libewf_header_values.c

sleuthit-2.09 一个磁盘的工具集

		if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] == NULL )
		 && ( system_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
		{
			libewf_common_free( system_date );
		}
		*string_length = 0;

		return( NULL );
	}
#ifdef HAVE_WIDE_CHARACTER_TYPE
	if( libewf_string_snprintf( header_string, *string_length,
		_S_LIBEWF_CHAR( "%ls%ls\t%ls\t%ls\t%ls\t%ls\t%ls\t%ls\t%ls\t%ls%ls" ),
		header_string_head, case_number, evidence_number, description, examiner_name,
		notes, acquiry_date, system_date, password_hash, compression_type, header_string_tail ) <= -1 )
#else
	if( libewf_string_snprintf( header_string, *string_length,
		_S_LIBEWF_CHAR( "%s%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s%s" ),
		header_string_head, case_number, evidence_number, description, examiner_name,
		notes, acquiry_date, system_date, password_hash, compression_type, header_string_tail ) <= -1 )
#endif
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type1: unable to set header string.\n" );

		libewf_common_free( header_string );

		if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] == NULL )
		 && ( acquiry_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
		{
			libewf_common_free( acquiry_date );
		}
		if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] == NULL )
		 && ( system_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
		{
			libewf_common_free( system_date );
		}
		*string_length = 0;

		return( NULL );
	}
	if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] == NULL )
	 && ( acquiry_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
	{
		libewf_common_free( acquiry_date );
	}
	if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] == NULL )
	 && ( system_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
	{
		libewf_common_free( system_date );
	}
	/* Make sure the header string is terminated
	 */
	header_string[ *string_length - 1 ] = (LIBEWF_CHAR) '\0';

	return( header_string );
}

/* Generate a header format type 2 (EnCase2, EnCase3, FTK Imager 2)
 * Sets string length
 * Returns a pointer to the new instance, NULL on error
 */
LIBEWF_CHAR *libewf_header_values_generate_header_string_type2( LIBEWF_HEADER_VALUES *header_values, time_t timestamp, int8_t compression_level, LIBEWF_CHAR *header_string_head, LIBEWF_CHAR *header_string_tail, size_t *string_length )
{
	LIBEWF_CHAR *header_string            = NULL;
	LIBEWF_CHAR *case_number              = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *description              = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *examiner_name            = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *evidence_number          = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *notes                    = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *system_date              = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *acquiry_date             = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *acquiry_operating_system = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *acquiry_software_version = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *password_hash            = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *compression_type         = _S_LIBEWF_CHAR( "" );

	if( header_values == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: invalid header values.\n" );

		return( NULL );
	}
	if( header_string_head == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: invalid header string head.\n" );

		return( NULL );
	}
	if( header_string_tail == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: invalid header string tail.\n" );

		return( NULL );
	}
	if( string_length == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: invalid string length.\n" );

		return( NULL );
	}
	if( ( compression_level != EWF_COMPRESSION_NONE ) && ( compression_level != EWF_COMPRESSION_FAST ) && ( compression_level != EWF_COMPRESSION_BEST ) )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: compression level not supported.\n" );

		return( NULL );
	}
	*string_length = libewf_string_length( header_string_head );

	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_CASE_NUMBER ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_CASE_NUMBER ] );
		case_number     = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_CASE_NUMBER ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_DESCRIPTION ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_DESCRIPTION ] );
		description     = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_DESCRIPTION ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EXAMINER_NAME ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EXAMINER_NAME ] );
		examiner_name   = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EXAMINER_NAME ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EVIDENCE_NUMBER ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EVIDENCE_NUMBER ] );
		evidence_number = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EVIDENCE_NUMBER ];
	}
	if(  header_values->values[ LIBEWF_HEADER_VALUES_INDEX_NOTES ] != NULL )
	{
		*string_length += libewf_string_length(  header_values->values[ LIBEWF_HEADER_VALUES_INDEX_NOTES ] );
		notes           =  header_values->values[ LIBEWF_HEADER_VALUES_INDEX_NOTES ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] );
		acquiry_date    = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ];
	}
	else
	{
		acquiry_date = libewf_generate_date_header_value( timestamp );

		if( acquiry_date == NULL )
		{
			LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: unable to generate acquiry date header value.\n" );

			acquiry_date = _S_LIBEWF_CHAR( "" );
		}
		else
		{
			*string_length += libewf_string_length( acquiry_date );
		}
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] );
		system_date     = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ];
	}
	else
	{
		system_date = libewf_generate_date_header_value( timestamp );

		if( system_date == NULL )
		{
			LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: unable to generate system date header value.\n" );

			system_date = _S_LIBEWF_CHAR( "" );
		}
		else
		{
			*string_length += libewf_string_length( system_date );
		}
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_OPERATING_SYSTEM ] != NULL )
	{
		*string_length          += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_OPERATING_SYSTEM ] );
		acquiry_operating_system = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_OPERATING_SYSTEM ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_SOFTWARE_VERSION ] != NULL )
	{
		*string_length          += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_SOFTWARE_VERSION ] );
		acquiry_software_version = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_SOFTWARE_VERSION ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_PASSWORD ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_PASSWORD ] );
		password_hash   = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_PASSWORD ];
	}
	else
	{
		*string_length += 1;
		password_hash   = _S_LIBEWF_CHAR( "0" );
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_COMPRESSION_TYPE ] != NULL )
	{
		*string_length  += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_COMPRESSION_TYPE ] );
		compression_type = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_COMPRESSION_TYPE ];
	}
	else
	{
		if( compression_level == EWF_COMPRESSION_NONE )
		{
			compression_type = (LIBEWF_CHAR *) LIBEWF_COMPRESSION_TYPE_NONE;
		}
		else if( compression_level == EWF_COMPRESSION_FAST )
		{
			compression_type = (LIBEWF_CHAR *) LIBEWF_COMPRESSION_TYPE_FAST;
		}
		else if( compression_level == EWF_COMPRESSION_BEST )
		{
			compression_type = (LIBEWF_CHAR *) LIBEWF_COMPRESSION_TYPE_BEST;
		}
		*string_length += libewf_string_length( compression_type );
	}
	*string_length += libewf_string_length( header_string_tail );

