evf2

package
v0.0.0-...-cf494c4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 30, 2024 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	EVF2Signature = "EVF2\x0d\x0a\x81\x00"
	LVF2Signature = "LVF2\x0d\x0a\x81\x00"
)
View Source 
const (
	DefaultChunkSize = 32768
	ChecksumSize     = 4
	Uint32Size       = 4
)
View Source 
const (
	// The chunk data is compressed
	EWF_CHUNK_DATA_FLAG_IS_COMPRESSED = 0x00000001
	// The chunk data has a checksum
	EWF_CHUNK_DATA_FLAG_HAS_CHECKSUM = 0x00000002
	// The chunk data uses pattern fill
	EWF_CHUNK_DATA_FLAG_USES_PATTERN_FILL = 0x00000004
)
View Source 
const (
	EWF_COMPRESSION_METHOD_NONE  = 0
	EWF_COMPRESSION_METHOD_ZLIB  = 1
	EWF_COMPRESSION_METHOD_BZIP2 = 2
)

Variables

View Source 
var CaseDataIdentifiers = map[EWFCaseDataInformationKey]string{
	EWF_CASE_DATA_NAME:                 "Name",
	EWF_CASE_DATA_CASE_NUMBER:          "Case Number",
	EWF_CASE_DATA_EVIDENCE_NUMBER:      "Evidence Number",
	EWF_CASE_DATA_EXAMINER_NAME:        "Examiner name",
	EWF_CASE_DATA_NOTES:                "Notes",
	EWF_CASE_DATA_APPLICATION_VERSION:  "Application Version",
	EWF_CASE_DATA_OS:                   "Operatin system",
	EWF_CASE_DATA_TARGET_TIME:          "Target Time",
	EWF_CASE_DATA_ACTUAL_TIME:          "Actual Time",
	EWF_CASE_DATA_NUMBER_OF_CHUNKS:     "Number of chunks",
	EWF_CASE_DATA_COMPRESSION_METHOD:   "Compression method",
	EWF_CASE_DATA_NUMBER_OF_SECTORS_PC: "Number of sectors per chunk",
	EWF_CASE_DATA_ERROR_GRANULARITY:    "Error granularity",
	EWF_CASE_DATA_WRITE_BLOCKER_TYPE:   "Write-blocker type",
}
View Source 
var DescriptorSize = int64(binary.Size(&EWFSectionDescriptorData{}))
View Source 
var DeviceInformationIdentifiers = map[EWFDeviceInformationKey]string{
	EWF_DEVICE_INFO_SERIAL_NUMBER:        "Serial Number",
	EWF_DEVICE_INFO_DRIVE_MODEL:          "Drive Model",
	EWF_DEVICE_INFO_DRIVE_LABEL:          "Drive Label",
	EWF_DEVICE_INFO_NUMBER_OF_SECTORS:    "Number of Sectors",
	EWF_DEVICE_INFO_NUMBER_OF_HPA:        "Number of HPA protected sectors",
	EWF_DEVICE_INFO_NUMBER_OF_DCO:        "Number of DCO protected sectors",
	EWF_DEVICE_INFO_DRIVE_TYPE:           "Drive Type",
	EWF_DEVICE_INFO_PROCESS_ID:           "Process Identifier",
	EWF_DEVICE_INFO_MUMBER_OF_PALM:       "Number of sectors PALM Ram device",
	EWF_DEVICE_INFO_NUMBER_OF_SMART_LOGS: "SMART or ATA logs",
	EWF_DEVICE_INFO_BYTES_PER_SEC:        "Bytes per Sector",
	EWF_DEVICE_INFO_IS_PHYSICAL:          "Is physical",
}

Functions

This section is empty.

