TSK_IMG_INFO * qemu_image_open(void *opaque, unsigned int a_ssize) { IMG_QEMU_INFO *qemu_info; TSK_IMG_INFO *img_info; if ((qemu_info = (IMG_QEMU_INFO *) tsk_img_malloc(sizeof(IMG_QEMU_INFO))) == NULL) return NULL; memset((void *) qemu_info, 0, sizeof(IMG_QEMU_INFO)); img_info = (TSK_IMG_INFO *) qemu_info; //AVB, does this matter? img_info->itype = QEMU_IMG; img_info->read = qemu_read; img_info->close = __qemu_close; img_info->imgstat = qemu_imgstat; img_info->sector_size = 512; //AVB, This is BlockDriverState associated with the image qemu_info->opaque = (void*) opaque; // This does not matter here, as the size is reset again in DECAF // to the correct size, for proper functionality of the read function img_info->size = 17179869184; return img_info; }
TSK_IMG_INFO * aff_open(const TSK_TCHAR * const images[], unsigned int a_ssize) { IMG_AFF_INFO *aff_info; TSK_IMG_INFO *img_info; int type; char *image; #ifdef TSK_WIN32 // convert wchar_t* image path to char* to conform to // the AFFLIB API UTF16 *utf16 = (UTF16 *)images[0]; size_t ilen = wcslen(utf16); size_t olen = ilen*4 + 1; UTF8 *utf8 = (UTF8 *) tsk_malloc(olen); image = (char *) utf8; if ( image == NULL ) return NULL; TSKConversionResult retval = tsk_UTF16toUTF8_lclorder( (const UTF16 **) &utf16, &utf16[ilen], &utf8, &utf8[olen], TSKlenientConversion ); *utf8 = '\0'; if (retval != TSKconversionOK) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNICODE); tsk_error_set_errstr("aff_open file: %" PRIttocTSK ": Error converting path to UTF-8 %d\n", images[0], retval); free(image); return NULL; } utf8 = (UTF8 *) image; while ( *utf8 ) { if ( *utf8 > 127 ) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNICODE); tsk_error_set_errstr("aff_open file: %" PRIttocTSK ": Non-Latin paths are not supported for AFF images\n", images[0]); free(image); return NULL; } utf8++; } #else image = (char *) tsk_malloc( strlen(images[0])+1 ); if ( image == NULL ) return NULL; strncpy(image, images[0], strlen(images[0])+1 ); #endif if ((aff_info = (IMG_AFF_INFO *) tsk_img_malloc(sizeof(IMG_AFF_INFO))) == NULL) { free(image); return NULL; } img_info = (TSK_IMG_INFO *) aff_info; img_info->read = aff_read; img_info->close = aff_close; img_info->imgstat = aff_imgstat; img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; type = af_identify_file_type(image, 1); if ((type == AF_IDENTIFY_ERR) || (type == AF_IDENTIFY_NOEXIST)) { if (tsk_verbose) { tsk_fprintf(stderr, "aff_open: Error determining type of file: %" PRIttocTSK "\n", images[0]); perror("aff_open"); } tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("aff_open file: %" PRIttocTSK ": Error checking type", images[0]); tsk_img_free(aff_info); free(image); return NULL; } else if (type == AF_IDENTIFY_AFF) { img_info->itype = TSK_IMG_TYPE_AFF_AFF; } else if (type == AF_IDENTIFY_AFD) { img_info->itype = TSK_IMG_TYPE_AFF_AFD; } else if (type == AF_IDENTIFY_AFM) { img_info->itype = TSK_IMG_TYPE_AFF_AFM; } else { img_info->itype = TSK_IMG_TYPE_AFF_ANY; } aff_info->af_file = af_open(image, O_RDONLY | O_BINARY, 0); if (!aff_info->af_file) { // @@@ Need to check here if the open failed because of an incorrect password. tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("aff_open file: %" PRIttocTSK ": Error opening - %s", images[0], strerror(errno)); tsk_img_free(aff_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening AFF/AFD/AFM file\n"); perror("aff_open"); } free(image); return NULL; } // verify that a password was given and we can read encrypted data. if (af_cannot_decrypt(aff_info->af_file)) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_PASSWD); tsk_error_set_errstr("aff_open file: %" PRIttocTSK, images[0]); tsk_img_free(aff_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening AFF/AFD/AFM file (incorrect password)\n"); } free(image); return NULL; } aff_info->type = type; img_info->size = af_imagesize(aff_info->af_file); af_seek(aff_info->af_file, 0, SEEK_SET); aff_info->seek_pos = 0; free(image); return img_info; }
