TSK_IMG_INFO *
ewf_open(int num_img, const TSK_TCHAR * const images[],
unsigned int a_ssize)
{
IMG_EWF_INFO *ewf_info;
TSK_IMG_INFO *img_info;
#if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
uint8_t md5_hash[16];
#endif
if ((ewf_info =
(IMG_EWF_INFO *) tsk_malloc(sizeof(IMG_EWF_INFO))) == NULL) {
return NULL;
}
img_info = (TSK_IMG_INFO *) ewf_info;
/* check the magic before we call the library open */
//if (img_file_header_signature_ncmp(images[0],
// "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) {
#if defined (TSK_WIN32)
if (libewf_check_file_signature_wide(images[0]) == 0) {
#else
if (libewf_check_file_signature(images[0]) == 0) {
#endif
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_MAGIC;
snprintf(tsk_errstr, TSK_ERRSTR_L, "ewf_open: Not an EWF file");
free(ewf_info);
if (tsk_verbose)
tsk_fprintf(stderr, "Not an EWF file\n");
return NULL;
}
#if defined (TSK_WIN32)
ewf_info->handle =
libewf_open_wide((wchar_t * const *) images, num_img, LIBEWF_OPEN_READ);
#else
ewf_info->handle =
libewf_open((char *const *) images, num_img, LIBEWF_OPEN_READ);
#endif
if (ewf_info->handle == NULL) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"ewf_open file: %" PRIttocTSK ": Error opening", images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return NULL;
}
// 2007 version
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
img_info->size = libewf_get_media_size(ewf_info->handle);
ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
// libewf-20080322 version
#else
if (libewf_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size))
!= 1) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"ewf_open file: %" PRIttocTSK ": Error getting size of image",
images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return NULL;
}
if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
int md5_string_iterator = 0;
int md5_hash_iterator;
for (md5_hash_iterator = 0; md5_hash_iterator < 16;
md5_hash_iterator++) {
int digit = md5_hash[md5_hash_iterator] / 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] = (char)
('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
digit = md5_hash[md5_hash_iterator] % 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] =
(char) ('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
}
ewf_info->md5hash_isset = 1;
}
#endif
img_info->sector_size = 512;
if (a_ssize)
img_info->sector_size = a_ssize;
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->read = ewf_image_read;
img_info->close = ewf_image_close;
img_info->imgstat = ewf_image_imgstat;
return img_info;
}
TSK_IMG_INFO *
ewf_open(int a_num_img,
const TSK_TCHAR * const a_images[], unsigned int a_ssize)
{
#if defined( HAVE_LIBEWF_V2_API )
char error_string[TSK_EWF_ERROR_STRING_SIZE];
libewf_error_t *ewf_error = NULL;
int result = 0;
#elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
uint8_t md5_hash[16];
#endif
IMG_EWF_INFO *ewf_info = NULL;
TSK_IMG_INFO *img_info = NULL;
#if !defined( HAVE_LIBEWF_V2_API)
if (tsk_verbose)
libewf_set_notify_values(stderr, 1);
#endif
if ((ewf_info =
(IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
NULL) {
return NULL;
}
img_info = (TSK_IMG_INFO *) ewf_info;
// See if they specified only the first of the set...
ewf_info->used_ewf_glob = 0;
if (a_num_img == 1) {
#if defined( HAVE_LIBEWF_V2_API)
#ifdef TSK_WIN32
if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
&ewf_info->num_imgs, &ewf_error) == -1) {
#else
if (libewf_glob(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
&ewf_info->num_imgs, &ewf_error) == -1) {
#endif
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)",
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
return NULL;
}
#else //use v1
#ifdef TSK_WIN32
ewf_info->num_imgs =
libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
ewf_info->num_imgs =
libewf_glob(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
if (ewf_info->num_imgs <= 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an E01 glob name");
tsk_img_free(ewf_info);
return NULL;
}
#endif // end v1
ewf_info->used_ewf_glob = 1;
if (tsk_verbose)
tsk_fprintf(stderr,
"ewf_open: found %d segment files via libewf_glob\n",
ewf_info->num_imgs);
}
else {
int i;
ewf_info->num_imgs = a_num_img;
if ((ewf_info->images =
(TSK_TCHAR **) tsk_malloc(a_num_img *
sizeof(TSK_TCHAR *))) == NULL) {
tsk_img_free(ewf_info);
return NULL;
}
for (i = 0; i < a_num_img; i++) {
if ((ewf_info->images[i] =
(TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
1) * sizeof(TSK_TCHAR))) == NULL) {
tsk_img_free(ewf_info);
return NULL;
}
TSTRNCPY(ewf_info->images[i], a_images[i],
TSTRLEN(a_images[i]) + 1);
}
}
#if defined( HAVE_LIBEWF_V2_API )
// Check the file signature before we call the library open
#if defined( TSK_WIN32 )
if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1)
#else
if (libewf_check_file_signature(a_images[0], &ewf_error) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open: Not an EWF file (%s)",
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Not an EWF file\n");
}
return (NULL);
}
if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error initializing handle (%s)", a_images[0], error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Unable to create EWF handle\n");
}
return (NULL);
}
#if defined( TSK_WIN32 )
if (libewf_handle_open_wide(ewf_info->handle,
(wchar_t * const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#else
if (libewf_handle_open(ewf_info->handle,
(char *const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening (%s)", a_images[0], error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return (NULL);
}
if (libewf_handle_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size), &ewf_error) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image (%s)", a_images[0],
