how to get segment files that are > 2G ?

[SirHenryTheNerd]

Hi!

Since the latest update to macOS ewfacquire keeps throwing "Value not within specified range" when you enter a segment size that is larger than about 2 GB. I tried to re-compile the whole libewf but this error sticks.

Could you please have a look what could cause this?

[joachimmetz]

Can you provide more detail on how you built ewfacquire with which versions of Mac OS and Xcode?

[SirHenryTheNerd]

I built the 20201230 version quite a time ago (don't know when). Everything worked fine. Yesterday I made an update to 10.15.7 (Catalina) and after that I found 1.6 GB segments while having 8 GB hard-coded in the script I use. So I did some manual testing and found, that the -S parameter gets ignored when over (roughly) 2 GB.

So I downloaded everything from GitHub, recompiled using Xcode 12.4 on the 10.15.7 and nothing changed.

As everything has been working fine for months I really think this I connected to the latest macOS update.

Note: I remove the self-compiled version and installed an old ewflib version using Homebrew and it showed the same error.

Please tell if I can do some testing that helps find the bug.

[joachimmetz]

• Why 10.15.7 the latest Mac OS is 12.0.1 by now?
• can you attach config.log
• what output ewf format are you using?

[SirHenryTheNerd]

It's an 2013 iMac. 10.15.7 is the latest supported version and I think it's not very smart to dump a working device just because it's old.

config.log is attached.

I tried ewf and ewfx. Both show the same error. config.log

[joachimmetz]

you might need encase6 (or later) output format since most versions of EWF formats before are limited to < 2G segment files

It's an 2013 iMac. 10.15.7 is the latest supported version and I think it's not very smart to dump a working device just because it's old.

ewfaquire is typically used to image disks, which is often faster on newer hardware, hence the question; should not change the situation too much

config.log

see no obvious limitations/issues there

[SirHenryTheNerd]

The strange thing is that it has been working for quite a while and just stopped after the update. I never changed anything (even not the segment size). From one day to another (after the update) it just stopped to work. I will give it a try using encase6.

[SirHenryTheNerd]

Ok, with encase6 it seems to work.

encase7 and encase7-v2: Evidence segment file size in bytes (1.0 MiB <= value <= 7.9 EiB) [1.4 GiB]: 8 GB Unsupported maximum segment size defaulting to: 1572864000.

Same with ewfx. Shouldn't this support 8 GB?

[joachimmetz]

encase7 and encase7-v2

might need to be still implemented, realize you're running an experimental / under-development version

Same with ewfx. Shouldn't this support 8 GB?

why ?

[joachimmetz]

The strange thing is that it has been working for quite a while and just stopped after the update. I never changed anything (even not the segment size). From one day to another (after the update) it just stopped to work.

impossible for me to assess what happened there, since I have no visibility on what happened on the system

[SirHenryTheNerd]

Thanks for your support!