Beispiel #1
0
func (ewf_file *EWF_file) ReadAt(length uint64, off uint64) *bytes.Reader {
	//cast to struct respecting endianess
	defer parseutil.TimeTrack(time.Now(), "reading")
	buff := make([]byte, length)
	var err error
	var n int
	//read 100KB chunks
	STEP := uint64(1000 * 1024)
	rem := length
	if length < STEP {
		_, err := ewf_file.File.ReadAt(buff, int64(off))
		if err == io.EOF {
			fmt.Println("Error reading file:", err)

		}
	} else {
		for i := uint64(0); i <= length; i += STEP {
			if rem < STEP { //final read
				n, err = ewf_file.File.ReadAt(buff[i:length], int64(off))
			} else {
				n, err = ewf_file.File.ReadAt(buff[i:i+STEP], int64(off))
			}
			off += uint64(n)
			rem -= uint64(n)
			if err != nil {
				fmt.Println("Error reading file:", err)
				log.Fatal(err)
			}
		}
	}

	return bytes.NewReader(buff)
}
Beispiel #2
0
func (ewf_header *EWF_Header) Parse(buf *bytes.Reader) {
	//parse struct attributes
	//iterate through the fields of the struct
	defer parseutil.TimeTrack(time.Now(), "Parsing")
	s := reflect.ValueOf(ewf_header).Elem()
	for i := 0; i < s.NumField(); i++ {
		parseutil.Parse(buf, s.Field(i).Addr().Interface())
	}
}
Beispiel #3
0
func (digest_section *EWF_Digest_Section) Parse(r *bytes.Reader) {

	defer parseutil.TimeTrack(time.Now(), "Parsing")

	s := reflect.ValueOf(digest_section).Elem()
	for i := 0; i < s.NumField(); i++ {
		//parse struct attributes
		parseutil.Parse(r, s.Field(i).Addr().Interface())

	}
}
Beispiel #4
0
func (section_header *Section_Header) Parse(buf *bytes.Reader) {

	defer parseutil.TimeTrack(time.Now(), "Parsing") //header of each section

	s := reflect.ValueOf(section_header).Elem()
	for i := 0; i < s.NumField(); i++ {
		//parse struct attributes
		parseutil.Parse(buf, s.Field(i).Addr().Interface())

	}

}
Beispiel #5
0
func (ewf_file *EWF_file) ParseHeader(cur_offset *uint64) {
	defer parseutil.TimeTrack(time.Now(), "Parsing Segment Header")
	buf := ewf_file.ReadAt(EWF_Header_s, *cur_offset) //producer
	*cur_offset += EWF_Header_s
	ewf_header := new(EWF_Header) //ewf_header acts as a pointer

	ewf_header.Parse(buf) //consume
	sig := parseutil.Stringify(ewf_header.Signature[:])

	if !strings.Contains(sig, "EVF") {
		os.Exit(0)
	}

}
Beispiel #6
0
func (ewf_table_section *EWF_Table_Section) Parse(buf *bytes.Reader) {

	defer parseutil.TimeTrack(time.Now(), "Parsing")
	val := make([]byte, int64(buf.Len()))

	buf.Read(val)

	ewf_table_section.table_header.Parse(bytes.NewReader(val[0:24]))
	ewf_table_section.table_footer.Parse(bytes.NewReader(val[len(val)-4 : len(val)]))
	val = val[24 : len(val)-4]
	k := 0
	ewf_table_section.Table_entries = make([]EWF_Table_Section_Entry, ewf_table_section.table_header.nofEntries)
	for i := uint32(0); i < ewf_table_section.table_header.nofEntries; i += 1 {

		ewf_table_section.Table_entries[i].Parse(bytes.NewReader(val[0+k : 4+k]))
		//  fmt.Println("EFW in by",i,
		//       ewf_table_section.table_entries[i].IsCompressed,ewf_table_section.table_entries[i].ChunkDataOffset)
		k += 4

	}

}
Beispiel #7
0
func (ewf_h2_section *EWF_Header2_Section) Parse(buf *bytes.Reader) {
	//0x09 tab 0x0a new line delimiter
	//function to parse header2 section attributes
	//to do take into account endianess
	val := make([]byte, buf.Len())
	buf.Read(val)
	val = parseutil.Decompress(val)

	defer parseutil.TimeTrack(time.Now(), "Parsing")
	line_del, _ := hex.DecodeString("0a")
	tab_del, err := hex.DecodeString("09")
	if err != nil {
		log.Fatal(err)
	}
	var b *bytes.Reader

	for line_number, line := range bytes.Split(val, line_del) {
		for id_num, attr := range bytes.Split(line, tab_del) {
			b = bytes.NewReader(attr)
			if line_number == 0 {
				parseutil.Parse(b, &ewf_h2_section.BOM)
				parseutil.Parse(b, &ewf_h2_section.NofCategories)

			} else if line_number == 1 {
				parseutil.Parse(b, &ewf_h2_section.CategoryName)
			} else if line_number == 2 {

			} else if line_number == 3 {
				if id_num == EWF_HEADER_VALUES_INDEX_DESCRIPTION {
					ewf_h2_section.a = string(attr)
					fmt.Println("TIME", ewf_h2_section.a)
				} else if id_num == EWF_HEADER_VALUES_INDEX_CASE_NUMBER {
					ewf_h2_section.c = string(attr)

				} else if id_num == EWF_HEADER_VALUES_INDEX_EXAMINER_NAME {
					ewf_h2_section.n = string(attr)
				} else if id_num == EWF_HEADER_VALUES_INDEX_EVIDENCE_NUMBER {
					ewf_h2_section.e = string(attr)
				} else if id_num == EWF_HEADER_VALUES_INDEX_NOTES {
					ewf_h2_section.t = string(attr)
				} else if id_num == EWF_HEADER_VALUES_INDEX_ACQUIRY_SOFTWARE_VERSION {
					ewf_h2_section.av = string(attr)
				} else if id_num == EWF_HEADER_VALUES_INDEX_ACQUIRY_OPERATING_SYSTEM {
					ewf_h2_section.ov = string(attr)
				} else if id_num == EWF_HEADER_VALUES_INDEX_ACQUIRY_DATE {
					ewf_h2_section.m = parseutil.SetTime(attr)

				} else if id_num == EWF_HEADER_VALUES_INDEX_SYSTEM_DATE {
					ewf_h2_section.u = parseutil.SetTime(attr)

				} else if id_num == EWF_HEADER_VALUES_INDEX_PASSWORD {
					ewf_h2_section.p = string(attr)
				} else if id_num == EWF_HEADER_VALUES_INDEX_PROCESS_IDENTIFIER {
					ewf_h2_section.pid = string(attr)

				}

			}
		}
	}

}