/* * EwfSize */ static int EwfSize(void *p_handle, uint64_t *p_size) { pts_EwfHandle p_ewf_handle=(pts_EwfHandle)p_handle; #ifdef HAVE_LIBEWF_V2_API if(libewf_handle_get_media_size(p_ewf_handle->h_ewf,p_size,NULL)!=1) { #else if(libewf_get_media_size(p_ewf_handle->h_ewf,p_size)!=1) { #endif return EWF_GET_SIZE_FAILED; } return EWF_OK; } /* * EwfRead */ static int EwfRead(void *p_handle, char *p_buf, off_t offset, size_t count, size_t *p_read, int *p_errno) { pts_EwfHandle p_ewf_handle=(pts_EwfHandle)p_handle; // TODO: Return value of libewf_handle_read_buffer is ssize_t with -1 on error size_t bytes_read; #ifdef HAVE_LIBEWF_V2_API if(libewf_handle_seek_offset(p_ewf_handle->h_ewf, offset, SEEK_SET, NULL)!=-1) #else if(libewf_seek_offset(p_ewf_handle->h_ewf,offset)!=-1) #endif { #ifdef HAVE_LIBEWF_V2_API bytes_read=libewf_handle_read_buffer(p_ewf_handle->h_ewf, p_buf, count, NULL); #else bytes_read=libewf_read_buffer(p_ewf_handle->h_ewf,p_buf,count); #endif if(bytes_read!=count) return EWF_READ_FAILED; } else { return EWF_SEEK_FAILED; } *p_read=bytes_read; return EWF_OK; }
static ut64 ewf__lseek(RIO *io, RIODesc *fd, ut64 offset, int whence) { if (RIOEWF_IS_VALID (fd)) { size64_t media_size; switch (whence) { case SEEK_SET: /* ignore */ break; case SEEK_CUR: offset += io->seek; break; case SEEK_END: libewf_get_media_size (RIOEWF_HANDLE (fd), &media_size); offset = media_size - offset; break; } libewf_seek_offset (RIOEWF_HANDLE (fd), offset); return offset; } return (ut64)-1; }
ut64 ewf_lseek(int fildes, ut64 offset, int whence) { size64_t media_size; if (fildes == ewf_fd) { switch(whence) { case SEEK_SET: /* ignore */ break; case SEEK_CUR: offset += config.seek; break; case SEEK_END: libewf_get_media_size(ewf_h, &media_size); offset = media_size - offset; break; } libewf_seek_offset(ewf_h, offset); return offset; } return lseek(fildes, offset, whence); }
TSK_IMG_INFO * ewf_open(int a_num_img, const TSK_TCHAR * const a_images[], unsigned int a_ssize) { #if defined( HAVE_LIBEWF_V2_API ) char error_string[TSK_EWF_ERROR_STRING_SIZE]; libewf_error_t *ewf_error = NULL; int result = 0; #elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif IMG_EWF_INFO *ewf_info = NULL; TSK_IMG_INFO *img_info = NULL; #if !defined( HAVE_LIBEWF_V2_API) if (tsk_verbose) libewf_set_notify_values(stderr, 1); #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; // See if they specified only the first of the set... ewf_info->used_ewf_glob = 0; if (a_num_img == 1) { #if defined( HAVE_LIBEWF_V2_API) #ifdef TSK_WIN32 if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images, &ewf_info->num_imgs, &ewf_error) == -1) { #else if (libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images, &ewf_info->num_imgs, &ewf_error) == -1) { #endif tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)", error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); return NULL; } #else //use v1 #ifdef TSK_WIN32 ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #else ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #endif if (ewf_info->num_imgs <= 0) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an E01 glob name"); tsk_img_free(ewf_info); return NULL; } #endif // end v1 ewf_info->used_ewf_glob = 1; if (tsk_verbose) tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs); } else { int i; ewf_info->num_imgs = a_num_img; if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL) { tsk_img_free(ewf_info); return NULL; } for (i = 0; i < a_num_img; i++) { if ((ewf_info->images[i] = (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) + 1) * sizeof(TSK_TCHAR))) == NULL) { tsk_img_free(ewf_info); return NULL; } TSTRNCPY(ewf_info->images[i], a_images[i], TSTRLEN(a_images[i]) + 1); } } #if defined( HAVE_LIBEWF_V2_API ) // Check the file signature before we call the library open #if defined( TSK_WIN32 ) if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1) #else if (libewf_check_file_signature(a_images[0], &ewf_error) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open: Not an EWF file (%s)", error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Not an EWF file\n"); } return (NULL); } if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error initializing handle (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Unable to create EWF handle\n"); } return (NULL); } #if defined( TSK_WIN32 ) if (libewf_handle_open_wide(ewf_info->handle, (wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1) #else if (libewf_handle_open(ewf_info->handle, (char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return (NULL); } if (libewf_handle_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size), &ewf_error) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle, (uint8_t *) ewf_info->md5hash, 33, &ewf_error); if (result == -1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting MD5 of image (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } ewf_info->md5hash_isset = result; #else // V1 API // Check the file signature before we call the library open #if defined( TSK_WIN32 ) if (libewf_check_file_signature_wide(a_images[0]) != 1) #else if (libewf_check_file_signature(a_images[0]) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an EWF file"); tsk_img_free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined( TSK_WIN32 ) ewf_info->handle = libewf_open_wide( (wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open( (char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening", ewf_info->images[0]); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return (NULL); } #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) // 2007 version img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); #else // libewf-20080322 version if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image", ewf_info->images[0]); tsk_img_free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator = 0; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) { ewf_info->md5hash[md5_string_iterator++] = '0' + (char) digit; } else { ewf_info->md5hash[md5_string_iterator++] = 'a' + (char) (digit - 10); } digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) { ewf_info->md5hash[md5_string_iterator++] = '0' + (char) digit; } else { ewf_info->md5hash[md5_string_iterator++] = 'a' + (char) (digit - 10); } } ewf_info->md5hash_isset = 1; } #endif /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */ #endif /* defined( HAVE_LIBEWF_V2_API ) */ if (a_ssize != 0) { img_info->sector_size = a_ssize; } else { img_info->sector_size = 512; } img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = &ewf_image_read; img_info->close = &ewf_image_close; img_info->imgstat = &ewf_image_imgstat; // initialize the read lock tsk_init_lock(&(ewf_info->read_lock)); return (img_info); }
disk_t *fewf_init(const char *device, const int mode) { unsigned int num_files=0; char **filenames= NULL; disk_t *disk=NULL; struct info_fewf_struct *data; #if !defined( HAVE_LIBEWF_V2_API ) && defined( HAVE_GLOB_H ) glob_t globbuf; #endif data=(struct info_fewf_struct *)MALLOC(sizeof(struct info_fewf_struct)); memset(data, 0, sizeof(struct info_fewf_struct)); data->file_name = strdup(device); data->handle=NULL; data->mode = mode; #ifdef DEBUG_EWF #if defined( HAVE_LIBEWF_V2_API ) libewf_notify_set_stream( stderr, NULL ); libewf_notify_set_verbose( 1 ); #else libewf_set_notify_values( stderr, 1 ); #endif #endif #if defined( HAVE_LIBEWF_V2_API ) if( libewf_glob( data->file_name, strlen(data->file_name), LIBEWF_FORMAT_UNKNOWN, &filenames, (int *)&num_files, NULL ) != 1 ) { log_error("libewf_glob failed\n"); free(data); return NULL; } #elif defined( HAVE_GLOB_H ) { globbuf.gl_offs = 0; glob(data->file_name, GLOB_DOOFFS, NULL, &globbuf); if(globbuf.gl_pathc>0) { filenames=(char **)MALLOC(globbuf.gl_pathc * sizeof(*filenames)); for (num_files=0; num_files<globbuf.gl_pathc; num_files++) { filenames[num_files]=globbuf.gl_pathv[num_files]; } } } if(filenames==NULL) { globfree(&globbuf); free(data); return NULL; } #else { filenames=(char **)MALLOC(1*sizeof(*filenames)); filenames[num_files] = data->file_name; num_files++; } #endif if((mode&TESTDISK_O_RDWR)==TESTDISK_O_RDWR) { #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_initialize( &( data->handle ), NULL ) != 1 ) { log_error("libewf_handle_initialize failed\n"); libewf_glob_free( filenames, num_files, NULL ); free(data); return NULL; } if( libewf_handle_open( data->handle, filenames, num_files, LIBEWF_OPEN_READ_WRITE, NULL ) != 1 ) { log_error("libewf_handle_open(%s) failed\n", device); } #else data->handle=libewf_open(filenames, num_files, LIBEWF_OPEN_READ_WRITE); if(data->handle==NULL) { log_error("libewf_open(%s) failed\n", device); } #endif /* defined( HAVE_LIBEWF_V2_API ) */ } if(data->handle==NULL) { data->mode&=~TESTDISK_O_RDWR; #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_initialize( &( data->handle ), NULL ) != 1 ) { log_error("libewf_handle_initialize failed\n"); libewf_glob_free( filenames, num_files, NULL ); free(data); return NULL; } if( libewf_handle_open( data->handle, filenames, num_files, LIBEWF_OPEN_READ, NULL ) != 1 ) { log_error("libewf_handle_open(%s) failed\n", device); libewf_handle_free( &( data->handle ), NULL ); libewf_glob_free( filenames, num_files, NULL ); free(data); return NULL; } #else data->handle=libewf_open(filenames, num_files, LIBEWF_OPEN_READ); if(data->handle==NULL) { log_error("libewf_open(%s) failed\n", device); #if defined( HAVE_GLOB_H ) globfree(&globbuf); #endif free(filenames); free(data); return NULL; } #endif /* defined( HAVE_LIBEWF_V2_API ) */ } #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_set_header_values_date_format( data->handle, LIBEWF_DATE_FORMAT_DAYMONTH, NULL ) != 1 ) { log_error("%s Unable to set header values date format\n", device); } #else if( libewf_parse_header_values( data->handle, LIBEWF_DATE_FORMAT_DAYMONTH) != 1 ) { log_error("%s Unable to parse EWF header values\n", device); } #endif disk=(disk_t *)MALLOC(sizeof(*disk)); init_disk(disk); disk->arch=&arch_none; disk->device=strdup(device); disk->data=data; disk->description=fewf_description; disk->description_short=fewf_description_short; disk->pread_fast=fewf_pread_fast; disk->pread=fewf_pread; disk->pwrite=(data->mode&TESTDISK_O_RDWR?fewf_pwrite:fewf_nopwrite); disk->sync=fewf_sync; disk->access_mode=(data->mode&TESTDISK_O_RDWR); disk->clean=fewf_clean; #if defined( HAVE_LIBEWF_V2_API ) || defined( LIBEWF_GET_BYTES_PER_SECTOR_HAVE_TWO_ARGUMENTS ) { uint32_t bytes_per_sector = 0; #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_get_bytes_per_sector( data->handle, &bytes_per_sector, NULL ) != 1 ) #else if( libewf_get_bytes_per_sector(data->handle, &bytes_per_sector)<0) #endif { disk->sector_size=DEFAULT_SECTOR_SIZE; } else { disk->sector_size=bytes_per_sector; } } #else disk->sector_size=libewf_get_bytes_per_sector(data->handle); #endif // printf("libewf_get_bytes_per_sector %u\n",disk->sector_size); if(disk->sector_size==0) disk->sector_size=DEFAULT_SECTOR_SIZE; /* Set geometry */ disk->geom.cylinders=0; disk->geom.heads_per_cylinder=1; disk->geom.sectors_per_head=1; disk->geom.bytes_per_sector=disk->sector_size; /* Get disk_real_size */ #if defined( HAVE_LIBEWF_V2_API ) || defined( LIBEWF_GET_MEDIA_SIZE_HAVE_TWO_ARGUMENTS ) { size64_t media_size = 0; #if defined( HAVE_LIBEWF_V2_API ) if( libewf_handle_get_media_size( data->handle, &media_size, NULL ) != 1 ) #else if(libewf_get_media_size(data->handle, &media_size)<0) #endif { disk->disk_real_size=0; } else { disk->disk_real_size=media_size; } } #else disk->disk_real_size=libewf_get_media_size(data->handle); #endif update_disk_car_fields(disk); #if defined( HAVE_LIBEWF_V2_API ) libewf_glob_free( filenames, num_files, NULL ); #else #if defined( HAVE_GLOB_H ) globfree(&globbuf); #endif free(filenames); #endif return disk; }
int main( int argc, char * const argv[] ) #endif { #ifndef HAVE_GLOB_H EWFGLOB *glob = NULL; int32_t glob_count = 0; #endif LIBEWF_HANDLE *handle = NULL; uint8_t *buffer = NULL; INT_T option = 0; int64_t count = 0; uint64_t size = 0; uint64_t alter_offset = 0; uint64_t alter_size = 0; uint8_t swap_byte_pairs = 0; uint8_t verbose = 0; ewfsignal_initialize(); fprintf( stderr, "ewfalter is for expirimental usage only.\n" ); ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfalter" ) ); while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "hsqvV" ) ) ) != (INT_T) -1 ) { switch( option ) { case (INT_T) '?': default: fprintf( stderr, "Invalid argument: %" PRIs ".\n", argv[ optind ] ); usage(); return( EXIT_FAILURE ); case (INT_T) 'h': usage(); return( EXIT_SUCCESS ); case (INT_T) 's': swap_byte_pairs = 1; break; case (INT_T) 'q': break; case (INT_T) 'v': verbose = 1; break; case (INT_T) 'V': ewfcommon_copyright_fprint( stderr ); return( EXIT_SUCCESS ); } } if( optind == argc ) { fprintf( stderr, "Missing EWF image file(s).\n" ); usage(); return( EXIT_FAILURE ); } libewf_set_notify_values( stderr, verbose ); #ifndef HAVE_GLOB_H glob = ewfglob_alloc(); if( glob == NULL ) { fprintf( stderr, "Unable to create glob.\n" ); return( EXIT_FAILURE ); } glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) ); if( glob_count <= 0 ) { fprintf( stderr, "Unable to resolve glob.\n" ); ewfglob_free( glob ); return( EXIT_FAILURE ); } handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ_WRITE ); ewfglob_free( glob ); #else handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ_WRITE ); #endif if( handle == NULL ) { fprintf( stderr, "Unable to open EWF image file(s).\n" ); return( EXIT_FAILURE ); } if( libewf_set_swap_byte_pairs( handle, swap_byte_pairs ) != 1 ) { fprintf( stderr, "Unable to set swap byte pairs in handle.\n" ); return( EXIT_FAILURE ); } size = libewf_get_media_size( handle ); if( size == 0 ) { fprintf( stderr, "Error altering data from EWF file(s) - media size is 0.\n" ); return( EXIT_FAILURE ); } /* Request the necessary case data */ fprintf( stderr, "Information for alter required, please provide the necessary input\n" ); alter_offset = ewfcommon_get_user_input_size_variable( stderr, _S_LIBEWF_CHAR( "Start altering at offset" ), 0, size, 0 ); alter_size = ewfcommon_get_user_input_size_variable( stderr, _S_LIBEWF_CHAR( "Amount of bytes to alter" ), 0, size, size ); buffer = libewf_common_alloc( alter_size * sizeof( uint8_t ) ); if( buffer == NULL ) { fprintf( stderr, "Unable to allocate buffer.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } if( libewf_common_memset( buffer, 'X', alter_size ) == NULL ) { fprintf( stderr, "Unable to set buffer.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } count = libewf_write_random( handle, buffer, alter_size, alter_offset ); if( count <= -1 ) { fprintf( stderr, "Alteration failed.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); } return( EXIT_FAILURE ); } fprintf( stderr, "Alteration completed.\n" ); if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); return( EXIT_FAILURE ); } return( EXIT_SUCCESS ); }
