:py:mod:`dissect.evidence.ewf`
==============================

.. py:module:: dissect.evidence.ewf


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.evidence.ewf.EWF
   dissect.evidence.ewf.EWFStream
   dissect.evidence.ewf.Segment
   dissect.evidence.ewf.HeaderSection
   dissect.evidence.ewf.VolumeSection
   dissect.evidence.ewf.TableSection
   dissect.evidence.ewf.SectionDescriptor


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.evidence.ewf.find_files


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.evidence.ewf.log
   dissect.evidence.ewf.ewf_def
   dissect.evidence.ewf.c_ewf
   dissect.evidence.ewf.MAX_OPEN_SEGMENTS


.. py:data:: log

.. py:data:: ewf_def
   :value: Multiline-String

   .. code-block:: python

      """
      enum MediaType : uint8 {
          Removable = 0x00,
          Fixed = 0x01,
          Optical = 0x03,
          Logical = 0x0e,
          RAM = 0x10
      };

      enum MediaFlags : uint8 {
          Image = 0x01,
          Physical = 0x02,
          Fastbloc = 0x04,
          Tablaeu = 0x08
      };

      enum CompressionLevel : uint8 {
          None = 0x00,
          Good = 0x01,
          Best = 0x02
      };

      typedef struct {
          char signature[8];
          uint8 fields_start;
          uint16 segment_number;
          uint16 fields_end;
      } EWFHeader;

      typedef struct {
          char type[16];
          uint64 next;
          uint64 size;
          uint8 pad[40];
          uint32 checksum;
      } EWFSectionDescriptor;

      typedef struct {
          uint32 reserved_1;
          uint32 chunk_count;
          uint32 sector_count;
          uint32 sector_size;
          uint32 total_sector_count;
          uint8 reserved[20];
          uint8 pad[45];
          char signature[5];
          uint32 checksum;
      } EWFVolumeSectionSpec;

      typedef struct {
          MediaType media_type;
          uint8 reserved_1[3];
          uint32 chunk_count;
          uint32 sector_count;
          uint32 sector_size;
          uint64 total_sector_count;
          uint32 num_cylinders;
          uint32 num_heads;
          uint32 num_sectors;
          uint8 media_flags;
          uint8 unknown_1[3];
          uint32 palm_start_sector;
          uint32 unknown_2;
          uint32 smart_start_sector;
          CompressionLevel compression_level;
          uint8 unknown_3[3];
          uint32 error_granularity;
          uint32 unknown_4;
          uint8 uuid[16];
          uint8 pad[963];
          char signature[5];
          uint32 checksum;
      } EWFVolumeSection;

      typedef struct {
          uint32 num_entries;
          uint32 _;
          uint64 base_offset;
          uint32 _;
          uint32 checksum;
          uint32 entries[num_entries];
      } EWFTableSection;
      """

.. py:data:: c_ewf

.. py:data:: MAX_OPEN_SEGMENTS
   :value: 128

.. py:function:: find_files(path: Union[str, pathlib.Path]) -> list[pathlib.Path]

   Find all related EWF files from the given path.

.. py:class:: EWF(fh: Union[BinaryIO, list[BinaryIO]])

   Expert Witness Disk Image Format.

   .. py:method:: open_segment(idx: int) -> Segment

   .. py:method:: open() -> BinaryIO

.. py:class:: EWFStream(ewf: EWF)

   Bases: :py:obj:`dissect.util.stream.AlignedStream`

   Basic buffered stream that provides easy aligned reads.

   Must be subclassed for various stream implementations. Subclasses can implement:

   - _read(offset, length)
   - _seek(pos, whence=io.SEEK_SET)

   The offset and length for _read are guaranteed to be aligned. The only time
   that overriding _seek would make sense is if there's no known size of your stream,
   but still want to provide SEEK_END functionality.

   Most subclasses of AlignedStream take one or more file-like objects as source.
   Operations on these subclasses, like reading, will modify the source file-like object as a side effect.

   :param size: The size of the stream. This is used in read and seek operations. None if unknown.
   :param align: The alignment size. Read operations are aligned on this boundary. Also determines buffer size.

.. py:class:: Segment(ewf: EWF, fh: BinaryIO)

   .. py:method:: read_sectors(sector: int, count: int) -> bytes

.. py:class:: HeaderSection(segment: Segment, section: SectionDescriptor)

   .. py:method:: __repr__() -> str

      Return repr(self).

.. py:class:: VolumeSection(segment: Segment, section: SectionDescriptor)

.. py:class:: TableSection(segment: Segment, section: SectionDescriptor)

   .. py:method:: read_chunk(chunk: int) -> bytes

   .. py:method:: read_sectors(sector: int, count: int) -> bytes

.. py:class:: SectionDescriptor(fh: BinaryIO)

   .. py:method:: __repr__() -> str

      Return repr(self).
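
The ``EWFHeader`` and ``EWFSectionDescriptor`` layouts in ``ewf_def`` are enough to walk a segment file's section chain by hand. The following is an added example, not code from dissect.evidence: it uses only the standard library and validates each descriptor before following ``next``, so a corrupted or hostile image cannot send the walker into a loop or past the end of the data. Assumptions not stated on this page: little-endian fields, an Adler-32 checksum over the descriptor bytes that precede it, and a final section whose ``next`` points at itself; ``walk_sections``, ``make_descriptor`` and ``SAMPLE`` are hypothetical names.

```python
import struct
import zlib

# Layouts taken from ewf_def; little-endian byte order is an assumption.
HEADER = struct.Struct("<8sBHH")          # EWFHeader: 13 bytes
DESCRIPTOR = struct.Struct("<16sQQ40sI")  # EWFSectionDescriptor: 76 bytes


def walk_sections(data: bytes) -> list[tuple[str, int, int]]:
    """Return (type, offset, size) for each section; raise on a malformed chain."""
    if len(data) < HEADER.size:
        raise ValueError("truncated segment header")
    sections, seen, offset = [], set(), HEADER.size
    while True:
        if offset in seen:
            raise ValueError(f"section chain loops back to offset {offset}")
        seen.add(offset)
        raw = data[offset:offset + DESCRIPTOR.size]
        if len(raw) < DESCRIPTOR.size:
            raise ValueError(f"descriptor at offset {offset} is truncated")
        type_, next_, size, _pad, checksum = DESCRIPTOR.unpack(raw)
        # Assumption: the checksum is Adler-32 over the 72 bytes before it.
        if zlib.adler32(raw[:-4]) != checksum:
            raise ValueError(f"bad descriptor checksum at offset {offset}")
        name = type_.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, offset, size))
        if next_ == offset:  # assumption: the last section points at itself
            return sections
        offset = next_


def make_descriptor(type_: bytes, next_: int, size: int) -> bytes:
    """Build a descriptor with a valid checksum (helper for constructed samples)."""
    body = struct.pack("<16sQQ40s", type_, next_, size, b"")
    return body + struct.pack("<I", zlib.adler32(body))


# Constructed sample segment: header, a "header" section with 10 payload
# bytes, then a terminating "done" section. Not taken from a real image.
SAMPLE = (
    HEADER.pack(b"EVF\x09\x0d\x0a\xff\x00", 1, 1, 0)
    + make_descriptor(b"header", 99, 86) + b"\x00" * 10
    + make_descriptor(b"done", 99, 76)
)

if __name__ == "__main__":
    for name, offset, size in walk_sections(SAMPLE):
        print(f"{offset:>4}  {name:<8} size={size}")
```
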