libyal / libewf Goto Github PK
View Code? Open in Web Editor NEWLibewf is a library to access the Expert Witness Compression Format (EWF)
License: GNU Lesser General Public License v3.0
Libewf is a library to access the Expert Witness Compression Format (EWF)
License: GNU Lesser General Public License v3.0
The name libyal was initially a pun on the naming theme of the various library projects. Now it serves the purpose of providing an overview of the available projects in a single location and as a home for scripts to help maintain the projects. For more information see: * Project documentation: https://github.com/libyal/libyal/wiki/Home * Overiew of available projects: https://github.com/libyal/libyal/wiki/Overview
For building the Debian package using sbuild, I patched tests/test_*.sh so that they could be successfully run in a build directory .../libewf-20160325
:
-TEST_PREFIX=`basename ${TEST_PREFIX} | sed 's/^lib//'`;
+TEST_PREFIX=`basename ${TEST_PREFIX} | sed 's/^lib//' | sed 's/-201.*$//'`;
(This change was also necessary for the recent libsigscan
release.)
Wouldn't it be better to just hard-code TEXT_PREFIX
?
I have multiple examples of E01 images, created using FTK Imager, with more than 64 file segments. The current version of ewfverify fails on these images. However, ewfverify 20140608 works correctly when opening and verifying the images.
Steps to reproduce:
I note that, in December 2014, the constant LIBEWF_MAXIMUM_CACHE_ENTRIES_SEGMENT_FILES was changed to 64.
https://github.com/libyal/libewf/blame/master/libewf/libewf_definitions.h.in#L440
Is it possible that this change to the size of the segment_files_cache in a segment_table could be related?
Build on Fedora linux fails with the undefined reference to the libcstring_narrow_string_length and libcstring_narrow_string_copy. It seems that such function is no longer in libcstring.
I have tried with both release 20150126 (5e47a75) and current head commit (54b0ead)
This is the error message I get during build.
/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -Wl,-z,relro -o ewfacquirestream byte_size_string.o digest_hash.o ewfacquirestream.o ewfinput.o ewfoutput.o guid.o imaging_handle.o log_handle.o platform.o process_status.o storage_media_buffer.o -luuid -lhmac -lcsystem -lcsplit -lcdatetime ../libewf/libewf.la -lcnotify -lclocale -lcerror -lcstring -lbz2
/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -Wl,-z,relro -o ewfdebug byte_size_string.o ewfdebug.o ewfinput.o ewfoutput.o -lcsystem ../libewf/libewf.la -lcnotify -lclocale -lcerror -lcstring -lbz2
libtool: link: gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -Wl,-z -Wl,relro -o .libs/ewfacquire byte_size_string.o digest_hash.o device_handle.o ewfacquire.o ewfinput.o ewfoutput.o guid.o imaging_handle.o log_handle.o platform.o process_status.o storage_media_buffer.o -lodraw -lsmdev -lsmraw -luuid -lcsystem -lcdatetime ../libewf/.libs/libewf.so -L/usr/lib64 -lcdata -lcsplit -luna -lcfile -lcpath -lbfio -lfcache -lfdata -lfvalue -lz -lhmac -lcaes -lcnotify -lclocale -lcthreads -lcerror -lcstring -lbz2
libtool: link: gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -Wl,-z -Wl,relro -o .libs/ewfacquirestream byte_size_string.o digest_hash.o ewfacquirestream.o ewfinput.o ewfoutput.o guid.o imaging_handle.o log_handle.o platform.o process_status.o storage_media_buffer.o -luuid -lcsystem -lcdatetime ../libewf/.libs/libewf.so -L/usr/lib64 -lcthreads -lcdata -lcsplit -luna -lcfile -lcpath -lbfio -lfcache -lfdata -lfvalue -lz -lhmac -lcaes -lcnotify -lclocale -lcerror -lcstring -lbz2
libtool: link: gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -Wl,-z -Wl,relro -o .libs/ewfdebug byte_size_string.o ewfdebug.o ewfinput.o ewfoutput.o -lcsystem ../libewf/.libs/libewf.so -L/usr/lib64 -lcthreads -lcdata -lcsplit -luna -lcfile -lcpath -lbfio -lfcache -lfdata -lfvalue -lz -lhmac -lcaes -lcnotify -lclocale -lcerror -lcstring -lbz2
../libewf/.libs/libewf.so: undefined reference to `libcstring_narrow_string_length'
../libewf/.libs/libewf.so: undefined reference to `libcstring_narrow_string_copy'
collect2: error: ld returned 1 exit status
Makefile:1091: recipe for target 'ewfacquire' failed
make[1]: *** [ewfacquire] Error 1
make[1]: *** Waiting for unfinished jobs....
