-
Notifications
You must be signed in to change notification settings - Fork 1
/
main.go
84 lines (66 loc) · 2.22 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
package main
import (
"flag"
"fmt"
"os"
"time"
"github.com/aarsakian/EWF_Reader/ewf"
Utils "github.com/aarsakian/EWF_Reader/ewf/utils"
)
var MediaTypes = map[uint]string{0x00: "Removable Storage Media",
0x01: "Fixed Storage Media", 0x03: "Optical Disc", 0x0e: "Logical Evidence File", 0x10: "Physical Memory RAM",
}
var MediaFlags = map[uint]string{0x01: "Image File",
0x02: "Physical Device", 0x04: "Fast Writer blocker used", 0x08: "Tableau writer used",
}
var CompressionLevel = map[uint]string{0x00: "no compression",
0x01: "good compression", 0x02: "best compression",
}
type Decompressor interface {
Decompress([]byte)
}
func main() {
evidencePath := flag.String("evidence", "", "path to evidence")
verify := flag.Bool("verify", false, "verify data of evidence using adler32 checksum")
VerifyHash := flag.Bool("verifyHash", false, "verify stored hash in evidence")
showImageInfo := flag.Bool("showInfo", false, "show evidence information")
showHash := flag.Bool("showHash", false, "show stored hash value")
offset := flag.Int64("offset", -1, "offset to read data from the evidence")
length := flag.Int64("len", 0, "number of bytes to read from offset in the evidence")
profile := flag.Bool("profile", false, "profile performance")
flag.Parse()
if *evidencePath == "" {
fmt.Println("Evidence filename needed")
os.Exit(0)
}
defer Utils.TimeTrack(time.Now(), "finished")
filenames := Utils.FindEvidenceFiles(*evidencePath)
ewf_image := ewf.EWF_Image{Profiling: *profile}
ewf_image.ParseEvidence(filenames)
if *showImageInfo {
ewf_image.ShowInfo()
}
if *showHash {
hash := ewf_image.GetHash()
fmt.Println(hash)
}
if *offset > int64(ewf_image.NofChunks)*int64(ewf_image.Chuncksize) {
panic("offset exceeds size of data")
}
if *offset+*length > int64(ewf_image.NofChunks)*int64(ewf_image.Chuncksize) {
panic("len exceeds remaing data area")
}
if *offset != -1 && *length != 0 {
fmt.Printf("data to read %d\n", *length)
data := ewf_image.RetrieveData(*offset, *length)
fmt.Printf("%x\n", data[0:1])
}
if *verify {
verified := ewf_image.Verify()
fmt.Println("verified ", verified)
}
if *VerifyHash {
verified1 := ewf_image.VerifyHash()
fmt.Println("Verified hash", verified1) // buf)
}
}