sleuthkit / sleuthkit

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
http://www.sleuthkit.org/sleuthkit/

ifind does not work. #2982

Open mvasi90 opened 1 week ago

mvasi90 commented 1 week ago

Hello everyone.

I'm trying to find the inode of a given sector with ifind but it does not work. The exit code is 1.

By default it does not detect the filesystem type. It is fat32 (virtual fat). The detected filesystem is YAFFS2.

`ifind -v -o 2048 -d 1346236920 sda.img`

```
tsk_img_open: Type: 0 NumImg: 1 Img1: sda.img
tsk_img_findFiles: sda.img found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0 size: 2000398934016 max offset: 2000398934016 path: sda.img
fsopen: Auto detection mode at offset 1048576
raw_read: byte offset: 1048576 len: 65536
raw_read: found in image 0 relative offset: 1048576 len: 65536
raw_read_segment: opening file into slot 0: sda.img
ntfs_open: invalid MFT entry size
fatfs_dir_open_meta: Processing directory 2
tsk_fs_file_walk: Processing file 2
fatfs_make_data_runs: Processing file 2 in normal mode
raw_read: byte offset: 489324544 len: 65536
raw_read: found in image 0 relative offset: 489324544 len: 65536
fatfs_dir_open_meta: Parsing directory 2
fatfs_dent_parse_buf: Parsing sector 953664 for dir 2
fatfs_dent_parse_buf: Parsing sector 953665 for dir 2
fatfs_dent_parse_buf: Parsing sector 953666 for dir 2
fatfs_dent_parse_buf: Parsing sector 953667 for dir 2
...
fatfs_dent_parse_buf: Parsing sector 953727 for dir 2
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 0 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 1 is invalid
...
fatfs_dent_parse_buf: Entry 14 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 15 is invalid
ext2fs_open: invalid magic
raw_read: byte offset: 1114112 len: 65536
raw_read: found in image 0 relative offset: 1114112 len: 65536
ufs_open: Trying 256KB UFS2 location
raw_read: byte offset: 1310720 len: 65536
raw_read: found in image 0 relative offset: 1310720 len: 65536
ufs_open: Trying UFS1 location
ufs_open: No UFS magic found
raw_read: byte offset: 20992 len: 65536
raw_read: found in image 0 relative offset: 20992 len: 65536
raw_read: byte offset: 2048 len: 65536
...
raw_read: found in image 0 relative offset: 2048512 len: 65536
raw_read: byte offset: 2029568 len: 65536
raw_read: found in image 0 relative offset: 2029568 len: 65536
raw_read: byte offset: 2183680 len: 65536
raw_read: found in image 0 relative offset: 2183680 len: 65536
raw_read: byte offset: 2164736 len: 65536
raw_read: found in image 0 relative offset: 2164736 len: 65536
yaffsfs_open: could not find valid spare area format
See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration
iso9660_open img_info: 108881390572128 ftype: 2048 test: 1
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 16-byte pre-block size
fs_prepost_read: Mapped 32768 to 1086224
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 24-byte pre-block size
fs_prepost_read: Mapped 32768 to 1086232
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
iso9660_open: Error loading volume descriptor
fatfs_inode_walk: Inode walking 2 to 62497139718
fatfs_make_data_runs: Processing file 2 in normal mode
```

`ifind -f fat -v -o 2048 -d 1346236920 sda.img`

```
tsk_img_open: Type: 0 NumImg: 1 Img1: sda.img
tsk_img_findFiles: sda.img found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0 size: 2000398934016 max offset: 2000398934016 path: sda.img
raw_read: byte offset: 1048576 len: 65536
raw_read: found in image 0 relative offset: 1048576 len: 65536
raw_read_segment: opening file into slot 0: sda.img
fatfs_dir_open_meta: Processing directory 2
tsk_fs_file_walk: Processing file 2
fatfs_make_data_runs: Processing file 2 in normal mode
raw_read: byte offset: 489324544 len: 65536
raw_read: found in image 0 relative offset: 489324544 len: 65536
fatfs_dir_open_meta: Parsing directory 2
fatfs_dent_parse_buf: Parsing sector 953664 for dir 2
...
fatfs_dent_parse_buf: Parsing sector 953681 for dir 2
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 2 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 3 is invalid
fatfs_is_83_name: name[0] is invalid
...
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 15 is invalid
fatfs_dent_parse_buf: Parsing sector 953724 for dir 2
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 0 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 1 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 2 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 3 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 4 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 5 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 6 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 7 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 8 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 9 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 10 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 11 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 12 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 13 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 14 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 15 is invalid
fatfs_dent_parse_buf: Parsing sector 953725 for dir 2
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 0 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 1 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 2 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 3 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 4 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 5 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 6 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 7 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 8 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 9 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 10 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 11 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 12 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 13 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 14 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 15 is invalid
fatfs_dent_parse_buf: Parsing sector 953726 for dir 2
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 0 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 1 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 2 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 3 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 4 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 5 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 6 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 7 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 8 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 9 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 10 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 11 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 12 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 13 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 14 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 15 is invalid
fatfs_dent_parse_buf: Parsing sector 953727 for dir 2
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 0 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 1 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 2 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 3 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 4 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 5 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 6 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 7 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 8 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 9 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 10 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 11 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 12 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 13 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 14 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 15 is invalid
fatfs_inode_walk: Inode walking 2 to 62497139718
fatfs_make_data_runs: Processing file 2 in normal mode
```

mvasi90 commented 1 week ago

Find by name, works:

`ifind -v -o 2048 -n "System Volume Information" sda.img`

```
tsk_img_open: Type: 0 NumImg: 1 Img1: sda.img
tsk_img_findFiles: sda.img found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0 size: 2000398934016 max offset: 2000398934016 path: sda.img
fsopen: Auto detection mode at offset 1048576
raw_read: byte offset: 1048576 len: 65536
raw_read: found in image 0 relative offset: 1048576 len: 65536
raw_read_segment: opening file into slot 0: sda.img
ntfs_open: invalid MFT entry size
fatfs_dir_open_meta: Processing directory 2
tsk_fs_file_walk: Processing file 2
fatfs_make_data_runs: Processing file 2 in normal mode
raw_read: byte offset: 489324544 len: 65536
raw_read: found in image 0 relative offset: 489324544 len: 65536
fatfs_dir_open_meta: Parsing directory 2
fatfs_dent_parse_buf: Parsing sector 953664 for dir 2
fatfs_dent_parse_buf: Parsing sector 953665 for dir 2
...
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 2 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 3 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 4 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 5 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 6 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 7 is invalid
...
fatfs_dent_parse_buf: Entry 2 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 3 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 4 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 5 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 6 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 7 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 8 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 9 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 10 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 11 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 12 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 13 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 14 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 15 is invalid
ext2fs_open: invalid magic
raw_read: byte offset: 1114112 len: 65536
raw_read: found in image 0 relative offset: 1114112 len: 65536
ufs_open: Trying 256KB UFS2 location
raw_read: byte offset: 1310720 len: 65536
raw_read: found in image 0 relative offset: 1310720 len: 65536
ufs_open: Trying UFS1 location
ufs_open: No UFS magic found
raw_read: byte offset: 20992 len: 65536
raw_read: found in image 0 relative offset: 20992 len: 65536
raw_read: byte offset: 2048 len: 65536
raw_read: found in image 0 relative offset: 2048 len: 65536
raw_read: byte offset: 156160 len: 65536
raw_read: found in image 0 relative offset: 156160 len: 65536
raw_read: byte offset: 291328 len: 65536
raw_read: found in image 0 relative offset: 291328 len: 65536
raw_read: byte offset: 426496 len: 65536
raw_read: found in image 0 relative offset: 426496 len: 65536
raw_read: byte offset: 561664 len: 65536
raw_read: found in image 0 relative offset: 561664 len: 65536
raw_read: byte offset: 696832 len: 65536
raw_read: found in image 0 relative offset: 696832 len: 65536
raw_read: byte offset: 832000 len: 65536
raw_read: found in image 0 relative offset: 832000 len: 65536
raw_read: byte offset: 967168 len: 65536
raw_read: found in image 0 relative offset: 967168 len: 65536
raw_read: byte offset: 1237504 len: 65536
raw_read: found in image 0 relative offset: 1237504 len: 65536
raw_read: byte offset: 1218560 len: 65536
raw_read: found in image 0 relative offset: 1218560 len: 65536
raw_read: byte offset: 1507840 len: 65536
raw_read: found in image 0 relative offset: 1507840 len: 65536
raw_read: byte offset: 1488896 len: 65536
raw_read: found in image 0 relative offset: 1488896 len: 65536
raw_read: byte offset: 1643008 len: 65536
raw_read: found in image 0 relative offset: 1643008 len: 65536
raw_read: byte offset: 1624064 len: 65536
raw_read: found in image 0 relative offset: 1624064 len: 65536
raw_read: byte offset: 1778176 len: 65536
raw_read: found in image 0 relative offset: 1778176 len: 65536
raw_read: byte offset: 1759232 len: 65536
raw_read: found in image 0 relative offset: 1759232 len: 65536
raw_read: byte offset: 1913344 len: 65536
raw_read: found in image 0 relative offset: 1913344 len: 65536
raw_read: byte offset: 1894400 len: 65536
raw_read: found in image 0 relative offset: 1894400 len: 65536
raw_read: byte offset: 2048512 len: 65536
raw_read: found in image 0 relative offset: 2048512 len: 65536
raw_read: byte offset: 2029568 len: 65536
raw_read: found in image 0 relative offset: 2029568 len: 65536
raw_read: byte offset: 2183680 len: 65536
raw_read: found in image 0 relative offset: 2183680 len: 65536
raw_read: byte offset: 2164736 len: 65536
raw_read: found in image 0 relative offset: 2164736 len: 65536
yaffsfs_open: could not find valid spare area format
See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration
iso9660_open img_info: 109129768252000 ftype: 2048 test: 1
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 16-byte pre-block size
fs_prepost_read: Mapped 32768 to 1086224
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 24-byte pre-block size
fs_prepost_read: Mapped 32768 to 1086232
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
iso9660_open: Error loading volume descriptor
Looking for System Volume Information
fatfs_dir_open_meta: Processing directory 2
tsk_fs_file_walk: Processing file 2
fatfs_make_data_runs: Processing file 2 in normal mode
fatfs_dir_open_meta: Parsing directory 2
...
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 7 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 8 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 9 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 10 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 11 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 12 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 13 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 14 is invalid
fatfs_is_83_name: name[0] is invalid
fatfs_dent_parse_buf: Entry 15 is invalid
raw_read: byte offset: 2164224 len: 65536
raw_read: found in image 0 relative offset: 2164224 len: 65536
raw_read: byte offset: 3996160 len: 65536
raw_read: found in image 0 relative offset: 3996160 len: 65536
raw_read: byte offset: 2856448 len: 65536
raw_read: found in image 0 relative offset: 2856448 len: 65536
raw_read: byte offset: 35628544 len: 65536
raw_read: found in image 0 relative offset: 35628544 len: 65536
raw_read: byte offset: 5415936 len: 65536
raw_read: found in image 0 relative offset: 5415936 len: 65536
raw_read: byte offset: 14822912 len: 65536
raw_read: found in image 0 relative offset: 14822912 len: 65536
raw_read: byte offset: 1212416 len: 65536
raw_read: found in image 0 relative offset: 1212416 len: 65536
raw_read: byte offset: 22561792 len: 65536
raw_read: found in image 0 relative offset: 22561792 len: 65536
Found it (System Volume Information), now looking for (null)
57
```

simsong commented 1 week ago

Thanks. Have you validated your compiled command on a fat32 file system image that is known to be good? Do you have the ability to share the file system? Are you sure that it is a fat32 file system?
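
One way to check what is being asked here before looking at ifind itself (is the volume at sector offset 2048 really FAT32, and does the `-d` sector fall inside its data area), as an added example that is not part of the issue or of TSK's code. The boot sector below is constructed: its field values are assumptions chosen so that the first data sector comes out as 953664, the root-directory sector in the logs above, and the `-d` value is assumed to be a sector address relative to the start of the file system.

```python
import struct

def parse_fat_bpb(bs: bytes) -> dict:
    """Derive FAT geometry from a 512-byte boot sector (BIOS Parameter Block)."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    # Offsets 11..23: bytes/sector, sectors/cluster, reserved sectors, FAT count,
    # root entries, 16-bit total sectors, media byte, 16-bit FAT size.
    bps, spc, reserved, nfats, root_ents, tot16, _media, fatsz16 = \
        struct.unpack_from("<HBHBHHBH", bs, 11)
    tot32, fatsz32 = struct.unpack_from("<II", bs, 32)  # used when the 16-bit fields are 0
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible sector or cluster size")
    total, fatsz = tot16 or tot32, fatsz16 or fatsz32
    root_dir_sectors = (root_ents * 32 + bps - 1) // bps  # 0 on FAT32
    first_data = reserved + nfats * fatsz + root_dir_sectors
    if nfats == 0 or fatsz == 0 or total <= first_data:
        raise ValueError("inconsistent BPB")
    clusters = (total - first_data) // spc
    # The FAT variant is defined by the cluster count, not by a label string.
    fs_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"fs_type": fs_type, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "first_data_sector": first_data,
            "clusters": clusters}

def locate_sector(geo: dict, sector: int):
    """Map a file-system-relative sector to (cluster, sector_in_cluster).

    Returns None for sectors that belong to no cluster (reserved area, FATs,
    FAT12/16 root directory, or the tail after the last whole cluster);
    raises ValueError if the sector lies outside the volume."""
    if not 0 <= sector < geo["total_sectors"]:
        raise ValueError("sector is outside the file system")
    rel = sector - geo["first_data_sector"]
    if rel < 0:
        return None
    index, within = divmod(rel, geo["sectors_per_cluster"])
    if index >= geo["clusters"]:
        return None
    return index + 2, within  # cluster numbering starts at 2

def constructed_boot_sector() -> bytes:
    """Constructed FAT32 boot sector (assumed values, not read from sda.img)."""
    bs = bytearray(512)
    # 512-byte sectors, 64 sectors/cluster, 32 reserved sectors, 2 FATs.
    struct.pack_into("<HBHBHHBH", bs, 11, 512, 64, 32, 2, 0, 0, 0xF8, 0)
    # 32-bit total sectors and FAT size in sectors (both assumed).
    struct.pack_into("<II", bs, 32, 3907027120, 476816)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

if __name__ == "__main__":
    # On a real image: open("sda.img", "rb"), seek(2048 * 512), read(512).
    geo = parse_fat_bpb(constructed_boot_sector())
    print(geo)
    print(locate_sector(geo, 1346236920))
```
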

mvasi90 commented 1 week ago

Note: I'm using Arch Linux. The compiled command is already compiled by the distro.

It is a 2TB partition, so the file system is vfat. But it works with the -n filename parameter and -f fat or -f fat32 or without -f.

As you can imagine I can't share the whole partition. It is too large. But if you want a partial image to test, I can share it.

simsong commented 6 days ago

2TB is too large for FAT32.

https://www.easeus.com/amp/partition-manager-software/fat32-partition-size-limit.html

mvasi90 commented 5 days ago

This is the default file system that came with the disk. I have kept it this way for compatibility with other multimedia devices.

Could this be the reason why it is impossible to obtain the inode of an allocated file, given the sectors it occupies?

simsong commented 5 days ago

Is this a commercial disk that you purchased?

On Wed, Sep 18, 2024 at 1:59 PM mvasi90 @.***> wrote:

This is the default file system that came with the disk. I have kept it this way for compatibility with other multimedia devices.


mvasi90 commented 4 days ago

Yes. I bought it about 10 or 12 years ago. (Verbatim 3.5" HDD)

I know you have a lot of work. Do not spend much time on this for now. I'm going to perform some tests on a loopback file these days.