ewfacquirestream                     LOCAL                    ewfacquirestream

NAME

     ewfacquirestream — acquires data in the EWF format from stdin

SYNOPSIS

     ewfacquirestream [-A codepage] [-b number_of_sectors]
                      [-B number_of_bytes] [-c compression_values]
                      [-C case_number] [-d digest_type] [-D description]
                      [-e examiner_name] [-E evidence_number] [-f format]
                      [-l log_filename] [-m media_type] [-M media_flags]
                      [-N notes] [-o offset] [-p process_buffer_size]
                      [-P bytes_per_sector] [-S segment_file_size] [-t target]
                      [-2 secondary_target] [-hqsvVx]

DESCRIPTION

     ewfacquirestream is a utility to acquire media data from stdin and store
     it in EWF format (Expert Witness Format).  ewfacquirestream acquires
     media data in a format equivalent to EnCase and FTK Imager, including
     metadata. Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS-X/Darwin

     ewfacquirestream is part of the libewf package.  libewf is a library to
     access the Expert Witness Compression Format (EWF).

     The options are as follows:

     -A codepage
             the codepage of header section, options: ascii (default),
             windows-874, windows-932, windows-936, windows-949, windows-950,
             windows-1250, windows-1251, windows-1252, windows-1253,
             windows-1254, windows-1255, windows-1256, windows-1257 or
             windows-1258

     -b number_of_sectors
             the number of sectors to read at once (per chunk), options: 16,
             32, 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or
             32768

     -B number_of_bytes
             the number of bytes to acquire

     -c compression_values
             specify the compression values as: level or method:level
             compression method options: deflate (default), bzip2 (bzip2 is
             only supported by EWF2 formats)
             compression level options: none (default), empty-block, fast or
             best

     -C case_number
             the case number (default is case_number)

     -d digest_type
             calculate additional digest (hash) types besides md5, options:
             sha1, sha256

     -D description
             the description (default is description)

     -e examiner_name
             the examiner name (default is examiner_name)

     -E evidence_number
             the evidence number (default is evidence_number)

     -f format
             the EWF file format to write to, options: ftk, encase2, encase3,
             encase4, encase5, encase6 (default), encase7, linen5, linen6,
             linen7, ewfx.  libewf does not support streamed writes for other
             EWF formats.

     -h      shows this help

     -l log_filename
             logs acquisition errors and the digest (hash) to the log filename

     -m media_type
             the media type, options: fixed (default), removable, optical,
             memory

     -M media_flags
             the media flags, options: logical, physical (default)

     -N notes
             the notes (default is notes)

     -o offset
             the offset to start to acquire (default is 0)

     -p process_buffer_size
             the process buffer size (default is the chunk size)

     -P bytes_per_sector
             the number of bytes per sector (default is 512)

     -q      quiet, shows minimal status information

     -s      swap byte pairs of the media data (from AB to BA) (use this for
             big to little endian conversion and vice versa)

     -S segment_file_size
             the segment file size in bytes (default is 1.4 GiB) (minimum is
             1.0 MiB, maximum is 7.9 EiB for encase6 and encase7 format and
             1.9 GiB for other formats)

     -t target
             the target file (without extension) to write to (default is
             image)

     -v      verbose output to stderr

     -V      print version

     -x      use the chunk data instead of the buffered read and write
             functions.

     -2 secondary_target
             the secondary target file (without extension) to write to

     ewfacquirestream will read from stdin until it encounters a read error.
     On a read error it will stop; no error information is stored in the EWF
     file(s).

     Empty block compression detects blocks of sectors with entirely the same
     byte data and compresses them using the default compression level.

ENVIRONMENT

     None

FILES

     None

EXAMPLES

     # ewfacquirestream -C 1 -D Floppy -E 1.1 -e 'John D.' -N 'Just a floppy in my system' -m removable -M logical -t floppy </dev/fd0
     ewfacquirestream 20120805

     Using the following acquiry parameters:
     Image path and filename:                floppy.E01
     Case number:                            1
     Description:                            Floppy
     Evidence number:                        1.1
     Examiner name:                          John D.
     Notes:                                  Just a floppy in my system
     Media type:                             removable
     Volume type:                            logical
     EWF file format:                        EnCase 5
     Compression method:                     deflate
     Compression level:                      none
     Acquiry start offet:                    0
     Number of bytes to acquire:             0 (until end of input)
     Evidence segment file size:             1.4 GiB (1572864000 bytes)
     Block size:                             64 sectors
     Error granularity:                      64 sectors
     Retries on read error:                  2

     Acquiry started at: Sun Aug  5 11:32:41 2012

     This could take a while.

     Status: acquired 1.4 MiB (1474560 bytes)
             in 1 second(s) with 1 MiB/s (1474560 bytes/second).

     Acquiry completed at: Sun Aug  5 11:32:42 2012

     Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).

     MD5 hash calculated over data:          ae1ce8f5ac079d3ee93f97fe3792bda3
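
     Because ewfacquirestream stops at the first read error on stdin and
     stores no error information in the EWF file(s), a truncated stream still
     produces an image that looks complete. The following is an added example,
     not part of the libewf documentation: it parses the summary lines of a
     transcript like the one above and compares them with a byte count and MD5
     recorded independently at the source. The function names and return codes
     are assumptions of this example.

```shell
#!/bin/sh
# Added example, not libewf code. Function names and return codes are
# hypothetical; the transcript lines follow the EXAMPLES output above.

# Constructed sample: the two summary lines from the EXAMPLES transcript.
SAMPLE_TRANSCRIPT='Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).
MD5 hash calculated over data:          ae1ce8f5ac079d3ee93f97fe3792bda3'

# Read a transcript on stdin, print the byte count of the "Written:" line.
written_bytes() {
    sed -n 's/^ *Written: .*(\([0-9][0-9]*\) bytes) in .*/\1/p' | head -n 1
}

# Read a transcript on stdin, print the MD5 the tool calculated (lowercase).
reported_md5() {
    sed -n 's/^ *MD5 hash calculated over data: *\([0-9a-fA-F]\{32\}\) *$/\1/p' |
        head -n 1 | tr 'A-F' 'a-f'
}

# check_acquisition TRANSCRIPT EXPECTED_BYTES EXPECTED_MD5
# EXPECTED_* are recorded independently of the tool, e.g. the source size
# and an MD5 taken over the same byte stream before it reaches the pipe.
# Returns 0 on match, 1 on size mismatch (short or long stream),
# 2 on hash mismatch, 3 if the summary lines are missing.
check_acquisition() {
    got_bytes=$(printf '%s\n' "$1" | written_bytes)
    got_md5=$(printf '%s\n' "$1" | reported_md5)
    want_md5=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ -z "$got_bytes" ] || [ -z "$got_md5" ]; then
        echo "no completion summary found in transcript" >&2
        return 3
    fi
    if [ "$got_bytes" != "$2" ]; then
        echo "size mismatch: expected $2 bytes, image has $got_bytes" >&2
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch: expected $want_md5, tool reported $got_md5" >&2
        return 2
    fi
    return 0
}
```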

DIAGNOSTICS

     Errors, verbose and debug output are printed to stderr when verbose
     output -v is enabled. Verbose and debug output are only printed when
     enabled at compilation.

BUGS

     Please report bugs of any kind to <joachim.metz@gmail.com> or on the
     project website: http://code.google.com/p/libewf/

AUTHOR

     These man pages were written by Joachim Metz.

     Copyright 2006-2014, Joachim Metz <joachim.metz@gmail.com>.

     This is free software; see the source for copying conditions. There is NO
     warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
     PURPOSE.

SEE ALSO

     ewfacquire(1), ewfexport(1), ewfinfo(1), ewfmount(1), ewfrecover(1),
     ewfverify(1)

libewf                         January 19, 2014                         libewf