harelsegev / INDXRipper

Carve file metadata from NTFS index ($I30) attributes
MIT License

construct.core.StreamError: Error in path (parsing) #10

Closed ezaspy closed 2 years ago

ezaspy commented 2 years ago

I have followed the updated instructions for setting up a venv and have run into the following error:

$ sudo venv/bin/python tools/INDXRipper/INDXRipper.py -w csv -o 576716800 /mnt/i30_disk1.E01/ewf1 outfile
Traceback (most recent call last):
  File "/opt/elrond/elrond/tools/INDXRipper/INDXRipper.py", line 309, in <module>
    main()
  File "/opt/elrond/elrond/tools/INDXRipper/INDXRipper.py", line 300, in main
    vbr = get_boot_sector(raw_image, args.o * args.b)
  File "/opt/elrond/elrond/tools/INDXRipper/ntfs.py", line 160, in get_boot_sector
    return BOOT_SECTOR.parse_stream(raw_image)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 300, in parse_stream
    return self._parsereport(stream, context, "(parsing)")
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 312, in _parsereport
    obj = self._parse(stream, context, path)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 2120, in _parse
    subobj = sc._parsereport(stream, context, path)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 312, in _parsereport
    obj = self._parse(stream, context, path)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 4101, in _parse
    stream_read(stream, pad, path)
  File "/opt/elrond/elrond/venv/lib/python3.9/site-packages/construct/core.py", line 91, in stream_read
    raise StreamError("stream read less than specified amount, expected %d, found %d" % (length, len(data)), path=path)
construct.core.StreamError: Error in path (parsing)
stream read less than specified amount, expected 3, found 0

I have two offsets for the disk:

And I can't not run it as sudo, as the mount point permissions for /mnt/i30_disk1/ewf1 cannot be altered:

chmod: changing permissions of '/mnt/i30_disk1.E01': Function not implemented
chmod: changing permissions of '/mnt/i30_disk1.E01/ewf1': Function not implemented

harelsegev commented 2 years ago

INDXRipper expects the offset you give it to be in sectors, not in bytes. If 2048 is the offset in sectors, don't multiply it by 512.

ezaspy commented 2 years ago

Excellent, it works. My bad! Thanks again
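
The unit mix-up resolved above, as an added example that is not part of the thread or of INDXRipper's code: the traceback shows the tool seeking to `args.o * args.b`, so an offset given in bytes lands far past the partition (or past the end of the image, where the read returns 0 bytes). The sketch reads partition starts in sectors from an MBR and classifies a supplied offset; the function names, the 512-byte sector size, MBR partitioning and the sample image are all assumptions made for illustration.

```python
import io
import struct

SECTOR = 512                 # assumed sector size in bytes
NTFS_OEM_ID = b"NTFS    "    # bytes 3..10 of an NTFS boot sector

def mbr_partition_starts(image):
    """Return the starting LBA (in sectors) of each non-empty MBR partition entry."""
    image.seek(0)
    mbr = image.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return []
    starts = []
    for i in range(4):       # four 16-byte entries starting at byte 446
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype, lba = entry[4], struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0 and lba != 0:
            starts.append(lba)
    return starts

def is_ntfs_boot_sector(image, byte_pos):
    """True if a full sector at byte_pos carries the NTFS OEM ID and 0x55AA signature."""
    image.seek(byte_pos)
    sector = image.read(SECTOR)  # a seek past the end of the image yields b""
    return len(sector) == SECTOR and sector[3:11] == NTFS_OEM_ID and sector[510:512] == b"\x55\xaa"

def diagnose_offset(image, offset):
    """Classify an offset: ('ok' | 'bytes-not-sectors' | 'not-found', offset in sectors)."""
    if is_ntfs_boot_sector(image, offset * SECTOR):
        return "ok", offset
    if offset % SECTOR == 0 and is_ntfs_boot_sector(image, offset):
        return "bytes-not-sectors", offset // SECTOR
    return "not-found", None

def build_sample_image(start_lba=8, total_sectors=16):
    """Constructed image: MBR with one type-0x07 entry and a minimal NTFS boot sector."""
    img = bytearray(total_sectors * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x00, 0x07, start_lba, total_sectors - start_lba)
    img[510:512] = b"\x55\xaa"
    vbr = start_lba * SECTOR
    img[vbr:vbr + 3] = b"\xeb\x52\x90"
    img[vbr + 3:vbr + 11] = NTFS_OEM_ID
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    return io.BytesIO(bytes(img))
```

On the constructed image, passing `8 * 512` as the offset is reported as `bytes-not-sectors` with a suggested value of `8`.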