[sleuthkit-users] sleuthkit/libewf problems
From: Donald M. <don...@ny...> - 2014-06-03 17:15:50
Hello,

I recently acquired a large (2 TB) disk image using FTK Imager. The image of an HFS+ drive is partitioned into 1.5gb segments and I had the compression set to 0 while it was imaging. There are over 1,200 segments that make up the image. The disk image loads into FTK fine and seems to be working great. I cannot get any of the Sleuthkit or EwfTools bins to work with the image though. I've created images of several smaller disk drives (60gb, 100gb, 160gb) and they all work fine with the bins. I'd like to know if there is something fundamentally wrong with the 2TB disk image.

I'm running the tools on a Fedora 20 machine with both libraries having been built from the sources.

Here's what the verbose output of *ewfinfo* looks like for the image.

    $ ewfinfo FA_MSS_343_1.E01
    ewfinfo 20140227

    Unable to open EWF file(s).
    libcfile_file_open_with_error_code: unable to open file: /mnt/staging/Fales/MSS/343/FA_MSS_343_1/FA_MSS_343_1.FJM with error: Too many open files
    libcfile_file_open: unable to open file.
    libbfio_file_open: unable to open file: /mnt/staging/Fales/MSS/343/FA_MSS_343_1/FA_MSS_343_1.FJM.
    libcfile_file_seek_offset: invalid file - missing descriptor.
    libbfio_file_seek_offset: unable to find offset in file: /mnt/staging/Fales/MSS/343/FA_MSS_343_1/FA_MSS_343_1.FJM.
    libbfio_handle_seek_offset: unable to find offset: -1 in handle.
    libbfio_pool_open_handle: unable to seek offset.
    libbfio_pool_seek_offset: unable to open entry: 1021.
    libewf_segment_file_read_file_header: unable to seek file header offset: 0.
    libewf_handle_open_file_io_pool: unable to read segment file header.
    libewf_handle_open: unable to open handle using a file IO pool.
    info_handle_open_input: unable to open file(s).
And the verbose output from *mmls*:

    $ mmls -V
    The Sleuth Kit ver 4.1.3

    $ mmls -v FA_MSS_343_1.E01
    tsk_img_open: Type: 0 NumImg: 1 Img1: FA_MSS_343_1.E01
    ewf_open: found 1273 segment files via libewf_glob
    Error opening EWF file
    tsk_img_findFiles: FA_MSS_343_1.E01 found
    tsk_img_findFiles: 1 total segments found
    raw_open: segment: 0 size: 1572786931 max offset: 1572786931 path: FA_MSS_343_1.E01
    dos_load_prim: Table Sector: 0
    raw_read: byte offset: 0 len: 65536
    raw_read: found in image 0 relative offset: 0 len: 65536
    raw_read_segment: opening file into slot 0: FA_MSS_343_1.E01
    File is not a DOS partition (invalid primary magic) (Sector: 0)
    bsd_load_table: Table Sector: 1
    gpt_load_table: Sector: 0
    gpt_open: Trying other sector sizes
    gpt_open: Trying sector size: 512
    gpt_load_table: Sector: 0
    gpt_open: Trying sector size: 1024
    gpt_load_table: Sector: 0
    gpt_open: Trying sector size: 2048
    gpt_load_table: Sector: 0
    gpt_open: Trying sector size: 4096
    gpt_load_table: Sector: 0
    gpt_open: Trying sector size: 8192
    gpt_load_table: Sector: 0
    sun_load_table: Trying sector: 0
    sun_load_table: Trying sector: 1
    mac_load_table: Sector: 1
    mac_load: Missing initial magic value
    mac_open: Trying 4096-byte sector size instead of 512-byte
    mac_load_table: Sector: 1
    mac_load: Missing initial magic value
    Cannot determine partition type

I'd be really curious to know what those more knowledgeable on both libewf and tsk would make of these outputs, hopefully I'm just doing something completely stupid.

Thanks,
Don
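The ewfinfo trace above stops at pool entry 1021, on the .FJM segment, with "Too many open files". The following is an added example, not part of the original post and not libewf or Sleuth Kit code: it maps a pool entry to its segment extension and checks a segment count against a file-descriptor limit. The function names are hypothetical; the E01..E99, EAA..EZZ, FAA.. naming order, the 1024 soft limit, and the three descriptors already in use are assumptions.

```python
import resource  # Unix-only: reads the per-process descriptor limit


def ewf_segment_extension(n):
    """Extension of the n-th (1-based) segment: E01..E99, EAA..EZZ, FAA.. (assumed order)."""
    if n < 1:
        raise ValueError("segment numbers start at 1")
    if n <= 99:
        return "E%02d" % n
    k = n - 100
    first = ord("E") + k // 676          # 26 * 26 names per leading letter
    if first > ord("Z"):
        raise ValueError("segment number beyond ZZZ")
    return chr(first) + chr(ord("A") + (k // 26) % 26) + chr(ord("A") + k % 26)


def first_unopenable_entry(segment_count, soft_limit, already_open=3):
    """0-based pool entry whose open() would fail with EMFILE, or None.

    Assumes one descriptor stays open per segment and that `already_open`
    descriptors (stdin, stdout, stderr) are in use before the first segment.
    """
    available = max(0, soft_limit - already_open)
    return available if segment_count > available else None


def report(segment_count, soft_limit):
    """One-line summary of whether the limit covers every segment."""
    entry = first_unopenable_entry(segment_count, soft_limit)
    if entry is None:
        return "limit %d covers all %d segments" % (soft_limit, segment_count)
    return "limit %d: open fails at pool entry %d (.%s), %d of %d segments opened" % (
        soft_limit, entry, ewf_segment_extension(entry + 1), entry, segment_count)


if __name__ == "__main__":
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft == resource.RLIM_INFINITY:
        soft = 2 ** 31                  # treat "unlimited" as a very large limit
    print(report(1273, 1024))           # segment count from the post, assumed 1024 limit
    print(report(1273, soft))           # this machine's actual soft limit
```

Under these assumptions the first line printed names pool entry 1021 and the .FJM segment, the same pair that appears in the trace. The soft limit of the current shell can be read and raised with `ulimit -n`.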