hash[md5_string_iterator++] =
'a' + (char) (digit - 10);
}
}
ewf_info->md5hash_isset = 1;
}
#endif /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */
#endif /* defined( HAVE_LIBEWF_V2_API ) */
if (a_ssize != 0) {
img_info->sector_size = a_ssize;
}
else {
img_info->sector_size = 512;
}
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->read = &ewf_image_read;
img_info->close = &ewf_image_close;
img_info->imgstat = &ewf_image_imgstat;
// initialize the read lock
tsk_init_lock(&(ewf_info->read_lock));
return (img_info);
}
disk_t *fewf_init(const char *device, const int mode)
{
unsigned int num_files=0;
char **filenames= NULL;
disk_t *disk=NULL;
struct info_fewf_struct *data;
#if !defined( HAVE_LIBEWF_V2_API ) && defined( HAVE_GLOB_H )
glob_t globbuf;
#endif
data=(struct info_fewf_struct *)MALLOC(sizeof(struct info_fewf_struct));
memset(data, 0, sizeof(struct info_fewf_struct));
data->file_name = strdup(device);
data->handle=NULL;
data->mode = mode;
#ifdef DEBUG_EWF
#if defined( HAVE_LIBEWF_V2_API )
libewf_notify_set_stream( stderr, NULL );
libewf_notify_set_verbose( 1 );
#else
libewf_set_notify_values( stderr, 1 );
#endif
#endif
#if defined( HAVE_LIBEWF_V2_API )
if( libewf_glob(
data->file_name,
strlen(data->file_name),
LIBEWF_FORMAT_UNKNOWN,
&filenames,
(int *)&num_files,
NULL ) != 1 )
{
log_error("libewf_glob failed\n");
free(data);
return NULL;
}
#elif defined( HAVE_GLOB_H )
{
globbuf.gl_offs = 0;
glob(data->file_name, GLOB_DOOFFS, NULL, &globbuf);
if(globbuf.gl_pathc>0)
{
filenames=(char **)MALLOC(globbuf.gl_pathc * sizeof(*filenames));
for (num_files=0; num_files<globbuf.gl_pathc; num_files++) {
filenames[num_files]=globbuf.gl_pathv[num_files];
}
}
}
if(filenames==NULL)
{
globfree(&globbuf);
free(data);
return NULL;
}
#else
{
filenames=(char **)MALLOC(1*sizeof(*filenames));
filenames[num_files] = data->file_name;
num_files++;
}
#endif
if((mode&TESTDISK_O_RDWR)==TESTDISK_O_RDWR)
{
#if defined( HAVE_LIBEWF_V2_API )
if( libewf_handle_initialize(
&( data->handle ),
NULL ) != 1 )
{
log_error("libewf_handle_initialize failed\n");
libewf_glob_free(
filenames,
num_files,
NULL );
free(data);
return NULL;
}
if( libewf_handle_open(
data->handle,
filenames,
num_files,
LIBEWF_OPEN_READ_WRITE,
NULL ) != 1 )
{
log_error("libewf_handle_open(%s) failed\n", device);
}
#else
data->handle=libewf_open(filenames, num_files, LIBEWF_OPEN_READ_WRITE);
if(data->handle==NULL)
{
log_error("libewf_open(%s) failed\n", device);
}
#endif /* defined( HAVE_LIBEWF_V2_API ) */
}
if(data->handle==NULL)
{
data->mode&=~TESTDISK_O_RDWR;
#if defined( HAVE_LIBEWF_V2_API )
if( libewf_handle_initialize(
&( data->handle ),
NULL ) != 1 )
{
log_error("libewf_handle_initialize failed\n");
libewf_glob_free(
filenames,
num_files,
NULL );
free(data);
return NULL;
}
if( libewf_handle_open(
data->handle,
filenames,
num_files,
LIBEWF_OPEN_READ,
NULL ) != 1 )
{
log_error("libewf_handle_open(%s) failed\n", device);
libewf_handle_free(
&( data->handle ),
NULL );
libewf_glob_free(
filenames,
num_files,
NULL );
free(data);
return NULL;
}
#else
data->handle=libewf_open(filenames, num_files, LIBEWF_OPEN_READ);
if(data->handle==NULL)
{
log_error("libewf_open(%s) failed\n", device);
#if defined( HAVE_GLOB_H )
globfree(&globbuf);
#endif
free(filenames);
free(data);
return NULL;
}
#endif /* defined( HAVE_LIBEWF_V2_API ) */
}
#if defined( HAVE_LIBEWF_V2_API )
if( libewf_handle_set_header_values_date_format(
data->handle,
LIBEWF_DATE_FORMAT_DAYMONTH,
NULL ) != 1 )
{
log_error("%s Unable to set header values date format\n", device);
}
#else
if( libewf_parse_header_values( data->handle, LIBEWF_DATE_FORMAT_DAYMONTH) != 1 )
{
log_error("%s Unable to parse EWF header values\n", device);
}
#endif
disk=(disk_t *)MALLOC(sizeof(*disk));
init_disk(disk);
disk->arch=&arch_none;
disk->device=strdup(device);
disk->data=data;
disk->description=fewf_description;
disk->description_short=fewf_description_short;
disk->pread_fast=fewf_pread_fast;
disk->pread=fewf_pread;
disk->pwrite=(data->mode&TESTDISK_O_RDWR?fewf_pwrite:fewf_nopwrite);
disk->sync=fewf_sync;
disk->access_mode=(data->mode&TESTDISK_O_RDWR);
disk->clean=fewf_clean;
#if defined( HAVE_LIBEWF_V2_API ) || defined( LIBEWF_GET_BYTES_PER_SECTOR_HAVE_TWO_ARGUMENTS )
{
uint32_t bytes_per_sector = 0;
#if defined( HAVE_LIBEWF_V2_API )
if( libewf_handle_get_bytes_per_sector(
data->handle,
&bytes_per_sector,
NULL ) != 1 )
#else
if( libewf_get_bytes_per_sector(data->handle, &bytes_per_sector)<0)
#endif
{
disk->sector_size=DEFAULT_SECTOR_SIZE;
}
else
{
disk->sector_size=bytes_per_sector;
}
}
#else
disk->sector_size=libewf_get_bytes_per_sector(data->handle);
#endif
// printf("libewf_get_bytes_per_sector %u\n",disk->sector_size);
if(disk->sector_size==0)
disk->sector_size=DEFAULT_SECTOR_SIZE;
/* Set geometry */
disk->geom.cylinders=0;
disk->geom.heads_per_cylinder=1;
disk->geom.sectors_per_head=1;
disk->geom.bytes_per_sector=disk->sector_size;
/* Get disk_real_size */
#if defined( HAVE_LIBEWF_V2_API ) || defined( LIBEWF_GET_MEDIA_SIZE_HAVE_TWO_ARGUMENTS )
{
size64_t media_size = 0;
#if defined( HAVE_LIBEWF_V2_API )
if( libewf_handle_get_media_size(
data->handle,
&media_size,
NULL ) != 1 )
#else
if(libewf_get_media_size(data->handle, &media_size)<0)
#endif
{
disk->disk_real_size=0;
}
else
{
disk->disk_real_size=media_size;
}
}
#else
disk->disk_real_size=libewf_get_media_size(data->handle);
#endif
update_disk_car_fields(disk);
#if defined( HAVE_LIBEWF_V2_API )
libewf_glob_free(
filenames,
num_files,
NULL );
#else
#if defined( HAVE_GLOB_H )
globfree(&globbuf);
#endif
free(filenames);
#endif
return disk;
}
int main( int argc, char * const argv[] )
#endif
{
#ifndef HAVE_GLOB_H
EWFGLOB *glob = NULL;
int32_t glob_count = 0;
#endif
LIBEWF_HANDLE *handle = NULL;
uint8_t *buffer = NULL;
INT_T option = 0;
int64_t count = 0;
uint64_t size = 0;
uint64_t alter_offset = 0;
uint64_t alter_size = 0;
uint8_t swap_byte_pairs = 0;
uint8_t verbose = 0;
ewfsignal_initialize();
fprintf( stderr, "ewfalter is for expirimental usage only.\n" );
ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfalter" ) );
while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "hsqvV" ) ) ) != (INT_T) -1 )
{
switch( option )
{
case (INT_T) '?':
default:
fprintf( stderr, "Invalid argument: %" PRIs ".\n", argv[ optind ] );
usage();
return( EXIT_FAILURE );
case (INT_T) 'h':
usage();
return( EXIT_SUCCESS );
case (INT_T) 's':
swap_byte_pairs = 1;
break;
case (INT_T) 'q':
break;
case (INT_T) 'v':
verbose = 1;
break;
case (INT_T) 'V':
ewfcommon_copyright_fprint( stderr );
return( EXIT_SUCCESS );
}
}
if( optind == argc )
{
fprintf( stderr, "Missing EWF image file(s).\n" );
usage();
return( EXIT_FAILURE );
}
libewf_set_notify_values( stderr, verbose );
#ifndef HAVE_GLOB_H
glob = ewfglob_alloc();
if( glob == NULL )
{
fprintf( stderr, "Unable to create glob.\n" );
