示例#1
文件: ewf.c 项目: Tom9X/TestDisk
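/*
 * fewf_init - open an EWF (Expert Witness Format) image and wrap it in a disk_t.
 *
 * device: path or glob pattern naming the image segment file(s).
 * mode:   TESTDISK_O_* flags; a read-write open is attempted only when
 *         TESTDISK_O_RDWR is set.
 *
 * Returns a newly allocated disk_t whose ->data points at the private
 * info_fewf_struct, or NULL when the segment files cannot be located or
 * opened.  Every failure path releases what was allocated so far, including
 * the duplicated file name.
 *
 * Access mode: if the read-write open is not requested or does not succeed,
 * the image is opened read-only, TESTDISK_O_RDWR is cleared from data->mode,
 * and disk->pwrite is set to fewf_nopwrite, so the returned disk_t reports
 * the access mode that was actually obtained.
 */
disk_t *fewf_init(const char *device, const int mode)
{
  unsigned int num_files=0;
  char **filenames= NULL;
  disk_t *disk=NULL;
  struct info_fewf_struct *data;
#if !defined( HAVE_LIBEWF_V2_API ) && defined( HAVE_GLOB_H )
  glob_t globbuf;
#endif
  data=(struct info_fewf_struct *)MALLOC(sizeof(struct info_fewf_struct));
  memset(data, 0, sizeof(struct info_fewf_struct));
  data->file_name = strdup(device);
  if(data->file_name==NULL)
  {
    /* Without this check a failed strdup() would reach strlen()/glob() as NULL. */
    log_error("fewf_init: unable to duplicate the device name\n");
    free(data);
    return NULL;
  }
  data->handle=NULL;
  data->mode = mode;

#ifdef DEBUG_EWF
#if defined( HAVE_LIBEWF_V2_API )
  libewf_notify_set_stream( stderr, NULL );
  libewf_notify_set_verbose( 1 );
#else
  libewf_set_notify_values( stderr, 1 );
#endif
#endif

  /* Step 1: build the list of segment files that make up the image. */
#if defined( HAVE_LIBEWF_V2_API )
  if( libewf_glob(
       data->file_name,
       strlen(data->file_name),
       LIBEWF_FORMAT_UNKNOWN,
       &filenames,
       (int *)&num_files,
       NULL ) != 1 )
  {
      log_error("libewf_glob failed\n");
      free(data->file_name);
      free(data);
      return NULL;
  }
#elif defined( HAVE_GLOB_H )
  {
    /* Start from a zeroed glob_t so gl_pathc/gl_pathv are defined even if
     * glob() reports an error. */
    memset(&globbuf, 0, sizeof(globbuf));
    globbuf.gl_offs = 0;
    glob(data->file_name, GLOB_DOOFFS, NULL, &globbuf);
    if(globbuf.gl_pathc>0)
    {
      /* filenames[] borrows the strings owned by globbuf; they stay valid
       * until globfree() is called. */
      filenames=(char **)MALLOC(globbuf.gl_pathc * sizeof(*filenames));
      for (num_files=0; num_files<globbuf.gl_pathc; num_files++) {
        filenames[num_files]=globbuf.gl_pathv[num_files];
      }
    }
  }
  if(filenames==NULL)
  {
    globfree(&globbuf);
    free(data->file_name);
    free(data);
    return NULL;
  }
#else
  {
    /* No globbing available: the image is the single named file. */
    filenames=(char **)MALLOC(1*sizeof(*filenames));
    filenames[num_files] = data->file_name;
    num_files++;
  }
#endif

  /* Step 2: try a read-write open, but only when the caller asked for it. */
  if((mode&TESTDISK_O_RDWR)==TESTDISK_O_RDWR)
  {
#if defined( HAVE_LIBEWF_V2_API )
    if( libewf_handle_initialize(
          &( data->handle ),
          NULL ) != 1 )
    {
      log_error("libewf_handle_initialize failed\n");

      libewf_glob_free(
          filenames,
          num_files,
          NULL );
      free(data->file_name);
      free(data);
      return NULL;
    }
    if( libewf_handle_open(
          data->handle,
          filenames,
          num_files,
          LIBEWF_OPEN_READ_WRITE,
          NULL ) != 1 )
    {
      log_error("libewf_handle_open(%s) failed\n", device);
      /* Release the initialized-but-unopened handle and reset it to NULL.
       * Otherwise the read-only fallback below is skipped and the function
       * goes on to use a handle that was never opened, while still
       * advertising read-write access. */
      libewf_handle_free(
          &( data->handle ),
          NULL );
      data->handle=NULL;
    }
#else
    data->handle=libewf_open(filenames, num_files, LIBEWF_OPEN_READ_WRITE);
    if(data->handle==NULL)
    {
      log_error("libewf_open(%s) failed\n", device);
    }
#endif /* defined( HAVE_LIBEWF_V2_API ) */
  }

  /* Step 3: read-only open, either as the default or as the fallback. */
  if(data->handle==NULL)
  {
    data->mode&=~TESTDISK_O_RDWR;
#if defined( HAVE_LIBEWF_V2_API )
    if( libewf_handle_initialize(
          &( data->handle ),
          NULL ) != 1 )
    {
      log_error("libewf_handle_initialize failed\n");

      libewf_glob_free(
          filenames,
          num_files,
          NULL );
      free(data->file_name);
      free(data);
      return NULL;
    }
    if( libewf_handle_open(
          data->handle,
          filenames,
          num_files,
          LIBEWF_OPEN_READ,
          NULL ) != 1 )
    {
      log_error("libewf_handle_open(%s) failed\n", device);

      libewf_handle_free(
          &( data->handle ),
          NULL );

      libewf_glob_free(
          filenames,
          num_files,
          NULL );
      free(data->file_name);
      free(data);
      return NULL;
    }
#else
    data->handle=libewf_open(filenames, num_files, LIBEWF_OPEN_READ);
    if(data->handle==NULL)
    {
      log_error("libewf_open(%s) failed\n", device);
#if defined( HAVE_GLOB_H )
      globfree(&globbuf);
#endif
      free(filenames);
      free(data->file_name);
      free(data);
      return NULL;
    }
#endif /* defined( HAVE_LIBEWF_V2_API ) */
  }

  /* A failure to set the header date format is logged but not fatal. */
#if defined( HAVE_LIBEWF_V2_API )
  if( libewf_handle_set_header_values_date_format(
       data->handle,
       LIBEWF_DATE_FORMAT_DAYMONTH,
       NULL ) != 1 )
  {
    log_error("%s Unable to set header values date format\n", device);
  }
#else
  if( libewf_parse_header_values( data->handle, LIBEWF_DATE_FORMAT_DAYMONTH) != 1 )
  {
    log_error("%s Unable to parse EWF header values\n", device);
  }
#endif

  /* Step 4: populate the disk_t with the EWF back-end callbacks. */
  disk=(disk_t *)MALLOC(sizeof(*disk));
  init_disk(disk);
  disk->arch=&arch_none;
  disk->device=strdup(device);
  disk->data=data;
  disk->description=fewf_description;
  disk->description_short=fewf_description_short;
  disk->pread_fast=fewf_pread_fast;
  disk->pread=fewf_pread;
  /* Writes are routed to fewf_nopwrite unless read-write access was obtained. */
  disk->pwrite=(data->mode&TESTDISK_O_RDWR?fewf_pwrite:fewf_nopwrite);
  disk->sync=fewf_sync;
  disk->access_mode=(data->mode&TESTDISK_O_RDWR);
  disk->clean=fewf_clean;
#if defined( HAVE_LIBEWF_V2_API ) || defined( LIBEWF_GET_BYTES_PER_SECTOR_HAVE_TWO_ARGUMENTS )
  {
    uint32_t bytes_per_sector = 0;

#if defined( HAVE_LIBEWF_V2_API )
    if( libewf_handle_get_bytes_per_sector(
         data->handle,
         &bytes_per_sector,
         NULL ) != 1 )
#else
    if( libewf_get_bytes_per_sector(data->handle, &bytes_per_sector)<0)
#endif
    {
      disk->sector_size=DEFAULT_SECTOR_SIZE;
    }
    else
    {
      disk->sector_size=bytes_per_sector;
    }
  }
#else
  disk->sector_size=libewf_get_bytes_per_sector(data->handle);
#endif

  /* The sector size comes from the image metadata; a zero value is replaced
   * by the default before it is used for the geometry. */
  if(disk->sector_size==0)
    disk->sector_size=DEFAULT_SECTOR_SIZE;
  /* Set geometry */
  disk->geom.cylinders=0;
  disk->geom.heads_per_cylinder=1;
  disk->geom.sectors_per_head=1;
  disk->geom.bytes_per_sector=disk->sector_size;
  /* Get disk_real_size */
#if defined( HAVE_LIBEWF_V2_API ) || defined( LIBEWF_GET_MEDIA_SIZE_HAVE_TWO_ARGUMENTS )
  {
    size64_t media_size = 0;

#if defined( HAVE_LIBEWF_V2_API )
    if( libewf_handle_get_media_size(
         data->handle,
         &media_size,
         NULL ) != 1 )
#else
    if(libewf_get_media_size(data->handle, &media_size)<0)
#endif
    {
      disk->disk_real_size=0;
    }
    else
    {
      disk->disk_real_size=media_size;
    }
  }
#else
  disk->disk_real_size=libewf_get_media_size(data->handle);
#endif
  update_disk_car_fields(disk);

  /* The segment list is only needed while opening; release it now. */
#if defined( HAVE_LIBEWF_V2_API )
  libewf_glob_free(
    filenames,
    num_files,
    NULL );
#else
#if defined( HAVE_GLOB_H )
  globfree(&globbuf);
#endif
  free(filenames);
#endif
  return disk;
}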
示例#2
文件: ewf.c 项目: 111X/radare
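/*
 * ewf_open - open an EWF image for the IO layer and print its media values.
 *
 * pathname: either "els://<list-file>", where the list file holds one segment
 *           file name per newline-terminated line, or a six-character scheme
 *           prefix followed by a single segment file name.
 * flags, mode: unused here.
 *
 * Returns ewf_fd: EWF_FD when libewf_open() succeeded, -1 otherwise.
 *
 * The list file is external input, so its size, the number of entries and
 * the lifetime of the buffer holding the names are all checked here: the
 * buffer is NUL-terminated before it is scanned, the entry count is bounded
 * by the filenames[] array, and the buffer is released only after
 * libewf_open() has consumed the names.
 */
int ewf_open(const char *pathname, int flags, mode_t mode)
{
	// XXX filename list should be dynamic. 1024 limit is ugly
	const char *filenames[1024];
	/* one slot is reserved for the terminating NULL entry */
	const int max_names = (int)(sizeof(filenames) / sizeof(filenames[0])) - 1;
	char *list_buf = NULL;
	char *ptr,*optr;
	char hash[1024];
	size64_t media_size = 0;
	uint32_t bytes_per_sector = 0;
	uint32_t amount_of_sectors = 0;
	uint32_t error_granularity = 0;
	int8_t compression_level = 0;
	int8_t media_type = 0;
	int8_t media_flags = 0;
	int8_t volume_type = 0;
	uint8_t compress_empty_block = 0;
	uint8_t format = 0;
	int count = 0;
	int i;

	/* The getters below may fail; start from defined values so a failure
	 * never prints uninitialized stack contents. */
	hash[0] = '\0';

	/* Both branches skip a six-character prefix; refuse shorter strings
	 * instead of reading past the end of pathname. */
	if (pathname == NULL || strlen(pathname) < 6)
		return -1;

	if (!strncmp(pathname, "els://", 6)) {
		FILE *fd = fopen(pathname+6, "r");
		long len;
		size_t got;

		if (fd == NULL)
			return -1;
		if (fseek(fd, 0, SEEK_END) != 0
		 || (len = ftell(fd)) < 0
		 || fseek(fd, 0, SEEK_SET) != 0) {
			fclose(fd);
			return -1;
		}
		/* +1 for the terminator that strchr() relies on */
		list_buf = (char *)malloc((size_t)len + 1);
		if (list_buf == NULL) {
			fclose(fd);
			return -1;
		}
		got = fread(list_buf, 1, (size_t)len, fd);
		fclose(fd);
		list_buf[got] = '\0';

		/* Split in place: every newline-terminated line becomes one
		 * entry; a final line without a newline is ignored. */
		optr = list_buf;
		while (count < max_names && (ptr = strchr(optr, '\n')) != NULL) {
			ptr[0] = '\0';
			filenames[count++] = optr;
			optr = ptr + 1;
		}
		if (strchr(optr, '\n') != NULL) {
			/* More entries than filenames[] can hold: fail rather than
			 * write past the array or open a silently truncated set. */
			eprintf("ewf_open: too many segment files in list\n");
			free(list_buf);
			return -1;
		}
		filenames[count] = NULL;

		if (count == 0) {
			free(list_buf);
			return -1;
		}

		for(i=0;filenames[i];i++)
			printf("%02x: %s)\n", i, filenames[i]);
	} else {
		filenames[0] = pathname + 6;
		filenames[1] = NULL;
		count = 1;
	}

	/* NOTE(review): this selects LIBEWF_OPEN_READ_WRITE when
	 * config_get("file.write") is 0, which looks inverted for a forensic
	 * image -- confirm the intended meaning of file.write before relying
	 * on this to keep evidence read-only. */
	ewf_h = libewf_open((char * const *)filenames, count,
		(((int)config_get("file.write"))==0)?
		LIBEWF_OPEN_READ_WRITE:LIBEWF_OPEN_READ);

	/* The names are only needed for the open call.
	 * Assumes libewf_open() keeps its own copies of the names -- TODO confirm. */
	free(list_buf);
	list_buf = NULL;

	if (ewf_h == NULL)
		ewf_fd = -1;
	else {
		ewf_fd = EWF_FD;
#if 0
		if( ((libewf_internal_handle_t*)ewf_h)->header_values == NULL ) {
			fprintf( stream, "\tNo information found in file.\n" );
		} else {
			libewf_get_header_value_examiner_name(ewf_h, hash, 128);
			eprintf("ExaminerName:     %s\n", hash);
			libewf_get_header_value_case_number(ewf_h, hash, 128);
			eprintf("CaseNumber:       %s\n", hash);
#endif
			/* Return values of the getters are not checked; on failure
			 * the zero-initialized defaults are printed. */
			libewf_get_format(ewf_h, &format);
			eprintf("FormatVersion:    %d\n", format);
			libewf_get_compression_values(ewf_h, &compression_level, &compress_empty_block);
			eprintf("CompressionLevel: %d\n", compression_level);
			libewf_get_error_granularity(ewf_h, &error_granularity);
			eprintf("ErrorGranurality: %d\n", error_granularity);
			libewf_get_amount_of_sectors(ewf_h, &amount_of_sectors);
			eprintf("AmountOfSectors:  %d\n", amount_of_sectors);
			libewf_get_bytes_per_sector(ewf_h, &bytes_per_sector);
			eprintf("BytesPerSector:   %d\n", bytes_per_sector);
			libewf_get_volume_type(ewf_h, &volume_type);
			eprintf("VolumeType:       %d\n", volume_type);
			libewf_get_media_size(ewf_h, &media_size);
			eprintf("MediaSize:        %lld\n", (long long)media_size);
			libewf_get_media_type(ewf_h, &media_type);
			eprintf("MediaType:        %d\n", media_type);
			libewf_get_media_flags(ewf_h, &media_flags);
			eprintf("MediaFlags:       %d\n", media_flags);
			libewf_get_md5_hash(ewf_h, hash, 128);
			eprintf("CalculatedHash:   %s\n", hash);
#if 0
		}
#endif
	}

	return ewf_fd;
}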
示例#3
文件: ewfinfo.c 项目: py4n6/aff4
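/* ewfinfo entry point: parses the command line, opens the EWF segment
 * file(s) named after the options read-only, and prints the requested
 * information group:
 *   'a' everything (default), 'i' acquiry information, 'm' media
 *   information, 'e' acquiry errors, 'c' the chunk offset table.
 * Returns EXIT_SUCCESS, or EXIT_FAILURE on a usage error, an open/close
 * failure or an abort signalled through ewfcommon_abort.
 *
 * The conditional that selects this signature starts outside this excerpt;
 * the #endif below closes it.
 */
int main( int argc, char * const argv[] )
#endif
{
	character_t media_size_string[ 16 ];
	uint8_t guid[ 16 ];

	character_t *program              = _CHARACTER_T_STRING( "ewfinfo" );

#if !defined( HAVE_GLOB_H )
	ewfglob_t *glob                   = NULL;
	int32_t glob_count                = 0;
#endif
#if defined( HAVE_STRERROR_R ) || defined( HAVE_STRERROR )
	system_character_t *error_string  = NULL;
#endif
	char *file_format_string          = NULL;
	system_integer_t option           = 0;
	size64_t media_size               = 0;
	uint32_t bytes_per_sector         = 0;
	uint32_t amount_of_sectors        = 0;
	uint32_t error_granularity        = 0;
	uint32_t amount_of_acquiry_errors = 0;
	uint32_t amount_of_sessions       = 0;
	int8_t compression_level          = 0;
	int8_t media_type                 = 0;
	int8_t media_flags                = 0;
	int8_t volume_type                = 0;
	uint8_t compress_empty_block      = 0;
	uint8_t format                    = 0;
	uint8_t verbose                   = 0;
	uint8_t date_format               = LIBEWF_DATE_FORMAT_CTIME;
	char info_option                  = 'a';
	int result                        = 0;

	/*
	ewfoutput_version_fprint(
	 stdout,
	 program );
	*/

	while( ( option = ewfgetopt( argc, argv, _SYSTEM_CHARACTER_T_STRING( "d:ehimvcV" ) ) ) != (system_integer_t) -1 )
	{
		switch( option )
		{
			case (system_integer_t) '?':
			default:
				/* argv[ argc ] is NULL, so only print the argument
				 * when optind still indexes a real one */
				if( optind < argc )
				{
					fprintf( stderr, "Invalid argument: %" PRIs_SYSTEM "\n", argv[ optind ] );
				}
				else
				{
					fprintf( stderr, "Invalid argument.\n" );
				}
				usage_fprint( stdout );

				return( EXIT_FAILURE );

			case (system_integer_t) 'd':
				if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "dm" ), 3 ) == 0 )
				{
					date_format = LIBEWF_DATE_FORMAT_DAYMONTH;
				}
				else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "md" ), 3 ) == 0 )
				{
					date_format = LIBEWF_DATE_FORMAT_MONTHDAY;
				}
				else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "iso8601" ), 8 ) == 0 )
				{
					date_format = LIBEWF_DATE_FORMAT_ISO8601;
				}
				else if( system_string_compare( optarg, _SYSTEM_CHARACTER_T_STRING( "ctime" ), 3 ) != 0 )
				{
					fprintf( stderr, "Unsupported date format: %" PRIs_SYSTEM " using default ctime.\n", optarg );
				}
				break;

			case (system_integer_t) 'e':
				if( info_option != 'a' )
				{
					fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option );

					usage_fprint( stdout );

					return( EXIT_FAILURE );
				}
				info_option = 'e';

				break;

			case (system_integer_t) 'h':
				usage_fprint( stdout );

				return( EXIT_SUCCESS );

			case (system_integer_t) 'i':
				if( info_option != 'a' )
				{
					fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option );

					usage_fprint( stdout );

					return( EXIT_FAILURE );
				}
				info_option = 'i';

				break;

			/* NOTE(review): unlike -e, -i and -m, this option is not
			 * checked against a previously selected info option. */
			case (system_integer_t) 'c':
				info_option = 'c';

				break;

			case (system_integer_t) 'm':
				if( info_option != 'a' )
				{
					fprintf( stderr, "Conflicting options: %" PRIc_SYSTEM " and %c\n", option, info_option );

					usage_fprint( stdout );

					return( EXIT_FAILURE );
				}
				info_option = 'm';

				break;

			case (system_integer_t) 'v':
				verbose = 1;

				break;

			case (system_integer_t) 'V':
				ewfoutput_copyright_fprint( stdout );

				return( EXIT_SUCCESS );
		}
	}
	if( optind == argc )
	{
		fprintf( stderr, "Missing EWF image file(s).\n" );

		usage_fprint( stdout );

		return( EXIT_FAILURE );
	}
	libewf_set_notify_values( stderr, verbose );

	if( ewfsignal_attach( ewfcommon_signal_handler ) != 1 )
	{
		fprintf( stderr, "Unable to attach signal handler.\n" );
	}
	/* The image is always opened with LIBEWF_OPEN_READ. The glob-based
	 * variant is compiled out by the "0 &&" below. */
#if 0 && !defined( HAVE_GLOB_H )
	glob = ewfglob_alloc();

	if( glob == NULL )
	{
		fprintf( stderr, "Unable to create glob.\n" );

		return( EXIT_FAILURE );
	}
	glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) );

	if( glob_count <= 0 )
	{
		fprintf( stderr, "Unable to resolve glob.\n" );

		ewfglob_free( glob );

		return( EXIT_FAILURE );
	}
	ewfcommon_libewf_handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ );

	ewfglob_free( glob );
#else
	ewfcommon_libewf_handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ );
#endif

	if( ( ewfcommon_abort == 0 )
	 && ( ewfcommon_libewf_handle == NULL ) )
	{
#if defined( HAVE_STRERROR_R ) || defined( HAVE_STRERROR )
		if( errno != 0 )
		{
			error_string = ewfcommon_strerror( errno );
		}
		if( error_string != NULL )
		{
			fprintf( stderr, "Unable to open EWF file(s) with failure: %" PRIs_SYSTEM ".\n", error_string );

			memory_free( error_string );
		}
		else
		{
			fprintf( stderr, "Unable to open EWF file(s).\n" );
		}
#else
		fprintf( stderr, "Unable to open EWF file(s).\n" );
#endif

		return( EXIT_FAILURE );
	}
	if( ( ewfcommon_abort == 0 )
	 && ( libewf_parse_header_values( ewfcommon_libewf_handle, date_format ) != 1 ) )
	{
		fprintf( stderr, "Unable to parse header values.\n" );
	}
	/* When the format cannot be determined, format keeps its initial
	 * value 0 for the format-dependent branches below. */
	if( ( ewfcommon_abort == 0 )
	 && ( libewf_get_format( ewfcommon_libewf_handle, &format ) != 1 ) )
	{
		fprintf( stderr, "Unable to determine format.\n" );
	}
	else if( verbose == 1 )
	{
		switch( format )
		{
			case LIBEWF_FORMAT_EWF:
				file_format_string = "original EWF";
				break;

			case LIBEWF_FORMAT_SMART:
				file_format_string = "SMART";
				break;

			case LIBEWF_FORMAT_FTK:
				file_format_string = "FTK Imager";
				break;

			case LIBEWF_FORMAT_ENCASE1:
				file_format_string = "EnCase 1";
				break;

			case LIBEWF_FORMAT_ENCASE2:
				file_format_string = "EnCase 2";
				break;

			case LIBEWF_FORMAT_ENCASE3:
				file_format_string = "EnCase 3";
				break;

			case LIBEWF_FORMAT_ENCASE4:
				file_format_string = "EnCase 4";
				break;

			case LIBEWF_FORMAT_ENCASE5:
				file_format_string = "EnCase 5";
				break;

			case LIBEWF_FORMAT_ENCASE6:
				file_format_string = "EnCase 6";
				break;

			case LIBEWF_FORMAT_LINEN5:
				file_format_string = "linen 5";
				break;

			case LIBEWF_FORMAT_LINEN6:
				file_format_string = "linen 6";
				break;

			case LIBEWF_FORMAT_EWFX:
				file_format_string = "extended EWF (libewf)";
				break;

			case LIBEWF_FORMAT_UNKNOWN:
			default:
				file_format_string = "unknown";
				break;
		}
		fprintf( stdout, "File format:\t\t\t%s\n\n", file_format_string );
	}
	if( ( ewfcommon_abort == 0 )
	 && ( ( info_option == 'a' )
	  || ( info_option == 'i' ) ) )
	{
		fprintf( stdout, "Acquiry information\n" );

		ewfoutput_header_values_fprint( stdout, ewfcommon_libewf_handle );

		fprintf( stdout, "\n" );
	}
	if( ( ewfcommon_abort == 0 )
	 && ( ( info_option == 'a' )
	  || ( info_option == 'm' ) ) )
	{
		fprintf( stdout, "Media information\n" );

		if( ( format != LIBEWF_FORMAT_EWF )
		 && ( format != LIBEWF_FORMAT_SMART ) )
		{
			if( libewf_get_media_type( ewfcommon_libewf_handle, &media_type ) != 1 )
			{
				fprintf( stderr, "Unable to determine media type.\n" );
			}
			else if( media_type == LIBEWF_MEDIA_TYPE_REMOVABLE )
			{
				fprintf( stdout, "\tMedia type:\t\tremovable disk\n" );
			}
			else if( media_type == LIBEWF_MEDIA_TYPE_FIXED )
			{
				fprintf( stdout, "\tMedia type:\t\tfixed disk\n" );
			}
			else if( media_type == LIBEWF_MEDIA_TYPE_CD )
			{
				fprintf( stdout, "\tMedia type:\t\tCD/DVD\n" );
			}
			else
			{
				fprintf( stdout, "\tMedia type:\t\tunknown (0x%" PRIx8 ")\n", media_type );
			}
			if( libewf_get_media_flags( ewfcommon_libewf_handle, &media_flags ) != 1 )
			{
				fprintf( stderr, "Unable to determine media flags.\n" );
			}
			else if( verbose == 1 )
			{
				fprintf( stdout, "\tMedia flags:\t\t0x%" PRIx8 "\n", media_flags );
			}
			if( libewf_get_volume_type( ewfcommon_libewf_handle, &volume_type ) != 1 )
			{
				fprintf( stderr, "Unable to determine volume type.\n" );
			}
			else if( volume_type == LIBEWF_VOLUME_TYPE_LOGICAL )
			{
				fprintf( stdout, "\tMedia is physical:\tno\n" );
			}
			else if( volume_type == LIBEWF_VOLUME_TYPE_PHYSICAL )
			{
				fprintf( stdout, "\tMedia is physical:\tyes\n" );
			}
			else
			{
				fprintf( stdout, "\tVolume type:\t\tunknown (0x%" PRIx8 ")\n", volume_type );
			}
		}
		if( libewf_get_amount_of_sectors( ewfcommon_libewf_handle, &amount_of_sectors ) == 1 )
		{
			fprintf( stdout, "\tAmount of sectors:\t%" PRIu32 "\n", amount_of_sectors );
		}
		else
		{
			fprintf( stderr, "Unable to determine amount of sectors.\n" );
		}
		if( libewf_get_bytes_per_sector( ewfcommon_libewf_handle, &bytes_per_sector ) == 1 )
		{
			fprintf( stdout, "\tBytes per sector:\t%" PRIu32 "\n", bytes_per_sector );
		}
		else
		{
			fprintf( stderr, "Unable to determine bytes per sector.\n" );
		}
		if( libewf_get_media_size( ewfcommon_libewf_handle, &media_size ) == 1 )
		{
			/* 16 is the declared size of media_size_string */
			result = ewfbyte_size_string_create( media_size_string, 16, media_size, EWFBYTE_SIZE_STRING_UNIT_MEBIBYTE );

			if( result == 1 )
			{
				fprintf( stdout, "\tMedia size:\t\t%" PRIs " (%" PRIu64 " bytes)\n", media_size_string, media_size );
			}
			else
			{
				fprintf( stdout, "\tMedia size:\t\t%" PRIu64 " bytes\n", media_size );
			}
		}
		else
		{
			fprintf( stderr, "Unable to determine media size.\n" );
		}
		if( ( format == LIBEWF_FORMAT_ENCASE5 )
		 || ( format == LIBEWF_FORMAT_ENCASE6 )
		 || ( format == LIBEWF_FORMAT_LINEN5 )
		 || ( format == LIBEWF_FORMAT_LINEN6 )
		 || ( format == LIBEWF_FORMAT_EWFX ) )
		{
			if( libewf_get_error_granularity( ewfcommon_libewf_handle, &error_granularity ) == 1 )
			{
				fprintf( stdout, "\tError granularity:\t%" PRIu32 "\n", error_granularity );
			}
			else
			{
				fprintf( stderr, "Unable to determine error granularity.\n" );
			}
			if( libewf_get_compression_values( ewfcommon_libewf_handle, &compression_level, &compress_empty_block ) == 1 )
			{
				if( compression_level == LIBEWF_COMPRESSION_NONE )
				{
					fprintf( stdout, "\tCompression type:\tno compression\n" );
				}
				else if( compression_level == LIBEWF_COMPRESSION_FAST )
				{
					fprintf( stdout, "\tCompression type:\tgood (fast) compression\n" );
				}
				else if( compression_level == LIBEWF_COMPRESSION_BEST )
				{
					fprintf( stdout, "\tCompression type:\tbest compression\n" );
				}
				else
				{
					fprintf( stdout, "\tCompression type:\tunknown compression\n" );
				}
			}
			else
			{
				fprintf( stderr, "Unable to determine compression level.\n" );
			}
			/* 16 is the declared size of guid */
			if( libewf_get_guid( ewfcommon_libewf_handle, guid, 16 ) == 1 )
			{
				fprintf( stdout, "\tGUID:\t\t\t%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8
						 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8
						 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "\n",
				 guid[ 0 ], guid[ 1 ], guid[ 2 ], guid[ 3 ], guid[ 4 ], guid[ 5 ], guid[ 6 ], guid[ 7 ],
				 guid[ 8 ], guid[ 9 ], guid[ 10 ], guid[ 11 ], guid[ 12 ], guid[ 13 ], guid[ 14 ], guid[ 15 ]
				);
			}
		}
		ewfoutput_hash_values_fprint( stdout, ewfcommon_libewf_handle );

		fprintf( stdout, "\n" );

		ewfoutput_sessions_fprint( stdout, ewfcommon_libewf_handle, &amount_of_sessions );
	}
	if( ( ewfcommon_abort == 0 )
	 && ( info_option == 'c' ) )
	{
		/* This branch reads the library's internal handle layout instead
		 * of going through the public getters, and the table it walks is
		 * built from the image file. Check every pointer before it is
		 * dereferenced. */
		libewf_internal_handle_t *handle  = (libewf_internal_handle_t *) ewfcommon_libewf_handle;
		struct libewf_chunk_offset *chunk = NULL;
		int i                             = 0;

		if( ( handle == NULL )
		 || ( handle->media_values == NULL )
		 || ( handle->offset_table == NULL )
		 || ( handle->offset_table->chunk_offset == NULL ) )
		{
			fprintf( stderr, "Unable to read chunk offset table.\n" );
		}
		else
		{
			chunk = handle->offset_table->chunk_offset;

			// Print some attributes
			printf("size=%lld\n", handle->media_values->media_size);
			printf("chunk_size=%d\n", handle->media_values->chunk_size);
			printf("count=%d\n", handle->offset_table->amount);

			for(i=0; i<handle->offset_table->amount; i++) {
				/* skip entries without a segment file instead of
				 * dereferencing a NULL pointer */
				if( chunk[i].segment_file_handle == NULL )
				{
					continue;
				}
				printf("%d,%lld,%d,%d,%s\n", i, chunk[i].file_offset, chunk[i].size,
				       chunk[i].compressed,
				       chunk[i].segment_file_handle->filename);
			}
		}
	}

	if( ( ewfcommon_abort == 0 )
	 && ( ( info_option == 'a' )
	  || ( info_option == 'e' ) ) )
	{
		ewfoutput_acquiry_errors_fprint( stdout, ewfcommon_libewf_handle, &amount_of_acquiry_errors );
	}
	if( ewfsignal_detach() != 1 )
	{
		fprintf( stderr, "Unable to detach signal handler.\n" );
	}
	if( ewfcommon_abort != 0 )
	{
		fprintf( stdout, "%" PRIs ": ABORTED\n", program );

		return( EXIT_FAILURE );
	}
	if( libewf_close( ewfcommon_libewf_handle ) != 0 )
	{
		fprintf( stderr, "Unable to close EWF file(s).\n" );

		return( EXIT_FAILURE );
	}
	return( EXIT_SUCCESS );
}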
示例#4
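/* ewfinfo entry point (older libewf API): parses the command line, opens
 * the EWF segment file(s) read-only and prints the requested information
 * group: 'a' everything (default), 'i' acquiry information, 'm' media
 * information, 'e' acquiry errors.
 * Returns EXIT_SUCCESS, or EXIT_FAILURE on a usage error or an open/close
 * failure.
 *
 * The conditional that selects this signature starts outside this excerpt;
 * the #endif below closes it.
 */
int main( int argc, char * const argv[] )
#endif
{
	uint8_t guid[ 16 ];

#ifndef HAVE_GLOB_H
	EWFGLOB *glob            = NULL;
	int32_t glob_count       = 0;
#endif
	LIBEWF_HANDLE *handle    = NULL;
	INT_T option             = 0;
	int8_t format            = 0;
	int8_t compression_level = 0;
	int8_t media_type        = 0;
	int8_t media_flags       = 0;
	int8_t volume_type       = 0;
	uint8_t verbose          = 0;
	uint8_t date_format      = LIBEWF_DATE_FORMAT_DAYMONTH;
	char info_option         = 'a';

	ewfsignal_initialize();

	ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfinfo" ) );

	/* 'e' is part of the option string so that the case 'e' handler below
	 * and the acquiry-error output it selects are reachable. */
	while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "d:ehimvV" ) ) ) != (INT_T) -1 )
	{
		switch( option )
		{
			case (INT_T) '?':
			default:
				/* argv[ argc ] is NULL, so only print the argument
				 * when optind still indexes a real one */
				if( optind < argc )
				{
					fprintf( stderr, "Invalid argument: %" PRIs "\n", argv[ optind ] );
				}
				else
				{
					fprintf( stderr, "Invalid argument.\n" );
				}
				usage();

				return( EXIT_FAILURE );

			case (INT_T) 'd':
				if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "md" ), 3 ) == 0 )
				{
					date_format = LIBEWF_DATE_FORMAT_MONTHDAY;
				}
				else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "iso8601" ), 8 ) == 0 )
				{
					date_format = LIBEWF_DATE_FORMAT_ISO8601;
				}
				else if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "dm" ), 3 ) != 0 )
				{
					fprintf( stderr, "Unsupported date format: %" PRIs " using default day/month.\n", optarg );
				}
				break;

			case (INT_T) 'e':
				if( info_option != 'a' )
				{
					fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option );

					usage();

					return( EXIT_FAILURE );
				}
				info_option = 'e';

				break;

			case (INT_T) 'h':
				usage();

				return( EXIT_SUCCESS );

			case (INT_T) 'i':
				if( info_option != 'a' )
				{
					fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option );

					usage();

					return( EXIT_FAILURE );
				}
				info_option = 'i';

				break;

			case (INT_T) 'm':
				if( info_option != 'a' )
				{
					fprintf( stderr, "Conflicting options: %" PRIc " and %c\n", option, info_option );

					usage();

					return( EXIT_FAILURE );
				}
				info_option = 'm';

				break;

			case (INT_T) 'v':
				verbose = 1;

				break;

			case (INT_T) 'V':
				ewfcommon_copyright_fprint( stderr );

				return( EXIT_SUCCESS );
		}
	}
	if( optind == argc )
	{
		fprintf( stderr, "Missing EWF image file(s).\n" );

		usage();

		return( EXIT_FAILURE );
	}
	libewf_set_notify_values( stderr, verbose );

	/* The image is always opened with LIBEWF_OPEN_READ. */
#ifndef HAVE_GLOB_H
	glob = ewfglob_alloc();

	if( glob == NULL )
	{
		fprintf( stderr, "Unable to create glob.\n" );

		return( EXIT_FAILURE );
	}
	glob_count = ewfglob_resolve( glob, &argv[ optind ], ( argc - optind ) );

	if( glob_count <= 0 )
	{
		fprintf( stderr, "Unable to resolve glob.\n" );

		ewfglob_free( glob );

		return( EXIT_FAILURE );
	}
	handle = libewf_open( glob->results, glob->amount, LIBEWF_OPEN_READ );

	ewfglob_free( glob );
#else
	handle = libewf_open( &argv[ optind ], ( argc - optind ), LIBEWF_OPEN_READ );
#endif

	if( handle == NULL )
	{
		fprintf( stderr, "Unable to open EWF image file(s).\n" );

		return( EXIT_FAILURE );
	}
	if( libewf_parse_header_values( handle, date_format ) != 1 )
	{
		fprintf( stderr, "Unable to parse header values.\n" );
	}
	/* NOTE(review): the getters used from here on return the value itself,
	 * so this code has no way to tell a failed lookup from a real value. */
	format = libewf_get_format( handle );

	if( verbose == 1 )
	{
		fprintf( stdout, "File format:\t\t\t" );

		switch( format )
		{
			case LIBEWF_FORMAT_EWF:
				fprintf( stdout, "original EWF" );
				break;

			case LIBEWF_FORMAT_SMART:
				fprintf( stdout, "SMART" );
				break;

			case LIBEWF_FORMAT_FTK:
				fprintf( stdout, "FTK Imager" );
				break;

			case LIBEWF_FORMAT_ENCASE1:
				fprintf( stdout, "EnCase 1" );
				break;

			case LIBEWF_FORMAT_ENCASE2:
				fprintf( stdout, "EnCase 2" );
				break;

			case LIBEWF_FORMAT_ENCASE3:
				fprintf( stdout, "EnCase 3" );
				break;

			case LIBEWF_FORMAT_ENCASE4:
				fprintf( stdout, "EnCase 4" );
				break;

			case LIBEWF_FORMAT_ENCASE5:
				fprintf( stdout, "EnCase 5" );
				break;

			case LIBEWF_FORMAT_ENCASE6:
				fprintf( stdout, "EnCase 6" );
				break;

			case LIBEWF_FORMAT_LINEN5:
				fprintf( stdout, "linen 5" );
				break;

			case LIBEWF_FORMAT_LINEN6:
				fprintf( stdout, "linen 6" );
				break;

			case LIBEWF_FORMAT_EWFX:
				fprintf( stdout, "extended EWF (libewf)" );
				break;

			case LIBEWF_FORMAT_UNKNOWN:
			default:
				fprintf( stdout, "unknown" );
				break;
		}
		fprintf( stdout, "\n\n" );
	}
	if( ( info_option == 'a' ) || ( info_option == 'i' ) )
	{
		fprintf( stdout, "Acquiry information\n" );

		ewfcommon_header_values_fprint( stdout, handle );

		fprintf( stdout, "\n" );
	}
	if( ( info_option == 'a' ) || ( info_option == 'm' ) )
	{
		fprintf( stdout, "Media information\n" );

		if( ( format != LIBEWF_FORMAT_EWF )
		 && ( format != LIBEWF_FORMAT_SMART ) )
		{
			media_type  = libewf_get_media_type( handle );
			media_flags = libewf_get_media_flags( handle );
			volume_type = libewf_get_volume_type( handle );

			if( media_type == LIBEWF_MEDIA_TYPE_REMOVABLE )
			{
				fprintf( stdout, "\tMedia type:\t\tremovable disk\n" );
			}
			else if( media_type == LIBEWF_MEDIA_TYPE_FIXED )
			{
				fprintf( stdout, "\tMedia type:\t\tfixed disk\n" );
			}
			else
			{
				fprintf( stdout, "\tMedia type:\t\tunknown (0x%" PRIx8 ")\n", media_type );
			}
			if( verbose == 1 )
			{
				fprintf( stdout, "\tMedia flags:\t\t0x%" PRIx8 "\n", media_flags );
			}
			if( volume_type == LIBEWF_VOLUME_TYPE_LOGICAL )
			{
				fprintf( stdout, "\tMedia is physical:\tno\n" );
			}
			else if( volume_type == LIBEWF_VOLUME_TYPE_PHYSICAL )
			{
				fprintf( stdout, "\tMedia is physical:\tyes\n" );
			}
			else
			{
				fprintf( stdout, "\tVolume type:\t\tunknown (0x%" PRIx8 ")\n", volume_type );
			}
		}
		fprintf( stdout, "\tAmount of sectors:\t%" PRIu32 "\n", libewf_get_amount_of_sectors( handle ) );
		fprintf( stdout, "\tBytes per sector:\t%" PRIu32 "\n", libewf_get_bytes_per_sector( handle ) );
		fprintf( stdout, "\tMedia size:\t\t%" PRIu64 "\n", libewf_get_media_size( handle ) );

		if( ( format == LIBEWF_FORMAT_ENCASE5 )
		 || ( format == LIBEWF_FORMAT_ENCASE6 )
		 || ( format == LIBEWF_FORMAT_LINEN5 )
		 || ( format == LIBEWF_FORMAT_LINEN6 )
		 || ( format == LIBEWF_FORMAT_EWFX ) )
		{
			fprintf( stdout, "\tError granularity:\t%" PRIu32 "\n", libewf_get_error_granularity( handle ) );

			compression_level = libewf_get_compression_level( handle );

			if( compression_level == LIBEWF_COMPRESSION_NONE )
			{
				fprintf( stdout, "\tCompression type:\tno compression\n" );
			}
			else if( compression_level == LIBEWF_COMPRESSION_FAST )
			{
				fprintf( stdout, "\tCompression type:\tgood (fast) compression\n" );
			}
			else if( compression_level == LIBEWF_COMPRESSION_BEST )
			{
				fprintf( stdout, "\tCompression type:\tbest compression\n" );
			}
			else
			{
				fprintf( stdout, "\tCompression type:\tunknown compression\n" );
			}
			/* 16 is the declared size of guid */
			if( libewf_get_guid( handle, guid, 16 ) == 1 )
			{
				fprintf( stdout, "\tGUID:\t\t\t%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "-%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "\n",
					guid[ 0 ], guid[ 1 ], guid[ 2 ], guid[ 3 ], guid[ 4 ], guid[ 5 ], guid[ 6 ], guid[ 7 ],
					guid[ 8 ], guid[ 9 ], guid[ 10 ], guid[ 11 ], guid[ 12 ], guid[ 13 ], guid[ 14 ], guid[ 15 ]
				);
			}
		}
		ewfcommon_hash_values_fprint( stdout, handle );

		fprintf( stdout, "\n" );
	}
	if( ( info_option == 'a' ) || ( info_option == 'e' ) )
	{
		ewfcommon_acquiry_errors_fprint( stdout, handle );
	}
	if( libewf_close( handle ) != 0 )
	{
		/* diagnostics go to stderr like every other failure message here */
		fprintf( stderr, "Unable to close EWF file handle.\n" );

		return( EXIT_FAILURE );
	}
	return( EXIT_SUCCESS );
}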
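/*
 * EwfGetInfofileContent
 *
 * Builds a heap-allocated, NUL-terminated text report about the opened EWF
 * image: the acquiry header values and hashes first, then the media type,
 * bytes per sector and number of sectors.
 *
 * p_handle:    the pts_EwfHandle of the opened image.
 * pp_info_buf: receives the report on success; the buffer was obtained with
 *              realloc().
 *
 * Returns EWF_OK on success or EWF_MEMALLOC_FAILED when the report could not
 * be grown; in that case the partial report is freed and *pp_info_buf is
 * left untouched.
 *
 * The header strings are copied as returned by libewf, i.e. they originate
 * from the image file; consumers that display or parse the report should
 * treat them as untrusted text.
 */
static int EwfGetInfofileContent(void *p_handle, const char **pp_info_buf) {
  pts_EwfHandle p_ewf_handle=(pts_EwfHandle)p_handle;
  char *p_infobuf=NULL;
  int ret;
  char buf[512];
  /* Initialized so that a failed getter never leaves an indeterminate
   * value behind. */
  uint8_t uint8value=0;
  uint32_t uint32value=0;
  uint64_t uint64value=0;

/* Grow the report. On failure the old buffer is released before returning,
 * since realloc() leaves it allocated when it fails. */
#define EWF_INFOBUF_REALLOC(size) {               \
  char *p_tmp=(char*)realloc(p_infobuf,size);     \
  if(p_tmp==NULL) {                               \
    free(p_infobuf);                              \
    return EWF_MEMALLOC_FAILED;                   \
  }                                               \
  p_infobuf=p_tmp;                                \
}
/* Append a NUL-terminated string to the report. */
#define EWF_INFOBUF_APPEND_STR(str) {                     \
  if(p_infobuf!=NULL) {                                   \
    EWF_INFOBUF_REALLOC(strlen(p_infobuf)+strlen(str)+1); \
    strcpy(p_infobuf+strlen(p_infobuf),str);              \
  } else {                                                \
    EWF_INFOBUF_REALLOC(strlen(str)+1);                   \
    strcpy(p_infobuf,str);                                \
  }                                                       \
}
/* Append "<desc><buf>\n", but only when the preceding getter returned 1. */
#define EWF_INFOBUF_APPEND_VALUE(desc) { \
  if(ret==1) {                           \
    EWF_INFOBUF_APPEND_STR(desc);        \
    EWF_INFOBUF_APPEND_STR(buf);         \
    EWF_INFOBUF_APPEND_STR("\n");        \
  }                                      \
}

  EWF_INFOBUF_APPEND_STR("_Acquiry information_\n");

  /* buf is cleared before each lookup and force-terminated afterwards so the
   * strlen()/strcpy() in the append macros always see a bounded string. */
#ifdef HAVE_LIBEWF_V2_API
  #define EWF_GET_HEADER_VALUE(fun) {                            \
    buf[0]='\0';                                                 \
    ret=fun(p_ewf_handle->h_ewf,(uint8_t*)buf,sizeof(buf),NULL); \
    buf[sizeof(buf)-1]='\0';                                     \
  }

  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_case_number);
  EWF_INFOBUF_APPEND_VALUE("Case number: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_description);
  EWF_INFOBUF_APPEND_VALUE("Description: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_examiner_name);
  EWF_INFOBUF_APPEND_VALUE("Examiner: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_evidence_number);
  EWF_INFOBUF_APPEND_VALUE("Evidence number: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_notes);
  EWF_INFOBUF_APPEND_VALUE("Notes: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_acquiry_date);
  EWF_INFOBUF_APPEND_VALUE("Acquiry date: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_system_date);
  EWF_INFOBUF_APPEND_VALUE("System date: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_acquiry_operating_system);
  EWF_INFOBUF_APPEND_VALUE("Acquiry os: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_acquiry_software_version);
  EWF_INFOBUF_APPEND_VALUE("Acquiry sw version: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_model);
  EWF_INFOBUF_APPEND_VALUE("Model: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_header_value_serial_number);
  EWF_INFOBUF_APPEND_VALUE("Serial number: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_hash_value_md5);
  EWF_INFOBUF_APPEND_VALUE("MD5 hash: ");
  EWF_GET_HEADER_VALUE(libewf_handle_get_utf8_hash_value_sha1);
  EWF_INFOBUF_APPEND_VALUE("SHA1 hash: ");

  #undef EWF_GET_HEADER_VALUE
#else
  #define EWF_GET_HEADER_VALUE(fun) {             \
    buf[0]='\0';                                  \
    ret=fun(p_ewf_handle->h_ewf,buf,sizeof(buf)); \
    buf[sizeof(buf)-1]='\0';                      \
  }

  EWF_GET_HEADER_VALUE(libewf_get_header_value_case_number);
  EWF_INFOBUF_APPEND_VALUE("Case number: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_description);
  EWF_INFOBUF_APPEND_VALUE("Description: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_examiner_name);
  EWF_INFOBUF_APPEND_VALUE("Examiner: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_evidence_number);
  EWF_INFOBUF_APPEND_VALUE("Evidence number: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_notes);
  EWF_INFOBUF_APPEND_VALUE("Notes: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_acquiry_date);
  EWF_INFOBUF_APPEND_VALUE("Acquiry date: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_system_date);
  EWF_INFOBUF_APPEND_VALUE("System date: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_acquiry_operating_system);
  EWF_INFOBUF_APPEND_VALUE("Acquiry os: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_acquiry_software_version);
  EWF_INFOBUF_APPEND_VALUE("Acquiry sw version: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_model);
  EWF_INFOBUF_APPEND_VALUE("Model: ");
  EWF_GET_HEADER_VALUE(libewf_get_header_value_serial_number);
  EWF_INFOBUF_APPEND_VALUE("Serial number: ");
  EWF_GET_HEADER_VALUE(libewf_get_hash_value_md5);
  EWF_INFOBUF_APPEND_VALUE("MD5 hash: ");
  EWF_GET_HEADER_VALUE(libewf_get_hash_value_sha1);
  EWF_INFOBUF_APPEND_VALUE("SHA1 hash: ");

  #undef EWF_GET_HEADER_VALUE
#endif

  EWF_INFOBUF_APPEND_STR("\n_Media information_\n");

#ifdef HAVE_LIBEWF_V2_API
  ret=libewf_handle_get_media_type(p_ewf_handle->h_ewf,&uint8value,NULL);
#else
  ret=libewf_get_media_type(p_ewf_handle->h_ewf,&uint8value);
#endif
  if(ret==1) {
    EWF_INFOBUF_APPEND_STR("Media type: ");
    switch(uint8value) {
      case LIBEWF_MEDIA_TYPE_REMOVABLE:
        EWF_INFOBUF_APPEND_STR("removable disk\n");
        break;
      case LIBEWF_MEDIA_TYPE_FIXED:
        EWF_INFOBUF_APPEND_STR("fixed disk\n");
        break;
      case LIBEWF_MEDIA_TYPE_OPTICAL:
        EWF_INFOBUF_APPEND_STR("optical\n");
        break;
      case LIBEWF_MEDIA_TYPE_SINGLE_FILES:
        EWF_INFOBUF_APPEND_STR("single files\n");
        break;
      case LIBEWF_MEDIA_TYPE_MEMORY:
        EWF_INFOBUF_APPEND_STR("memory\n");
        break;
      default:
        EWF_INFOBUF_APPEND_STR("unknown\n");
    }
  }

  /* The numbers are formatted only after a successful lookup, with a
   * bounded snprintf(). */
#ifdef HAVE_LIBEWF_V2_API
  ret=libewf_handle_get_bytes_per_sector(p_ewf_handle->h_ewf,&uint32value,NULL);
  if(ret==1) snprintf(buf,sizeof(buf),"%" PRIu32,uint32value);
  EWF_INFOBUF_APPEND_VALUE("Bytes per sector: ");
  ret=libewf_handle_get_number_of_sectors(p_ewf_handle->h_ewf,&uint64value,NULL);
  if(ret==1) snprintf(buf,sizeof(buf),"%" PRIu64,uint64value);
  EWF_INFOBUF_APPEND_VALUE("Number of sectors: ");
#else
  ret=libewf_get_bytes_per_sector(p_ewf_handle->h_ewf,&uint32value);
  if(ret==1) snprintf(buf,sizeof(buf),"%" PRIu32,uint32value);
  EWF_INFOBUF_APPEND_VALUE("Bytes per sector: ");
  /* NOTE(review): every other call in this branch uses the libewf_get_*
   * naming; confirm that this libewf_handle_* name and its uint64_t
   * argument match the non-V2 API being built against. */
  ret=libewf_handle_get_amount_of_sectors(p_ewf_handle->h_ewf,&uint64value);
  if(ret==1) snprintf(buf,sizeof(buf),"%" PRIu64,uint64value);
  EWF_INFOBUF_APPEND_VALUE("Number of sectors: ");
#endif

#undef EWF_INFOBUF_APPEND_VALUE
#undef EWF_INFOBUF_APPEND_STR
#undef EWF_INFOBUF_REALLOC

  *pp_info_buf=p_infobuf;
  return EWF_OK;
}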