libyal / libewf-legacy

Legacy version of libewf
GNU Lesser General Public License v3.0

Unable to acquire input. libmfdata_array_resize: invalid entries size value exceeds maximum. #24

Open layer7gmbh opened 1 year ago

layer7gmbh commented 1 year ago

Hi,

The following acquiry parameters were provided:
Image path and filename:        /backup/hdd1.E01
Case number:                
Description:                
Evidence number:            
Examiner name:              
Notes:                  
Media type:             fixed disk
Is physical:                yes
EWF file format:            EnCase 6 (.E01)
Compression method:         deflate
Compression level:          none
Acquiry start offset:           0
Number of bytes to acquire:     5.4 TiB (5997921828864 bytes)
Evidence segment file size:     1.4 GiB (1572864000 bytes)
Bytes per sector:           512
Block size:             64 sectors
Error granularity:          64 sectors
Retries on read error:          2
Zero sectors on read error:     no

results in:

Acquiry started at: May 03, 2023 13:58:45
This could take a while.

Acquiry failed at: May 03, 2023 13:58:45
Unable to acquire input.
libmfdata_array_resize: invalid entries size value exceeds maximum.
libmfdata_list_resize: unable to resize elements array.
libewf_write_io_handle_write_new_chunk: unable to resize chunk table.
libewf_handle_write_buffer: unable to write new chunk.
imaging_handle_write_buffer: unable to write storage media buffer.
ewfacquire_read_input: unable to write data to file.
Unable to close output file(s).
libmfdata_array_resize: invalid entries size value exceeds maximum.
libmfdata_list_resize: unable to resize elements array.
libewf_write_io_handle_write_new_chunk: unable to resize chunk table.
libewf_handle_write_finalize: unable to write new chunk.
libewf_handle_close: unable to finalize write.
imaging_handle_close: unable to close output handle.

If the bytes to acquire is reduced, it will work:

Image path and filename:        /backup/hdd1.E01
Case number:                
Description:                
Evidence number:            
Examiner name:              
Notes:                  
Media type:             fixed disk
Is physical:                yes
EWF file format:            EnCase 6 (.E01)
Compression method:         deflate
Compression level:          none
Acquiry start offset:           0
Number of bytes to acquire:     286 MiB (300000000 bytes)
Evidence segment file size:     1.4 GiB (1572864000 bytes)
Bytes per sector:           512
Block size:             64 sectors
Error granularity:          64 sectors
Retries on read error:          2
Zero sectors on read error:     no

Continue acquiry with these values (yes, no) [yes]: 

Acquiry started at: May 03, 2023 14:00:45
This could take a while.

Status: at 50%.
        acquired 144 MiB (151650304 bytes) of total 286 MiB (300000000 bytes).
        completion in 4 second(s) with 35 MiB/s (37500000 bytes/second).

Acquiry completed at: May 03, 2023 14:00:52

Written: 286 MiB (300001316 bytes) in 7 second(s) with 40 MiB/s (42857330 bytes/second).
MD5 hash calculated over data:      6f0250647748b3925ba1738e0bfdc883
ewfacquire: SUCCESS

Also everything < 4 TB will work.

Is there some more elegant way to get this done, but to manipulate the starting offset to virtually slice the device in multiple logical parts?

Thank you and great project work!

Greetings Oliver
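The slicing the question above asks about can be planned up front: with 512-byte sectors and 64-sector blocks every chunk is 32 KiB, so the number of chunk-table entries grows linearly with the bytes acquired. This added example (not code from the libewf project or from the thread) computes that entry count for the figures reported above and splits a device into chunk-aligned (start offset, byte count) slices; the `max_chunks` bound is an assumption derived from the observation that images below about 4 TB succeed, not a documented library limit.

```python
"""Plan chunk-aligned acquisition slices for ewfacquire (added example)."""

SECTOR_SIZE = 512    # "Bytes per sector: 512" from the reported parameters
BLOCK_SECTORS = 64   # "Block size: 64 sectors" -> one EWF chunk per block


def chunk_size(sector_size=SECTOR_SIZE, block_sectors=BLOCK_SECTORS):
    """Bytes per chunk: 512 * 64 = 32768 for the parameters in the issue."""
    return sector_size * block_sectors


def chunk_count(num_bytes, sector_size=SECTOR_SIZE, block_sectors=BLOCK_SECTORS):
    """Chunk-table entries an image of num_bytes needs; the last chunk may be partial."""
    size = chunk_size(sector_size, block_sectors)
    return (num_bytes + size - 1) // size


def plan_slices(device_bytes, max_chunks, sector_size=SECTOR_SIZE, block_sectors=BLOCK_SECTORS):
    """Split the device into (start_offset, byte_count) pairs, each holding at most
    max_chunks chunks and starting on a chunk boundary, so every slice can be
    acquired as its own image via the start offset and byte count options."""
    if max_chunks < 1:
        raise ValueError("max_chunks must be at least 1")
    slice_bytes = max_chunks * chunk_size(sector_size, block_sectors)
    slices, offset = [], 0
    while offset < device_bytes:
        count = min(slice_bytes, device_bytes - offset)
        slices.append((offset, count))
        offset += count
    return slices


def verify_plan(slices, device_bytes, max_chunks, sector_size=SECTOR_SIZE, block_sectors=BLOCK_SECTORS):
    """True if the slices are contiguous, cover the device exactly, start on chunk
    boundaries and each stays within max_chunks chunk-table entries."""
    size = chunk_size(sector_size, block_sectors)
    expected = 0
    for offset, count in slices:
        if offset != expected or offset % size != 0 or count <= 0:
            return False
        if chunk_count(count, sector_size, block_sectors) > max_chunks:
            return False
        expected = offset + count
    return expected == device_bytes


if __name__ == "__main__":
    device = 5997921828864                       # the 5.4 TiB disk from the issue
    limit = chunk_count(4 * 10**12)              # assumed bound: "< 4 TB will work"
    print("chunks for full disk:", chunk_count(device))
    for start, length in plan_slices(device, limit):
        print(f"offset={start} bytes={length} chunks={chunk_count(length)}")
```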

joachimmetz commented 1 year ago

Which version of libewf are you using? libmfdata is part of the legacy version, so moving this to a different issue tracker.

joachimmetz commented 1 year ago

Possible duplicate of https://github.com/libyal/libewf-legacy/issues/9

layer7gmbh commented 1 year ago

Hi Joachim,

sorry for that stupid mistake....

ewfacquire is version 20140813 on the current Kali Linux live ISO.

joachimmetz commented 1 year ago

That is still relatively recent, see https://github.com/libyal/libewf-legacy/releases; you might be hitting the limits of the legacy version. You can try experimenting with changing the hard memory limit in the legacy version or try the experimental version.

layer7gmbh commented 1 year ago

Hi,

unfortunately no change with:

ewfacquire -V ewfacquire 20140814

joachimmetz commented 1 year ago

Experimental version is https://github.com/libyal/libewf/releases

layer7gmbh commented 1 year ago

Hi,

sorry for the delay!

Tested now the latest experimental version and did the usual

configure, make, make install

ending up in:

[/usr/src/libewf-20230212]
# ewfacquire --version
ewfacquire: error while loading shared libraries: libewf.so.3: cannot open shared object file: No such file or directory

doing installcheck:

└─# make installcheck
Making installcheck in include
make[1]: Entering directory '/usr/src/libewf-20230212/include'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/include'
Making installcheck in common
make[1]: Entering directory '/usr/src/libewf-20230212/common'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/common'
Making installcheck in libcerror
make[1]: Entering directory '/usr/src/libewf-20230212/libcerror'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcerror'
Making installcheck in libcthreads
make[1]: Entering directory '/usr/src/libewf-20230212/libcthreads'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcthreads'
Making installcheck in libcdata
make[1]: Entering directory '/usr/src/libewf-20230212/libcdata'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcdata'
Making installcheck in libcdatetime
make[1]: Entering directory '/usr/src/libewf-20230212/libcdatetime'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcdatetime'
Making installcheck in libclocale
make[1]: Entering directory '/usr/src/libewf-20230212/libclocale'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libclocale'
Making installcheck in libcnotify
make[1]: Entering directory '/usr/src/libewf-20230212/libcnotify'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcnotify'
Making installcheck in libcsplit
make[1]: Entering directory '/usr/src/libewf-20230212/libcsplit'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcsplit'
Making installcheck in libuna
make[1]: Entering directory '/usr/src/libewf-20230212/libuna'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libuna'
Making installcheck in libcfile
make[1]: Entering directory '/usr/src/libewf-20230212/libcfile'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcfile'
Making installcheck in libcpath
make[1]: Entering directory '/usr/src/libewf-20230212/libcpath'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcpath'
Making installcheck in libbfio
make[1]: Entering directory '/usr/src/libewf-20230212/libbfio'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libbfio'
Making installcheck in libfcache
make[1]: Entering directory '/usr/src/libewf-20230212/libfcache'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfcache'
Making installcheck in libfdata
make[1]: Entering directory '/usr/src/libewf-20230212/libfdata'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfdata'
Making installcheck in libfdatetime
make[1]: Entering directory '/usr/src/libewf-20230212/libfdatetime'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfdatetime'
Making installcheck in libfguid
make[1]: Entering directory '/usr/src/libewf-20230212/libfguid'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfguid'
Making installcheck in libfvalue
make[1]: Entering directory '/usr/src/libewf-20230212/libfvalue'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfvalue'
Making installcheck in libhmac
make[1]: Entering directory '/usr/src/libewf-20230212/libhmac'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libhmac'
Making installcheck in libcaes
make[1]: Entering directory '/usr/src/libewf-20230212/libcaes'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcaes'
Making installcheck in libewf
make[1]: Entering directory '/usr/src/libewf-20230212/libewf'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libewf'
Making installcheck in libodraw
make[1]: Entering directory '/usr/src/libewf-20230212/libodraw'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libodraw'
Making installcheck in libsmdev
make[1]: Entering directory '/usr/src/libewf-20230212/libsmdev'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libsmdev'
Making installcheck in libsmraw
make[1]: Entering directory '/usr/src/libewf-20230212/libsmraw'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libsmraw'
Making installcheck in ewftools
make[1]: Entering directory '/usr/src/libewf-20230212/ewftools'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/ewftools'
Making installcheck in ewf.net
make[1]: Entering directory '/usr/src/libewf-20230212/ewf.net'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/ewf.net'
Making installcheck in pyewf
make[1]: Entering directory '/usr/src/libewf-20230212/pyewf'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/pyewf'
Making installcheck in pyewf-python2
make[1]: Entering directory '/usr/src/libewf-20230212/pyewf-python2'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/pyewf-python2'
Making installcheck in pyewf-python3
make[1]: Entering directory '/usr/src/libewf-20230212/pyewf-python3'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/pyewf-python3'
Making installcheck in po
make[1]: Entering directory '/usr/src/libewf-20230212/po'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/po'
Making installcheck in manuals
make[1]: Entering directory '/usr/src/libewf-20230212/manuals'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/manuals'
Making installcheck in tests
make[1]: Entering directory '/usr/src/libewf-20230212/tests'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/tests'
Making installcheck in ossfuzz
make[1]: Entering directory '/usr/src/libewf-20230212/ossfuzz'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/ossfuzz'
Making installcheck in msvscpp
make[1]: Entering directory '/usr/src/libewf-20230212/msvscpp'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/msvscpp'
make[1]: Entering directory '/usr/src/libewf-20230212'
make[1]: Nothing to be done for 'installcheck-am'.
make[1]: Leaving directory '/usr/src/libewf-20230212'

OS is latest Kali linux:

# cat /etc/os-release 
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
VERSION="2023.1"
VERSION_ID="2023.1"
VERSION_CODENAME="kali-rolling"
ID=kali
ID_LIKE=debian
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
ANSI_COLOR="1;31"

Here is the whole compile process:

https://pastebin.com/DVEcrVUw

Some additional debugging information:

└─# find / -name "libewf.so.3"
find: ‘/run/user/1000/gvfs’: Permission denied
/run/live/overlay/rw/usr/local/lib/libewf.so.3
/run/live/overlay/rw/usr/src/libewf-20230212/libewf/.libs/libewf.so.3
/usr/lib/live/mount/overlay/rw/usr/local/lib/libewf.so.3
/usr/lib/live/mount/overlay/rw/usr/src/libewf-20230212/libewf/.libs/libewf.so.3
/usr/local/lib/libewf.so.3
/usr/src/libewf-20230212/libewf/.libs/libewf.so.3
└─# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.dotnet/tools:/usr/local/lib
# ls -lah /usr/local/lib/libewf.so.3
lrwxrwxrwx 1 root root 15 May 18 10:41 /usr/local/lib/libewf.so.3 -> libewf.so.3.0.0
└─# ls -lah /usr/local/lib/libewf.so.3.0.0
-rwxr-xr-x 1 root root 5.3M May 18 10:41 /usr/local/lib/libewf.so.3.0.0          

So the file is there, but it seems the ewfacquire binary expects it somewhere else (wherever this might be :-) )

joachimmetz commented 1 year ago

So the file is there, but it seems the ewfacquire binary expects it somewhere else (wherever this might be :-) )

did you update your ldcache?

layer7gmbh commented 1 year ago

Hi,

adding the lib path to ldconfig and rebuilding the cache helped. Thank you!

Unfortunately it now tells me that the chosen options are not supported.

Image path and filename:        /backup/test.E01
Case number:                
Description:                
Evidence number:            
Examiner name:              
Notes:                  HDD1-part2
Media type:             fixed disk
Is physical:                yes
EWF file format:            EnCase 6 (.E01)
Compression method:         deflate
Compression level:          none
Acquiry start offset:           0
Number of bytes to acquire:     14 TiB (16000900661248 bytes)
Evidence segment file size:     1.0 TiB (1099511627776 bytes)
Bytes per sector:           512
Block size:             64 sectors
Error granularity:          64 sectors
Retries on read error:          2
Zero sectors on read error:     no

will result in:

Continue acquiry with these values (yes, no) [yes]: y
Selected option not supported, please try again or terminate using Ctrl^C.
Continue acquiry with these values (yes, no) [yes]: ^C

while this will work:

Image path and filename:        /backup/test.E01
Case number:                
Description:                
Evidence number:            
Examiner name:              
Notes:                  
Media type:             fixed disk
Is physical:                yes
EWF file format:            EnCase 6 (.E01)
Compression method:         deflate
Compression level:          none
Acquiry start offset:           0
Number of bytes to acquire:     279 GiB (300000000000 bytes)
Evidence segment file size:     1.0 TiB (1099511627776 bytes)
Bytes per sector:           512
Block size:             64 sectors
Error granularity:          64 sectors
Retries on read error:          2
Zero sectors on read error:     no

So actually nothing changed between the versions, except that the code will now tell that it's unsupported to get more than 4mio. bytes...

Greetings Oliver