return( EXIT_FAILURE );
}
glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) );
if( glob_count <= 0 )
{
fprintf( stderr, "Unable to resolve glob.\n" );
ewfglob_free( glob );
return( EXIT_FAILURE );
}
handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ_WRITE );
ewfglob_free( glob );
#else
handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ_WRITE );
#endif
if( handle == NULL )
{
fprintf( stderr, "Unable to open EWF image file(s).\n" );
return( EXIT_FAILURE );
}
if( libewf_set_swap_byte_pairs( handle, swap_byte_pairs ) != 1 )
{
fprintf( stderr, "Unable to set swap byte pairs in handle.\n" );
return( EXIT_FAILURE );
}
size = libewf_get_media_size( handle );
if( size == 0 )
{
fprintf( stderr, "Error altering data from EWF file(s) - media size is 0.\n" );
return( EXIT_FAILURE );
}
/* Request the necessary case data
*/
fprintf( stderr, "Information for alter required, please provide the necessary input\n" );
alter_offset = ewfcommon_get_user_input_size_variable( stderr, _S_LIBEWF_CHAR( "Start altering at offset" ), 0, size, 0 );
alter_size = ewfcommon_get_user_input_size_variable( stderr, _S_LIBEWF_CHAR( "Amount of bytes to alter" ), 0, size, size );
buffer = libewf_common_alloc( alter_size * sizeof( uint8_t ) );
if( buffer == NULL )
{
fprintf( stderr, "Unable to allocate buffer.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stdout, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( libewf_common_memset( buffer, 'X', alter_size ) == NULL )
{
fprintf( stderr, "Unable to set buffer.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stdout, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
count = libewf_write_random( handle, buffer, alter_size, alter_offset );
if( count <= -1 )
{
fprintf( stderr, "Alteration failed.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stdout, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
fprintf( stderr, "Alteration completed.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stdout, "Unable to close EWF file handle.\n" );
return( EXIT_FAILURE );
}
return( EXIT_SUCCESS );
}
int ewf_open(const char *pathname, int flags, mode_t mode)
{
// XXX filename list should be dynamic. 1024 limit is ugly
const char *filenames[1024];
char *ptr,*optr;
char hash[1024];
size64_t media_size;
uint32_t bytes_per_sector;
uint32_t amount_of_sectors;
uint32_t error_granularity;
uint32_t amount_of_acquiry_errors;
int8_t compression_level;
int8_t media_type;
int8_t media_flags;
int8_t volume_type;
uint8_t compress_empty_block;
uint8_t format;
int i;
if (!memcmp(pathname, "els://", 6)) {
FILE *fd = fopen(pathname+6, "r");
ut64 len;
char *buf;
if (fd == NULL)
return -1;
fseek(fd, 0, SEEK_END);
len = ftell(fd);
fseek(fd, 0, SEEK_SET);
buf = (char *)malloc(len);
fread(buf, len, 1, fd);
ptr = strchr(buf, '\n');
for(i=0,optr = buf;ptr&&(ptr=strchr(ptr, '\n'));optr=ptr) {
ptr[0] = '\0';
ptr = ptr + 1;
filenames[i++] = optr;
}
filenames[i] = NULL;
free(buf);
fclose(fd);
for(i=0;filenames[i];i++)
printf("%02x: %s)\n", i, filenames[i]);
} else {
filenames[0] = pathname + 6;
filenames[1] = NULL;
}
ewf_h = libewf_open(&filenames, 1,
(((int)config_get("file.write"))==0)?
LIBEWF_OPEN_READ_WRITE:LIBEWF_OPEN_READ);
if (ewf_h == NULL)
ewf_fd = -1;
else {
ewf_fd = EWF_FD;
#if 0
if( ((libewf_internal_handle_t*)ewf_h)->header_values == NULL ) {
fprintf( stream, "\tNo information found in file.\n" );
} else {
libewf_get_header_value_examiner_name(ewf_h, hash, 128);
eprintf("ExaminerName: %s\n", hash);
libewf_get_header_value_case_number(ewf_h, hash, 128);
eprintf("CaseNumber: %s\n", hash);
#endif
libewf_get_format(ewf_h, &format);
eprintf("FormatVersion: %d\n", format);
libewf_get_compression_values(ewf_h, &compression_level, &compress_empty_block);
eprintf("CompressionLevel: %d\n", compression_level);
libewf_get_error_granularity(ewf_h, &error_granularity);
eprintf("ErrorGranurality: %d\n", error_granularity);
libewf_get_amount_of_sectors(ewf_h, &amount_of_sectors);
eprintf("AmountOfSectors: %d\n", amount_of_sectors);
libewf_get_bytes_per_sector(ewf_h, &bytes_per_sector);
eprintf("BytesPerSector: %d\n", bytes_per_sector);
libewf_get_volume_type(ewf_h, &volume_type);
eprintf("VolumeType: %d\n", volume_type);
libewf_get_media_size(ewf_h, &media_size);
eprintf("MediaSize: %lld\n", media_size);
libewf_get_media_type(ewf_h, &media_type);
eprintf("MediaType: %d\n", media_type);
libewf_get_media_flags(ewf_h, &media_flags);
eprintf("MediaFlags: %d\n", media_flags);
libewf_get_md5_hash(ewf_h, hash, 128);
eprintf("CalculatedHash: %s\n", hash);
#if 0
}
#endif
}
return ewf_fd;
}
int main( int argc, char * const argv[] )
#endif
{
#if defined(HAVE_UUID_UUID_H) && defined(HAVE_LIBUUID)
uint8_t guid[ 16 ];
#endif
CHAR_T *filenames[ 1 ] = { "stream" };
LIBEWF_HANDLE *handle = NULL;
LIBEWF_CHAR *calculated_md5_hash_string = NULL;
LIBEWF_CHAR *calculated_sha1_hash_string = NULL;
LIBEWF_CHAR *case_number = NULL;
LIBEWF_CHAR *description = NULL;
LIBEWF_CHAR *evidence_number = NULL;
LIBEWF_CHAR *examiner_name = NULL;
LIBEWF_CHAR *notes = NULL;
LIBEWF_CHAR *acquiry_operating_system = NULL;
LIBEWF_CHAR *acquiry_software_version = NULL;
CHAR_T *option_case_number = NULL;
CHAR_T *option_description = NULL;
CHAR_T *option_examiner_name = NULL;
CHAR_T *option_evidence_number = NULL;
CHAR_T *option_notes = NULL;
CHAR_T *time_string = NULL;
CHAR_T *end_of_string = NULL;
void *callback = &ewfcommon_stream_process_status_fprint;
INT_T option = 0;
size_t string_length = 0;
time_t timestamp_start = 0;
time_t timestamp_end = 0;
int64_t segment_file_size = ( 650 * 1024 );
int64_t count = 0;
uint64_t acquiry_offset = 0;
uint64_t acquiry_size = 0;
uint64_t sectors_per_chunk = 64;
uint32_t sector_error_granularity = 64;
int8_t compression_level = LIBEWF_COMPRESSION_NONE;
int8_t result_md5_hash = 0;
int8_t result_sha1_hash = 0;
uint8_t media_type = LIBEWF_MEDIA_TYPE_FIXED;
uint8_t volume_type = LIBEWF_VOLUME_TYPE_LOGICAL;
uint8_t compress_empty_block = 0;
uint8_t libewf_format = LIBEWF_FORMAT_ENCASE5;
uint8_t wipe_block_on_read_error = 0;
uint8_t read_error_retry = 2;
uint8_t swap_byte_pairs = 0;
uint8_t seek_on_error = 0;
uint8_t calculate_sha1 = 0;
uint8_t verbose = 0;
ewfsignal_initialize();
ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfacquirestream" ) );
while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "b:c:C:d:D:e:E:f:hm:M:N:sS:t:vV" ) ) ) != (INT_T) -1 )
{
switch( option )
{
case (INT_T) '?':
default:
fprintf( stderr, "Invalid argument: %" PRIs "\n", argv[ optind ] );
usage();
return( EXIT_FAILURE );
case (INT_T) 'b':
if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "32768" ), 5 ) == 0 )
{
sectors_per_chunk = 32768;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "16384" ), 5 ) == 0 )
{
sectors_per_chunk = 16384;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "8192" ), 4 ) == 0 )
