Closed arothenhaeuser closed 2 years ago
If you can provide a test image or debug output (see: https://github.com/libyal/libbde/wiki/Troubleshooting#format-or-behavioral-errors) that could help narrow down the issue.
Though based on your Python code it looks like you're reading the start of the image not the start of the volume.
$ fdisk -l image.raw
Disk /mnt/e/image.raw: 2.75 TiB, 3000592982016 bytes, 5860533168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x9a69dc6b
Device Boot Start End Sectors Size Id Type
/mnt/e/image.raw1 256 732563999 732563744 349.3G c W95 FAT32 (LBA)
fdisk implies an offset of 256 * 512 = 131072, whereas manual search for "ëX.-FVE-FS-" implies an offset of 1048576. I tried pointing pybde to both positions, but receive the very same error message:
try:
file_object = open("/mnt/e/image.raw", "rb")
file_object.seek(131072)
bde_volume = pybde.volume()
bde_volume.open_file_object(file_object)
bde_volume.close()
except Exception as e:
print(e)
# pybde_volume_open_file_object: unable to open volume. libbde_io_handle_read_volume_header: unsupported volume boot entry point. libbde_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle.
try:
file_object = open("/mnt/e/image.raw", "rb")
file_object.seek(1048576)
bde_volume = pybde.volume()
bde_volume.open_file_object(file_object)
bde_volume.close()
except Exception as e:
print(e)
# pybde_volume_open_file_object: unable to open volume. libbde_io_handle_read_volume_header: unsupported volume boot entry point. libbde_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle.
Unfortunately I can't provide the image itself, nor was I able to produce the debug output you requested (I used setup.py to build your project). Any further help is much appreciated!
Your file_object should have the BDE volume at offset 0 (not the start of the image)
Have a look at the DataRangeFileObject in https://gist.github.com/joachimmetz/58962c679370518d54065f0f4dad685a#file-vshadow-store-read-py-L33
Okay, so after some modifications of the code you linked I can do this:
try:
drfo = DataRangeFileObject(1048576, 375072767488)
drfo.open("/mnt/e/image.raw")
print(binascii.hexlify(drfo.read(16), " "))
# b'eb 58 90 2d 46 56 45 2d 46 53 2d 00 10 40 20 00'
drfo.seek(0)
bde_volume = pybde.volume()
bde_volume.open_file_object(drfo)
bde_volume.close()
except Exception as e:
print(e)
# pybde_volume_open_file_object: unable to open volume. libbde_io_handle_read_volume_header: unsupported identifier. libbde_volume_open_read: unable to read volume header. libbde_volume_open_file_io_handle: unable to read from file IO handle.
I think my DataRangeFileObject now has the BDE volume at offset 0, but still I get the same error. What am I doing wrong this time? Please don't tell me its simply a corrupted disk image ;)
but still I get the same error.
No you're not. You now get libbde_io_handle_read_volume_header: unsupported identifier.
versus libbde_io_handle_read_volume_header: unsupported volume boot entry point.
This indicates an unsupported version of a BDE volume. Could this be related to https://github.com/libyal/libbde/issues/39 ? See the troubleshooting link I sent earlier to get more information about the data format.
I sent you some debug output via pm. I believe that used disk space only encryption was used, thus it was not working without debug mode.
Per out of band conversation this is a duplicate of https://github.com/libyal/libbde/issues/39
I tried to open an image of a hard drive, which I believe to be half-way encrypted, using python. Unfortunately pybde refuses to open it.
I manually verified, that there is an intact bitlocker volume header starting at offset 1048576 (dec):
Is there anything I can do to further narrow down the problem? Or is this simply not supported by the library?