1ewfacquirestream LOCAL ewfacquirestream
2
4 ewfacquirestream — acquires data in the EWF format from stdin
5
7 ewfacquirestream [-A codepage] [-b number_of_sectors]
8 [-B number_of_bytes] [-c compression_values]
9 [-C case_number] [-d digest_type] [-D description]
10 [-e examiner_name] [-E evidence_number] [-f format]
11 [-l log_filename] [-m media_type] [-M media_flags]
12 [-N notes] [-o offset] [-p process_buffer_size]
13 [-P bytes_per_sector] [-S segment_file_size] [-t target]
14 [-2 secondary_target] [-hqsvVx]
15
17 ewfacquirestream is a utility to acquire media data from stdin and store
18 it in EWF format (Expert Witness Format). ewfacquirestream acquires
19 media data in a format equivalent to EnCase and FTK imager, including
20 meta data. Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS-X/Darwin
21 ewfacquirestream is part of the libewf package. libewf is a library to
23 access the Expert Witness Compression Format (EWF).
24 The options are as follows:
26 -A codepage
28 the codepage of header section, options: ascii (default), win‐
29 dows-874, windows-932, windows-936, windows-949, windows-950,
30 windows-1250, windows-1251, windows-1252, windows-1253, win‐
31 dows-1254, windows-1255, windows-1256, windows-1257 or win‐
32 dows-1258
33 -b number_of_sectors
35 the number of sectors to read at once (per chunk), options: 16,
36 32, 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or
37 32768
38 -B number_of_bytes
40 the number of bytes to acquire
41 -c compression_values
43 specify the compression values as: level or method:level compres‐
44 sion method options: deflate (default), bzip2 (bzip2 is only sup‐
45 ported by EWF2 formats) compression level options: none
46 (default), empty-block, fast or best
47 -C case_number
49 the case number (default is case_number)
50 -d digest_type
52 calculate additional digest (hash) types besides md5, options:
53 sha1, sha256
54 -D description
56 the description (default is description)
57 -e examiner_name
59 the examiner name (default is examiner_name)
60 -E evidence_number
62 the evidence number (default is evidence_number)
63 -f format
65 the EWF file format to write to, options: ftk, encase2, encase3,
66 encase4, encase5, encase6 (default), encase7, linen5, linen6,
67 linen7, ewfx. libewf does not support streamed writes for other
68 EWF formats.
69 -h shows this help
71 -l log_filename
73 logs acquiry errors and the digest (hash) to the log filename
74 -m media_type
76 the media type, options: fixed (default), removable, optical,
77 memory
78 -M media_flags
80 the media flags, options: logical, physical (default)
81 -N notes
83 the notes (default is notes)
84 -o offset
86 the offset to start to acquire (default is 0)
87 -p process_buffer_size
89 the process buffer size (default is the chunk size)
90 -P bytes_per_sector
92 the number of bytes per sector (default is 512)
93 -q quiet shows minimal status information
95 -s swap byte pairs of the media data (from AB to BA) (use this for
97 big to little endian conversion and vice versa)
98 -S segment_file_size
100 the segment file size in bytes (default is 1.4 GiB) (minimum is
101 1.0 MiB, maximum is 7.9 EiB for encase6 and encase7 format and
102 1.9 GiB for other formats)
103 -t target
105 the target file (without extension) to write to (default is
106 image)
107 -v verbose output to stderr
109 -V print version
111 -x use the chunk data instead of the buffered read and write func‐
113 tions.
114 -2 secondary_target
116 the secondary target file (without extension) to write to
117 ewfacquirestream will read from stding until it encounters a read error.
119 On read error it will stop no error information is stored in the EWF
120 file(s).
121 Empty block compression detects blocks of sectors with entirely the same
123 byte data and compresses them using the default compression level.
124
126 None
127
129 None
130
132 # ewfacquirestream -C 1 -D Floppy -E 1.1 -e 'John D.' -N 'Just a floppy in my system' -m removable -M logical -t floppy </dev/fd0
133 ewfacquirestream 20120805
134 Using the following acquiry parameters:
136 Image path and filename: floppy.E01
137 Case number: 1
138 Description: Floppy
139 Evidence number: 1.1
140 Examiner name: John D.
141 Notes: Just a floppy in my system
142 Media type: removable
143 Volume type: logical
144 EWF file format: EnCase 5
145 Compression method: deflate
146 Compression level: none
147 Acquiry start offet: 0
148 Number of bytes to acquire: 0 (until end of input)
149 Evidence segment file size: 1.4 GiB (1572864000 bytes)
150 Block size: 64 sectors
151 Error granularity: 64 sectors
152 Retries on read error: 2
153 Acquiry started at: Sun Aug 5 11:32:41 2012
155 This could take a while.
157 Status: acquired 1.4 MiB (1474560 bytes)
159 in 1 second(s) with 1 MiB/s (1474560 bytes/second).
160 Acquiry completed at: Sun Aug 5 11:32:42 2012
162 Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).
164 MD5 hash calculated over data: ae1ce8f5ac079d3ee93f97fe3792bda3
166
168 Errors, verbose and debug output are printed to stderr when verbose out‐
169 put -v is enabled. Verbose and debug output are only printed when enabled
170 at compilation.
171
173 Please report bugs of any kind to <joachim.metz@gmail.com> or on the
174 project website: http://code.google.com/p/libewf/
175
177 These man pages were written by Joachim Metz.
178
180 Copyright 2006-2014, Joachim Metz <joachim.metz@gmail.com>.
181 This is free software; see the source for copying conditions. There is NO
183 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR‐
184 POSE.
185
187 ewfacquire(1), ewfexport(1), ewfinfo(1), ewfmount(1), ewfrecover(1),
188 ewfverify(1)
189libewf January 19, 2014 libewf