1libewf(3) BSD Library Functions Manual libewf(3)
2
4 libewf.h — Library to read from and write to the Expert Witness Compres‐
5 sion Format (EWF) file format
6
8 library “libewf”
9
11 #include <libewf.h>
12
13 int8_t
14 libewf_check_file_signature(const char *filename);
15
16 LIBEWF_HANDLE *
17 libewf_open(char * const filenames[], uint16_t file_amount, uint8_t flags);
18
19 off_t
20 libewf_seek_offset(LIBEWF_HANDLE *handle, off_t offset);
21
22 ssize_t
23 libewf_read_buffer(LIBEWF_HANDLE *handle, void *buffer, size_t size);
24
25 ssize_t
26 libewf_read_random(LIBEWF_HANDLE *handle, void *buffer, size_t size, off_t offset);
27
28 ssize_t
29 libewf_write_buffer(LIBEWF_HANDLE *handle, void *buffer, size_t size);
30
31 ssize_t
32 libewf_write_random(LIBEWF_HANDLE *handle, void *buffer, size_t size, off_t offset);
33
34 ssize_t
35 libewf_write_finalize(LIBEWF_HANDLE *handle);
36
37 int8_t
38 libewf_close(LIBEWF_HANDLE *handle);
39
40 int32_t
41 libewf_get_bytes_per_sector(LIBEWF_HANDLE *handle);
42
43 int32_t
44 libewf_get_amount_of_sectors(LIBEWF_HANDLE *handle);
45
46 int32_t
47 libewf_get_chunk_size(LIBEWF_HANDLE *handle);
48
49 int32_t
50 libewf_get_error_granularity(LIBEWF_HANDLE *handle);
51
52 int8_t
53 libewf_get_compression_level(LIBEWF_HANDLE *handle);
54
55 int64_t
56 libewf_get_media_size(LIBEWF_HANDLE *handle);
57
58 int8_t
59 libewf_get_media_type(LIBEWF_HANDLE *handle);
60
61 int8_t
62 libewf_get_media_flags(LIBEWF_HANDLE *handle);
63
64 int8_t
65 libewf_get_volume_type(LIBEWF_HANDLE *handle);
66
67 int8_t
68 libewf_get_format(LIBEWF_HANDLE *handle);
69
70 int8_t
71 libewf_get_guid(LIBEWF_HANDLE *handle, uint8_t *guid, size_t size);
72
73 int64_t
74 libewf_get_write_amount_of_chunks(LIBEWF_HANDLE *handle);
75
76 int8_t
77 libewf_set_media_values(LIBEWF_HANDLE *handle, uint32_t sectors_per_chunk, uint32_t bytes_per_sector);
78
79 int8_t
80 libewf_set_guid(LIBEWF_HANDLE *handle, uint8_t *guid, size_t size);
81
82 int8_t
83 libewf_set_write_segment_file_size(LIBEWF_HANDLE *handle, uint32_t segment_file_size);
84
85 int8_t
86 libewf_set_write_compression_values(LIBEWF_HANDLE *handle, int8_t compression_level, uint8_t compress_empty_block);
87
88 int8_t
89 libewf_set_write_media_type(LIBEWF_HANDLE *handle, uint8_t media_type, uint8_t volume_type);
90
91 int8_t
92 libewf_set_write_format(LIBEWF_HANDLE *handle, uint8_t format);
93
94 int8_t
95 libewf_set_write_input_size(LIBEWF_HANDLE *handle, uint64_t input_write_size);
96
97 int8_t
98 libewf_set_swap_byte_pairs(LIBEWF_HANDLE *handle, uint8_t swap_byte_pairs);
99
100 int8_t
101 libewf_parse_header_values(LIBEWF_HANDLE *handle, uint8_t date_format);
102
103 int8_t
104 libewf_parse_hash_values(LIBEWF_HANDLE *handle);
105
106 int8_t
107 libewf_add_acquiry_error(LIBEWF_HANDLE *handle, uint64_t sector, uint32_t amount_of_sectors);
108
109 void
110 libewf_set_notify_values(FILE *stream, uint8_t verbose);
111
112 When the library was compiled with narrow character support (default) the
113 following functions are available
114
115 const char *
116 libewf_get_version(void);
117
118 int8_t
119 libewf_get_header_value(LIBEWF_HANDLE *handle, char *identifier, char *value, size_t length);
120
121 int8_t
122 libewf_get_header_value_case_number(LIBEWF_HANDLE *handle, char *case_number, size_t length);
