Open knispeja opened 2 months ago
joachimmetz
commented
2 months ago Thanks for the sample file I'll take a look when time permits.
Also note that L01 is a propriety format that is not forensically sound. Have a read of https://osdfir.blogspot.com/2023/07/whats-in-file-path.html for more context
knispeja
commented
2 months ago Thanks! I did find the inner error from libewf (below), Autopsy doesn't seem to surface this so I didn't find it at first. Guessing FEX is doing something weird with permissions groups:
libcdata_array_get_entry_by_index: invalid entry index value out of bounds.
libewf_single_files_get_permission_group_by_index: unable to retrieve entry: 1 from permission groups array.
libewf_file_entry_initialize: unable to retrieve permission group: 1.
libewf_file_entry_get_sub_file_entry: unable to initialize sub file entry.
It seems to me like libewf will not discover files inside of L01 images created by FEX Imager. Sample L01 file zipped and attached (small_fex_test.zip) -- the L01 has just a single text file inside.
Discovered this because Autopsy also doesn't find these files, and seems to throw no errors. I think this might extend to any files created by FEX Imager, but I didn't do extensive testing.