ewfacquirestream.o: In function `ewfacquirestream_read_chunk':
/home/mambroz/rpmbuild/BUILD/libewf-54b0eada69defd015c49e4e1e1e4e26a27409ba3/ewftools/ewfacquirestream.c:326: undefined reference to `libcsystem_file_io_read'
../libewf/.libs/libewf.so: undefined reference to `libcstring_narrow_string_length'
../libewf/.libs/libewf.so: undefined reference to `libcstring_narrow_string_copy'
collect2: error: ld returned 1 exit status
Makefile:1095: recipe for target 'ewfacquirestream' failed
make[1]: *** [ewfacquirestream] Error 1
../libewf/.libs/libewf.so: undefined reference to `libcstring_narrow_string_length'
../libewf/.libs/libewf.so: undefined reference to `libcstring_narrow_string_copy'
collect2: error: ld returned 1 exit status
Makefile:1099: recipe for target 'ewfdebug' failed
make[1]: *** [ewfdebug] Error 1
make[1]: Leaving directory '/home/mambroz/rpmbuild/BUILD/libewf-54b0eada69defd015c49e4e1e1e4e26a27409ba3/ewftools'
Makefile:804: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.nGlIJ0 (%build)
Ewfverify fails on large images. I've used ewfverify on the images of a large (3TB) disk, and ewfverify consistently fails at the same point. The error messages suggest there is a problem with reading the evidence files, but the images are verified correctly in EnCase.
I've tried outputting more verbose error logs, but the resulting log file stays empty. I've used the latest version (libewf-20140608.tar.gz), and built it in Ubuntu 12.04 x86, and the latest Mint (17.1) x86.
I've used the same version of libewf to verify the evidence files on a 64 bit system, and the verification passes.
Is it perhaps a limitation of 32 bit systems, or is there a possible bug?
The error messages from the console:
Status: at 38%.
verified 1.0 TiB (1163113988096 bytes) of total 2.7 TiB (3000592982016 bytes).
completion in 2 hour(s), 56 minute(s) and 32 second(s) with 167 MiB/s (175637613 bytes/second).
Status: at 38%.
verified 1.0 TiB (1163994595328 bytes) of total 2.7 TiB (3000592982016 bytes).
completion in 2 hour(s), 56 minute(s) and 38 second(s) with 167 MiB/s (175534864 bytes/second).
Status: at 38%.
verified 1.0 TiB (1164875137024 bytes) of total 2.7 TiB (3000592982016 bytes).
completion in 2 hour(s), 56 minute(s) and 45 second(s) with 167 MiB/s (175421980 bytes/second).
Verify failed at: Mar 13, 2015 13:25:09
Unable to verify input.
libewf_handle_read_buffer: unable to read chunk data: 35570143.
verification_handle_read_buffer: unable to read storage media buffer.
verification_handle_verify_input: unable to read data.
ewfverify: FAILURE
I am running an Arch 64 build:
Linux ARCHIR 4.2.5-1-ARCH #1 SMP PREEMPT Tue Oct 27 08:13:28 CET 2015 x86_64 GNU/Linux
[ Problem ]:
No matter what I do, following your instructions on building from source does not allow me to 'apparently' install the libraries correctly. I say apparently because the PLASO RUNTESTS.PY script reports these libraries as missing.
What should I do?
See below.
$ python2 ./run_tests.py
Checking availability and versions of plaso dependencies.
[OK] artifacts version: 20150409
[OK] bencode
[OK] binplist version: 0.1.4
[OK] construct version: 2.5.2
[OK] dateutil version: 2.4.2
[OK] dfvfs version: 20151231
[OK] dpkt version: 1.8
[OK] google.protobuf
[OK] hachoir_core version: 1.3.3
[OK] hachoir_parser version: 1.3.4
[OK] hachoir_metadata version: 1.3.3
[OK] IPython version: 4.0.0
[OK] pefile version: 1.2.10-139
[OK] psutil version: 3.3.0
[OK] pyparsing version: 2.0.7
[OK] pytz
[OK] requests version: 2.9.1
[OK] six version: 1.10.0
[OK] sqlite3 version: 3.9.2
[OK] yaml version: 3.11
[OK] SleuthKit version: 4.2.0
[OK] pytsk3 version: 20150406
[OK] libbde (pybde) version: 20160108
[OK] libesedb (pyesedb) version: 20160107
[OK] libevt (pyevt) version: 20160107
[OK] libevtx (pyevtx) version: 20160107
[FAILURE] missing: pyewf.
