Пример #1
0
TSK_IMG_INFO *
qemu_image_open(void *opaque, unsigned int a_ssize)
{
    IMG_QEMU_INFO *qemu_info;
    TSK_IMG_INFO  *img_info;

    if ((qemu_info =
	    (IMG_QEMU_INFO *) tsk_img_malloc(sizeof(IMG_QEMU_INFO))) == NULL)
	return NULL;

    memset((void *) qemu_info, 0, sizeof(IMG_QEMU_INFO));

    img_info = (TSK_IMG_INFO *) qemu_info;

    //AVB, does this matter?
    img_info->itype = QEMU_IMG;

    img_info->read = qemu_read;
    img_info->close = __qemu_close;
    img_info->imgstat = qemu_imgstat;

    img_info->sector_size = 512;

    //AVB, This is BlockDriverState associated with the image
    qemu_info->opaque = (void*) opaque;
    
    // This does not matter here, as the size is reset again in DECAF
    // to the correct size, for proper functionality of the read function
    img_info->size = 17179869184; 
 
    return img_info;
}
Пример #2
0
TSK_IMG_INFO *
aff_open(const TSK_TCHAR * const images[], unsigned int a_ssize)
{
    IMG_AFF_INFO *aff_info;
    TSK_IMG_INFO *img_info;
    int type;
    char *image;

#ifdef TSK_WIN32
    // convert wchar_t* image path to char* to conform to
    // the AFFLIB API
    UTF16 *utf16 = (UTF16 *)images[0];
    size_t ilen = wcslen(utf16);
    size_t olen = ilen*4 + 1;
    UTF8 *utf8 = (UTF8 *) tsk_malloc(olen);

    image = (char *) utf8;
    if ( image == NULL )
        return NULL;
    TSKConversionResult retval =
    tsk_UTF16toUTF8_lclorder( (const UTF16 **) &utf16,
        &utf16[ilen], &utf8,
        &utf8[olen], TSKlenientConversion );
    *utf8 = '\0';
    if (retval != TSKconversionOK) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_FS_UNICODE);
        tsk_error_set_errstr("aff_open file: %" PRIttocTSK
            ": Error converting path to UTF-8 %d\n",
            images[0], retval);
        free(image);
        return NULL;
    }
    utf8 = (UTF8 *) image;
    while ( *utf8 ) {
        if ( *utf8 > 127 ) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_FS_UNICODE);
            tsk_error_set_errstr("aff_open file: %" PRIttocTSK
                ": Non-Latin paths are not supported for AFF images\n",
                images[0]);
            free(image);
            return NULL;
        }
        utf8++;
    }
#else
    image = (char *) tsk_malloc( strlen(images[0])+1 );
    if ( image == NULL )
        return NULL;
    strncpy(image, images[0], strlen(images[0])+1 );
#endif

    if ((aff_info =
            (IMG_AFF_INFO *) tsk_img_malloc(sizeof(IMG_AFF_INFO))) ==
        NULL) {
        free(image);
        return NULL;
    }

    img_info = (TSK_IMG_INFO *) aff_info;
    img_info->read = aff_read;
    img_info->close = aff_close;
    img_info->imgstat = aff_imgstat;

    img_info->sector_size = 512;
    if (a_ssize)
        img_info->sector_size = a_ssize;

    type = af_identify_file_type(image, 1);
    if ((type == AF_IDENTIFY_ERR) || (type == AF_IDENTIFY_NOEXIST)) {
        if (tsk_verbose) {
            tsk_fprintf(stderr,
                "aff_open: Error determining type of file: %" PRIttocTSK
                "\n", images[0]);
            perror("aff_open");
        }
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("aff_open file: %" PRIttocTSK
            ": Error checking type", images[0]);
        tsk_img_free(aff_info);
        free(image);
        return NULL;
    }
    else if (type == AF_IDENTIFY_AFF) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFF;
    }
    else if (type == AF_IDENTIFY_AFD) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFD;
    }
    else if (type == AF_IDENTIFY_AFM) {
        img_info->itype = TSK_IMG_TYPE_AFF_AFM;
    }
    else {
        img_info->itype = TSK_IMG_TYPE_AFF_ANY;
    }