TSK_IMG_INFO * ewf_open(int a_num_img, const TSK_TCHAR * const a_images[], unsigned int a_ssize) { #if defined( HAVE_LIBEWF_V2_API ) char error_string[TSK_EWF_ERROR_STRING_SIZE]; libewf_error_t *ewf_error = NULL; int result = 0; #elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif IMG_EWF_INFO *ewf_info = NULL; TSK_IMG_INFO *img_info = NULL; #if !defined( HAVE_LIBEWF_V2_API) if (tsk_verbose) libewf_set_notify_values(stderr, 1); #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; // See if they specified only the first of the set... ewf_info->used_ewf_glob = 0; if (a_num_img == 1) { #if defined( HAVE_LIBEWF_V2_API) #ifdef TSK_WIN32 if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images, &ewf_info->num_imgs, &ewf_error) == -1) { #else if (libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images, &ewf_info->num_imgs, &ewf_error) == -1) { #endif tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)", error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); return NULL; } #else //use v1 #ifdef TSK_WIN32 ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #else ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #endif if (ewf_info->num_imgs <= 0) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an E01 glob name"); tsk_img_free(ewf_info); return NULL; } #endif // end v1 ewf_info->used_ewf_glob = 1; if (tsk_verbose) tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs); } else { int i; ewf_info->num_imgs = a_num_img; if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL) { tsk_img_free(ewf_info); return NULL; } for (i = 0; i < a_num_img; i++) { if ((ewf_info->images[i] = (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) + 1) * sizeof(TSK_TCHAR))) == NULL) { tsk_img_free(ewf_info); return NULL; } TSTRNCPY(ewf_info->images[i], a_images[i], TSTRLEN(a_images[i]) + 1); } } #if defined( HAVE_LIBEWF_V2_API ) // Check the file signature before we call the library open #if defined( TSK_WIN32 ) if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1) #else if (libewf_check_file_signature(a_images[0], &ewf_error) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open: Not an EWF file (%s)", error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Not an EWF file\n"); } return (NULL); } if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error initializing handle (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Unable to create EWF handle\n"); } return (NULL); } #if defined( TSK_WIN32 ) if (libewf_handle_open_wide(ewf_info->handle, (wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1) #else if (libewf_handle_open(ewf_info->handle, (char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return (NULL); } if (libewf_handle_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size), &ewf_error) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle, (uint8_t *) ewf_info->md5hash, 33, &ewf_error); if (result == -1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); getError(ewf_error, error_string); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting MD5 of image (%s)", a_images[0], error_string); libewf_error_free(&ewf_error); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } ewf_info->md5hash_isset = result; #else // V1 API // Check the file signature before we call the library open #if defined( TSK_WIN32 ) if (libewf_check_file_signature_wide(a_images[0]) != 1) #else if (libewf_check_file_signature(a_images[0]) != 1) #endif { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an EWF file"); tsk_img_free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined( TSK_WIN32 ) ewf_info->handle = libewf_open_wide( (wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open( (char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening", ewf_info->images[0]); tsk_img_free(ewf_info); if (tsk_verbose != 0) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return (NULL); } #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) // 2007 version img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); #else // libewf-20080322 version if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image", ewf_info->images[0]); tsk_img_free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return (NULL); } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator = 0; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) { ewf_info->md5hash[md5_string_iterator++] = '0' + (char) digit; } else { ewf_info->md5hash[md5_string_iterator++] = 'a' + (char) (digit - 10); } digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) { ewf_info->md5hash[md5_string_iterator++] = '0' + (char) digit; } else { ewf_info->md5hash[md5_string_iterator++] = 'a' + (char) (digit - 10); } } ewf_info->md5hash_isset = 1; } #endif /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */ #endif /* defined( HAVE_LIBEWF_V2_API ) */ if (a_ssize != 0) { img_info->sector_size = a_ssize; } else { img_info->sector_size = 512; } img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = &ewf_image_read; img_info->close = &ewf_image_close; img_info->imgstat = &ewf_image_imgstat; // initialize the read lock tsk_init_lock(&(ewf_info->read_lock)); return (img_info); }
/** Originally we used tsk_img_open_sing(), but that leads to calling ewf_open(), which in turn will fail if the L01 file has an incorrect filename extension. This function is a simpler version of ewf_open() which will not fail if the filename extension is wrong. */ TSK_IMG_INFO * TskL01Extract::openEwfSimple() { const int a_num_img = 1; unsigned int a_ssize = 512; int result = 0; TSK_IMG_INFO *img_info = NULL; ewf::libewf_error_t *ewfError = NULL; ewf::IMG_EWF_INFO *ewf_info = NULL; try { // Make an absolute path (if it's relative) so that libewf doesn't cause // an error when it tries to make it absolute. Poco::Path tempPath(TskUtilities::toUTF8(m_archivePath)); tempPath.makeAbsolute(); // We convert to unicode here because that is what the TSK_IMG_INFO structure requires. std::wstring ewfArchivePath = TskUtilities::toUTF16(tempPath.toString()); if ((ewf_info = (ewf::IMG_EWF_INFO *) tsk_img_malloc(sizeof(ewf::IMG_EWF_INFO))) == NULL) { throw TskException("tsk_img_malloc"); } img_info = (TSK_IMG_INFO *) ewf_info; if (ewf::libewf_handle_initialize(&(ewf_info->handle), &ewfError) != 1) { throw TskException("libewf_handle_initialize"); } //int i; ewf_info->num_imgs = a_num_img; if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL) { throw TskException("tsk_malloc"); } if ((ewf_info->images[0] = (TSK_TCHAR *) tsk_malloc((TSTRLEN(ewfArchivePath.c_str()) + 1) * sizeof(TSK_TCHAR))) == NULL) { throw TskException("tsk_malloc 2"); } TSTRNCPY(ewf_info->images[0], ewfArchivePath.c_str(), TSTRLEN(ewfArchivePath.c_str()) + 1); ///NOTE: libewf_handle_open_wide() will not open the file if the filename length is < 4 chars long. ewfError = NULL; #if defined( TSK_WIN32 ) if (ewf::libewf_handle_open_wide(ewf_info->handle, (TSK_TCHAR * const *) ewf_info->images, ewf_info->num_imgs, ewf::LIBEWF_ACCESS_FLAG_READ, &ewfError) != 1) #else if (ewf::libewf_handle_open(ewf_info->handle, (char *const *) ewf_info->images, ewf_info->num_imgs, ewf::LIBEWF_OPEN_READ, &ewfError) != 1) #endif { throw TskException("libewf_handle_open_wide"); } ewfError = NULL; if (ewf::libewf_handle_get_media_size(ewf_info->handle, (ewf::size64_t *) & (img_info->size), &ewfError) != 1) { throw TskException("libewf_handle_get_media_size"); } ewfError = NULL; result = ewf::libewf_handle_get_utf8_hash_value_md5(ewf_info->handle, (uint8_t *) ewf_info->md5hash, 33, &ewfError); if (result == -1) { throw TskException("libewf_handle_get_utf8_hash_value_md5"); } ewf_info->md5hash_isset = result; if (a_ssize != 0) { img_info->sector_size = a_ssize; } else { img_info->sector_size = 512; } img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->close = ewf_image_close; img_info->read = null_read; img_info->imgstat = null_imgstat; // initialize the read lock tsk_init_lock(&(ewf_info->read_lock)); return img_info; } catch (TskException &ex) { std::ostringstream msg; msg << "openEwfSimple: TskException: " << ex.message(); if (ewfError) { char errorString[512]; errorString[0] = '\0'; ewf::libewf_error_backtrace_sprint(ewfError, errorString, 512); msg << " - libewf error: " << errorString << std::endl; } LOGERROR(msg.str()); free(ewf_info); return NULL; } }
