tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

EWF support doesn't seem to work with segmented or compressed image files #480

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
EWF support doesn't seem to work with segmented or compressed image files

This may be more than one problem, or could be some sort of external 
dependency...

I tested with r3587, under the SIFT Kit 2.14rev2 VM.

Attempting to do a pslist on a segmented, max-compressed EWF image file 
(created using winen, from a Win7 x64 system with 8GB of RAM) using either the 
full path to the first segment, or path/filename.E* fails with the following 
traceback:

sansforensics@SIFT-Workstation:~/Desktop/volatility-read-only$ python vol.py  
--profile=Win7SP1x64 -f /mnt/hgfs/G/Desktop.E01 pslist
Volatility Foundation Volatility Framework 2.3.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  
Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ 
------ ------------------------------ ------------------------------
Traceback (most recent call last):
  File "vol.py", line 183, in <module>
    main()
  File "vol.py", line 174, in main
    command.execute()
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/commands.py", line 121, in execute
    func(outfd, data)
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/plugins/taskmods.py", line 140, in render_text
    for task in data:
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/win32/tasks.py", line 70, in pslist
    for p in get_kdbg(addr_space).processes():
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/win32/tasks.py", line 46, in get_kdbg
    kdbgo = obj.VolMagic(addr_space).KDBG.v()
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/obj.py", line 780, in v
    return self.get_best_suggestion()
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/obj.py", line 806, in get_best_suggestion
    for val in self.get_suggestions():
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/obj.py", line 798, in get_suggestions
    for x in self.generate_suggestions():
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/plugins/overlays/windows/windows.py", line 764, in generate_suggestions
    for val in scanner.scan(self.obj_vm):
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/plugins/kdbgscan.py", line 85, in scan
    for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/scan.py", line 95, in scan
    for (range_start, range_size) in sorted(address_space.get_available_addresses()):
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/plugins/addrspaces/paged.py", line 101, in get_available_addresses
    for (offset, size) in self.get_available_pages():
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/plugins/addrspaces/amd64.py", line 249, in get_available_pages
    pte_entry = self.read_long_long_phys(pte_curr)
  File "/home/sansforensics/Desktop/volatility-read-only/volatility/plugins/addrspaces/amd64.py", line 211, in read_long_long_phys
    (longlongval,) = struct.unpack('<Q', string)
struct.error: unpack requires a string argument of length 8
sansforensics@SIFT-Workstation:~/Desktop/volatility-read-only$ python vol.py  
--profile=Win7SP1x64 -f /mnt/hgfs/G/Desktop.E01 pslist

If I use FTK Imager to copy the same image into a single unsegmented 
max-compressed .E01 file, it fails similarly.

If I copy the same image to a dd-style flat file, it succeeds.

If I copy the image to an unsegmented E01 file, using 'fastest' compression, I 
get essentially the same failure as above.

But if I use FTK Imager to copy the image to an unsegmented E01 file, using 
'no' compression, it works correctly.

Finally, if I copy the file to a segmented but not compressed image, I fail 
with the following different error:

sansforensics@SIFT-Workstation:~/Desktop/volatility-read-only$ python vol.py  
--profile=Win7SP1x64 -f /mnt/hgfs/G/Desktop4.E01 pslist
Volatility Foundation Volatility Framework 2.3.1
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 EWFAddressSpace: No base address space provided
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareSnapshotFile: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 EWFAddressSpace - EXCEPTION: Unable to open ewf file
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareSnapshotFile: Invalid VMware signature: 0x9465645
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile Win7SP1x64 selected
 IA32PagedMemory: Incompatible profile Win7SP1x64 selected
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Profile does not have valid Address Space check

sansforensics@SIFT-Workstation:~/Desktop/volatility-read-only$ 

The ewf and zlib package versions on the 2.14rev2 SIFT Kit are as follows:

sansforensics@SIFT-Workstation:~/Desktop/volatility-read-only$ dpkg -l|grep -i 
ewf
rc  libewf                               20080501-1                             
    Library and tools to support the Expert Witn
ii  libewf-dbg                           20080501+debian-2                      
    support for Expert Witness Compression forma
ii  libewf-dev                           20080501+debian-2                      
    support for Expert Witness Compression forma
ii  libewf1                              20080501+debian-2                      
    support for Expert Witness Compression forma
sansforensics@SIFT-Workstation:~/Desktop/volatility-read-only$ dpkg -l|grep -i 
zlib
ii  zlib-bin                             1:1.2.3.3.dfsg-13ubuntu3               
    compression library - sample programs
ii  zlib1g                               1:1.2.3.3.dfsg-13ubuntu3               
    compression library - runtime
ii  zlib1g-dev                           1:1.2.3.3.dfsg-13ubuntu3               
    compression library - development
sansforensics@SIFT-Workstation:~/Desktop/volatility-read-only$ 

Original issue reported on code.google.com by johnmcca...@gmail.com on 19 Feb 2014 at 6:54
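The traceback above ends in struct.unpack('<Q', ...) receiving fewer than 8 bytes, which means the layer underneath the paged address space served a short read. The following is an added example, not Volatility's own code: a constructed in-memory stand-in for a physical image (ConstructedPhysicalSpace, read_long_long_phys_unchecked, read_long_long_phys_checked and classify_pte_reads are all names invented here) that shows the failing pattern next to a reader that checks the length first and reports the physical offset and whether it lies inside or beyond the media size ewfinfo declares, so a short read can be told apart from a genuine read past the end of the image.

```python
import struct

# Added example (not Volatility code). A tiny stand-in for a physical
# address space whose underlying reader can come back short, which is
# what the traceback shows: struct.unpack('<Q', ...) got fewer than 8
# bytes. The hardened reader checks the length and says exactly which
# physical offset could not be read and whether that offset sits inside
# the declared media size (image layer problem) or beyond it.


class ConstructedPhysicalSpace(object):
    """Constructed in-memory image. 'media_size' stands for the size
    ewfinfo reports; 'data' is what the image layer actually serves."""

    def __init__(self, data, media_size):
        self.data = data
        self.media_size = media_size

    def read(self, offset, length):
        # File-style semantics: a read that crosses the end returns a
        # short string instead of raising, like a truncated file object.
        return self.data[offset:offset + length]


def read_long_long_phys_unchecked(space, addr):
    """The failing pattern: unpack without verifying the read length."""
    string = space.read(addr, 8)
    (longlongval,) = struct.unpack('<Q', string)  # struct.error on a short read
    return longlongval


class ShortRead(Exception):
    """Raised when the image layer serves fewer bytes than requested."""


def read_long_long_phys_checked(space, addr):
    """Same read, but a short read becomes a diagnostic, not a crash."""
    string = space.read(addr, 8)
    got = 0 if string is None else len(string)
    if got != 8:
        if addr + 8 > space.media_size:
            where = "beyond declared media size"
        else:
            where = "inside declared media size"
        raise ShortRead("wanted 8 bytes at 0x%x, got %d (%s)" % (addr, got, where))
    return struct.unpack('<Q', string)[0]


def classify_pte_reads(space, pte_addrs):
    """Walk a list of PTE physical addresses. Returns (addr, value) for
    each readable entry and (addr, message) for each short read."""
    results = []
    for addr in pte_addrs:
        try:
            results.append((addr, read_long_long_phys_checked(space, addr)))
        except ShortRead as e:
            results.append((addr, str(e)))
    return results


if __name__ == "__main__":
    # Constructed image: 32 bytes served, but the declared size is 40.
    image = struct.pack('<4Q', 0x1, 0x2, 0x3, 0x4)
    space = ConstructedPhysicalSpace(image, media_size=40)
    for entry in classify_pte_reads(space, [0, 8, 28, 40]):
        print(entry)
```

Run against a real sample, the "inside declared media size" case is the one that points at the EWF layer: the declared media size says the bytes should exist, yet the layer did not serve them.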

GoogleCodeExporter commented 9 years ago
Not sure if this is the issue, but can you see if it sees the memory sample as 
RAM or a disk?  You can figure this out using EnCase or ewfinfo:

Memory sample saved as "disk":

$ ewfinfo [memory sample]

[snip]
Media information
    Media type:     fixed disk
[snip]

Memory sample saved as RAM:

[snip]
Media information
    Media type:     memory (RAM)
[snip]

Original comment by jamie.l...@gmail.com on 25 Feb 2014 at 8:36

GoogleCodeExporter commented 9 years ago
Media information
    Media type:     memory (RAM)
    Is physical:        yes
    Bytes per sector:   4096
    Number of sectors:  2221568
    Media size:     8.4 GiB (9099542528 bytes)

Original comment by johnmcca...@gmail.com on 26 Feb 2014 at 3:21

GoogleCodeExporter commented 9 years ago
Sorry for the delay.  Until we figure out what the issue is with the address 
space, you could, as a workaround, mount the memory files using xmount [1] and 
run volatility over the mounted file.  That should at least save you the 
conversion step.

[1] http://manpages.ubuntu.com/manpages/lucid/man1/xmount.1.html

Original comment by jamie.l...@gmail.com on 7 Mar 2014 at 4:16
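Before handing a segmented E01 set to xmount (or to an EWF address space), it is worth confirming that every segment file is present, carries the EWF signature, and that the segment numbers stored in the file headers run 1..N without a gap, since "Unable to open ewf file" above gives no hint which of those failed. The following is an added example, not part of Volatility, libewf or xmount; parse_segment_header, check_segment_set, write_constructed_segment and demo_sets are names invented here, and the sample files it writes are constructed headers, not real images. The 13-byte EWF-E01 file header layout it assumes (8-byte signature EVF\x09\x0d\x0a\xff\x00, a 0x01 start marker, a 2-byte little-endian segment number, a 0x0000 end marker) is taken from libewf's published EWF format documentation.

```python
import os
import struct
import tempfile

# Added example, not part of Volatility or libewf. Checks a segmented
# EWF-E01 set for presence, signature and consecutive segment numbers.
# Header layout assumed from libewf's EWF format documentation:
#   offset 0, 8 bytes : signature "EVF\x09\x0d\x0a\xff\x00"
#   offset 8, 1 byte  : start of fields, 0x01
#   offset 9, 2 bytes : segment number, little-endian
#   offset 11, 2 bytes: end of fields, 0x0000

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
HEADER_LEN = 13


def parse_segment_header(blob):
    """Return the segment number from the first 13 bytes of an EWF file,
    or raise ValueError saying why the header is not acceptable."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than the 13-byte EWF header")
    sig, start, segment, end = struct.unpack("<8sBHH", blob[:HEADER_LEN])
    if sig != EWF_SIGNATURE:
        raise ValueError("missing EWF signature")
    if start != 0x01 or end != 0x0000:
        raise ValueError("unexpected field markers 0x%02x/0x%04x" % (start, end))
    return segment


def check_segment_set(paths):
    """Check a list of segment file paths. Returns (ok, problems), where
    problems is a list of human-readable strings (empty when ok)."""
    problems = []
    found = []
    for path in paths:
        try:
            with open(path, "rb") as f:
                segment = parse_segment_header(f.read(HEADER_LEN))
        except (IOError, OSError, ValueError) as e:
            problems.append("%s: %s" % (os.path.basename(path), e))
            continue
        found.append(segment)
    expected = list(range(1, len(found) + 1))
    if sorted(found) != expected:
        problems.append("segment numbers %s do not form 1..%d"
                        % (sorted(found), len(found)))
    return (len(problems) == 0, problems)


def write_constructed_segment(directory, name, segment, signature=EWF_SIGNATURE):
    """Write a constructed file carrying only a header (enough for the check)."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(struct.pack("<8sBHH", signature, 0x01, segment, 0x0000))
        f.write(b"\x00" * 16)  # stand-in for the rest of the segment
    return path


def demo_sets():
    """Build constructed sets in a temp dir and return their check results:
    a complete 3-segment set, a set whose second file really carries
    segment 3 (a gap), a set with a missing file, and a bad signature."""
    d = tempfile.mkdtemp()
    good = [write_constructed_segment(d, "Desktop.E0%d" % i, i) for i in (1, 2, 3)]
    gap = [write_constructed_segment(d, "Gap.E01", 1),
           write_constructed_segment(d, "Gap.E02", 3)]
    missing = good + [os.path.join(d, "Desktop.E04")]
    bad = [write_constructed_segment(d, "Bad.E01", 1, signature=b"NOTEWF\x00\x00")]
    return {
        "good": check_segment_set(good),
        "gap": check_segment_set(gap),
        "missing": check_segment_set(missing),
        "bad": check_segment_set(bad),
    }


if __name__ == "__main__":
    for name, (ok, problems) in sorted(demo_sets().items()):
        print("%-8s ok=%s %s" % (name, ok, "; ".join(problems)))
```

On a real set, pass the segment files in order (for example sorted glob output of Desktop.E*); a clean result narrows the "Unable to open ewf file" message to the library or the address space rather than the files themselves.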

GoogleCodeExporter commented 9 years ago
merging ewf issues

Original comment by jamie.l...@gmail.com on 7 Mar 2014 at 4:48

GoogleCodeExporter commented 9 years ago
I do have workarounds. Was just reporting that the built-in functionality
didn't appear to work as advertised.

Original comment by johnmcca...@gmail.com on 10 Mar 2014 at 7:21