    aff_info->af_file = af_open(image, O_RDONLY | O_BINARY, 0);
    if (!aff_info->af_file) {
        // @@@ Need to check here if the open failed because of an incorrect password. 
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("aff_open file: %" PRIttocTSK
            ": Error opening - %s", images[0], strerror(errno));
        tsk_img_free(aff_info);
        if (tsk_verbose) {
            tsk_fprintf(stderr, "Error opening AFF/AFD/AFM file\n");
            perror("aff_open");
        }
        free(image);
        return NULL;
    }
    // verify that a password was given and we can read encrypted data. 
    if (af_cannot_decrypt(aff_info->af_file)) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_PASSWD);
        tsk_error_set_errstr("aff_open file: %" PRIttocTSK, images[0]);
        tsk_img_free(aff_info);
        if (tsk_verbose) {
            tsk_fprintf(stderr,
                "Error opening AFF/AFD/AFM file (incorrect password)\n");
        }
        free(image);
        return NULL;
    }

    aff_info->type = type;

    img_info->size = af_imagesize(aff_info->af_file);

    af_seek(aff_info->af_file, 0, SEEK_SET);
    aff_info->seek_pos = 0;
    free(image);
    return img_info;
}
Пример #3
0
TSK_IMG_INFO *
ewf_open(int a_num_img,
    const TSK_TCHAR * const a_images[], unsigned int a_ssize)
{
#if defined( HAVE_LIBEWF_V2_API )
    char error_string[TSK_EWF_ERROR_STRING_SIZE];

    libewf_error_t *ewf_error = NULL;
    int result = 0;
#elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
    uint8_t md5_hash[16];
#endif

    IMG_EWF_INFO *ewf_info = NULL;
    TSK_IMG_INFO *img_info = NULL;

#if !defined( HAVE_LIBEWF_V2_API)
    if (tsk_verbose)
        libewf_set_notify_values(stderr, 1);
#endif

    if ((ewf_info =
            (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
        NULL) {
        return NULL;
    }
    img_info = (TSK_IMG_INFO *) ewf_info;

    // See if they specified only the first of the set...
    ewf_info->used_ewf_glob = 0;
    if (a_num_img == 1) {
#if defined( HAVE_LIBEWF_V2_API)
#ifdef TSK_WIN32
        if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
                LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
                &ewf_info->num_imgs, &ewf_error) == -1) {
#else
        if (libewf_glob(a_images[0], TSTRLEN(a_images[0]),
                LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
                &ewf_info->num_imgs, &ewf_error) == -1) {
#endif
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_IMG_MAGIC);

            getError(ewf_error, error_string);
            tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)",
                error_string);
            libewf_error_free(&ewf_error);
            tsk_img_free(ewf_info);
            return NULL;
        }

#else                           //use v1

#ifdef TSK_WIN32
        ewf_info->num_imgs =
            libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
            LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
        ewf_info->num_imgs =
            libewf_glob(a_images[0], TSTRLEN(a_images[0]),
            LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
        if (ewf_info->num_imgs <= 0) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
            tsk_error_set_errstr("ewf_open: Not an E01 glob name");

            tsk_img_free(ewf_info);
            return NULL;
        }
#endif                          // end v1

        ewf_info->used_ewf_glob = 1;
        if (tsk_verbose)
            tsk_fprintf(stderr,
                "ewf_open: found %d segment files via libewf_glob\n",
                ewf_info->num_imgs);
    }
    else {
        int i;
        ewf_info->num_imgs = a_num_img;
        if ((ewf_info->images =
                (TSK_TCHAR **) tsk_malloc(a_num_img *
                    sizeof(TSK_TCHAR *))) == NULL) {
            tsk_img_free(ewf_info);
            return NULL;
        }
        for (i = 0; i < a_num_img; i++) {
            if ((ewf_info->images[i] =
                    (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
                            1) * sizeof(TSK_TCHAR))) == NULL) {
                tsk_img_free(ewf_info);
                return NULL;
            }
            TSTRNCPY(ewf_info->images[i], a_images[i],
                TSTRLEN(a_images[i]) + 1);
        }
    }


#if defined( HAVE_LIBEWF_V2_API )