int ewf_open(const char *pathname, int flags, mode_t mode) { // XXX filename list should be dynamic. 1024 limit is ugly const char *filenames[1024]; char *ptr,*optr; char hash[1024]; size64_t media_size; uint32_t bytes_per_sector; uint32_t amount_of_sectors; uint32_t error_granularity; uint32_t amount_of_acquiry_errors; int8_t compression_level; int8_t media_type; int8_t media_flags; int8_t volume_type; uint8_t compress_empty_block; uint8_t format; int i; if (!memcmp(pathname, "els://", 6)) { FILE *fd = fopen(pathname+6, "r"); ut64 len; char *buf; if (fd == NULL) return -1; fseek(fd, 0, SEEK_END); len = ftell(fd); fseek(fd, 0, SEEK_SET); buf = (char *)malloc(len); fread(buf, len, 1, fd); ptr = strchr(buf, '\n'); for(i=0,optr = buf;ptr&&(ptr=strchr(ptr, '\n'));optr=ptr) { ptr[0] = '\0'; ptr = ptr + 1; filenames[i++] = optr; } filenames[i] = NULL; free(buf); fclose(fd); for(i=0;filenames[i];i++) printf("%02x: %s)\n", i, filenames[i]); } else { filenames[0] = pathname + 6; filenames[1] = NULL; } ewf_h = libewf_open(&filenames, 1, (((int)config_get("file.write"))==0)? LIBEWF_OPEN_READ_WRITE:LIBEWF_OPEN_READ); if (ewf_h == NULL) ewf_fd = -1; else { ewf_fd = EWF_FD; #if 0 if( ((libewf_internal_handle_t*)ewf_h)->header_values == NULL ) { fprintf( stream, "\tNo information found in file.\n" ); } else { libewf_get_header_value_examiner_name(ewf_h, hash, 128); eprintf("ExaminerName: %s\n", hash); libewf_get_header_value_case_number(ewf_h, hash, 128); eprintf("CaseNumber: %s\n", hash); #endif libewf_get_format(ewf_h, &format); eprintf("FormatVersion: %d\n", format); libewf_get_compression_values(ewf_h, &compression_level, &compress_empty_block); eprintf("CompressionLevel: %d\n", compression_level); libewf_get_error_granularity(ewf_h, &error_granularity); eprintf("ErrorGranurality: %d\n", error_granularity); libewf_get_amount_of_sectors(ewf_h, &amount_of_sectors); eprintf("AmountOfSectors: %d\n", amount_of_sectors); libewf_get_bytes_per_sector(ewf_h, &bytes_per_sector); eprintf("BytesPerSector: %d\n", bytes_per_sector); libewf_get_volume_type(ewf_h, &volume_type); eprintf("VolumeType: %d\n", volume_type); libewf_get_media_size(ewf_h, &media_size); eprintf("MediaSize: %lld\n", media_size); libewf_get_media_type(ewf_h, &media_type); eprintf("MediaType: %d\n", media_type); libewf_get_media_flags(ewf_h, &media_flags); eprintf("MediaFlags: %d\n", media_flags); libewf_get_md5_hash(ewf_h, hash, 128); eprintf("CalculatedHash: %s\n", hash); #if 0 } #endif } return ewf_fd; }
TSK_IMG_INFO * ewf_open(int num_img, const TSK_TCHAR * const images[], unsigned int a_ssize) { IMG_EWF_INFO *ewf_info; TSK_IMG_INFO *img_info; #if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; /* check the magic before we call the library open */ //if (img_file_header_signature_ncmp(images[0], // "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) { #if defined (TSK_WIN32) if (libewf_check_file_signature_wide(images[0]) == 0) { #else if (libewf_check_file_signature(images[0]) == 0) { #endif tsk_error_reset(); tsk_errno = TSK_ERR_IMG_MAGIC; snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open: Not an EWF file"); free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined (TSK_WIN32) ewf_info->handle = libewf_open_wide((wchar_t * const *) images, num_img, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open((char *const *) images, num_img, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_errno = TSK_ERR_IMG_OPEN; snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open file: %" PRIttocTSK ": Error opening", images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return NULL; } // 2007 version #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); // libewf-20080322 version #else if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_errno = TSK_ERR_IMG_OPEN; snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open file: %" PRIttocTSK ": Error getting size of image", images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return NULL; } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); } ewf_info->md5hash_isset = 1; } #endif img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = ewf_image_read; img_info->close = ewf_image_close; img_info->imgstat = ewf_image_imgstat; return img_info; }
