ewfacquire.c

sleuthit-2.09 一个磁盘的工具集

/*
 * ewfacquire
 * Reads data from a file and writes it in EWF format
 *
 * Copyright (c) 2006-2007, Joachim Metz <forensics@hoffmannbv.nl>,
 * Hoffmann Investigations. All rights reserved.
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * Redistribution and use in source and binary forms, with or without modification,
 * are permitted provided that the following conditions are met:
 *
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 * - Neither the name of the creator, related organisations, nor the names of
 *   its contributors may be used to endorse or promote products derived from
 *   this software without specific prior written permission.
 * - All advertising materials mentioning features or use of this software
 *   must acknowledge the contribution by people stated in the acknowledgements.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER, COMPANY AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include "../libewf/libewf_includes.h"

#include <errno.h>
#include <stdio.h>

#ifdef HAVE_SYS_IOCTL_H
#include <sys/ioctl.h>
#endif

#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif

#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif

#ifdef HAVE_CYGWIN_FS_H
#include <cygwin/fs.h>
#endif

#ifdef HAVE_LINUX_FS_H
#include <linux/fs.h>
#endif

#ifdef HAVE_SYS_DISK_H
#include <sys/disk.h>
#endif

#ifdef HAVE_SYS_DISKLABEL_H
#include <sys/disklabel.h>
#endif

#include <libewf.h>

#include "../libewf/libewf_char.h"
#include "../libewf/libewf_common.h"
#include "../libewf/libewf_notify.h"
#include "../libewf/libewf_string.h"

#include "ewfcommon.h"
#include "ewfgetopt.h"
#include "ewfglob.h"
#include "ewfsignal.h"

/* Prints the executable usage information
 */
void usage( void )
{
	fprintf( stderr, "Usage: ewfacquire [ -d digest_type ] [ -hqsvV ] source\n\n" );

	fprintf( stderr, "\tsource: the source file or device\n\n" );

	fprintf( stderr, "\t-d:     calculate additional digest (hash) types besides md5, options: sha1\n" );
	fprintf( stderr, "\t-h:     shows this help\n" );
	fprintf( stderr, "\t-q:     quiet shows no status information\n" );
	fprintf( stderr, "\t-s:     swap byte pairs of the media data (from AB to BA)\n" );
	fprintf( stderr, "\t        (use this for big to little endian conversion and vice versa)\n" );
	fprintf( stderr, "\t-v:     verbose output to stderr\n" );
	fprintf( stderr, "\t-V:     print version\n" );
}

/* Prints an overview of the user provided input
 * and asks the user for confirmation
 * Return 1 if confirmed by user, 0 otherwise
 */
int confirm_input( CHAR_T *filename, LIBEWF_CHAR *case_number, LIBEWF_CHAR *description, LIBEWF_CHAR *evidence_number, LIBEWF_CHAR *examiner_name, LIBEWF_CHAR *notes, uint8_t media_type, uint8_t volume_type, int8_t compression_level, uint8_t compress_empty_block, uint8_t libewf_format, uint64_t acquiry_offset, uint64_t acquiry_size, uint32_t segment_file_size, uint64_t sectors_per_chunk, uint32_t sector_error_granularity, uint8_t read_error_retry, uint8_t wipe_block_on_read_error )
{
	LIBEWF_CHAR *user_input  = NULL;
	LIBEWF_CHAR *yes_no[ 2 ] = { _S_LIBEWF_CHAR( "yes" ),
				     _S_LIBEWF_CHAR( "no" ) };
	int input_confirmed      = -1;

	fprintf( stdout, "The following acquiry parameters were provided:\n" );

	ewfcommon_acquiry_paramters_fprint( stdout, filename, case_number, description, evidence_number, examiner_name, notes, media_type, volume_type, compression_level, compress_empty_block, libewf_format, acquiry_offset, acquiry_size, segment_file_size, sectors_per_chunk, sector_error_granularity, read_error_retry, wipe_block_on_read_error );

	/* Ask for confirmation
	 */
	while( input_confirmed == -1 )
	{
		user_input = ewfcommon_get_user_input_fixed_value( stdout, _S_LIBEWF_CHAR( "Continue acquiry with these values" ), yes_no, 2, 0 );
	
		if( libewf_string_compare( user_input, _S_LIBEWF_CHAR( "yes" ), 3 ) == 0 )
		{
			input_confirmed = 1;
		}
		else if( libewf_string_compare( user_input, _S_LIBEWF_CHAR( "no" ), 2 ) == 0 )
		{
			input_confirmed = 0;
		}
		else
		{
			fprintf( stdout, "Selected option not supported, please try again or terminate using Ctrl^C.\n" );
		}
		libewf_common_free( user_input );
	}
	fprintf( stdout, "\n" );