{
sectors_per_chunk = 8192;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "4096" ), 4 ) == 0 )
{
sectors_per_chunk = 4096;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "2048" ), 4 ) == 0 )
{
sectors_per_chunk = 2048;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "1024" ), 4 ) == 0 )
{
sectors_per_chunk = 1024;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "512" ), 3 ) == 0 )
{
sectors_per_chunk = 512;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "256" ), 3 ) == 0 )
{
sectors_per_chunk = 256;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "128" ), 3 ) == 0 )
{
sectors_per_chunk = 128;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "64" ), 2 ) == 0 )
{
sectors_per_chunk = 64;
}
else
{
fprintf( stderr, "unsuported amount of sectors per chunk defaulting to 64.\n" );
}
break;
case (INT_T) 'c':
if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "none" ), 4 ) == 0 )
{
compression_level = LIBEWF_COMPRESSION_NONE;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "empty_block" ), 11 ) == 0 )
{
compress_empty_block = 1;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "fast" ), 4 ) == 0 )
{
compression_level = LIBEWF_COMPRESSION_FAST;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "best" ), 4 ) == 0 )
{
compression_level = LIBEWF_COMPRESSION_BEST;
}
else
{
fprintf( stderr, "unsuported compression type defaulting to none.\n" );
}
break;
case (INT_T) 'C':
option_case_number = optarg;
break;
case (INT_T) 'd':
if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "sha1" ), 4 ) == 0 )
{
calculate_sha1 = 1;
}
else
{
fprintf( stderr, "unsuported digest type.\n" );
}
break;
case (INT_T) 'D':
option_description = optarg;
break;
case (INT_T) 'e':
option_examiner_name = optarg;
break;
case (INT_T) 'E':
option_evidence_number = optarg;
break;
case (INT_T) 'f':
if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "ftk" ), 3 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_FTK;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase2" ), 7 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_ENCASE2;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase3" ), 7 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_ENCASE3;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase4" ), 7 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_ENCASE4;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase5" ), 7 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_ENCASE5;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "encase6" ), 7 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_ENCASE6;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "linen5" ), 6 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_LINEN5;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "linen6" ), 6 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_LINEN6;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "ewfx" ), 4 ) == 0 )
{
libewf_format = LIBEWF_FORMAT_EWFX;
}
else
{
fprintf( stderr, "unsuported EWF file format type defaulting to encase5.\n" );
}
break;
case (INT_T) 'h':
usage();
return( EXIT_SUCCESS );
case (INT_T) 'm':
if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "fixed" ), 5 ) == 0 )
{
media_type = LIBEWF_MEDIA_TYPE_FIXED;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "removable" ), 9 ) == 0 )
{
media_type = LIBEWF_MEDIA_TYPE_REMOVABLE;
}
else
{
fprintf( stderr, "unsuported media type defaulting to fixed.\n" );
}
break;
case (INT_T) 'M':
if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "logical" ), 7 ) == 0 )
{
volume_type = LIBEWF_VOLUME_TYPE_LOGICAL;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "physical" ), 8 ) == 0 )
{
volume_type = LIBEWF_VOLUME_TYPE_PHYSICAL;
}
else
{
fprintf( stderr, "unsuported volume type defaulting to logical.\n" );
}
break;
case (INT_T) 'N':
option_notes = optarg;
break;
case (INT_T) 'q':
break;
case (INT_T) 's':
swap_byte_pairs = 1;
break;
case (INT_T) 'S':
string_length = CHAR_T_LENGTH( optarg );
end_of_string = &optarg[ string_length - 1 ];
segment_file_size = CHAR_T_TOLONG( optarg, &end_of_string, 0 );
break;
case (INT_T) 't':
filenames[ 0 ] = optarg;
break;
case (INT_T) 'v':
verbose = 1;
break;
case (INT_T) 'V':
ewfcommon_copyright_fprint( stderr );
return( EXIT_SUCCESS );
}
}
libewf_set_notify_values( stderr, verbose );
segment_file_size *= 1024;
/* Make sure the segment file size is 1 byte smaller than 2 Gb (2 * 1024 * 1024 * 1024)
*/
if( segment_file_size >= (int64_t) INT32_MAX )
{
segment_file_size = (int64_t) INT32_MAX - 1;
}
/* And larger than 1440 kb (1440 * 1024)
*/
else if( segment_file_size < (1440 * 1024) )
{
segment_file_size = 1440 * 1024;
}
if( option_case_number != NULL )
{
string_length = CHAR_T_LENGTH( option_case_number );
if( string_length > 0 )
{
string_length += 1;
case_number = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length );
if( case_number == NULL )
{
fprintf( stderr, "Unable to create case number string.\n" );
return( EXIT_FAILURE );
}
if( ewfcommon_copy_libewf_char_from_char_t( case_number, option_case_number, string_length ) != 1 )
{
fprintf( stderr, "Unable to set case number string.\n" );
return( EXIT_FAILURE );
}
}
}
if( option_description != NULL )
{
string_length = CHAR_T_LENGTH( option_description );
if( string_length > 0 )
{
string_length += 1;
description = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length );
if( description == NULL )
{
fprintf( stderr, "Unable to create description string.\n" );
return( EXIT_FAILURE );
}
if( ewfcommon_copy_libewf_char_from_char_t( description, option_description, string_length ) != 1 )
{
fprintf( stderr, "Unable to set description string.\n" );
return( EXIT_FAILURE );
}
}
}
if( option_examiner_name != NULL )
{
string_length = CHAR_T_LENGTH( option_examiner_name );
if( string_length > 0 )
{
string_length += 1;
examiner_name = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length );
if( examiner_name == NULL )
{
fprintf( stderr, "Unable to create examiner name string.\n" );
return( EXIT_FAILURE );
}
if( ewfcommon_copy_libewf_char_from_char_t( examiner_name, option_examiner_name, string_length ) != 1 )
{
fprintf( stderr, "Unable to set examiner name string.\n" );
return( EXIT_FAILURE );
}
}
}
if( option_evidence_number != NULL )
{
string_length = CHAR_T_LENGTH( option_evidence_number );
if( string_length > 0 )
{
string_length += 1;
evidence_number = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length );
if( evidence_number == NULL )
{
fprintf( stderr, "Unable to create evidence number string.\n" );
return( EXIT_FAILURE );
}
if( ewfcommon_copy_libewf_char_from_char_t( evidence_number, option_evidence_number, string_length ) != 1 )
{
fprintf( stderr, "Unable to set evidence number string.\n" );
return( EXIT_FAILURE );
}
}
}
if( option_notes != NULL )
{