123
124 int8_t
125 libewf_get_header_value_description(LIBEWF_HANDLE *handle, char *description, size_t length);
126
127 int8_t
128 libewf_get_header_value_examiner_name(LIBEWF_HANDLE *handle, char *examiner_name, size_t length);
129
130 int8_t
131 libewf_get_header_value_evidence_number(LIBEWF_HANDLE *handle, char *evidence_number, size_t length);
132
133 int8_t
134 libewf_get_header_value_notes(LIBEWF_HANDLE *handle, char *notes, size_t length);
135
136 int8_t
137 libewf_get_header_value_acquiry_date(LIBEWF_HANDLE *handle, char *acquiry_date, size_t length);
138
139 int8_t
140 libewf_get_header_value_system_date(LIBEWF_HANDLE *handle, char *system_date, size_t length);
141
142 int8_t
143 libewf_get_header_value_acquiry_operating_system(LIBEWF_HANDLE *handle, char *acquiry_operating_system, size_t length);
144
145 int8_t
146 libewf_get_header_value_acquiry_software_version(LIBEWF_HANDLE *handle, char *acquiry_software_version, size_t length);
147
148 int8_t
149 libewf_get_header_value_password(LIBEWF_HANDLE *handle, char *password, size_t length);
150
151 int8_t
152 libewf_get_header_value_compression_type(LIBEWF_HANDLE *handle, char *compression_type, size_t length);
153
154 int8_t
155 libewf_get_hash_value(LIBEWF_HANDLE *handle, char *identifier, char *value, size_t length);
156
157 int8_t
158 libewf_set_header_value(LIBEWF_HANDLE *handle, char *identifier, char *value, size_t length);
159
160 int8_t
161 libewf_set_header_value_case_number(LIBEWF_HANDLE *handle, char *case_number, size_t length);
162
163 int8_t
164 libewf_set_header_value_description(LIBEWF_HANDLE *handle, char *description, size_t length);
165
166 int8_t
167 libewf_set_header_value_examiner_name(LIBEWF_HANDLE *handle, char *examiner_name, size_t length);
168
169 int8_t
170 libewf_set_header_value_evidence_number(LIBEWF_HANDLE *handle, char *evidence_number, size_t length);
171
172 int8_t
173 libewf_set_header_value_notes(LIBEWF_HANDLE *handle, char *notes, size_t length);
174
175 int8_t
176 libewf_set_header_value_acquiry_date(LIBEWF_HANDLE *handle, char *acquiry_date, size_t length);
177
178 int8_t
179 libewf_set_header_value_system_date(LIBEWF_HANDLE *handle, char *system_date, size_t length);
180
181 int8_t
182 libewf_set_header_value_acquiry_operating_system(LIBEWF_HANDLE *handle, char *acquiry_operating_system, size_t length);
183
184 int8_t
185 libewf_set_header_value_acquiry_software_version(LIBEWF_HANDLE *handle, char *acquiry_software_version, size_t length);
186
187 int8_t
188 libewf_set_header_value_password(LIBEWF_HANDLE *handle, char *password, size_t length);
189
190 int8_t
191 libewf_set_header_value_compression_type(LIBEWF_HANDLE *handle, char *compression_type, size_t length);
192
193 int8_t
194 libewf_set_hash_value(LIBEWF_HANDLE *handle, char *identifier, char *value, size_t length);
195
196 int8_t
197 libewf_calculate_md5_hash(LIBEWF_HANDLE *handle, char *string, size_t length);
198
199 int8_t
200 libewf_get_stored_md5_hash(LIBEWF_HANDLE *handle, char *string, size_t length);
201
202 int8_t
203 libewf_get_calculated_md5_hash(LIBEWF_HANDLE *handle, char *string, size_t length);
204
205 When the library was compiled with wide character support the following
206 functions are available instead of the narrow character functions
207
