Missing files from L01 created by FEX Imager

[knispeja]

It seems to me like libewf will not discover files inside of L01 images created by FEX Imager. Sample L01 file zipped and attached (small_fex_test.zip) -- the L01 has just a single text file inside.

Discovered this because Autopsy also doesn't find these files, and seems to throw no errors. I think this might extend to any files created by FEX Imager, but I didn't do extensive testing.

[joachimmetz]

Thanks for the sample file I'll take a look when time permits.

Also note that L01 is a propriety format that is not forensically sound. Have a read of https://osdfir.blogspot.com/2023/07/whats-in-file-path.html for more context

[knispeja]

Thanks! I did find the inner error from libewf (below), Autopsy doesn't seem to surface this so I didn't find it at first. Guessing FEX is doing something weird with permissions groups:

libcdata_array_get_entry_by_index: invalid entry index value out of bounds.
libewf_single_files_get_permission_group_by_index: unable to retrieve entry: 1 from permission groups array.
libewf_file_entry_initialize: unable to retrieve permission group: 1.
libewf_file_entry_get_sub_file_entry: unable to initialize sub file entry.