func (ewf_table_section *EWF_Table_Section) Collect(sectors_buf []byte, sectors_offs uint64) {
fmt.Println("NODF entries", len(ewf_table_section.Table_entries), ewf_table_section.table_header.nofEntries)
zlib_header := []byte{72, 13}
var data []byte
for idx, entry := range ewf_table_section.Table_entries[:len(ewf_table_section.Table_entries)-1] {
data = sectors_buf[entry.ChunkDataOffset-uint32(sectors_offs) : entry.ChunkDataOffset-uint32(sectors_offs)+Chunk_Size]
if bytes.HasPrefix(data, zlib_header) {
parseutil.Decompress(data)
fmt.Println("IDX", idx)
/*sectors_buf[entry.ChunkDataOffset-uint32(sectors_offs):entry.ChunkDataOffset-uint32(sectors_offs)+5],
"REM",uint32(len(sectors_buf))-entry.ChunkDataOffset-uint32(sectors_offs), "CompresseD?",entry.IsCompressed)*/
// parseutil.DecompressF(data)
}
}
//last data chunk maybe less than 32K size
last_entry := ewf_table_section.Table_entries[len(ewf_table_section.Table_entries)-1]
data = sectors_buf[last_entry.ChunkDataOffset-uint32(sectors_offs) : last_entry.ChunkDataOffset-uint32(sectors_offs)+
uint32(len(sectors_buf))-last_entry.ChunkDataOffset-uint32(sectors_offs)]
if bytes.HasSuffix(data, zlib_header) {
parseutil.DecompressF(data)
}
}
func (ewf_h2_section *EWF_Header2_Section) Parse(buf *bytes.Reader) {
//0x09 tab 0x0a new line delimiter
//function to parse header2 section attributes
//to do take into account endianess
val := make([]byte, buf.Len())
buf.Read(val)
val = parseutil.Decompress(val)
defer parseutil.TimeTrack(time.Now(), "Parsing")
line_del, _ := hex.DecodeString("0a")
tab_del, err := hex.DecodeString("09")
if err != nil {
log.Fatal(err)
}
var b *bytes.Reader
for line_number, line := range bytes.Split(val, line_del) {
for id_num, attr := range bytes.Split(line, tab_del) {
b = bytes.NewReader(attr)
if line_number == 0 {
parseutil.Parse(b, &ewf_h2_section.BOM)
parseutil.Parse(b, &ewf_h2_section.NofCategories)
} else if line_number == 1 {
parseutil.Parse(b, &ewf_h2_section.CategoryName)
} else if line_number == 2 {
} else if line_number == 3 {
if id_num == EWF_HEADER_VALUES_INDEX_DESCRIPTION {
ewf_h2_section.a = string(attr)
fmt.Println("TIME", ewf_h2_section.a)
} else if id_num == EWF_HEADER_VALUES_INDEX_CASE_NUMBER {
ewf_h2_section.c = string(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_EXAMINER_NAME {
ewf_h2_section.n = string(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_EVIDENCE_NUMBER {
ewf_h2_section.e = string(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_NOTES {
ewf_h2_section.t = string(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_ACQUIRY_SOFTWARE_VERSION {
ewf_h2_section.av = string(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_ACQUIRY_OPERATING_SYSTEM {
ewf_h2_section.ov = string(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_ACQUIRY_DATE {
ewf_h2_section.m = parseutil.SetTime(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_SYSTEM_DATE {
ewf_h2_section.u = parseutil.SetTime(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_PASSWORD {
ewf_h2_section.p = string(attr)
} else if id_num == EWF_HEADER_VALUES_INDEX_PROCESS_IDENTIFIER {
ewf_h2_section.pid = string(attr)
}
}
}
}
}