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle,
(uint8_t *) ewf_info->md5hash, 33, &ewf_error);
if (result == -1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting MD5 of image (%s)", a_images[0],
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
ewf_info->md5hash_isset = result;
#else // V1 API
// Check the file signature before we call the library open
#if defined( TSK_WIN32 )
if (libewf_check_file_signature_wide(a_images[0]) != 1)
#else
if (libewf_check_file_signature(a_images[0]) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an EWF file");
tsk_img_free(ewf_info);
if (tsk_verbose)
tsk_fprintf(stderr, "Not an EWF file\n");
return NULL;
}
#if defined( TSK_WIN32 )
ewf_info->handle = libewf_open_wide(
(wchar_t * const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#else
ewf_info->handle = libewf_open(
(char *const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#endif
if (ewf_info->handle == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening", ewf_info->images[0]);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return (NULL);
}
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
// 2007 version
img_info->size = libewf_get_media_size(ewf_info->handle);
ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
#else
// libewf-20080322 version
if (libewf_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size)) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image", ewf_info->images[0]);
tsk_img_free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
int md5_string_iterator = 0;
int md5_hash_iterator = 0;
for (md5_hash_iterator = 0;
md5_hash_iterator < 16; md5_hash_iterator++) {
int digit = md5_hash[md5_hash_iterator] / 16;
if (digit <= 9) {
ewf_info->md5hash[md5_string_iterator++] =
'0' + (char) digit;
}
else {
ewf_info->md5hash[md5_string_iterator++] =
'a' + (char) (digit - 10);
}
digit = md5_hash[md5_hash_iterator] % 16;
if (digit <= 9) {
ewf_info->md5hash[md5_string_iterator++] =
'0' + (char) digit;
}
else {
ewf_info->md5hash[md5_string_iterator++] =
'a' + (char) (digit - 10);
}
}
ewf_info->md5hash_isset = 1;
}
#endif /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */
#endif /* defined( HAVE_LIBEWF_V2_API ) */
if (a_ssize != 0) {
img_info->sector_size = a_ssize;
}
else {
img_info->sector_size = 512;
}
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->read = &ewf_image_read;
img_info->close = &ewf_image_close;
img_info->imgstat = &ewf_image_imgstat;
// initialize the read lock
tsk_init_lock(&(ewf_info->read_lock));
return (img_info);
}
TSK_IMG_INFO *
ewf_open(int a_num_img, const TSK_TCHAR * const a_images[],
unsigned int a_ssize)
{
IMG_EWF_INFO *ewf_info;
TSK_IMG_INFO *img_info;
#if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
uint8_t md5_hash[16];
#endif
if ((ewf_info =
(IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
NULL) {
return NULL;
}
img_info = (TSK_IMG_INFO *) ewf_info;
// See if they specified only the first of the set...
if (a_num_img == 1) {
#ifdef TSK_WIN32
ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
if (ewf_info->num_imgs <= 0) {
free(ewf_info);
return NULL;
}
if (tsk_verbose)
tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs);
}
else {
int i;
ewf_info->num_imgs = a_num_img;
if ((ewf_info->images =
(TSK_TCHAR **) tsk_malloc(a_num_img *
sizeof(TSK_TCHAR *))) == NULL) {
free(ewf_info);
return NULL;
}
for (i = 0; i < a_num_img; i++) {
if ((ewf_info->images[i] =
(TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
1) * sizeof(TSK_TCHAR))) == NULL) {
free(ewf_info);
return NULL;
}
TSTRNCPY(ewf_info->images[i], a_images[i],
TSTRLEN(a_images[i]) + 1);
}
}
/* check the magic before we call the library open */
//if (img_file_header_signature_ncmp(images[0],
// "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) {
#if defined (TSK_WIN32)
if (libewf_check_file_signature_wide(ewf_info->images[0]) == 0) {
#else
if (libewf_check_file_signature(ewf_info->images[0]) == 0) {
#endif
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an EWF file");
free(ewf_info);
if (tsk_verbose)
tsk_fprintf(stderr, "Not an EWF file\n");
return NULL;
}
#if defined (TSK_WIN32)
ewf_info->handle =
libewf_open_wide((wchar_t * const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ);
#else
ewf_info->handle =
libewf_open((char *const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#endif
if (ewf_info->handle == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening", ewf_info->images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return NULL;
}
// 2007 version
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
img_info->size = libewf_get_media_size(ewf_info->handle);
ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
// libewf-20080322 version
#else
if (libewf_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size))
!= 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image", ewf_info->images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return NULL;
}
if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
int md5_string_iterator = 0;
int md5_hash_iterator;
for (md5_hash_iterator = 0; md5_hash_iterator < 16;
md5_hash_iterator++) {
int digit = md5_hash[md5_hash_iterator] / 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] = (char)
('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
digit = md5_hash[md5_hash_iterator] % 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] =
(char) ('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
}
ewf_info->md5hash_isset = 1;
}
#endif
img_info->sector_size = 512;
if (a_ssize)
img_info->sector_size = a_ssize;
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->read = ewf_image_read;
img_info->close = ewf_image_close;
img_info->imgstat = ewf_image_imgstat;
return img_info;
}