208 const wchar_t *
209 libewf_get_version(void);
210
211 int8_t
212 libewf_get_header_value(LIBEWF_HANDLE *handle, wchar_t *identifier, wchar_t *value, size_t length);
213
214 int8_t
215 libewf_get_header_value_case_number(LIBEWF_HANDLE *handle, wchar_t *case_number, size_t length);
216
217 int8_t
218 libewf_get_header_value_description(LIBEWF_HANDLE *handle, wchar_t *description, size_t length);
219
220 int8_t
221 libewf_get_header_value_examiner_name(LIBEWF_HANDLE *handle, wchar_t *examiner_name, size_t length);
222
223 int8_t
224 libewf_get_header_value_evidence_number(LIBEWF_HANDLE *handle, wchar_t *evidence_number, size_t length);
225
226 int8_t
227 libewf_get_header_value_notes(LIBEWF_HANDLE *handle, wchar_t *notes, size_t length);
228
229 int8_t
230 libewf_get_header_value_acquiry_date(LIBEWF_HANDLE *handle, wchar_t *acquiry_date, size_t length);
231
232 int8_t
233 libewf_get_header_value_system_date(LIBEWF_HANDLE *handle, wchar_t *system_date, size_t length);
234
235 int8_t
236 libewf_get_header_value_acquiry_operating_system(LIBEWF_HANDLE *handle, wchar_t *acquiry_operating_system, size_t length);
237
238 int8_t
239 libewf_get_header_value_acquiry_software_version(LIBEWF_HANDLE *handle, wchar_t *acquiry_software_version, size_t length);
240
241 int8_t
242 libewf_get_header_value_password(LIBEWF_HANDLE *handle, wchar_t *password, size_t length);
243
244 int8_t
245 libewf_get_header_value_compression_type(LIBEWF_HANDLE *handle, wchar_t *compression_type, size_t length);
246
247 int8_t
248 libewf_get_hash_value(LIBEWF_HANDLE *handle, wchar_t *identifier, wchar_t *value, size_t length);
249
250 int8_t
251 libewf_set_header_value(LIBEWF_HANDLE *handle, wchar_t *identifier, wchar_t *value, size_t length);
252
253 int8_t
254 libewf_set_header_value_case_number(LIBEWF_HANDLE *handle, wchar_t *case_number, size_t length);
255
256 int8_t
257 libewf_set_header_value_description(LIBEWF_HANDLE *handle, wchar_t *description, size_t length);
258
259 int8_t
260 libewf_set_header_value_examiner_name(LIBEWF_HANDLE *handle, wchar_t *examiner_name, size_t length);
261
262 int8_t
263 libewf_set_header_value_evidence_number(LIBEWF_HANDLE *handle, wchar_t *evidence_number, size_t length);
264
265 int8_t
266 libewf_set_header_value_notes(LIBEWF_HANDLE *handle, wchar_t *notes, size_t length);
267
268 int8_t
269 libewf_set_header_value_acquiry_date(LIBEWF_HANDLE *handle, wchar_t *acquiry_date, size_t length);
270
271 int8_t
272 libewf_set_header_value_system_date(LIBEWF_HANDLE *handle, wchar_t *system_date, size_t length);
273
274 int8_t
275 libewf_set_header_value_acquiry_operating_system(LIBEWF_HANDLE *handle, wchar_t *acquiry_operating_system, size_t length);
276
277 int8_t
278 libewf_set_header_value_acquiry_software_version(LIBEWF_HANDLE *handle, wchar_t *acquiry_software_version, size_t length);
279
280 int8_t
281 libewf_set_header_value_password(LIBEWF_HANDLE *handle, wchar_t *password, size_t length);
282
283 int8_t
284 libewf_set_header_value_compression_type(LIBEWF_HANDLE *handle, wchar_t *compression_type, size_t length);
285
286 int8_t
287 libewf_set_hash_value(LIBEWF_HANDLE *handle, wchar_t *identifier, wchar_t *value, size_t length);
288
289 int8_t
290 libewf_calculate_md5_hash(LIBEWF_HANDLE *handle, wchar_t *string, size_t length);
