#223 TSK fails on image from Advance Format disk

[Josef Eklann]

Sleuthkit version: 4.3.0

Platform: Windows 8.1

Downloaded from this package:
https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-4.3.0/sleuthkit-4.3.0-win32.zip

Issue:
I have .e01 images that are taken from disks with the so called "Advanced Format" (See https://en.wikipedia.org/wiki/Advanced_Format), and I suspect that something relating to the sector size makes TSK fail.

The image that I am using to reproduce this is taken from a WD3003FZEX drive that was partitioned to trigger this behavior, and I would be happy to share the image files (totalling about 5.1GiB) if you would like it to reproduce. I should however mention that there are other images that triggers this behavior that I do not have access to, and they have very similar mmls output.

If I run mmls on the image, this is the output:

> mmls.exe Image.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0732564062   0732564000   NTFS / exFAT (0x07)
003:  -------   0732564063   5860533167   5127969105   Unallocated

If I run fls on the image, this is the output:

> fls.exe -o 63 Image.E01
Cannot determine file system type

The result is exactly the same if I add the parameter "-b 4096"

It seems that I can not read any files in the filesystem with TSK at all. All I can successfully do is to see the partition table - which might be false, since the sector size seems to be reported as 512.

I suspect that there might be a bug in TSK that makes images taken of disks with "Advanced Format" fail, at least under some circumstances. For example the offset of the first partition is not very well aligned.

If you would like me to send you the image that reproduces this behavior please respond to this ticket.