Coverage Report

Created: 2026-04-04 07:47

/src/libevt/libevt/libevt_file_header.c
/*
 * File header functions
 *
 * Copyright (C) 2011-2025, Joachim Metz <joachim.metz@gmail.com>
 *
 * Refer to AUTHORS for acknowledgements.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
#include <common.h>
#include <byte_stream.h>
#include <memory.h>
#include <types.h>
#include "libevt_file_header.h"
#include "libevt_libbfio.h"
#include "libevt_libcerror.h"
#include "libevt_libcnotify.h"
#include "evt_file_header.h"
/* Allocates a zero-filled file header and stores it in *file_header
 *
 * The caller must pass the address of a pointer that currently holds NULL.
 * A non-NULL *file_header is rejected instead of being overwritten, so an
 * existing allocation is never silently replaced.
 * If the allocation or the clearing step fails, *file_header is reset to NULL.
 *
 * Coverage in this report: 3.89k calls, all on the success path; none of
 * the error branches were exercised.
 *
 * Returns 1 if successful or -1 on error
 */
int libevt_file_header_initialize(
     libevt_file_header_t **file_header,
     libcerror_error_t **error )
{
	static char *function = "libevt_file_header_initialize";

	if( file_header == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file header.", function );

		return( -1 );
	}
	if( *file_header != NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
		 "%s: invalid file header value already set.", function );

		return( -1 );
	}
	*file_header = memory_allocate_structure( libevt_file_header_t );

	if( *file_header == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
		 "%s: unable to create file header.", function );

		/* Nothing was allocated, so there is nothing to release */
		return( -1 );
	}
	/* Zero every field so a header that is never filled by a read
	 * does not expose stale heap contents to later consumers
	 */
	if( memory_set( *file_header, 0, sizeof( libevt_file_header_t ) ) == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_SET_FAILED,
		 "%s: unable to clear file header.", function );

		/* Release the allocation and clear the caller's pointer so it
		 * does not keep referring to freed memory
		 */
		memory_free( *file_header );

		*file_header = NULL;

		return( -1 );
	}
	return( 1 );
}
/* Releases a file header and resets *file_header to NULL
 *
 * Calling this with *file_header already NULL is a successful no-op,
 * which makes a repeated free through the same pointer harmless.
 *
 * Coverage in this report: 3.89k calls, all with a non-NULL *file_header;
 * the NULL-argument branch was not exercised.
 *
 * Returns 1 if successful or -1 on error
 */
int libevt_file_header_free(
     libevt_file_header_t **file_header,
     libcerror_error_t **error )
{
	static char *function = "libevt_file_header_free";

	if( file_header == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file header.", function );

		return( -1 );
	}
	if( *file_header == NULL )
	{
		/* Already released or never allocated */
		return( 1 );
	}
	memory_free( *file_header );

	/* Clear the caller's pointer so it no longer refers to released memory */
	*file_header = NULL;

	return( 1 );
}
/* Parses the on-disk file header from a byte buffer into file_header
 *
 * data holds bytes taken from the file being parsed (see
 * libevt_file_header_read_file_io_handle) and is treated as untrusted input.
 * Before any field is read the function checks that:
 *  - file_header and data are non-NULL
 *  - data_size covers at least sizeof( evt_file_header_t ) and does not
 *    exceed SSIZE_MAX
 *  - the first 4 bytes equal the signature "LfLe"
 *
 * Only the first sizeof( evt_file_header_t ) bytes of data are accessed.
 *
 * NOTE(review): size, copy_of_size, the format versions, file_flags and both
 * record offsets are stored exactly as found in the file. This function does
 * not compare size with copy_of_size and does not range-check the offsets;
 * confirm that callers validate them before using them to seek or size reads.
 *
 * Coverage in this report: 3.87k calls, 26 rejected at the signature check,
 * 3.84k parsed successfully; the argument and size checks never failed and
 * the HAVE_DEBUG_OUTPUT sections carry no counts (presumably not compiled in).
 *
 * Returns 1 if successful or -1 on error
 */
int libevt_file_header_read_data(
     libevt_file_header_t *file_header,
     const uint8_t *data,
     size_t data_size,
     libcerror_error_t **error )
{
	/* View of the buffer as the on-disk layout; not dereferenced until the
	 * NULL and size checks below have passed
	 */
	const evt_file_header_t *header = (const evt_file_header_t *) data;
	static char *function           = "libevt_file_header_read_data";

#if defined( HAVE_DEBUG_OUTPUT )
	uint32_t value_32bit            = 0;
#endif

	if( file_header == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid file header.", function );

		return( -1 );
	}
	if( data == NULL )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
		 "%s: invalid data.", function );

		return( -1 );
	}
	/* The lower bound guarantees every field access below stays inside data */
	if( ( data_size > (size_t) SSIZE_MAX )
	 || ( data_size < sizeof( evt_file_header_t ) ) )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: invalid data size value out of bounds.", function );

		return( -1 );
	}
#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf( "%s: file header data:\n", function );
		libcnotify_print_data( data, sizeof( evt_file_header_t ), 0 );
	}
#endif
	if( memory_compare( header->signature, "LfLe", 4 ) != 0 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
		 "%s: invalid signature.", function );

