libewf_internal_handle.c

sleuthit-2.09 一个磁盘的工具集

		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_header_value: invalid handle.\n" );

		return( -1 );
	}
	if( identifier == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_header_value: invalid identifier.\n" );

		return( -1 );
	}
	if( internal_handle->header_values == NULL )
	{
		internal_handle->header_values = libewf_header_values_alloc();

		if( internal_handle->header_values == NULL )
		{
			LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_header_value: unable to create header values.\n" );

			return( -1 );
		}
	}
	return( libewf_header_values_set_value( internal_handle->header_values, identifier, value, length ) );
}

/* Sets the hash value specified by the identifier
 * Returns 1 if successful, -1 on error
 */
int8_t libewf_internal_handle_set_hash_value( LIBEWF_INTERNAL_HANDLE *internal_handle, LIBEWF_CHAR *identifier, LIBEWF_CHAR *value, size_t length )
{
	if( internal_handle == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_hash_value: invalid handle.\n" );

		return( -1 );
	}
	if( identifier == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_hash_value: invalid identifier.\n" );

		return( -1 );
	}
	if( internal_handle->hash_values == NULL )
	{
		internal_handle->hash_values = libewf_hash_values_alloc();

		if( internal_handle->hash_values == NULL )
		{
			LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_hash_value: unable to create hash values.\n" );

			return( -1 );
		}
	}
	return( libewf_hash_values_set_value( internal_handle->hash_values, identifier, value, length ) );
}

/* Sets the swap byte pairs, used by both read and write
 * Returns 1 if successful, -1 on error
 */
int8_t libewf_internal_handle_set_swap_byte_pairs( LIBEWF_INTERNAL_HANDLE *internal_handle, uint8_t swap_byte_pairs )
{
	if( internal_handle == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_swap_byte_pairs: invalid handle.\n" );

		return( -1 );
	}
	internal_handle->swap_byte_pairs = swap_byte_pairs;

	return( 1 );
}

/* Add a acquiry read error sector to the list
 * Returns 1 if successful, -1 on error
 */
int8_t libewf_internal_handle_add_acquiry_error_sector( LIBEWF_INTERNAL_HANDLE *internal_handle, uint64_t sector, uint32_t amount_of_sectors )
{
	LIBEWF_ERROR_SECTOR *acquiry_error_sectors = NULL;
	uint32_t iterator                          = 0;

	if( internal_handle == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_acquiry_error_sector: invalid handle.\n" );

		return( -1 );
	}
	if( internal_handle->media == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_acquiry_error_sector: invalid handle - missing subhandle media.\n" );

		return( -1 );
	}
	if( internal_handle->acquiry_error_sectors == NULL )
	{
		acquiry_error_sectors = (LIBEWF_ERROR_SECTOR *) libewf_common_alloc( LIBEWF_ERROR_SECTOR_SIZE );
	}
	else
	{
		/* Check if acquiry read error sector is already in list
		 */
		for( iterator = 0; iterator < internal_handle->acquiry_amount_of_errors; iterator++ )
		{
			if( internal_handle->acquiry_error_sectors[ iterator ].sector == sector )
			{
				return( 1 );
			}
		}
		acquiry_error_sectors = (LIBEWF_ERROR_SECTOR *) libewf_common_realloc( internal_handle->acquiry_error_sectors, ( LIBEWF_ERROR_SECTOR_SIZE * ( internal_handle->acquiry_amount_of_errors + 1 ) ) );
	}
	if( acquiry_error_sectors == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_acquiry_error_sector: unable to create acquiry read error sectors.\n" );

		return( -1 );
	}
	internal_handle->acquiry_error_sectors = acquiry_error_sectors;

	internal_handle->acquiry_error_sectors[ internal_handle->acquiry_amount_of_errors ].sector            = sector;
	internal_handle->acquiry_error_sectors[ internal_handle->acquiry_amount_of_errors ].amount_of_sectors = amount_of_sectors;

	internal_handle->acquiry_amount_of_errors++;

	return( 1 );
}

/* Add a CRC error sector to the list
 * Returns 1 if successful, -1 on error
 */
int8_t libewf_internal_handle_add_crc_error_chunk( LIBEWF_INTERNAL_HANDLE *internal_handle, uint32_t chunk ) 
{
	LIBEWF_ERROR_SECTOR *crc_error_sectors = NULL;
	uint64_t sector                        = 0;
	uint32_t iterator                      = 0;

	if( internal_handle == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_crc_error_chunk: invalid handle.\n" );

		return( -1 );
	}
	if( internal_handle->media == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_crc_error_chunk: invalid handle - missing subhandle media.\n" );

		return( -1 );
	}
	if( internal_handle->read == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_crc_error_chunk: invalid handle - missing subhandle read.\n" );

