ewfacquirestream.1 5.93 KB
Newer Older
1
.Dd April  4, 2016
2 3 4 5 6 7 8
.Dt ewfacquirestream
.Os libewf
.Sh NAME
.Nm ewfacquirestream
.Nd acquires data in the EWF format from stdin
.Sh SYNOPSIS
.Nm ewfacquirestream
9
.Op Fl A Ar codepage
10 11
.Op Fl b Ar number_of_sectors
.Op Fl B Ar number_of_bytes
12
.Op Fl c Ar compression_values
13 14 15 16 17 18
.Op Fl C Ar case_number
.Op Fl d Ar digest_type
.Op Fl D Ar description
.Op Fl e Ar examiner_name
.Op Fl E Ar evidence_number
.Op Fl f Ar format
19
.Op Fl j Ar jobs
20
.Op Fl l Ar log_filename
21
.Op Fl m Ar media_type
22
.Op Fl M Ar media_flags
23
.Op Fl N Ar notes
24 25
.Op Fl o Ar offset
.Op Fl p Ar process_buffer_size
26
.Op Fl P Ar bytes_per_sector
27 28
.Op Fl S Ar segment_file_size
.Op Fl t Ar target
29
.Op Fl 2 Ar secondary_target
30
.Op Fl hqsvVx
31 32
.Sh DESCRIPTION
.Nm ewfacquirestream
33
is a utility to acquire media data from stdin and store it in EWF format (Expert Witness Format).
34
.Nm ewfacquirestream
35
acquires media data in a format equivalent to EnCase and FTK imager, including meta data. Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS\-X/Darwin
36 37 38 39 40 41
.Pp
.Nm ewfacquirestream
is part of the
.Nm libewf
package.
.Nm libewf
42
is a library to access the Expert Witness Compression Format (EWF).
43 44 45
.Pp
The options are as follows:
.Bl -tag -width Ds
46
.It Fl A Ar codepage
47
the codepage of header section, options: ascii (default), windows-874, windows-932, windows-936, windows-949, windows-950, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257 or windows-1258
48 49 50 51
.It Fl b Ar number_of_sectors
the number of sectors to read at once (per chunk), options: 16, 32, 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384 or 32768
.It Fl B Ar number_of_bytes
the number of bytes to acquire
52 53
.It Fl c Ar compression_values
specify the compression values as: level or method:level
54
compression method options: deflate (default)
55
compression level options: none (default), empty-block, fast or best
56 57 58
.It Fl C Ar case_number
the case number (default is case_number)
.It Fl d Ar digest_type
59
calculate additional digest (hash) types besides md5, options: sha1, sha256
60 61 62 63 64 65 66
.It Fl D Ar description
the description (default is description)
.It Fl e Ar examiner_name
the examiner name (default is examiner_name)
.It Fl E Ar evidence_number
the evidence number (default is evidence_number)
.It Fl f Ar format
67
the EWF file format to write to, options: ftk, encase2, encase3, encase4, encase5, encase6 (default), encase7, encase7-v2, linen5, linen6, linen7, ewfx.
68 69
.It Fl h
shows this help
70 71 72 73
.It Fl j Ar jobs
the number of concurrent processing jobs (threads), where a number of 0 represents single-threaded mode (default is 4 if multi-threaded mode is supported).
.Nm libewf
does not support streamed writes for other EWF formats.
74 75
.It Fl l Ar log_filename
logs acquiry errors and the digest (hash) to the log filename
76
.It Fl m Ar media_type
77 78 79
the media type, options: fixed (default), removable, optical, memory
.It Fl M Ar media_flags
the media flags, options: logical, physical (default)
80 81
.It Fl N Ar notes
the notes (default is notes)
82 83 84 85
.It Fl o Ar offset
the offset to start to acquire (default is 0)
.It Fl p Ar process_buffer_size
the process buffer size (default is the chunk size)
86 87
.It Fl P Ar bytes_per_sector
the number of bytes per sector (default is 512)
88
.It Fl q
89
quiet shows minimal status information
90
.It Fl s
91
swap byte pairs of the media data (from AB to BA) (use this for big to little endian conversion and vice versa)
92
.It Fl S Ar segment_file_size
93
the segment file size in bytes (default is 1.4 GiB) (minimum is 1.0 MiB, maximum is 7.9 EiB for encase6 and later formats and 1.9 GiB for other formats)
94
.It Fl t Ar target
95
the target file (without extension) to write to (default is image)
96 97 98 99
.It Fl v
verbose output to stderr
.It Fl V
print version
100 101
.It Fl x
use the chunk data instead of the buffered read and write functions.
102 103
.It Fl 2 Ar secondary_target
the secondary target file (without extension) to write to
104 105 106 107 108 109 110 111 112 113 114 115 116
.El
.Pp
.Nm ewfacquirestream
will read from stding until it encounters a read error.
On read error it will stop no error information is stored in the EWF file(s).
.Pp
Empty block compression detects blocks of sectors with entirely the same byte data and compresses them using the default compression level.
.Sh ENVIRONMENT
None
.Sh FILES
None
.Sh EXAMPLES
.Bd -literal
117
# ewfacquirestream \-C 1 \-D Floppy \-E 1.1 \-e 'John D.' \-N 'Just a floppy in my system' \-m removable \-M logical \-t floppy </dev/fd0
118
ewfacquirestream 20120805
119 120

Using the following acquiry parameters:
121 122 123 124 125 126 127 128 129
Image path and filename:		floppy.E01
Case number:				1
Description:				Floppy
Evidence number:			1.1
Examiner name:				John D.
Notes:					Just a floppy in my system
Media type:				removable
Volume type:				logical
EWF file format:			EnCase 5
130 131
Compression method:			deflate
Compression level:			none
132 133 134 135 136 137
Acquiry start offet:			0
Number of bytes to acquire:		0 (until end of input)
Evidence segment file size:		1.4 GiB (1572864000 bytes)
Block size:				64 sectors
Error granularity:			64 sectors
Retries on read error:			2
138

139
Acquiry started at: Sun Aug  5 11:32:41 2012
140 141 142 143 144 145

This could take a while.

Status: acquired 1.4 MiB (1474560 bytes)
        in 1 second(s) with 1 MiB/s (1474560 bytes/second).

146
Acquiry completed at: Sun Aug  5 11:32:42 2012
147 148 149

Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).

150
MD5 hash calculated over data:		ae1ce8f5ac079d3ee93f97fe3792bda3
151 152
.Ed
.Sh DIAGNOSTICS
153
Errors, verbose and debug output are printed to stderr when verbose output \-v is enabled. Verbose and debug output are only printed when enabled at compilation.
154
.Sh BUGS
155
Please report bugs of any kind to <joachim.metz@gmail.com> or on the project website:
156
https://github.com/libyal/libewf/
157 158 159
.Sh AUTHOR
These man pages were written by Joachim Metz.
.Sh COPYRIGHT
160
.Pp
161
Copyright (C) 2006-2016, Joachim Metz <joachim.metz@gmail.com>.
162
.Pp
163 164 165 166 167
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.Sh SEE ALSO
.Xr ewfacquire 1 ,
.Xr ewfexport 1 ,
.Xr ewfinfo 1 ,
168
.Xr ewfmount 1 ,
169
.Xr ewfrecover 1 ,
170
.Xr ewfverify 1