Unable to acquire input. libmfdata_array_resize: invalid entries size value exceeds maximum. #24

Open
layer7gmbh opened this issue May 3, 2023 · 9 comments

@layer7gmbh

Hi,

The following acquiry parameters were provided:
Image path and filename:		/backup/hdd1.E01
Case number:				
Description:				
Evidence number:			
Examiner name:				
Notes:					
Media type:				fixed disk
Is physical:				yes
EWF file format:			EnCase 6 (.E01)
Compression method:			deflate
Compression level:			none
Acquiry start offset:			0
Number of bytes to acquire:		5.4 TiB (5997921828864 bytes)
Evidence segment file size:		1.4 GiB (1572864000 bytes)
Bytes per sector:			512
Block size:				64 sectors
Error granularity:			64 sectors
Retries on read error:			2
Zero sectors on read error:		no

results in:

Acquiry started at: May 03, 2023 13:58:45
This could take a while.

Acquiry failed at: May 03, 2023 13:58:45
Unable to acquire input.
libmfdata_array_resize: invalid entries size value exceeds maximum.
libmfdata_list_resize: unable to resize elements array.
libewf_write_io_handle_write_new_chunk: unable to resize chunk table.
libewf_handle_write_buffer: unable to write new chunk.
imaging_handle_write_buffer: unable to write storage media buffer.
ewfacquire_read_input: unable to write data to file.
Unable to close output file(s).
libmfdata_array_resize: invalid entries size value exceeds maximum.
libmfdata_list_resize: unable to resize elements array.
libewf_write_io_handle_write_new_chunk: unable to resize chunk table.
libewf_handle_write_finalize: unable to write new chunk.
libewf_handle_close: unable to finalize write.
imaging_handle_close: unable to close output handle.

If the bytes to acquire are reduced, it will work:

Image path and filename:		/backup/hdd1.E01
Case number:				
Description:				
Evidence number:			
Examiner name:				
Notes:					
Media type:				fixed disk
Is physical:				yes
EWF file format:			EnCase 6 (.E01)
Compression method:			deflate
Compression level:			none
Acquiry start offset:			0
Number of bytes to acquire:		286 MiB (300000000 bytes)
Evidence segment file size:		1.4 GiB (1572864000 bytes)
Bytes per sector:			512
Block size:				64 sectors
Error granularity:			64 sectors
Retries on read error:			2
Zero sectors on read error:		no

Continue acquiry with these values (yes, no) [yes]: 

Acquiry started at: May 03, 2023 14:00:45
This could take a while.

Status: at 50%.
        acquired 144 MiB (151650304 bytes) of total 286 MiB (300000000 bytes).
        completion in 4 second(s) with 35 MiB/s (37500000 bytes/second).

Acquiry completed at: May 03, 2023 14:00:52

Written: 286 MiB (300001316 bytes) in 7 second(s) with 40 MiB/s (42857330 bytes/second).
MD5 hash calculated over data:		6f0250647748b3925ba1738e0bfdc883
ewfacquire: SUCCESS

Also everything < 4 TB will work.

Is there some more elegant way to get this done than manipulating the starting offset to virtually slice the device into multiple logical parts?

Thank you and great project work!

Greetings
Oliver
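
The offset-slicing workaround asked about above, as an added example that is not part of the original post or of libewf: it plans contiguous, chunk-aligned slices for the 5997921828864-byte disk in the report and prints one ewfacquire call per slice. The 3 TiB slice cap (chosen below the "< 4 TB" reported as working), `/dev/sdX` and the `-partN` naming are assumptions; `-o`, `-B` and `-t` are ewfacquire's offset, byte-count and target options.

```shell
#!/bin/sh
# Added example: plan contiguous, chunk-aligned slices of a large device.
# Geometry taken from the report: 512-byte sectors, 64 sectors per block.
BYTES_PER_SECTOR=512
SECTORS_PER_CHUNK=64

# plan_slices TOTAL_BYTES MAX_SLICE_BYTES
# Prints one "offset length" pair per line. Every slice except the last is a
# whole number of chunks, so a slice boundary never splits a chunk and the
# slices cover the device with no gap and no overlap.
plan_slices() {
    total=$1
    max=$2
    chunk=$((BYTES_PER_SECTOR * SECTORS_PER_CHUNK))
    slice=$((max / chunk * chunk))   # round the cap down to a chunk multiple
    if [ "$slice" -le 0 ]; then
        echo "slice limit is smaller than one chunk" >&2
        return 1
    fi
    offset=0
    while [ "$offset" -lt "$total" ]; do
        remaining=$((total - offset))
        if [ "$remaining" -lt "$slice" ]; then len=$remaining; else len=$slice; fi
        echo "$offset $len"
        offset=$((offset + len))
    done
}

# chunk_count BYTES: chunk-table entries an image of BYTES needs (rounded up).
chunk_count() {
    chunk=$((BYTES_PER_SECTOR * SECTORS_PER_CHUNK))
    echo $(( ($1 + chunk - 1) / chunk ))
}

# print_commands DEVICE TARGET_PREFIX TOTAL_BYTES MAX_SLICE_BYTES
# Prints (does not run) one ewfacquire call per slice, with its chunk count.
print_commands() {
    n=1
    plan_slices "$3" "$4" | while read -r off len; do
        echo "ewfacquire -o $off -B $len -t ${2}-part${n} $1  # $(chunk_count "$len") chunks"
        n=$((n + 1))
    done
}

# Constructed run: device path and 3 TiB cap are assumptions.
print_commands /dev/sdX /backup/hdd1 5997921828864 3298534883328
```

Each slice is a separate image with its own hash, so the printed offset and length pairs need to be kept with the case notes to show the slices reassemble into the full device.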

@joachimmetz
Member

Which version of libewf are you using? libmfdata is part of the legacy version, so moving this to a different issue tracker.

@joachimmetz joachimmetz transferred this issue from libyal/libewf May 3, 2023
@joachimmetz joachimmetz self-assigned this May 3, 2023
@joachimmetz
Member

Possible duplicate of #9

@layer7gmbh
Author

Hi Joachim,

sorry for that stupid mistake....

ewfacquire is version 20140813 on the current Kali Linux live ISO.

@joachimmetz
Member

That is still relatively recent, see https://github.com/libyal/libewf-legacy/releases. You might be hitting the limits of the legacy version. You can try experimenting with changing the hard memory limit in the legacy version or try the experimental version.

@layer7gmbh
Author

Hi,

unfortunately no change with:

ewfacquire -V
ewfacquire 20140814

@joachimmetz
Member

Experimental version is https://github.com/libyal/libewf/releases

@layer7gmbh
Author

Hi,

sorry for the delay!

Tested now the latest experimental version and did the usual

configure
make
make install

ending up in:

[/usr/src/libewf-20230212]
# ewfacquire --version
ewfacquire: error while loading shared libraries: libewf.so.3: cannot open shared object file: No such file or directory

doing installcheck:

└─# make installcheck
Making installcheck in include
make[1]: Entering directory '/usr/src/libewf-20230212/include'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/include'
Making installcheck in common
make[1]: Entering directory '/usr/src/libewf-20230212/common'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/common'
Making installcheck in libcerror
make[1]: Entering directory '/usr/src/libewf-20230212/libcerror'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcerror'
Making installcheck in libcthreads
make[1]: Entering directory '/usr/src/libewf-20230212/libcthreads'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcthreads'
Making installcheck in libcdata
make[1]: Entering directory '/usr/src/libewf-20230212/libcdata'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcdata'
Making installcheck in libcdatetime
make[1]: Entering directory '/usr/src/libewf-20230212/libcdatetime'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcdatetime'
Making installcheck in libclocale
make[1]: Entering directory '/usr/src/libewf-20230212/libclocale'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libclocale'
Making installcheck in libcnotify
make[1]: Entering directory '/usr/src/libewf-20230212/libcnotify'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcnotify'
Making installcheck in libcsplit
make[1]: Entering directory '/usr/src/libewf-20230212/libcsplit'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcsplit'
Making installcheck in libuna
make[1]: Entering directory '/usr/src/libewf-20230212/libuna'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libuna'
Making installcheck in libcfile
make[1]: Entering directory '/usr/src/libewf-20230212/libcfile'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcfile'
Making installcheck in libcpath
make[1]: Entering directory '/usr/src/libewf-20230212/libcpath'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcpath'
Making installcheck in libbfio
make[1]: Entering directory '/usr/src/libewf-20230212/libbfio'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libbfio'
Making installcheck in libfcache
make[1]: Entering directory '/usr/src/libewf-20230212/libfcache'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfcache'
Making installcheck in libfdata
make[1]: Entering directory '/usr/src/libewf-20230212/libfdata'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfdata'
Making installcheck in libfdatetime
make[1]: Entering directory '/usr/src/libewf-20230212/libfdatetime'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfdatetime'
Making installcheck in libfguid
make[1]: Entering directory '/usr/src/libewf-20230212/libfguid'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfguid'
Making installcheck in libfvalue
make[1]: Entering directory '/usr/src/libewf-20230212/libfvalue'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libfvalue'
Making installcheck in libhmac
make[1]: Entering directory '/usr/src/libewf-20230212/libhmac'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libhmac'
Making installcheck in libcaes
make[1]: Entering directory '/usr/src/libewf-20230212/libcaes'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libcaes'
Making installcheck in libewf
make[1]: Entering directory '/usr/src/libewf-20230212/libewf'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libewf'
Making installcheck in libodraw
make[1]: Entering directory '/usr/src/libewf-20230212/libodraw'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libodraw'
Making installcheck in libsmdev
make[1]: Entering directory '/usr/src/libewf-20230212/libsmdev'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libsmdev'
Making installcheck in libsmraw
make[1]: Entering directory '/usr/src/libewf-20230212/libsmraw'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/libsmraw'
Making installcheck in ewftools
make[1]: Entering directory '/usr/src/libewf-20230212/ewftools'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/ewftools'
Making installcheck in ewf.net
make[1]: Entering directory '/usr/src/libewf-20230212/ewf.net'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/ewf.net'
Making installcheck in pyewf
make[1]: Entering directory '/usr/src/libewf-20230212/pyewf'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/pyewf'
Making installcheck in pyewf-python2
make[1]: Entering directory '/usr/src/libewf-20230212/pyewf-python2'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/pyewf-python2'
Making installcheck in pyewf-python3
make[1]: Entering directory '/usr/src/libewf-20230212/pyewf-python3'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/pyewf-python3'
Making installcheck in po
make[1]: Entering directory '/usr/src/libewf-20230212/po'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/po'
Making installcheck in manuals
make[1]: Entering directory '/usr/src/libewf-20230212/manuals'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/manuals'
Making installcheck in tests
make[1]: Entering directory '/usr/src/libewf-20230212/tests'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/tests'
Making installcheck in ossfuzz
make[1]: Entering directory '/usr/src/libewf-20230212/ossfuzz'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/ossfuzz'
Making installcheck in msvscpp
make[1]: Entering directory '/usr/src/libewf-20230212/msvscpp'
make[1]: Nothing to be done for 'installcheck'.
make[1]: Leaving directory '/usr/src/libewf-20230212/msvscpp'
make[1]: Entering directory '/usr/src/libewf-20230212'
make[1]: Nothing to be done for 'installcheck-am'.
make[1]: Leaving directory '/usr/src/libewf-20230212'

OS is the latest Kali Linux:

# cat /etc/os-release 
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
VERSION="2023.1"
VERSION_ID="2023.1"
VERSION_CODENAME="kali-rolling"
ID=kali
ID_LIKE=debian
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
ANSI_COLOR="1;31"

Here is the whole compile process:

https://pastebin.com/DVEcrVUw

Some additional debugging information:

└─# find / -name "libewf.so.3"
find: ‘/run/user/1000/gvfs’: Permission denied
/run/live/overlay/rw/usr/local/lib/libewf.so.3
/run/live/overlay/rw/usr/src/libewf-20230212/libewf/.libs/libewf.so.3
/usr/lib/live/mount/overlay/rw/usr/local/lib/libewf.so.3
/usr/lib/live/mount/overlay/rw/usr/src/libewf-20230212/libewf/.libs/libewf.so.3
/usr/local/lib/libewf.so.3
/usr/src/libewf-20230212/libewf/.libs/libewf.so.3
└─# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.dotnet/tools:/usr/local/lib
# ls -lah /usr/local/lib/libewf.so.3
lrwxrwxrwx 1 root root 15 May 18 10:41 /usr/local/lib/libewf.so.3 -> libewf.so.3.0.0
└─# ls -lah /usr/local/lib/libewf.so.3.0.0
-rwxr-xr-x 1 root root 5.3M May 18 10:41 /usr/local/lib/libewf.so.3.0.0          

So the file is there, but it seems the ewfacquire binary expects it somewhere else (wherever this might be :-) )

@joachimmetz
Member

> So the file is there, but it seems the ewfacquire binary expects it somewhere else (wherever this might be :-) )

Did you update your ldcache?

@layer7gmbh
Author

Hi,

adding the lib path to ldconfig and rebuilding the cache helped. Thank you!

Unfortunately it now tells me that the chosen options are not supported.

Image path and filename:		/backup/test.E01
Case number:				
Description:				
Evidence number:			
Examiner name:				
Notes:					HDD1-part2
Media type:				fixed disk
Is physical:				yes
EWF file format:			EnCase 6 (.E01)
Compression method:			deflate
Compression level:			none
Acquiry start offset:			0
Number of bytes to acquire:		14 TiB (16000900661248 bytes)
Evidence segment file size:		1.0 TiB (1099511627776 bytes)
Bytes per sector:			512
Block size:				64 sectors
Error granularity:			64 sectors
Retries on read error:			2
Zero sectors on read error:		no

will result in:

Continue acquiry with these values (yes, no) [yes]: y
Selected option not supported, please try again or terminate using Ctrl^C.
Continue acquiry with these values (yes, no) [yes]: ^C

while this will work:

Image path and filename:		/backup/test.E01
Case number:				
Description:				
Evidence number:			
Examiner name:				
Notes:					
Media type:				fixed disk
Is physical:				yes
EWF file format:			EnCase 6 (.E01)
Compression method:			deflate
Compression level:			none
Acquiry start offset:			0
Number of bytes to acquire:		279 GiB (300000000000 bytes)
Evidence segment file size:		1.0 TiB (1099511627776 bytes)
Bytes per sector:			512
Block size:				64 sectors
Error granularity:			64 sectors
Retries on read error:			2
Zero sectors on read error:		no

So actually nothing changed between the versions, except that the code will now tell that it's unsupported to get more than 4mio. bytes...

Greetings
Oliver
