internal

package
v0.0.0-...-28800eb Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 19, 2025 License: MIT Imports: 11 Imported by: 0

Documentation

Index

Constants

// Media type codes; the package documentation cites section 3.5.5 for this group.
// Presumably these are the values carried in the MediaType byte of DataSection
// and DiskSMART (confirm against the parser). The constants are untyped.
// NOTE(review): that byte is read from the image file, so it can hold a value
// that is not listed here; callers should treat unknown codes as a normal case.
const (
	// MediaType
	RemovableStorageMediaDevice = 0x00
	FixedStorageMediaDevice     = 0x01
	OpticalDiscDevice           = 0x03
	LogicalEvidenceFile         = 0x0e
	RAM                         = 0x10
)

3.5.5

// Media flag values; the package documentation cites section 3.5.6 for this group.
// Each value is a distinct single bit (0x01, 0x02, 0x04, 0x08), so they are
// presumably meant to be tested with a bitwise AND against the MediaFlag byte
// rather than compared for equality (confirm against the parser).
const (
	// MediaFlag
	ImageFile            = 0x01
	PhysicalDevice       = 0x02
	FastblocWriteBlocker = 0x04
	TableauWriteBlocker  = 0x08
)

3.5.6

// Compression level codes; the package documentation cites section 3.5.7 for this group.
// Presumably these are the values of the CompressionLevel byte in DataSection
// and DiskSMART (confirm against the parser). The constants are untyped.
const (
	// CompressionLevel
	NoCompression   = 0x00
	GoodCompression = 0x01
	BestCompression = 0x02
)

3.5.7

Variables

// DiskSMARTLength is 1052, which equals the summed field sizes of the DiskSMART struct.
// NOTE(review): this is a package-level var, not a const, so importing code can
// reassign it; any read that sizes a buffer from it should treat it as fixed.
var DiskSMARTLength = int64(1052)
// EVFSignature is the 8-byte sequence 'E' 'V' 'F' 0x09 0x0d 0x0a 0xff 0x00,
// the same bytes quoted in the comment on EWFFileHeader.EVFSignature.
// NOTE(review): this is a package-level var, so any importer can overwrite it;
// a signature check that reads it (presumably IsEWFFile) would then silently
// accept or reject different files. Treat it as read-only.
var EVFSignature = [8]byte{'E', 'V', 'F', 0x09, 0x0d, 0x0a, 0xff, 0x00}
// EWFFileHeaderLength is 13, which equals the summed field sizes of
// EWFFileHeader (8 + 1 + 2 + 2).
// NOTE(review): declared as a var, so it is reassignable by importers.
var EWFFileHeaderLength = int64(13)
// EWFSpecificationLength is 94, which equals the summed field sizes of
// EWFSpecification (5*4 + 20 + 45 + 5 + 4).
// NOTE(review): declared as a var, so it is reassignable by importers.
var EWFSpecificationLength = int64(94)
// SectionLength is 76, which equals the summed field sizes of Section
// (16 + 8 + 8 + 40 + 4).
// NOTE(review): declared as a var, so it is reassignable by importers.
var SectionLength = int64(76)
// TableSectionLength is 24, which equals the summed field sizes of
// TableSection (4 + 16 + 4).
// NOTE(review): declared as a var, so it is reassignable by importers.
var TableSectionLength = int64(24)

Functions

func ParseGPT

func ParseGPT(ewf *EWFImage)

func ParseMBR

func ParseMBR(ewf *EWFImage)

func PrintGPT

func PrintGPT(gpt GPT)

func PrintMBR

func PrintMBR(mbr MBR)

Types

type DataSection

// DataSection is the fixed-size layout of the data section (3.7 per the
// package documentation). Its field sizes total 1052 bytes and the field list
// is identical to DiskSMART.
// NOTE(review): every field is read from the image file. ChunkCount,
// ChunkSectors, SectorBytes and SectorsCount should be range-checked before
// they are multiplied or used to size buffers or seek, and CheckSum should be
// verified before the other fields are trusted. The parsing code is not shown
// here, so whether it does so needs confirming.
type DataSection struct {
	MediaType                uint8     // media type
	Space                    [3]byte   // padding - no meaning
	ChunkCount               uint32    // number of chunks
	ChunkSectors             uint32    // sectors per chunk
	SectorBytes              uint32    // bytes per sector
	SectorsCount             uint64    // total number of sectors
	CHScylinders             uint32    // CHS cylinder count
	CHSheads                 uint32    // CHS head count
	CHSsectors               uint32    // CHS sector count
	MediaFlag                uint8     // media flags
	Space2                   [3]byte   // padding - no meaning
	PALMVolumeStartSector    uint32    // PALM volume start sector
	Space3                   uint32    // padding - no meaning
	SMARTLogsStartSector     uint32    // SMART logs start sector
	CompressionLevel         uint8     // compression level
	Space4                   [3]byte   // padding - no meaning
	SectorErrorGranularity   uint32    // sector error granularity
	Space5                   uint32    // padding - no meaning
	SegmentFileSetIdentifier [16]byte  // segment file set identifier (GUID/UUID)
	Space6                   [963]byte // padding - no meaning
	Signature                [5]byte   // signature
	CheckSum                 uint32    // checksum
}

3.7 Data

type DigestSection

// DigestSection declares no fields; it is a placeholder type for the digest
// section (3.17 per the package documentation).
type DigestSection struct{}

3.17 Digest

type DiskSMART

// DiskSMART is the 1052-byte layout the package documentation associates with
// the volume (3.5) and disk (3.6) sections. Its field sizes total 1052 bytes,
// matching DiskSMARTLength, and the field list is identical to DataSection.
// NOTE(review): every field is read from the image file. ChunkCount,
// ChunkSectors, SectorBytes and SectorsCount should be range-checked before
// they are multiplied or used to size buffers or seek (a zero SectorBytes or
// an overflowing product are the usual failure cases), and CheckSum should be
// verified first. The parsing code is not shown here; confirm it does so.
type DiskSMART struct {
	MediaType                uint8     // media type
	Space                    [3]byte   // padding - no meaning
	ChunkCount               uint32    // number of chunks
	ChunkSectors             uint32    // sectors per chunk
	SectorBytes              uint32    // bytes per sector
	SectorsCount             uint64    // total number of sectors
	CHScylinders             uint32    // CHS cylinder count
	CHSheads                 uint32    // CHS head count
	CHSsectors               uint32    // CHS sector count
	MediaFlag                uint8     // media flags
	Space2                   [3]byte   // padding - no meaning
	PALMVolumeStartSector    uint32    // PALM volume start sector
	Space3                   uint32    // padding - no meaning
	SMARTLogsStartSector     uint32    // SMART logs start sector
	CompressionLevel         uint8     // compression level
	Space4                   [3]byte   // padding - no meaning
	SectorErrorGranularity   uint32    // sector error granularity
	Space5                   uint32    // padding - no meaning
	SegmentFileSetIdentifier [16]byte  // segment file set identifier (GUID/UUID)
	Space6                   [963]byte // padding - no meaning
	Signature                [5]byte   // signature
	CheckSum                 uint32    // checksum
}

3.5 Volume and 3.6 Disk 1052 bytes

type DoneSection

// DoneSection declares no fields; it is a placeholder type for the done
// section (3.19 per the package documentation).
type DoneSection struct{}

3.19 Done

type EWFFileHeader

// EWFFileHeader is the 13-byte file header (2.1.1 per the package
// documentation): an 8-byte signature followed by three small fields.
// The trailing comments on the fields are the author's notes; what the
// numbers 1, 256 and 0 denote (expected value, example, or default) is not
// stated on this page. TODO confirm.
// NOTE(review): a file is untrusted until the signature has been compared
// against the expected bytes; nothing after the header should be parsed
// before that check.
type EWFFileHeader struct {
	EVFSignature  [8]byte // "EVF\0x09\0x0d\0x0a\0xff\0x00"
	FieldsStart   uint8   // 1
	SegmentNumber uint16  // 256
	FieldsEnd     uint16  // 0
}

2.1.1 13 bytes

type EWFImage

// EWFImage holds slices of section descriptors, header strings, volume and
// disk structures, and sector/table addresses for one image. Presumably they
// are filled by the Parse*, Add* and Read* methods; their bodies are not
// shown on this page.
// NOTE(review): everything stored here originates from the image file, so the
// lengths of these slices are attacker-influenced when the image is not
// trusted; code that indexes Sectors or TableEntry values should bounds-check.
type EWFImage struct {
	Sections       []SectionWithAddress
	Headers        []HeaderSectionString
	Volumes        []EWFSpecification
	DiskSMART      []DiskSMART
	SectorsAddress []SectionWithAddress
	TableAddress   []SectionWithAddress
	Sectors        []SectorAndTableWithAddress
	// contains filtered or unexported fields
}

func (*EWFImage) AddSectorsAddress

func (e *EWFImage) AddSectorsAddress(s SectionWithAddress) error

3.8 Sector

func (*EWFImage) AddTableAddress

func (e *EWFImage) AddTableAddress(s SectionWithAddress) error

3.9 Table

func (*EWFImage) IsEWFFile

func (e *EWFImage) IsEWFFile() bool

func (*EWFImage) Open

func (e *EWFImage) Open(file string) (*EWFImage, error)

func (*EWFImage) ParseData

func (e *EWFImage) ParseData(s SectionWithAddress)

3.7 Data

func (*EWFImage) ParseDisk

func (e *EWFImage) ParseDisk(s SectionWithAddress)

3.6 Disk

func (*EWFImage) ParseHeader

func (e *EWFImage) ParseHeader(s SectionWithAddress) error

3.3 3.4

func (*EWFImage) ParseSections

func (e *EWFImage) ParseSections() error

func (*EWFImage) ParseSectors

func (e *EWFImage) ParseSectors(s SectionWithAddress) (io.ReadCloser, error)

func (*EWFImage) ParseTable

func (e *EWFImage) ParseTable(s SectionWithAddress) ([]uint32, error)

func (*EWFImage) ParseTable2

func (e *EWFImage) ParseTable2(s SectionWithAddress) error

3.10 Table2

func (*EWFImage) ParseVolume

func (e *EWFImage) ParseVolume(s SectionWithAddress) error

3.5 Volume

func (*EWFImage) ParsesDigest

func (e *EWFImage) ParsesDigest(s SectionWithAddress)

3.17 Digest

func (*EWFImage) ParsesDone

func (e *EWFImage) ParsesDone(s SectionWithAddress)

3.19 Done

func (*EWFImage) ParsesError2

func (e *EWFImage) ParsesError2(s SectionWithAddress)

3.16 Error2

func (*EWFImage) ParsesHash

func (e *EWFImage) ParsesHash(s SectionWithAddress)

3.18 Hash

func (*EWFImage) ParsesLtree

func (e *EWFImage) ParsesLtree(s SectionWithAddress)

3.13 Ltree

func (*EWFImage) ParsesLtype

func (e *EWFImage) ParsesLtype(s SectionWithAddress)

3.12 Ltype

func (*EWFImage) ParsesMap

func (e *EWFImage) ParsesMap(s SectionWithAddress)

3.14 Map

func (*EWFImage) ParsesNext

func (e *EWFImage) ParsesNext(s SectionWithAddress)

3.11 Next

func (*EWFImage) ParsesSession

func (e *EWFImage) ParsesSession(s SectionWithAddress)

3.15 Session

func (*EWFImage) ReadAt

func (e *EWFImage) ReadAt(addr int64, length int64) []byte

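ReadAt reads length bytes starting at address addr. The signature has no error return, so a failed or short read cannot be reported to the caller as an error value.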

func (*EWFImage) ReadSection

func (e *EWFImage) ReadSection(address int64) (*Section, error)

func (*EWFImage) ReadSections

func (e *EWFImage) ReadSections() error

type EWFSpecification

// EWFSpecification is the 94-byte layout the package documentation associates
// with the volume (3.5) and disk (3.6) sections. Its field sizes total
// 94 bytes, matching EWFSpecificationLength.
// Field meanings below are taken from the field names only. TODO confirm
// against the format specification.
// NOTE(review): SectorCounts is uint32 here while DiskSMART.SectorsCount is
// uint64; all counts are read from the image and should be range-checked
// before being multiplied or used to size buffers.
type EWFSpecification struct {
	Reserved     uint32   // reserved
	SegmentChunk uint32   // presumably the chunk count
	ChunkSectors uint32   // presumably sectors per chunk
	SectorsBytes uint32   // presumably bytes per sector
	SectorCounts uint32   // presumably the total sector count
	Reserved2    [20]byte // reserved
	Padding      [45]byte // padding
	Signature    [5]byte  // signature
	CheckSum     uint32   // checksum
}

3.5 Volume and 3.6 Disk 94 bytes

type Error2Section

// Error2Section declares no fields; it is a placeholder type for the error2
// section (3.16 per the package documentation).
type Error2Section struct{}

3.16 Error2

type GPT

// GPT pairs a GPT header with a fixed array of 128 partition entries.
// NOTE(review): the array length is fixed at 128, while the header carries
// its own PartitionNumber and PartitionSize fields read from the disk image.
// A parser should not assume those header values equal 128 entries of
// 128 bytes; confirm how ParseGPT reconciles them.
type GPT struct {
	GPTHeader         GPTHeader
	GPTPartitionTable [128]GPTPartitionTable
}

type GPTHeader

// GPTHeader is a 512-byte layout (the field sizes total 512). The field order
// appears to follow the UEFI GPT header; the per-field notes below are
// inferred from the names. TODO confirm.
// NOTE(review): all values come from the disk image. HeaderSize,
// PartitionStartLBA, PartitionNumber and PartitionSize should be validated
// before they drive reads or allocations, and HeaderCRC / PartitionCRC should
// be checked before the table is trusted. The parsing code is not shown here.
type GPTHeader struct {
	Signature         [8]byte   // header signature
	Version           uint32    // header version
	HeaderSize        uint32    // header size in bytes
	HeaderCRC         uint32    // checksum of the header
	Reserved          uint32    // reserved
	CurrentLBA        uint64    // LBA of this header
	BackupLBA         uint64    // LBA of the backup header
	FirstLBA          uint64    // presumably the first usable LBA
	LastLBA           uint64    // presumably the last usable LBA
	GUID              [16]byte  // presumably the disk GUID
	PartitionStartLBA uint64    // presumably the LBA where the partition entries start
	PartitionNumber   uint32    // presumably the number of partition entries
	PartitionSize     uint32    // presumably the size of one partition entry
	PartitionCRC      uint32    // presumably the checksum of the partition entry array
	Save              [420]byte // remaining bytes up to 512
}

type GPTPartitionTable

// GPTPartitionTable is one 128-byte GPT partition entry (the field sizes
// total 128). Despite the name it describes a single entry; GPT holds an
// array of 128 of them.
// NOTE(review): StartLBA and EndLBA come from the disk image; check that
// StartLBA <= EndLBA and that both lie inside the media before computing a
// length or seeking. PartitionName is 72 raw bytes (presumably UTF-16LE, as in
// the UEFI layout; confirm) and should be decoded defensively before display.
type GPTPartitionTable struct {
	PartitionTypeGUID [16]byte
	PartitionGUID     [16]byte
	StartLBA          uint64
	EndLBA            uint64
	AttributeFlag     [8]byte
	PartitionName     [72]byte
}

type HashSection

// HashSection declares no fields; it is a placeholder type for the hash
// section (3.18 per the package documentation).
type HashSection struct{}

3.18 Hash

type Header2Section

// Header2Section is a 76-byte layout for the header2 section (3.3 per the
// package documentation): a 2-byte byte-order mark and a 74-byte payload that
// the author marks as zlib.
// NOTE(review): if the payload is inflated with zlib, the decompressed size
// should be capped, because the image is untrusted input and a small
// compressed stream can expand to a very large output. Confirm in ParseHeader.
type Header2Section struct {
	ByteOrderMark [2]byte  // 0xfffe UTF-16 little-endian | 0xfeff big-endian
	Header2       [74]byte // zlib
}

3.3 header2 76 bytes

type HeaderSection

// HeaderSection is a 76-byte layout for the header section (3.4 per the
// package documentation): a 2-byte byte-order mark and a 74-byte payload that
// the author marks as zlib.
// NOTE(review): if the payload is inflated with zlib, the decompressed size
// should be capped, because the image is untrusted input and a small
// compressed stream can expand to a very large output. Confirm in ParseHeader.
type HeaderSection struct {
	ByteOrderMark [2]byte  // 0xfffe UTF-16 little-endian | 0xfeff big-endian
	Header        [74]byte // zlib
}

3.4 header 76 bytes

type HeaderSectionString

// HeaderSectionString holds the text values of a header section (3.3 per the
// package documentation) as plain strings. Field names encode the header line
// and the value identifier, e.g. L3_c is identifier "c" on line 3.
// NOTE(review): every value is text taken from the image file and is
// examiner- or tool-supplied, so it should be escaped before it is written to
// a terminal, log or report. L3_p is a password hash and should not be printed
// or logged. L8_ah and L8_sh are MD5 and SHA1 values (presumably the
// acquisition hashes of the evidence); both algorithms are collision-weak, so
// an integrity check should not rest on MD5 alone.
type HeaderSectionString struct {

	// line 3 for encase 4
	L3_a  string // Unique description
	L3_c  string // Case number
	L3_n  string // Evidence number
	L3_e  string // Examiner name
	L3_t  string // Notes
	L3_av string // Version
	L3_ov string // Platform
	L3_m  string // Acquisition date and time
	L3_u  string // System date and time
	L3_p  string // Password hash (sensitive: do not print or log)
	// line 3 for encase 5 to 7
	L3_md  string // The model of the media, i.e. hard disk model
	L3_sn  string // The serial number of media
	L3_l   string // The device label
	L3_pid string // Process identifier
	L3_dc  string // Unknown
	L3_ext string // Extents
	// line 4
	// line 5
	// empty
	// line 6 for encase 5 to 7
	// srce
	// line 7 for encase 5 to 7
	// Line 7 consists of 2 values, namely the values are "0 1".
	// line 8 for encase 5 to 7
	L8_p   string // p
	L8_n   string // n
	L8_id  string // Identifier
	L8_ev  string // Evidence number
	L8_tb  string // Total bytes
	L8_lo  string // Logical offset
	L8_po  string // Physical offset
	L8_ah  string // MD5 hash
	L8_sh  string // SHA1 hash
	L8_gu  string // Device GUID
	L8_pgu string // Primary device GUID
	L8_aq  string // Acquisition date and time
	// line 9 for encase 5 to 7
	// line 10 for encase 5 to 7
	// line 11 for encase 5 to 7
	// empty
	// line 12 for encase 5 to 7
	// sub
	// line 13 for encase 5 to 7
	// line 14 for encase 5 to 7
	L14_p  string // p
	L14_n  string // n (the original comment read "p", apparently a copy-paste slip)
	L14_id string // Identifier
	L14_nu string // Unknown (Number)
	L14_co string // Unknown (Comment)
	L14_gu string // Unknown (GUID)

	// header
	// line 1
	// 1
	// line 2
	// main
	// line 3
	L3_r string // Compression level

}

3.3

type LtreeSection

// LtreeSection declares no fields; it is a placeholder type for the ltree
// section (3.13 per the package documentation).
type LtreeSection struct{}

3.13 Ltree

type LtypeSection

// LtypeSection declares no fields; it is a placeholder type for the ltype
// section (3.12 per the package documentation).
type LtypeSection struct{}

3.12 Ltype

type MBR

// MBR is a 512-byte master boot record layout (the field sizes total 512):
// boot code, disk signature, a reserved word, four partition entries and the
// end marker.
// NOTE(review): on disk the end marker is the byte pair 0x55 0xAA; decoded as
// a little-endian uint16 that reads as 0xAA55, so confirm which value the
// parser compares BootSignature against. BootCode is untrusted content from
// the image and must only ever be treated as data.
type MBR struct {
	BootCode       [440]byte         // boot code (GRUB / Windows Boot Manager)
	DiskSignature  uint32            // disk signature (used by Windows NTFS and others)
	Reserved       uint16            // reserved field (usually 0x0000)
	PartitionTable [4]PartitionEntry // 4 partition table entries (16 bytes each)
	BootSignature  uint16            // end marker (0x55AA)
}

type MapSection

// MapSection declares no fields; it is a placeholder type for the map
// section (3.14 per the package documentation).
type MapSection struct{}

3.14 Map

type NextSection

// NextSection declares no fields; it is a placeholder type for the next
// section (3.11 per the package documentation).
type NextSection struct {
}

3.11 Next

type PartitionEntry

// PartitionEntry is one 16-byte MBR partition table entry (the field sizes
// total 16).
// NOTE(review): StartLBA and PartitionSize come from the disk image; their
// sum can exceed the uint32 range and the media size, so widen to 64 bits and
// bounds-check before using them to compute an end offset.
type PartitionEntry struct {
	BootFlag      uint8   // 0x80 = bootable, 0x00 = not bootable
	StartCHS      [3]byte // CHS start address (legacy BIOS)
	PartitionType uint8   // partition type identifier (0x07 = NTFS, 0x83 = Linux, ...)
	EndCHS        [3]byte // CHS end address
	StartLBA      uint32  // partition start sector (LBA logical addressing)
	PartitionSize uint32  // partition size in sectors
}

type Section

// Section is the 76-byte section descriptor (section 3 per the package
// documentation); its field sizes total 76, matching SectionLength.
// NOTE(review): NextOffset and SectionSize are uint64 values read from the
// image, while addresses elsewhere in this package are int64. A section
// walker should reject offsets that do not fit in int64, that lie beyond the
// file size, or that do not advance past the current section, otherwise a
// crafted image can make it loop or read out of range. CheckSum should be
// verified before NextOffset is followed. Confirm in ReadSections.
type Section struct {
	SectionTypeDefinition [16]byte // A string containing the section type definition. E.g. "header", "volume", etc.
	NextOffset            uint64   // Next section offset The offset is relative from the start of the segment file
	SectionSize           uint64   // Section size
	Padding               [40]byte // padding
	CheckSum              uint32   // checksum
}

3 Section 76 bytes

type SectionWithAddress

// SectionWithAddress embeds a Section descriptor and adds an Address.
// Presumably Address is the file offset the descriptor was read from; confirm
// against ReadSection.
type SectionWithAddress struct {
	Section
	Address int64
}

type SectorAndTableWithAddress

// SectorAndTableWithAddress pairs a sector address with a list of table
// entry offsets.
// NOTE(review): the offsets are uint32 values taken from the image; each one
// should be checked against the section bounds before it is used to read.
type SectorAndTableWithAddress struct {
	Address    int64    // sector address
	TableEntry []uint32 // offsets
}

type SectorsSection

// SectorsSection declares no fields; it is a placeholder type for the sectors
// section (3.8 per the package documentation).
type SectorsSection struct {
}

3.8 Sector

type SessionSection

// SessionSection declares no fields; it is a placeholder type for the session
// section (3.15 per the package documentation).
type SessionSection struct{}

3.15 Session

type Table2Section

// Table2Section is the 24-byte header of the table2 section (3.10 per the
// package documentation); its layout is identical to TableSection.
// NOTE(review): EntryNumber is read from the image. It should be checked
// against the remaining section size before a slice of that many entries is
// allocated or read. Confirm in ParseTable2.
type Table2Section struct {
	EntryNumber uint32   // number of table entries
	Padding     [16]byte // padding - no meaning
	CheckSum    uint32   // checksum
}

3.10 Table2

type TableSection

// TableSection is the 24-byte header of the table section (3.9 per the
// package documentation); its field sizes total 24, matching
// TableSectionLength.
// NOTE(review): EntryNumber is read from the image. It should be checked
// against the remaining section size before a slice of that many entries is
// allocated or read. Confirm in ParseTable.
type TableSection struct {
	EntryNumber uint32   // number of table entries
	Padding     [16]byte // padding - no meaning
	CheckSum    uint32   // checksum
}

3.9 Table
