`dissect.evidence.ewf.ewf`¶

Module Contents¶

Classes¶

`EWF`	Expert Witness Disk Image Format.
`EWFStream`	Basic buffered stream that provides aligned reads.
`Segment`
`HeaderSection`
`VolumeSection`
`TableSection`
`SectionDescriptor`

Functions¶

find_files

Find all related EWF files from the given path.

Attributes¶

`log`
`MAX_OPEN_SEGMENTS`

dissect.evidence.ewf.ewf.log¶

dissect.evidence.ewf.ewf.MAX_OPEN_SEGMENTS = 128¶

dissect.evidence.ewf.ewf.find_files(path: str | pathlib.Path) → list[pathlib.Path]¶: Find all related EWF files from the given path.

class dissect.evidence.ewf.ewf.EWF(fh: BinaryIO | list[BinaryIO] | pathlib.Path | list[pathlib.Path])¶

Expert Witness Disk Image Format.

fh¶

header: HeaderSection = None¶

volume: VolumeSection = None¶

chunk_size¶

size¶

segment(idx: int) → Segment¶

open() → BinaryIO¶

class dissect.evidence.ewf.ewf.EWFStream(ewf: EWF)¶

Bases: dissect.util.stream.AlignedStream

Basic buffered stream that provides aligned reads.

Must be subclassed for various stream implementations. Subclasses can implement:

_read()
_seek()

The offset and length for _read are guaranteed to be aligned for streams of a known size. If your stream has an unknown size (i.e. size == None), reads of length -1 (i.e. read until EOF) will be passed through to your implementation of _read. The only time that overriding _seek would make sense is if there’s no known size of your stream, but still want to provide SEEK_END functionality.

Most subclasses of AlignedStream take one or more file-like objects as source. Operations on these subclasses, like reading, will modify the source file-like object as a side effect.

Parameters:

size – The size of the stream. This is used in read and seek operations. None if unknown.
align – The alignment size. Read operations are aligned on this boundary. Also determines buffer size.

_read(offset: int, length: int) → bytes¶: Read method that backs this aligned stream.

_seek(pos: int, whence: int = 0) → int¶: Calculate and return the new stream position after a seek.

ewf¶

sector_size¶

class dissect.evidence.ewf.ewf.Segment(ewf: EWF, fh: BinaryIO)¶

ewf¶

fh¶

ewfheader¶

header¶

volume¶

sections: list[SectionDescriptor] = []¶

tables: list[TableSection] = []¶

table_offsets = []¶

chunk_count¶

sector_count¶

size¶

sector_offset = None¶

offset = None¶

read_sectors(sector: int, count: int) → bytes¶

class dissect.evidence.ewf.ewf.HeaderSection(segment: Segment, section: SectionDescriptor)¶

segment¶

section¶

data¶

__repr__() → str¶

class dissect.evidence.ewf.ewf.VolumeSection(segment: Segment, section: SectionDescriptor)¶

segment¶

section¶

volume¶

chunk_count¶

sector_count¶

sector_size¶

class dissect.evidence.ewf.ewf.TableSection(segment: Segment, section: SectionDescriptor)¶

segment¶

section¶

header¶

num_entries¶

base_offset¶

entries¶

sector_count¶

size¶

sector_offset = None¶

offset = None¶

read_chunk¶

read_sectors(sector: int, count: int) → bytes¶

class dissect.evidence.ewf.ewf.SectionDescriptor(fh: BinaryIO)¶

fh¶

offset¶

type¶

next¶

size¶

checksum¶

data_offset¶

__repr__() → str¶

dissect.evidence.ewf.ewf¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.evidence.ewf.ewf`¶