string_length = CHAR_T_LENGTH( option_notes );
if( string_length > 0 )
{
string_length += 1;
notes = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * string_length );
if( notes == NULL )
{
fprintf( stderr, "Unable to create notes string.\n" );
return( EXIT_FAILURE );
}
if( ewfcommon_copy_libewf_char_from_char_t( notes, option_notes, string_length ) != 1 )
{
fprintf( stderr, "Unable to set notes string.\n" );
return( EXIT_FAILURE );
}
}
}
acquiry_operating_system = ewfcommon_determine_operating_system();
acquiry_software_version = LIBEWF_VERSION;
fprintf( stdout, "Using the following acquiry parameters:\n" );
ewfcommon_acquiry_paramters_fprint( stdout, filenames[ 0 ], case_number, description, evidence_number, examiner_name, notes, media_type, volume_type, compression_level, compress_empty_block, libewf_format, acquiry_offset, acquiry_size, (uint32_t) segment_file_size, sectors_per_chunk, sector_error_granularity, read_error_retry, wipe_block_on_read_error );
handle = libewf_open( (CHAR_T * const *) filenames, 1, LIBEWF_OPEN_WRITE );
if( handle == NULL )
{
fprintf( stderr, "Unable to create EWF file handle.\n" );
return( EXIT_FAILURE );
}
if( libewf_set_media_values( handle, (uint32_t) sectors_per_chunk, 512 ) != 1 )
{
fprintf( stderr, "Unable to set media values in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( libewf_set_write_segment_file_size( handle, (uint32_t) segment_file_size ) != 1 )
{
fprintf( stderr, "Unable to set write segment file size in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( libewf_set_write_media_type( handle, media_type, volume_type ) != 1 )
{
fprintf( stderr, "Unable to set write media type in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( libewf_set_write_compression_values( handle, compression_level, compress_empty_block ) != 1 )
{
fprintf( stderr, "Unable to set write compression values in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( libewf_set_write_format( handle, libewf_format ) != 1 )
{
fprintf( stderr, "Unable to set write format in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( libewf_set_swap_byte_pairs( handle, swap_byte_pairs ) != 1 )
{
fprintf( stderr, "Unable to set swap byte pairs in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( case_number == NULL )
{
string_length = 0;
}
else
{
string_length = libewf_string_length( case_number );
}
if( libewf_set_header_value_case_number( handle, case_number, string_length ) != 1 )
{
fprintf( stderr, "Unable to set header value case number in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
libewf_common_free( case_number );
if( description == NULL )
{
string_length = 0;
}
else
{
string_length = libewf_string_length( description );
}
if( libewf_set_header_value_description( handle, description, string_length ) != 1 )
{
fprintf( stderr, "Unable to set header value description in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
libewf_common_free( description );
if( examiner_name == NULL )
{
string_length = 0;
}
else
{
string_length = libewf_string_length( examiner_name );
}
if( libewf_set_header_value_examiner_name( handle, examiner_name, string_length ) != 1 )
{
fprintf( stderr, "Unable to set header value examiner name in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
libewf_common_free( examiner_name );
if( evidence_number == NULL )
{
string_length = 0;
}
else
{
string_length = libewf_string_length( evidence_number );
}
if( libewf_set_header_value_evidence_number( handle, evidence_number, string_length ) != 1 )
{
fprintf( stderr, "Unable to set header value evidence number in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
libewf_common_free( evidence_number );
if( notes == NULL )
{
string_length = 0;
}
else
{
string_length = libewf_string_length( notes );
}
if( libewf_set_header_value_notes( handle, notes, string_length ) != 1 )
{
fprintf( stderr, "Unable to set header value notes in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
libewf_common_free( notes );
/* Acquiry date, system date and compression type will be generated automatically when set to NULL
*/
if( acquiry_operating_system != NULL )
{
if( libewf_set_header_value_acquiry_operating_system( handle, acquiry_operating_system, libewf_string_length( acquiry_operating_system ) ) != 1 )
{
fprintf( stderr, "Unable to set header value acquiry operating system in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
libewf_common_free( acquiry_operating_system );
}
if( libewf_set_header_value( handle, _S_LIBEWF_CHAR( "acquiry_software" ), _S_LIBEWF_CHAR( "ewfacquirestream" ), 16 ) != 1 )
{
fprintf( stderr, "Unable to set header value acquiry software in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( libewf_set_header_value_acquiry_software_version( handle, acquiry_software_version, libewf_string_length( acquiry_software_version ) ) != 1 )
{
fprintf( stderr, "Unable to set header value acquiry software version number in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
#if defined(HAVE_UUID_UUID_H) && defined(HAVE_LIBUUID)
/* Add a system GUID if necessary
*/
if( ewfcommon_determine_guid( guid, libewf_format ) != 1 )
{
fprintf( stderr, "Unable to create GUID.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( libewf_set_guid( handle, guid, 16 ) != 1 )
{
fprintf( stderr, "Unable to set GUID in handle.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
#endif
/* Start acquiring data
*/
timestamp_start = time( NULL );
time_string = libewf_common_ctime( ×tamp_start );
if( time_string != NULL )
{
fprintf( stderr, "Acquiry started at: %" PRIs "\n", time_string );
libewf_common_free( time_string );
}
else
{
fprintf( stderr, "Acquiry started.\n" );
}
if( callback != NULL )
{
ewfcommon_process_status_initialize( stderr, _S_LIBEWF_CHAR( "acquired" ), timestamp_start );
}
fprintf( stderr, "This could take a while.\n\n" );
count = ewfcommon_write_from_file_descriptor( handle, 0, acquiry_size, acquiry_offset, read_error_retry, sector_error_granularity, wipe_block_on_read_error, seek_on_error, calculate_sha1, callback );
/* Done acquiring data
*/
if( count > -1 )
{
calculated_md5_hash_string = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 );
if( calculated_md5_hash_string == NULL )
{
fprintf( stderr, "Unable to create calculated MD5 hash string.\n" );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
result_md5_hash = libewf_get_calculated_md5_hash( handle, calculated_md5_hash_string, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 );
if( calculate_sha1 == 1 )
{
calculated_sha1_hash_string = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * LIBEWF_STRING_DIGEST_HASH_LENGTH_SHA1 );
if( calculated_sha1_hash_string == NULL )
{
fprintf( stderr, "Unable to create calculated SHA1 hash string.\n" );
libewf_common_free( calculated_md5_hash_string );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