[OK] libfwsi (pyfwsi) version: 20160106
[OK] liblnk (pylnk) version: 20160107
[OK] libmsiecf (pymsiecf) version: 20160107
[OK] libolecf (pyolecf) version: 20160107
[FAILURE] missing: pyqcow.
[OK] libregf (pyregf) version: 20160107
[OK] libsigscan (pysigscan) version: 20160108
[OK] libsmdev (pysmdev) version: 20160108
[OK] libsmraw (pysmraw) version: 20160108
[OK] libvhdi (pyvhdi) version: 20160108
[FAILURE] missing: pyvmdk.
[OK] libvshadow (pyvshadow) version: 20160108
Would like to have a way to disable the constant progress display entries so that the only progress display entries are for each percentage points. (e.g. for 1% 2% ... etc)
It is really just asking to for a method to get the behaviour of libewf_20100226 or similar as seen in the ewf-tools package in debian squeeze.
( https://packages.debian.org/squeeze/ewf-tools )
This will help me to work around issue 16 where there is an problem with progress updates under windows.
ref: #16
sed: -e expression #1, char 9: unterminated `s' command
Unable to find the "libewf-experimental-.tar.gz" on the downloads page following the building instructions in below link.
https://github.com/libyal/libewf/wiki/Building
"To retrieve the source package go to the downloads page and download the file named:
libewf-experimental-.tar.gz"
The downloads page is in the following link:
https://googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/
The delta segment file solution is only useful for a small number of changes and adds a significant amount of complexity to the code base.
Data chunk is not properly aligned when running ewfacquire with '-x' switch. The resulting Ex01 file layout is different from which was created without the '-x' switch, and cannot be verified successfully by ewfverify tool.
ewfacquire -x -C test -u -q -d sha1 -m fixed -f encase7-v2 -c fast -t /tmp/test /dev/sdc
"ewfverify /tmp/test" failed with message "unexpected end of data".
A quick tracing of the code shows two problems:
I note the function : libewf_set_volume_type (
Line 2373 in 54b0ead
LIBEWF_VOLUME_TYPE_LOGICAL = 0x00,
LIBEWF_VOLUME_TYPE_PHYSICAL = 0x01
(
libewf/libewf/libewf_definitions.h.in
Line 162 in 54b0ead
From what I can gather, these should be passed to libewf_set_volume_type so that the resulting E01 'knows' whether it is an E01 of a physical item (.\PhysicalDiskX) or logical volume?
However, the compiled DLL I have dates back to June 2014 and using DLL Explorer, the function libewf_set_volume_type is not listed in it, so I assume it dates later than my DLL.
Was there another function that predated libewf_set_volume_type but which did the same thing? If so, could you tell me what it was called? I can't find anything that reselmbles it - libewf_set_media_type is the nearest but I think that's things like "CD\USB\Disk" etc I realise the best thing would be to generate a new DLL from the latest source code but having tried that the other day, I found it didn't work with my project (I use Delphi\Freepascal).
Thanks
When trying to reproduce steps from test_ewfacquire_resume.sh I noticed that source file is re-acquired from the beggining (the "status" messages start from 0%) when ewfacquire is called with -R flag. Also ewfacquire determines "Resume acquiry offset" from "underimaged" file as 0, which also seems weird to me, however confirms strange behaviour. This behaviour seems more like "restart" but not "resume".
Also when using .NET bindings, library behaves the same way:
ewfexport -f encase6 exports to RAW which is not the correct behavior
A quick test run of ewfacquire caused all system memory to be quickly used up and the process was terminated:
ewfacquire -C test -u -q -d sha1 -m fixed -f encase7-v2 -c fast -t /tmp/test /dev/sdc
It turns out to be that chunk_data allocated in libewf_handle.c:libewf_handle_write_buffer() never gets freed.
I mounted a small multi-partition .E01 image to /media/mntpt,
used
kpartx -a to create the /dev/mapper/loop0p1.
then
mount /dev/mapper/loop0p1 -o ro /media/mntpt1
viewed two graphics files
umount /dev/mapper/loop0p1
kpartx -d /dev/mapper/loop0p1
then tried to umount /media/mntpt
and got the error:
"umount: /media/mntpt: target is busy"
I'm attempting to mount an image of a 500GB hard drive acquired using EnCase 6.19.7. After running the command to mount (ewfmount /mnt/hgfs/Cases/evidence.e* /mnt/ewf/), all seems to be good and I get no error messages. ewf1 appears in the specified location. When I try parted or mmls, it is unable to recognise any partitions.
I have successfully mounted the same image using ewfmount 20140608.