Types

type EWFCaseDataInformationKey 

type EWFCaseDataInformationKey string
const (
	EWF_CASE_DATA_NAME                 EWFCaseDataInformationKey = "nm"
	EWF_CASE_DATA_CASE_NUMBER          EWFCaseDataInformationKey = "cn"
	EWF_CASE_DATA_EVIDENCE_NUMBER      EWFCaseDataInformationKey = "en"
	EWF_CASE_DATA_EXAMINER_NAME        EWFCaseDataInformationKey = "ex"
	EWF_CASE_DATA_NOTES                EWFCaseDataInformationKey = "nt"
	EWF_CASE_DATA_APPLICATION_VERSION  EWFCaseDataInformationKey = "av"
	EWF_CASE_DATA_OS                   EWFCaseDataInformationKey = "os"
	EWF_CASE_DATA_TARGET_TIME          EWFCaseDataInformationKey = "tt"
	EWF_CASE_DATA_ACTUAL_TIME          EWFCaseDataInformationKey = "at"
	EWF_CASE_DATA_NUMBER_OF_CHUNKS     EWFCaseDataInformationKey = "tb"
	EWF_CASE_DATA_COMPRESSION_METHOD   EWFCaseDataInformationKey = "cp"
	EWF_CASE_DATA_NUMBER_OF_SECTORS_PC EWFCaseDataInformationKey = "sb"
	EWF_CASE_DATA_ERROR_GRANULARITY    EWFCaseDataInformationKey = "gr"
	EWF_CASE_DATA_WRITE_BLOCKER_TYPE   EWFCaseDataInformationKey = "wb"
)

type EWFCaseDataSection 

type EWFCaseDataSection struct {
	NumberOfObjects string
	ObjectName      string
	KeyValue        map[string]string
}

func (*EWFCaseDataSection) Decode 

func (ewfHeader *EWFCaseDataSection) Decode(fh io.ReadSeeker, section *EWFSectionDescriptor, decompressorFunc shared.Decompressor) error

func (*EWFCaseDataSection) Encode 

func (ewfHeader *EWFCaseDataSection) Encode(ewf io.Writer, previousDescriptorPosition int64) (dataN int, descN int, err error)

Encode writes data and its description to the target writer. Returns data write count, descriptor write count and err

func (*EWFCaseDataSection) GetChunkCount 

func (c *EWFCaseDataSection) GetChunkCount() (int, error)

func (*EWFCaseDataSection) GetSectorCount 

func (c *EWFCaseDataSection) GetSectorCount() (int, error)

type EWFCreator 

type EWFCreator struct {
	// contains filtered or unexported fields
}

func CreateEWF 

func CreateEWF(dest io.Writer) (*EWFCreator, error)

func (*EWFCreator) AddCaseData 

func (creator *EWFCreator) AddCaseData(key EWFCaseDataInformationKey, value string)

func (*EWFCreator) AddDeviceInformation 

func (creator *EWFCreator) AddDeviceInformation(key EWFDeviceInformationKey, value string)

func (*EWFCreator) Start 

func (creator *EWFCreator) Start(totalSize int64) (*EWFWriter, error)

type EWFDeviceInformationKey 

type EWFDeviceInformationKey string
const (
	EWF_DEVICE_INFO_SERIAL_NUMBER        EWFDeviceInformationKey = "sn"
	EWF_DEVICE_INFO_DRIVE_MODEL          EWFDeviceInformationKey = "md"
	EWF_DEVICE_INFO_DRIVE_LABEL          EWFDeviceInformationKey = "lb"
	EWF_DEVICE_INFO_NUMBER_OF_SECTORS    EWFDeviceInformationKey = "ts"
	EWF_DEVICE_INFO_NUMBER_OF_HPA        EWFDeviceInformationKey = "hs"
	EWF_DEVICE_INFO_NUMBER_OF_DCO        EWFDeviceInformationKey = "dc"
	EWF_DEVICE_INFO_DRIVE_TYPE           EWFDeviceInformationKey = "dt"
	EWF_DEVICE_INFO_PROCESS_ID           EWFDeviceInformationKey = "pid"
	EWF_DEVICE_INFO_MUMBER_OF_PALM       EWFDeviceInformationKey = "rs"
	EWF_DEVICE_INFO_NUMBER_OF_SMART_LOGS EWFDeviceInformationKey = "ls"
	EWF_DEVICE_INFO_BYTES_PER_SEC        EWFDeviceInformationKey = "bp"
	EWF_DEVICE_INFO_IS_PHYSICAL          EWFDeviceInformationKey = "ph"
)

type EWFDeviceInformationSection 

type EWFDeviceInformationSection struct {
	NumberOfObjects string
	ObjectName      string
	KeyValue        map[string]string
}

func (*EWFDeviceInformationSection) Decode 

func (ewfHeader *EWFDeviceInformationSection) Decode(fh io.ReadSeeker, section *EWFSectionDescriptor, decompressorFunc shared.Decompressor) error

func (*EWFDeviceInformationSection) Encode 

func (ewfHeader *EWFDeviceInformationSection) Encode(ewf io.Writer, previousDescriptorPosition int64) (dataN int, descN int, err error)