result_sha1_hash = libewf_get_hash_value( handle, _S_LIBEWF_CHAR( "SHA1" ), calculated_sha1_hash_string, LIBEWF_STRING_DIGEST_HASH_LENGTH_SHA1 );
}
}
timestamp_end = time( NULL );
time_string = libewf_common_ctime( ×tamp_end );
if( count <= -1 )
{
if( time_string != NULL )
{
fprintf( stderr, "Acquiry failed at: %" PRIs "\n", time_string );
libewf_common_free( time_string );
}
else
{
fprintf( stderr, "Acquiry failed.\n" );
}
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
}
return( EXIT_FAILURE );
}
if( time_string != NULL )
{
fprintf( stderr, "Acquiry completed at: %" PRIs "\n", time_string );
libewf_common_free( time_string );
}
else
{
fprintf( stderr, "Acquiry completed.\n" );
}
ewfcommon_process_summary_fprint( stderr, _S_LIBEWF_CHAR( "Written" ), count, timestamp_start, timestamp_end );
fprintf( stderr, "\n" );
ewfcommon_acquiry_errors_fprint( stderr, handle );
if( libewf_close( handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file handle.\n" );
libewf_common_free( calculated_md5_hash_string );
if( calculate_sha1 == 1 )
{
libewf_common_free( calculated_sha1_hash_string );
}
return( EXIT_FAILURE );
}
if( result_md5_hash == -1 )
{
fprintf( stderr, "Unable to get calculated MD5 hash.\n" );
libewf_common_free( calculated_md5_hash_string );
if( calculate_sha1 == 1 )
{
libewf_common_free( calculated_sha1_hash_string );
}
return( EXIT_FAILURE );
}
else if( result_md5_hash == 0 )
{
fprintf( stderr, "MD5 hash calculated over data: N/A\n" );
}
else
{
fprintf( stderr, "MD5 hash calculated over data: %" PRIs_EWF "\n", calculated_md5_hash_string );
}
libewf_common_free( calculated_md5_hash_string );
if( calculate_sha1 == 1 )
{
if( result_sha1_hash == -1 )
{
fprintf( stderr, "Unable to get calculated SHA1 hash.\n" );
libewf_common_free( calculated_sha1_hash_string );
return( EXIT_FAILURE );
}
else if( result_sha1_hash == 0 )
{
fprintf( stderr, "SHA1 hash calculated over data:\tN/A\n" );
}
else
{
fprintf( stderr, "SHA1 hash calculated over data:\t%" PRIs_EWF "\n", calculated_sha1_hash_string );
}
libewf_common_free( calculated_sha1_hash_string );
}
return( EXIT_SUCCESS );
}
TSK_IMG_INFO *
ewf_open(int num_img, const TSK_TCHAR * const images[],
unsigned int a_ssize)
{
IMG_EWF_INFO *ewf_info;
TSK_IMG_INFO *img_info;
#if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
uint8_t md5_hash[16];
#endif
if ((ewf_info =
(IMG_EWF_INFO *) tsk_malloc(sizeof(IMG_EWF_INFO))) == NULL) {
return NULL;
}
img_info = (TSK_IMG_INFO *) ewf_info;
/* check the magic before we call the library open */
//if (img_file_header_signature_ncmp(images[0],
// "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) {
#if defined (TSK_WIN32)
if (libewf_check_file_signature_wide(images[0]) == 0) {
#else
if (libewf_check_file_signature(images[0]) == 0) {
#endif
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_MAGIC;
snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open: Not an EWF file");
free(ewf_info);
if (tsk_verbose)
tsk_fprintf(stderr, "Not an EWF file\n");
return NULL;
}
#if defined (TSK_WIN32)
ewf_info->handle =
libewf_open_wide((wchar_t * const *) images, num_img, LIBEWF_OPEN_READ);
#else
ewf_info->handle =
libewf_open((char *const *) images, num_img, LIBEWF_OPEN_READ);
#endif
if (ewf_info->handle == NULL) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"ewf_open file: %" PRIttocTSK ": Error opening", images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return NULL;
}
// 2007 version
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
img_info->size = libewf_get_media_size(ewf_info->handle);
ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
// libewf-20080322 version
#else
if (libewf_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size))
!= 1) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"ewf_open file: %" PRIttocTSK ": Error getting size of image",
images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return NULL;
}
if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
int md5_string_iterator = 0;
int md5_hash_iterator;
for (md5_hash_iterator = 0; md5_hash_iterator < 16;
md5_hash_iterator++) {
int digit = md5_hash[md5_hash_iterator] / 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] = (char)
('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
digit = md5_hash[md5_hash_iterator] % 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] =
(char) ('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
}
ewf_info->md5hash_isset = 1;
}
#endif
img_info->sector_size = 512;
if (a_ssize)
img_info->sector_size = a_ssize;
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->read = ewf_image_read;
img_info->close = ewf_image_close;
img_info->imgstat = ewf_image_imgstat;
return img_info;
}
int main( int argc, char * const argv[] )
#endif
{
uint8_t guid[ 16 ];
#ifndef HAVE_GLOB_H
EWFGLOB *glob = NULL;
int32_t glob_count = 0;
#endif
LIBEWF_HANDLE *handle = NULL;
INT_T option = 0;
int8_t format = 0;
int8_t compression_level = 0;
int8_t media_type = 0;
int8_t media_flags = 0;
int8_t volume_type = 0;
uint8_t verbose = 0;
uint8_t date_format = LIBEWF_DATE_FORMAT_DAYMONTH;
char info_option = 'a';
ewfsignal_initialize();
ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfinfo" ) );
while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "d:himvV" ) ) ) != (INT_T) -1 )
{
switch( option )
{
case (INT_T) '?':
default:
fprintf( stderr, "Invalid argument: %" PRIs "\n", argv[ optind ] );
usage();
return( EXIT_FAILURE );
case (INT_T) 'd':
if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "md" ), 3 ) == 0 )
{
date_format = LIBEWF_DATE_FORMAT_MONTHDAY;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "iso8601" ), 8 ) == 0 )
{
date_format = LIBEWF_DATE_FORMAT_ISO8601;
}
else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "dm" ), 3 ) != 0 )
{
fprintf( stderr, "Unsupported date format: %" PRIs " using default day/month.\n", optarg );
}
break;
case (INT_T) 'e':
if( info_option != 'a' )
{
fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option );
usage();
return( EXIT_FAILURE );
}
info_option = 'e';
break;
case (INT_T) 'h':
usage();
return( EXIT_SUCCESS );
case (INT_T) 'i':
if( info_option != 'a' )
{
fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option );
usage();
return( EXIT_FAILURE );
}
info_option = 'i';
break;
case (INT_T) 'm':
if( info_option != 'a' )
{
fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option );
usage();
return( EXIT_FAILURE );
}
info_option = 'm';
break;
case (INT_T) 'v':
verbose = 1;
break;
case (INT_T) 'V':
ewfcommon_copyright_fprint( stderr );
return( EXIT_SUCCESS );
}
}
if( optind == argc )
{
fprintf( stderr, "Missing EWF image file(s).\n" );
usage();
return( EXIT_FAILURE );
}
libewf_set_notify_values( stderr, verbose );
#ifndef HAVE_GLOB_H
glob = ewfglob_alloc();
if( glob == NULL )
{
