ewfacquire.c
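/*
 * ewfacquire
 * Reads data from a file and writes it in EWF format
 *
 * Copyright (c) 2006-2007, Joachim Metz <forensics@hoffmannbv.nl>,
 * Hoffmann Investigations. All rights reserved.
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * Redistribution and use in source and binary forms, with or without modification,
 * are permitted provided that the following conditions are met:
 *
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 * - Neither the name of the creator, related organisations, nor the names of
 *   its contributors may be used to endorse or promote products derived from
 *   this software without specific prior written permission.
 * - All advertising materials mentioning features or use of this software
 *   must acknowledge the contribution by people stated in the acknowledgements.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER, COMPANY AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include "../libewf/libewf_includes.h"

#include <errno.h>
#include <stdio.h>

#ifdef HAVE_SYS_IOCTL_H
#include <sys/ioctl.h>
#endif

#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif

#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif

#ifdef HAVE_CYGWIN_FS_H
#include <cygwin/fs.h>
#endif

#ifdef HAVE_LINUX_FS_H
#include <linux/fs.h>
#endif

#ifdef HAVE_SYS_DISK_H
#include <sys/disk.h>
#endif

#ifdef HAVE_SYS_DISKLABEL_H
#include <sys/disklabel.h>
#endif

#include <libewf.h>

#include "../libewf/libewf_char.h"
#include "../libewf/libewf_common.h"
#include "../libewf/libewf_notify.h"
#include "../libewf/libewf_string.h"

#include "ewfcommon.h"
#include "ewfgetopt.h"
#include "ewfglob.h"
#include "ewfsignal.h"

/* Prints the executable usage information
 * All output goes to stderr
 */
void usage( void )
{
	fprintf( stderr, "Usage: ewfacquire [ -d digest_type ] [ -hqsvV ] source\n\n" );

	fprintf( stderr, "\tsource: the source file or device\n\n" );

	fprintf( stderr, "\t-d: calculate additional digest (hash) types besides md5, options: sha1\n" );
	fprintf( stderr, "\t-h: shows this help\n" );
	fprintf( stderr, "\t-q: quiet shows no status information\n" );
	fprintf( stderr, "\t-s: swap byte pairs of the media data (from AB to BA)\n" );
	fprintf( stderr, "\t (use this for big to little endian conversion and vice versa)\n" );
	fprintf( stderr, "\t-v: verbose output to stderr\n" );
	fprintf( stderr, "\t-V: print version\n" );
}

/* Prints an overview of the user provided input
 * and asks the user for confirmation
 * The prompt is repeated until the answer compares equal to "yes" or "no"
 * Return 1 if confirmed by user, 0 otherwise
 */
int confirm_input( CHAR_T *filename, LIBEWF_CHAR *case_number, LIBEWF_CHAR *description, LIBEWF_CHAR *evidence_number, LIBEWF_CHAR *examiner_name, LIBEWF_CHAR *notes, uint8_t media_type, uint8_t volume_type, int8_t compression_level, uint8_t compress_empty_block, uint8_t libewf_format, uint64_t acquiry_offset, uint64_t acquiry_size, uint32_t segment_file_size, uint64_t sectors_per_chunk, uint32_t sector_error_granularity, uint8_t read_error_retry, uint8_t wipe_block_on_read_error )
{
	LIBEWF_CHAR *user_input  = NULL;
	LIBEWF_CHAR *yes_no[ 2 ] = { _S_LIBEWF_CHAR( "yes" ),
	                             _S_LIBEWF_CHAR( "no" ) };
	int input_confirmed      = -1;

	fprintf( stdout, "The following acquiry parameters were provided:\n" );

	ewfcommon_acquiry_paramters_fprint( stdout, filename, case_number, description, evidence_number, examiner_name, notes, media_type, volume_type, compression_level, compress_empty_block, libewf_format, acquiry_offset, acquiry_size, segment_file_size, sectors_per_chunk, sector_error_granularity, read_error_retry, wipe_block_on_read_error );

	/* Ask for confirmation
	 * -1 means no valid answer yet
	 */
	while( input_confirmed == -1 )
	{
		/* NOTE(review): the return value is used without a NULL check;
		 * confirm that ewfcommon_get_user_input_fixed_value cannot return NULL
		 * (e.g. on end of input) or that libewf_string_compare tolerates it
		 */
		user_input = ewfcommon_get_user_input_fixed_value( stdout, _S_LIBEWF_CHAR( "Continue acquiry with these values" ), yes_no, 2, 0 );

		if( libewf_string_compare( user_input, _S_LIBEWF_CHAR( "yes" ), 3 ) == 0 )
		{
			input_confirmed = 1;
		}
		else if( libewf_string_compare( user_input, _S_LIBEWF_CHAR( "no" ), 2 ) == 0 )
		{
			input_confirmed = 0;
		}
		else
		{
			fprintf( stdout, "Selected option not supported, please try again or terminate using Ctrl^C.\n" );
		}
		/* The answer string is released on every iteration
		 */
		libewf_common_free( user_input );
	}
	fprintf( stdout, "\n" );

	return( input_confirmed );
}

/* Determine the device size using a file descriptor
 * The first ioctl available at compile time is used, in this order:
 * BLKGETSIZE64, DIOCGMEDIASIZE, DIOCGDINFO, DKIOCGETBLOCKSIZE with DKIOCGETBLOCKCOUNT
 * Returns the size in bytes, or 0 if the descriptor is -1, an ioctl fails
 * or none of the ioctls is available
 * A return of 0 therefore does not distinguish an error from an empty device;
 * the caller should not treat 0 as a trustworthy size for an acquisition
 */
uint64_t determine_device_size( int file_descriptor )
{
#ifndef DIOCGMEDIASIZE
#ifdef DIOCGDINFO
	struct disklabel disk_label;
#endif
#endif
	uint64_t input_size  = 0;
#ifdef DKIOCGETBLOCKCOUNT
	uint64_t block_count = 0;
	uint32_t block_size  = 0;
#endif

	if( file_descriptor == -1 )
	{
		return( 0 );
	}
#ifdef BLKGETSIZE64
	if( ioctl( file_descriptor, BLKGETSIZE64, &input_size ) == -1 )
	{
		return( 0 );
	}
#else
#ifdef DIOCGMEDIASIZE
	if( ioctl( file_descriptor, DIOCGMEDIASIZE, &input_size ) == -1 )
	{
		return( 0 );
	}
#else
#ifdef DIOCGDINFO
	if( ioctl( file_descriptor, DIOCGDINFO, &disk_label ) == -1 )
	{
		return( 0 );
	}
	/* Widen before multiplying: the disklabel fields are 32-bit in the BSD
	 * struct disklabel, so the product would otherwise wrap at 4 GiB and
	 * report a size that is too small for the device being acquired
	 */
	input_size = (uint64_t) disk_label.d_secperunit * (uint64_t) disk_label.d_secsize;
#else
#ifdef DKIOCGETBLOCKCOUNT
	if( ioctl( file_descriptor, DKIOCGETBLOCKSIZE, &block_size ) == -1 )
	{
		return( 0 );
	}
	if( ioctl( file_descriptor, DKIOCGETBLOCKCOUNT, &block_count ) == -1 )
	{
		return( 0 );
	}
#ifdef HAVE_DEBUG_OUTPUT
	fprintf( stderr, "block size: %" PRIu32 " block count: %" PRIu64 " ", block_size, block_count );
#endif
	/* block_count is 64-bit, so this product is computed in 64 bits
	 */
	input_size = block_count * block_size;
#else
	input_size = 0;
#endif /* DKIOCGETBLOCKCOUNT */
#endif /* DIOCGDINFO */
#endif /* DIOCGMEDIASIZE */
#endif /* BLKGETSIZE64 */

#ifdef HAVE_DEBUG_OUTPUT
	fprintf( stderr, "device size: %" PRIu64 "\n", input_size );
#endif
	return( input_size );
}

/* The main program
 * Parses the command line options, opens the source file or device
 * and determines its size
 */
#ifdef HAVE_WIDE_CHARACTER_SUPPORT_FUNCTIONS
int wmain( int argc, wchar_t * const argv[] )
#else
int main( int argc, char * const argv[] )
#endif
{
	struct stat input_file_stat;

#if defined(HAVE_UUID_UUID_H) && defined(HAVE_LIBUUID)
	uint8_t guid[ 16 ];
#endif
	CHAR_T *filenames[ 1 ]                   = { NULL };

	LIBEWF_HANDLE *handle                    = NULL;
	LIBEWF_CHAR *calculated_md5_hash_string  = NULL;
	LIBEWF_CHAR *calculated_sha1_hash_string = NULL;
	LIBEWF_CHAR *user_input                  = NULL;
	LIBEWF_CHAR *case_number                 = NULL;
	LIBEWF_CHAR *description                 = NULL;
	LIBEWF_CHAR *evidence_number             = NULL;
	LIBEWF_CHAR *examiner_name               = NULL;
	LIBEWF_CHAR *notes                       = NULL;
	LIBEWF_CHAR *acquiry_operating_system    = NULL;
	LIBEWF_CHAR *acquiry_software_version    = NULL;
	CHAR_T *filename                         = NULL;
	CHAR_T *time_string                      = NULL;
#if defined(HAVE_STRERROR_R) || defined(HAVE_STRERROR)
	CHAR_T *error_string                     = NULL;
#endif
	/* The status callback; -q replaces it with NULL
	 */
	void *callback                           = &ewfcommon_process_status_fprint;

	INT_T option                             = 0;
	size_t string_length                     = 0;
	time_t timestamp_start                   = 0;
	time_t timestamp_end                     = 0;
	int64_t count                            = 0;
	int64_t segment_file_size                = 0;
	uint64_t input_size                      = 0;
	uint64_t acquiry_offset                  = 0;
	uint64_t acquiry_size                    = 0;
	uint64_t sectors_per_chunk               = 0;
	uint32_t sector_error_granularity        = 0;
	int8_t compression_level                 = LIBEWF_COMPRESSION_NONE;
	int8_t result_md5_hash                   = 0;
	int8_t result_sha1_hash                  = 0;
	uint8_t media_type                       = LIBEWF_MEDIA_TYPE_FIXED;
	uint8_t volume_type                      = LIBEWF_VOLUME_TYPE_LOGICAL;
	uint8_t compress_empty_block             = 0;
	uint8_t wipe_block_on_read_error         = 0;
	uint8_t libewf_format                    = LIBEWF_FORMAT_UNKNOWN;
	uint8_t read_error_retry                 = 2;
	uint8_t swap_byte_pairs                  = 0;
	uint8_t seek_on_error                    = 1;
	uint8_t calculate_sha1                   = 0;
	uint8_t verbose                          = 0;
	int file_descriptor                      = 0;

	LIBEWF_CHAR *compression_types[ 3 ]      = { _S_LIBEWF_CHAR( "none" ),
	                                             _S_LIBEWF_CHAR( "fast" ),
	                                             _S_LIBEWF_CHAR( "best" ) };
	LIBEWF_CHAR *format_types[ 12 ]          = { _S_LIBEWF_CHAR( "ewf" ),
	                                             _S_LIBEWF_CHAR( "smart" ),
	                                             _S_LIBEWF_CHAR( "ftk" ),
	                                             _S_LIBEWF_CHAR( "encase1" ),
	                                             _S_LIBEWF_CHAR( "encase2" ),
	                                             _S_LIBEWF_CHAR( "encase3" ),
	                                             _S_LIBEWF_CHAR( "encase4" ),
	                                             _S_LIBEWF_CHAR( "encase5" ),
	                                             _S_LIBEWF_CHAR( "encase6" ),
	                                             _S_LIBEWF_CHAR( "linen5" ),
	                                             _S_LIBEWF_CHAR( "linen6" ),
	                                             _S_LIBEWF_CHAR( "ewfx" ) };
	LIBEWF_CHAR *media_types[ 2 ]            = { _S_LIBEWF_CHAR( "fixed" ),
	                                             _S_LIBEWF_CHAR( "removable" ) };
	LIBEWF_CHAR *volume_types[ 2 ]           = { _S_LIBEWF_CHAR( "logical" ),
	                                             _S_LIBEWF_CHAR( "physical" ) };
	LIBEWF_CHAR *sector_per_block_sizes[ 10 ] = { _S_LIBEWF_CHAR( "64" ),
	                                              _S_LIBEWF_CHAR( "128" ),
	                                              _S_LIBEWF_CHAR( "256" ),
	                                              _S_LIBEWF_CHAR( "512" ),
	                                              _S_LIBEWF_CHAR( "1024" ),
	                                              _S_LIBEWF_CHAR( "2048" ),
	                                              _S_LIBEWF_CHAR( "4096" ),
	                                              _S_LIBEWF_CHAR( "8192" ),
	                                              _S_LIBEWF_CHAR( "16384" ),
	                                              _S_LIBEWF_CHAR( "32768" ) };
	LIBEWF_CHAR *yes_no[ 2 ]                 = { _S_LIBEWF_CHAR( "yes" ),
	                                             _S_LIBEWF_CHAR( "no" ) };

	ewfsignal_initialize();

	ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfacquire" ) );

	while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "d:hqsvV" ) ) ) != (INT_T) -1 )
	{
		switch( option )
		{
			case (INT_T) '?':
			default:
				/* NOTE(review): if ewfgetopt advances optind like POSIX getopt,
				 * argv[ optind ] may be the argument after the rejected one,
				 * or NULL when the rejected option was last - confirm
				 */
				fprintf( stderr, "Invalid argument: %" PRIs "\n", argv[ optind ] );

				usage();

				return( EXIT_FAILURE );

			case (INT_T) 'd':
				if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "sha1" ), 4 ) == 0 )
				{
					calculate_sha1 = 1;
				}
				else
				{
					/* NOTE(review): an unsupported digest type is only reported;
					 * calculate_sha1 stays 0 and option parsing continues
					 */
					fprintf( stderr, "unsuported digest type.\n" );
				}
				break;

			case (INT_T) 'h':
				usage();

				return( EXIT_SUCCESS );

			case (INT_T) 'q':
				callback = NULL;

				break;

			case (INT_T) 's':
				swap_byte_pairs = 1;

				break;

			case (INT_T) 'v':
				verbose = 1;

				break;

			case (INT_T) 'V':
				ewfcommon_copyright_fprint( stderr );

				return( EXIT_SUCCESS );
		}
	}
	if( optind == argc )
	{
		fprintf( stderr, "Missing source file or device.\n" );

		usage();

		return( EXIT_FAILURE );
	}
	libewf_set_notify_values( stderr, verbose );

	/* Check if to read from stdin
	 */
	if( CHAR_T_COMPARE( argv[ optind ], _S_CHAR_T( "-" ), 1 ) == 0 )
	{
		fprintf( stderr, "Reading from stdin not supported.\n" );

		return( EXIT_FAILURE );
	}
	/* Open the input file or device size
	 */
	file_descriptor = libewf_common_open( argv[ optind ], LIBEWF_OPEN_READ );

	if( file_descriptor == -1 )
	{
#if defined(HAVE_STRERROR_R) || defined(HAVE_STRERROR)
		error_string = libewf_common_strerror( errno );

		/* No message is printed when the error string could not be obtained
		 */
		if( error_string != NULL )
		{
			fprintf( stderr, "Error opening file or device: %" PRIs " with failure: %" PRIs ".\n", argv[ optind ], error_string );

			libewf_common_free( error_string );
		}
#else
		fprintf( stderr, "Error opening file or device: %" PRIs ".\n", argv[ optind ] );
#endif
		return( EXIT_FAILURE );
	}
	/* Check the input file or device size
	 */
	input_size = 0;

	if( fstat( file_descriptor, &input_file_stat ) != 0 )
	{
		/* The descriptor is not closed on this path; the process exits right after
		 */
		fprintf( stderr, "Unable to get status information of file.\n" );

		return( EXIT_FAILURE );
	}
#ifndef HAVE_WINDOWS_API
	/* Block and character devices are sized via ioctl,
	 * everything else via the size fstat reported
	 */
	if( S_ISBLK( input_file_stat.st_mode ) || S_ISCHR( input_file_stat.st_mode ) )
	{
		input_size = determine_device_size( file_descriptor );
	}
	else
#endif
	{
		input_size = input_file_stat.st_size;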