    // Check the file signature before we call the library open
#if defined( TSK_WIN32 )
    if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1)
#else
    if (libewf_check_file_signature(a_images[0], &ewf_error) != 1)
#endif
    {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_MAGIC);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open: Not an EWF file (%s)",
            error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Not an EWF file\n");
        }
        return (NULL);
    }

    if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error initializing handle (%s)", a_images[0], error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Unable to create EWF handle\n");
        }
        return (NULL);
    }
#if defined( TSK_WIN32 )
    if (libewf_handle_open_wide(ewf_info->handle,
            (wchar_t * const *) ewf_info->images,
            ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#else
    if (libewf_handle_open(ewf_info->handle,
            (char *const *) ewf_info->images,
            ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#endif
    {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error opening (%s)", a_images[0], error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Error opening EWF file\n");
        }
        return (NULL);
    }
    if (libewf_handle_get_media_size(ewf_info->handle,
            (size64_t *) & (img_info->size), &ewf_error) != 1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error getting size of image (%s)", a_images[0],
            error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Error getting size of EWF file\n");
        }
        return (NULL);
    }
    result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle,
        (uint8_t *) ewf_info->md5hash, 33, &ewf_error);

    if (result == -1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error getting MD5 of image (%s)", a_images[0],
            error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Error getting size of EWF file\n");
        }
        return (NULL);
    }
    ewf_info->md5hash_isset = result;

#else                           // V1 API

    // Check the file signature before we call the library open
#if defined( TSK_WIN32 )
    if (libewf_check_file_signature_wide(a_images[0]) != 1)
#else
    if (libewf_check_file_signature(a_images[0]) != 1)
#endif
    {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
        tsk_error_set_errstr("ewf_open: Not an EWF file");
        tsk_img_free(ewf_info);
        if (tsk_verbose)
            tsk_fprintf(stderr, "Not an EWF file\n");

        return NULL;
    }

#if defined( TSK_WIN32 )
    ewf_info->handle = libewf_open_wide(
        (wchar_t * const *) ewf_info->images, ewf_info->num_imgs,
        LIBEWF_OPEN_READ);
#else
    ewf_info->handle = libewf_open(
        (char *const *) ewf_info->images, ewf_info->num_imgs,
        LIBEWF_OPEN_READ);
#endif
    if (ewf_info->handle == NULL) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error opening", ewf_info->images[0]);
        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Error opening EWF file\n");
        }
        return (NULL);
    }
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
    // 2007 version
    img_info->size = libewf_get_media_size(ewf_info->handle);

    ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
        ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
#else
    // libewf-20080322 version
    if (libewf_get_media_size(ewf_info->handle,
            (size64_t *) & (img_info->size)) != 1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error getting size of image", ewf_info->images[0]);
        tsk_img_free(ewf_info);
        if (tsk_verbose) {
            tsk_fprintf(stderr, "Error getting size of EWF file\n");
        }
        return (NULL);
    }
    if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
        int md5_string_iterator = 0;
        int md5_hash_iterator = 0;

        for (md5_hash_iterator = 0;
            md5_hash_iterator < 16; md5_hash_iterator++) {
            int digit = md5_hash[md5_hash_iterator] / 16;

            if (digit <= 9) {
                ewf_info->md5hash[md5_string_iterator++] =
                    '0' + (char) digit;
            }
            else {
                ewf_info->md5hash[md5_string_iterator++] =
                    'a' + (char) (digit - 10);
            }
            digit = md5_hash[md5_hash_iterator] % 16;

            if (digit <= 9) {
                ewf_info->md5hash[md5_string_iterator++] =
                    '0' + (char) digit;
            }
            else {
                ewf_info->md5hash[md5_string_iterator++] =
                    'a' + (char) (digit - 10);
            }
        }
        ewf_info->md5hash_isset = 1;
    }
#endif                          /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */
#endif                          /* defined( HAVE_LIBEWF_V2_API ) */
    if (a_ssize != 0) {
        img_info->sector_size = a_ssize;
    }
    else {
        img_info->sector_size = 512;
    }
    img_info->itype = TSK_IMG_TYPE_EWF_EWF;
    img_info->read = &ewf_image_read;
    img_info->close = &ewf_image_close;
    img_info->imgstat = &ewf_image_imgstat;

