TSK_IMG_INFO * ewf_open(int a_num_img, const TSK_TCHAR * const a_images[], unsigned int a_ssize) { #if defined( HAVE_LIBEWF_V2_API ) char error_string[TSK_EWF_ERROR_STRING_SIZE]; libewf_error_t *ewf_error = NULL; int result = 0; #elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif IMG_EWF_INFO *ewf_info = NULL; TSK_IMG_INFO *img_info = NULL; #if !defined( HAVE_LIBEWF_V2_API) if (tsk_verbose) libewf_set_notify_values(stderr, 1); #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; // See if they specified only the first of the set... ewf_info->used_ewf_glob = 0; if (a_num_img == 1) { #if defined( HAVE_LIBEWF_V2_API) #ifdef TSK_WIN32 if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images, &ewf_info->num_imgs, &ewf_error) == -1) { #else if (libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images, &ewf_info->num_imgs, &ewf_error) == -1) { #endif tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)", error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); return NULL; } #else //use v1 #ifdef TSK_WIN32 ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #else ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #endif if (ewf_info->num_imgs <= 0) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an E01 glob name"); tsk_img_free(ewf_info); return NULL; } #endif // end v1 ewf_info->used_ewf_glob = 1; if (tsk_verbose) tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs); } else { int i; ewf_info->num_imgs = a_num_img; if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL) { tsk_img_free(ewf_info); return NULL; } for (i = 0; i < a_num_img; i++) { if ((ewf_info->images[i] = (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) + 1) * sizeof(TSK_TCHAR))) == NULL) { tsk_img_free(ewf_info); return NULL; } TSTRNCPY(ewf_info->images[i], a_images[i], TSTRLEN(a_images[i]) + 1); } } #if defined( HAVE_LIBEWF_V2_API ) // Check the file signature before we call the library open #if defined( TSK_WIN32 ) if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1) #else if (libewf_check_file_signature(a_images[0], &ewf_error) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open: Not an EWF file (%s)", error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Not an EWF file\n"); } return (NULL); } if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error initializing handle (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Unable to create EWF handle\n"); } return (NULL); } #if defined( TSK_WIN32 ) if (libewf_handle_open_wide(ewf_info->handle, (wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1) #else if (libewf_handle_open(ewf_info->handle, (char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return (NULL); } if (libewf_handle_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size), &ewf_error) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle, (uint8_t *) ewf_info->md5hash, 33, &ewf_error); if (result == -1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting MD5 of image (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } ewf_info->md5hash_isset = result; #else // V1 API // Check the file signature before we call the library open #if defined( TSK_WIN32 ) if (libewf_check_file_signature_wide(a_images[0]) != 1) #else if (libewf_check_file_signature(a_images[0]) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an EWF file"); tsk_img_free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined( TSK_WIN32 ) ewf_info->handle = libewf_open_wide( (wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open( (char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening", ewf_info->images[0]); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return (NULL); } #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) // 2007 version img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); #else // libewf-20080322 version if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image", ewf_info->images[0]); tsk_img_free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator = 0; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) { ewf_info->md5hash[md5_string_iterator++] = '0' + (char) digit; } else { ewf_info->md5hash[md5_string_iterator++] = 'a' + (char) (digit - 10); } digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) { ewf_info->md5hash[md5_string_iterator++] = '0' + (char) digit; } else { ewf_info->md5hash[md5_string_iterator++] = 'a' + (char) (digit - 10); } } ewf_info->md5hash_isset = 1; } #endif /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */ #endif /* defined( HAVE_LIBEWF_V2_API ) */ if (a_ssize != 0) { img_info->sector_size = a_ssize; } else { img_info->sector_size = 512; } img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = &ewf_image_read; img_info->close = &ewf_image_close; img_info->imgstat = &ewf_image_imgstat; // initialize the read lock tsk_init_lock(&(ewf_info->read_lock)); return (img_info); }