	return( input_confirmed );
}

/* Determine the device size using a file descriptor
 */
uint64_t determine_device_size( int file_descriptor )
{
#ifndef DIOCGMEDIASIZE
#ifdef DIOCGDINFO
	struct disklabel disk_label;
#endif
#endif
	uint64_t input_size  = 0;
#ifdef DKIOCGETBLOCKCOUNT
	uint64_t block_count = 0;
	uint32_t block_size  = 0;
#endif
	if( file_descriptor == -1 )
	{
		return( 0 );
	}
#ifdef BLKGETSIZE64
	if( ioctl( file_descriptor, BLKGETSIZE64, &input_size ) == -1 )
	{
		return( 0 );
	}
#else
#ifdef DIOCGMEDIASIZE
	if( ioctl( file_descriptor, DIOCGMEDIASIZE, &input_size ) == -1 )
	{
		return( 0 );
	}
#else
#ifdef DIOCGDINFO
	if( ioctl( file_descriptor, DIOCGDINFO, &disk_label ) == -1 )
	{
		return( 0 );
	}
	input_size = disk_label.d_secperunit * disk_label.d_secsize;
#else
#ifdef DKIOCGETBLOCKCOUNT
	if( ioctl( file_descriptor, DKIOCGETBLOCKSIZE, &block_size ) == -1 )
	{
		return( 0 );
	}
	if( ioctl( file_descriptor, DKIOCGETBLOCKCOUNT, &block_count ) == -1 )
	{
		return( 0 );
	}
#ifdef HAVE_DEBUG_OUTPUT
	fprintf( stderr, "block size: %" PRIu32 " block count: %" PRIu64 " ", block_size, block_count );
#endif
	input_size = block_count * block_size;
#else
	input_size = 0;

#endif /* DKIOCGETBLOCKCOUNT */
#endif /* DIOCGDINFO */
#endif /* DIOCGMEDIASIZE */
#endif /* BLKGETSIZE64 */

#ifdef HAVE_DEBUG_OUTPUT
	fprintf( stderr, "device size: %" PRIu64 "\n", input_size );
#endif
	return( input_size );
}

/* The main program
 */
#ifdef HAVE_WIDE_CHARACTER_SUPPORT_FUNCTIONS
int wmain( int argc, wchar_t * const argv[] )
#else
int main( int argc, char * const argv[] )
#endif
{
	struct stat input_file_stat;

#if defined(HAVE_UUID_UUID_H) && defined(HAVE_LIBUUID)
	uint8_t guid[ 16 ];
#endif
	CHAR_T *filenames[ 1 ]                    = { NULL };

	LIBEWF_HANDLE *handle                     = NULL;
	LIBEWF_CHAR *calculated_md5_hash_string   = NULL;
	LIBEWF_CHAR *calculated_sha1_hash_string  = NULL;
	LIBEWF_CHAR *user_input                   = NULL;
	LIBEWF_CHAR *case_number                  = NULL;
	LIBEWF_CHAR *description                  = NULL;
	LIBEWF_CHAR *evidence_number              = NULL;
	LIBEWF_CHAR *examiner_name                = NULL;
	LIBEWF_CHAR *notes                        = NULL;
	LIBEWF_CHAR *acquiry_operating_system     = NULL;
	LIBEWF_CHAR *acquiry_software_version     = NULL;
	CHAR_T *filename                          = NULL;
	CHAR_T *time_string                       = NULL;
#if defined(HAVE_STRERROR_R) || defined(HAVE_STRERROR)
	CHAR_T *error_string                      = NULL;
#endif
	void *callback                            = &ewfcommon_process_status_fprint;

	INT_T option                              = 0;
	size_t string_length                      = 0;
	time_t timestamp_start                    = 0;
	time_t timestamp_end                      = 0;
	int64_t count                             = 0;
	int64_t segment_file_size                 = 0;
	uint64_t input_size                       = 0;
	uint64_t acquiry_offset                   = 0;
	uint64_t acquiry_size                     = 0;
	uint64_t sectors_per_chunk                = 0;
	uint32_t sector_error_granularity         = 0;
	int8_t compression_level                  = LIBEWF_COMPRESSION_NONE;
	int8_t result_md5_hash                    = 0;
	int8_t result_sha1_hash                   = 0;
	uint8_t media_type                        = LIBEWF_MEDIA_TYPE_FIXED;
	uint8_t volume_type                       = LIBEWF_VOLUME_TYPE_LOGICAL;
	uint8_t compress_empty_block              = 0;
	uint8_t wipe_block_on_read_error          = 0;
	uint8_t libewf_format                     = LIBEWF_FORMAT_UNKNOWN;
	uint8_t read_error_retry                  = 2;
	uint8_t swap_byte_pairs                   = 0;
	uint8_t seek_on_error                     = 1;
	uint8_t calculate_sha1                    = 0;
	uint8_t verbose                           = 0;
	int file_descriptor                       = 0;