		return( -1 );
	}
	sector = (uint64_t) chunk * (uint64_t) internal_handle->media->sectors_per_chunk;

	if( internal_handle->read->crc_error_sectors == NULL )
	{
		crc_error_sectors = (LIBEWF_ERROR_SECTOR *) libewf_common_alloc( LIBEWF_ERROR_SECTOR_SIZE );
	}
	else
	{
		/* Check if CRC error is already in list
		 */
		for( iterator = 0; iterator < internal_handle->read->crc_amount_of_errors; iterator++ )
		{
			if( internal_handle->read->crc_error_sectors[ iterator ].sector == sector )
			{
				return( 1 );
			}
		}
		crc_error_sectors = (LIBEWF_ERROR_SECTOR *) libewf_common_realloc( internal_handle->read->crc_error_sectors, ( internal_handle->read->crc_amount_of_errors + 1 ) );
	}
	if( crc_error_sectors == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_set_crc_error_chunk: unable to create CRC error sectors.\n" );

		return( -1 );
	}
	internal_handle->read->crc_error_sectors = crc_error_sectors;

	internal_handle->read->crc_error_sectors[ internal_handle->read->crc_amount_of_errors ].sector            = sector;
	internal_handle->read->crc_error_sectors[ internal_handle->read->crc_amount_of_errors ].amount_of_sectors = internal_handle->media->sectors_per_chunk;

	internal_handle->read->crc_amount_of_errors++;

	return( 1 );
}

/* Determines the EWF file format based on known characteristics
 * Returns 1 if the format was determined, -1 on errror
 */
int8_t libewf_internal_handle_determine_format( LIBEWF_INTERNAL_HANDLE *internal_handle )
{
	if( internal_handle == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: invalid handle.\n" );

		return( -1 );
	}
	if( internal_handle->ewf_format == EWF_FORMAT_S01 )
	{
		/* The format identifier for the EWF-S01 format was already set
		 * while reading the volume section
		 */
	}
	else if( internal_handle->ewf_format == EWF_FORMAT_E01 )
	{
		if( internal_handle->xheader != NULL )
		{
			internal_handle->format = LIBEWF_FORMAT_EWFX;
		}
		/* The header2 in raw format starts with 0xff 0xfe <number>
		 */
		else if( internal_handle->header2 != NULL )
		{
			if( internal_handle->header2[ 2 ] == (EWF_CHAR) '3' )
			{
				/* The EnCase5 header2 contains av on the 6th position (0x36 ... 0x38 ...)
				 * the header2 is an UTF16 string
				 */
				if( ( internal_handle->header2[ 36 ] == (EWF_CHAR) 'a' ) && ( internal_handle->header2[ 38 ] == (EWF_CHAR) 'v' ) )
				{
					internal_handle->format = LIBEWF_FORMAT_ENCASE5;
				}
				else if( ( internal_handle->header2[ 36 ] == (EWF_CHAR) 'm' ) && ( internal_handle->header2[ 38 ] == (EWF_CHAR) 'd' ) )
				{
					internal_handle->format = LIBEWF_FORMAT_ENCASE6;
				}
				else
				{
					LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: unsupported header2 format: %c%c.\n", (char) internal_handle->header2[ 36 ], (char) internal_handle->header2[ 38 ] );

					return( -1 );
				}
			}
			else if( internal_handle->header2[ 2 ] == (EWF_CHAR) '1' )
			{
				internal_handle->format = LIBEWF_FORMAT_ENCASE4;
			}
			else
			{
				LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: unsupported header2 version: %c.\n", (char) internal_handle->header2[ 2 ] );

				return( -1 );
			}
		}
		else if( internal_handle->header != NULL )
		{
			if( internal_handle->header[ 0 ] == (EWF_CHAR) '3' )
			{
				/* The linen5 header2 contains av on the 6th position (0x17 0x18)
				 * the header2 is an UTF16 string
				 */
				if( ( internal_handle->header[ 17 ] == (EWF_CHAR) 'a' ) && ( internal_handle->header[ 18 ] == (EWF_CHAR) 'v' ) )
				{
					internal_handle->format = LIBEWF_FORMAT_LINEN5;
				}
				else if( ( internal_handle->header[ 17 ] == (EWF_CHAR) 'm' ) && ( internal_handle->header[ 18 ] == (EWF_CHAR) 'd' ) )
				{
					internal_handle->format = LIBEWF_FORMAT_LINEN6;
				}
				else
				{
					LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: unsupported header format: %c%c.\n", (char) internal_handle->header[ 17 ], (char) internal_handle->header[ 18 ] );

