Open mischw opened 1 month ago
Hello @mischw, thank you for raising this issue! Just to make it clear for us; Is this regular behaviour for acquisition tools?
I recall that most of these tools create a test.e01.txt
file instead of a test.txt
file, since the .txt
extension can technically occur during large acquisition. Would you be able to tell what tool produced this output file?
In the meantime we will try and think of a possible solution.
This looks like a bug in the way we open EWF segments. In the initial iteration of the segments, it will be properly skipped: https://github.com/fox-it/dissect.evidence/blob/852ced41dea9fc0a506f881847606499214c3a37/dissect/evidence/ewf.py#L143-L147
But then a few lines later we always assume the last file-like object is a valid segment: https://github.com/fox-it/dissect.evidence/blob/852ced41dea9fc0a506f881847606499214c3a37/dissect/evidence/ewf.py#L168
The (in)valid segment indices should be recorded and also checked in open_segment
, or cleaned up from the list of file-like objects.
@Horofic Unfortunately X-Ways Forensics does write a test.txt
instead of a test.e01.txt
when acquiring an EWF image.
@Schamper Now that I took a closer look I think you are right. It does skip the txt file initially and then fails at the last call to open_segment
. Might make sense to remove them early in the process so one does not need to worry about bad segments further down the line.
There is an issue with loading EWF files when there are other similar named files in the same folder which are not part of the image. Example:
Here it fails to load the image because of the
test.txt
file, which is not actually part of the image. It does think so because the glob in this function for finding the EWF files may include many other file extensions. For example renaming thetest.txt
totest.png
results in the same error. When deleting the filetest.txt
it works fine again. Unfortunately a txt file is often accompanying the image to provide further metadata.To resolve this I think dissect should check if the files found are actually part of the image. The easiest approach might be to check if all files found start with the EWF magic bytes ("EVF") and discard the ones which do not. Since the Magic Bytes are already checked here this could be done by showing a warning instead of raising an exception.