1ewfacquire LOCAL ewfacquire
2
4 ewfacquire — acquires data in the EWF format
5
7 ewfacquire [-A codepage] [-b number_of_sectors] [-B number_of_bytes]
8 [-c compression_values] [-C case_number] [-d digest_type]
9 [-D description] [-e examiner_name] [-E evidence_number]
10 [-f format] [-g number_of_sectors] [-l log_filename]
11 [-m media_type] [-M media_flags] [-N notes] [-o offset]
12 [-p process_buffer_size] [-P bytes_per_sector]
13 [-r read_error_retries] [-S segment_file_size] [-t target]
14 [-T toc_file] [-2 secondary_target] [-hqRsuvVwx] source
15
17 ewfacquire is a utility to acquire media data from a source and store it
18 in EWF format (Expert Witness Compression Format). ewfacquire acquires
19 media data in a format equivalent to EnCase and FTK imager, including
20 meta data. Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS-X/Darwin
21 ewfacquire supports reading directly from device files. On other plat‐
22 forms ewfacquire can convert a raw (dd) image into the EWF format.
23 ewfacquire is part of the libewf package. libewf is a library to access
25 the Expert Witness Compression Format (EWF).
26 source the source file(s) or device
28 The options are as follows:
30 -A codepage
32 the codepage of header section, options: ascii (default), win‐
33 dows-874, windows-932, windows-936, windows-949, windows-950,
34 windows-1250, windows-1251, windows-1252, windows-1253, win‐
35 dows-1254, windows-1255, windows-1256, windows-1257 or win‐
36 dows-1258
37 -b number_of_sectors
39 the number of sectors to read at once (per chunk), options: 16,
40 32, 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or
41 32768
42 -B number_of_bytes
44 the number of bytes to acquire
45 -c compression_values
47 specify the compression values as: level or method:level compres‐
48 sion method options: deflate (default), bzip2 (bzip2 is only sup‐
49 ported by EWF2 formats) compression level options: none
50 (default), empty-block, fast or best
51 -C case_number
53 the case number (default is case_number)
54 -d digest_type
56 calculate additional digest (hash) types besides md5, options:
57 sha1, sha256
58 -D description
60 the description (default is description)
61 -e examiner_name
63 the examiner name (default is examiner_name)
64 -E evidence_number
66 the evidence number (default is evidence_number)
67 -f format
69 the EWF file format to write to, options: ewf, smart, ftk,
70 encase1, encase2, encase3, encase4, encase5, encase6 (default),
71 encase7, linen5, linen6, linen7, ewfx.
72 -g number_of_sectors
74 the number of sectors to be used as error granularity
75 -h shows this help
77 -l log_filename
79 logs acquiry errors and the digest (hash) to the log filename
80 -m media_type
82 the media type, options: fixed (default), removable, optical,
83 memory
84 -M media_flags
86 the media flags, options: logical, physical (default)
87 -N notes
89 the notes (default is notes)
90 -o offset
92 the offset to start to acquire (default is 0)
93 -p process_buffer_size
95 the process buffer size (default is the chunk size)
96 -P bytes_per_sector
98 the number of bytes per sector (default is 512) (use this to
99 override the automatic bytes per sector detection)
100 -q quiet shows minimal status information
102 -r read_error_retries
104 the number of retries when a read error occurs (default is 2)
105 -R resume acquiry at a safe point
107 -s swap byte pairs of the media data (from AB to BA) (use this for
109 big to little endian conversion and vice versa)
110 -S segment_file_size
112 the segment file size in bytes (default is 1.4 GiB) (minimum is
113 1.0 MiB, maximum is 7.9 EiB for encase6 and encase7 format and
114 1.9 GiB for other formats)
115 -t target
117 the target file (without extension) to write to (default is
118 image)
119 -T toc_file
121 specify the file containing the table of contents (TOC) of an
122 optical disc. The TOC file must be in the CUE format.
123 -u unattended mode (disables user interaction)
125 -v verbose output to stderr
127 -V print version
129 -w zero sectors on read error (mimic EnCase like behavior)
131 -x use the chunk data instead of the buffered read and write func‐
133 tions.
134 -2 secondary_target
136 the secondary target file (without extension) to write to
137 ewfacquire will read from a file or device until it encounters a read
139 error. On read error it will retry the number of retries specified. If
140 ewfacquire still is unable to read and, if specified, it will zero (wipe)
141 the the remainder of the number of sectors specified as error granular‐
142 ity. If ewfacquire should mimic EnCase it will zero all of sectors speci‐
143 fied as error granularity.
144 Empty block compression detects blocks of sectors with entirely the same
146 byte data and compresses them using the default compression level.