/** * \internal * Open the set of disk images as a set of split raw images * * @param a_num_img Number of images in set * @param a_images List of disk image paths (in sorted order) * @param a_ssize Size of device sector in bytes (or 0 for default) * * @return NULL on error */ TSK_IMG_INFO * raw_open(int a_num_img, const TSK_TCHAR * const a_images[], unsigned int a_ssize) { IMG_RAW_INFO *raw_info; TSK_IMG_INFO *img_info; int i; TSK_OFF_T first_seg_size; if ((raw_info = (IMG_RAW_INFO *) tsk_img_malloc(sizeof(IMG_RAW_INFO))) == NULL) return NULL; img_info = (TSK_IMG_INFO *) raw_info; img_info->itype = TSK_IMG_TYPE_RAW; img_info->read = raw_read; img_info->close = raw_close; img_info->imgstat = raw_imgstat; img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; raw_info->is_winobj = 0; #if defined(TSK_WIN32) || defined(__CYGWIN__) /* determine if this is the path to a Windows device object */ if ((a_images[0][0] == _TSK_T('\\')) && (a_images[0][1] == _TSK_T('\\')) && ((a_images[0][2] == _TSK_T('.')) || (a_images[0][2] == _TSK_T('?'))) && (a_images[0][3] == _TSK_T('\\'))) { raw_info->is_winobj = 1; } #endif /* Check that the first image file exists and is not a directory */ first_seg_size = get_size(a_images[0], raw_info->is_winobj); if (first_seg_size < -1) { tsk_img_free(raw_info); return NULL; } /* see if there are more of them... */ if ((a_num_img == 1) && (raw_info->is_winobj == 0)) { if ((raw_info->images = tsk_img_findFiles(a_images[0], &raw_info->num_img)) == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_STAT); tsk_error_set_errstr ("raw_open: could not find segment files starting at \"%" PRIttocTSK "\"", a_images[0]); tsk_img_free(raw_info); return NULL; } } else { raw_info->num_img = a_num_img; raw_info->images = (TSK_TCHAR **) tsk_malloc(sizeof(TSK_TCHAR *) * a_num_img); if (raw_info->images == NULL) { tsk_img_free(raw_info); return NULL; } for (i = 0; i < raw_info->num_img; i++) { size_t len = TSTRLEN(a_images[i]); raw_info->images[i] = (TSK_TCHAR *) tsk_malloc(sizeof(TSK_TCHAR) * (len + 1)); if (raw_info->images[i] == NULL) { int j; for (j = 0; j < i; j++) { free(raw_info->images[j]); } free(raw_info->images); tsk_img_free(raw_info); return NULL; } TSTRNCPY(raw_info->images[i], a_images[i], len + 1); } } /* sanity check: when we have multiple segments, the size of * each must be known */ if ((raw_info->num_img > 1) && (first_seg_size < 0)) { if (tsk_verbose) { tsk_fprintf(stderr, "raw_open: file size is unknown in a segmented raw image\n"); } for (i = 0; i < raw_info->num_img; i++) { free(raw_info->images[i]); } free(raw_info->images); tsk_img_free(raw_info); return NULL; } /* initialize the split cache */ raw_info->cptr = (int *) tsk_malloc(raw_info->num_img * sizeof(int)); if (raw_info->cptr == NULL) { for (i = 0; i < raw_info->num_img; i++) { free(raw_info->images[i]); } free(raw_info->images); tsk_img_free(raw_info); return NULL; } memset((void *) &raw_info->cache, 0, SPLIT_CACHE * sizeof(IMG_SPLIT_CACHE)); raw_info->next_slot = 0; /* initialize the offset table and re-use the first segment * size gathered above */ raw_info->max_off = (TSK_OFF_T *) tsk_malloc(raw_info->num_img * sizeof(TSK_OFF_T)); if (raw_info->max_off == NULL) { free(raw_info->cptr); for (i = 0; i < raw_info->num_img; i++) { free(raw_info->images[i]); } free(raw_info->images); tsk_img_free(raw_info); return NULL; } img_info->size = first_seg_size; raw_info->max_off[0] = img_info->size; raw_info->cptr[0] = -1; if (tsk_verbose) { tsk_fprintf(stderr, "raw_open: segment: 0 size: %" PRIuOFF " max offset: %" PRIuOFF " path: %" PRIttocTSK "\n", first_seg_size, raw_info->max_off[0], raw_info->images[0]); } /* get size info for each file - we do not open each one because that * could cause us to run out of file decsriptors when we only need a few. * The descriptors are opened as needed */ for (i = 1; i < raw_info->num_img; i++) { TSK_OFF_T size; raw_info->cptr[i] = -1; size = get_size(raw_info->images[i], raw_info->is_winobj); if (size < 0) { if (size == -1) { if (tsk_verbose) { tsk_fprintf(stderr, "raw_open: file size is unknown in a segmented raw image\n"); } } free(raw_info->cptr); for (i = 0; i < raw_info->num_img; i++) { free(raw_info->images[i]); } free(raw_info->images); tsk_img_free(raw_info); return NULL; } /* add the size of this image to the total and save the current max */ img_info->size += size; raw_info->max_off[i] = img_info->size; if (tsk_verbose) { tsk_fprintf(stderr, "raw_open: segment: %d size: %" PRIuOFF " max offset: %" PRIuOFF " path: %" PRIttocTSK "\n", i, size, raw_info->max_off[i], raw_info->images[i]); } } return img_info; }
