Aorimn / dislocker

FUSE driver to read/write Windows' BitLocker-ed volumes under Linux / Mac OSX
GNU General Public License v2.0
1.59k stars 196 forks

Error in `dislocker': munmap_chunk() #176

Open lcfut opened 5 years ago

lcfut commented 5 years ago

System is RHEL 7.6 Workstation Security Profile Applied - USGCB/STIG FIPS Enabled

Used a Ditto DX Forensic Fieldstation to create a physical collection out to an E01 file of the source drive. The source drive was encrypted with BitLocker (Win10 RS3). I have tried the same operation on the E01 file itself, as well as on the file after using 'ewfmount', with the same result.

[root@computer S_20190605151253]# mmls ditto-file.E01
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000718847   0000716800   Basic data partition
005:  001       0000718848   0001742847   0001024000   EFI system partition
006:  002       0001742848   0002004991   0000262144   Microsoft reserved partition
007:  003       0002004992   1000214527   0998209536   Basic data partition
008:  -------   1000214528   1000215215   0000000688   Unallocated

StartSector*512 to obtain the offset value (2004992 * 512 = 1026555904)

[root@computer S_20190605151253]# dislocker -O 1026555904 -V ditto-file.E01 /mnt/windows_mount/
Thu Jun  6 10:58:01 2019 [CRITICAL] Cannot parse volume header. Abort.
Error in `dislocker': munmap_chunk(): invalid pointer: 0x00005566d896eba0
======= Backtrace: =========
/lib64/libc.so.6(+0x7f5d4)[0x7f5a5831c5d4]
/lib64/libdislocker.so.0.7(dis_free+0x25)[0x7f5a591824c2]
/lib64/libdislocker.so.0.7(dis_metadata_destroy+0x16)[0x7f5a59185206]
/lib64/libdislocker.so.0.7(dis_destroy+0x35)[0x7f5a59180602]
dislocker(main+0xd6)[0x5566d7c5dff6]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f5a582bf3d5]
dislocker(+0xe29)[0x5566d7c5de29]
======= Memory map: ========

The memory map is rather long and has been omitted on purpose.

lcfut commented 5 years ago

Been a few months now - any chance of this getting addressed?

Aorimn commented 5 years ago

dislocker tells you it cannot understand the first sector you're giving it. Can you provide the output of the following command: hexdump -C -s 1026555904 -n 512 ditto-file.E01?

Note that I don't know anything about the tools you're using, in particular, do they take a byte-to-byte copy of the physical drive? Or do they store it in some other format?

The munmap_chunk() error is ugly but unrelated to the issue you have of not being able to read the partition.
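Added diagnostic, not part of dislocker and not something either participant posted: a small Python script that performs the check Aorimn asks for above. It reads the 512 bytes at StartSector*512 and reports whether they look like a BitLocker volume header (OEM name `-FVE-FS-` at byte 3), a plain NTFS boot sector, the start of an EWF container (`EVF\x09\x0d\x0a\xff\x00` magic), or unrecognised data, and prints the first 16 bytes in `hexdump -C` style so they can be pasted into an issue. The sample images at the bottom are constructed in memory and are not real forensic data; the byte signatures are the published on-disk ones. One caveat worth keeping in mind: E01 is a compressed container, so `mmls` (which understands EWF) can read the partition table from the .E01 file, but a byte offset into the .E01 file is not a byte offset into the acquired drive; the `-O` value only makes sense against the raw device that `ewfmount` exposes.

```python
#!/usr/bin/env python3
"""Sanity-check the sector handed to `dislocker -O <offset>` (added diagnostic, not dislocker code)."""
import sys

SECTOR_SIZE = 512
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"   # first 8 bytes of every .E01 segment file
BITLOCKER_OEM = b"-FVE-FS-"             # OEM name at offset 3 of a BitLocker-encrypted volume
NTFS_OEM = b"NTFS    "                  # OEM name at offset 3 of a plain NTFS volume


def classify_sector(sector: bytes) -> str:
    """Return a short verdict on one 512-byte sector."""
    if len(sector) < SECTOR_SIZE:
        return "short read (offset past end of file?)"
    if sector[:len(EWF_MAGIC)] == EWF_MAGIC:
        return "EWF container header: this is the .E01 file itself, not the decoded disk"
    oem = sector[3:11]
    if oem == BITLOCKER_OEM:
        return "BitLocker volume header"
    if oem == NTFS_OEM:
        return "NTFS boot sector (volume is not BitLocker-encrypted)"
    if not any(sector):
        return "all zeros"
    if sector[510:512] == b"\x55\xaa":
        return "boot sector with unrecognised OEM name %r" % oem
    return "unrecognised data (wrong offset, or a compressed/encoded container)"


def sector_at(image: bytes, start_sector: int) -> bytes:
    """Sector `start_sector` of an in-memory raw image (offset = StartSector*512, as with mmls)."""
    offset = start_sector * SECTOR_SIZE
    return image[offset:offset + SECTOR_SIZE]


def hexdump_line(data: bytes) -> str:
    """First 16 bytes in `hexdump -C` style, handy for pasting into an issue."""
    chunk = data[:16]
    hexpart = " ".join("%02x" % b for b in chunk)
    asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return "%-47s  |%s|" % (hexpart, asc)


# --- constructed sample images (not real forensic data) ---------------------

def _boot_sector(oem: bytes) -> bytes:
    """Minimal 512-byte boot sector: x86 jump, OEM name, zero padding, 0x55AA signature."""
    body = b"\xeb\x58\x90" + oem
    return body + b"\x00" * (SECTOR_SIZE - 2 - len(body)) + b"\x55\xaa"


def build_raw_sample() -> bytes:
    """Raw (byte-for-byte) image: 4 empty sectors, then a BitLocker volume starting at sector 4."""
    return b"\x00" * (4 * SECTOR_SIZE) + _boot_sector(BITLOCKER_OEM) + b"\x00" * (4 * SECTOR_SIZE)


def build_ewf_sample() -> bytes:
    """Looks like the front of an .E01 segment: EWF magic, then opaque container bytes."""
    return EWF_MAGIC + b"\x01" + b"\x00" * 7 + b"\xa5" * (8 * SECTOR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: check_sector.py <image> <start sector from mmls>
        with open(sys.argv[1], "rb") as f:
            f.seek(int(sys.argv[2]) * SECTOR_SIZE)
            data = f.read(SECTOR_SIZE)
        print(hexdump_line(data))
        print(classify_sector(data))
    else:
        # no file given: run against the constructed samples
        for name, img in (("raw", build_raw_sample()), ("ewf", build_ewf_sample())):
            for s in (0, 4):
                data = sector_at(img, s)
                print("%s sector %d: %s  %s" % (name, s, hexdump_line(data), classify_sector(data)))
```

Run it against the raw device under the `ewfmount` mount point with the start sector from `mmls` (2004992 here); if the verdict is anything other than "BitLocker volume header", dislocker's "Cannot parse volume header" is expected and the offset or the image format is the thing to fix, not dislocker.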