Happy to share any info you need.
ewfacquire -h
and ewfexport -h
list encase7-v2
among the possible arguments for the -f
flag. The man pages for ewfacquire
and ewfexport
do not list encase7-v2
as one of the arguments for the -f
flag. The man page should be updated to reflect what's supported.
Hi Joachim
I wanted to try using a new DLL compiled from your recent March release. It has been a while since I compiled it last time so it took me a while some reading to do, but having done it, I fear I have done something wrong.
I followed the instructions here to build using Windows 7 64-bit and MSYS-MinGW. Upon completion I had libewf-3.dll and I also went and downloaded libgcc_s_dw2-1.dll from somewhere and copied that to my project folder, along with my existing zlib.dll file and so on.
Trouble is, my LoadLibraryA call fails. I thought for a while it was due to something I had done, but after a few hours debugging and using Dependancy Walker, I realised that the newly compiled DLL was missing dependancies, namely libbz2-2.dll and zlib1.dll (I have a zlib.dll already, just not zlib1.dll) to start with. But even after downloading those, there remained several other warnings in Dependancy Walker stating that "Error opening file. The system cannot find the file specified" for the following files:
API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-ERROR-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-ROBUFFER-L1-1-0.DLL
API-MS-WIN-CORE-WINRT-STRING-L1-1-0.DLL
API-MS-WIN-SHCORE-SCALING-L1-1-1.DLL
DCOMP.DLL
IESHIMS.DLL
So at this stage, I gave up and thought I'd ask you here in case I was missing something obvious.
Have you compiled the latest libEWF yourself using Windows and MSYS-MinGW? If so, can I ask what else you did to ensure your other projects or any programs can load the resulting libewf.DLL? As it stands, I have the following DLL's in my project folder :
libbz2-2.dll (downloaded from Internet)
libewf.dll (that I renamed from libewf-3.dll, built with MSYS-MinGW)
libgcc_s_dw2-1.dll (downloaded from Internet)
msvcr100.dll (downloaded from Internet)
zlib.dll (about a year or two old)
zlib1.dll (downloaded from Internet, dated 2013)
Many thanks as always for your time and development work.
Using ewfacquire 20140608 (not the newer experimental release).
I happen to notice the initial time estimate can be way off, but then it jumps drastically on the 1GB updates.
It's like the code does something like:
time_remaining = total_GB * (time_in_progress / int(GB_done))
Thus in the first few GB the error is pretty drastic. In particular, my 2 1/2 hour image was estimating 5 hours at the 1.9 GB process stage, but then corrected to 2 1/2 hours on the next update.
Hi Joachim
I'm having some difficulty applying compression. I am using libewf_set_compression_values to assign BEST, LOW, NONE compression to E01 image files (though I notice there's a 'libewf_handle_set_compression_values - perhaps I need to use that?)
libewf/libewf/libewf_metadata.c
Line 732 in 9f67838
I am also assigning LIBEWF_COMPRESSION_LEVELS within my function. (https://github.com/libyal/libewf/blob/9f678389d18b46db96c6a3b169a46afc2516bf39/include/libewf/definitions.h.in)
The user is asked to choose a default, none, fast or best compression method via the GUI and their selection is assigned to an integer var as -1, 0, 1 or 2.
I then lookup that variables value and,
if it's -1, libewf_set_compression_values is called with (LIBEWF_COMPRESSION_DEFAULT, 0).
if it's 0, libewf_set_compression_values is called with (LIBEWF_COMPRESSION_NONE, 0).
if it's 1, libewf_set_compression_values is called with (LIBEWF_COMPRESSION_FAST, 0).
if it's 2, libewf_set_compression_values is called with (LIBEWF_COMPRESSION_BEST, 0).
If the user chooses none, I get an uncompresssed E01 just as expected and hoped. However, if the user chooses FAST or BEST, the resulting image is always the same size. I would expect one to be larger than the other, even if by only a small amount.
Do I have to call something else? In other words, having SET the compression with libewf_set_compression_values, do I need to call another function to actually incorporate the varying levels of compression?
Source code version : libewf-20140608.tar.gz
(have also tried with latest from git (cloned yesterday))
OS: windows 7 64 bit
built under cygwin using following configure command (as well as usual make and make install)
./configure --host=i686-w64-mingw32 --enable-static-executables --enable-python
ewfacquire .\PhysicalDrive1
Worked fine but with similar issues with status updating too soon.
These tools work perfectly fine apart from the status update which spams the screen with updates as well as the transfer rate being incorrect.
misc note:
Status information is updating too often. (example below)
Affects the performance as well as the transfer rate seems affected.
