EWF_TYPES
|
| Trees | Indices | Help |
|
|---|
|
|
This file provides read/write support for EWF files.
EWF files are generated by Encase/FTK and are a common compressible storage format for digital evidence.
The below code is based on libewf: https://github.com/libyal/libewf https://googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/
NOTE: Since EWFv1 files are unable to represent sparse data they are not directly suitable for storing memory images. Therefore in Rekall we generally use EWF files as containers for other formats, such as ELF core dumps.
NOTE: EWF files produced by the ewfacquire plugin are _NOT_ compatible with Encase/FTK and can not be analyzed by those programs. We merely use the EWF container as a container providing seekable compression for more traditional memory image formats such as ELF.
When using the ewfacquire plugin, if the source address space contains a single run of data, we generate a single EWF file of this run (e.g. for a disk image). If, however, the source address space contains more than one run, we automatically create an ELF core dump to contain the sparse runs, and that is compressed into the EWF file instead. This is not generally compatible with Encase or FTK since they do not understand layered address spaces! For Rekall this works because Rekall automatically detects that the EWF file contains an ELF core dump and stacks the relevant address spaces.
Author: Michael Cohen <scudette@google.com>
| Classes | |
| ewf_section_descriptor_v1 | |
| ewf_table_header_v1 | |
| ewf_volume | |
|
EWFProfile Basic profile for EWF files. |
|
|
EWFFile A helper for parsing an EWF file. |
|
|
EWFFileWriter A writer for EWF files. |
|
|
EWFAcquire Copy the physical address space to an EWF file. |
|
| TestEWFAcquire | |
| Variables | |
EWF_TYPES = |
|
__package__ = |
|
| Variables Details |
EWF_TYPES
|
| Trees | Indices | Help |
|
|---|
| Generated by Epydoc 3.0.1 on Mon Oct 9 03:27:47 2017 | http://epydoc.sourceforge.net |
