ewfacquirestream                     LOCAL                    ewfacquirestream

NAME

     ewfacquirestream — acquires data in the EWF format from stdin

SYNOPSIS

     ewfacquirestream [-A codepage] [-b amount_of_sectors]
                      [-B amount_of_bytes] [-c compression_type]
                      [-C case_number] [-d digest_type] [-D description]
                      [-e examiner_name] [-E evidence_number] [-f format]
                      [-l log_filename] [-m media_type] [-M media_flags]
                      [-N notes] [-o offset] [-p process_buffer_size]
                      [-S segment_file_size] [-t target] [-2 secondary_target]
                      [-hqsvVw]

DESCRIPTION

     ewfacquirestream is a utility to acquire media data from stdin and store
     it in EWF format (Expert Witness Format).  ewfacquirestream acquires
     media data in a format equivalent to EnCase and FTK imager, including
     metadata. Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS-X/Darwin

     ewfacquirestream is part of the libewf package.  libewf is a library to
     support the Expert Witness Compression Format (EWF).  libewf supports
     both the SMART format (EWF-S01) and the EnCase format (EWF-E01).  libewf
     currently does not support the Logical Volume format (EWF-L01). EWF-X is
     an experimental format intended for testing purposes to enhance the EWF
     format.  libewf allows you to read and write media data in the EWF
     format.

     The options are as follows:

     -A codepage
             the codepage of header section, options: ascii (default),
             windows-874, windows-1250, windows-1251, windows-1252,
             windows-1253, windows-1254, windows-1255, windows-1256,
             windows-1257, windows-1258

     -b amount_of_sectors
             the amount of sectors to read at once (per chunk), options: 64
             (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or 32768

     -B amount_of_bytes
             the amount of bytes to acquire

     -c compression_type
             the compression type, options: none (default), empty-block, fast,
             best

     -C case_number
             the case number (default is case_number)

     -d digest_type
             calculate additional digest (hash) types besides md5, options:
             sha1

     -D description
             the description (default is description)

     -e examiner_name
             the examiner name (default is examiner_name)

     -E evidence_number
             the evidence number (default is evidence_number)

     -f format
             the EWF file format to write to, options: ftk, encase2, encase3,
             encase4, encase5, encase6 (default), linen5, linen6, ewfx.
             libewf does not support streamed writes for other EWF formats.

     -h      shows this help

     -l log_filename
             logs acquisition errors and the digest (hash) to the log filename

     -m media_type
             the media type, options: fixed (default), removable, optical,
             memory

     -M media_flags
             the media flags, options: logical, physical (default)

     -N notes
             the notes (default is notes)

     -o offset
             the offset to start to acquire (default is 0)

     -p process_buffer_size
             the process buffer size (default is the chunk size)

     -q      quiet, shows no status information

     -s      swap byte pairs of the media data (from AB to BA) (use this for
             big to little endian conversion and vice versa)

     -S segment_file_size
             the segment file size in bytes (default is 1.4 GiB) (minimum is
             1.0 MiB, maximum is 7.9 EiB for encase6 format and 1.9 GiB for
             other formats)

     -t target
             the target file (without extension) to write to (default is
             image)

     -v      verbose output to stderr

     -V      print version

     -w      wipe sectors on read error (mimic EnCase like behavior)

     -2 secondary_target
             the secondary target file (without extension) to write to

     ewfacquirestream will read from stdin until it encounters a read error.
     On read error it will stop; no error information is stored in the EWF
     file(s).

     Empty block compression detects blocks of sectors with entirely the same
     byte data and compresses them using the default compression level.

ENVIRONMENT

     None

FILES

     None

EXAMPLES

     # ewfacquirestream -C 1 -D Floppy -E 1.1 -e 'John D.' -N 'Just a floppy in my system' -m removable -M physical -t floppy </dev/fd0
     ewfacquirestream 20090229 (libewf 20090229, libuna 20090124, zlib 1.2.3, libcrypto 0.9.8g, libuuid)

     Using the following acquiry parameters:
     Image path and filename:        floppy.E01
     Case number:                    1
     Description:                    Floppy
     Evidence number:                1.1
     Examiner name:                  John D.
     Notes:                          Just a floppy in my system
     Media type:                     removable
     Volume type:                    physical
     Compression used:               none
     EWF file format:                EnCase 5
     Acquiry start offet:            0
     Amount of bytes to acquire:     0 (until end of input)
     Evidence segment file size:     1.4 GiB (1572864000 bytes)
     Block size:                     64 sectors
     Error granularity:              64 sectors
     Retries on read error:          2
     Wipe sectors on read error:     no

     Acquiry started at: Sat Feb 28 11:32:41 2009

     This could take a while.

     Status: acquired 1.4 MiB (1474560 bytes)
             in 1 second(s) with 1 MiB/s (1474560 bytes/second).

     Acquiry completed at: Sat Feb 28 11:32:42 2009

     Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).

     MD5 hash calculated over data: ae1ce8f5ac079d3ee93f97fe3792bda3
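
     Because a read error ends the acquisition without leaving any error
     information in the EWF file(s), the summary lines are where a short image
     shows up. The following is an added example, not part of the libewf
     documentation: it parses the "Written" and "MD5 hash" lines of a
     transcript like the one above and compares them with a size and hash the
     examiner obtained independently; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; the function names are hypothetical and not part of libewf.

# Byte count from the "Written: ... (N bytes) in ..." summary line.
ewf_written_bytes() {
    sed -n 's/^[[:space:]]*Written:.*(\([0-9][0-9]*\) bytes) in .*/\1/p' | head -n 1
}

# MD5 from the "MD5 hash calculated over data:" line, lower-cased.
ewf_md5() {
    sed -n 's/^[[:space:]]*MD5 hash calculated over data:[[:space:]]*\([0-9a-fA-F]\{32\}\).*/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# verify_acquisition TRANSCRIPT EXPECTED_BYTES EXPECTED_MD5
# 0 = size and hash match, 1 = size differs (input ended early or late),
# 2 = hash differs, 3 = summary lines missing from the transcript.
verify_acquisition() {
    got_bytes=$(ewf_written_bytes < "$1")
    got_md5=$(ewf_md5 < "$1")
    want_md5=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ -z "$got_bytes" ] || [ -z "$got_md5" ]; then
        echo "transcript has no Written/MD5 summary" >&2; return 3
    fi
    if [ "$got_bytes" -ne "$2" ]; then
        echo "size mismatch: acquired $got_bytes, expected $2" >&2; return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch: image $got_md5, expected $want_md5" >&2; return 2
    fi
    echo "OK: $got_bytes bytes, MD5 $got_md5"
}

# Summary lines copied from the EXAMPLES transcript on this page.
sample_transcript() {
    cat <<'EOF'
Status: acquired 1.4 MiB (1474560 bytes)
        in 1 second(s) with 1 MiB/s (1474560 bytes/second).

Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).

MD5 hash calculated over data: ae1ce8f5ac079d3ee93f97fe3792bda3
EOF
}
```

     The expected size and MD5 are inputs the examiner supplies, for example
     the known size of the source medium and a hash computed by a separate
     tool over the same stream.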

DIAGNOSTICS

     Errors, verbose and debug output are printed to stderr when verbose
     output -v is enabled. Verbose and debug output are only printed when
     enabled at compilation.

BUGS

     Please report bugs of any kind to <forensics@hoffmannbv.nl> or on the
     project website: http://libewf.sourceforge.net/

AUTHOR

     These man pages were written by Joachim Metz.

     Copyright 2006-2009 Joachim Metz, Hoffmann Investigations
     <forensics@hoffmannbv.nl> and contributors.

     This is free software; see the source for copying conditions. There is NO
     warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
     PURPOSE.

SEE ALSO

     ewfacquire(1), ewfexport(1), ewfinfo(1), ewfverify(1)

libewf                         October 17, 2009                         libewf