List:       sleuthkit-developers
Subject:    [sleuthkit-developers] Tsk_recover failure with ewf file
From:       Edward Diener <eldlistmailingz () tropicsoft ! com>
Date:       2016-07-22 15:55:40
Message-ID: 9d422897-5235-15af-aa64-172ba5beceb1 () tropicsoft ! com

The failure I am about to describe occurs on both TSK 4.2.0 and the 
recently released TSK 4.3.0 on Windows 8.1 using the binaries provided.

I use a program called FTK Imager Lite 3.1.1.8 from AccessData to create 
ewf images. If I create ewf images from a single logical drive, which 
naturally has a single file system, TSK and tsk_recover work fine. 
Instead my problem with TSK is when creating ewf images from a physical 
drive, which has a number of different file systems. In my example I 
create ewf images from a physical drive which has separate FAT32, NTFS, 
EXT3, and EXT4 with files in each logical partition. The FTK Imager Lite 
program creates the ewf image for me in the directory of my choice from 
the physical drive without any problems. I then run tsk_recover with the 
-v verbose option, passing the full path to the ewf image and the 
directory where I want the files to be put. The results of running 
tsk_recover are:

------------------------------------------------------------------------------------------------------------------------


E:\Utilities\sleuthkit-4.3.0-win32\bin>tsk_recover -v C:\Utilities\FTImages\PhysDrive\MyPhys.E01 C:\Utilities\TSKDirs\Rec1\Unallocated
tsk_img_open: Type: 0   NumImg: 1  Img1: C:\Utilities\FTImages\PhysDrive\MyPhys.E01
ewf_open: found 1 segment files via libewf_glob
Error opening vmdk file
Error checking file signature for vhd file
fsopen: Auto detection mode at offset 0
ewf_image_read: byte offset: 0 len: 65536
ntfs_open: invalid cluster size: 0
fatxxfs_open: Invalid sector size (23552)
exfatfs_get_fs_size_params: Invalid sector size base 2 logarithm (23552), not in range (9 - 12)
fatxxfs_open: Invalid sector size (23552)
ext2fs_open: invalid magic
ewf_image_read: byte offset: 65536 len: 65536
ufs_open: Trying 256KB UFS2 location
ewf_image_read: byte offset: 262144 len: 65536
ufs_open: Trying UFS1 location
ufs_open: No UFS magic found
ewf_image_read: byte offset: 156160 len: 65536
ewf_image_read: byte offset: 426496 len: 65536
ewf_image_read: byte offset: 561664 len: 65536
ewf_image_read: byte offset: 696832 len: 65536
ewf_image_read: byte offset: 832000 len: 65536
ewf_image_read: byte offset: 967168 len: 65536
ewf_image_read: byte offset: 1102336 len: 65536
ewf_image_read: byte offset: 1237504 len: 65536
ewf_image_read: byte offset: 1372672 len: 65536
ewf_image_read: byte offset: 1507840 len: 65536
ewf_image_read: byte offset: 1643008 len: 65536
ewf_image_read: byte offset: 1778176 len: 65536
ewf_image_read: byte offset: 1913344 len: 65536
ewf_image_read: byte offset: 2048512 len: 65536
ewf_image_read: byte offset: 2183680 len: 65536
ewf_image_read: byte offset: 2318848 len: 65536
ewf_image_read: byte offset: 2454016 len: 65536
ewf_image_read: byte offset: 2589184 len: 65536
ewf_image_read: byte offset: 2724352 len: 65536
ewf_image_read: byte offset: 2859520 len: 65536
ewf_image_read: byte offset: 2994688 len: 65536
ewf_image_read: byte offset: 3129856 len: 65536
ewf_image_read: byte offset: 3265024 len: 65536
ewf_image_read: byte offset: 3400192 len: 65536
ewf_image_read: byte offset: 3535360 len: 65536
ewf_image_read: byte offset: 3670528 len: 65536
ewf_image_read: byte offset: 3805696 len: 65536
ewf_image_read: byte offset: 3940864 len: 65536
ewf_image_read: byte offset: 4076032 len: 65536
ewf_image_read: byte offset: 4211200 len: 65536
ewf_image_read: byte offset: 4346368 len: 65536
ewf_image_read: byte offset: 4481536 len: 65536
ewf_image_read: byte offset: 4616704 len: 65536
ewf_image_read: byte offset: 4751872 len: 65536
ewf_image_read: byte offset: 4732928 len: 65536
ewf_image_read: byte offset: 4887040 len: 65536
ewf_image_read: byte offset: 5022208 len: 65536
ewf_image_read: byte offset: 5157376 len: 65536
ewf_image_read: byte offset: 5292544 len: 65536
ewf_image_read: byte offset: 5427712 len: 65536
ewf_image_read: byte offset: 5562880 len: 65536
ewf_image_read: byte offset: 5698048 len: 65536
ewf_image_read: byte offset: 5833216 len: 65536
ewf_image_read: byte offset: 5968384 len: 65536
ewf_image_read: byte offset: 6103552 len: 65536
ewf_image_read: byte offset: 6238720 len: 65536
ewf_image_read: byte offset: 6373888 len: 65536
ewf_image_read: byte offset: 6509056 len: 65536
ewf_image_read: byte offset: 6644224 len: 65536
ewf_image_read: byte offset: 6779392 len: 65536
ewf_image_read: byte offset: 6914560 len: 65536
ewf_image_read: byte offset: 7049728 len: 65536
ewf_image_read: byte offset: 7184896 len: 65536
ewf_image_read: byte offset: 7320064 len: 65536
ewf_image_read: byte offset: 7455232 len: 65536
ewf_image_read: byte offset: 7590400 len: 65536
ewf_image_read: byte offset: 7725568 len: 65536
ewf_image_read: byte offset: 7860736 len: 65536
ewf_image_read: byte offset: 7995904 len: 65536
ewf_image_read: byte offset: 8131072 len: 65536
ewf_image_read: byte offset: 8266240 len: 65536
ewf_image_read: byte offset: 8401408 len: 65536
ewf_image_read: byte offset: 8536576 len: 65536
ewf_image_read: byte offset: 8671744 len: 65536
ewf_image_read: byte offset: 8806912 len: 65536
ewf_image_read: byte offset: 8942080 len: 65536
ewf_image_read: byte offset: 9077248 len: 65536
ewf_image_read: byte offset: 9212416 len: 65536
ewf_image_read: byte offset: 9347584 len: 65536
ewf_image_read: byte offset: 9482752 len: 65536
ewf_image_read: byte offset: 9617920 len: 65536
ewf_image_read: byte offset: 9753088 len: 65536
ewf_image_read: byte offset: 9888256 len: 65536
ewf_image_read: byte offset: 10023424 len: 65536
ewf_image_read: byte offset: 10158592 len: 65536
ewf_image_read: byte offset: 10293760 len: 65536
ewf_image_read: byte offset: 10428928 len: 65536
ewf_image_read: byte offset: 10564096 len: 65536
ewf_image_read: byte offset: 10699264 len: 65536
ewf_image_read: byte offset: 10834432 len: 65536
ewf_image_read: byte offset: 10969600 len: 65536
ewf_image_read: byte offset: 11104768 len: 65536
ewf_image_read: byte offset: 11239936 len: 65536
ewf_image_read: byte offset: 11375104 len: 65536
ewf_image_read: byte offset: 11510272 len: 65536
ewf_image_read: byte offset: 11645440 len: 65536
ewf_image_read: byte offset: 11780608 len: 65536
ewf_image_read: byte offset: 11915776 len: 65536
ewf_image_read: byte offset: 12050944 len: 65536
ewf_image_read: byte offset: 12186112 len: 65536
ewf_image_read: byte offset: 12321280 len: 65536
ewf_image_read: byte offset: 12456448 len: 65536
ewf_image_read: byte offset: 12591616 len: 65536
ewf_image_read: byte offset: 12726784 len: 65536
ewf_image_read: byte offset: 12861952 len: 65536
ewf_image_read: byte offset: 12997120 len: 65536
ewf_image_read: byte offset: 13132288 len: 65536
ewf_image_read: byte offset: 13267456 len: 65536
ewf_image_read: byte offset: 13402624 len: 65536
ewf_image_read: byte offset: 13537792 len: 65536
ewf_image_read: byte offset: 13672960 len: 65536
ewf_image_read: byte offset: 13808128 len: 65536
ewf_image_read: byte offset: 13943296 len: 65536
ewf_image_read: byte offset: 14078464 len: 65536
ewf_image_read: byte offset: 14213632 len: 65536
ewf_image_read: byte offset: 14348800 len: 65536
ewf_image_read: byte offset: 14483968 len: 65536
ewf_image_read: byte offset: 14619136 len: 65536
ewf_image_read: byte offset: 14754304 len: 65536
ewf_image_read: byte offset: 14889472 len: 65536
ewf_image_read: byte offset: 15024640 len: 65536
ewf_image_read: byte offset: 15159808 len: 65536
ewf_image_read: byte offset: 15294976 len: 65536
ewf_image_read: byte offset: 15276032 len: 65536
ewf_image_read: byte offset: 15430144 len: 65536
ewf_image_read: byte offset: 15411200 len: 65536
ewf_image_read: byte offset: 15565312 len: 65536
ewf_image_read: byte offset: 15546368 len: 65536
ewf_image_read: byte offset: 15700480 len: 65536
ewf_image_read: byte offset: 15681536 len: 65536
ewf_image_read: byte offset: 15835648 len: 65536
ewf_image_read: byte offset: 15816704 len: 65536
ewf_image_read: byte offset: 15970816 len: 65536
ewf_image_read: byte offset: 15951872 len: 65536
ewf_image_read: byte offset: 16105984 len: 65536
ewf_image_read: byte offset: 16087040 len: 65536
ewf_image_read: byte offset: 16241152 len: 65536
ewf_image_read: byte offset: 16222208 len: 65536
ewf_image_read: byte offset: 16376320 len: 65536
ewf_image_read: byte offset: 16357376 len: 65536
yaffsfs_open: could not find valid spare area format
See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration
ewf_image_read: byte offset: 1024 len: 65536
iso9660_open img_info: 34734152 ftype: 2048 test: 1
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 16-byte pre-block size
fs_prepost_read: Mapped 32768 to 37648
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 24-byte pre-block size
fs_prepost_read: Mapped 32768 to 37656
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
iso9660_open: Error loading volume descriptor
Cannot determine file system type (Sector offset: 0)Files Recovered: 0

--------------------------------------------------------------------------------------------------------------------------------


Yet if I ask FTK Imager to show me the file in the ewf image, using its 
Add Evidence Item... functionality, it does indeed show me the files in 
the image without any errors.

Is TSK supposed to work with physical drives containing different file 
systems? If so, can anyone suggest how I can get TSK to work properly?

Eddie Diener
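
The log above shows file-system auto-detection running only at sector offset 0, which on a partitioned physical drive holds the partition table rather than a file system. As an added example (not part of the original message and not Sleuth Kit code), the following reads an MBR partition table and derives the per-partition sector offsets that tsk_recover accepts through its -o option. The sample sector, its layout and sizes, the function names and the part<N> output directories are constructed for illustration, and a 512-byte sector with an MBR (not GPT) table is assumed.

```python
import struct

# Partition types that hold no file system of their own (extended, GPT protective).
CONTAINER_TYPES = {0x05, 0x0F, 0xEE}


def parse_mbr(sector0: bytes):
    """Return (slot, type_byte, start_sector, sector_count) for each used primary slot."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot:446 + 16 * (slot + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((slot, ptype, start, count))
    return parts


def build_sample_mbr() -> bytes:
    """Constructed sector 0: FAT32, NTFS and two Linux partitions (made-up sizes)."""
    layout = [(0x0C, 2048), (0x07, 2099200), (0x83, 4196352), (0x83, 6293504)]
    sector = bytearray(512)
    for slot, (ptype, start) in enumerate(layout):
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * slot,
                         0, b"\0\0\0", ptype, b"\0\0\0", start, 2097152)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def recover_commands(parts, image, out_dir):
    """One tsk_recover call per partition, using -o <sector offset>."""
    return [f"tsk_recover -o {start} {image} {out_dir}\\part{slot}"
            for slot, ptype, start, _count in parts
            if ptype not in CONTAINER_TYPES]


if __name__ == "__main__":
    for cmd in recover_commands(parse_mbr(build_sample_mbr()),
                                r"C:\Utilities\FTImages\PhysDrive\MyPhys.E01",
                                r"C:\Utilities\TSKDirs\Rec1"):
        print(cmd)
```

The Sleuth Kit's own mmls tool prints the same partition layout directly from an image, so the parser here only makes the offset arithmetic visible.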
