libyal / libewf

Libewf is a library to access the Expert Witness Compression Format (EWF)
GNU Lesser General Public License v3.0

What pre-dated libewf_set_volume_type, if anything? #25

Closed tedsmith closed 9 years ago

tedsmith commented 9 years ago

I note the function libewf_set_volume_type (https://github.com/libyal/libewf/blob/54b0eada69defd015c49e4e1e1e4e26a27409ba3/libewf/libewf_legacy.c#L2373) and the accompanying byte values of

LIBEWF_VOLUME_TYPE_LOGICAL = 0x00, LIBEWF_VOLUME_TYPE_PHYSICAL = 0x01 (https://github.com/libyal/libewf/blob/54b0eada69defd015c49e4e1e1e4e26a27409ba3/libewf/libewf_definitions.h.in#L162)

From what I can gather, these should be passed to libewf_set_volume_type so that the resulting E01 'knows' whether it is an E01 of a physical item (.\PhysicalDiskX) or logical volume?

However, the compiled DLL I have dates back to June 2014 and using DLL Explorer, the function libewf_set_volume_type is not listed in it, so I assume it dates later than my DLL.

Was there another function that predated libewf_set_volume_type but which did the same thing? If so, could you tell me what it was called? I can't find anything that resembles it - libewf_set_media_type is the nearest but I think that's things like "CD\USB\Disk" etc. I realise the best thing would be to generate a new DLL from the latest source code, but having tried that the other day, I found it didn't work with my project (I use Delphi\Freepascal).

Thanks

joachimmetz commented 9 years ago

Nothing that predates it: https://github.com/libyal/libewf/blob/54b0eada69defd015c49e4e1e1e4e26a27409ba3/include/libewf.h.in#L3119

But it got superseded by libewf_handle_set_media_flags; if not compiled with v1 API support it might not have been included.

joachimmetz commented 9 years ago

From what I can gather, these should be passed to libewf_set_volume_type so that the resulting E01 'knows' whether it is an E01 of a physical item (.\PhysicalDiskX) or logical volume?

This is only needed for compatibility with EnCase; most other tools look at the actual content of the EWF.

joachimmetz commented 9 years ago

found it didn't work with my project (I use Delphi\Freepascal).

Can you be more specific what did not work?

tedsmith commented 9 years ago

OK. libewf_handle_set_media_flags is in my DLL so I have converted libewf_set_volume_type to that and that seems to work.

I have added LIBEWF_MEDIA_FLAG_PHYSICAL = $02; to my Pascal unit and called libewf_handle_set_media_flags(LIBEWF_MEDIA_FLAG_PHYSICAL); in my program code if the user has selected a physical disk.

The reason I have asked the question is this: even before I looked into setting these flags, my generated E01 images seemed to be fine. They could be opened in FTK Imager and a couple of others. No problems. However, when I open them using X-Ways Forensics, I got a message telling me that "whatever created the image has marked it as a volume whereas it appears to be a physical disk. Press shift when opening the image to have it interpreted as a disk" (or words to that effect). If I don't press shift, it's opened as a logical volume, and no detectable filesystem. If I do the shift key thing, it opens fine - recognises the filesystem and so on. So it seems that XWF detects a "volume" label somewhere in the image even though the image is of a physical disk (so it expects a "disk" label). However, now I have set the LIBEWF_MEDIA_FLAG_PHYSICAL flag to 0x02, XWF opens the image just fine too. THANKS!!

I note that there is not a flag for a logical volume as there used to be in the V1. So LIBEWF_MEDIA_FLAG_PHYSICAL = 0x02 and is defined along with values for Tableau and Fastblock (https://github.com/libyal/libewf/blob/54b0eada69defd015c49e4e1e1e4e26a27409ba3/libewf/libewf_definitions.h.in#L154).

There doesn't appear to be a value of LIBEWF_MEDIA_FLAG_LOGICAL? Whereas in the deprecated version the choices were :

LIBEWF_VOLUME_TYPE_LOGICAL = 0x00, LIBEWF_VOLUME_TYPE_PHYSICAL = 0x01 (https://github.com/libyal/libewf/blob/54b0eada69defd015c49e4e1e1e4e26a27409ba3/libewf/libewf_definitions.h.in#L164)

Is this due to the fact that E01 is not really designed for logical partition acquisition?

Regarding the DLL - if you don't mind I will post that as a separate issue so as not to confuse matters with this. It's a long story and I will detail each step. In brief, whenever the calls were made to any of the DLL functions, my IDE just choked and generated the general error that it does when it can't find something it expects.

joachimmetz commented 9 years ago

There doesn't appear to be a value of LIBEWF_MEDIA_FLAG_LOGICAL?

As you can see it is zero, so technically not a flag by itself, and thus not really needed.

Is this due to the fact that E01 is not really designed for logical partition acquisition?

E01 is a container format; technically you don't need this metadata, e.g. sleuthkit handles volume or partition detection very well by just ignoring the flag.
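The media-flags handling discussed in this thread, as an added C example that is not code from the libewf project or from either participant: it maps the legacy v1 volume type onto the media-flags byte, sets or clears the PHYSICAL bit without clobbering other bits, and reports how a consumer would interpret the byte. The libewf_handle_set_media_flags/get_media_flags signatures mentioned in the comments are assumed from memory, and the 0x08 extra bit in the demo is a constructed placeholder, not a real libewf value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values quoted in this thread from libewf_definitions.h.in. */
#define LIBEWF_VOLUME_TYPE_LOGICAL   0x00  /* legacy v1 API */
#define LIBEWF_VOLUME_TYPE_PHYSICAL  0x01  /* legacy v1 API */
#define LIBEWF_MEDIA_FLAG_PHYSICAL   0x02  /* current API; "logical" is just the absence of this bit */

/* Map a legacy v1 volume type onto the media-flags bitfield the current API
 * expects. Returns -1 for an unknown volume type rather than guessing. */
int media_flags_from_volume_type(int volume_type) {
    switch (volume_type) {
    case LIBEWF_VOLUME_TYPE_LOGICAL:  return 0x00;
    case LIBEWF_VOLUME_TYPE_PHYSICAL: return LIBEWF_MEDIA_FLAG_PHYSICAL;
    default:                          return -1;
    }
}

/* Set or clear only the PHYSICAL bit and keep any other media flags
 * (the write-blocker flags defined alongside it) untouched. Passing a bare
 * LIBEWF_MEDIA_FLAG_PHYSICAL to the set call, as in the thread, overwrites
 * them; the intended pattern (assumed signatures) is:
 *   libewf_handle_get_media_flags(handle, &flags, &error);
 *   libewf_handle_set_media_flags(handle, media_flags_with_physical(flags, 1), &error); */
uint8_t media_flags_with_physical(uint8_t current_flags, int is_physical) {
    if (is_physical)
        return (uint8_t)(current_flags | LIBEWF_MEDIA_FLAG_PHYSICAL);
    return (uint8_t)(current_flags & ~LIBEWF_MEDIA_FLAG_PHYSICAL);
}

/* How a consumer that honours the flag (X-Ways, per the thread) reads the byte. */
const char *media_flags_describe(uint8_t flags) {
    return (flags & LIBEWF_MEDIA_FLAG_PHYSICAL) ? "physical disk" : "logical volume";
}

int main(void) {
    /* Constructed scenario: flags byte already carries an unrelated bit (0x08, placeholder). */
    uint8_t flags = 0x08;
    flags = media_flags_with_physical(flags, 1);
    printf("flags=0x%02x -> %s\n", flags, media_flags_describe(flags));
    flags = media_flags_with_physical(flags, 0);
    printf("flags=0x%02x -> %s\n", flags, media_flags_describe(flags));
    printf("legacy PHYSICAL -> 0x%02x\n", media_flags_from_volume_type(LIBEWF_VOLUME_TYPE_PHYSICAL));
    return 0;
}
```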