fprintf( stderr, "Unable to create glob.\n" );
return( EXIT_FAILURE );
}
glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) );
if( glob_count <= 0 )
{
fprintf( stderr, "Unable to resolve glob.\n" );
ewfglob_free( glob );
return( EXIT_FAILURE );
}
handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ );
ewfglob_free( glob );
#else
handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ );
#endif
if( handle == NULL )
{
fprintf( stderr, "Unable to open EWF image file(s).\n" );
return( EXIT_FAILURE );
}
if( libewf_parse_header_values( handle, date_format ) != 1 )
{
fprintf( stderr, "Unable to parse header values.\n" );
}
format = libewf_get_format( handle );
if( verbose == 1 )
{
fprintf( stdout, "File format:\t\t\t" );
switch( format )
{
case LIBEWF_FORMAT_EWF:
fprintf( stdout, "original EWF" );
break;
case LIBEWF_FORMAT_SMART:
fprintf( stdout, "SMART" );
break;
case LIBEWF_FORMAT_FTK:
fprintf( stdout, "FTK Imager" );
break;
case LIBEWF_FORMAT_ENCASE1:
fprintf( stdout, "EnCase 1" );
break;
case LIBEWF_FORMAT_ENCASE2:
fprintf( stdout, "EnCase 2" );
break;
case LIBEWF_FORMAT_ENCASE3:
fprintf( stdout, "EnCase 3" );
break;
case LIBEWF_FORMAT_ENCASE4:
fprintf( stdout, "EnCase 4" );
break;
case LIBEWF_FORMAT_ENCASE5:
fprintf( stdout, "EnCase 5" );
break;
case LIBEWF_FORMAT_ENCASE6:
fprintf( stdout, "EnCase 6" );
break;
case LIBEWF_FORMAT_LINEN5:
fprintf( stdout, "linen 5" );
break;
case LIBEWF_FORMAT_LINEN6:
fprintf( stdout, "linen 6" );
break;
case LIBEWF_FORMAT_EWFX:
fprintf( stdout, "extended EWF (libewf)" );
break;
case LIBEWF_FORMAT_UNKNOWN:
default:
fprintf( stdout, "unknown" );
break;
}
fprintf( stdout, "\n\n" );
}
if( ( info_option == 'a' ) || ( info_option == 'i' ) )
{
fprintf( stdout, "Acquiry information\n" );
ewfcommon_header_values_fprint( stdout, handle );
fprintf( stdout, "\n" );
}
if( ( info_option == 'a' ) || ( info_option == 'm' ) )
{
fprintf( stdout, "Media information\n" );
if( ( format != LIBEWF_FORMAT_EWF )
&& ( format != LIBEWF_FORMAT_SMART ) )
{
media_type = libewf_get_media_type( handle );
media_flags = libewf_get_media_flags( handle );
volume_type = libewf_get_volume_type( handle );
if( media_type == LIBEWF_MEDIA_TYPE_REMOVABLE )
{
fprintf( stdout, "\tMedia type:\t\tremovable disk\n" );
}
else if( media_type == LIBEWF_MEDIA_TYPE_FIXED )
{
fprintf( stdout, "\tMedia type:\t\tfixed disk\n" );
}
else
{
fprintf( stdout, "\tMedia type:\t\tunknown (0x%" PRIx8 ")\n", media_type );
}
if( verbose == 1 )
{
fprintf( stdout, "\tMedia flags:\t\t0x%" PRIx8 "\n", media_flags );
}
if( volume_type == LIBEWF_VOLUME_TYPE_LOGICAL )
{
fprintf( stdout, "\tMedia is physical:\tno\n" );
}
else if( volume_type == LIBEWF_VOLUME_TYPE_PHYSICAL )
{
fprintf( stdout, "\tMedia is physical:\tyes\n" );
}
else
{
fprintf( stdout, "\tVolume type:\t\tunknown (0x%" PRIx8 ")\n", volume_type );
}
}
fprintf( stdout, "\tAmount of sectors:\t%" PRIu32 "\n", libewf_get_amount_of_sectors( handle ) );
fprintf( stdout, "\tBytes per sector:\t%" PRIu32 "\n", libewf_get_bytes_per_sector( handle ) );
fprintf( stdout, "\tMedia size:\t\t%" PRIu64 "\n", libewf_get_media_size( handle ) );
if( ( format == LIBEWF_FORMAT_ENCASE5 )
|| ( format == LIBEWF_FORMAT_ENCASE6 )
|| ( format == LIBEWF_FORMAT_LINEN5 )
|| ( format == LIBEWF_FORMAT_LINEN6 )
|| ( format == LIBEWF_FORMAT_EWFX ) )
{
fprintf( stdout, "\tError granularity:\t%" PRIu32 "\n", libewf_get_error_granularity( handle ) );
compression_level = libewf_get_compression_level( handle );
if( compression_level == LIBEWF_COMPRESSION_NONE )
{
fprintf( stdout, "\tCompression type:\tno compression\n" );
}
else if( compression_level == LIBEWF_COMPRESSION_FAST )
{
fprintf( stdout, "\tCompression type:\tgood (fast) compression\n" );
}
else if( compression_level == LIBEWF_COMPRESSION_BEST )
{
fprintf( stdout, "\tCompression type:\tbest compression\n" );
}
else
{
fprintf( stdout, "\tCompression type:\tunknown compression\n" );
}
if( libewf_get_guid( handle, guid, 16 ) == 1 )
{
fprintf( stdout, "\tGUID:\t\t\t%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "\n",
guid[ 0 ], guid[ 1 ], guid[ 2 ], guid[ 3 ], guid[ 4 ], guid[ 5 ], guid[ 6 ], guid[ 7 ],
guid[ 8 ], guid[ 9 ], guid[ 10 ], guid[ 11 ], guid[ 12 ], guid[ 13 ], guid[ 14 ], guid[ 15 ]
);
}
}
ewfcommon_hash_values_fprint( stdout, handle );
fprintf( stdout, "\n" );
}
if( ( info_option == 'a' ) || ( info_option == 'e' ) )
{
ewfcommon_acquiry_errors_fprint( stdout, handle );
}
if( libewf_close( handle ) != 0 )
{
fprintf( stdout, "Unable to close EWF file handle.\n" );
return( EXIT_FAILURE );
}
return( EXIT_SUCCESS );
}
int main( int argc, char * const argv[] )
#endif
{
character_t media_size_string[ 16 ];
uint8_t guid[ 16 ];
character_t *program = _CHARACTER_T_STRING( "ewfinfo" );
#if !defined( HAVE_GLOB_H )
ewfglob_t *glob = NULL;
int32_t glob_count = 0;
#endif
#if defined( HAVE_STRERROR_R ) || defined( HAVE_STRERROR )
system_character_t *error_string = NULL;
#endif
char *file_format_string = NULL;
system_integer_t option = 0;
size64_t media_size = 0;
uint32_t bytes_per_sector = 0;
uint32_t amount_of_sectors = 0;
uint32_t error_granularity = 0;
uint32_t amount_of_acquiry_errors = 0;
uint32_t amount_of_sessions = 0;
int8_t compression_level = 0;
int8_t media_type = 0;
int8_t media_flags = 0;
int8_t volume_type = 0;
uint8_t compress_empty_block = 0;
uint8_t format = 0;
uint8_t verbose = 0;
uint8_t date_format = LIBEWF_DATE_FORMAT_CTIME;
char info_option = 'a';
int result = 0;
/*
ewfoutput_version_fprint(
stdout,
program );
*/
while( ( option = ewfgetopt(
argc,
argv,
_SYSTEM_CHARACTER_T_STRING( "d:ehimvcV" ) ) ) != (system_integer_t) -1 )
{
switch( option )
{
case (system_integer_t) '?':
default:
fprintf( stderr, "Invalid argument: %" PRIs_SYSTEM "\n",
argv[ optind ] );
usage_fprint(
stdout );
return( EXIT_FAILURE );
case (system_integer_t) 'd':
if( system_string_compare(
optarg,
_SYSTEM_CHARACTER_T_STRING( "dm" ),
3 ) == 0 )
{
date_format = LIBEWF_DATE_FORMAT_DAYMONTH;
}
else if( system_string_compare(
optarg,
_SYSTEM_CHARACTER_T_STRING( "md" ),
3 ) == 0 )
{
date_format = LIBEWF_DATE_FORMAT_MONTHDAY;
}
else if( system_string_compare(
optarg,
_SYSTEM_CHARACTER_T_STRING( "iso8601" ),
8 ) == 0 )
{
date_format = LIBEWF_DATE_FORMAT_ISO8601;
}
else if( system_string_compare(
optarg,
_SYSTEM_CHARACTER_T_STRING( "ctime" ),
3 ) != 0 )
{
fprintf( stderr, "Unsupported date format: %" PRIs_SYSTEM " using default ctime.\n",
optarg );
}
break;
case (system_integer_t) 'e':
if( info_option != 'a' )
{
fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n",
option, info_option );
usage_fprint(
stdout );
return( EXIT_FAILURE );
}
info_option = 'e';
break;
case (system_integer_t) 'h':
usage_fprint(
stdout );
return( EXIT_SUCCESS );
case (system_integer_t) 'i':
if( info_option != 'a' )
{
fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n",
