Skip to content

Rewrite EWF #42

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Schamper wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Rewrite EWF #42

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions MANIFEST.in
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,4 @@
exclude .gitattributes
exclude .gitignore
recursive-exclude .github/ *
recursive-exclude tests/_data/ *
4 changes: 1 addition & 3 deletions dissect/evidence/ewf/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,16 @@
from dissect.evidence.ewf.c_ewf import c_ewf
from dissect.evidence.ewf.ewf import (
EWF,
EWFError,
EWFStream,
HeaderSection,
SectionDescriptor,
Segment,
TableSection,
VolumeSection,
)
from dissect.evidence.ewf.stream import EWFStream

__all__ = [
"EWF",
"EWFError",
"EWFStream",
"HeaderSection",
"SectionDescriptor",
Expand Down
108 changes: 69 additions & 39 deletions dissect/evidence/ewf/c_ewf.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,65 +25,95 @@
};

typedef struct {
char signature[8];
uint8 fields_start;
uint16 segment_number;
uint16 fields_end;
} EWFHeader;
char signature[8];
uint8 fields_start;
uint16 segment_number;
uint16 fields_end;
} SegmentHeader;

typedef struct {
char type[16];
uint64 next;
uint64 size;
uint8 pad[40];
uint32 checksum;
} EWFSectionDescriptor;
char type[16];
uint64 next;
uint64 size;
uint8 pad[40];
uint32 checksum;
} SectionDescriptor;

typedef struct {
uint32 reserved_1;
uint32 chunk_count;
uint32 sector_count;
uint32 sector_size;
uint32 total_sector_count;
uint8 reserved[20];
uint8 pad[45];
char signature[5];
uint32 checksum;
} EWFVolumeSectionSpec;
uint32 reserved_1;
uint32 number_of_chunks;
uint32 sectors_per_chunk;
uint32 bytes_per_sector;
uint32 number_of_sectors;
uint8 reserved[20];
uint8 pad[45];
char signature[5];
uint32 checksum;
} VolumeSectionSmart;

typedef struct {
MediaType media_type;
uint8 reserved_1[3];
uint32 chunk_count;
uint32 sector_count;
uint32 sector_size;
uint64 total_sector_count;
uint32 num_cylinders;
uint32 num_heads;
uint32 num_sectors;
uint32 number_of_chunks;
uint32 sectors_per_chunk;
uint32 bytes_per_sector;
uint64 number_of_sectors;
uint32 chs_cylinders;
uint32 chs_heads;
uint32 chs_sectors;
uint8 media_flags;
uint8 unknown_1[3];
uint32 palm_start_sector;
uint32 palm_volume_start_sector;
uint32 unknown_2;
uint32 smart_start_sector;
uint32 smart_logs_start_sector;
CompressionLevel compression_level;
uint8 unknown_3[3];
uint32 error_granularity;
uint32 unknown_4;
uint8 uuid[16];
uint8 set_identifier[16];
uint8 pad[963];
char signature[5];
uint32 checksum;
} EWFVolumeSection;
} VolumeSection;

typedef struct {
MediaType media_type;
uint8 unknown1[3];
uint32 number_of_chunks;
uint32 sectors_per_chunk;
uint32 bytes_per_sector;
uint64 number_of_sectors;
uint32 chs_cylinders;
uint32 chs_heads;
uint32 chs_sectors;
MediaFlags media_flags;
uint8 unknown2[3];
uint32 palm_volume_start_sector;
uint32 unknown3;
uint32 smart_logs_start_sector;
CompressionLevel compression_level;
uint8 unknown4[3];
uint32 error_granularity;
uint32 unknown5;
uint8 set_identifier[16];
char pad[963];
char signature[5];
uint32 checksum;
} DataSection;

typedef struct {
uint32 number_of_entries;
uint32 _;
uint64 base_offset;
uint32 _;
uint32 checksum;
} TableSection;

typedef struct {
uint32 num_entries;
uint32 _;
uint64 base_offset;
uint32 _;
uint32 checksum;
uint32 entries[num_entries];
} EWFTableSection;
char md5[16];
char unknown1[16];
uint32 checksum;
} HashSection;
"""

c_ewf = cstruct().load(ewf_def)
138 changes: 101 additions & 37 deletions dissect/evidence/ewf/c_ewf.pyi
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ class _c_ewf(__cs__.cstruct):
Good = ...
Best = ...

class EWFHeader(__cs__.Structure):
class SegmentHeader(__cs__.Structure):
signature: __cs__.CharArray
fields_start: _c_ewf.uint8
segment_number: _c_ewf.uint16
Expand All @@ -38,7 +38,7 @@ class _c_ewf(__cs__.cstruct):
@overload
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...