int main( int argc, char * const argv[] ) #endif { uint8_t guid[ 16 ]; #ifndef HAVE_GLOB_H EWFGLOB *glob = NULL; int32_t glob_count = 0; #endif LIBEWF_HANDLE *handle = NULL; INT_T option = 0; int8_t format = 0; int8_t compression_level = 0; int8_t media_type = 0; int8_t media_flags = 0; int8_t volume_type = 0; uint8_t verbose = 0; uint8_t date_format = LIBEWF_DATE_FORMAT_DAYMONTH; char info_option = 'a'; ewfsignal_initialize(); ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfinfo" ) ); while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "d:himvV" ) ) ) != (INT_T) -1 ) { switch( option ) { case (INT_T) '?': default: fprintf( stderr, "Invalid argument: %" PRIs "\n", argv[ optind ] ); usage(); return( EXIT_FAILURE ); case (INT_T) 'd': if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "md" ), 3 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_MONTHDAY; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "iso8601" ), 8 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_ISO8601; } else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "dm" ), 3 ) != 0 ) { fprintf( stderr, "Unsupported date format: %" PRIs " using default day/month.\n", optarg ); } break; case (INT_T) 'e': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option ); usage(); return( EXIT_FAILURE ); } info_option = 'e'; break; case (INT_T) 'h': usage(); return( EXIT_SUCCESS ); case (INT_T) 'i': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option ); usage(); return( EXIT_FAILURE ); } info_option = 'i'; break; case (INT_T) 'm': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option ); usage(); return( EXIT_FAILURE ); } info_option = 'm'; break; case (INT_T) 'v': verbose = 1; break; case (INT_T) 'V': ewfcommon_copyright_fprint( stderr ); return( EXIT_SUCCESS ); } } if( optind == argc ) { fprintf( stderr, "Missing EWF image file(s).\n" ); usage(); return( EXIT_FAILURE ); } libewf_set_notify_values( stderr, verbose ); #ifndef HAVE_GLOB_H glob = ewfglob_alloc(); if( glob == NULL ) { fprintf( stderr, "Unable to create glob.\n" ); return( EXIT_FAILURE ); } glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) ); if( glob_count <= 0 ) { fprintf( stderr, "Unable to resolve glob.\n" ); ewfglob_free( glob ); return( EXIT_FAILURE ); } handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ ); ewfglob_free( glob ); #else handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ ); #endif if( handle == NULL ) { fprintf( stderr, "Unable to open EWF image file(s).\n" ); return( EXIT_FAILURE ); } if( libewf_parse_header_values( handle, date_format ) != 1 ) { fprintf( stderr, "Unable to parse header values.\n" ); } format = libewf_get_format( handle ); if( verbose == 1 ) { fprintf( stdout, "File format:\t\t\t" ); switch( format ) { case LIBEWF_FORMAT_EWF: fprintf( stdout, "original EWF" ); break; case LIBEWF_FORMAT_SMART: fprintf( stdout, "SMART" ); break; case LIBEWF_FORMAT_FTK: fprintf( stdout, "FTK Imager" ); break; case LIBEWF_FORMAT_ENCASE1: fprintf( stdout, "EnCase 1" ); break; case LIBEWF_FORMAT_ENCASE2: fprintf( stdout, "EnCase 2" ); break; case LIBEWF_FORMAT_ENCASE3: fprintf( stdout, "EnCase 3" ); break; case LIBEWF_FORMAT_ENCASE4: fprintf( stdout, "EnCase 4" ); break; case LIBEWF_FORMAT_ENCASE5: fprintf( stdout, "EnCase 5" ); break; case LIBEWF_FORMAT_ENCASE6: fprintf( stdout, "EnCase 6" ); break; case LIBEWF_FORMAT_LINEN5: fprintf( stdout, "linen 5" ); break; case LIBEWF_FORMAT_LINEN6: fprintf( stdout, "linen 6" ); break; case LIBEWF_FORMAT_EWFX: fprintf( stdout, "extended EWF (libewf)" ); break; case LIBEWF_FORMAT_UNKNOWN: default: fprintf( stdout, "unknown" ); break; } fprintf( stdout, "\n\n" ); } if( ( info_option == 'a' ) || ( info_option == 'i' ) ) { fprintf( stdout, "Acquiry information\n" ); ewfcommon_header_values_fprint( stdout, handle ); fprintf( stdout, "\n" ); } if( ( info_option == 'a' ) || ( info_option == 'm' ) ) { fprintf( stdout, "Media information\n" ); if( ( format != LIBEWF_FORMAT_EWF ) && ( format != LIBEWF_FORMAT_SMART ) ) { media_type = libewf_get_media_type( handle ); media_flags = libewf_get_media_flags( handle ); volume_type = libewf_get_volume_type( handle ); if( media_type == LIBEWF_MEDIA_TYPE_REMOVABLE ) { fprintf( stdout, "\tMedia type:\t\tremovable disk\n" ); } else if( media_type == LIBEWF_MEDIA_TYPE_FIXED ) { fprintf( stdout, "\tMedia type:\t\tfixed disk\n" ); } else { fprintf( stdout, "\tMedia type:\t\tunknown (0x%" PRIx8 ")\n", media_type ); } if( verbose == 1 ) { fprintf( stdout, "\tMedia flags:\t\t0x%" PRIx8 "\n", media_flags ); } if( volume_type == LIBEWF_VOLUME_TYPE_LOGICAL ) { fprintf( stdout, "\tMedia is physical:\tno\n" ); } else if( volume_type == LIBEWF_VOLUME_TYPE_PHYSICAL ) { fprintf( stdout, "\tMedia is physical:\tyes\n" ); } else { fprintf( stdout, "\tVolume type:\t\tunknown (0x%" PRIx8 ")\n", volume_type ); } } fprintf( stdout, "\tAmount of