		return( -1 );
	}
	/* All stored fields are decoded as 32-bit little-endian values */
	byte_stream_copy_to_uint32_little_endian( header->size, file_header->size );

	byte_stream_copy_to_uint32_little_endian( header->major_format_version, file_header->major_format_version );

	byte_stream_copy_to_uint32_little_endian( header->minor_format_version, file_header->minor_format_version );

	byte_stream_copy_to_uint32_little_endian( header->first_record_offset, file_header->first_record_offset );

	byte_stream_copy_to_uint32_little_endian( header->end_of_file_record_offset, file_header->end_of_file_record_offset );

	byte_stream_copy_to_uint32_little_endian( header->file_flags, file_header->file_flags );

	byte_stream_copy_to_uint32_little_endian( header->copy_of_size, file_header->copy_of_size );

#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf( "%s: (header) size\t\t\t\t: %" PRIu32 "\n", function, file_header->size );

		libcnotify_printf(
		 "%s: signature\t\t\t\t\t: %c%c%c%c\n",
		 function,
		 header->signature[ 0 ], header->signature[ 1 ], header->signature[ 2 ], header->signature[ 3 ] );

		libcnotify_printf( "%s: major format version\t\t\t: %" PRIu32 "\n", function, file_header->major_format_version );

		libcnotify_printf( "%s: minor format version\t\t\t: %" PRIu32 "\n", function, file_header->minor_format_version );

		libcnotify_printf( "%s: first (oldest) record offset\t\t: 0x%08" PRIx32 "\n", function, file_header->first_record_offset );

		libcnotify_printf( "%s: end of file record offset\t\t\t: 0x%08" PRIx32 "\n", function, file_header->end_of_file_record_offset );

		/* The remaining fields are only decoded for display and are not stored */
		byte_stream_copy_to_uint32_little_endian( header->last_record_number, value_32bit );
		libcnotify_printf( "%s: last (newest) record number\t\t: %" PRIu32 "\n", function, value_32bit );

		byte_stream_copy_to_uint32_little_endian( header->first_record_number, value_32bit );
		libcnotify_printf( "%s: first (oldest) record number\t\t: %" PRIu32 "\n", function, value_32bit );

		byte_stream_copy_to_uint32_little_endian( header->maximum_file_size, value_32bit );
		libcnotify_printf( "%s: maximum file size\t\t\t\t: %" PRIu32 "\n", function, value_32bit );

		libcnotify_printf( "%s: file flags\t\t\t\t: 0x%08" PRIx32 "\n", function, file_header->file_flags );

		byte_stream_copy_to_uint32_little_endian( header->retention, value_32bit );
		libcnotify_printf( "%s: retention\t\t\t\t\t: 0x%08" PRIx32 "\n", function, value_32bit );

		libcnotify_printf( "%s: copy of (header) size\t\t\t: %" PRIu32 "\n", function, file_header->copy_of_size );

		libcnotify_printf( "\n" );
	}
#endif /* defined( HAVE_DEBUG_OUTPUT ) */

	return( 1 );
}
/* Reads the file header from a Basic File IO (bfio) handle
 *
 * Reads exactly sizeof( evt_file_header_t ) bytes at file_offset into a
 * stack buffer and passes them to libevt_file_header_read_data.
 * Any read result other than the full header size, including a short read,
 * is treated as a failure, so the parser never sees a partially filled buffer.
 *
 * file_header is validated by libevt_file_header_read_data; file_io_handle
 * and file_offset are passed to libbfio without checks in this function
 * (presumably libbfio validates them; confirm).
 *
 * Coverage in this report: 3.89k calls, 22 failed at the read, 26 failed
 * while parsing, 3.84k succeeded.
 *
 * Returns 1 if successful or -1 on error
 */
int libevt_file_header_read_file_io_handle(
     libevt_file_header_t *file_header,
     libbfio_handle_t *file_io_handle,
     off64_t file_offset,
     libcerror_error_t **error )
{
	uint8_t header_data[ sizeof( evt_file_header_t ) ];

	static char *function = "libevt_file_header_read_file_io_handle";
	ssize_t bytes_read    = 0;

#if defined( HAVE_DEBUG_OUTPUT )
	if( libcnotify_verbose != 0 )
	{
		libcnotify_printf(
		 "%s: reading file header at offset: %" PRIi64 " (0x%08" PRIx64 ")\n",
		 function, file_offset, file_offset );
	}
#endif
	/* The request size is the size of the buffer itself, so the read
	 * cannot write past header_data
	 */
	bytes_read = libbfio_handle_read_buffer_at_offset(
	              file_io_handle, header_data, sizeof( header_data ), file_offset, error );

	if( bytes_read != (ssize_t) sizeof( evt_file_header_t ) )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read file header at offset: %" PRIi64 " (0x%08" PRIx64 ").",
		 function, file_offset, file_offset );

		return( -1 );
	}
	if( libevt_file_header_read_data( file_header, header_data, sizeof( evt_file_header_t ), error ) != 1 )
	{
		libcerror_error_set(
		 error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED,
		 "%s: unable to read file header at offset: %" PRIi64 " (0x%08" PRIx64 ").",
		 function, file_offset, file_offset );

		return( -1 );
	}
	return( 1 );
}