File: ewf.py

package info (click to toggle)
pytsk 20190121-2
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 2,344 kB
  • sloc: python: 3,645; ansic: 3,090; makefile: 69; sh: 40
file content (106 lines) | stat: -rw-r--r-- 3,108 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
 
#!/usr/bin/python
#
# Copyright 2011, Michael Cohen <scudette@gmail.com>.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
""" This is a module to interface to libewf.

This needs to be tested with the windows port.
"""
from ctypes import *
import ctypes.util

possible_names = ["libewf-1", "ewf",]
for name in possible_names:
  resolved = ctypes.util.find_library(name)
  if resolved:
    break

try:
  if resolved is None:
    raise ImportError("libewf not found")
  libewf = CDLL(resolved)
  if not libewf._name:
    raise OSError()
except OSError:
  raise ImportError("libewf not found")


class ewffile:
  """A file like object to provide access to the ewf file."""

  def __init__(self, *volumes):
    volume_array = c_char_p * len(volumes)
    self.handle = libewf.libewf_open(volume_array(*volumes),
                                     c_int(len(volumes)), c_int(1))
    if self.handle == 0:
      raise RuntimeError("Unable to open ewf file")

    self.readptr = 0
    size_p = pointer(c_ulonglong(0))
    libewf.libewf_get_media_size(self.handle, size_p)
    self.size = size_p.contents.value

  def seek(self, offset, whence=0):
    if whence == 0:
      self.readptr = offset
    elif whence == 1:
      self.readptr += offset
    elif whence == 2:
      self.readptr = self.size + offset

    self.readptr = min(self.readptr, self.size)

  def tell(self):
    return self.readptr

  def read(self, length):
    buf = create_string_buffer(length)
    length = libewf.libewf_read_random(
        self.handle, buf, c_ulong(length), c_ulonglong(self.readptr))

    return buf.raw[:length]

  def close(self):
    libewf.libewf_close(self.handle)

  def get_headers(self):
    properties = ["case_number", "description", "examinier_name",
                  "evidence_number", "notes", "acquiry_date",
                  "system_date", "acquiry_operating_system",
                  "acquiry_software_version", "password",
                  "compression_type", "model", "serial_number"]

    ## Make sure we parsed all headers
    libewf.libewf_parse_header_values(self.handle, c_int(4))
    result = {"size": self.size}
    buf = create_string_buffer(1024)
    for p in properties:
      libewf.libewf_get_header_value(self.handle, p, buf, 1024)
      result[p] = buf.value

    ## Get the hash
    if libewf.libewf_get_md5_hash(self.handle, buf, 16) == 1:
      result["md5"] = buf.raw[:16]

    return result


def ewf_open(volumes):
  return ewffile(volumes)

if __name__== "__main__":
  fd = ewffile("pyflag_stdimage_0.5.e01")
  print fd.get_headers()
  fd.seek(0x8E4B88)
  print "%r" % fd.read(100)