< begin snip>
Status: at 20%.
verified 829 MiB (869826560 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 829 MiB (869924864 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 829 MiB (870055936 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 829 MiB (870154240 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 829 MiB (870252544 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 829 MiB (870285312 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 830 MiB (870416384 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 830 MiB (870547456 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 830 MiB (870711296 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Status: at 20%.
verified 830 MiB (870875136 bytes) of total 3.9 GiB (4227858432 bytes).
completion in 33 second(s) with 10 bytes/second.
Check if a Replaces section can fix dependency problems on Ubuntu with libewf2
https://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces
Hi
I am using libewf_handle_set_md5_hash and libewf_handle_set_sha1_hash to embed either Md5 or SHA1 hash values into the E01 using libewf.
libewf_handle_set_md5_hash works fine - the MD5 hash is embedded. But when I use the same technique with libewf_handle_set_sha1_hash, the function returns valid (no error, integer returned is 1) but when I open the E01 file using FTK Imager, the hash value properties field is empty.
What might I be doing wrong? Or is there a problem with the function? I am using the libewf.dll from http://labalec.fr/erwan/?p=1235 (specifically this download http://labalec.fr/erwan/wp-content/uploads/2014/05/libewf2.zip), which may be the problem?
Running python setup.py build
on Windows 7 after following all other build instructions causes the C++ linker to throw the following errors:
libhmac_md5.obj : error LNK2019: unresolved external symbol __imp__CryptReleaseContext@8 referenced in function _libhmac_md5_initialize
libhmac_sha1.obj : error LNK2001: unresolved external symbol __imp__CryptReleaseContext@8
libhmac_md5.obj : error LNK2019: unresolved external symbol __imp__CryptCreateHash@20 referenced in function _libhmac_md5_initialize
libhmac_sha1.obj : error LNK2001: unresolved external symbol __imp__CryptCreateHash@20
libhmac_md5.obj : error LNK2019: unresolved external symbol __imp__CryptAcquireContextW@20 referenced in function _libhmac_md5_initialize
libhmac_sha1.obj : error LNK2001: unresolved external symbol __imp__CryptAcquireContextW@20
libhmac_md5.obj : error LNK2019: unresolved external symbol __imp__CryptDestroyHash@4 referenced in function _libhmac_md5_free
libhmac_sha1.obj : error LNK2001: unresolved external symbol __imp__CryptDestroyHash@4
libhmac_md5.obj : error LNK2019: unresolved external symbol __imp__CryptHashData@16 referenced in function _libhmac_md5_update
libhmac_sha1.obj : error LNK2001: unresolved external symbol __imp__CryptHashData@16
libhmac_md5.obj : error LNK2019: unresolved external symbol __imp__CryptGetHashParam@20 referenced in function _libhmac_md5_finalize
libhmac_sha1.obj : error LNK2001: unresolved external symbol __imp__CryptGetHashParam@20
This is most likely because of problems in including wincrypt.h, as the functions are declared in the header but apparently not found by anything else. This was attempted with Python 2 and Visual Studio 9.0.
+2GB LVF seems to define 8-byte size rather than a 4-byte
try to reproduce and update documentation
I'm receiving errors when attempting to build from source on an Ubuntu 12.04 machine.
Following the steps:
./synclibs.sh
./autogen.sh
./configure
make
gcc: error: @LIBFDATETIME_CPPFLAGS@: No such file or directory
gcc: error: @LIBFGUID_CPPFLAGS@: No such file or directory
gcc: error: @LIBFWNT_CPPFLAGS@: No such file or directory
The synclibs.sh
file makes no reference to these libraries. But I see the Makefile
under libfvalue
references these on line 540-542 under AM_CPPFLAGS
.
Possibly Pertinent Info: I need to build this on an air-gapped machine, so I downloaded the repo on another, Internet-connected machine (running same OS version), ran ./synclibs.sh
, and then copied that directory to the target machine and tried to build.
When using ewfexport to send an image to stdout, it will append the string "ewfexport: SUCCESS" to end of the image on completion. Receiving programs will interpret this string as part of the image body. For example, here someprogram will not be working with an exact copy of a raw image, but has 19 additional bytes at the end...
ewfexport -u -f raw -t - image.E01 | someprogram
Maybe that exit message should go to stderr instead, when stdout is used for the image?