TSK_IMG_INFO * ewf_open(int num_img, const TSK_TCHAR * const images[], unsigned int a_ssize) { IMG_EWF_INFO *ewf_info; TSK_IMG_INFO *img_info; #if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; /* check the magic before we call the library open */ //if (img_file_header_signature_ncmp(images[0], // "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) { #if defined (TSK_WIN32) if (libewf_check_file_signature_wide(images[0]) == 0) { #else if (libewf_check_file_signature(images[0]) == 0) { #endif tsk_error_reset(); tsk_errno = TSK_ERR_IMG_MAGIC; snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open: Not an EWF file"); free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined (TSK_WIN32) ewf_info->handle = libewf_open_wide((wchar_t * const *) images, num_img, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open((char *const *) images, num_img, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_errno = TSK_ERR_IMG_OPEN; snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open file: %" PRIttocTSK ": Error opening", images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return NULL; } // 2007 version #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); // libewf-20080322 version #else if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_errno = TSK_ERR_IMG_OPEN; snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open file: %" PRIttocTSK ": Error getting size of image", images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return NULL; } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); } ewf_info->md5hash_isset = 1; } #endif img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = ewf_image_read; img_info->close = ewf_image_close; img_info->imgstat = ewf_image_imgstat; return img_info; }
int ewf_open(const char *pathname, int flags, mode_t mode) { // XXX filename list should be dynamic. 1024 limit is ugly const char *filenames[1024]; char *ptr,*optr; char hash[1024]; size64_t media_size; uint32_t bytes_per_sector; uint32_t amount_of_sectors; uint32_t error_granularity; uint32_t amount_of_acquiry_errors; int8_t compression_level; int8_t media_type; int8_t media_flags; int8_t volume_type; uint8_t compress_empty_block; uint8_t format; int i; if (!memcmp(pathname, "els://", 6)) { FILE *fd = fopen(pathname+6, "r"); ut64 len; char *buf; if (fd == NULL) return -1; fseek(fd, 0, SEEK_END); len = ftell(fd); fseek(fd, 0, SEEK_SET); buf = (char *)malloc(len); fread(buf, len, 1, fd); ptr = strchr(buf, '\n'); for(i=0,optr = buf;ptr&&(ptr=strchr(ptr, '\n'));optr=ptr) { ptr[0] = '\0'; ptr = ptr + 1; filenames[i++] = optr; } filenames[i] = NULL; free(buf); fclose(fd); for(i=0;filenames[i];i++) printf("%02x: %s)\n", i, filenames[i]); } else { filenames[0] = pathname + 6; filenames[1] = NULL; } ewf_h = libewf_open(&filenames, 1, (((int)config_get("file.write"))==0)? LIBEWF_OPEN_READ_WRITE:LIBEWF_OPEN_READ); if (ewf_h == NULL) ewf_fd = -1; else { ewf_fd = EWF_FD; #if 0 if( ((libewf_internal_handle_t*)ewf_h)->header_values == NULL ) { fprintf( stream, "\tNo information found in file.\n" ); } else { libewf_get_header_value_examiner_name(ewf_h, hash, 128); eprintf("ExaminerName: %s\n", hash); libewf_get_header_value_case_number(ewf_h, hash, 128); eprintf("CaseNumber: %s\n", hash); #endif libewf_get_format(ewf_h, &format); eprintf("FormatVersion: %d\n", format); libewf_get_compression_values(ewf_h, &compression_level, &compress_empty_block); eprintf("CompressionLevel: %d\n", compression_level); libewf_get_error_granularity(ewf_h, &error_granularity); eprintf("ErrorGranurality: %d\n", error_granularity); libewf_get_amount_of_sectors(ewf_h, &amount_of_sectors); eprintf("AmountOfSectors: %d\n", amount_of_sectors); libewf_get_bytes_per_sector(ewf_h, &bytes_per_sector); eprintf("BytesPerSector: %d\n", bytes_per_sector); libewf_get_volume_type(ewf_h, &volume_type); eprintf("VolumeType: %d\n", volume_type); libewf_get_media_size(ewf_h, &media_size); eprintf("MediaSize: %lld\n", media_size); libewf_get_media_type(ewf_h, &media_type); eprintf("MediaType: %d\n", media_type); libewf_get_media_flags(ewf_h, &media_flags); eprintf("MediaFlags: %d\n", media_flags); libewf_get_md5_hash(ewf_h, hash, 128); eprintf("CalculatedHash: %s\n", hash); #if 0 } #endif } return ewf_fd; }
TSK_IMG_INFO * ewf_open(int a_num_img, const TSK_TCHAR * const a_images[], unsigned int a_ssize) { IMG_EWF_INFO *ewf_info; TSK_IMG_INFO *img_info; #if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; // See if they specified only the first of the set... if (a_num_img == 1) { #ifdef TSK_WIN32 ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #else ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #endif if (ewf_info->num_imgs <= 0) { free(ewf_info); return NULL; } if (tsk_verbose) tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs); } else { int i; ewf_info->num_imgs = a_num_img; if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL) { free(ewf_info); return NULL; } for (i = 0; i < a_num_img; i++) { if ((ewf_info->images[i] = (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) + 1) * sizeof(TSK_TCHAR))) == NULL) { free(ewf_info); return NULL; } TSTRNCPY(ewf_info->images[i], a_images[i], TSTRLEN(a_images[i]) + 1); } } /* check the magic before we call the library open */ //if (img_file_header_signature_ncmp(images[0], // "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) { #if defined (TSK_WIN32) if (libewf_check_file_signature_wide(ewf_info->images[0]) == 0) { #else if (libewf_check_file_signature(ewf_info->images[0]) == 0) { #endif tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an EWF file"); free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined (TSK_WIN32) ewf_info->handle = libewf_open_wide((wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open((char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening", ewf_info->images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return NULL; } // 2007 version #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); // libewf-20080322 version #else if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image", ewf_info->images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return NULL; } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); } ewf_info->md5hash_isset = 1; } #endif img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = ewf_image_read; img_info->close = ewf_image_close; img_info->imgstat = ewf_image_imgstat; return img_info; }