    // initialize the read lock
    tsk_init_lock(&(ewf_info->read_lock));

    return (img_info);
}
Пример #4
0
/**
    Originally we used tsk_img_open_sing(), but that leads to calling ewf_open(),
    which in turn will fail if the L01 file has an incorrect filename extension.
    This function is a simpler version of ewf_open() which will not fail if the
    filename extension is wrong.
*/
TSK_IMG_INFO * TskL01Extract::openEwfSimple()
{
    const int a_num_img = 1;
    unsigned int a_ssize = 512;
    int result = 0;
    TSK_IMG_INFO *img_info = NULL;
    ewf::libewf_error_t *ewfError = NULL;
    ewf::IMG_EWF_INFO *ewf_info = NULL;

    try
    {
        // Make an absolute path (if it's relative) so that libewf doesn't cause 
        // an error when it tries to make it absolute.
        Poco::Path tempPath(TskUtilities::toUTF8(m_archivePath));
        tempPath.makeAbsolute();
        // We convert to unicode here because that is what the TSK_IMG_INFO structure requires.
        std::wstring ewfArchivePath = TskUtilities::toUTF16(tempPath.toString());

        if ((ewf_info = (ewf::IMG_EWF_INFO *) tsk_img_malloc(sizeof(ewf::IMG_EWF_INFO))) == NULL)
        {
            throw TskException("tsk_img_malloc");
        }
        img_info = (TSK_IMG_INFO *) ewf_info;

        if (ewf::libewf_handle_initialize(&(ewf_info->handle), &ewfError) != 1)
        {
            throw TskException("libewf_handle_initialize");
        }

        //int i;
        ewf_info->num_imgs = a_num_img;
        if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL)
        {
            throw TskException("tsk_malloc");
        }

        if ((ewf_info->images[0] =
            (TSK_TCHAR *) tsk_malloc((TSTRLEN(ewfArchivePath.c_str()) + 1) * sizeof(TSK_TCHAR))) == NULL)
        {
            throw TskException("tsk_malloc 2");
        }
        TSTRNCPY(ewf_info->images[0], ewfArchivePath.c_str(), TSTRLEN(ewfArchivePath.c_str()) + 1);

        ///NOTE: libewf_handle_open_wide() will not open the file if the filename length is < 4 chars long.
        ewfError = NULL;
    #if defined( TSK_WIN32 )
        if (ewf::libewf_handle_open_wide(ewf_info->handle, (TSK_TCHAR * const *) ewf_info->images,
            ewf_info->num_imgs, ewf::LIBEWF_ACCESS_FLAG_READ, &ewfError) != 1)
    #else
        if (ewf::libewf_handle_open(ewf_info->handle,
                (char *const *) ewf_info->images,
                ewf_info->num_imgs, ewf::LIBEWF_OPEN_READ, &ewfError) != 1)
    #endif
        {
            throw TskException("libewf_handle_open_wide");
        }

        ewfError = NULL;
        if (ewf::libewf_handle_get_media_size(ewf_info->handle,
                (ewf::size64_t *) & (img_info->size), &ewfError) != 1)
        {
            throw TskException("libewf_handle_get_media_size");
        }

        ewfError = NULL;
        result = ewf::libewf_handle_get_utf8_hash_value_md5(ewf_info->handle,
            (uint8_t *) ewf_info->md5hash, 33, &ewfError);

        if (result == -1)
        {
            throw TskException("libewf_handle_get_utf8_hash_value_md5");
        }
        ewf_info->md5hash_isset = result;

        if (a_ssize != 0)
        {
            img_info->sector_size = a_ssize;
        }
        else
        {
            img_info->sector_size = 512;
        }

        img_info->itype   = TSK_IMG_TYPE_EWF_EWF;
        img_info->close   = ewf_image_close;
        img_info->read    = null_read;
        img_info->imgstat = null_imgstat;