147 The encase6 and encase7 format allows for segment files greater than 2
149 GiB (2147483648 bytes).
150
152 None
153
155 None
156
158 ewfacquire can either image devices, (split) RAW image file(s) or optical
159 disc (split) RAW image files. ewfacquire will try to detect device
160 information, but results may vary per platform. In attended mode
161 (default) ewfacquire will ask for the information it requires.
162 To image a floppy:
164 # ewfacquire /dev/fd0
165 ewfacquire 20120805
166 Device information:
168 Bus type:
169 Vendor: Y-E DATA
170 Model: USB-FDU
171 Serial:
172 Storage media information:
174 Type: Device
175 Media size: 1.4 MB (1474560 bytes)
176 Bytes per sector: 512
177 Information about acquiry required, please provide the necessary input
179 Image path and filename without extension: floppy
180 Case number: 1
181 Description: Floppy
182 Evidence number: 1.1
183 Examiner name: John D.
184 Notes: Just a floppy in my system
185 Media type (fixed, removable, optical, memory) [fixed]: removable
186 Media characteristics (logical, physical) [logical]:
187 Use EWF file format (smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, encase7, linen5, linen6, linen7, ewfx) [encase6]: encase5
188 Compression method (deflate) [deflate]:
189 Compression level (none, empty-block, fast, best) [none]:
190 Start to acquire at offset (0 <= value <= 1474560) [0]:
191 The number of bytes to acquire (0 <= value <= 1474560) [1474560]:
192 Evidence segment file size in bytes (1.0 MiB <= value <= 1.9 GiB) [1.4 GiB]:
193 The number of bytes per sector (1 <= value <= 4294967295) [512]:
194 The number of sectors to read at once (16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]:
195 The number of sectors to be used as error granularity (1 <= value <= 64) [64]:
196 The number of retries when a read error occurs (0 <= value <= 255) [2]:
197 Zero sectors on read error (mimic EnCase like behavior) (yes, no) [no]:
198 The following information was provided:
200 Image path and filename: floppy.E01
201 Case number: 1
202 Description: Floppy
203 Evidence number: 1.1
204 Examiner name: John D.
205 Notes: Just a floppy in my system
206 Media type: removable
207 Is physical: no
208 EWF file format: Encase 5 (.E01)
209 Compression method: deflate
210 Compression level: none
211 Acquiry start offset: 0
212 Number of bytes to acquire: 1.4 MiB (1474560 bytes)
213 Evidence segment file size: 1.4 GiB (1572864000 bytes)
214 Bytes per sector: 512
215 Block size: 64 sectors
216 Error granularity: 64 sectors
217 Retries on read error: 2
218 Zero sectors on read error: no
219 Continue acquiry with these values (yes, no) [yes]:
221 Acquiry started at: Sun Aug 5 11:32:41 2012
223 This could take a while.
225 Status: at 2%.
227 acquired 32 kB (32768 bytes) of total 1.4 MiB (1474560 bytes).
228 ...
230 Status: at 100%.
232 acquired 1.4 MiB (1474560 bytes) of total 1.4 MiB (1474560 bytes).
233 completion in 1 second(s) with 1 MiB/s (1474560 bytes/second).
234 Acquiry completed at: Sun Aug 5 11:32:42 2012
236 Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).
238 MD5 hash calculated over data: ae1ce8f5ac079d3ee93f97fe3792bda3
240 To convert a split RAW image into an EWF image:
243 # ewfacquire usb256.raw.0??
244 ewfacquire 20120805
245 Storage media information:
247 Type: RAW image
248 Media size: 262 MB (262144000 bytes)
249 Bytes per sector: 512
250 ...
252 To convert an optical disc RAW image with a table of contents file into an
255 EWF image:
256 # ewfacquire -T cdrom.cue cdrom.iso
257 ewfacquire 20120805
258 Storage media information:
260 Type: Optical disc RAW image
261 Media size: 42 MB (42885120 bytes)
262 Bytes per sector: 2048
263 Sessions:
264 total number: 2
265 at sector(s): 0 - 20619 number: 20620
266 at sector(s): 20620 - 20939 number: 320
267 ...
269
272 Errors, verbose and debug output are printed to stderr when verbose out‐
273 put -v is enabled. Verbose and debug output are only printed when enabled
274 at compilation.
275
277 Please report bugs of any kind to <joachim.metz@gmail.com> or on the
278 project website: http://code.google.com/p/libewf/
279
281 These man pages were written by Kees Mastwijk.
282 Alterations for distribution have been made by Joachim Metz.
284
286 Copyright 2006-2014, Joachim Metz <joachim.metz@gmail.com>.
287 This is free software; see the source for copying conditions. There is NO
289 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR‐
290 POSE.
291
293 ewfacquirestream(1), ewfexport(1), ewfinfo(1), ewfmount(1),
294 ewfrecover(1), ewfverify(1)
295libewf January 19, 2014 libewf