1 /*
2
3 File: file_e01.c
4
5 Copyright (C) 2009 Christophe GRENIER <grenier@cgsecurity.org>
6
7 This software is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License along
18 with this program; if not, write the Free Software Foundation, Inc., 51
19 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26 #ifdef HAVE_STRING_H
27 #include <string.h>
28 #endif
29 #include <stdio.h>
30 #include "types.h"
31 #include "filegen.h"
32 #include "common.h"
33
34 static void register_header_check_e01(file_stat_t *file_stat);
35
36 const file_hint_t file_hint_e01= {
37 .extension="e01",
38 .description="Encase",
39 .max_filesize=PHOTOREC_MAX_FILE_SIZE,
40 .recover=1,
41 .enable_by_default=1,
42 .register_header_check=®ister_header_check_e01
43 };
44
45 struct ewf_file_header
46 {
47 /* The EWF file signature (magic header)
48 * consists of 8 bytes containing
49 * EVF 0x09 0x0d 0x0a 0xff 0x00
50 */
51 uint8_t signature[ 8 ];
52 /* The fields start
53 * consists of 1 byte (8 bit) containing
54 * 0x01
55 */
56 uint8_t fields_start;
57 /* The fields segment number
58 * consists of 2 bytes (16 bits) containing
59 */
60 uint16_t fields_segment;
61 /* The fields end
62 * consists of 2 bytes (16 bits) containing
63 * 0x00 0x00
64 */
65 uint16_t fields_end;
66 } __attribute__ ((gcc_struct, __packed__));
67
file_check_e01(file_recovery_t * file_recovery)68 static void file_check_e01(file_recovery_t *file_recovery)
69 {
70 const uint64_t tmp=file_recovery->file_size;
71 const unsigned char sig_done[16]={
72 'd', 'o', 'n', 'e', 0x00, 0x00, 0x00, 0x00,
73 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
74 };
75 const unsigned char sig_next[16]={
76 'n', 'e', 'x', 't', 0x00, 0x00, 0x00, 0x00,
77 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
78 };
79 file_search_footer(file_recovery, sig_next, sizeof(sig_next), 60);
80 if(file_recovery->file_size!=0)
81 return ;
82 file_recovery->file_size=tmp;
83 file_search_footer(file_recovery, sig_done, sizeof(sig_done), 60);
84 }
85
header_check_e01(const unsigned char * buffer,const unsigned int buffer_size,const unsigned int safe_header_only,const file_recovery_t * file_recovery,file_recovery_t * file_recovery_new)86 static int header_check_e01(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
87 {
88 const struct ewf_file_header *ewf=(const struct ewf_file_header *)buffer;
89 static char ext[4];
90 reset_file_recovery(file_recovery_new);
91 ext[0]='E'+le16(ewf->fields_segment)/100;
92 ext[1]='0'+(le16(ewf->fields_segment)%100)/10;
93 ext[2]='0'+(le16(ewf->fields_segment)%10);
94 ext[3]='\0';
95 file_recovery_new->extension=(const char*)&ext;
96 file_recovery_new->file_check=&file_check_e01;
97 return 1;
98 }
99
register_header_check_e01(file_stat_t * file_stat)100 static void register_header_check_e01(file_stat_t *file_stat)
101 {
102 static const unsigned char e01_header[9]= {
103 'E' , 'V' , 'F' , 0x09, 0x0d, 0x0a, 0xff, 0x00,
104 0x01
105 };
106 register_header_check(0, e01_header, sizeof(e01_header), &header_check_e01, file_stat);
107 }
108