class EWFSectionDescriptor(__cs__.Structure):
class SectionDescriptor(__cs__.Structure):
type: __cs__.CharArray
next: _c_ewf.uint64
size: _c_ewf.uint64
Expand All @@ -56,12 +56,12 @@ class _c_ewf(__cs__.cstruct):
@overload
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...

class EWFVolumeSectionSpec(__cs__.Structure):
class VolumeSectionSmart(__cs__.Structure):
reserved_1: _c_ewf.uint32
chunk_count: _c_ewf.uint32
sector_count: _c_ewf.uint32
sector_size: _c_ewf.uint32
total_sector_count: _c_ewf.uint32
number_of_chunks: _c_ewf.uint32
sectors_per_chunk: _c_ewf.uint32
bytes_per_sector: _c_ewf.uint32
number_of_sectors: _c_ewf.uint32
reserved: __cs__.Array[_c_ewf.uint8]
pad: __cs__.Array[_c_ewf.uint8]
signature: __cs__.CharArray
Expand All @@ -70,10 +70,10 @@ class _c_ewf(__cs__.cstruct):
def __init__(
self,
reserved_1: _c_ewf.uint32 | None = ...,
chunk_count: _c_ewf.uint32 | None = ...,
sector_count: _c_ewf.uint32 | None = ...,
sector_size: _c_ewf.uint32 | None = ...,
total_sector_count: _c_ewf.uint32 | None = ...,
number_of_chunks: _c_ewf.uint32 | None = ...,
sectors_per_chunk: _c_ewf.uint32 | None = ...,
bytes_per_sector: _c_ewf.uint32 | None = ...,
number_of_sectors: _c_ewf.uint32 | None = ...,
reserved: __cs__.Array[_c_ewf.uint8] | None = ...,
pad: __cs__.Array[_c_ewf.uint8] | None = ...,
signature: __cs__.CharArray | None = ...,
Expand All @@ -82,26 +82,26 @@ class _c_ewf(__cs__.cstruct):
@overload
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...

class EWFVolumeSection(__cs__.Structure):
class VolumeSection(__cs__.Structure):
media_type: _c_ewf.MediaType
reserved_1: __cs__.Array[_c_ewf.uint8]
chunk_count: _c_ewf.uint32
sector_count: _c_ewf.uint32
sector_size: _c_ewf.uint32
total_sector_count: _c_ewf.uint64
num_cylinders: _c_ewf.uint32
num_heads: _c_ewf.uint32
num_sectors: _c_ewf.uint32
number_of_chunks: _c_ewf.uint32
sectors_per_chunk: _c_ewf.uint32
bytes_per_sector: _c_ewf.uint32
number_of_sectors: _c_ewf.uint64
chs_cylinders: _c_ewf.uint32
chs_heads: _c_ewf.uint32
chs_sectors: _c_ewf.uint32
media_flags: _c_ewf.uint8
unknown_1: __cs__.Array[_c_ewf.uint8]
palm_start_sector: _c_ewf.uint32
palm_volume_start_sector: _c_ewf.uint32
unknown_2: _c_ewf.uint32
smart_start_sector: _c_ewf.uint32
smart_logs_start_sector: _c_ewf.uint32
compression_level: _c_ewf.CompressionLevel
unknown_3: __cs__.Array[_c_ewf.uint8]
error_granularity: _c_ewf.uint32
unknown_4: _c_ewf.uint32
uuid: __cs__.Array[_c_ewf.uint8]
set_identifier: __cs__.Array[_c_ewf.uint8]
pad: __cs__.Array[_c_ewf.uint8]
signature: __cs__.CharArray
checksum: _c_ewf.uint32
Expand All @@ -110,44 +110,108 @@ class _c_ewf(__cs__.cstruct):
self,
media_type: _c_ewf.MediaType | None = ...,
reserved_1: __cs__.Array[_c_ewf.uint8] | None = ...,
chunk_count: _c_ewf.uint32 | None = ...,
sector_count: _c_ewf.uint32 | None = ...,
sector_size: _c_ewf.uint32 | None = ...,
total_sector_count: _c_ewf.uint64 | None = ...,
num_cylinders: _c_ewf.uint32 | None = ...,
num_heads: _c_ewf.uint32 | None = ...,
num_sectors: _c_ewf.uint32 | None = ...,
number_of_chunks: _c_ewf.uint32 | None = ...,
sectors_per_chunk: _c_ewf.uint32 | None = ...,
bytes_per_sector: _c_ewf.uint32 | None = ...,
number_of_sectors: _c_ewf.uint64 | None = ...,
chs_cylinders: _c_ewf.uint32 | None = ...,
chs_heads: _c_ewf.uint32 | None = ...,
chs_sectors: _c_ewf.uint32 | None = ...,
media_flags: _c_ewf.uint8 | None = ...,
unknown_1: __cs__.Array[_c_ewf.uint8] | None = ...,
palm_start_sector: _c_ewf.uint32 | None = ...,
palm_volume_start_sector: _c_ewf.uint32 | None = ...,
unknown_2: _c_ewf.uint32 | None = ...,
smart_start_sector: _c_ewf.uint32 | None = ...,
smart_logs_start_sector: _c_ewf.uint32 | None = ...,
compression_level: _c_ewf.CompressionLevel | None = ...,
unknown_3: __cs__.Array[_c_ewf.uint8] | None = ...,
error_granularity: _c_ewf.uint32 | None = ...,
unknown_4: _c_ewf.uint32 | None = ...,
uuid: __cs__.Array[_c_ewf.uint8] | None = ...,
set_identifier: __cs__.Array[_c_ewf.uint8] | None = ...,
pad: __cs__.Array[_c_ewf.uint8] | None = ...,
signature: __cs__.CharArray | None = ...,
checksum: _c_ewf.uint32 | None = ...,
): ...
@overload
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...

