libyal / libewf

Libewf is a library to access the Expert Witness Compression Format (EWF)
GNU Lesser General Public License v3.0

Lx01: unsupported category header #187

Closed certxlm closed 1 year ago

certxlm commented 1 year ago

Hello,

We recently encountered an issue with an encase logical image (2 files, Fx01 + Fx02). Neither ewfmount nor ewfinfo could make sense of it.

We work on Ubuntu 22.04, so at first we tried with the available version....

        ewfinfo 20140807

        Unable to open EWF file(s).
        libewf_glob: invalid filename - missing extension.
        info_handle_open_input: unable to resolve filename(s).

But a newer version (built from the tarball) failed as well:

        ewfinfo 20230212

        Unable to open EWF file(s).
        libewf_single_files_parse_rec_category: unsupported category header.
        libewf_single_files_parse_utf8_string: unable to parse rec category.
        libewf_single_files_read_data: unable to parse UTF-8 string.
        libewf_internal_handle_open_read_segment_file_section_data: unable to parse single files.
        libewf_internal_handle_open_read_segment_files: unable to read section data from segment file: 1.
        libewf_internal_handle_open_file_io_pool: unable to read segment files.
        libewf_handle_open: unable to open handle using a file IO pool.
        info_handle_open_input: unable to open file(s).

After looking at the code (and adding some more debug), we realized that the issue lies in the libewf_single_files_parse_utf8_string function. More specifically, the function checks the number of categories (must be 5 of them), then proceeds to parse them in a fixed order, starting with "libewf_single_files_parse_rec_category".

Strangely, in the files provided to us, the categories appear in this order:

  1. entry
  2. perm
  3. rec
  4. srce
  5. sub

To be able to work on our case, we made a quick and dirty patch that was functional enough. You can find it here with details on how the encase file was created. Note that the patch isn't good enough for a PR:

Unfortunately, we cannot provide you with the encase files, but we hope that this issue helps.
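The ordering problem described in this report, as an added example that is not part of the original post and is not libewf code: instead of assuming `rec` comes first, a parser can dispatch on each category header while still rejecting unknown, duplicate or missing categories. The block layout (header line, body, blank-line separator), `SAMPLE` and the function names are assumptions made for illustration, not the real EWF single-files layout.

```c
#include <stdio.h>
#include <string.h>

#define NUM_CATEGORIES 5
/* Category names from the report, listed in the order the reporter saw them. */
static const char *const CATEGORIES[NUM_CATEGORIES] = { "entry", "perm", "rec", "srce", "sub" };

/* Constructed sample (not real EWF data): one block per category, header
 * on the first line, placeholder body, blank line between blocks. */
static const char SAMPLE[] =
    "entry\nbody\n\nperm\nbody\n\nrec\nbody\n\nsrce\nbody\n\nsub\nbody\n\n";

/* Index of a header in CATEGORIES, or -1 if it is not a known category. */
static int category_index(const char *header, size_t len) {
    for (int i = 0; i < NUM_CATEGORIES; i++)
        if (strlen(CATEGORIES[i]) == len && memcmp(CATEGORIES[i], header, len) == 0)
            return i;
    return -1;
}

/* The fixed-order assumption: returns 1 only if the first header is "rec". */
int first_header_is_rec(const char *text) {
    int idx = category_index(text, strcspn(text, "\n"));
    return idx >= 0 && strcmp(CATEGORIES[idx], "rec") == 0;
}

/* Order-independent scan: dispatch on each header name and record the order
 * seen. Returns 0 on success, -1 unknown header, -2 duplicate, -3 missing. */
int scan_categories(const char *text, int order[NUM_CATEGORIES]) {
    int seen[NUM_CATEGORIES] = {0}, count = 0;
    for (const char *p = text; *p != '\0'; ) {
        int idx = category_index(p, strcspn(p, "\n"));
        if (idx < 0) return -1;
        if (seen[idx]) return -2;
        seen[idx] = 1;
        order[count++] = idx;
        const char *end = strstr(p, "\n\n");  /* skip this block's body */
        if (end == NULL) break;
        p = end + 2;
    }
    return count == NUM_CATEGORIES ? 0 : -3;
}

int main(void) {
    int order[NUM_CATEGORIES];
    printf("fixed order accepts sample: %d\n", first_header_is_rec(SAMPLE));
    printf("header dispatch result: %d\n", scan_categories(SAMPLE, order));
    return 0;
}
```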

joachimmetz commented 1 year ago

> Unfortunately, we cannot provide you with the encase files, but we hope that this issue helps.

Can you create a test file with this scenario you can share?

certxlm commented 1 year ago

The encase file was made by another team, but we'll ask nonetheless, should be able to get an answer soon enough.

joachimmetz commented 1 year ago

This might be something specific to

        Operating system used:  TX1 20.2.0
        Software version used:  LIE 4.2.0

joachimmetz commented 1 year ago

So L01/Lx01 does not appear to be a single format, there are L01 files generated by Encase that other tools fail to process. I strongly discourage using this format for anything serious. If you want better support for it in libewf, I'll need test files. Closing issue, reopen if there are test files.