in EWF format(1)

ENVIRONMENT

None

FILES

None

EXAMPLES

ewfacquire will ask for the information it requires.

# ewfacquire /dev/fd0
ewfacquire 20090503 (libewf 20090503, libuna 20090124, zlib 1.2.3, libcrypto 0.9.8g, libuuid)

Information about acquiry required, please provide the necessary input
Image path and filename without extension: floppy
Case number: 1
Description: Floppy
Evidence number: 1.1
Examiner name: John D.
Notes: Just a floppy in my system
Media type (fixed, removable, optical, memory) [fixed]: removable
Media characteristics (logical, physical) [logical]:
Use compression (none, empty-block, fast, best) [none]:
Use EWF file format (smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase6]: Start to acquire at offset (0 >= value >= 1474560) [0]:
The amount of bytes to acquire (0 >= value >= 1474560) [1474560]:
Evidence segment file size in bytes (1.0 MiB >= value >= 1.9 GiB) [1.4 GiB]: The amount of bytes per sector (0 >= value >= 4294967295) [512]:
The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]: The amount of sectors to be used as error granularity (1 >= value >= 64) [64]: The amount of retries when a read error occurs (0 >= value >= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [no]:

The following information was provided:
Image path and filename: floppy.E01
Case number: 1
Description: Floppy
Evidence number: 1.1
Examiner name: John D.
Notes: Just a floppy in my system
Media type: removable
Is physical: no
Compression used: none
EWF file format: Encase 5
Acquiry start offset: 0
Amount of bytes to acquire: 1.4 MiB (1474560 bytes)
Evidence segment file size: 1.4 GiB (1572864000 bytes)
Block size: 64 sectors
Error granularity: 64 sectors
Retries on read error: 2
Wipe sectors on read error: no

Continue acquiry with these values (yes, no) [yes]:

Acquiry started at: Sat Feb 28 11:32:41 2009

This could take a while.

Status: at 2%.
acquired 32 kB (32768 bytes) of total 1.4 MiB (1474560 bytes).
...
Status: at 100%.
acquired 1.4 MiB (1474560 bytes) of total 1.4 MiB (1474560 bytes). completion in 1 second(s) with 1 MiB/s (1474560 bytes/second).
Acquiry completed at: Sat Feb 28 11:32:42 2009
Written: 1.4 MiB (1474560 bytes) in 1 second(s) with 1 MiB/s (1474560 bytes/second).
MD5 hash calculated over data: ae1ce8f5ac079d3ee93f97fe3792bda3

DIAGNOSTICS

Errors, verbose and debug output are printed to stderr when verbose output -v is enabled. Verbose and debug output are only printed when enabled at compilation.

BUGS

Please report bugs of any kind to <forensics@hoffmannbv.nl> or on the
project website: http://libewf.sourceforge.net/

AUTHOR

These man pages were written by Kees Mastwijk.

Alterations for distribution have been made by Joachim Metz.

COPYRIGHT

Copyright 2006-2009 Kees Mastwijk, Hoffmann Investigations <forensics@hoffmannbv.nl> and contributors.

This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO

ewfacquirestream(1), ewfexport(1), ewfinfo(1), ewfverify(1)

libewf January 9, 2010 libewf

Copyright © 2010-2025 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout