/* Prints the number of bytes per second (with a leading space) to a stream */ void process_status_bytes_per_second_fprint( FILE *stream, size64_t bytes, time_t seconds ) { libcstring_system_character_t bytes_per_second_string[ 16 ]; size64_t bytes_per_second = 0; int result = 0; if( stream == NULL ) { return; } if( seconds == 0 ) { return; } if( seconds > 0 ) { bytes_per_second = bytes / seconds; if( bytes_per_second > 1024 ) { result = byte_size_string_create( bytes_per_second_string, 10, bytes_per_second, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); } fprintf( stream, " with" ); if( result == 1 ) { fprintf( stream, " %" PRIs_LIBCSTRING_SYSTEM "/s (%" PRIu64 " bytes/second)", bytes_per_second_string, bytes_per_second ); } else { fprintf( stream, " %" PRIu64 " bytes/second", bytes_per_second ); } } }
/* Prints the number of bytes (with a leading space) to a stream * Creates a human readable version of the number of bytes if possible */ void process_status_bytes_fprint( FILE *stream, size64_t bytes ) { libcstring_system_character_t bytes_string[ 16 ]; int result = 0; if( stream == NULL ) { return; } if( bytes > 1024 ) { result = byte_size_string_create( bytes_string, 10, bytes, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); } if( result == 1 ) { fprintf( stream, " %" PRIs_LIBCSTRING_SYSTEM " (%" PRIi64 " bytes)", bytes_string, bytes ); } else { fprintf( stream, " %" PRIi64 " bytes", bytes ); } }
/* Prints the segment information * Returns 1 if successful or -1 on error */ int info_handle_segment_fprint( info_handle_t *info_handle, int segment_index, libvslvm_segment_t *segment, libcerror_error_t **error ) { libcstring_system_character_t segment_size_string[ 16 ]; libvslvm_stripe_t *stripe = NULL; static char *function = "info_handle_segment_fprint"; off64_t segment_offset = 0; size64_t segment_size = 0; int number_of_stripes = 0; int result = 0; int stripe_index = 0; if( info_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid info handle.", function ); return( -1 ); } fprintf( info_handle->notify_stream, "\tSegment: %d\n", segment_index + 1 ); if( libvslvm_segment_get_offset( segment, &segment_offset, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve offset.", function ); goto on_error; } fprintf( info_handle->notify_stream, "\t\tOffset:\t\t\t\t0x%08" PRIx64 " (%" PRIi64 ")\n", segment_offset, segment_offset ); if( libvslvm_segment_get_size( segment, &segment_size, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve size.", function ); goto on_error; } result = byte_size_string_create( segment_size_string, 16, segment_size, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); if( result == 1 ) { fprintf( info_handle->notify_stream, "\t\tSize:\t\t\t\t%" PRIs_LIBCSTRING_SYSTEM " (%" PRIu64 " bytes)\n", segment_size_string, segment_size ); } else { fprintf( info_handle->notify_stream, "\t\tSize:\t\t\t\t%" PRIu64 " bytes\n", segment_size ); } if( libvslvm_segment_get_number_of_stripes( segment, &number_of_stripes, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve number of stripes.", function ); goto on_error; } fprintf( info_handle->notify_stream, "\t\tNumber of stripes:\t\t%d\n", number_of_stripes ); for( stripe_index = 0; stripe_index < number_of_stripes; stripe_index++ ) { if( libvslvm_segment_get_stripe( segment, stripe_index, &stripe, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve stripe: %d.", function, stripe_index ); goto on_error; } if( info_handle_stripe_fprint( info_handle, stripe_index, stripe, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_PRINT_FAILED, "%s: unable to print stripe: %d information.", function, stripe_index ); goto on_error; } if( libvslvm_stripe_free( &stripe, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free stripe: %d.", function, stripe_index ); goto on_error; } } return( 1 ); on_error: if( stripe != NULL ) { libvslvm_stripe_free( &stripe, NULL ); } return( -1 ); }
/* Prints the executable usage information to the stream */ void usage_fprint( FILE *stream ) { libcstring_system_character_t default_segment_file_size_string[ 16 ]; libcstring_system_character_t minimum_segment_file_size_string[ 16 ]; libcstring_system_character_t maximum_32bit_segment_file_size_string[ 16 ]; libcstring_system_character_t maximum_64bit_segment_file_size_string[ 16 ]; int result = 0; if( stream == NULL ) { return; } result = byte_size_string_create( default_segment_file_size_string, 16, EWFCOMMON_DEFAULT_SEGMENT_FILE_SIZE, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); if( result == 1 ) { result = byte_size_string_create( minimum_segment_file_size_string, 16, EWFCOMMON_MINIMUM_SEGMENT_FILE_SIZE, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); } if( result == 1 ) { result = byte_size_string_create( maximum_32bit_segment_file_size_string, 16, EWFCOMMON_MAXIMUM_SEGMENT_FILE_SIZE_32BIT, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); } if( result == 1 ) { result = byte_size_string_create( maximum_64bit_segment_file_size_string, 16, EWFCOMMON_MAXIMUM_SEGMENT_FILE_SIZE_64BIT, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); } fprintf( stream, "Use ewfexport to export data from the EWF format (Expert Witness Compression\n" "Format) to raw data or another EWF format.\n\n" ); fprintf( stream, "Usage: ewfexport [ -A codepage ] [ -b number_of_sectors ]\n" " [ -B number_of_bytes ] [ -c compression_level ]\n" " [ -d digest_type ] [ -f format ] [ -l log_filename ]\n" " [ -o offset ] [ -p process_buffer_size ]\n" " [ -S segment_file_size ] [ -t target ] [ -hqsuvVw ] ewf_files\n\n" ); fprintf( stream, "\tewf_files: the first or the entire set of EWF segment files\n\n" ); fprintf( stream, "\t-A: codepage of header section, options: ascii (default),\n" "\t windows-874, windows-1250, windows-1251, windows-1252,\n" "\t windows-1253, windows-1254, windows-1255, windows-1256,\n" "\t windows-1257, windows-1258\n" ); fprintf( stream, "\t-b: specify the number of sectors to read at once (per chunk),\n" "\t options: 16, 32, 64 (default), 128, 256, 512, 1024, 2048, 4096,\n" "\t 8192, 16384 or 32768 (not used for raw and files formats)\n" ); fprintf( stream, "\t-B: specify the number of bytes to export (default is all bytes)\n" ); fprintf( stream, "\t-c: specify the compression level, options: none (default),\n" "\t empty-block, fast or best (not used for raw and files format)\n" ); fprintf( stream, "\t-d: calculate additional digest (hash) types besides md5,\n" "\t options: sha1, sha256 (not used for raw and files format)\n" ); fprintf( stream, "\t-f: specify the output format to write to, options:\n" "\t raw (default), files (restricted to logical volume files), ewf,\n" "\t smart, encase1, encase2, encase3, encase4, encase5, encase6,\n" "\t linen5, linen6, ewfx\n" ); fprintf( stream, "\t-h: shows this help\n" ); fprintf( stream, "\t-l: logs export errors and the digest (hash) to the log_filename\n" ); fprintf( stream, "\t-o: specify the offset to start the export (default is 0)\n" ); fprintf( stream, "\t-p: specify the process buffer size (default is the chunk size)\n" ); fprintf( stream, "\t-q: quiet shows minimal status information\n" ); fprintf( stream, "\t-s: swap byte pairs of the media data (from AB to BA)\n" "\t (use this for big to little endian conversion and vice\n" "\t versa)\n" ); if( result == 1 ) { fprintf( stream, "\t-S: specify the segment file size in bytes (default is %" PRIs_LIBCSTRING_SYSTEM ")\n" "\t (minimum is %" PRIs_LIBCSTRING_SYSTEM ", maximum is %" PRIs_LIBCSTRING_SYSTEM " for raw and encase6\n" "\t and %" PRIs_LIBCSTRING_SYSTEM " for other formats)\n" "\t (not used for files format)\n", default_segment_file_size_string, minimum_segment_file_size_string, maximum_64bit_segment_file_size_string, maximum_32bit_segment_file_size_string ); } else { fprintf( stream, "\t-S: specify the segment file size in bytes (default is %" PRIu32 ")\n" "\t (minimum is %" PRIu32 ", maximum is %" PRIu64 " for raw and encase6 format\n" "\t and %" PRIu32 " for other formats)\n" "\t (not used for files format)\n", (uint32_t) EWFCOMMON_DEFAULT_SEGMENT_FILE_SIZE, (uint32_t) EWFCOMMON_MINIMUM_SEGMENT_FILE_SIZE, (uint64_t) EWFCOMMON_MAXIMUM_SEGMENT_FILE_SIZE_64BIT, (uint32_t) EWFCOMMON_MAXIMUM_SEGMENT_FILE_SIZE_32BIT ); } fprintf( stream, "\t-t: specify the target file to export to, use - for stdout\n" "\t (default is export) stdout is only supported for the raw\n" "\t format\n" ); fprintf( stream, "\t-u: unattended mode (disables user interaction)\n" ); fprintf( stream, "\t-v: verbose output to stderr\n" ); fprintf( stream, "\t-V: print version\n" ); fprintf( stream, "\t-w: zero sectors on checksum error (mimic EnCase like behavior)\n" ); }
/* Get a byte size variable * Returns 1 if successful, 0 if no input was provided or -1 on error */ int ewfinput_get_byte_size_variable( FILE *stream, libsystem_character_t *input_buffer, size_t input_buffer_size, libsystem_character_t *request_string, uint64_t minimum, uint64_t maximum, uint64_t default_value, uint64_t *byte_size_variable, liberror_error_t **error ) { libsystem_character_t minimum_size_string[ 16 ]; libsystem_character_t maximum_size_string[ 16 ]; libsystem_character_t default_size_string[ 16 ]; libsystem_character_t *end_of_input = NULL; libsystem_character_t *result_string = NULL; static char *function = "ewfinput_get_byte_size_variable"; ssize_t input_length = 0; if( stream == NULL ) { liberror_error_set( error, LIBERROR_ERROR_DOMAIN_ARGUMENTS, LIBERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid output stream.", function ); return( -1 ); } if( input_buffer == NULL ) { liberror_error_set( error, LIBERROR_ERROR_DOMAIN_ARGUMENTS, LIBERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid input buffer.", function ); return( -1 ); } if( input_buffer_size > (size_t) SSIZE_MAX ) { liberror_error_set( error, LIBERROR_ERROR_DOMAIN_ARGUMENTS, LIBERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid input buffer size value exceeds maximum.", function ); return( -1 ); } if( request_string == NULL ) { liberror_error_set( error, LIBERROR_ERROR_DOMAIN_ARGUMENTS, LIBERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid request string.", function ); return( -1 ); } if( byte_size_variable == NULL ) { liberror_error_set( error, LIBERROR_ERROR_DOMAIN_ARGUMENTS, LIBERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid byte size variable.", function ); return( -1 ); } if( byte_size_string_create( minimum_size_string, 16, minimum, BYTE_SIZE_STRING_UNIT_MEBIBYTE, error ) != 1 ) { liberror_error_set( error, LIBERROR_ERROR_DOMAIN_RUNTIME, LIBERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to create minimum byte size string.", function ); return( -1 ); } if( byte_size_string_create( default_size_string, 16, default_value, BYTE_SIZE_STRING_UNIT_MEBIBYTE, error ) != 1 ) { liberror_error_set( error, LIBERROR_ERROR_DOMAIN_RUNTIME, LIBERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to create default byte size string.", function ); return( -1 ); } if( byte_size_string_create( maximum_size_string, 16, maximum, BYTE_SIZE_STRING_UNIT_MEBIBYTE, error ) != 1 ) { liberror_error_set( error, LIBERROR_ERROR_DOMAIN_RUNTIME, LIBERROR_RUNTIME_ERROR_SET_FAILED, "%s: unable to create maximum byte size string.", function ); return( -1 ); } /* Safe guard the end of the input buffer */ input_buffer[ input_buffer_size - 1 ] = 0; while( 1 ) { fprintf( stream, "%" PRIs_LIBSYSTEM " (%" PRIs_LIBSYSTEM " >= value >= %" PRIs_LIBSYSTEM ") [%" PRIs_LIBSYSTEM "]: ", request_string, minimum_size_string, maximum_size_string, default_size_string ); result_string = libsystem_file_stream_get_string( stdin, input_buffer, input_buffer_size - 1 ); if( result_string != NULL ) { end_of_input = libsystem_string_search( input_buffer, (libsystem_character_t) '\n', input_buffer_size ); /* Input was larger than size of buffer */ if( end_of_input == NULL ) { /* Flush the stdin stream */ while( end_of_input == NULL ) { result_string = libsystem_file_stream_get_string( stdin, input_buffer, input_buffer_size - 1 ); end_of_input = libsystem_string_search( input_buffer, (libsystem_character_t) '\n', input_buffer_size ); } return( -1 ); } input_length = (ssize_t) ( end_of_input - input_buffer ); if( input_length < 0 ) { return( -1 ); } else if( input_length == 0 ) { *byte_size_variable = default_value; return( 0 ); } if( byte_size_string_convert( input_buffer, (size_t) input_length, byte_size_variable, NULL ) != 1 ) { fprintf( stream, "Invalid value, please try again or terminate using Ctrl^C.\n" ); } else if( ( *byte_size_variable >= minimum ) && ( *byte_size_variable <= maximum ) ) { break; } else { fprintf( stream, "Value not within specified range, please try again or terminate using Ctrl^C.\n" ); } } else { fprintf( stream, "Error reading input, please try again or terminate using Ctrl^C.\n" ); } } return( 1 ); }
/* Prints the executable usage information to the stream */ void usage_fprint( FILE *stream ) { libcstring_system_character_t default_segment_file_size_string[ 16 ]; libcstring_system_character_t minimum_segment_file_size_string[ 16 ]; libcstring_system_character_t maximum_32bit_segment_file_size_string[ 16 ]; libcstring_system_character_t maximum_64bit_segment_file_size_string[ 16 ]; int result = 0; if( stream == NULL ) { return; } result = byte_size_string_create( default_segment_file_size_string, 16, EWFCOMMON_DEFAULT_SEGMENT_FILE_SIZE, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); if( result == 1 ) { result = byte_size_string_create( minimum_segment_file_size_string, 16, EWFCOMMON_MINIMUM_SEGMENT_FILE_SIZE, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); } if( result == 1 ) { result = byte_size_string_create( maximum_32bit_segment_file_size_string, 16, EWFCOMMON_MAXIMUM_SEGMENT_FILE_SIZE_32BIT, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); } if( result == 1 ) { result = byte_size_string_create( maximum_64bit_segment_file_size_string, 16, EWFCOMMON_MAXIMUM_SEGMENT_FILE_SIZE_64BIT, BYTE_SIZE_STRING_UNIT_MEBIBYTE, NULL ); } fprintf( stream, "Use ewfacquirestream to acquire data from a pipe and store it in the EWF format\n" "(Expert Witness Compression Format).\n\n" ); fprintf( stream, "Usage: ewfacquirestream [ -A codepage ] [ -b number_of_sectors ]\n" " [ -B number_of_bytes ] [ -c compression_values ]\n" " [ -C case_number ] [ -d digest_type ]\n" " [ -D description ] [ -e examiner_name ]\n" " [ -E evidence_number ] [ -f format ]\n" " [ -l log_filename ] [ -m media_type ]\n" " [ -M media_flags ] [ -N notes ]\n" " [ -o offset ] [ -p process_buffer_size ]\n" " [ -P bytes_per_sector ] [ -S segment_file_size ]\n" " [ -t target ] [ -2 secondary_target ]\n" " [ -hqsvVx ]\n\n" ); fprintf( stream, "\tReads data from