/** * \internal * Open the file as a raw image. * @param image Path to disk image to open. * @param a_ssize Size of device sector in bytes (or 0 for default) * @returns NULL on error. */ TSK_IMG_INFO * raw_open(const TSK_TCHAR * image, unsigned int a_ssize) { IMG_RAW_INFO *raw_info; TSK_IMG_INFO *img_info; struct STAT_STR stat_buf; int is_winobj = 0; if ((raw_info = (IMG_RAW_INFO *) tsk_img_malloc(sizeof(IMG_RAW_INFO))) == NULL) return NULL; img_info = (TSK_IMG_INFO *) raw_info; img_info->itype = TSK_IMG_TYPE_RAW_SING; img_info->read = raw_read; img_info->close = raw_close; img_info->imgstat = raw_imgstat; img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; #if defined(TSK_WIN32) || defined(__CYGWIN__) if ((image[0] == _TSK_T('\\')) && (image[1] == _TSK_T('\\')) && (image[2] == _TSK_T('.')) && (image[3] == _TSK_T('\\'))) { is_winobj = 1; } #endif if (is_winobj == 0) { /* Exit if we are given a directory */ if (TSTAT(image, &stat_buf) < 0) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_STAT); tsk_error_set_errstr("raw_open: %s", strerror(errno)); return NULL; } else if ((stat_buf.st_mode & S_IFMT) == S_IFDIR) { if (tsk_verbose) TFPRINTF(stderr, _TSK_T("raw_open: image %s is a directory\n"), image); tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("raw_open: path is for a directory"); return NULL; } } #ifdef TSK_WIN32 { DWORD dwHi, dwLo; if ((raw_info->fd = CreateFile(image, FILE_READ_DATA, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) == INVALID_HANDLE_VALUE) { // if it is a device, try with SHARE_WRITE if ((image[0] == _TSK_T('\\')) && (image[1] == _TSK_T('\\')) && (image[2] == _TSK_T('.')) && (image[3] == _TSK_T('\\'))) { if (tsk_verbose) tsk_fprintf(stderr, "raw_open: Trying Windows device with share_write mode\n"); raw_info->fd = CreateFile(image, FILE_READ_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); } if (raw_info->fd == INVALID_HANDLE_VALUE) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); // print string of commonly found errors if (GetLastError() == ERROR_ACCESS_DENIED) { tsk_error_set_errstr("raw_open file: %" PRIttocTSK " (Access Denied)", image); } else if (GetLastError() == ERROR_SHARING_VIOLATION) { tsk_error_set_errstr("raw_open file: %" PRIttocTSK " (Sharing Violation)", image); } else if (GetLastError() == ERROR_FILE_NOT_FOUND) { tsk_error_set_errstr("raw_open file: %" PRIttocTSK " (File not found)", image); } else { tsk_error_set_errstr("raw_open file: %" PRIttocTSK " (%d)", image, (int) GetLastError()); } return NULL; } } /* We need different techniques to determine the size of physical * devices versus normal files */ if (is_winobj == 0) { dwLo = GetFileSize(raw_info->fd, &dwHi); if (dwLo == 0xffffffff) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("raw_open file: %" PRIttocTSK " GetFileSize: %d", image, (int) GetLastError()); return NULL; } img_info->size = dwLo | ((TSK_OFF_T) dwHi << 32); } else { DISK_GEOMETRY pdg; DWORD junk; if (FALSE == DeviceIoControl(raw_info->fd, // device to be queried IOCTL_DISK_GET_DRIVE_GEOMETRY, // operation to perform NULL, 0, &pdg, sizeof(pdg), &junk, (LPOVERLAPPED) NULL)) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("raw_open file: %" PRIttocTSK " DeviceIoControl: %d", image, (int) GetLastError()); return NULL; } img_info->size = pdg.Cylinders.QuadPart * (TSK_OFF_T) pdg.TracksPerCylinder * (TSK_OFF_T) pdg.SectorsPerTrack * (TSK_OFF_T) pdg.BytesPerSector; } } #else if ((raw_info->fd = open(image, O_RDONLY | O_BINARY)) < 0) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("raw_open file: %" PRIttocTSK " msg: %s", image, strerror(errno)); return NULL; } #if defined(__APPLE__) /* OS