option, info_option );
usage_fprint(
stdout );
return( EXIT_FAILURE );
}
info_option = 'i';
break;
case (system_integer_t) 'c':
info_option = 'c';
break;
case (system_integer_t) 'm':
if( info_option != 'a' )
{
fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n",
option, info_option );
usage_fprint(
stdout );
return( EXIT_FAILURE );
}
info_option = 'm';
break;
case (system_integer_t) 'v':
verbose = 1;
break;
case (system_integer_t) 'V':
ewfoutput_copyright_fprint(
stdout );
return( EXIT_SUCCESS );
}
}
if( optind == argc )
{
fprintf( stderr, "Missing EWF image file(s).\n" );
usage_fprint(
stdout );
return( EXIT_FAILURE );
}
libewf_set_notify_values(
stderr,
verbose );
if( ewfsignal_attach(
ewfcommon_signal_handler ) != 1 )
{
fprintf( stderr, "Unable to attach signal handler.\n" );
}
#if 0 && !defined( HAVE_GLOB_H )
glob = ewfglob_alloc();
if( glob == NULL )
{
fprintf( stderr, "Unable to create glob.\n" );
return( EXIT_FAILURE );
}
glob_count = ewfglob_resolve(
glob,
&argv[ optind ],
( argc - optind ) );
if( glob_count <= 0 )
{
fprintf( stderr, "Unable to resolve glob.\n" );
ewfglob_free(
glob );
return( EXIT_FAILURE );
}
ewfcommon_libewf_handle = libewf_open(
glob->results,
glob->amount,
LIBEWF_OPEN_READ );
ewfglob_free(
glob );
#else
ewfcommon_libewf_handle = libewf_open(
&argv[ optind ],
( argc - optind ),
LIBEWF_OPEN_READ );
#endif
if( ( ewfcommon_abort == 0 )
&& ( ewfcommon_libewf_handle == NULL ) )
{
#if defined( HAVE_STRERROR_R ) || defined( HAVE_STRERROR )
if( errno != 0 )
{
error_string = ewfcommon_strerror(
errno );
}
if( error_string != NULL )
{
fprintf( stderr, "Unable to open EWF file(s) with failure: %" PRIs_SYSTEM ".\n",
error_string );
memory_free(
error_string );
}
else
{
fprintf( stderr, "Unable to open EWF file(s).\n" );
}
#else
fprintf( stderr, "Unable to open EWF file(s).\n" );
#endif
return( EXIT_FAILURE );
}
if( ( ewfcommon_abort == 0 )
&& ( libewf_parse_header_values(
ewfcommon_libewf_handle,
date_format ) != 1 ) )
{
fprintf( stderr, "Unable to parse header values.\n" );
}
if( ( ewfcommon_abort == 0 )
&& ( libewf_get_format(
ewfcommon_libewf_handle,
&format ) != 1 ) )
{
fprintf( stderr, "Unable to determine format.\n" );
}
else if( verbose == 1 )
{
switch( format )
{
case LIBEWF_FORMAT_EWF:
file_format_string = "original EWF";
break;
case LIBEWF_FORMAT_SMART:
file_format_string = "SMART";
break;
case LIBEWF_FORMAT_FTK:
file_format_string = "FTK Imager";
break;
case LIBEWF_FORMAT_ENCASE1:
file_format_string = "EnCase 1";
break;
case LIBEWF_FORMAT_ENCASE2:
file_format_string = "EnCase 2";
break;
case LIBEWF_FORMAT_ENCASE3:
file_format_string = "EnCase 3";
break;
case LIBEWF_FORMAT_ENCASE4:
file_format_string = "EnCase 4";
break;
case LIBEWF_FORMAT_ENCASE5:
file_format_string = "EnCase 5";
break;
case LIBEWF_FORMAT_ENCASE6:
file_format_string = "EnCase 6";
break;
case LIBEWF_FORMAT_LINEN5:
file_format_string = "linen 5";
break;
case LIBEWF_FORMAT_LINEN6:
file_format_string = "linen 6";
break;
case LIBEWF_FORMAT_EWFX:
file_format_string = "extended EWF (libewf)";
break;
case LIBEWF_FORMAT_UNKNOWN:
default:
file_format_string = "unknown";
break;
}
fprintf( stdout, "File format:\t\t\t%s\n\n",
file_format_string );
}
if( ( ewfcommon_abort == 0 )
&& ( ( info_option == 'a' )
|| ( info_option == 'i' ) ) )
{
fprintf( stdout, "Acquiry information\n" );
ewfoutput_header_values_fprint(
stdout,
ewfcommon_libewf_handle );
fprintf( stdout, "\n" );
}
if( ( ewfcommon_abort == 0 )
&& ( ( info_option == 'a' )
|| ( info_option == 'm' ) ) )
{
fprintf( stdout, "Media information\n" );
if( ( format != LIBEWF_FORMAT_EWF )
&& ( format != LIBEWF_FORMAT_SMART ) )
{
if( libewf_get_media_type(
ewfcommon_libewf_handle,
&media_type ) != 1 )
{
fprintf( stderr, "Unable to determine media type.\n" );
}
else if( media_type == LIBEWF_MEDIA_TYPE_REMOVABLE )
{
fprintf( stdout, "\tMedia type:\t\tremovable disk\n" );
}
else if( media_type == LIBEWF_MEDIA_TYPE_FIXED )
{
fprintf( stdout, "\tMedia type:\t\tfixed disk\n" );
}
else if( media_type == LIBEWF_MEDIA_TYPE_CD )
{
fprintf( stdout, "\tMedia type:\t\tCD/DVD\n" );
}
else
{
fprintf( stdout, "\tMedia type:\t\tunknown (0x%" PRIx8 ")\n",
media_type );
}
if( libewf_get_media_flags(
ewfcommon_libewf_handle,
&media_flags ) != 1 )
{
fprintf( stderr, "Unable to determine media flags.\n" );
}
else if( verbose == 1 )
{
fprintf( stdout, "\tMedia flags:\t\t0x%" PRIx8 "\n",
media_flags );
}
if( libewf_get_volume_type(
ewfcommon_libewf_handle,
&volume_type ) != 1 )
{
fprintf( stderr, "Unable to determine volume type.\n" );
}
else if( volume_type == LIBEWF_VOLUME_TYPE_LOGICAL )
{
fprintf( stdout, "\tMedia is physical:\tno\n" );
}
else if( volume_type == LIBEWF_VOLUME_TYPE_PHYSICAL )
{
fprintf( stdout, "\tMedia is physical:\tyes\n" );
}
else
{
fprintf( stdout, "\tVolume type:\t\tunknown (0x%" PRIx8 ")\n",
volume_type );
}
}
if( libewf_get_amount_of_sectors(
ewfcommon_libewf_handle,
&amount_of_sectors ) == 1 )
{
fprintf( stdout, "\tAmount of sectors:\t%" PRIu32 "\n",
amount_of_sectors );
}
else
{
fprintf( stderr, "Unable to determine amount of sectors.\n" );
}
if( libewf_get_bytes_per_sector(
ewfcommon_libewf_handle,
&bytes_per_sector ) == 1 )
{
fprintf( stdout, "\tBytes per sector:\t%" PRIu32 "\n",
bytes_per_sector );
}
else
{
fprintf( stderr, "Unable to determine bytes per sector.\n" );
}
if( libewf_get_media_size(
ewfcommon_libewf_handle,
&media_size ) == 1 )
{
result = ewfbyte_size_string_create(
media_size_string,
16,
media_size,
EWFBYTE_SIZE_STRING_UNIT_MEBIBYTE );
if( result == 1 )
{
fprintf( stdout, "\tMedia size:\t\t%" PRIs " (%" PRIu64 " bytes)\n",
media_size_string, media_size );
}
else
{
fprintf( stdout, "\tMedia size:\t\t%" PRIu64 " bytes\n",
media_size );
}
}
else
{
fprintf( stderr, "Unable to determine media size.\n" );
}
if( ( format == LIBEWF_FORMAT_ENCASE5 )
|| ( format == LIBEWF_FORMAT_ENCASE6 )
|| ( format == LIBEWF_FORMAT_LINEN5 )
|| ( format == LIBEWF_FORMAT_LINEN6 )
|| ( format == LIBEWF_FORMAT_EWFX ) )
{
if( libewf_get_error_granularity(
ewfcommon_libewf_handle,
&error_granularity ) == 1 )
{
fprintf( stdout, "\tError granularity:\t%" PRIu32 "\n",
error_granularity );
}
else
{
fprintf( stderr, "Unable to determine error granularity.\n" );
}
if( libewf_get_compression_values(
ewfcommon_libewf_handle,
&compression_level,
&compress_empty_block ) == 1 )
{
if( compression_level == LIBEWF_COMPRESSION_NONE )
{
fprintf( stdout, "\tCompression type:\tno compression\n" );
}
else if( compression_level == LIBEWF_COMPRESSION_FAST )
{
fprintf( stdout, "\tCompression type:\tgood (fast) compression\n" );
}
else if( compression_level == LIBEWF_COMPRESSION_BEST )
{
fprintf( stdout, "\tCompression type:\tbest compression\n" );
}
else
{
fprintf( stdout, "\tCompression type:\tunknown compression\n" );
}
}
else
{
fprintf( stderr, "Unable to determine compression level.\n" );