291
292 int8_t
293 libewf_get_stored_md5_hash(LIBEWF_HANDLE *handle, wchar_t *string, size_t length);
294
295 int8_t
296 libewf_get_calculated_md5_hash(LIBEWF_HANDLE *handle, wchar_t *string, size_t length);
297
298 When wide character support functions like wmain and wopen are present
299 and libewf is compiled with HAVE_WIDE_CHARACTER_SUPPORT_FUNCTIONS the
300 following functions will replace their narrow character functions.
301
302 int8_t
303 libewf_check_file_signature(const wchar_t *filename);
304
305 LIBEWF_HANDLE *
306 libewf_open(wchar_t * const filenames[], uint16_t file_amount, uint8_t flags);
307
309 The libewf_get_version() function is used to retrieve the library ver‐
310 sion.
311
312 The libewf_check_file_signature() function is used to test if the EWF
313 file signature is present within a certain filename.
314
315 The libewf_open(), libewf_seek_offset(), libewf_read_buffer(),
316 libewf_read_random(), libewf_write_buffer(), libewf_write_random(),
317 libewf_close() functions can be used to open, seek in, read from, write
318 to and close a set of EWF files.
319
320 The libewf_write_finalize() function needs to be called after writing a
321 set of EWF files without knowing the input size upfront, e.g. reading
322 from a pipe. libewf_write_finalize() will the necessary correction to
323 the set of EWF files. Note that certain information like the calculated
324 MD5 has is not available if libewf_write_finalize() has not been issued.
325
326 The libewf_get_*() functions can be used to retrieve information from the
327 handle. This information is read from a set of EWF files when
328 libewf_open() is used. The libewf_parse_header_values,()
329 libewf_parse_hash_values() functions need to be called before retrieving
330 header or hash values.
331
332 The libewf_set_*() functions can be used to set information in the
333 handle. This information is written to a set of EWF files when
334 libewf_write_buffer() is used.
335
336 The libewf_parse_header_values() function can be used to parse the values
337 in the header strings within a set of EWF files.
338
339 The libewf_parse_hash_values() function can be used to parse the values
340 in the hash string within a set of EWF files. The hash string is cur‐
341 rently only present in the EWF-X format.
342
343 The libewf_add_acquiry_error() function can be used to add an acquiry
344 error (a read error during acquiry) to be written into a set of EWF
345 files.
346
347 The libewf_set_notify_values() function can be used to direct the warn‐
348 ing, verbose and debug output from the library.
349
351 Most of the functions return NULL or -1 on error, dependent on the return
352 type. For the actual return values refer to libewf.h
353
355 None
356
358 None
359
361 Please report bugs of any kind to <forensics@hoffmannbv.nl> or on the
362 project website: https://libewf.uitwisselplatform.nl/
363
365 These man pages were written by Joachim Metz.
366
368 Copyright 2006-2007 Joachim Metz, Hoffmann Investigations <foren‐
369 sics@hoffmannbv.nl> and contributors. This is free software; see the
370 source for copying conditions. There is NO warranty; not even for MER‐
371 CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
372
374 the libewf.h include file
375
376libewf May 12, 2007 libewf