        // initialize the read lock
        tsk_init_lock(&(ewf_info->read_lock));

        return img_info;
    }
    catch (TskException &ex)
    {
        std::ostringstream msg;
        msg << "openEwfSimple: TskException: " << ex.message();
        if (ewfError)
        {
            char errorString[512];
            errorString[0] = '\0';
            ewf::libewf_error_backtrace_sprint(ewfError, errorString, 512);
            msg << " - libewf error: " << errorString << std::endl;
        }
        LOGERROR(msg.str());
        free(ewf_info);
        return NULL;
    }
}
Пример #5
0
/** 
 * \internal
 * Open the set of disk images as a set of split raw images
 *
 * @param a_num_img Number of images in set
 * @param a_images List of disk image paths (in sorted order)
 * @param a_ssize Size of device sector in bytes (or 0 for default)
 *
 * @return NULL on error
 */
TSK_IMG_INFO *
raw_open(int a_num_img, const TSK_TCHAR * const a_images[],
    unsigned int a_ssize)
{
    IMG_RAW_INFO *raw_info;
    TSK_IMG_INFO *img_info;
    int i;
    TSK_OFF_T first_seg_size;

    if ((raw_info =
            (IMG_RAW_INFO *) tsk_img_malloc(sizeof(IMG_RAW_INFO))) == NULL)
        return NULL;

    img_info = (TSK_IMG_INFO *) raw_info;

    img_info->itype = TSK_IMG_TYPE_RAW;
    img_info->read = raw_read;
    img_info->close = raw_close;
    img_info->imgstat = raw_imgstat;

    img_info->sector_size = 512;
    if (a_ssize)
        img_info->sector_size = a_ssize;
    raw_info->is_winobj = 0;

#if defined(TSK_WIN32) || defined(__CYGWIN__)
    /* determine if this is the path to a Windows device object */
    if ((a_images[0][0] == _TSK_T('\\'))
        && (a_images[0][1] == _TSK_T('\\'))
        && ((a_images[0][2] == _TSK_T('.')) || (a_images[0][2] == _TSK_T('?')))
        && (a_images[0][3] == _TSK_T('\\'))) {
        raw_info->is_winobj = 1;
    }
#endif

    /* Check that the first image file exists and is not a directory */
    first_seg_size = get_size(a_images[0], raw_info->is_winobj);
    if (first_seg_size < -1) {
        tsk_img_free(raw_info);
        return NULL;
    }

    /* see if there are more of them... */
    if ((a_num_img == 1) && (raw_info->is_winobj == 0)) {
        if ((raw_info->images =
                tsk_img_findFiles(a_images[0],
                    &raw_info->num_img)) == NULL) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_IMG_STAT);
            tsk_error_set_errstr
                ("raw_open: could not find segment files starting at \"%"
                PRIttocTSK "\"", a_images[0]);
            tsk_img_free(raw_info);
            return NULL;
        }
    }
    else {
        raw_info->num_img = a_num_img;
        raw_info->images =
            (TSK_TCHAR **) tsk_malloc(sizeof(TSK_TCHAR *) * a_num_img);
        if (raw_info->images == NULL) {
            tsk_img_free(raw_info);
            return NULL;
        }

        for (i = 0; i < raw_info->num_img; i++) {
            size_t len = TSTRLEN(a_images[i]);
            raw_info->images[i] =
                (TSK_TCHAR *) tsk_malloc(sizeof(TSK_TCHAR) * (len + 1));
            if (raw_info->images[i] == NULL) {
                int j;
                for (j = 0; j < i; j++) {
                    free(raw_info->images[j]);
                }
                free(raw_info->images);
                tsk_img_free(raw_info);
                return NULL;
            }
            TSTRNCPY(raw_info->images[i], a_images[i], len + 1);
        }
    }

    /* sanity check: when we have multiple segments, the size of
     * each must be known */
    if ((raw_info->num_img > 1) && (first_seg_size < 0)) {
        if (tsk_verbose) {
            tsk_fprintf(stderr,
                "raw_open: file size is unknown in a segmented raw image\n");
        }

        for (i = 0; i < raw_info->num_img; i++) {
            free(raw_info->images[i]);
        }
        free(raw_info->images);
        tsk_img_free(raw_info);
        return NULL;
    }

    /* initialize the split cache */
    raw_info->cptr = (int *) tsk_malloc(raw_info->num_img * sizeof(int));
    if (raw_info->cptr == NULL) {
        for (i = 0; i < raw_info->num_img; i++) {
            free(raw_info->images[i]);
        }
        free(raw_info->images);
        tsk_img_free(raw_info);
        return NULL;
    }
    memset((void *) &raw_info->cache, 0,
        SPLIT_CACHE * sizeof(IMG_SPLIT_CACHE));
    raw_info->next_slot = 0;