stdin\n\n" ); fprintf( stream, "\t-A: codepage of header section, options: ascii (default),\n" "\t windows-874, windows-932, windows-936, windows-949,\n" "\t windows-950, windows-1250, windows-1251, windows-1252,\n" "\t windows-1253, windows-1254, windows-1255, windows-1256,\n" "\t windows-1257 or windows-1258\n" ); fprintf( stream, "\t-b: specify the number of sectors to read at once (per chunk), options:\n" "\t 16, 32, 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384\n" "\t or 32768\n" ); fprintf( stream, "\t-B: specify the number of bytes to acquire (default is all bytes)\n" ); fprintf( stream, "\t-c: specify the compression values as: level or method:level\n" "\t compression method options: deflate (default), bzip2\n" "\t (bzip2 is only supported by EWF2 formats)\n" "\t compression level options: none (default), empty-block,\n" "\t fast or best\n" ); fprintf( stream, "\t-C: specify the case number (default is case_number).\n" ); fprintf( stream, "\t-d: calculate additional digest (hash) types besides md5, options:\n" "\t sha1, sha256\n" ); fprintf( stream, "\t-D: specify the description (default is description).\n" ); fprintf( stream, "\t-e: specify the examiner name (default is examiner_name).\n" ); fprintf( stream, "\t-E: specify the evidence number (default is evidence_number).\n" ); fprintf( stream, "\t-f: specify the EWF file format to write to, options: ftk, encase2,\n" "\t encase3, encase4, encase5, encase6 (default), encase7, linen5,\n" "\t linen6, linen7, ewfx\n" ); fprintf( stream, "\t-h: shows this help\n" ); fprintf( stream, "\t-l: logs acquiry errors and the digest (hash) to the log_filename\n" ); fprintf( stream, "\t-m: specify the media type, options: fixed (default), removable,\n" "\t optical, memory\n" ); fprintf( stream, "\t-M: specify the media flags, options: logical, physical (default)\n" ); fprintf( stream, "\t-N: specify the notes (default is notes).\n" ); fprintf( stream, "\t-o: specify the offset to start to acquire (default is 0)\n" ); fprintf( stream, "\t-p: specify the process buffer size (default is the chunk size)\n" ); fprintf( stream, "\t-P: specify the number of bytes per sector (default is 512)\n" ); fprintf( stream, "\t-q: quiet shows minimal status information\n" ); fprintf( stream, "\t-s: swap byte pairs of the media data (from AB to BA)\n" "\t (use this for big to little endian conversion and vice versa)\n" ); if( result == 1 ) { fprintf( stream, "\t-S: specify the segment file size in bytes (default is %" PRIs_LIBCSTRING_SYSTEM ")\n" "\t (minimum is %" PRIs_LIBCSTRING_SYSTEM ", maximum is %" PRIs_LIBCSTRING_SYSTEM " for encase6 and\n" "\t encase7 format and %" PRIs_LIBCSTRING_SYSTEM " for other formats)\n", default_segment_file_size_string, minimum_segment_file_size_string, maximum_64bit_segment_file_size_string, maximum_32bit_segment_file_size_string ); } else { fprintf( stream, "\t-S: specify the segment file size in bytes (default is %" PRIu32 ")\n" "\t (minimum is %" PRIu32 ", maximum is %" PRIu64 " for encase6 and\n" "\t encase7 format and %" PRIu32 " for other formats)\n", (uint32_t) EWFCOMMON_DEFAULT_SEGMENT_FILE_SIZE, (uint32_t) EWFCOMMON_MINIMUM_SEGMENT_FILE_SIZE, (uint64_t) EWFCOMMON_MAXIMUM_SEGMENT_FILE_SIZE_64BIT, (uint32_t) EWFCOMMON_MAXIMUM_SEGMENT_FILE_SIZE_32BIT ); } fprintf( stream, "\t-t: specify the target file (without extension) to write to (default\n" "\t is image)\n" ); fprintf( stream, "\t-v: verbose output to stderr\n" ); fprintf( stream, "\t-V: print version\n" ); fprintf( stream, "\t-x: use the chunk data instead of the buffered read and write functions.\n" ); fprintf( stream, "\t-2: specify the secondary target file (without extension) to write to\n" ); }