Hello, I am sorry if it's not the correct place to ask questions but I couldn't find a place for discussion. I compiled libclocale
using these options:
./configure --enable-wide-character-type --enable-shared=no
and libewf
using these options:
./configure --enable-verbose-output --enable-shared=no --enable-static-executables=yes --enable-python --enable-wide-character-type
Features:
Multi-threading support: pthread
Wide character type support: yes
ewftools are build as static executables: yes
Python (pyewf) support: 2.7
Verbose output: yes
Debug output: no
Version 1 API compatibility: no
Then I ewfmount
a .E01 file, then mount -o ro,loop
to mount it in Ubuntu 14.04. I am seeing question marks like these in ls
????_2014 - 2015?????????????.docx
where there should be CJK characters. (Ubuntu itself can view CJK characters correctly)
So I guess my question is, are wide characters and Unicode supported? If not, how can I correctly view those files?
Hi, i need help on building libewf latest release using MSYS-MinGW on Windows 10. When i run CPPFLAGS=-DWINVER=0x0501 ./configure --prefix=/mingw
it keep stopping at flex checking and said flex.exe not responding. Do you have any idea on what should i do? Thanks.
I am trying to acquiring 8GB USB, and i always got error failure between 90%.
here error output
Acquiry failed at: May 25, 2016 20:17:40
Unable to acquire input.
libcfile_file_read_buffer_with_error_code: invalid read count: 28672 returned.
libsmdev_handle_read_buffer: unable to read from device file.
device_handle_read_storage_media_buffer: unable to read buffer from device input handle.
ewfacquire_read_input: error reading data from input.
ewfacquire: FAILURE
what cause this error?
When I try to build libewf_dll project, I got following error from Visual Studio
TP_POOL support not implemented yet on Visual Studio 2013
The error is caused by following line from libcthreads_thread_pool.c file
if defined( WINAPI ) && ( WINVER >= 0x0602 )
/* TODO */
error TP_POOL support not implemented yet
I tried to extract a E01 file (http://digitalcorpora.org/corpora/scenarios/2012-ngdc/carry-tablet/carry-tablet-2012-07-16-final.E01) to raw format. The memory used by ewfexport stays at around 40MB initially. It jumped more than 4GB at around 89% and depleted system memory. The following is the output and the version of ewfexport.
$ ewfexport carry-tablet-2012-07-16-final.E01 > /dev/null
ewfexport 20150126
Information for export required, please provide the necessary input
Export to format (raw, files, ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, encase7, encase7-v2, linen5, linen6, linen7, ewfx) [raw]:
Target path and filename without extension or - for stdout: -
Start export at offset (0 <= value <= 30928797696) [0]:
Number of bytes to export (0 <= value <= 30928797696) [30928797696]:
Export failed at: Nov 25, 2015 07:21:29
Unable to export input.
libewf_chunk_data_initialize_clear_data: unable to create data.
libewf_chunk_table_get_chunk_data_by_offset: unable to create chunk: 879016 data.
libewf_handle_read_buffer: unable to read chunk: 879016 data.
export_handle_read_buffer: unable to read storage media buffer.
export_handle_export_input: unable to read data.
I have successfully imaged other thumb drives so this is not a generic issue.
With a specific thumb drive I am trying to image ewfacquire is failing. The thumbdrive itself is operational and I can image it via dc3dd.
ewfacquire /dev/sdb
ewfacquire 20140608Device information:
Unable to print media information.
libsmdev_string_trim_copy_from_byte_stream: string too small.
libsmdev_internal_handle_determine_media_information: unable to set serial number.
libsmdev_handle_get_bus_type: unable to determine media information.
device_handle_media_information_fprint: unable to retrieve bus type.
Unable to retrieve media type from device.
libsmdev_string_trim_copy_from_byte_stream: string too small.
libsmdev_internal_handle_determine_media_information: unable to set serial number.
libsmdev_handle_get_media_type: unable to determine media information.
device_handle_get_media_type: unable to retrieve media type.
The thumb drive is a generic one.
l don't know if it is helpful, but "lsusb -v -s" gives this detail
Bus 004 Device 003: ID 13fe:5500 Kingston Technology Company Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 3.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 9
idVendor 0x13fe Kingston Technology Company Inc.
idProduct 0x5500
bcdDevice 1.00
iManufacturer 1
iProduct 2 Patriot Memory
iSerial 3
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 44
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 126mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk-Only
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 3
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 3
Binary Object Store Descriptor:
bLength 5
bDescriptorType 15
wTotalLength 22
bNumDeviceCaps 2
USB 2.0 Extension Device Capability:
bLength 7
bDescriptorType 16
bDevCapabilityType 2
bmAttributes 0x00000002
Link Power Management (LPM) Supported
SuperSpeed USB Device Capability:
bLength 10
bDescriptorType 16
bDevCapabilityType 3
bmAttributes 0x00
wSpeedsSupported 0x000e
Device can operate at Full Speed (12Mbps)
Device can operate at High Speed (480Mbps)
Device can operate at SuperSpeed (5Gbps)
bFunctionalitySupport 2
Lowest fully-functional device speed is High Speed (480Mbps)
bU1DevExitLat 10 micro seconds
bU2DevExitLat 2047 micro seconds
Device Status: 0x0000
(Bus Powered)
hi, i got error when building libewf (experimental 20160424) with msys in mingw. i have zlib, bzip2 and Crypto API librra. i follow this article #https://github.com/libyal/libewf/wiki/Building#using-msys-mingw, but fail while make.