    /* initialize the offset table and re-use the first segment
     * size gathered above */
    raw_info->max_off =
        (TSK_OFF_T *) tsk_malloc(raw_info->num_img * sizeof(TSK_OFF_T));
    if (raw_info->max_off == NULL) {
        free(raw_info->cptr);
        for (i = 0; i < raw_info->num_img; i++) {
            free(raw_info->images[i]);
        }
        free(raw_info->images);
        tsk_img_free(raw_info);
        return NULL;
    }
    img_info->size = first_seg_size;
    raw_info->max_off[0] = img_info->size;
    raw_info->cptr[0] = -1;
    if (tsk_verbose) {
        tsk_fprintf(stderr,
            "raw_open: segment: 0  size: %" PRIuOFF "  max offset: %"
            PRIuOFF "  path: %" PRIttocTSK "\n", first_seg_size,
            raw_info->max_off[0], raw_info->images[0]);
    }

    /* get size info for each file - we do not open each one because that
     * could cause us to run out of file decsriptors when we only need a few.
     * The descriptors are opened as needed */
    for (i = 1; i < raw_info->num_img; i++) {
        TSK_OFF_T size;
        raw_info->cptr[i] = -1;
        size = get_size(raw_info->images[i], raw_info->is_winobj);
        if (size < 0) {
            if (size == -1) {
                if (tsk_verbose) {
                    tsk_fprintf(stderr,
                        "raw_open: file size is unknown in a segmented raw image\n");
                }
            }
            free(raw_info->cptr);
            for (i = 0; i < raw_info->num_img; i++) {
                free(raw_info->images[i]);
            }
            free(raw_info->images);
            tsk_img_free(raw_info);
            return NULL;
        }

        /* add the size of this image to the total and save the current max */
        img_info->size += size;
        raw_info->max_off[i] = img_info->size;

        if (tsk_verbose) {
            tsk_fprintf(stderr,
                "raw_open: segment: %d  size: %" PRIuOFF "  max offset: %"
                PRIuOFF "  path: %" PRIttocTSK "\n", i, size,
                raw_info->max_off[i], raw_info->images[i]);
        }
    }

    return img_info;
}
Пример #6
0
/**
 * \internal
 * Open the file as a raw image.
 * @param image Path to disk image to open.
 * @param a_ssize Size of device sector in bytes (or 0 for default)
 * @returns NULL on error.
 */
TSK_IMG_INFO *
raw_open(const TSK_TCHAR * image, unsigned int a_ssize)
{
    IMG_RAW_INFO *raw_info;
    TSK_IMG_INFO *img_info;
    struct STAT_STR stat_buf;
    int is_winobj = 0;

    if ((raw_info =
            (IMG_RAW_INFO *) tsk_img_malloc(sizeof(IMG_RAW_INFO))) == NULL)
        return NULL;

    img_info = (TSK_IMG_INFO *) raw_info;

    img_info->itype = TSK_IMG_TYPE_RAW_SING;
    img_info->read = raw_read;
    img_info->close = raw_close;
    img_info->imgstat = raw_imgstat;

    img_info->sector_size = 512;
    if (a_ssize)
        img_info->sector_size = a_ssize;


#if defined(TSK_WIN32) || defined(__CYGWIN__)
    if ((image[0] == _TSK_T('\\'))
        && (image[1] == _TSK_T('\\'))
        && (image[2] == _TSK_T('.'))
        && (image[3] == _TSK_T('\\'))) {
        is_winobj = 1;
    }
#endif
    if (is_winobj == 0) {
        /* Exit if we are given a directory */
        if (TSTAT(image, &stat_buf) < 0) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_IMG_STAT);
            tsk_error_set_errstr("raw_open: %s", strerror(errno));
            return NULL;
        }
        else if ((stat_buf.st_mode & S_IFMT) == S_IFDIR) {
            if (tsk_verbose)
                TFPRINTF(stderr,
                    _TSK_T("raw_open: image %s is a directory\n"), image);

            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
            tsk_error_set_errstr("raw_open: path is for a directory");
            return NULL;
        }
    }

