Re: [sleuthkit-users] bug in sleuthkit with sectorsize of 1024 bytes
From: Brian C. <ca...@sl...> - 2010-01-25 22:03:16
Hi Simson,

It looks like the data is not aligned on 1024-byte boundaries and is instead using 512-byte sectors. To use sectors other than 512, you need to give 'fls' the '-b' argument. If it is working without that argument, then it is using 512 and it seems to be happy with that. Note that the partition table does not define a sector size and 'fls' finds the file system when it assumes the 512-byte sector size.

Is there an API call for TSK to get the sector size from an AFF file? I tried to find one, but couldn't. So, currently, it assumes 512 unless it is told otherwise.

With respect to the fallback to 512 if the non-512 fails, that is what I added for the Mac partition code because the iPods have a 4096-byte sector (as you reported). So, it tries both before it fails.

brian

On Jan 25, 2010, at 4:05 PM, Simson Garfinkel (CIV) wrote:

> Brian,
>
> I have a disk called terry-2009-12-10.aff.
>
> This disk has a 1024-byte sector size.
>
> We imaged it to an AFF file that also has a 1024-byte sector size.
>
> mmls says:
> $ mmls /Volumes/Slim/m57/disks/terry-2009-12-10.aff
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000000   0000002047   0000002048   Unallocated
> 02:  00:00   0000002048   0080289791   0080287744   NTFS (0x07)
> 03:  -----   0080289792   0080293247   0000003456   Unallocated
> 12:07 domex:~/domex/src/fiwalk$
>
>
> fls says:
> 12:07 domex:~/domex/src/fiwalk$ fls -o 2048 /Volumes/Slim/m57/disks/terry-2009-12-10.aff
> r/r 3-128-3:    $Volume
> r/r 4-128-4:    $AttrDef
> d/d 47639-144-1:        $AVG
> r/r 8-128-2:    $BadClus
> r/r 8-128-1:    $BadClus:$Bad
> r/r 6-128-1:    $Bitmap
> r/r 7-128-1:    $Boot
> d/d 11-144-4:   $Extend
> r/r 2-128-1:    $LogFile
> r/r 0-128-1:    $MFT
> r/r 1-128-1:    $MFTMirr
> d/d 59-144-1:   $Recycle.Bin
> r/r 9-144-16:   $Secure:$SDH
> r/r 9-144-18:   $Secure:$SII
> r/r 9-128-0:    $Secure:$SDS
> r/r 10-128-1:   $UpCase
> r/- * 0:        $Volume
> d/- * 0:        $WINDOWS.~BT
> d/r * 45-128-4: $WINDOWS.~LS
> r/r 8559-128-1: autoexec.bat
> d/d 46689-144-5:        Boot
> r/d * 46739-144-1(realloc):     bootmgr
> r/r 46750-128-3:        BOOTSECT.BAK
> r/r 8560-128-1: config.sys
> d/d 8563-144-1: Documents and Settings
> d/d 60-144-1:   PerfLogs
> d/d 62-144-6:   Program Files
> d/d 236-144-6:  ProgramData
> d/d 46762-144-6:        System Volume Information
> d/d 312-144-5:  Users
> d/d 456-144-8:  Windows
> r/r * 56-128-4(realloc):        WinPEpge.sys
> r/r 16321-128-1:        bootmgr
> d/d 48059-144-1:        dell
> r/r 49-128-1:   hiberfil.sys
> r/r 46764-128-1:        pagefile.sys
> d/d 78828-144-5:        Python26
> d/d 100288:     $OrphanFiles
> 12:07 domex:~/domex/src/fiwalk$
>
> Sector size is 1024 bytes.
>
> $ afinfo /Volumes/Slim/m57/disks/terry-2009-12-10.aff | grep sectorsize
> sectorsize      1024    0
>
>
> tsk_fs_open_img fails in fiwalk but not in fls. After extensive debugging I determined that this is because the sector size in fls is set to 512 bytes in the *img_info structure, while in fiwalk it is correctly set to 1024 bytes....
>
> fiwalk:
>
>     /* Try it as a file system */
>     if ((fs_info = tsk_fs_open_img(img_info, start, TSK_FS_TYPE_DETECT)) == NULL) {
>         comment("TSK_Error '%s' at sector %"PRIuDADDR" offset %"PRIuDADDR,
>                 tsk_error_get(),start/sector_size,start);
>         /* We could do some carving on the volume data at this point */
>         return -1;
>     }
>
> # TSK_Error 'Cannot determine file system type' at sector 2048 offset 2097152
>
>
> img_info:
>
> (gdb) p *img_info
> $2 = {
>   itype = TSK_IMG_TYPE_AFF_AFF,
>   size = 41110142976,
>   sector_size = 1024,
>   cache = {"\001\000esources_31bf3856ad364e35_tr-tr_ad48d73a11cc78bc\\6.0\" name=\"6.0.6002.18156\" type=\"0x00000003\
> \" encoding=\"base64\" value=\"AQ==\"/>\n <CreateKey path=\"\\Registry\\Machine\\COMPONENTS\\Winners\\x86_micr\
> o"..., "\001\00055e1_31bf3856ad364e35_6.0.6000.16942_12a3673458a9bb3c\" type=\"0x00000003\" encoding=\"base64\" value\
> =\"\"/>\n <SetKeyValue path=\"\\Registry\\Machine\\COMPONENTS\\ServicingStackVersions\" name=\"6.0.6002.1"...,\
> "\001\000/>\n <HardlinkFile source=\"\\SystemRoot\\WinSxS\\x86_microsoft-windows-oleaccrc.resources_31bf3856a\
> d364e35_6.0.6002.18156_pt-br_03ab633e6087af09\\oleaccrc.dll.mui\" destination=\"\\??\\C:\\Windows\\Syst"..., "3\300\2\
> 16\320\274\000|\216\300\216\330\276\000|\277\000\006\271\000\002\374\363\244Ph\034\006\313\373\271\004\000\275\276\a\200~\000\000|\v\017\205\020\001\203\305\020\342\361\315\030\210V\000U\306F\021\005\306F\020\000\264A\273\252U\315\023]r\017\201\373U\252u\t\367\301\001\000t\003\376F\020f`\200~\020\000t&fh\000\000\000\000f\377v\bh\000\000h\000|h\001\000h\020\000\264B\212V\000\213\364\315\023\237\203\304\020\236\353\024\270\001\002\273\000|\212V\000\212v\001\212N\002\212n\003\315\023fas\036\376N\021\017\205\f\000\200~\000\200\017\204\212\000\262\200\353\202U2\344\212V\000\315\023]\353\234\201>\376}U\252un\377v\000"...},
>   cache_off = {2359296, 2162688, 2097152, 0},
>   cache_age = {997, 996, 1000, 992},
>   cache_len = {65536, 65536, 65536, 65536},
>   read = 0x1002fa20f <aff_read>,
>   close = 0x1002fac40 <aff_close>,
>   imgstat = 0x1002fa499 <aff_imgstat>
> }
> (gdb)
>
>
> Here is the calling sequence in fiwalk:
>
> =>   if ((fs_info = tsk_fs_open_img(img_info, start, TSK_FS_TYPE_DETECT)) == NULL) {
>
> (gdb) p img_info->sector_size
> $9 = 1024
> (gdb) p start
> $10 = 2097152
> (gdb)
>
>
> And here is the calling sequence in fls:
>
> =>   if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
>
>
> (gdb) p img->sector_size
> $7 = 512
> (gdb) p imgaddr*img->sector_size
> $8 = 1048576
> (gdb) p fstype
> $9 = TSK_FS_TYPE_DETECT
> (gdb)
>
> Notice that the sector_size is set to 512.
>
> (gdb) p *img
> $10 = {
>   itype = TSK_IMG_TYPE_AFF_AFF,
>   size = 41110142976,
>   sector_size = 512,
>   cache = {'\0' <repeats 65535 times>, '\0' <repeats 65535 times>, '\0' <repeats 65535 times>, '\0' <repeats 65535 times>},
>   cache_off = {0, 0, 0, 0},
>   cache_age = {0, 0, 0, 0},
>   cache_len = {0, 0, 0, 0},
>   read = 0x100003c20 <aff_read>,
>   close = 0x100003bf0 <aff_close>,
>   imgstat = 0x1000035c0 <aff_imgstat>
> }
> (gdb)
>
>
> It may be that Windows was interpreting this disk as having a 512-byte sector size even though the hardware says 1024 bytes. However, the disk clearly has a sector size of 1024, because otherwise we wouldn't be able to find the partition.
>
> We have the physical disk and the disk images.
>
> I will be modifying fiwalk so that if opening a file system with a sector size something other than 512 fails, it falls back to 512 bytes. Is there a better approach?
>
> I haven't gone through fls to see if it tries a 512-byte sector size if the non-512-byte fails. However, if such code exists, it should be in tsk_fs_open_img...
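The arithmetic behind the two results in the thread, as an added example that is neither TSK nor fiwalk code: mmls prints partition offsets in 512-byte units whatever the container claims, so fls turns sector 2048 into byte 1048576 (2048 * 512) and finds the NTFS boot sector, while fiwalk multiplied by the AFF's 1024 and probed byte 2097152, where there is nothing to find. The program below implements the fallback Simson proposes (try the image's own sector size, then 512) against a constructed in-memory image that stands in for the AFF, and probes only for an NTFS boot sector rather than running TSK's full TSK_FS_TYPE_DETECT; the image layout, the 4 MiB size and the helper names are assumptions for the example. It also reads the bytes-per-sector field from the NTFS BIOS Parameter Block (offset 0x0B of the boot sector), which records the sector size the volume was formatted with and is the quickest way to see whether Windows treated a 1024-byte-sector disk as a 512-byte one.

```c
/* Added example (not TSK or fiwalk code): "try the image's sector size, then
 * fall back to 512" when resolving an mmls start sector to a byte offset.
 * The in-memory buffer stands in for the AFF image (assumption); the probe
 * only checks for an NTFS boot sector, a tiny stand-in for TSK_FS_TYPE_DETECT. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MMLS_UNIT       512u   /* mmls prints Start/End in 512-byte units ("Units are in 512-byte sectors") */
#define FALLBACK_SECTOR 512u   /* the size fls assumes unless -b says otherwise */

typedef struct {
    uint8_t *data;
    size_t   size;
    unsigned sector_size;      /* what the container claims, e.g. 1024 from afinfo */
} img_t;

/* Probe for an NTFS boot sector at byte offset off.  Returns the
 * bytes-per-sector value the volume was formatted with (BPB offset 0x0B,
 * little-endian), or 0 if no NTFS boot sector is there.  That field, not
 * the container's sectorsize, is what the file-system layout is based on. */
unsigned ntfs_probe(const img_t *img, uint64_t off)
{
    if (off > img->size || img->size - off < 512)
        return 0;
    const uint8_t *b = img->data + off;
    if (memcmp(b + 3, "NTFS    ", 8) != 0)      /* OEM ID */
        return 0;
    if (b[510] != 0x55 || b[511] != 0xAA)       /* boot signature */
        return 0;
    return (unsigned)b[11] | ((unsigned)b[12] << 8);
}

/* Resolve an mmls start sector to a byte offset: first with the image's own
 * sector size, then with 512.  On success the sector size that worked is
 * stored in *used and the byte offset is returned; UINT64_MAX means neither
 * candidate had a file system. */
uint64_t fs_offset_with_fallback(const img_t *img, uint64_t start_sector, unsigned *used)
{
    unsigned cand[2] = { img->sector_size, FALLBACK_SECTOR };
    int n = (cand[0] == cand[1]) ? 1 : 2;       /* no point probing the same offset twice */
    for (int i = 0; i < n; i++) {
        uint64_t off = start_sector * cand[i];
        if (ntfs_probe(img, off)) {
            *used = cand[i];
            return off;
        }
    }
    return UINT64_MAX;
}

/* Constructed image: zero-filled, with a minimal NTFS boot sector at byte
 * 2048 * 512 = 1048576, i.e. where mmls's partition 02 actually starts. */
img_t *make_test_image(unsigned claimed_sector_size)
{
    img_t *img = calloc(1, sizeof *img);
    if (!img) return NULL;
    img->size = 4u << 20;                       /* 4 MiB covers both candidate offsets */
    img->data = calloc(img->size, 1);
    if (!img->data) { free(img); return NULL; }
    img->sector_size = claimed_sector_size;
    uint8_t *b = img->data + 2048 * MMLS_UNIT;
    b[0] = 0xEB; b[1] = 0x52; b[2] = 0x90;      /* jmp short + nop, as NTFS writes it */
    memcpy(b + 3, "NTFS    ", 8);
    b[11] = 0x00; b[12] = 0x02;                 /* 512 bytes per sector: the volume was formatted for 512 */
    b[13] = 8;                                  /* sectors per cluster */
    b[510] = 0x55; b[511] = 0xAA;
    return img;
}

void free_test_image(img_t *img)
{
    if (img) { free(img->data); free(img); }
}

int main(void)
{
    img_t *img = make_test_image(1024);         /* container claims 1024, like the AFF in the thread */
    if (!img) return 1;
    unsigned used = 0;
    uint64_t off = fs_offset_with_fallback(img, 2048, &used);
    if (off == UINT64_MAX)
        printf("no file system found at sector 2048 with %u or %u-byte sectors\n",
               img->sector_size, FALLBACK_SECTOR);
    else
        printf("file system at byte %llu (used %u-byte sectors; volume BPB says %u bytes/sector)\n",
               (unsigned long long)off, used, ntfs_probe(img, off));
    free_test_image(img);
    return 0;
}
```

With the container claiming 1024 the first probe lands at byte 2097152 and misses, exactly the "Cannot determine file system type ... offset 2097152" case above; the 512 retry lands at 1048576 and succeeds, and the BPB reports 512 bytes per sector, which is the evidence that the volume was formatted with 512-byte sectors regardless of what the hardware or the AFF header says. The same check applies to a real image by reading 512 bytes at the candidate offset with `dd` or the TSK image API before deciding which sector size to pass to `fls -b`.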