File: ewfexport.1

package info (click to toggle)
libewf 20100226-1
  • links: PTS, VCS
  • area: main
  • in suites: squeeze, wheezy
  • size: 6,840 kB
  • ctags: 2,937
  • sloc: ansic: 100,745; sh: 10,115; makefile: 533
file content (129 lines) | stat: -rw-r--r-- 4,576 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
 
.Dd October 17, 2009
.Dt ewfexport
.Os libewf
.Sh NAME
.Nm ewfexport
.Nd exports media data stored in EWF files
.Sh SYNOPSIS
.Nm ewfexport
.Op Fl A Ar codepage
.Op Fl B Ar amount_of_bytes
.Op Fl c Ar compression_type
.Op Fl d Ar digest_type
.Op Fl f Ar format
.Op Fl l Ar log_filename
.Op Fl o Ar offset
.Op Fl p Ar process_buffer_size
.Op Fl S Ar segment_file_size
.Op Fl t Ar target
.Op Fl hqsuvVw
.Ar ewf_files
.Sh DESCRIPTION
.Nm ewfexport
is a utility to export media data stored in EWF files.
.Pp
.Nm ewfexport
is part of the
.Nm libewf
package.
.Nm libewf
is a library to support the Expert Witness Compression Format (EWF).
.Nm libewf
supports both the SMART format (EWF-S01) and the EnCase format (EWF-E01).
.Nm libewf
currently does not support the Logical Volume format (EWF-L01). EWF-X is an expirimental format intended for testing purposes to enhance the EWF format.
.Nm libewf
allows you to read and write media data in the EWF format.
.Pp
.Ar ewf_files
the first or the entire set of EWF segment files
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl A Ar codepage
the codepage of header section, options: ascii (default), windows-874, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258
.It Fl B Ar amount_of_bytes
the amount of bytes to export
.It Fl c Ar compression_type
the compression type, options: none (default), empty-block, fast, best (not used for raw format)
.It Fl d Ar digest_type
calculate additional digest (hash) types besides md5, options: sha1 (not used for raw format)
.It Fl f Ar format
the file format to write to, options: raw (default), ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx.
.It Fl h
shows this help
.It Fl l Ar log_filename
logs export errors and the digest (hash) to the log filename
.It Fl o Ar offset
the offset to start the export (default is 0)
.It Fl p Ar process_buffer_size
the process buffer size (default is the chunk size)
.It Fl s
swap byte pairs of the media data (from AB to BA) (use this for big to little endian conversion and vice versa)
.It Fl S Ar segment_file_size
the segment file size in bytes (default is 1.4 GiB) (minimum is 1.0 MiB, maximum is 7.9 EiB for encase6 format and 1.9 GiB for other formats) (not used for raw format)
.It Fl t Ar target
the target file to export to, use \- for stdout (default is export) stdout is only supported for the raw format
.It Fl u
unattended mode (disables user interaction)
.It Fl v
verbose output to stderr
.It Fl V
print version
.It Fl w
wipe sectors on CRC error (mimic EnCase like behavior)
.El
.Sh ENVIRONMENT
None
.Sh FILES
None
.Sh EXAMPLES
.Nm ewfexport
will ask the information it needs.
.Bd -literal
# ewfexport floppy.E01
ewfexport 20090229 (libewf 20090229, libuna 20090124, zlib 1.2.3, libcrypto 0.9.8g, libuuid)

Information for export required, please provide the necessary input
Export to file format (raw, ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [raw]:
Target path and filename with extension or \- for stdout: floppy.raw
Start export at offset (0 >= value >= 1474560) [0]:
Amount of bytes to export (0 >= value >= 1474560) [1474560]:

Export started at: Sat Feb 28 19:19:40 2009

This could take a while.

Status: at 2%.
        exported 32 kB (32768 bytes) of total 1.4 MiB (1474560 bytes).

.Dl ...

Status: at 100%.
        exported 1.4 MiB (1474560 bytes) of total 1.4 MiB (1474560 bytes).
        completion in 1 second(s) with 1 MiB/s (1474560 bytes/second).

Export completed at: Sat Feb 28 19:19:41 2009

Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).
MD5 hash calculated over data:  ae1ce8f5ac079d3ee93f97fe3792bda3
.Ed
.Sh DIAGNOSTICS
Errors, verbose and debug output are printed to stderr when verbose output \-v is enabled. Verbose and debug output are only printed when enabled at compilation.
.Sh BUGS
Please report bugs of any kind to <forensics@hoffmannbv.nl> or on the project website: http://libewf.sourceforge.net/
.Sh AUTHOR
.Pp
These man pages were written by Kees Mastwijk.
.Pp
Alterations for distribution have been made by Joachim Metz.
.Sh COPYRIGHT
.Pp
Copyright 2006-2009 Kees Mastwijk, Hoffmann Investigations <forensics@hoffmannbv.nl> and contributors.
.Pp
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.Sh SEE ALSO
.Xr ewfacquire 1 ,
.Xr ewfacquirestream 1 ,
.Xr ewfinfo 1 ,
.Xr ewfverify 1