#ifdef TSK_WIN32
    {
        DWORD dwHi, dwLo;

        if ((raw_info->fd = CreateFile(image, FILE_READ_DATA,
                    FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) ==
            INVALID_HANDLE_VALUE) {

            // if it is a device, try with SHARE_WRITE
            if ((image[0] == _TSK_T('\\')) && (image[1] == _TSK_T('\\')) &&
                (image[2] == _TSK_T('.')) && (image[3] == _TSK_T('\\'))) {
                if (tsk_verbose)
                    tsk_fprintf(stderr,
                        "raw_open: Trying Windows device with share_write mode\n");

                raw_info->fd = CreateFile(image, FILE_READ_DATA,
                    FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                    OPEN_EXISTING, 0, NULL);
            }

            if (raw_info->fd == INVALID_HANDLE_VALUE) {
                tsk_error_reset();
                tsk_error_set_errno(TSK_ERR_IMG_OPEN);
                // print string of commonly found errors
                if (GetLastError() == ERROR_ACCESS_DENIED) {
                    tsk_error_set_errstr("raw_open file: %" PRIttocTSK
                        " (Access Denied)", image);
                }
                else if (GetLastError() == ERROR_SHARING_VIOLATION) {
                    tsk_error_set_errstr("raw_open file: %" PRIttocTSK
                        " (Sharing Violation)", image);
                }
                else if (GetLastError() == ERROR_FILE_NOT_FOUND) {
                    tsk_error_set_errstr("raw_open file: %" PRIttocTSK
                        " (File not found)", image);
                }
                else {
                    tsk_error_set_errstr("raw_open file: %" PRIttocTSK
                        " (%d)", image, (int) GetLastError());
                }
                return NULL;
            }
        }

        /* We need different techniques to determine the size of physical
         * devices versus normal files
         */
        if (is_winobj == 0) {
            dwLo = GetFileSize(raw_info->fd, &dwHi);
            if (dwLo == 0xffffffff) {
                tsk_error_reset();
                tsk_error_set_errno(TSK_ERR_IMG_OPEN);
                tsk_error_set_errstr("raw_open file: %" PRIttocTSK
                    " GetFileSize: %d", image, (int) GetLastError());
                return NULL;
            }
            img_info->size = dwLo | ((TSK_OFF_T) dwHi << 32);
        }
        else {
            DISK_GEOMETRY pdg;
            DWORD junk;

            if (FALSE == DeviceIoControl(raw_info->fd,  // device to be queried
                    IOCTL_DISK_GET_DRIVE_GEOMETRY,      // operation to perform
                    NULL, 0, &pdg, sizeof(pdg), &junk,
                    (LPOVERLAPPED) NULL)) {
                tsk_error_reset();
                tsk_error_set_errno(TSK_ERR_IMG_OPEN);
                tsk_error_set_errstr("raw_open file: %" PRIttocTSK
                    " DeviceIoControl: %d", image, (int) GetLastError());
                return NULL;
            }

            img_info->size =
                pdg.Cylinders.QuadPart *
                (TSK_OFF_T) pdg.TracksPerCylinder *
                (TSK_OFF_T) pdg.SectorsPerTrack *
                (TSK_OFF_T) pdg.BytesPerSector;
        }
    }
#else
    if ((raw_info->fd = open(image, O_RDONLY | O_BINARY)) < 0) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("raw_open file: %" PRIttocTSK " msg: %s",
            image, strerror(errno));
        return NULL;
    }

#if defined(__APPLE__)
    /* OS X doesn't support SEEK_END on char devices */
    if ((stat_buf.st_mode & S_IFMT) != S_IFCHR) {
        img_info->size = lseek(raw_info->fd, 0, SEEK_END);
        lseek(raw_info->fd, 0, SEEK_SET);
    }

    if (img_info->size == 0) {
        int blkSize;
        long long blkCnt;

        if (ioctl(raw_info->fd, DKIOCGETBLOCKSIZE, &blkSize) >= 0) {
            if (ioctl(raw_info->fd, DKIOCGETBLOCKCOUNT, &blkCnt) >= 0) {
                img_info->size = blkCnt * (long long) blkSize;
            }
        }
    }
#else
    /* We don't use the stat output because it doesn't work on raw
     * devices and such */
    img_info->size = lseek(raw_info->fd, 0, SEEK_END);
    lseek(raw_info->fd, 0, SEEK_SET);
#endif