sectors:\t%" PRIu32 "\n", libewf_get_amount_of_sectors( handle ) ); fprintf( stdout, "\tBytes per sector:\t%" PRIu32 "\n", libewf_get_bytes_per_sector( handle ) ); fprintf( stdout, "\tMedia size:\t\t%" PRIu64 "\n", libewf_get_media_size( handle ) ); if( ( format == LIBEWF_FORMAT_ENCASE5 ) || ( format == LIBEWF_FORMAT_ENCASE6 ) || ( format == LIBEWF_FORMAT_LINEN5 ) || ( format == LIBEWF_FORMAT_LINEN6 ) || ( format == LIBEWF_FORMAT_EWFX ) ) { fprintf( stdout, "\tError granularity:\t%" PRIu32 "\n", libewf_get_error_granularity( handle ) ); compression_level = libewf_get_compression_level( handle ); if( compression_level == LIBEWF_COMPRESSION_NONE ) { fprintf( stdout, "\tCompression type:\tno compression\n" ); } else if( compression_level == LIBEWF_COMPRESSION_FAST ) { fprintf( stdout, "\tCompression type:\tgood (fast) compression\n" ); } else if( compression_level == LIBEWF_COMPRESSION_BEST ) { fprintf( stdout, "\tCompression type:\tbest compression\n" ); } else { fprintf( stdout, "\tCompression type:\tunknown compression\n" ); } if( libewf_get_guid( handle, guid, 16 ) == 1 ) { fprintf( stdout, "\tGUID:\t\t\t%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "\n", guid[ 0 ], guid[ 1 ], guid[ 2 ], guid[ 3 ], guid[ 4 ], guid[ 5 ], guid[ 6 ], guid[ 7 ], guid[ 8 ], guid[ 9 ], guid[ 10 ], guid[ 11 ], guid[ 12 ], guid[ 13 ], guid[ 14 ], guid[ 15 ] ); } } ewfcommon_hash_values_fprint( stdout, handle ); fprintf( stdout, "\n" ); } if( ( info_option == 'a' ) || ( info_option == 'e' ) ) { ewfcommon_acquiry_errors_fprint( stdout, handle ); } if( libewf_close( handle ) != 0 ) { fprintf( stdout, "Unable to close EWF file handle.\n" ); return( EXIT_FAILURE ); } return( EXIT_SUCCESS ); }
int main( int argc, char * const argv[] ) #endif { character_t media_size_string[ 16 ]; uint8_t guid[ 16 ]; character_t *program = _CHARACTER_T_STRING( "ewfinfo" ); #if !defined( HAVE_GLOB_H ) ewfglob_t *glob = NULL; int32_t glob_count = 0; #endif #if defined( HAVE_STRERROR_R ) || defined( HAVE_STRERROR ) system_character_t *error_string = NULL; #endif char *file_format_string = NULL; system_integer_t option = 0; size64_t media_size = 0; uint32_t bytes_per_sector = 0; uint32_t amount_of_sectors = 0; uint32_t error_granularity = 0; uint32_t amount_of_acquiry_errors = 0; uint32_t amount_of_sessions = 0; int8_t compression_level = 0; int8_t media_type = 0; int8_t media_flags = 0; int8_t volume_type = 0; uint8_t compress_empty_block = 0; uint8_t format = 0; uint8_t verbose = 0; uint8_t date_format = LIBEWF_DATE_FORMAT_CTIME; char info_option = 'a'; int result = 0; /* ewfoutput_version_fprint( stdout, program ); */ while( ( option = ewfgetopt( argc, argv, _SYSTEM_CHARACTER_T_STRING( "d:ehimvcV" ) ) ) != (system_integer_t) -1 ) { switch( option ) { case (system_integer_t) '?': default: fprintf( stderr, "Invalid argument: %" PRIs_SYSTEM "\n", argv[ optind ] ); usage_fprint( stdout ); return( EXIT_FAILURE ); case (system_integer_t) 'd': if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "dm" ), 3 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_DAYMONTH; } else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "md" ), 3 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_MONTHDAY; } else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "iso8601" ), 8 ) == 0 ) { date_format = LIBEWF_DATE_FORMAT_ISO8601; } else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "ctime" ), 3 ) != 0 ) { fprintf( stderr, "Unsupported date format: %" PRIs_SYSTEM " using default ctime.\n", optarg ); } break; case (system_integer_t) 'e': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option ); usage_fprint( stdout ); return( EXIT_FAILURE ); } info_option = 'e'; break; case (system_integer_t) 'h': usage_fprint( stdout ); return( EXIT_SUCCESS ); case (system_integer_t) 'i': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option ); usage_fprint( stdout ); return( EXIT_FAILURE ); } info_option = 'i'; break; case (system_integer_t) 'c': info_option = 'c'; break; case (system_integer_t) 'm': if( info_option != 'a' ) { fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option ); usage_fprint( stdout ); return( EXIT_FAILURE ); } info_option = 'm'; break; case (system_integer_t) 'v': verbose = 1; break; case (system_integer_t) 'V': ewfoutput_copyright_fprint( stdout ); return( EXIT_SUCCESS ); } } if( optind == argc ) { fprintf( stderr, "Missing EWF image file(s).\n" ); usage_fprint( stdout ); return( EXIT_FAILURE ); } libewf_set_notify_values( stderr, verbose ); if( ewfsignal_attach( ewfcommon_signal_handler ) != 1 ) { fprintf( stderr, "Unable to attach signal handler.\n" ); } #if 0 && !defined( HAVE_GLOB_H ) glob = ewfglob_alloc(); if( glob == NULL ) { fprintf( stderr, "Unable to create glob.\n" ); return( EXIT_FAILURE ); } glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) ); if( glob_count <= 0 ) { fprintf( stderr, "Unable to resolve glob.