					return( -1 );
				}
			}
			else if( internal_handle->header[ 0 ] == (EWF_CHAR) '1' )
			{
				/* EnCase uses \r\n
				 */
				if( internal_handle->header[ 1 ] == (EWF_CHAR) '\r' )
				{
					if( internal_handle->header[ 25 ] == (EWF_CHAR) 'r' )
					{
						internal_handle->format = LIBEWF_FORMAT_ENCASE1;
					}
					else if( internal_handle->header[ 31 ] == (EWF_CHAR) 'r' )
					{
						internal_handle->format = LIBEWF_FORMAT_ENCASE2;
					}
					else
					{
						LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: unsupported header version.\n" );

						return( -1 );
					}
				}
				/* FTK Imager uses \n
				 */
				else if( internal_handle->header[ 1 ] == (EWF_CHAR) '\n' )
				{
					if( internal_handle->header[ 29 ] == (EWF_CHAR) 'r' )
					{
						internal_handle->format = LIBEWF_FORMAT_FTK;
					}
					else
					{
						LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: unsupported header version.\n" );

						return( -1 );
					}
				}
				else
				{
					LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: unsupported header version.\n" );

					return( -1 );
				}
			}
			else
			{
				LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: unsupported header version.\n" );

				return( -1 );
			}
		}
		else
		{
			LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: missing header information.\n" );

			return( -1 );
		}
	}
	else if( internal_handle->ewf_format == EWF_FORMAT_L01 )
	{
		internal_handle->format = LIBEWF_FORMAT_LVF;
	}
	else
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_determine_format: unsupported EWF file format.\n" );

		return( -1 );
	}
	return( 1 );
}

/* Create the default header values
 * Returns 1 on success, -1 on error
 */
int8_t libewf_internal_handle_create_header_values( LIBEWF_INTERNAL_HANDLE *internal_handle )
{
	LIBEWF_CHAR *case_number              = _S_LIBEWF_CHAR( "Case Number" );
	LIBEWF_CHAR *description              = _S_LIBEWF_CHAR( "Description" );
	LIBEWF_CHAR *evidence_number          = _S_LIBEWF_CHAR( "Evidence Number" );
	LIBEWF_CHAR *examiner_name            = _S_LIBEWF_CHAR( "Examiner Name" );
	LIBEWF_CHAR *notes                    = _S_LIBEWF_CHAR( "Notes" );
	LIBEWF_CHAR *acquiry_operating_system = _S_LIBEWF_CHAR( "Undetermined" );
	LIBEWF_CHAR *acquiry_software_version = LIBEWF_VERSION;

	if( internal_handle == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: invalid handle.\n" );

		return( -1 );
	}
	if( internal_handle->header_values != NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: header values already created - cleaning up previous header values.\n" );

		libewf_header_values_free( internal_handle->header_values );
	}
	internal_handle->header_values = libewf_header_values_alloc();

	if( internal_handle->header_values == NULL )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: unable to create header values.\n" );

		return( -1 );
	}
	if( libewf_header_values_set_value( internal_handle->header_values, _S_LIBEWF_CHAR( "case_number" ), case_number, libewf_string_length( case_number ) ) != 1 )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: unable to set case number.\n" );

		return( -1 );
	}
	if( libewf_header_values_set_value( internal_handle->header_values, _S_LIBEWF_CHAR( "description" ), description, libewf_string_length( description ) ) != 1 )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: unable to set description.\n" );

		return( -1 );
	}
	if( libewf_header_values_set_value( internal_handle->header_values, _S_LIBEWF_CHAR( "evidence_number" ), evidence_number, libewf_string_length( evidence_number ) ) != 1 )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: unable to set evidence number.\n" );

		return( -1 );
	}
	if( libewf_header_values_set_value( internal_handle->header_values, _S_LIBEWF_CHAR( "examiner_name" ), examiner_name, libewf_string_length( examiner_name ) ) != 1 )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: unable to set examiner name.\n" );

		return( -1 );
	}
	if( libewf_header_values_set_value( internal_handle->header_values, _S_LIBEWF_CHAR( "notes" ), notes, libewf_string_length( notes ) ) != 1 )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: unable to set notes.\n" );

		return( -1 );
	}
	if( libewf_header_values_set_value( internal_handle->header_values, _S_LIBEWF_CHAR( "acquiry_operating_system" ), acquiry_operating_system, libewf_string_length( acquiry_operating_system ) ) != 1 )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: unable to acquiry operating system.\n" );

		return( -1 );
	}
	if( libewf_header_values_set_value( internal_handle->header_values, _S_LIBEWF_CHAR( "acquiry_software_version" ), acquiry_software_version, libewf_string_length( acquiry_software_version ) ) != 1 )
	{
		LIBEWF_WARNING_PRINT( "libewf_internal_handle_create_header_values: unable to acquiry software version.\n" );