Making all in include
make[1]: Entering directory/home/HUDA/libewf-20160424/include' make[1]: Nothing to be done for
all'.
make[1]: Leaving directory/home/HUDA/libewf-20160424/include' Making all in common make[1]: Entering directory
/home/HUDA/libewf-20160424/common'
make all-am
make[2]: Entering directory/home/HUDA/libewf-20160424/common' make[2]: Leaving directory
/home/HUDA/libewf-20160424/common'
make[1]: Leaving directory/home/HUDA/libewf-20160424/common' Making all in libcstring make[1]: Entering directory
/home/HUDA/libewf-20160424/libcstring'
/bin/sh ../libtool --tag=CC --mode=link gcc -g -O2 -Wall -o libcstring.la libcstring_support.lo libcstring_wide_string.lo -lbz2 -lz
libtool: link: rm -fr .libs/libcstring.lax
libtool: link: lib -OUT:.libs/libcstring.lib .libs/libcstring_support.o .libs/libcstring_wide_string.o
make[1]: Leaving directory `/home/HUDA/libewf-20160424/libcstring'
and error messages
../libtool: line 1095: lib: command not found
make[1]: *** [libcstring.la] Error 127
make: *** [all-recursive] Error 1
i google
lib: command not found
but no one work. any one know this issue?
my OS is win7 64-bit, and i am not sure if i install mingw 64 bit (there is mingw32 folder inside mingw directory). i don't have any problem while build libewf (same version) in centos. please helpme.
Just tried to download and build current rev under cygwin. It fails with the following error:
make[2]: Entering directory '/cygdrive/c/Users/jm460/Downloads/libewf/libewf-master/libodraw'
/bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../common -I../include -I../common -I../libcstring -I../libcerror -I../libcthreads -I../libcdata -I../libclocale -I../libcnotify -I../libcsplit -I../libuna -I../libcfile -I../libcpath -I../libbfio -D_FILE_OFFSET_BITS=64 -DFUSE_USE_VERSION=26 -D_FILE_OFFSET_BITS=64 -g -O2 -Wall -MT libodraw_cue_parser.lo -MD -MP -MF .deps/libodraw_cue_parser.Tpo -c -o libodraw_cue_parser.lo libodraw_cue_parser.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../common -I../include -I../common -I../libcstring -I../libcerror -I../libcthreads -I../libcdata -I../libclocale -I../libcnotify -I../libcsplit -I../libuna -I../libcfile -I../libcpath -I../libbfio -D_FILE_OFFSET_BITS=64 -DFUSE_USE_VERSION=26 -D_FILE_OFFSET_BITS=64 -g -O2 -Wall -MT libodraw_cue_parser.lo -MD -MP -MF .deps/libodraw_cue_parser.Tpo -c libodraw_cue_parser.c -DDLL_EXPORT -DPIC -o .libs/libodraw_cue_parser.o
libodraw_cue_parser.c: In function 'cue_scanner_parse':
libodraw_cue_parser.c:1544:7: error: too few arguments to function 'cue_scanner_lex'
yychar = yylex ();
^
libodraw_cue_parser.c:416:12: note: declared here
extern int cue_scanner_lex(
^
libodraw_cue_parser.c:1658:30: error: 'parser_state' undeclared (first use in this function)
( (cue_parser_state_t *) parser_state )->error,
^
libodraw_cue_parser.c:1658:30: note: each undeclared identifier is reported only once for each function it appears in
libodraw_cue_parser.c: In function 'cue_parser_parse_buffer':
libodraw_cue_parser.c:2742:8: error: too many arguments to function 'cue_scanner_parse'
&parser_state ) == 0 )
^
libodraw_cue_parser.c:63:25: note: declared here
#define yyparse cue_scanner_parse
^
libodraw_cue_parser.c:1388:1: note: in expansion of macro 'yyparse'
yyparse (void)
^
Makefile:784: recipe for target 'libodraw_cue_parser.lo' failed
make[2]: *** [libodraw_cue_parser.lo] Error 1
make[2]: Leaving directory '/cygdrive/c/Users/jm460/Downloads/libewf/libewf-master/libodraw'
Makefile:697: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/cygdrive/c/Users/jm460/Downloads/libewf/libewf-master/libodraw'
Makefile:824: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
Also, it would be really nice if there was an approved repository of precompiled downloads for Windows. Not everybody has windows compilers other than gnu, and the cygwin build has never worked as far as I'm aware.
