Tsk_recover failure with ewf file


Tsk_recover failure with ewf file

Edward Diener
The failure I am about to describe occurs on both TSK 4.2.0 and the
recently released TSK 4.3.0 on Windows 8.1 using the binaries provided.

I use a program called FTK Imager Lite 3.1.1.8 from AccessData to create
ewf images. If I create ewf images from a single logical drive, which
naturally has a single file system, TSK and tsk_recover work fine.
Instead my problem with TSK is when creating ewf images from a physical
drive, which has a number of different file systems. In my example I
create ewf images from a physical drive which has separate FAT32, NTFS,
EXT3, and EXT4 with files in each logical partition. The FTK Imager Lite
program creates the ewf image for me in the directory of my choice from
the physical drive without any problems. I then run tsk_recover with the
-v verbose option, passing the full path to the ewf image and the
directory where I want the files to be put. The results of running
tsk_recover are:

------------------------------------------------------------------------------------------------------------------------

E:\Utilities\sleuthkit-4.3.0-win32\bin>tsk_recover -v
C:\Utilities\FTImages\PhysDrive\MyPhys.E01
C:\Utilities\TSKDirs\Rec1\Unallocated
tsk_img_open: Type: 0   NumImg: 1  Img1:
C:\Utilities\FTImages\PhysDrive\MyPhys.E01
ewf_open: found 1 segment files via libewf_glob
Error opening vmdk file
Error checking file signature for vhd file
fsopen: Auto detection mode at offset 0
ewf_image_read: byte offset: 0 len: 65536
ntfs_open: invalid cluster size: 0
fatxxfs_open: Invalid sector size (23552)
exfatfs_get_fs_size_params: Invalid sector size base 2 logarithm
(23552), not in
  range (9 - 12)
fatxxfs_open: Invalid sector size (23552)
ext2fs_open: invalid magic
ewf_image_read: byte offset: 65536 len: 65536
ufs_open: Trying 256KB UFS2 location
ewf_image_read: byte offset: 262144 len: 65536
ufs_open: Trying UFS1 location
ufs_open: No UFS magic found
ewf_image_read: byte offset: 156160 len: 65536
ewf_image_read: byte offset: 426496 len: 65536
ewf_image_read: byte offset: 561664 len: 65536
ewf_image_read: byte offset: 696832 len: 65536
ewf_image_read: byte offset: 832000 len: 65536
ewf_image_read: byte offset: 967168 len: 65536
ewf_image_read: byte offset: 1102336 len: 65536
ewf_image_read: byte offset: 1237504 len: 65536
ewf_image_read: byte offset: 1372672 len: 65536
ewf_image_read: byte offset: 1507840 len: 65536
ewf_image_read: byte offset: 1643008 len: 65536
ewf_image_read: byte offset: 1778176 len: 65536
ewf_image_read: byte offset: 1913344 len: 65536
ewf_image_read: byte offset: 2048512 len: 65536
ewf_image_read: byte offset: 2183680 len: 65536
ewf_image_read: byte offset: 2318848 len: 65536
ewf_image_read: byte offset: 2454016 len: 65536
ewf_image_read: byte offset: 2589184 len: 65536
ewf_image_read: byte offset: 2724352 len: 65536
ewf_image_read: byte offset: 2859520 len: 65536
ewf_image_read: byte offset: 2994688 len: 65536
ewf_image_read: byte offset: 3129856 len: 65536
ewf_image_read: byte offset: 3265024 len: 65536
ewf_image_read: byte offset: 3400192 len: 65536
ewf_image_read: byte offset: 3535360 len: 65536
ewf_image_read: byte offset: 3670528 len: 65536
ewf_image_read: byte offset: 3805696 len: 65536
ewf_image_read: byte offset: 3940864 len: 65536
ewf_image_read: byte offset: 4076032 len: 65536
ewf_image_read: byte offset: 4211200 len: 65536
ewf_image_read: byte offset: 4346368 len: 65536
ewf_image_read: byte offset: 4481536 len: 65536
ewf_image_read: byte offset: 4616704 len: 65536
ewf_image_read: byte offset: 4751872 len: 65536
ewf_image_read: byte offset: 4732928 len: 65536
ewf_image_read: byte offset: 4887040 len: 65536
ewf_image_read: byte offset: 5022208 len: 65536
ewf_image_read: byte offset: 5157376 len: 65536
ewf_image_read: byte offset: 5292544 len: 65536
ewf_image_read: byte offset: 5427712 len: 65536
ewf_image_read: byte offset: 5562880 len: 65536
ewf_image_read: byte offset: 5698048 len: 65536
ewf_image_read: byte offset: 5833216 len: 65536
ewf_image_read: byte offset: 5968384 len: 65536
ewf_image_read: byte offset: 6103552 len: 65536
ewf_image_read: byte offset: 6238720 len: 65536
ewf_image_read: byte offset: 6373888 len: 65536
ewf_image_read: byte offset: 6509056 len: 65536
ewf_image_read: byte offset: 6644224 len: 65536
ewf_image_read: byte offset: 6779392 len: 65536
ewf_image_read: byte offset: 6914560 len: 65536
ewf_image_read: byte offset: 7049728 len: 65536
ewf_image_read: byte offset: 7184896 len: 65536
ewf_image_read: byte offset: 7320064 len: 65536
ewf_image_read: byte offset: 7455232 len: 65536
ewf_image_read: byte offset: 7590400 len: 65536
ewf_image_read: byte offset: 7725568 len: 65536
ewf_image_read: byte offset: 7860736 len: 65536
ewf_image_read: byte offset: 7995904 len: 65536
ewf_image_read: byte offset: 8131072 len: 65536
ewf_image_read: byte offset: 8266240 len: 65536
ewf_image_read: byte offset: 8401408 len: 65536
ewf_image_read: byte offset: 8536576 len: 65536
ewf_image_read: byte offset: 8671744 len: 65536
ewf_image_read: byte offset: 8806912 len: 65536
ewf_image_read: byte offset: 8942080 len: 65536
ewf_image_read: byte offset: 9077248 len: 65536
ewf_image_read: byte offset: 9212416 len: 65536
ewf_image_read: byte offset: 9347584 len: 65536
ewf_image_read: byte offset: 9482752 len: 65536
ewf_image_read: byte offset: 9617920 len: 65536
ewf_image_read: byte offset: 9753088 len: 65536
ewf_image_read: byte offset: 9888256 len: 65536
ewf_image_read: byte offset: 10023424 len: 65536
ewf_image_read: byte offset: 10158592 len: 65536
ewf_image_read: byte offset: 10293760 len: 65536
ewf_image_read: byte offset: 10428928 len: 65536
ewf_image_read: byte offset: 10564096 len: 65536
ewf_image_read: byte offset: 10699264 len: 65536
ewf_image_read: byte offset: 10834432 len: 65536
ewf_image_read: byte offset: 10969600 len: 65536
ewf_image_read: byte offset: 11104768 len: 65536
ewf_image_read: byte offset: 11239936 len: 65536
ewf_image_read: byte offset: 11375104 len: 65536
ewf_image_read: byte offset: 11510272 len: 65536
ewf_image_read: byte offset: 11645440 len: 65536
ewf_image_read: byte offset: 11780608 len: 65536
ewf_image_read: byte offset: 11915776 len: 65536
ewf_image_read: byte offset: 12050944 len: 65536
ewf_image_read: byte offset: 12186112 len: 65536
ewf_image_read: byte offset: 12321280 len: 65536
ewf_image_read: byte offset: 12456448 len: 65536
ewf_image_read: byte offset: 12591616 len: 65536
ewf_image_read: byte offset: 12726784 len: 65536
ewf_image_read: byte offset: 12861952 len: 65536
ewf_image_read: byte offset: 12997120 len: 65536
ewf_image_read: byte offset: 13132288 len: 65536
ewf_image_read: byte offset: 13267456 len: 65536
ewf_image_read: byte offset: 13402624 len: 65536
ewf_image_read: byte offset: 13537792 len: 65536
ewf_image_read: byte offset: 13672960 len: 65536
ewf_image_read: byte offset: 13808128 len: 65536
ewf_image_read: byte offset: 13943296 len: 65536
ewf_image_read: byte offset: 14078464 len: 65536
ewf_image_read: byte offset: 14213632 len: 65536
ewf_image_read: byte offset: 14348800 len: 65536
ewf_image_read: byte offset: 14483968 len: 65536
ewf_image_read: byte offset: 14619136 len: 65536
ewf_image_read: byte offset: 14754304 len: 65536
ewf_image_read: byte offset: 14889472 len: 65536
ewf_image_read: byte offset: 15024640 len: 65536
ewf_image_read: byte offset: 15159808 len: 65536
ewf_image_read: byte offset: 15294976 len: 65536
ewf_image_read: byte offset: 15276032 len: 65536
ewf_image_read: byte offset: 15430144 len: 65536
ewf_image_read: byte offset: 15411200 len: 65536
ewf_image_read: byte offset: 15565312 len: 65536
ewf_image_read: byte offset: 15546368 len: 65536
ewf_image_read: byte offset: 15700480 len: 65536
ewf_image_read: byte offset: 15681536 len: 65536
ewf_image_read: byte offset: 15835648 len: 65536
ewf_image_read: byte offset: 15816704 len: 65536
ewf_image_read: byte offset: 15970816 len: 65536
ewf_image_read: byte offset: 15951872 len: 65536
ewf_image_read: byte offset: 16105984 len: 65536
ewf_image_read: byte offset: 16087040 len: 65536
ewf_image_read: byte offset: 16241152 len: 65536
ewf_image_read: byte offset: 16222208 len: 65536
ewf_image_read: byte offset: 16376320 len: 65536
ewf_image_read: byte offset: 16357376 len: 65536
yaffsfs_open: could not find valid spare area format
See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2
configuration
ewf_image_read: byte offset: 1024 len: 65536
iso9660_open img_info: 34734152 ftype: 2048 test: 1
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 16-byte pre-block size
fs_prepost_read: Mapped 32768 to 37648
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 24-byte pre-block size
fs_prepost_read: Mapped 32768 to 37656
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
iso9660_open: Error loading volume descriptor
Cannot determine file system type (Sector offset: 0)Files Recovered: 0

--------------------------------------------------------------------------------------------------------------------------------

Yet if I ask FTK Imager to show me the file in the ewf image, using its
Add Evidence Item... functionality, it does indeed show me the files in
the image without any errors.

Is TSK supposed to work with physical drives containing different file
systems? If so, can anyone suggest how I can get TSK to work properly?

Eddie Diener

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: Tsk_recover failure with ewf file

Grundy Barry J TIGTA
Eddie,

Are you providing tsk_recover with an offset to the filesystem? You have to tell the tool which partition (filesystem) you are interested in. Have a look at the '--help' output for more info on the syntax.

If you run mmls from TSK on the ewf first, it will show you the partitions in the image and the offset (in sectors) to the partition within the physical image. Use this in your tsk_recover command.

/*******************************************
Barry J. Grundy
Assistant Special Agent in Charge
Digital Forensic Support Group
Treasury Inspector General for Tax Administration
(301) 210-8741 (desk)
(202) 527-5778 (cell)
[hidden email]
********************************************\


> -----Original Message-----
> From: Edward Diener [mailto:[hidden email]]
> Sent: Friday, July 22, 2016 11:54 AM
> To: [hidden email]
> Subject: [sleuthkit-users] Tsk_recover failure with ewf file
>

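To apply Barry's advice across every partition in the image, here is an added example (not code from this thread or from The Sleuth Kit itself): a POSIX shell script that parses `mmls` output, skips the Meta and Unallocated entries, and runs `tsk_recover -o <start sector>` once per file system, each into its own output directory. The `mmls` listing embedded in the script is constructed to look like a three-partition DOS table so the parsing can be exercised offline; it is not output from the image in the thread, and the image and directory names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from The Sleuth Kit): recover files
# from every partition of a physical-drive E01 by running tsk_recover once
# per partition with the start sector that mmls reports.
#
# Real usage (needs mmls and tsk_recover on PATH; paths are placeholders):
#   sh recover_all.sh MyPhys.E01 Rec1

# Constructed mmls listing used to exercise the parser offline. It imitates a
# DOS partition table with FAT32, NTFS and Linux partitions; it is not output
# from the image discussed in the thread.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Win95 FAT32 (0x0b)
003:  000:001   0000206848   0000411647   0000204800   NTFS / exFAT (0x07)
004:  000:002   0000411648   0000616447   0000204800   Linux (0x83)
005:  -------   0000616448   0000616511   0000000064   Unallocated'

# Read mmls output on stdin and print "start_sector entry description" for each
# entry that can hold a file system. "Meta" rows are partition-table structures
# and "-------" rows are unallocated gaps; neither has a boot sector to open.
fs_partitions() {
    awk '$1 ~ /^[0-9]+:$/ && $2 != "Meta" && $2 != "-------" {
        start = $3 + 0                      # strip leading zeros
        desc = $6
        for (i = 7; i <= NF; i++) desc = desc " " $i
        printf "%d %s %s\n", start, substr($1, 1, length($1) - 1), desc
    }'
}

# Build (but do not run) one tsk_recover command per partition, so the plan can
# be reviewed first. -o is the start sector in the units mmls reported; each
# partition gets its own subdirectory so recovered files never collide.
# Add -e to recover allocated files too; the default is unallocated files only.
recover_cmds() {
    image=$1
    outdir=$2
    fs_partitions | while read -r start entry desc; do
        printf 'tsk_recover -o %s %s %s/p%s\n' "$start" "$image" "$outdir" "$entry"
    done
}

# Run the plan against a real image: mmls lists the partitions, then
# tsk_recover is pointed at each one by its start sector.
recover_all() {
    image=$1
    outdir=$2
    mmls "$image" | fs_partitions | while read -r start entry desc; do
        echo "entry $entry at sector $start: $desc"
        mkdir -p "$outdir/p$entry"
        tsk_recover -o "$start" "$image" "$outdir/p$entry"
    done
}

# Only act when an image and an output directory are given on the command line.
if [ $# -eq 2 ]; then
    recover_all "$1" "$2"
fi
```

The `fsopen: Auto detection mode at offset 0` and `Cannot determine file system type (Sector offset: 0)` lines in the verbose log above are what the tool prints when it is handed the partition table at sector 0 instead of a partition; with `-o` set to a start sector from `mmls`, each file system detector is given a real boot sector or superblock to test. The `-o` value must be in the sector units `mmls` reports ("Units are in 512-byte sectors" in the sample), and `tsk_recover` without `-e` extracts unallocated files only, which matches the `Unallocated` output directory in the original command.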

Re: Tsk_recover failure with ewf file

Edward Diener
On 7/22/2016 3:03 PM, Grundy Barry J TIGTA wrote:
> Eddie,
>
> Are you providing tsk_recover with an offset to the filesystem?
No I am not. I thought it could recover files from all partitions
(filesystems) in the image automatically. Are you saying TSK can only
recover one partition at a time from the ewf image, and that I tell it
which partition to recover by passing an '-o sector offset' parameter to
tell it where in the image the partition I want it to recover begins?
That's not what I thought from the --help output for tsk_recover or from
the man page.

> You have to tell the tool which partition (filesystem) you are interested in. Have a look at the '--help' output for more info on the syntax.
>
> If you run mmls from TSK on the ewf first, it will show you the partitions in the image and the offset (in sectors) to the partition within the physical image. Use this in your tsk_recover command.
Thanks! I am testing that now. But the doc for tsk_recover implies that
it can recover files from all partitions in an image instead of just a
single partition at a time in the image via the '-o sector offset'
parameter. Hopefully you or someone else can clarify this for me.

Eddie Diener