#endif
    raw_info->seek_pos = 0;

    return img_info;
}
Пример #7
0
TSK_IMG_INFO *
ewf_open(int a_num_img, const TSK_TCHAR * const a_images[],
    unsigned int a_ssize)
{
    IMG_EWF_INFO *ewf_info;
    TSK_IMG_INFO *img_info;

#if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
    uint8_t md5_hash[16];
#endif
    if ((ewf_info =
            (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
        NULL) {
        return NULL;
    }

    img_info = (TSK_IMG_INFO *) ewf_info;


    // See if they specified only the first of the set...
    if (a_num_img == 1) {
#ifdef TSK_WIN32
        ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
        ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
        if (ewf_info->num_imgs <= 0) {
            free(ewf_info);
            return NULL;
        }
        if (tsk_verbose)
            tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs);
    }
    else {
        int i;
        ewf_info->num_imgs = a_num_img;
        if ((ewf_info->images =
                (TSK_TCHAR **) tsk_malloc(a_num_img *
                    sizeof(TSK_TCHAR *))) == NULL) {
            free(ewf_info);
            return NULL;
        }
        for (i = 0; i < a_num_img; i++) {
            if ((ewf_info->images[i] =
                    (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
                            1) * sizeof(TSK_TCHAR))) == NULL) {
                free(ewf_info);
                return NULL;
            }
            TSTRNCPY(ewf_info->images[i], a_images[i],
                TSTRLEN(a_images[i]) + 1);
        }
    }


    /* check the magic before we call the library open */
    //if (img_file_header_signature_ncmp(images[0],
    //        "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) {
#if defined (TSK_WIN32)
    if (libewf_check_file_signature_wide(ewf_info->images[0]) == 0) {
#else
    if (libewf_check_file_signature(ewf_info->images[0]) == 0) {
#endif
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
        tsk_error_set_errstr("ewf_open: Not an EWF file");
        free(ewf_info);
        if (tsk_verbose)
            tsk_fprintf(stderr, "Not an EWF file\n");

        return NULL;
    }

#if defined (TSK_WIN32)
    ewf_info->handle =
        libewf_open_wide((wchar_t * const *) ewf_info->images,
        ewf_info->num_imgs, LIBEWF_OPEN_READ);
#else
    ewf_info->handle =
        libewf_open((char *const *) ewf_info->images, ewf_info->num_imgs,
        LIBEWF_OPEN_READ);
#endif
    if (ewf_info->handle == NULL) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error opening", ewf_info->images[0]);
        free(ewf_info);
        if (tsk_verbose) {
            tsk_fprintf(stderr, "Error opening EWF file\n");
        }
        return NULL;
    }

    // 2007 version
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
    img_info->size = libewf_get_media_size(ewf_info->handle);
    ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
        ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
// libewf-20080322 version
#else
    if (libewf_get_media_size(ewf_info->handle,
            (size64_t *) & (img_info->size))
        != 1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error getting size of image", ewf_info->images[0]);
        free(ewf_info);
        if (tsk_verbose) {
            tsk_fprintf(stderr, "Error getting size of EWF file\n");
        }
        return NULL;
    }

    if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
        int md5_string_iterator = 0;
        int md5_hash_iterator;
        for (md5_hash_iterator = 0; md5_hash_iterator < 16;
            md5_hash_iterator++) {
            int digit = md5_hash[md5_hash_iterator] / 16;
            if (digit <= 9)
                ewf_info->md5hash[md5_string_iterator++] = (char)
                    ('0' + digit);
            else
                ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
                    (digit - 10));
            digit = md5_hash[md5_hash_iterator] % 16;
            if (digit <= 9)
                ewf_info->md5hash[md5_string_iterator++] =
                    (char) ('0' + digit);
            else
                ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
                    (digit - 10));
        }
        ewf_info->md5hash_isset = 1;
    }
#endif
    img_info->sector_size = 512;
    if (a_ssize)
        img_info->sector_size = a_ssize;


    img_info->itype = TSK_IMG_TYPE_EWF_EWF;
    img_info->read = ewf_image_read;
    img_info->close = ewf_image_close;
    img_info->imgstat = ewf_image_imgstat;

    return img_info;
}