Encode writes data and its description to the target writer. Returns data write count, descriptor write count and err

func (*EWFDeviceInformationSection) GetSectorSize 

func (c *EWFDeviceInformationSection) GetSectorSize() (int, error)

type EWFDoneSection 

type EWFDoneSection struct {
}

func (*EWFDoneSection) Decode 

func (d *EWFDoneSection) Decode(fh io.ReadSeeker, section *EWFSectionDescriptor, segment *EWFSegment) error

func (*EWFDoneSection) Encode 

func (d *EWFDoneSection) Encode(ewf io.Writer, previousDescriptorPosition int64) (dataN int, descN int, err error)

type EWFHeader 

type EWFHeader struct {
	Signature         [8]byte
	MajorVersion      uint8
	MinorVersion      uint8
	CompressionMethod uint16
	SegmentNumber     uint16
	SetIdentifier     [8]byte
}

func (*EWFHeader) Decode 

func (e *EWFHeader) Decode(fh io.Reader) error

func (*EWFHeader) Encode 

func (e *EWFHeader) Encode(ewf io.Writer) error

type EWFMD5Section 

type EWFMD5Section struct {
	Hash     [16]uint8
	Checksum uint32
}

func (*EWFMD5Section) Decode 

func (d *EWFMD5Section) Decode(fh io.ReadSeeker, section *EWFSectionDescriptor) error

func (*EWFMD5Section) Encode 

func (d *EWFMD5Section) Encode(ewf io.Writer, previousDescriptorPosition int64) (dataN int, descN int, err error)

type EWFReader 

type EWFReader struct {
	First *EWFSegment

	ChunkSize uint32
	EWFSize   int64
	// contains filtered or unexported fields
}

func OpenEWF 

func OpenEWF(fhs ...io.ReadSeeker) (*EWFReader, error)

func (*EWFReader) Metadata 

func (ewf *EWFReader) Metadata() map[string]interface{}

func (*EWFReader) Read 

func (ewf *EWFReader) Read(p []byte) (n int, err error)

func (*EWFReader) ReadAt 

func (ewf *EWFReader) ReadAt(p []byte, off int64) (n int, err error)

func (*EWFReader) Seek 

func (ewf *EWFReader) Seek(offset int64, whence int) (ret int64, err error)

Seek implements vfs.FileDescriptionImpl.Seek.

func (*EWFReader) Segment 

func (ewf *EWFReader) Segment(index int) (*EWFSegment, *list.Element, error)

func (*EWFReader) Size 

func (ewf *EWFReader) Size() int64

type EWFSHA1Section 

type EWFSHA1Section struct {
	Hash     [20]uint8
	Checksum uint32
}

func (*EWFSHA1Section) Decode 

func (d *EWFSHA1Section) Decode(fh io.ReadSeeker, section *EWFSectionDescriptor) error

func (*EWFSHA1Section) Encode 

func (d *EWFSHA1Section) Encode(ewf io.Writer, previousDescriptorPosition int64) (dataN int, descN int, err error)

type EWFSectionDescriptor 

type EWFSectionDescriptor struct {
	Descriptor *EWFSectionDescriptorData
	Type       EWFSectionType
	Previous   uint64
	Size       uint64
	Checksum   uint32
	DataOffset int64
	// contains filtered or unexported fields
}

func NewEWFSectionDescriptor 

func NewEWFSectionDescriptor(fh io.ReadSeeker) (*EWFSectionDescriptor, error)

func (*EWFSectionDescriptor) String 

func (esd *EWFSectionDescriptor) String() string

type EWFSectionDescriptorData 

type EWFSectionDescriptorData struct {
	Type           uint32
	DataFlags      uint32
	PreviousOffset uint64
	DataSize       uint64
	DescriptorSize uint32
	PaddingSize    uint32
	MD5Hash        [16]byte
	Pad            [12]byte
	Checksum       uint32
}

func NewEWFSectionDescriptorData 

func NewEWFSectionDescriptorData(secType EWFSectionType) *EWFSectionDescriptorData