}
if( libewf_get_guid(
ewfcommon_libewf_handle,
guid,
16 ) == 1 )
{
fprintf( stdout, "\tGUID:\t\t\t%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8
"%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8
"%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "\n",
guid[ 0 ], guid[ 1 ], guid[ 2 ], guid[ 3 ], guid[ 4 ], guid[ 5 ], guid[ 6 ], guid[ 7 ],
guid[ 8 ], guid[ 9 ], guid[ 10 ], guid[ 11 ], guid[ 12 ], guid[ 13 ], guid[ 14 ], guid[ 15 ]
);
}
}
ewfoutput_hash_values_fprint(
stdout,
ewfcommon_libewf_handle );
fprintf( stdout, "\n" );
ewfoutput_sessions_fprint(
stdout,
ewfcommon_libewf_handle,
&amount_of_sessions );
}
if ( ( ewfcommon_abort == 0)
&& ( ( info_option =='c' )))
{
libewf_internal_handle_t *handle = (libewf_internal_handle_t *)ewfcommon_libewf_handle;
int i;
struct libewf_chunk_offset *chunk = handle->offset_table->chunk_offset;
// Print some attributes
printf("size=%lld\n", handle->media_values->media_size);
printf("chunk_size=%d\n", handle->media_values->chunk_size);
printf("count=%d\n", handle->offset_table->amount);
for(i=0; i<handle->offset_table->amount; i++) {
printf("%d,%lld,%d,%d,%s\n", i, chunk[i].file_offset, chunk[i].size,
chunk[i].compressed,
chunk[i].segment_file_handle->filename);
};
};
if( ( ewfcommon_abort == 0 )
&& ( ( info_option == 'a' )
|| ( info_option == 'e' ) ) )
{
ewfoutput_acquiry_errors_fprint(
stdout,
ewfcommon_libewf_handle,
&amount_of_acquiry_errors );
}
if( ewfsignal_detach() != 1 )
{
fprintf( stderr, "Unable to detach signal handler.\n" );
}
if( ewfcommon_abort != 0 )
{
fprintf( stdout, "%" PRIs ": ABORTED\n",
program );
return( EXIT_FAILURE );
}
if( libewf_close(
ewfcommon_libewf_handle ) != 0 )
{
fprintf( stderr, "Unable to close EWF file(s).\n" );
return( EXIT_FAILURE );
}
return( EXIT_SUCCESS );
}
TSK_IMG_INFO *
ewf_open(int a_num_img, const TSK_TCHAR * const a_images[],
unsigned int a_ssize)
{
IMG_EWF_INFO *ewf_info;
TSK_IMG_INFO *img_info;
#if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
uint8_t md5_hash[16];
#endif
if ((ewf_info =
(IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
NULL) {
return NULL;
}
img_info = (TSK_IMG_INFO *) ewf_info;
// See if they specified only the first of the set...
if (a_num_img == 1) {
#ifdef TSK_WIN32
ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
if (ewf_info->num_imgs <= 0) {
free(ewf_info);
return NULL;
}
if (tsk_verbose)
tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs);
}
else {
int i;
ewf_info->num_imgs = a_num_img;
if ((ewf_info->images =
(TSK_TCHAR **) tsk_malloc(a_num_img *
sizeof(TSK_TCHAR *))) == NULL) {
free(ewf_info);
return NULL;
}
for (i = 0; i < a_num_img; i++) {
if ((ewf_info->images[i] =
(TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
1) * sizeof(TSK_TCHAR))) == NULL) {
free(ewf_info);
return NULL;
}
TSTRNCPY(ewf_info->images[i], a_images[i],
TSTRLEN(a_images[i]) + 1);
}
}
/* check the magic before we call the library open */
//if (img_file_header_signature_ncmp(images[0],
// "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) {
#if defined (TSK_WIN32)
if (libewf_check_file_signature_wide(ewf_info->images[0]) == 0) {
#else
if (libewf_check_file_signature(ewf_info->images[0]) == 0) {
#endif
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an EWF file");
free(ewf_info);
if (tsk_verbose)
tsk_fprintf(stderr, "Not an EWF file\n");
return NULL;
}
#if defined (TSK_WIN32)
ewf_info->handle =
libewf_open_wide((wchar_t * const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ);
#else
ewf_info->handle =
libewf_open((char *const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#endif
if (ewf_info->handle == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening", ewf_info->images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return NULL;
}
// 2007 version
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
img_info->size = libewf_get_media_size(ewf_info->handle);
ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
// libewf-20080322 version
#else
if (libewf_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size))
!= 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image", ewf_info->images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return NULL;
}
if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
int md5_string_iterator = 0;
int md5_hash_iterator;
for (md5_hash_iterator = 0; md5_hash_iterator < 16;
md5_hash_iterator++) {
int digit = md5_hash[md5_hash_iterator] / 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] = (char)
('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
digit = md5_hash[md5_hash_iterator] % 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] =
(char) ('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
}
ewf_info->md5hash_isset = 1;
}
#endif
img_info->sector_size = 512;
if (a_ssize)
img_info->sector_size = a_ssize;
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->read = ewf_image_read;
img_info->close = ewf_image_close;
img_info->imgstat = ewf_image_imgstat;
return img_info;
}
/*
* EwfOpen
*/
static int EwfOpen(void *p_handle,
const char **pp_filename_arr,
uint64_t filename_arr_len)
{
pts_EwfHandle p_ewf_handle=(pts_EwfHandle)p_handle;
// We need at least one file
if(filename_arr_len==0) return EWF_NO_INPUT_FILES;
// Make sure all files are EWF files
for(uint64_t i=0;i<filename_arr_len;i++) {
#ifdef HAVE_LIBEWF_V2_API
if(libewf_check_file_signature(pp_filename_arr[i],NULL)!=1)
#else
if(libewf_check_file_signature(pp_filename_arr[i])!=1)
#endif
{
return EWF_INVALID_INPUT_FILES;
}
}
// Open EWF file
#ifdef HAVE_LIBEWF_V2_API
if(libewf_handle_open(p_ewf_handle->h_ewf,
(char* const*)pp_filename_arr,
filename_arr_len,
libewf_get_access_flags_read(),
NULL)!=1)
#else
p_ewf_handle->h_ewf=libewf_open((char* const*)pp_filename_arr,
filename_arr_len,
libewf_get_flags_read());
if(p_ewf_handle->h_ewf==NULL)
#endif
{
return EWF_OPEN_FAILED;
}
#ifdef HAVE_LIBEWF_V2_API
// Try to read 1 byte from the image end to verify that all segments were
// specified (Only needed because libewf_handle_open() won't fail even if not
// all segments were specified!)
uint64_t image_size=0;
char buf;
if(libewf_handle_get_media_size(p_ewf_handle->h_ewf,&image_size,NULL)!=1) {
return EWF_GET_SIZE_FAILED;
}
if(image_size==0) return EWF_OK;
LIBXMOUNT_LOG_DEBUG(p_ewf_handle->debug,
"Trying to read last byte of image at offset %"
PRIu64 " (image size = %" PRIu64 " bytes)\n",
image_size-1,
image_size);
if(libewf_handle_seek_offset(p_ewf_handle->h_ewf,
image_size-1,
SEEK_SET,
NULL)==-1)
{
return EWF_OPEN_FAILED_SEEK;
}
if(libewf_handle_read_buffer(p_ewf_handle->h_ewf,&buf,1,NULL)!=1) {
return EWF_OPEN_FAILED_READ;
}
#endif
#ifndef HAVE_LIBEWF_V2_API
// Parse EWF header
if(libewf_parse_header_values(p_ewf_handle->h_ewf,
LIBEWF_DATE_FORMAT_ISO8601)!=1)
{
return EWF_HEADER_PARSING_FAILED;
}
#endif
return EWF_OK;
}
