libyal / libewf

Libewf is a library to access the Expert Witness Compression Format (EWF)
GNU Lesser General Public License v3.0

Unsupported L01 srce category format #205

Open adenprince-relativity opened 1 month ago

adenprince-relativity commented 1 month ago

Some L01 files generated by EnCase 21.3 are receiving the following error:

libewf_single_files_parse_srce_category: invalid number of entries value out of bounds.
libewf_single_files_parse_utf8_string: unable to parse srce category.
libewf_single_files_read_data: unable to parse UTF-8 string.
libewf_internal_handle_open_read_segment_file_section_data: unable to parse single files.
libewf_internal_handle_open_read_segment_files: unable to read section data from segment file: 0.
libewf_internal_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open_wide: unable to open handle using a file IO pool.

After removing the check that results in the invalid number of entries value out of bounds error above and rebuilding the library, those files receive this error:

libewf_single_files_parse_srce_category: unsupported empty line string: 22 - not empty.
libewf_single_files_parse_utf8_string: unable to parse srce category.
libewf_single_files_read_data: unable to parse UTF-8 string.
libewf_internal_handle_open_read_segment_file_section_data: unable to parse single files.
libewf_internal_handle_open_read_segment_files: unable to read section data from segment file: 0.
libewf_internal_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open_wide: unable to open handle using a file IO pool.

Is it safe to remove the check that results in the unsupported empty line string: 22 - not empty error above? Are you aware of any settings in EnCase that would cause these errors? I'm not able to provide a test file. Thank you.

joachimmetz commented 1 month ago

L01 is a proprietary format.

> I'm not able to provide a test file. Thank you.

Are you able to provide debug/verbose output of the relevant data?

adenprince-relativity commented 4 weeks ago

Is it sufficient to provide the output of running .\ewfinfo.exe -v on one of the files, or is something else needed?

joachimmetz commented 4 weeks ago

See https://github.com/libyal/libewf/wiki/Troubleshooting#verbose-and-debug-output for what is needed.

SerhiyBol commented 3 weeks ago

When running verbose-and-debug-output it seems like it includes PII information.

Are you trying to see this part only from all that output? [image]

FYI, this is from the file that works, but there is a possibility we can try to get this output from a bad file. Unfortunately, we cannot provide full verbose output.

joachimmetz commented 3 weeks ago

> FYI, this is from the file that works but there is possibility we can try to get this output from a bad file. Unfortunately, we cannot provide full verbose output.

Either sanitize the output or provide the information related to the warning.

SerhiyBol commented 4 days ago

This is the s.r.c.e category data we were able to extract from the problematic file.

00000180: 30 00 0a 00 0a 00 73 00 72 00 63 00 65 00 0a 00  0.....s. r.c.e...
00000190: 30 00 09 00 31 00 0a 00 70 00 09 00 6e 00 09 00  0...1... p...n...
000001a0: 69 00 64 00 09 00 65 00 76 00 09 00 64 00 6f 00  i.d...e. v...d.o.
000001b0: 09 00 6c 00 6f 00 63 00 09 00 73 00 65 00 09 00  ..l.o.c. ..s.e...
000001c0: 6d 00 66 00 72 00 09 00 6d 00 6f 00 09 00 74 00  m.f.r... m.o...t.
000001d0: 62 00 09 00 6c 00 6f 00 09 00 70 00 6f 00 09 00  b...l.o. ..p.o...
000001e0: 61 00 68 00 09 00 73 00 68 00 09 00 67 00 75 00  a.h...s. h...g.u.
000001f0: 09 00 70 00 67 00 75 00 09 00 61 00 71 00 09 00  ..p.g.u. ..a.q...
00000200: 69 00 70 00 09 00 73 00 69 00 09 00 6d 00 61 00  i.p...s. i...m.a.
00000210: 09 00 64 00 74 00 0a 00 30 00 09 00 30 00 0a 00  ..d.t... 0...0...
00000220: 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00  ........ ........
00000230: 09 00 09 00 2d 00 31 00 09 00 2d 00 31 00 09 00  ....-.1. ..-.1...
00000240: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000250: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000260: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000270: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000280: 09 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  ..0.0.0. 0.0.0.0.
00000290: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
000002a0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
000002b0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
000002c0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
000002d0: 30 00 09 00 30 00 30 00 30 00 30 00 30 00 30 00  0...0.0. 0.0.0.0.
000002e0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
000002f0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000300: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000310: 30 00 30 00 09 00 30 00 30 00 30 00 30 00 30 00  0.0...0. 0.0.0.0.
00000320: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000330: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000340: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000350: 30 00 30 00 30 00 09 00 09 00 09 00 09 00 30 00  0.0.0... ......0.
00000360: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00  0.0.0.0. 0.0.0.0.
00000370: 30 00 30 00 30 00 09 00 66 00 0a 00 0a 00 73 00  0.0.0... f.....s.
00000380: 75 00 62 00 0a 00 30 00 09 00 31 00 0a 00 70 00  u.b...0. ..1...p.
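As an added illustration for readers of this thread (this is not libewf code and not posted by any participant), the following Python decodes an xxd-style dump like the one above into the UTF-16LE text that the error messages refer to and splits it into categories and tab-separated fields, so the number of entries on each line can be counted before anyone considers relaxing a bounds check. The layout it assumes (an empty line ends a category, the first line of a category is its name, every other line is tab-separated) is taken only from what is visible in the dump, not from a specification. The sample text is constructed to match what the dump decodes to, including the `0` tail of the preceding category and the truncated `sub` category at the end; the two-row sample dump is a transcription of the first two rows above.

```python
"""Decode an xxd-style hex dump of L01 'single files' text (UTF-16LE) and
summarise its categories and tab-separated fields.

Added example for this issue thread; not libewf code. The category layout is
assumed from the dump in the thread, not taken from a format specification.
"""
import re

# One dump row: 8 hex-digit offset, colon, then up to 16 hex byte pairs. The
# ASCII column that follows is ignored. Rows may be on separate lines or run
# together on one line (as they were when pasted into the issue).
_ROW_RE = re.compile(
    r"([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{2}(?![0-9a-zA-Z])){1,16})"
)


def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the byte pairs of every recognised row, in order."""
    out = bytearray()
    for match in _ROW_RE.finditer(dump):
        out.extend(bytes.fromhex(match.group(2)))
    return bytes(out)


def split_categories(text: str) -> list:
    """Split decoded text into categories; an empty line ends a category.

    Each category is {'name': first line, 'rows': [list of fields, ...]}.
    A category cut off at either end of the dump is still returned.
    """
    categories, current = [], []
    for line in text.split("\n"):
        if line == "":
            if current:
                categories.append(current)
            current = []
            continue
        current.append(line.split("\t"))
    if current:
        categories.append(current)
    return [{"name": rows[0][0], "rows": rows[1:]} for rows in categories]


def field_counts(category: dict) -> list:
    """Number of tab-separated fields on each row after the name line."""
    return [len(row) for row in category["rows"]]


def column_map(names_row: list, value_row: list) -> dict:
    """Pair a column-name row with a value row so fields can be read by name."""
    if len(names_row) != len(value_row):
        raise ValueError(f"{len(names_row)} names vs {len(value_row)} values")
    return dict(zip(names_row, value_row))


def summarize_dump(dump: str) -> list:
    """Hex dump text -> [(category name, field counts per row), ...]."""
    text = hexdump_to_bytes(dump).decode("utf-16-le", errors="replace")
    return [(c["name"], field_counts(c)) for c in split_categories(text)]


# Constructed sample: the text the dump in the thread decodes to (tail of the
# previous category, the full srce category, start of the 'sub' category).
SAMPLE_TEXT = (
    "0\n\n"
    "srce\n"
    "0\t1\n"
    "p\tn\tid\tev\tdo\tloc\tse\tmfr\tmo\ttb\tlo\tpo\tah\tsh\tgu\tpgu\taq\tip\tsi\tma\tdt\n"
    "0\t0\n"
    + "\t" * 10 + "-1\t-1\t" + "0" * 32 + "\t" + "0" * 40 + "\t"
    + "0" * 32 + "\t" + "0" * 32 + "\t\t\t\t" + "0" * 12 + "\tf\n"
    "\nsub\n0\t1\np"
)

# Constructed sample dump: transcription of the first two rows in the thread.
SAMPLE_DUMP = (
    "00000180: 30 00 0a 00 0a 00 73 00 72 00 63 00 65 00 0a 00  0.....s. r.c.e...\n"
    "00000190: 30 00 09 00 31 00 0a 00 70 00 09 00 6e 00 09 00  0...1... p...n...\n"
)

if __name__ == "__main__":
    for name, counts in summarize_dump(SAMPLE_DUMP):
        print(name, counts)
    srce = split_categories(SAMPLE_TEXT)[1]
    print(srce["name"], field_counts(srce))
    # Columns row is rows[1], the single value row is rows[3] in this sample.
    print(column_map(srce["rows"][1], srce["rows"][3]))
```

On the constructed sample the srce category yields field counts `[2, 21, 2, 21]`: the column-name line and the value line both carry 21 tab-separated fields, the two short lines carry 2. Running `summarize_dump` on a full sanitized dump from a failing file shows the same counts for that file, which is the information a maintainer can compare against the parser's expectations without seeing any of the PII in the rest of the output.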