Processing a bsdlabel and UFS2 disk image

[Herbert-Karl]

Describe the problem:

I am using plaso to process a full disk image taken from a OpenBSD virtual machine. As typical for OpenBSD, the disk is split into multiple partitions, each containing some part of the file system. Plaso only processes data from a single partition. Other partitions are not processed and the respective data is missing in the resulting timeline. Given the technical details (see additional context below), I think even this processing of the single partition is only due to lucky alignment of partition offsets.

To Reproduce:

The version of Plaso you used:

self-built, based on public commit d3c314d4b5ce004570e13d07c6a9774f107a92ab

The operating system you are running Plaso on (Not the operating system of the image/files you're trying to analyze):

Debian 12

Steps to reproduce the behavior including command line and arguments and output:

running log2timeline --storage_file test.plaso ~/Downloads/openbsd/image.raw --partitions all produces a storage file containing info from only the "root" partition of OpenBSD. Following timeline was created with psort -w timeline.csv test.plaso timeline.csv To see that partitions are missing from the processing, notice the lack of data on files under /var

I am working with a sample disk image of 20GB size. If needed, I can see about uploading it somewhere and providing a link.

The method you used to install Plaso:

• pulled repo
• pip install -r requirements.txt
• python3 setup.py build && python3 setup.py install

Expected behavior:

the expected behavior has two aspects (see additional context for relevant technical details):

• first, plaso should consider that the one partition reported in the DOS partition table contains a BSD Disk Label with multiple smaller partitions
• second, plaso should process the partitions in the BSD Disk Label each as the UFS2 file systems that they are

Debug output/tracebacks:

running log2timeline -d --storage_file test.plaso ~/Downloads/openbsd/image.raw --partitions all

produces following compressed log file: log2timeline-20240808T142736.log.gz

Additional context

I am trying to parse a OpenBSD image because in parallel of some thesis work, I am experimenting with adding additional parsers to plaso to process OpenBSD-specific data.

Following is information about the partition layout:

$ mmls image.raw 
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000063   0000000064   Unallocated
002:  000:003   0000000064   0041943039   0041942976   OpenBSD (0xa6)

$ mmls -o 64 image.raw 
BSD Disk Label
Offset Sector: 64
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  002       0000000000   0041943039   0041943040   Unused (0x00)
001:  Meta      0000000001   0000000001   0000000001   Partition Table
002:  000       0000000064   0001279839   0001279776   4.2BSD (0x07)
003:  001       0001279840   0003388859   0002109020   Swap (0x01)
004:  -------   0003388860   0003388863   0000000004   Unallocated
005:  003       0003388864   0005190751   0001801888   4.2BSD (0x07)
006:  004       0005190752   0007883295   0002692544   4.2BSD (0x07)
007:  005       0007883296   0012900447   0005017152   4.2BSD (0x07)
008:  006       0012900448   0014270431   0001369984   4.2BSD (0x07)
009:  007       0014270432   0019285343   0005014912   4.2BSD (0x07)
010:  008       0019285344   0022746367   0003461024   4.2BSD (0x07)
011:  009       0022746368   0034010175   0011263808   4.2BSD (0x07)
012:  010       0034010176   0041943039   0007932864   4.2BSD (0x07)

Even though the partitions are marked as "4.2BSD", they each contain UFS2 file systems.

$ fsstat -o 64 image.raw 
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: UFS 2
Last Written: 2024-04-30 20:51:20 (CEST)
Last Mount Point: /
Volume Name: 
System UID: 0

I have also extracted the partition with the BSD disk label (using mmcat image.raw 2 > rec_image.raw) and ran it through plaso with log2timeline -d --storage_file test.plaso ~/Downloads/openbsd/rec_image.raw --partitions all. It created following compressed log file:

2024-08-08 14:22:33,416 [ERROR] (MainProcess) PID:313327 <log2timeline> No supported file system found in source.

If further information is needed, do not hesitate to ask :)

[Herbert-Karl]

I stumbled around the source code of plaso and dfvfs a bit, but realized my knowledge is not enough to figure this problem out by myself.

I know OpenBSD is rather rare to encounter during investigations.

[joachimmetz]

I'll have a look when time permits, this is not on top of the priority list at the moment.