	/* allow for 10x \t and 1x \0
	 */
	*string_length += 11;

	header_string = (LIBEWF_CHAR *) libewf_common_alloc( LIBEWF_CHAR_SIZE * *string_length );

	if( header_string == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: unable to create header string.\n" );

		if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] == NULL )
		 && ( acquiry_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
		{
			libewf_common_free( acquiry_date );
		}
		if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] == NULL )
		 && ( system_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
		{
			libewf_common_free( system_date );
		}
		*string_length = 0;

		return( NULL );
	}
#ifdef HAVE_WIDE_CHARACTER_TYPE
	if( libewf_string_snprintf( header_string, *string_length,
		_S_LIBEWF_CHAR( "%ls%ls\t%ls\t%ls\t%ls\t%ls\t%ls\t%ls\t%ls\t%ls\t%ls\t%ls%ls" ),
		header_string_head, case_number, evidence_number, description, examiner_name,
		notes, acquiry_software_version, acquiry_operating_system, acquiry_date,
		system_date, password_hash, compression_type, header_string_tail ) <= -1 )
#else
	if( libewf_string_snprintf( header_string, *string_length,
		_S_LIBEWF_CHAR( "%s%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s%s" ),
		header_string_head, case_number, evidence_number, description, examiner_name,
		notes, acquiry_software_version, acquiry_operating_system, acquiry_date,
		system_date, password_hash, compression_type, header_string_tail ) <= -1 )
#endif
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type2: unable to set header string.\n" );

		libewf_common_free( header_string );

		if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] == NULL )
		 && ( acquiry_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
		{
			libewf_common_free( acquiry_date );
		}
		if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] == NULL )
		 && ( system_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
		{
			libewf_common_free( system_date );
		}
		*string_length = 0;

		return( NULL );
	}
	if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] == NULL )
	 && ( acquiry_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
	{
		libewf_common_free( acquiry_date );
	}
	if( ( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] == NULL )
	 && ( system_date != (LIBEWF_CHAR *) _S_LIBEWF_CHAR( "" ) ) )
	{
		libewf_common_free( system_date );
	}
	/* Make sure the header string is terminated
	 */
	header_string[ *string_length - 1 ] = (LIBEWF_CHAR) '\0';

	return( header_string );
}

/* Generate a header format type 3 (EnCase4, EnCase5)
 * Sets string length
 * Returns a pointer to the new instance, NULL on error
 */
LIBEWF_CHAR *libewf_header_values_generate_header_string_type3( LIBEWF_HEADER_VALUES *header_values, time_t timestamp, LIBEWF_CHAR *header_string_head, LIBEWF_CHAR *header_string_tail, size_t *string_length )
{
	LIBEWF_CHAR *header_string            = NULL;
	LIBEWF_CHAR *case_number              = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *description              = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *examiner_name            = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *evidence_number          = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *notes                    = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *system_date              = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *acquiry_date             = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *acquiry_operating_system = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *acquiry_software_version = _S_LIBEWF_CHAR( "" );
	LIBEWF_CHAR *password_hash            = _S_LIBEWF_CHAR( "" );

	if( header_values == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type3: invalid header values.\n" );

		return( NULL );
	}
	if( header_string_head == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type3: invalid header string head.\n" );

		return( NULL );
	}
	if( header_string_tail == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type3: invalid header string tail.\n" );

		return( NULL );
	}
	if( string_length == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type3: invalid string length.\n" );

		return( NULL );
	}
	*string_length = libewf_string_length( header_string_head );

	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_CASE_NUMBER ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_CASE_NUMBER ] );
		case_number     = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_CASE_NUMBER ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_DESCRIPTION ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_DESCRIPTION ] );
		description     = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_DESCRIPTION ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EXAMINER_NAME ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EXAMINER_NAME ] );
		examiner_name   = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EXAMINER_NAME ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EVIDENCE_NUMBER ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EVIDENCE_NUMBER ] );
		evidence_number = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_EVIDENCE_NUMBER ];
	}
	if(  header_values->values[ LIBEWF_HEADER_VALUES_INDEX_NOTES ] != NULL )
	{
		*string_length += libewf_string_length(  header_values->values[ LIBEWF_HEADER_VALUES_INDEX_NOTES ] );
		notes           =  header_values->values[ LIBEWF_HEADER_VALUES_INDEX_NOTES ];
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ] );
		acquiry_date    = header_values->values[ LIBEWF_HEADER_VALUES_INDEX_ACQUIRY_DATE ];
	}
	else
	{
		acquiry_date = libewf_generate_date_header_value( timestamp );

		if( acquiry_date == NULL )
		{
			LIBEWF_WARNING_PRINT( "libewf_header_values_generate_header_string_type3: unable to generate acquiry date header value.\n" );

			acquiry_date = _S_LIBEWF_CHAR( "" );
		}
		else
		{
			*string_length += libewf_string_length( acquiry_date );
		}
	}
	if( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] != NULL )
	{
		*string_length += libewf_string_length( header_values->values[ LIBEWF_HEADER_VALUES_INDEX_SYSTEM_DATE ] );
		system_date     = header_val