Difference between pages "Libewf" and "UniCDMA"

From Forensics Wiki
Line 1: Line 1:
{{Infobox_Software |
+
{{Wikify}}
  name = libewf |
+
  maintainer = [[Joachim Metz]], [[David Loveall]] |
+
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
+
  genre = {{Disk imaging}} |
+
  license = {{LGPL}} |
+
  website = [http://code.google.com/p/libewf/ code.google.com/p/libewf/] |
+
}}
+
  
'''Libewf''' is a library to access the [[Encase image file format|Expert Witness Compression Format (EWF)]].
+
==Features==
 +
===Modes===
 +
*Hyndai HWT /HWP-110/120/220
 +
*Hyndai HGC-310e, HGC-600e
 +
*LG
 +
*Qualcomm
 +
*Samsung SPH-A460
 +
*Samsung (general)
 +
*Samsung SCH-X127/X250/X350/…
 +
*Sky IM-1200/1400/2000/etc.
 +
*Withus
  
== Features ==  
+
===Read===
Read or write supported EWF formats:
+
*Hardware date
* [[SMART]] .s01 (EWF-S01)
+
*Software date
* [[EnCase]] .E01 (EWF-E01) and .Ex01 (EWF2-Ex01)
+
*Software version
 +
*CAI rev
 +
*SCM
 +
*ESN
 +
*Analog MIN
 +
*Digital MIN
 +
*Security Code
 +
*Lock Code
 +
*EEPROM
 +
**Size
 +
***custom or 16384, 32768, 65536
 +
**Memory
 +
***Starting Address
 +
***Length (bytes)
 +
****custom or 524288, 786432, 1310720, 1703936
  
Read-only supported EWF formats:
+
===Write===
* Logical Evidence File (LEF) .L01 (EWF-L01) and .Lx01 (EWF2-Lx01)
+
*ESN
 +
*SCM
 +
*A-KEY
 +
 +
===Scan===
 +
*Memory
 +
**Range
 +
**Step (bytes)
 +
***custom or 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072, 262144, 524288, 1048576
  
Other features:
+
===Settings===
* empty-block compression
+
*COM Port
* read/write access using delta (or shadow) files
+
**1 to 4
* write resume
+
*Baud rate
 +
**19200, 38400, 57600, 115200
  
== Tools ==
 
The '''libewf''' package contains the following tools:
 
* '''ewfacquire''', which writes storage media data from devices and files to EWF files.
 
* '''ewfacquirestream''', which writes data from stdin to EWF files.
 
* '''ewfdebug'''; experimental tool does nothing at the moment.
 
* '''ewfexport''', which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
 
* '''ewfinfo''', which shows the metadata in EWF files.
 
* '''ewfmount''', which FUSE mounts EWF files.
 
* '''ewfverify''', which verifies the storage media data in EWF files.
 
  
The '''libewf''' package also contains the following bindings:
+
==Forensics==
* '''ewf.net''', bindings for .Net
+
UniCDMA can be used in cell phone forensics to access or modify the following:
* '''pyewf''', bindings for Python contributed by [[David Collett]] in 2008
+
*ESN
 +
*Security Code
 +
*Lock Code
 +
*Firmware
 +
*File System
  
=== Contributions ===
+
==Troubleshooting==
Tools that have been contributed to the project are provided as separate tools on the sourceforge libewf project site. These are:
+
===LG===
* '''mount_ewf.py''', which allows the storage media data in a EWF files to be mounted, contributed by [[David Loveall]] in 2007.
+
If UniCDMA cannot be used to place an LG cell phone in DM Mode, the following procedures may be followed:
* '''libewf-java''', Java (JNA) bindings were contributed by [[Bradley Schatz]] in 2009.
+
*Close UniCDMA
* '''delphi imdisk proxy''', Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by [[Brendan Berney]] in 2010.
+
*Connect LG cell phone to computer using USB data cable
* '''jlibewf''', native Java EWF reader contributed by [[Bruce Allen]] in 2010.
+
*Open Hyperterminal
* '''libewfcs''', native C# EWF reader contributed by [[Bruce Allen]] in 2011.
+
*Connect to LG cellphone on correct COM port at 115200 bits per second
 