	LIBEWF_CHAR *compression_types[ 3 ]       = { _S_LIBEWF_CHAR( "none" ),
						      _S_LIBEWF_CHAR( "fast" ),
						      _S_LIBEWF_CHAR( "best" ) };
	LIBEWF_CHAR *format_types[ 12 ]           = { _S_LIBEWF_CHAR( "ewf" ),
						      _S_LIBEWF_CHAR( "smart" ),
						      _S_LIBEWF_CHAR( "ftk" ),
						      _S_LIBEWF_CHAR( "encase1" ),
						      _S_LIBEWF_CHAR( "encase2" ),
						      _S_LIBEWF_CHAR( "encase3" ),
						      _S_LIBEWF_CHAR( "encase4" ),
						      _S_LIBEWF_CHAR( "encase5" ),
						      _S_LIBEWF_CHAR( "encase6" ),
						      _S_LIBEWF_CHAR( "linen5" ),
						      _S_LIBEWF_CHAR( "linen6" ),
						      _S_LIBEWF_CHAR( "ewfx" ) };
	LIBEWF_CHAR *media_types[ 2 ]             = { _S_LIBEWF_CHAR( "fixed" ),
						      _S_LIBEWF_CHAR( "removable" ) };
	LIBEWF_CHAR *volume_types[ 2 ]            = { _S_LIBEWF_CHAR( "logical" ),
						      _S_LIBEWF_CHAR( "physical" ) };
	LIBEWF_CHAR *sector_per_block_sizes[ 10 ] = { _S_LIBEWF_CHAR( "64" ),
						      _S_LIBEWF_CHAR( "128" ),
						      _S_LIBEWF_CHAR( "256" ),
						      _S_LIBEWF_CHAR( "512" ),
						      _S_LIBEWF_CHAR( "1024" ),
						      _S_LIBEWF_CHAR( "2048" ),
						      _S_LIBEWF_CHAR( "4096" ),
						      _S_LIBEWF_CHAR( "8192" ),
						      _S_LIBEWF_CHAR( "16384" ),
						      _S_LIBEWF_CHAR( "32768" ) };
	LIBEWF_CHAR *yes_no[ 2 ]                  = { _S_LIBEWF_CHAR( "yes" ),
						      _S_LIBEWF_CHAR( "no" ) };

	ewfsignal_initialize();

	ewfcommon_version_fprint( stderr, _S_LIBEWF_CHAR( "ewfacquire" ) );

	while( ( option = ewfgetopt( argc, argv, _S_CHAR_T( "d:hqsvV" ) ) ) != (INT_T) -1 )
	{
		switch( option )
		{
			case (INT_T) '?':
			default:
				fprintf( stderr, "Invalid argument: %" PRIs "\n", argv[ optind ] );

				usage();

				return( EXIT_FAILURE );

			case (INT_T) 'd':
				if( CHAR_T_COMPARE( optarg, _S_CHAR_T( "sha1" ), 4 ) == 0 )
				{
					calculate_sha1 = 1;
				}
				else
				{
					fprintf( stderr, "unsuported digest type.\n" );
				}
				break;

			case (INT_T) 'h':
				usage();

				return( EXIT_SUCCESS );

			case (INT_T) 'q':
				callback = NULL;

				break;

			case (INT_T) 's':
				swap_byte_pairs = 1;

				break;

			case (INT_T) 'v':
				verbose = 1;

				break;

			case (INT_T) 'V':
				ewfcommon_copyright_fprint( stderr );

				return( EXIT_SUCCESS );
		}
	}
	if( optind == argc )
	{
		fprintf( stderr, "Missing source file or device.\n" );

		usage();

		return( EXIT_FAILURE );
	}
	libewf_set_notify_values( stderr, verbose );

	/* Check if to read from stdin
	 */
	if( CHAR_T_COMPARE( argv[ optind ], _S_CHAR_T( "-" ), 1 ) == 0 )
	{
		fprintf( stderr, "Reading from stdin not supported.\n" );

		return( EXIT_FAILURE );
	}
	/* Open the input file or device size
	 */
	file_descriptor = libewf_common_open( argv[ optind ], LIBEWF_OPEN_READ );

	if( file_descriptor == -1 )
	{
#if defined(HAVE_STRERROR_R) || defined(HAVE_STRERROR)
		error_string = libewf_common_strerror( errno );

		if( error_string != NULL )
		{
			fprintf( stderr, "Error opening file or device: %" PRIs " with failure: %" PRIs ".\n", argv[ optind ], error_string );

			libewf_common_free( error_string );
		}
#else
		fprintf( stderr, "Error opening file or device: %" PRIs ".\n", argv[ optind ] );
#endif
		return( EXIT_FAILURE );
	}
	/* Check the input file or device size
	 */
	input_size = 0;

	if( fstat( file_descriptor, &input_file_stat ) != 0 )
	{
		fprintf( stderr, "Unable to get status information of file.\n" );

		return( EXIT_FAILURE );
	}
#ifndef HAVE_WINDOWS_API
	if( S_ISBLK( input_file_stat.st_mode ) || S_ISCHR( input_file_stat.st_mode ) )
	{
		input_size = determine_device_size( file_descriptor );
	}
	else
#endif
	{
		input_size = input_file_stat.st_size;