\n" ); ewfglob_free( glob ); return( EXIT_FAILURE ); } ewfcommon_libewf_handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ ); ewfglob_free( glob ); #else ewfcommon_libewf_handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ ); #endif if( ( ewfcommon_abort == 0 ) && ( ewfcommon_libewf_handle == NULL ) ) { #if defined( HAVE_STRERROR_R ) || defined( HAVE_STRERROR ) if( errno != 0 ) { error_string = ewfcommon_strerror( errno ); } if( error_string != NULL ) { fprintf( stderr, "Unable to open EWF file(s) with failure: %" PRIs_SYSTEM ".\n", error_string ); memory_free( error_string ); } else { fprintf( stderr, "Unable to open EWF file(s).\n" ); } #else fprintf( stderr, "Unable to open EWF file(s).\n" ); #endif return( EXIT_FAILURE ); } if( ( ewfcommon_abort == 0 ) && ( libewf_parse_header_values( ewfcommon_libewf_handle, date_format ) != 1 ) ) { fprintf( stderr, "Unable to parse header values.\n" ); } if( ( ewfcommon_abort == 0 ) && ( libewf_get_format( ewfcommon_libewf_handle, &format ) != 1 ) ) { fprintf( stderr, "Unable to determine format.\n" ); } else if( verbose == 1 ) { switch( format ) { case LIBEWF_FORMAT_EWF: file_format_string = "original EWF"; break; case LIBEWF_FORMAT_SMART: file_format_string = "SMART"; break; case LIBEWF_FORMAT_FTK: file_format_string = "FTK Imager"; break; case LIBEWF_FORMAT_ENCASE1: file_format_string = "EnCase 1"; break; case LIBEWF_FORMAT_ENCASE2: file_format_string = "EnCase 2"; break; case LIBEWF_FORMAT_ENCASE3: file_format_string = "EnCase 3"; break; case LIBEWF_FORMAT_ENCASE4: file_format_string = "EnCase 4"; break; case LIBEWF_FORMAT_ENCASE5: file_format_string = "EnCase 5"; break; case LIBEWF_FORMAT_ENCASE6: file_format_string = "EnCase 6"; break; case LIBEWF_FORMAT_LINEN5: file_format_string = "linen 5"; break; case LIBEWF_FORMAT_LINEN6: file_format_string = "linen 6"; break; case LIBEWF_FORMAT_EWFX: file_format_string = "extended EWF (libewf)"; break; case LIBEWF_FORMAT_UNKNOWN: default: file_format_string = "unknown"; break; } fprintf( stdout, "File format:\t\t\t%s\n\n", file_format_string ); } if( ( ewfcommon_abort == 0 ) && ( ( info_option == 'a' ) || ( info_option == 'i' ) ) ) { fprintf( stdout, "Acquiry information\n" ); ewfoutput_header_values_fprint( stdout, ewfcommon_libewf_handle ); fprintf( stdout, "\n" ); } if( ( ewfcommon_abort == 0 ) && ( ( info_option == 'a' ) || ( info_option == 'm' ) ) ) { fprintf( stdout, "Media information\n" ); if( ( format != LIBEWF_FORMAT_EWF ) && ( format != LIBEWF_FORMAT_SMART ) ) { if( libewf_get_media_type( ewfcommon_libewf_handle, &media_type ) != 1 ) { fprintf( stderr, "Unable to determine media type.\n" ); } else if( media_type == LIBEWF_MEDIA_TYPE_REMOVABLE ) { fprintf( stdout, "\tMedia type:\t\tremovable disk\n" ); } else if( media_type == LIBEWF_MEDIA_TYPE_FIXED ) { fprintf( stdout, "\tMedia type:\t\tfixed disk\n" ); } else if( media_type == LIBEWF_MEDIA_TYPE_CD ) { fprintf( stdout, "\tMedia type:\t\tCD/DVD\n" ); } else { fprintf( stdout, "\tMedia type:\t\tunknown (0x%" PRIx8 ")\n", media_type ); } if( libewf_get_media_flags( ewfcommon_libewf_handle, &media_flags ) != 1 ) { fprintf( stderr, "Unable to determine media flags.\n" ); } else if( verbose == 1 ) { fprintf( stdout, "\tMedia flags:\t\t0x%" PRIx8 "\n", media_flags ); } if( libewf_get_volume_type( ewfcommon_libewf_handle, &volume_type ) != 1 ) { fprintf( stderr, "Unable to determine volume type.\n" ); } else if( volume_type == LIBEWF_VOLUME_TYPE_LOGICAL ) { fprintf( stdout, "\tMedia is physical:\tno\n" ); } else if( volume_type == LIBEWF_VOLUME_TYPE_PHYSICAL ) { fprintf( stdout, "\tMedia is physical:\tyes\n" ); } else { fprintf( stdout, "\tVolume type:\t\tunknown (0x%" PRIx8 ")\n", volume_type ); } } if( libewf_get_amount_of_sectors( ewfcommon_libewf_handle, &amount_of_sectors ) == 1 ) { fprintf( stdout, "\tAmount of sectors:\t%" PRIu32 "\n", amount_of_sectors ); } else { fprintf( stderr, "Unable to determine amount of sectors.\n" ); } if( libewf_get_bytes_per_sector( ewfcommon_libewf_handle, &bytes_per_sector ) == 1 ) { fprintf( stdout, "\tBytes per sector:\t%" PRIu32 "\n", bytes_per_sector ); } else { fprintf( stderr, "Unable to determine bytes per sector.\n" ); } if( libewf_get_media_size( ewfcommon_libewf_handle, &media_size ) == 1 ) { result = ewfbyte_size_string_create( media_size_string, 16, media_size, EWFBYTE_SIZE_STRING_UNIT_MEBIBYTE ); if( result == 1 ) { fprintf( stdout, "\tMedia size:\t\t%" PRIs " (%" PRIu64 " bytes)\n", media_size_string, media_size ); } else { fprintf( stdout, "\tMedia size:\t\t%" PRIu64 " bytes\n", media_size ); } } else { fprintf( stderr, "Unable to determine media size.\n" ); } if( ( format == LIBEWF_FORMAT_ENCASE5 ) || ( format == LIBEWF_FORMAT_ENCASE6 ) || ( format == LIBEWF_FORMAT_LINEN5 ) || ( format == LIBEWF_FORMAT_LINEN6 ) || ( format == LIBEWF_FORMAT_EWFX ) ) { if( libewf_get_error_granularity( ewfcommon_libewf_handle, &error_granularity ) == 1 ) { fprintf( stdout, "\tError granularity:\t%" PRIu32 "\n", error_granularity ); } else { fprintf( stderr, "Unable to determine error granularity.\n" ); } if( libewf_get_compression_values( ewfcommon_libewf_handle, &compression_level, &compress_empty_block ) == 1 ) { if( compression_level == LIBEWF_COMPRESSION_NONE ) { fprintf( stdout, "\tCompression type:\tno compression\n" ); } else if( compression_level == LIBEWF_COMPRESSION_FAST ) { fprintf( stdout, "\tCompression type:\tgood (fast) compression\n" ); } else if( compression_level == LIBEWF_COMPRESSION_BEST ) { fprintf( stdout, "\tCompression type:\tbest compression\n" ); } else { fprintf( stdout, "\tCompression type:\tunknown compression\n" ); } } else { fprintf( stderr, "Unable to determine compression level.\n" ); } if( libewf_get_guid( ewfcommon_libewf_handle, guid, 16 ) == 1 ) { fprintf( stdout, "\tGUID:\t\t\t%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "\n", guid[ 0 ], guid[ 1 ], guid[ 2 ], guid[ 3 ], guid[ 4 ], guid[ 5 ], guid[ 6 ], guid[ 7 ], guid[ 8 ], guid[ 9 ], guid[ 10 ], guid[ 11 ], guid[ 12 ], guid[ 13 ], guid[ 14 ], guid[ 15 ] ); } } ewfoutput_hash_values_fprint( stdout, ewfcommon_libewf_handle ); fprintf( stdout, "\n" ); ewfoutput_sessions_fprint( stdout, ewfcommon_libewf_handle, &amount_of_sessions ); } if ( ( ewfcommon_abort == 0) && ( ( info_option =='c' ))) { libewf_internal_handle_t *handle = (libewf_internal_handle_t *)ewfcommon_libewf_handle; int i; struct libewf_chunk_offset *chunk = handle->offset_table->chunk_offset; // Print some attributes printf("size=%lld\n", handle->media_values->media_size); printf("chunk_size=%d\n", handle->media_values->chunk_size); printf("count=%d\n", handle->offset_table->amount); for(i=0; i<handle->offset_table->amount; i++) { printf("%d,%lld,%d,%d,%s\n", i, chunk[i].file_offset, chunk[i].size, chunk[i].compressed, chunk[i].segment_file_handle->filename); }; }; if( ( ewfcommon_abort == 0 ) && ( ( info_option == 'a' ) || ( info_option == 'e' ) ) ) { ewfoutput_acquiry_errors_fprint( stdout, ewfcommon_libewf_handle, &amount_of_acquiry_errors ); } if( ewfsignal_detach() != 1 ) { fprintf( stderr, "Unable to detach signal handler.\n" ); } if( ewfcommon_abort != 0 ) { fprintf( stdout, "%" PRIs ": ABORTED\n", program ); return( EXIT_FAILURE ); } if( libewf_close( ewfcommon_libewf_handle ) != 0 ) { fprintf( stderr, "Unable to close EWF file(s).\n" ); return( EXIT_FAILURE ); } return( EXIT_SUCCESS ); }
TSK_IMG_INFO * ewf_open(int a_num_img, const TSK_TCHAR * const a_images[], unsigned int a_ssize) { IMG_EWF_INFO *ewf_info; TSK_IMG_INFO *img_info; #if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; // See if they specified only the first of the set... if (a_num_img == 1) { #ifdef TSK_WIN32 ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #else ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #endif if (ewf_info->num_imgs <= 0) { free(ewf_info); return NULL; } if (tsk_verbose) tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs); } else { int i; ewf_info->num_imgs = a_num_img; if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL) { free(ewf_info); return NULL; } for (i = 0; i < a_num_img; i++) { if ((ewf_info->images[i] = (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) + 1) * sizeof(TSK_TCHAR))) == NULL) { free(ewf_info); return NULL; } TSTRNCPY(ewf_info->images[i], a_images[i], TSTRLEN(a_images[i]) + 1); } } /* check the magic before we call the library open */ //if (img_file_header_signature_ncmp(images[0], // "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) { #if defined (TSK_WIN32) if (libewf_check_file_signature_wide(ewf_info->images[0]) == 0) { #else if (libewf_check_file_signature(ewf_info->images[0]) == 0) { #endif tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an EWF file"); free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined (TSK_WIN32) ewf_info->handle = libewf_open_wide((wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open((char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening", ewf_info->images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return NULL; } // 2007 version #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); // libewf-20080322 version #else if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image", ewf_info->images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return NULL; } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); } ewf_info->md5hash_isset = 1; } #endif img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = ewf_image_read; img_info->close = ewf_image_close; img_info->imgstat = ewf_image_imgstat; return img_info; }