LIBEWF PACKAGE

EWFACQUIRE

ewfacquire – writes storage media data from devices and files to EWF files.

Usage

Syntax

       ewfacquire [ -A codepage ] [ -b number_of_sectors ]
                  [ -B number_of_bytes ] [ -c compression_values ]
                  [ -C case_number ] [ -d digest_type ] [ -D description ]
                  [ -e examiner_name ] [ -E evidence_number ] [ -f format ]
                  [ -g number_of_sectors ] [ -l log_filename ]
                  [ -m media_type ] [ -M media_flags ] [ -N notes ]
                  [ -o offset ] [ -p process_buffer_size ]
                  [ -P bytes_per_sector ] [ -r read_error_retries ]
                  [ -S segment_file_size ] [ -t target ] [ -T toc_file ]
                  [ -2 secondary_target ] [ -hqRsuvVw ] source

Options

	-A:     codepage of header section, options: ascii (default),
	        windows-874, windows-932, windows-936, windows-949,
	        windows-950, windows-1250, windows-1251, windows-1252,
	        windows-1253, windows-1254, windows-1255, windows-1256,
	        windows-1257 or windows-1258
	-b:     specify the number of sectors to read at once (per chunk),
	        options: 16, 32, 64 (default), 128, 256, 512, 1024, 2048, 4096,
	        8192, 16384 or 32768
	-B:     specify the number of bytes to acquire (default is all bytes)
	-c:     specify the compression values as: level or method:level
	        compression method options: deflate (default), bzip2
	        (bzip2 is only supported by EWF2 formats)
	        compression level options: none (default), empty-block,
	        fast or best
	-C:     specify the case number (default is case_number).
	-d:     calculate additional digest (hash) types besides md5, options:
	        sha1, sha256
	-D:     specify the description (default is description).
	-e:     specify the examiner name (default is examiner_name).
	-E:     specify the evidence number (default is evidence_number).
	-f:     specify the EWF file format to write to, options: ewf, smart,
	        ftk, encase2, encase3, encase4, encase5, encase6 (default),
	        encase7, encase7-v2, linen5, linen6, linen7, ewfx
	-g:     specify the number of sectors to be used as error granularity
	-h:     shows this help
	-l:     logs acquiry errors and the digest (hash) to the log_filename
	-m:     specify the media type, options: fixed (default), removable,
	        optical, memory
	-M:     specify the media flags, options: logical, physical (default)
	-N:     specify the notes (default is notes).
	-o:     specify the offset to start to acquire (default is 0)
	-p:     specify the process buffer size (default is the chunk size)
	-P:     specify the number of bytes per sector (default is 512)
	        (use this to override the automatic bytes per sector detection)
	-q:     quiet shows minimal status information
	-r:     specify the number of retries when a read error occurs (default
	        is 2)
	-R:     resume acquiry at a safe point
	-s:     swap byte pairs of the media data (from AB to BA)
	        (use this for big to little endian conversion and vice versa)
	-S:     specify the segment file size in bytes (default is 1.4 GiB)
	        (minimum is 1.0 MiB, maximum is 7.9 EiB for encase6
	        and encase7 format and 1.9 GiB for other formats)
	-t:     specify the target file (without extension) to write to
	-T:     specify the file containing the table of contents (TOC) of
	        an optical disc. The TOC file must be in the CUE format.
	-u:     unattended mode (disables user interaction)
	-v:     verbose output to stderr
	-V:     print version
	-w:     zero sectors on read error (mimic EnCase like behavior)
	-2:     specify the secondary target file (without extension) to write
	        to

Example

cyborg@cyborg:~$ ewfacquire a.raw
ewfacquire 20130416

Storage media information:
Type:					RAW image
Media size:				9.9 KB (9965 bytes)
Bytes per sector:			512

Acquiry parameters required, please provide the necessary input
Image path and filename without extension: 
Target is required, please try again or terminate using Ctrl^C.
Image path and filename without extension: /home/cyborg/a
Case number: 140
Description: new file evidence
Evidence number: 104020
Examiner name: ztrela
Notes: test evidence
Media type (fixed, removable, optical, memory) [fixed]: fixed
Media characteristics (logical, physical) [physical]: physical
Use EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase6]: ewf
Compression method (deflate) [deflate]: deflate
Compression level (none, empty-block, fast, best) [none]: fast
Start to acquire at offset (0 <= value <= 9965) [0]: 19
The number of bytes to acquire (0 <= value <= 9946) [9946]: 1100
Evidence segment file size in bytes (1.0 MiB <= value <= 1.9 GiB) [1.4 GiB]: 
The number of bytes per sector (1 <= value <= 4294967295) [512]: 
The number of sectors to read at once (16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]: 
The number of sectors to be used as error granularity (1 <= value <= 64) [64]: 
The number of retries when a read error occurs (0 <= value <= 255) [2]: 
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [no]: 

The following acquiry parameters were provided:
Image path and filename:		/home/cyborg/a.raw.e01
Case number:				140
Description:				new file evidence
Evidence number:			104020
Examiner name:				ztrela
Notes:					test evidence
Media type:				fixed disk
Is physical:				yes
EWF file format:			original EWF (.e01)
Compression method:			deflate
Compression level:			fast
Acquiry start offset:			19
Number of bytes to acquire:		1.0 KiB (1100 bytes)
Evidence segment file size:		1.4 GiB (1572864000 bytes)
Bytes per sector:			512
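The interactive session above shows the bounds ewfacquire enforces on its prompts. As an added example (not libewf code and not part of this page's sessions), the Python below composes an unattended (-u) ewfacquire command line and checks those documented constraints first: -b must be one of the listed chunk sizes, -g may not exceed the sectors per chunk, and -S must stay within the segment size limits of the chosen format. The device, target path and case details are assumed.

```python
# Added example, not libewf code: the limits below are taken from the option
# list and interactive prompts shown above for ewfacquire.
import shlex

CHUNK_SECTORS = {16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768}
FORMATS = {"ewf", "smart", "ftk", "encase2", "encase3", "encase4", "encase5",
           "encase6", "encase7", "encase7-v2", "linen5", "linen6", "linen7", "ewfx"}
SEGMENT_MIN = 1024 ** 2                        # 1.0 MiB
SEGMENT_MAX_ENCASE67 = int(7.9 * 1024 ** 6)    # 7.9 EiB for encase6/encase7
SEGMENT_MAX_OTHER = int(1.9 * 1024 ** 3)       # 1.9 GiB for the other formats
HEADER_FLAGS = {"case": "-C", "evidence": "-E", "examiner": "-e",
                "description": "-D", "notes": "-N"}


def build_ewfacquire_argv(source, target, *, fmt="encase6", sectors_per_chunk=64,
                          error_granularity=64, segment_size=1572864000,
                          digest=None, log_file=None, zero_on_error=False, **header):
    """Return argv for an unattended (-u) acquisition, or raise ValueError.
    Keyword args named in HEADER_FLAGS (case, evidence, ...) become -C/-E/-e/-D/-N."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown EWF format: {fmt}")
    if sectors_per_chunk not in CHUNK_SECTORS:
        raise ValueError(f"-b must be one of {sorted(CHUNK_SECTORS)}")
    # The -g prompt allows 1 <= value <= sectors per chunk.
    if not 1 <= error_granularity <= sectors_per_chunk:
        raise ValueError("-g must lie between 1 and the sectors per chunk")
    seg_max = SEGMENT_MAX_ENCASE67 if fmt in ("encase6", "encase7") else SEGMENT_MAX_OTHER
    if not SEGMENT_MIN <= segment_size <= seg_max:
        raise ValueError(f"-S must lie between {SEGMENT_MIN} and {seg_max} for {fmt}")
    if digest not in (None, "sha1", "sha256"):
        raise ValueError("-d accepts sha1 or sha256 (md5 is always calculated)")
    argv = ["ewfacquire", "-u", "-f", fmt, "-b", str(sectors_per_chunk),
            "-g", str(error_granularity), "-S", str(segment_size)]
    if digest:
        argv += ["-d", digest]
    if log_file:                  # -l records read errors and the hashes
        argv += ["-l", log_file]
    if zero_on_error:             # -w: write zeros for unreadable sectors
        argv.append("-w")
    for key, value in header.items():
        if key not in HEADER_FLAGS:
            raise ValueError(f"unknown header field: {key}")
        argv += [HEADER_FLAGS[key], str(value)]
    return argv + ["-t", target, source]


if __name__ == "__main__":
    # Assumed device and target paths; ewfacquire itself is not started here.
    argv = build_ewfacquire_argv("/dev/sdb", "/cases/140/evidence", digest="sha256",
                                 log_file="/cases/140/acquire.log", case="140",
                                 evidence="104020", examiner="ztrela")
    print(shlex.join(argv))
```

The returned list can be handed to subprocess.run as-is; the printed form is only for review before the acquisition is started.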


EWFACQUIRESTREAM

ewfacquirestream – writes data from stdin to EWF files.

Usage

Syntax

       ewfacquirestream [ -A codepage ] [ -b number_of_sectors ]
                        [ -B number_of_bytes ] [ -c compression_values ]
                        [ -C case_number ] [ -d digest_type ]
                        [ -D description ] [ -e examiner_name ]
                        [ -E evidence_number ] [ -f format ]
                        [ -l log_filename ] [ -m media_type ]
                        [ -M media_flags ] [ -N notes ]
                        [ -o offset ] [ -p process_buffer_size ]
                        [ -P bytes_per_sector ] [ -S segment_file_size ]
                        [ -t target ] [ -2 secondary_target ]
                        [ -hqsvV ]

Options

	-A: codepage of header section, options: ascii (default),
	    windows-874, windows-932, windows-936, windows-949,
	    windows-950, windows-1250, windows-1251, windows-1252,
	    windows-1253, windows-1254, windows-1255, windows-1256,
	    windows-1257 or windows-1258
	-b: specify the number of sectors to read at once (per chunk), options:
	    16, 32, 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384
	    or 32768
	-B: specify the number of bytes to acquire (default is all bytes)
	-c: specify the compression values as: level or method:level
	    compression method options: deflate (default), bzip2
	    (bzip2 is only supported by EWF2 formats)
	    compression level options: none (default), empty-block,
	    fast or best
	-C: specify the case number (default is case_number).
	-d: calculate additional digest (hash) types besides md5, options:
	    sha1, sha256
	-D: specify the description (default is description).
	-e: specify the examiner name (default is examiner_name).
	-E: specify the evidence number (default is evidence_number).
	-f: specify the EWF file format to write to, options: ftk, encase2,
	    encase3, encase4, encase5, encase6 (default), encase7, linen5,
	    linen6, linen7, ewfx
	-h: shows this help
	-l: logs acquiry errors and the digest (hash) to the log_filename
	-m: specify the media type, options: fixed (default), removable,
	    optical, memory
	-M: specify the media flags, options: logical, physical (default)
	-N: specify the notes (default is notes).
	-o: specify the offset to start to acquire (default is 0)
	-p: specify the process buffer size (default is the chunk size)
	-P: specify the number of bytes per sector (default is 512)
	-q: quiet shows minimal status information
	-s: swap byte pairs of the media data (from AB to BA)
	    (use this for big to little endian conversion and vice versa)
	-S: specify the segment file size in bytes (default is 1.4 GiB)
	    (minimum is 1.0 MiB, maximum is 7.9 EiB for encase6 and
	    encase7 format and 1.9 GiB for other formats)
	-t: specify the target file (without extension) to write to (default
	    is image)
	-v: verbose output to stderr
	-V: print version
	-2: specify the secondary target file (without extension) to write to

Example

cyborg@cyborg:~$ ewfacquirestream a.raw
ewfacquirestream 20130416

Using the following acquiry parameters:
Image path and filename:		image.E01
Case number:				case_number
Description:				description
Evidence number:			evidence_number
Examiner name:				examiner_name
Notes:					notes
Media type:				fixed disk
Is physical:				yes
EWF file format:			EnCase 6 (.E01)
Compression method:			deflate
Compression level:			none
Acquiry start offset:			0
Number of bytes to acquire:		0 (until end of input)
Evidence segment file size:		1.4 GiB (1572864000 bytes)
Bytes per sector:			512
Block size:				64 sectors
Error granularity:			64 sectors
Retries on read error:			2
Zero sectors on read error:		no

Acquiry started at: Sat Oct 17 13:36:19 2015

This could take a while.


Status: acquired 1 bytes
        in 0 second(s).


EWFEXPORT

ewfexport – exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.

Usage

Syntax

       ewfexport [ -A codepage ] [ -b number_of_sectors ]
                 [ -B number_of_bytes ] [ -c compression_values ]
                 [ -d digest_type ] [ -f format ] [ -l log_filename ]
                 [ -o offset ] [ -p process_buffer_size ]
                 [ -S segment_file_size ] [ -t target ] [ -hqsuvVw ] ewf_files

Options

	-A:        codepage of header section, options: ascii (default),
	           windows-874, windows-932, windows-936, windows-949,
	           windows-950, windows-1250, windows-1251, windows-1252,
	           windows-1253, windows-1254, windows-1255, windows-1256,
	           windows-1257 or windows-1258
	-b:        specify the number of sectors to read at once (per chunk),
	           options: 16, 32, 64 (default), 128, 256, 512, 1024, 2048,
	           4096, 8192, 16384 or 32768 (not used for raw and files
	           formats)
	-B:        specify the number of bytes to export (default is all bytes)
	-c:        specify the compression values as: level or method:level
	           compression method options: deflate (default), bzip2
	           (bzip2 is only supported by EWF2 formats)
	           compression level options: none (default), empty-block,
	           fast or best
	-d:        calculate additional digest (hash) types besides md5,
	           options: sha1, sha256 (not used for raw and files format)
	-f:        specify the output format to write to, options:
	           raw (default), files (restricted to logical volume files), ewf,
	           smart, encase1, encase2, encase3, encase4, encase5, encase6,
	           encase7, encase7-v2, linen5, linen6, linen7, ewfx
	-h:        shows this help
	-l:        logs export errors and the digest (hash) to the log_filename
	-o:        specify the offset to start the export (default is 0)
	-p:        specify the process buffer size (default is the chunk size)
	-q:        quiet shows minimal status information
	-s:        swap byte pairs of the media data (from AB to BA)
	           (use this for big to little endian conversion and vice
	           versa)
	-S:        specify the segment file size in bytes (default is 1.4 GiB)
	           (minimum is 1.0 MiB, maximum is 7.9 EiB for raw, encase6
	           and encase7 format and 1.9 GiB for other formats)
	           (not used for files format)
	-t:        specify the target file to export to, use - for stdout
	           (default is export) stdout is only supported for the raw
	           format
	-u:        unattended mode (disables user interaction)
	-v:        verbose output to stderr
	-V:        print version
	-w:        zero sectors on checksum error (mimic EnCase like behavior)

Example

cyborg@cyborg:~$ ewfexport -B 100 fileewf.E01
ewfexport 20130416

Information for export required, please provide the necessary input
Export to format (raw, files, ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, encase7, encase7-v2, linen5, linen6, linen7, ewfx) [raw]: ewf
Target path and filename without extension: newfilewf
Compression method (deflate) [deflate]: deflate
Compression level (none, empty-block, fast, best) [none]: fast
Evidence segment file size in bytes (1.0 MiB <= value <= 1.9 GiB) [1.4 GiB]: 
The number of sectors to read at once (16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]: 128
Start export at offset (0 <= value <= 2141356032) [0]: 

Export started at: Tue Oct 20 09:56:40 2015

This could take a while.

Status: at 0%.
        exported 32 KiB (32768 bytes) of total 100 bytes.

Export completed at: Tue Oct 20 09:56:41 2015

Written: 32 KiB (32768 bytes) in 1 second(s) with 32 KiB/s (32768 bytes/second).
MD5 hash calculated over data:		eed61c4e466d59fe4bccb5dd785368a5
ewfexport: SUCCESS


EWFINFO

ewfinfo – shows the metadata in EWF files.

Usage

Syntax

       ewfinfo [ -A codepage ] [ -d date_format ] [ -f format ]
               [ -ehimvVx ] ewf_files

Options

	-A:        codepage of header section, options: ascii (default),
	           windows-874, windows-932, windows-936, windows-949,
	           windows-950, windows-1250, windows-1251, windows-1252,
	           windows-1253, windows-1254, windows-1255, windows-1256,
	           windows-1257 or windows-1258
	-d:        specify the date format, options: ctime (default),
	           dm (day/month), md (month/day), iso8601
	-e:        only show EWF read error information
	-f:        specify the output format, options: text (default),
	           dfxml
	-h:        shows this help
	-i:        only show EWF acquiry information
	-m:        only show EWF media information
	-v:        verbose output to stderr
	-V:        print version

Example

cyborg@cyborg:~$ ewfinfo fileewf.E01
ewfinfo 20130416

Acquiry information
	Case number:		1
	Description:		4454d
	Examiner name:		ztrela
	Evidence number:	45
	Notes:			ss
	Acquisition date:	Tue Oct 20 04:19:42 2015
	System date:		Tue Oct 20 04:19:42 2015
	Operating system used:	Windows 7
	Software version used:	ADI3.4.0.1
	Password:		N/A

EWF information
	File format:		FTK Imager
	Sectors per chunk:	64
	Compression method:	deflate
	Compression level:	no compression
	Is corrupted:		yes

Media information
	Media type:		fixed disk
	Is physical:		yes
	Bytes per sector:	512
	Number of sectors:	4182336
	Media size:		1.9 GiB (2141356032 bytes)


EWFVERIFY

ewfverify – verifies the storage media data in EWF files.

Usage

Syntax

       ewfverify [ -A codepage ] [ -d digest_type ] [ -f format ]
                 [ -l log_filename ] [ -p process_buffer_size ]
                 [ -hqvVw ] ewf_files

Options

	-A:        codepage of header section, options: ascii (default),
	           windows-874, windows-932, windows-936, windows-949,
	           windows-950, windows-1250, windows-1251, windows-1252,
	           windows-1253, windows-1254, windows-1255, windows-1256,
	           windows-1257 or windows-1258
	-d:        calculate additional digest (hash) types besides md5,
	           options: sha1, sha256
	-f:        specify the input format, options: raw (default),
	           files (restricted to logical volume files)
	-h:        shows this help
	-l:        logs verification errors and the digest (hash) to the
	           log_filename
	-p:        specify the process buffer size (default is the chunk size)
	-q:        quiet shows minimal status information
	-v:        verbose output to stderr
	-V:        print version
	-w:        zero sectors on checksum error (mimic EnCase like behavior)

Example

cyborg@cyborg:~$ ewfverify -d md5 fileewf.E01
ewfverify 20130416

Verify started at: Tue Oct 20 10:00:14 2015

This could take a while.

Status: at 0%.
        verified 32 KiB (32768 bytes) of total 1.9 GiB (2141356032 bytes).

Status: at 4%.
        verified 81 MiB (85655552 bytes) of total 1.9 GiB (2141356032 bytes).

Status: at 5%.
        verified 102 MiB (107085824 bytes) of total 1.9 GiB (2141356032 bytes).

Status: at 9%.
        verified 183 MiB (192741376 bytes) of total 1.9 GiB (2141356032 bytes).

Status: at 10%.
        verified 204 MiB (214138880 bytes) of total 1.9 GiB (2141356032 bytes).

Status: at 11%.
        verified 224 MiB (235569152 bytes) of total 1.9 GiB (2141356032 bytes).

Status: at 12%.
        verified 245 MiB (256966656 bytes) of total 1.9 GiB (2141356032 bytes).
        completion in 7 second(s) with 255 MiB/s (267669504 bytes/second).

Status: at 32%.
        verified 657 MiB (689209344 bytes) of total 1.9 GiB (2141356032 bytes).
        completion in 4 second(s) with 340 MiB/s (356892672 bytes/second).

Status: at 53%.
        verified 1.0 GiB (1135214592 bytes) of total 1.9 GiB (2141356032 bytes).
        completion in 2 second(s) with 408 MiB/s (428271206 bytes/second).

Status: at 73%.
        verified 1.4 GiB (1584529408 bytes) of total 1.9 GiB (2141356032 bytes).
        completion in 1 second(s) with 408 MiB/s (428271206 bytes/second).

Status: at 94%.
        verified 1.9 GiB (2033483776 bytes) of total 1.9 GiB (2141356032 bytes).
        completion in 0 second(s) with 408 MiB/s (428271206 bytes/second).

Verify completed at: Tue Oct 20 10:00:19 2015

Read: 1.9 GiB (2141356032 bytes) in 5 second(s) with 408 MiB/s (428271206 bytes/second).


MD5 hash stored in file:		N/A
MD5 hash calculated over data:		1ed939289212fc079d6ebb56741f1cfd

Unable to verify input.
ewfverify: SUCCESS
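The session above ends with "ewfverify: SUCCESS" even though the file stored no MD5 and the tool printed "Unable to verify input.", and the earlier ewfinfo run reported "Is corrupted: yes". The following Python, an added example rather than libewf code, parses the text that ewfinfo and ewfverify print (the samples are constructed from the sessions on this page) and only accepts an image whose stored and calculated hashes agree and that ewfinfo does not flag as corrupted.

```python
# Added example, not libewf code: a gate that reads the text printed by
# ewfinfo and ewfverify and refuses an image that cannot be verified.
import re

# Sample output constructed from the ewfinfo and ewfverify sessions on this page
SAMPLE_INFO = """EWF information
\tIs corrupted:\t\tyes
Media information
\tMedia size:\t\t1.9 GiB (2141356032 bytes)
"""
SAMPLE_VERIFY = """MD5 hash stored in file:\t\tN/A
MD5 hash calculated over data:\t\t1ed939289212fc079d6ebb56741f1cfd

Unable to verify input.
ewfverify: SUCCESS
"""
# Constructed counterpart for an image whose stored and computed MD5 agree
GOOD_INFO = SAMPLE_INFO.replace("Is corrupted:\t\tyes", "Is corrupted:\t\tno")
GOOD_VERIFY = """MD5 hash stored in file:\t\t1ed939289212fc079d6ebb56741f1cfd
MD5 hash calculated over data:\t\t1ed939289212fc079d6ebb56741f1cfd
ewfverify: SUCCESS
"""

_KV = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")   # "Key:<tabs>Value" lines
_MD5 = re.compile(r"[0-9a-fA-F]{32}")


def parse_kv(text):
    """Collect the Key: Value pairs the libewf tools print, one dict per run."""
    pairs = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(2):
            pairs[m.group(1)] = m.group(2)
    return pairs


def assess(info_text, verify_text):
    """Return (ok, reasons): ok is True only if no check fails."""
    info, ver = parse_kv(info_text), parse_kv(verify_text)
    reasons = []
    if info.get("Is corrupted", "no").lower() == "yes":
        reasons.append("ewfinfo reports the image as corrupted")
    stored = ver.get("MD5 hash stored in file", "N/A")
    calculated = ver.get("MD5 hash calculated over data", "")
    if not _MD5.fullmatch(stored):
        reasons.append("no MD5 stored in the image, so nothing to compare against")
    elif stored.lower() != calculated.lower():
        reasons.append("stored MD5 differs from the MD5 calculated over the data")
    if "Unable to verify input." in verify_text:
        reasons.append("ewfverify reported that it was unable to verify the input")
    # 'ewfverify: SUCCESS' only says the run completed, so it is ignored here.
    return not reasons, reasons
```

assess() returns a reject for the page's own sample and an accept for the constructed clean counterpart; feed it the captured stdout of the two tools for a real image.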