X doesn't support SEEK_END on char devices */ if ((stat_buf.st_mode & S_IFMT) != S_IFCHR) { img_info->size = lseek(raw_info->fd, 0, SEEK_END); lseek(raw_info->fd, 0, SEEK_SET); } if (img_info->size == 0) { int blkSize; long long blkCnt; if (ioctl(raw_info->fd, DKIOCGETBLOCKSIZE, &blkSize) >= 0) { if (ioctl(raw_info->fd, DKIOCGETBLOCKCOUNT, &blkCnt) >= 0) { img_info->size = blkCnt * (long long) blkSize; } } } #else /* We don't use the stat output because it doesn't work on raw * devices and such */ img_info->size = lseek(raw_info->fd, 0, SEEK_END); lseek(raw_info->fd, 0, SEEK_SET); #endif #endif raw_info->seek_pos = 0; return img_info; }
TSK_IMG_INFO * ewf_open(int a_num_img, const TSK_TCHAR * const a_images[], unsigned int a_ssize) { IMG_EWF_INFO *ewf_info; TSK_IMG_INFO *img_info; #if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) uint8_t md5_hash[16]; #endif if ((ewf_info = (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) == NULL) { return NULL; } img_info = (TSK_IMG_INFO *) ewf_info; // See if they specified only the first of the set... if (a_num_img == 1) { #ifdef TSK_WIN32 ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #else ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images); #endif if (ewf_info->num_imgs <= 0) { free(ewf_info); return NULL; } if (tsk_verbose) tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs); } else { int i; ewf_info->num_imgs = a_num_img; if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL) { free(ewf_info); return NULL; } for (i = 0; i < a_num_img; i++) { if ((ewf_info->images[i] = (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) + 1) * sizeof(TSK_TCHAR))) == NULL) { free(ewf_info); return NULL; } TSTRNCPY(ewf_info->images[i], a_images[i], TSTRLEN(a_images[i]) + 1); } } /* check the magic before we call the library open */ //if (img_file_header_signature_ncmp(images[0], // "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) { #if defined (TSK_WIN32) if (libewf_check_file_signature_wide(ewf_info->images[0]) == 0) { #else if (libewf_check_file_signature(ewf_info->images[0]) == 0) { #endif tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_MAGIC); tsk_error_set_errstr("ewf_open: Not an EWF file"); free(ewf_info); if (tsk_verbose) tsk_fprintf(stderr, "Not an EWF file\n"); return NULL; } #if defined (TSK_WIN32) ewf_info->handle = libewf_open_wide((wchar_t * const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #else ewf_info->handle = libewf_open((char *const *) ewf_info->images, ewf_info->num_imgs, LIBEWF_OPEN_READ); #endif if (ewf_info->handle == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error opening", ewf_info->images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening EWF file\n"); } return NULL; } // 2007 version #if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) img_info->size = libewf_get_media_size(ewf_info->handle); ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle, ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5); // libewf-20080322 version #else if (libewf_get_media_size(ewf_info->handle, (size64_t *) & (img_info->size)) != 1) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("ewf_open file: %" PRIttocTSK ": Error getting size of image", ewf_info->images[0]); free(ewf_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error getting size of EWF file\n"); } return NULL; } if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) { int md5_string_iterator = 0; int md5_hash_iterator; for (md5_hash_iterator = 0; md5_hash_iterator < 16; md5_hash_iterator++) { int digit = md5_hash[md5_hash_iterator] / 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); digit = md5_hash[md5_hash_iterator] % 16; if (digit <= 9) ewf_info->md5hash[md5_string_iterator++] = (char) ('0' + digit); else ewf_info->md5hash[md5_string_iterator++] = (char) ('a' + (digit - 10)); } ewf_info->md5hash_isset = 1; } #endif img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; img_info->itype = TSK_IMG_TYPE_EWF_EWF; img_info->read = ewf_image_read; img_info->close = ewf_image_close; img_info->imgstat = ewf_image_imgstat; return img_info; }