Thanks
John
Create encase-7 ex01 files for a 512GB dm-zero device:
echo '0 1000000000 zero' | dmsetup create z1
ewfacquire -C test -u -q -d sha1 -m fixed -f encase7-v2 -c fast -S 200000000 -t test /dev/mapper/z1
This created 7 files, test.Ex01...Ex07, each has a size of nearly 500MB.
Run ewfverify against these files:
ewfverify test.Ex01
The memory usage of ewfverify process grows linearly over time and become nearly 2GB at about 90% of the verification process, causing the whole system to hang up.
This was tested on a 64-bit Ubuntu 14.04.1 system with 2GB RAM.
Could you please update the downloads link ?
The download link on the building page "https://github.com/libyal/libewf/wiki/Building" doesn't work.
Would like to download and build a stable copy.
Cheers.
Brief:
After creating E01 image with libewf, i'm executing following code:
if(libewf_handle_close(ewfHandle, NULL) == -1)
std::cout << "Can't close EWF file handle";
if(libewf_handle_free(&ewfHandle, NULL) == -1)
std::cout << "Can't free EWF file handle";
Before libewf_handle_close i have, as expected, opened handle to %filename%.E01 file.
After execution of libewf_handle_free this code i have opened handle to %filename%.E02 file.
How i'm reproducing this:
How i've fixed this
As long as libewf_handle_free calls libewf_handle_close, i left only call to libewf_handle_free this fixed that trouble - *.e01 handle is being closed, no other files are created. Memory is freed.
Trouble
if( imaging_handle_close(
ewfacquire_imaging_handle,
&error ) != 0 )
{
fprintf(
stderr,
"Unable to close output file(s).\n" );
goto on_error;
}
if( imaging_handle_free(
&ewfacquire_imaging_handle,
&error ) != 1 )
imaging_handle_free after successfull call to imaging_handle_close. This might produce memory leak if imaging_handle_close will fail.
Look at adding Cygwin fuse support to ewfmount
import pyewf
file_object = open("image.E01", "wb")
ewf_handle = pyewf.handle()
ewf_handle.open_file_objects([file_object])
ewf_handle.write("dddddd")
ewf_handle.close()
IOError: pyewf_handle_write_offset: unable to write offset. libewf_handle_write_offset: invalid handle - missing file IO pool
why?
Hello,
libewf fails to build with following error:
libtool: link: gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wall -Wl,-z -Wl,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o .libs/ewfacquirestream byte_size_string.o digest_hash.o ewfacquirestream.o ewfinput.o ewfoutput.o guid.o imaging_handle.o log_handle.o platform.o process_status.o storage_media_buffer.o storage_media_buffer_queue.o -luuid -lcsystem -lcdatetime ../libewf/.libs/libewf.so -L/usr/lib64 -lcdata -lclocale -lcnotify -lcsplit -luna -lcfile -lcpath -lbfio -lfcache -lfdata -lfguid -lfvalue -lz -lbz2 -lhmac -lcaes -lcthreads -lcerror -lcstring
libtool: link: gcc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wall -Wl,-z -Wl,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o .libs/ewfacquire byte_size_string.o digest_hash.o device_handle.o ewfacquire.o ewfinput.o ewfoutput.o guid.o imaging_handle.o log_handle.o platform.o process_status.o storage_media_buffer.o storage_media_buffer_queue.o -lodraw -lsmdev -lsmraw -luuid -lcsystem -lcdatetime ../libewf/.libs/libewf.so -L/usr/lib64 -lcdata -lclocale -lcnotify -lcsplit -luna -lcfile -lcpath -lbfio -lfcache -lfdata -lfguid -lfvalue -lz -lbz2 -lhmac -lcaes -lcthreads -lcerror -lcstring
../libewf/.libs/libewf.so: undefined reference to `libcstring_narrow_string_compare'
collect2: error: ld returned 1 exit status
Makefile:1203: recipe for target 'ewfdebug' failed
I guess it is the same issue as patched in the pull request #46
The 'include
Best regards
Michal Ambroz
I see that it is possible through check_file_signature_file() to see if an EWF file has checksums, but as far as I can tell there is no function for actually validating the checksum. This would be great, as it appears that the checksum is not equivalent to a checksum of the whole EWF file itself, but of a specific subset of the file.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.