type EWFSectionType 

type EWFSectionType uint32
const (
	EWF_SECTION_TYPE_DEVICE_INFORMATION   EWFSectionType = 1
	EWF_SECTION_TYPE_CASE_DATA            EWFSectionType = 2
	EWF_SECTION_TYPE_SECTOR_DATA          EWFSectionType = 3
	EWF_SECTION_TYPE_SECTOR_TABLE         EWFSectionType = 4
	EWF_SECTION_TYPE_ERROR_TABLE          EWFSectionType = 5
	EWF_SECTION_TYPE_SESSION_TABLE        EWFSectionType = 6
	EWF_SECTION_TYPE_INCREMENET_DATA      EWFSectionType = 7
	EWF_SECTION_TYPE_MD5_HASH             EWFSectionType = 8
	EWF_SECTION_TYPE_SHA1_HASH            EWFSectionType = 9
	EWF_SECTION_TYPE_RESTART_DATA         EWFSectionType = 10
	EWF_SECTION_TYPE_ENCRYPTION_KEYS      EWFSectionType = 11
	EWF_SECTION_TYPE_MEMORY_EXTENTS_TABLE EWFSectionType = 12
	EWF_SECTION_TYPE_NEXT                 EWFSectionType = 13
	EWF_SECTION_TYPE_FINAL_INFORMATION    EWFSectionType = 14
	EWF_SECTION_TYPE_DONE                 EWFSectionType = 15
	EWF_SECTION_TYPE_ANALYTICAL_DATA      EWFSectionType = 16
)

type EWFSectorsSection 

type EWFSectorsSection struct {
}

func (*EWFSectorsSection) Decode 

func (d *EWFSectorsSection) Decode(fh io.ReadSeeker, section *EWFSectionDescriptor) error

func (*EWFSectorsSection) Encode 

func (d *EWFSectorsSection) Encode(ewf io.Writer, dataSize uint64, paddingSize uint32, previousDescriptorPosition int64) (dataN int, descN int, err error)

type EWFSegment 

type EWFSegment struct {
	EWFHeader         *EWFHeader
	DeviceInformation *EWFDeviceInformationSection
	CaseData          *EWFCaseDataSection

	Sectors  *EWFSectorsSection
	Tables   []*EWFTableSection
	MD5Hash  *EWFMD5Section
	SHA1Hash *EWFSHA1Section
	Done     *EWFDoneSection

	SectionDescriptors []*EWFSectionDescriptor
	// contains filtered or unexported fields
}

func NewEWFSegment 

func NewEWFSegment(fh io.ReadSeeker) (*EWFSegment, error)

func (*EWFSegment) Decode 

func (seg *EWFSegment) Decode(link *EWFSegment, decompressorFunc shared.Decompressor) error

func (*EWFSegment) ReadSectors 

func (seg *EWFSegment) ReadSectors(sector int64, count int) ([]byte, error)

type EWFTableSection 

type EWFTableSection struct {
	Section      *EWFSectionDescriptor
	Segment      *EWFSegment
	Header       *EWFTableSectionHeader
	Entries      *EWFTableSectionEntries
	Footer       *EWFTableSectionFooter
	SectorCount  int64
	SectorOffset int64
	Size         int64
	Offset       int64
	// contains filtered or unexported fields
}

func (*EWFTableSection) Decode 

func (d *EWFTableSection) Decode(fh io.ReadSeeker, section *EWFSectionDescriptor, segment *EWFSegment, decompressorFunc shared.Decompressor) error

func (*EWFTableSection) Encode 

func (d *EWFTableSection) Encode(ewf io.Writer, previousDescriptorPosition int64) (dataN int, descN int, err error)

type EWFTableSectionEntries 

type EWFTableSectionEntries struct {
	Data []EWFTableSectionEntry
	// contains filtered or unexported fields
}

type EWFTableSectionEntry 

type EWFTableSectionEntry struct {
	DataOffset uint64
	Size       uint32
	DataFlags  uint32
}

type EWFTableSectionFooter 

type EWFTableSectionFooter struct {
	Checksum uint32
}

type EWFTableSectionHeader 

type EWFTableSectionHeader struct {
	FirstChunkNumber uint64 // header
	NumEntries       uint32 // header
	Pad              uint32 // header
	Checksum         uint32 // header
}

type EWFWriter 

type EWFWriter struct {
	Segment       *EWFSegment
	SegmentOffset uint32
	ChunkSize     uint32
	// contains filtered or unexported fields
}

EWFWriter is helper for creating Ex01 images. Data is always compressed

func (*EWFWriter) Close 

func (ewf *EWFWriter) Close() error

func (*EWFWriter) Write 

func (ewf *EWFWriter) Write(p []byte) (n int, err error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.