+
*Place LG cellphone into DM mode by typing "AT$QCDMG"
A menu based interface for ewfacquirestream called pyEWF, contributed by [[Dennis Schreiber]], was originally also available on the uitwisselplatform project site. However this is currently no longer maintained and was not moved to the sourceforge project size. The uitwisselplatform no longer exists. The name pyewf was reused for the libewf Python bindings created by [[David Collett]] which is now included in the libewf package.
+
*Close Hyperterminal
 
+
=== Examples ===
+
 
+
Imaging a device on a Unix-based system:
+
<pre>
+
ewfacquire /dev/sda
+
</pre>
+
 
+
Imaging a device on a Windows system:
+
<pre>
+
ewfacquire \\.\PhysicalDrive0
+
</pre>
+
 
+
Converting a split RAW into an EWF image
+
<pre>
+
ewfacquire split.raw.???
+
</pre>
+
 
+
or
+
 
+
<pre>
+
cat split.raw.??? | ewfacquirestream
+
</pre>
+
 
+
Converting an optical disc (split) RAW into an EWF image (libewf 20110109 or later)
+
<pre>
+
ewfacquire -T optical.cue optical.iso
+
</pre>
+
 
+
Converting an EWF into another EWF format or a (split) RAW image
+
<pre>
+
ewfexport image.E01
+
</pre>
+
 
+
Exporting files from a logical image (L01)
+
<pre>
+
ewfexport image.L01
+
</pre>
+
 
+
FUSE mounting an EWF image (libewf 20110828 or later)
+
<pre>
+
ewfmount image.E01 mount_point
+
</pre>
+
 
+
FUSE mounting a logical image (L01) (libewf 20111016 or later)
+
<pre>
+
ewfmount -f files image.L01 mount_point
+
</pre>
+
 
+
== History ==
+
 
+
Libewf was created by [[Joachim Metz]] in 2006, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].
+
 
+
Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]] part of [[PyFlag]] and the [[:File:ASR Data's Expert Witness Compression Format.pdf|Expert Witness Compression Format]] Specification by [[Andrew Rosen]]. It has been updated to read and write EnCase version 1 to 7 .E01 files, EnCase 5 to 7 .L01 files, EnCase 7 .Ex01 and .Lx01 files and SMART .s01 files. Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by the EnCase .E01 format.
+
 
+
In 2007 [[David Loveall]] contributed mount_ewf.py to the libewf project. This application allows a [[fuse]] based mount of the storage media data in the EWF files to be mounted. Due to repeated issues with Python and the fuse Python-bindings on [[Mac OS X]] part of the functionality of these scripts has been rewritten into '''ewfmount'''.
+
 
+
As of version 20120715 support for EWF version 2 (.Ex01 and .Lx01) was added.
+
 
+
== External Links ==
+
 
+
* [http://code.google.com/p/libewf/ Project site]
+
* [http://libewf.sourceforge.net Old project site]
+

Revision as of 10:39, 14 April 2009


Features

Modes

  • Hyundai HWT /HWP-110/120/220
  • Hyundai HGC-310e, HGC-600e
  • LG
  • Qualcomm
  • Samsung SPH-A460
  • Samsung (general)
  • Samsung SCH-X127/X250/X350/…
  • Sky IM-1200/1400/2000/etc.
  • Withus

Read

  • Hardware date
  • Software date
  • Software version
  • CAI rev
  • SCM
  • ESN
  • Analog MIN
  • Digital MIN
  • Security Code
  • Lock Code
  • EEPROM
    • Size
      • custom or 16384, 32768, 65536
    • Memory
      • Starting Address
      • Length (bytes)
        • custom or 524288, 786432, 1310720, 1703936

Write

  • ESN
  • SCM
  • A-KEY

Scan

  • Memory
    • Range
    • Step (bytes)
      • custom or 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072, 262144, 524288, 1048576

Settings

  • COM Port
    • 1 to 4
  • Baud rate
    • 19200, 38400, 57600, 115200


Forensics

UniCDMA can be used in cell phone forensics to access or modify the following:

  • ESN
  • Security Code
  • Lock Code
  • Firmware
  • File System

Troubleshooting

LG

If UniCDMA cannot be used to place an LG cell phone in DM Mode, the following procedure may be followed:

  • Close UniCDMA
  • Connect LG cell phone to computer using USB data cable
  • Open Hyperterminal
  • Connect to LG cell phone on correct COM port at 115200 bits per second
  • Place LG cell phone into DM mode by typing "AT$QCDMG"
  • Close Hyperterminal