class EWFTableSection(__cs__.Structure):
num_entries: _c_ewf.uint32
class DataSection(__cs__.Structure):
media_type: _c_ewf.MediaType
unknown1: __cs__.Array[_c_ewf.uint8]
number_of_chunks: _c_ewf.uint32
sectors_per_chunk: _c_ewf.uint32
bytes_per_sector: _c_ewf.uint32
number_of_sectors: _c_ewf.uint64
chs_cylinders: _c_ewf.uint32
chs_heads: _c_ewf.uint32
chs_sectors: _c_ewf.uint32
media_flags: _c_ewf.MediaFlags
unknown2: __cs__.Array[_c_ewf.uint8]
palm_volume_start_sector: _c_ewf.uint32
unknown3: _c_ewf.uint32
smart_logs_start_sector: _c_ewf.uint32
compression_level: _c_ewf.CompressionLevel
unknown4: __cs__.Array[_c_ewf.uint8]
error_granularity: _c_ewf.uint32
unknown5: _c_ewf.uint32
set_identifier: __cs__.Array[_c_ewf.uint8]
pad: __cs__.CharArray
signature: __cs__.CharArray
checksum: _c_ewf.uint32
@overload
def __init__(
self,
media_type: _c_ewf.MediaType | None = ...,
unknown1: __cs__.Array[_c_ewf.uint8] | None = ...,
number_of_chunks: _c_ewf.uint32 | None = ...,
sectors_per_chunk: _c_ewf.uint32 | None = ...,
bytes_per_sector: _c_ewf.uint32 | None = ...,
number_of_sectors: _c_ewf.uint64 | None = ...,
chs_cylinders: _c_ewf.uint32 | None = ...,
chs_heads: _c_ewf.uint32 | None = ...,
chs_sectors: _c_ewf.uint32 | None = ...,
media_flags: _c_ewf.MediaFlags | None = ...,
unknown2: __cs__.Array[_c_ewf.uint8] | None = ...,
palm_volume_start_sector: _c_ewf.uint32 | None = ...,
unknown3: _c_ewf.uint32 | None = ...,
smart_logs_start_sector: _c_ewf.uint32 | None = ...,
compression_level: _c_ewf.CompressionLevel | None = ...,
unknown4: __cs__.Array[_c_ewf.uint8] | None = ...,
error_granularity: _c_ewf.uint32 | None = ...,
unknown5: _c_ewf.uint32 | None = ...,
set_identifier: __cs__.Array[_c_ewf.uint8] | None = ...,
pad: __cs__.CharArray | None = ...,
signature: __cs__.CharArray | None = ...,
checksum: _c_ewf.uint32 | None = ...,
): ...
@overload
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...

class TableSection(__cs__.Structure):
number_of_entries: _c_ewf.uint32
_: _c_ewf.uint32
base_offset: _c_ewf.uint64
checksum: _c_ewf.uint32
entries: __cs__.Array[_c_ewf.uint32]
@overload
def __init__(
self,
num_entries: _c_ewf.uint32 | None = ...,
number_of_entries: _c_ewf.uint32 | None = ...,
_: _c_ewf.uint32 | None = ...,
base_offset: _c_ewf.uint64 | None = ...,
checksum: _c_ewf.uint32 | None = ...,
entries: __cs__.Array[_c_ewf.uint32] | None = ...,
): ...
@overload
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...

class HashSection(__cs__.Structure):
md5: __cs__.CharArray
unknown1: __cs__.CharArray
checksum: _c_ewf.uint32
@overload
def __init__(
self,
md5: __cs__.CharArray | None = ...,
unknown1: __cs__.CharArray | None = ...,
checksum: _c_ewf.uint32 | None = ...,
): ...
@overload
def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
Expand Down
Loading
Loading