.Dd May 12, 2007
.Dt ewfacquire
.Os libewf
.Sh NAME
.Nm ewfacquire
.Nd acquires data in the EWF format
.Sh SYNOPSIS
.Nm ewfacquire
.Op Fl d Ar digest_type
.Op Fl -hqsvV
.Va Ar source
.Sh DESCRIPTION
.Nm ewfacquire
is a utility to acquire media data from a
.Ar source
and store it in EWF format (Expert Witness Format).
.Nm ewfacquire
acquires media data in a format equivalent to EnCase and FTK imager, including meta data.
Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS\-X/Darwin
.Nm ewfacquire
supports reading directly from device files.
On other platforms
.Nm ewfacquire
can convert a raw (dd) image into the EWF format.
.Pp
.Nm ewfacquire
is part of the
.Nm libewf
package.
.Nm libewf
is a library to support the Expert Witness Compression Format (EWF).
.Nm libewf
supports both the SMART format (EWF-S01) and the EnCase format (EWF-E01).
.Nm libewf
currently does not support the Logical Volume format (EWF-L01).
EWF-X is an experimental format intended for testing purposes to enhance the EWF format.
.Nm libewf
allows you to read and write media data in the EWF format.
.Pp
.Ar source
is the source or device file to acquire data from.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl d Ar digest_type
calculate additional digest (hash) types besides md5, options: sha1
.It Fl h
shows this help
.It Fl q
quiet, shows no status information
.It Fl s
swap byte pairs of the media data (from AB to BA)
(use this for big to little endian conversion and vice versa)
.It Fl v
verbose output to stderr
.It Fl V
print version
.El
.Pp
.Nm ewfacquire
will read from a file or device until it encounters a read error.
On read error it will retry the amount of retries specified.
If
.Nm ewfacquire
is still unable to read, it will, if specified, zero (wipe) the amount of sectors specified as error granularity.
.Pp
Empty block compression detects blocks of sectors with entirely the same byte data and compresses them using the default compression level.
.Sh ENVIRONMENT
None
.Sh FILES
None
.Sh EXAMPLES
.Nm ewfacquire
will ask for the information it needs.
.Bd -literal
# ewfacquire /dev/fd0
ewfacquire 20070512 (libewf 20070512, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Information about acquiry required, please provide the necessary input
Image path and filename without extension: floppy
Case number: 1
Description: Floppy
Evidence number: 1.1
Examiner name: John D.
Notes: Just a floppy in my system
Media type (fixed, removable) [fixed]: removable
Volume type (logical, physical) [physical]: physical
Use compression (none, fast, best) [none]:
Compress empty blocks (yes, no) [no]:
Use EWF file format (smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase5]:
Start to acquire at offset (0 >= value >= 1474560) [0]:
Amount of bytes to acquire (0 >= value >= 1474560) [1474560]:
Evidence segment file size in kbytes (2^10) (1440 >= value >= 2097152) [665600]:
The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096) [64]:
The amount of sectors to be used as error granularity (1 >= value >= 64) [64]:
The amount of retries when a read error occurs (0 >= value >= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [yes]:

The following information was provided:
Image path and filename: floppy.E01
Case number: 1
Description: Floppy
Evidence number: 1.1
Examiner name: John D.
Notes: Just a floppy in my system
Media type: removable
Volume type: physical
Compression used: none
Compress empty blocks: no
EWF file format: Encase 5
Acquiry start offet: 0
Amount of bytes to acquire: 1474560
Evidence segment file size: 665600 kbytes
Block size: 64 sectors
Error granularity: 64 sectors
Retries on read error: 2
Wipe sectors on read error: yes

Continue acquiry with these values (yes, no) [yes]:

Acquiry started at: Sat May 12 11:32:41 2007

This could take a while.

Status: at 2%.
        acquired 32 kB (32768 bytes) of total 1.4 MB (1474560 bytes).

.Dl ...

Status: at 100%.
        acquired 1.4 MB (1474560 bytes) of total 1.4 MB (1474560 bytes).
        completion in 1 second(s) with 1 MB/s (1474560 bytes/second).

Acquiry started at: Sat May 12 11:32:42 2007

Written: 1.4 MB (1474560 bytes) in 1 second(s) with 1 MB/s (1474560 bytes/second).

MD5 hash calculated over data: ae1ce8f5ac079d3ee93f97fe3792bda3
.Ed
.Sh DIAGNOSTICS
Errors, verbose and debug output are printed to stderr when verbose output \-v is enabled.
Verbose and debug output are only printed when enabled at compilation.
.Sh BUGS
Please report bugs of any kind to <forensics@hoffmannbv.nl> or on the project website:
https://libewf.uitwisselplatform.nl/
.Sh AUTHOR
These man pages were written by Kees Mastwijk.
Alterations for distribution have been made by Joachim Metz.
.Sh COPYRIGHT
Copyright 2006-2007 Kees Mastwijk, Hoffmann Investigations <forensics@hoffmannbv.nl> and contributors.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.Sh SEE ALSO
.Xr ewfacquirestream 1 ,
.Xr ewfexport 1 ,
.Xr ewfinfo 1 ,
.Xr ewfverify 1
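
The read-error handling described in DESCRIPTION (retry, then zero the error granularity), modelled as an added example; this is not libewf code. The names sample_read and acquire, the constructed 256-sector media and the alignment of the wiped block to the granularity are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define MEDIA_SECTORS 256            /* constructed sample media */

static int flaky_hits;               /* LBA 10 fails once, then reads */

/* Hypothetical device read: 0 on success, -1 on read error.
 * Constructed data: every sector is 0xAA; LBA 70 never reads. */
static int sample_read(size_t lba, unsigned char *dst)
{
    if (lba == 70 || (lba == 10 && flaky_hits++ == 0))
        return -1;
    memset(dst, 0xAA, SECTOR_SIZE);
    return 0;
}

/* Image `total` sectors; return how many were zeroed after read errors. */
size_t acquire(unsigned char *image, size_t total,
               size_t granularity, int retries)
{
    size_t wiped = 0, lba = 0;

    while (lba < total) {
        int rc = -1;
        /* one initial read plus up to `retries` retries */
        for (int attempt = 0; attempt <= retries && rc != 0; attempt++)
            rc = sample_read(lba, image + lba * SECTOR_SIZE);
        if (rc == 0) {
            lba++;
            continue;
        }
        /* Assumption: the wiped block is aligned to the granularity. */
        size_t start = lba - lba % granularity;
        size_t end = start + granularity < total ? start + granularity : total;
        memset(image + start * SECTOR_SIZE, 0, (end - start) * SECTOR_SIZE);
        wiped += end - start;
        lba = end;                   /* resume after the wiped block */
    }
    return wiped;
}

int main(void)
{
    static unsigned char image[MEDIA_SECTORS * SECTOR_SIZE];
    size_t wiped = acquire(image, MEDIA_SECTORS, 64, 2);
    printf("sectors zeroed: %zu, LBA 64 byte: 0x%02x\n", wiped, image[64 * SECTOR_SIZE]);
    return 0;
}
```

With wiping enabled, one unreadable sector costs a full granularity block in the image, including sectors that read cleanly, so a smaller error granularity preserves more evidence on damaged media.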