
Commit 3b55775

committed
Rewrite EWF
1 parent 354d252 commit 3b55775


21 files changed

+665
-335
lines changed


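--- a/dissect/evidence/ewf/__init__.py
+++ b/dissect/evidence/ewf/__init__.py
@@ -3,18 +3,16 @@
 from dissect.evidence.ewf.c_ewf import c_ewf
 from dissect.evidence.ewf.ewf import (
 EWF,
-EWFError,
-EWFStream,
 HeaderSection,
 SectionDescriptor,
 Segment,
 TableSection,
 VolumeSection,
 )
+from dissect.evidence.ewf.stream import EWFStream
 
 __all__ = [
 "EWF",
-"EWFError",
 "EWFStream",
 "HeaderSection",
 "SectionDescriptor",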
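Review bot: `EWFError` disappears from both the import list and `__all__` with no replacement exported, so downstream `from dissect.evidence.ewf import EWFError` will fail at import time. Callers that wrap parsing of untrusted images in `except EWFError:` lose that handler. If the exception was moved or replaced elsewhere in this commit (not visible in this section), re-exporting it under the old name, e.g. `EWFError = <new exception class>  # deprecated alias`, would keep those handlers working; otherwise the break belongs in the changelog. The `__all__` list continues past the end of this hunk.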

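--- a/dissect/evidence/ewf/c_ewf.py
+++ b/dissect/evidence/ewf/c_ewf.py
@@ -25,65 +25,95 @@
 };
 
 typedef struct {
-char signature[8];
-uint8 fields_start;
-uint16 segment_number;
-uint16 fields_end;
-} EWFHeader;
+char signature[8];
+uint8 fields_start;
+uint16 segment_number;
+uint16 fields_end;
+} SegmentHeader;
 
 typedef struct {
-char type[16];
-uint64 next;
-uint64 size;
-uint8 pad[40];
-uint32 checksum;
-} EWFSectionDescriptor;
+char type[16];
+uint64 next;
+uint64 size;
+uint8 pad[40];
+uint32 checksum;
+} SectionDescriptor;
 
 typedef struct {
-uint32 reserved_1;
-uint32 chunk_count;
-uint32 sector_count;
-uint32 sector_size;
-uint32 total_sector_count;
-uint8 reserved[20];
-uint8 pad[45];
-char signature[5];
-uint32 checksum;
-} EWFVolumeSectionSpec;
+uint32 reserved_1;
+uint32 number_of_chunks;
+uint32 sectors_per_chunk;
+uint32 bytes_per_sector;
+uint32 number_of_sectors;
+uint8 reserved[20];
+uint8 pad[45];
+char signature[5];
+uint32 checksum;
+} VolumeSectionSmart;
 
 typedef struct {
 MediaType media_type;
 uint8 reserved_1[3];
-uint32 chunk_count;
-uint32 sector_count;
-uint32 sector_size;
-uint64 total_sector_count;
-uint32 num_cylinders;
-uint32 num_heads;
-uint32 num_sectors;
+uint32 number_of_chunks;
+uint32 sectors_per_chunk;
+uint32 bytes_per_sector;
+uint64 number_of_sectors;
+uint32 chs_cylinders;
+uint32 chs_heads;
+uint32 chs_sectors;
 uint8 media_flags;
 uint8 unknown_1[3];
-uint32 palm_start_sector;
+uint32 palm_volume_start_sector;
 uint32 unknown_2;
-uint32 smart_start_sector;
+uint32 smart_logs_start_sector;
 CompressionLevel compression_level;
 uint8 unknown_3[3];
 uint32 error_granularity;
 uint32 unknown_4;
-uint8 uuid[16];
+uint8 set_identifier[16];
 uint8 pad[963];
 char signature[5];
 uint32 checksum;
-} EWFVolumeSection;
+} VolumeSection;
+
+typedef struct {
+MediaType media_type;
+uint8 unknown1[3];
+uint32 number_of_chunks;
+uint32 sectors_per_chunk;
+uint32 bytes_per_sector;
+uint64 number_of_sectors;
+uint32 chs_cylinders;
+uint32 chs_heads;
+uint32 chs_sectors;
+MediaFlags media_flags;
+uint8 unknown2[3];
+uint32 palm_volume_start_sector;
+uint32 unknown3;
+uint32 smart_logs_start_sector;
+CompressionLevel compression_level;
+uint8 unknown4[3];
+uint32 error_granularity;
+uint32 unknown5;
+uint8 set_identifier[16];
+char pad[963];
+char signature[5];
+uint32 checksum;
+} DataSection;
+
+typedef struct {
+uint32 number_of_entries;
+uint32 _;
+uint64 base_offset;
+uint32 _;
+uint32 checksum;
+} TableSection;
 
 typedef struct {
-uint32 num_entries;
-uint32 _;
-uint64 base_offset;
-uint32 _;
-uint32 checksum;
-uint32 entries[num_entries];
-} EWFTableSection;
+char md5[16];
+char unknown1[16];
+uint32 checksum;
+} HashSection;
 """
 
 c_ewf = cstruct().load(ewf_def)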
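Review bot: `TableSection` no longer declares `entries[num_entries]`, so the entry array must now be read by code outside this file using `number_of_entries` taken directly from the image. That count is untrusted input; a comment on the struct such as `// followed by uint32 entries[number_of_entries]; bound the count by SectionDescriptor.size before reading` would record the layout and the check the reader needs. Separately, `DataSection` repeats `VolumeSection` field for field but types `media_flags` as `MediaFlags` and `pad` as `char`, where `VolumeSection` keeps `uint8` for both, and it spells `unknown1` where `VolumeSection` has `unknown_1`. Aligning the two would avoid callers handling the same on-disk field two ways. The reader is not visible in this section, so whether the bound is already enforced cannot be confirmed from here.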

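--- a/dissect/evidence/ewf/c_ewf.pyi
+++ b/dissect/evidence/ewf/c_ewf.pyi
@@ -22,7 +22,7 @@ class _c_ewf(__cs__.cstruct):
 Good = ...
 Best = ...
 
-class EWFHeader(__cs__.Structure):
+class SegmentHeader(__cs__.Structure):
 signature: __cs__.CharArray
 fields_start: _c_ewf.uint8
 segment_number: _c_ewf.uint16
@@ -38,7 +38,7 @@ class _c_ewf(__cs__.cstruct):
 @overload
 def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
 
-class EWFSectionDescriptor(__cs__.Structure):
+class SectionDescriptor(__cs__.Structure):
 type: __cs__.CharArray
 next: _c_ewf.uint64
 size: _c_ewf.uint64
@@ -56,12 +56,12 @@ class _c_ewf(__cs__.cstruct):
 @overload
 def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
 
-class EWFVolumeSectionSpec(__cs__.Structure):
+class VolumeSectionSmart(__cs__.Structure):
 reserved_1: _c_ewf.uint32
-chunk_count: _c_ewf.uint32
-sector_count: _c_ewf.uint32
-sector_size: _c_ewf.uint32
-total_sector_count: _c_ewf.uint32
+number_of_chunks: _c_ewf.uint32
+sectors_per_chunk: _c_ewf.uint32
+bytes_per_sector: _c_ewf.uint32
+number_of_sectors: _c_ewf.uint32
 reserved: __cs__.Array[_c_ewf.uint8]
 pad: __cs__.Array[_c_ewf.uint8]
 signature: __cs__.CharArray
@@ -70,10 +70,10 @@ class _c_ewf(__cs__.cstruct):
 def __init__(
 self,
 reserved_1: _c_ewf.uint32 | None = ...,
-chunk_count: _c_ewf.uint32 | None = ...,
-sector_count: _c_ewf.uint32 | None = ...,
-sector_size: _c_ewf.uint32 | None = ...,
-total_sector_count: _c_ewf.uint32 | None = ...,
+number_of_chunks: _c_ewf.uint32 | None = ...,
+sectors_per_chunk: _c_ewf.uint32 | None = ...,
+bytes_per_sector: _c_ewf.uint32 | None = ...,
+number_of_sectors: _c_ewf.uint32 | None = ...,
 reserved: __cs__.Array[_c_ewf.uint8] | None = ...,
 pad: __cs__.Array[_c_ewf.uint8] | None = ...,
 signature: __cs__.CharArray | None = ...,
@@ -82,26 +82,26 @@ class _c_ewf(__cs__.cstruct):
 @overload
 def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
 
-class EWFVolumeSection(__cs__.Structure):
+class VolumeSection(__cs__.Structure):
 media_type: _c_ewf.MediaType
 reserved_1: __cs__.Array[_c_ewf.uint8]
-chunk_count: _c_ewf.uint32
-sector_count: _c_ewf.uint32
-sector_size: _c_ewf.uint32
-total_sector_count: _c_ewf.uint64
-num_cylinders: _c_ewf.uint32
-num_heads: _c_ewf.uint32
-num_sectors: _c_ewf.uint32
+number_of_chunks: _c_ewf.uint32
+sectors_per_chunk: _c_ewf.uint32
+bytes_per_sector: _c_ewf.uint32
+number_of_sectors: _c_ewf.uint64
+chs_cylinders: _c_ewf.uint32
+chs_heads: _c_ewf.uint32
+chs_sectors: _c_ewf.uint32
 media_flags: _c_ewf.uint8
 unknown_1: __cs__.Array[_c_ewf.uint8]
-palm_start_sector: _c_ewf.uint32
+palm_volume_start_sector: _c_ewf.uint32
 unknown_2: _c_ewf.uint32
-smart_start_sector: _c_ewf.uint32
+smart_logs_start_sector: _c_ewf.uint32
 compression_level: _c_ewf.CompressionLevel
 unknown_3: __cs__.Array[_c_ewf.uint8]
 error_granularity: _c_ewf.uint32
 unknown_4: _c_ewf.uint32
-uuid: __cs__.Array[_c_ewf.uint8]
+set_identifier: __cs__.Array[_c_ewf.uint8]
 pad: __cs__.Array[_c_ewf.uint8]
 signature: __cs__.CharArray
 checksum: _c_ewf.uint32
@@ -110,44 +110,108 @@ class _c_ewf(__cs__.cstruct):
 self,
 media_type: _c_ewf.MediaType | None = ...,
 reserved_1: __cs__.Array[_c_ewf.uint8] | None = ...,
-chunk_count: _c_ewf.uint32 | None = ...,
-sector_count: _c_ewf.uint32 | None = ...,
-sector_size: _c_ewf.uint32 | None = ...,
-total_sector_count: _c_ewf.uint64 | None = ...,
-num_cylinders: _c_ewf.uint32 | None = ...,
-num_heads: _c_ewf.uint32 | None = ...,
-num_sectors: _c_ewf.uint32 | None = ...,
+number_of_chunks: _c_ewf.uint32 | None = ...,
+sectors_per_chunk: _c_ewf.uint32 | None = ...,
+bytes_per_sector: _c_ewf.uint32 | None = ...,
+number_of_sectors: _c_ewf.uint64 | None = ...,
+chs_cylinders: _c_ewf.uint32 | None = ...,
+chs_heads: _c_ewf.uint32 | None = ...,
+chs_sectors: _c_ewf.uint32 | None = ...,
 media_flags: _c_ewf.uint8 | None = ...,
 unknown_1: __cs__.Array[_c_ewf.uint8] | None = ...,
-palm_start_sector: _c_ewf.uint32 | None = ...,
+palm_volume_start_sector: _c_ewf.uint32 | None = ...,
 unknown_2: _c_ewf.uint32 | None = ...,
-smart_start_sector: _c_ewf.uint32 | None = ...,
+smart_logs_start_sector: _c_ewf.uint32 | None = ...,
 compression_level: _c_ewf.CompressionLevel | None = ...,
 unknown_3: __cs__.Array[_c_ewf.uint8] | None = ...,
 error_granularity: _c_ewf.uint32 | None = ...,
 unknown_4: _c_ewf.uint32 | None = ...,
-uuid: __cs__.Array[_c_ewf.uint8] | None = ...,
+set_identifier: __cs__.Array[_c_ewf.uint8] | None = ...,
 pad: __cs__.Array[_c_ewf.uint8] | None = ...,
 signature: __cs__.CharArray | None = ...,
 checksum: _c_ewf.uint32 | None = ...,
 ): ...
 @overload
 def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
 
-class EWFTableSection(__cs__.Structure):
-num_entries: _c_ewf.uint32
+class DataSection(__cs__.Structure):
+media_type: _c_ewf.MediaType
+unknown1: __cs__.Array[_c_ewf.uint8]
+number_of_chunks: _c_ewf.uint32
+sectors_per_chunk: _c_ewf.uint32
+bytes_per_sector: _c_ewf.uint32
+number_of_sectors: _c_ewf.uint64
+chs_cylinders: _c_ewf.uint32
+chs_heads: _c_ewf.uint32
+chs_sectors: _c_ewf.uint32
+media_flags: _c_ewf.MediaFlags
+unknown2: __cs__.Array[_c_ewf.uint8]
+palm_volume_start_sector: _c_ewf.uint32
+unknown3: _c_ewf.uint32
+smart_logs_start_sector: _c_ewf.uint32
+compression_level: _c_ewf.CompressionLevel
+unknown4: __cs__.Array[_c_ewf.uint8]
+error_granularity: _c_ewf.uint32
+unknown5: _c_ewf.uint32
+set_identifier: __cs__.Array[_c_ewf.uint8]
+pad: __cs__.CharArray
+signature: __cs__.CharArray
+checksum: _c_ewf.uint32
+@overload
+def __init__(
+self,
+media_type: _c_ewf.MediaType | None = ...,
+unknown1: __cs__.Array[_c_ewf.uint8] | None = ...,
+number_of_chunks: _c_ewf.uint32 | None = ...,
+sectors_per_chunk: _c_ewf.uint32 | None = ...,
+bytes_per_sector: _c_ewf.uint32 | None = ...,
+number_of_sectors: _c_ewf.uint64 | None = ...,
+chs_cylinders: _c_ewf.uint32 | None = ...,
+chs_heads: _c_ewf.uint32 | None = ...,
+chs_sectors: _c_ewf.uint32 | None = ...,
+media_flags: _c_ewf.MediaFlags | None = ...,
+unknown2: __cs__.Array[_c_ewf.uint8] | None = ...,
+palm_volume_start_sector: _c_ewf.uint32 | None = ...,
+unknown3: _c_ewf.uint32 | None = ...,
+smart_logs_start_sector: _c_ewf.uint32 | None = ...,
+compression_level: _c_ewf.CompressionLevel | None = ...,
+unknown4: __cs__.Array[_c_ewf.uint8] | None = ...,
+error_granularity: _c_ewf.uint32 | None = ...,
+unknown5: _c_ewf.uint32 | None = ...,
+set_identifier: __cs__.Array[_c_ewf.uint8] | None = ...,
+pad: __cs__.CharArray | None = ...,
+signature: __cs__.CharArray | None = ...,
+checksum: _c_ewf.uint32 | None = ...,
+): ...
+@overload
+def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+class TableSection(__cs__.Structure):
+number_of_entries: _c_ewf.uint32
 _: _c_ewf.uint32
 base_offset: _c_ewf.uint64
 checksum: _c_ewf.uint32
-entries: __cs__.Array[_c_ewf.uint32]
 @overload
 def __init__(
 self,
-num_entries: _c_ewf.uint32 | None = ...,
+number_of_entries: _c_ewf.uint32 | None = ...,
 _: _c_ewf.uint32 | None = ...,
 base_offset: _c_ewf.uint64 | None = ...,
 checksum: _c_ewf.uint32 | None = ...,
-entries: __cs__.Array[_c_ewf.uint32] | None = ...,
+): ...
+@overload
+def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...
+
+class HashSection(__cs__.Structure):
+md5: __cs__.CharArray
+unknown1: __cs__.CharArray
+checksum: _c_ewf.uint32
+@overload
+def __init__(
+self,
+md5: __cs__.CharArray | None = ...,
+unknown1: __cs__.CharArray | None = ...,
+checksum: _c_ewf.uint32 | None = ...,
 ): ...
 @overload
 def __init__(self, fh: bytes | memoryview | bytearray | BinaryIO, /): ...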
