Unsupported L01 srce category format

[adenprince-relativity]

Some L01 files generated by EnCase 21.3 are receiving the following error:

libewf_single_files_parse_srce_category: invalid number of entries value out of bounds.
libewf_single_files_parse_utf8_string: unable to parse srce category.
libewf_single_files_read_data: unable to parse UTF-8 string.
libewf_internal_handle_open_read_segment_file_section_data: unable to parse single files.
libewf_internal_handle_open_read_segment_files: unable to read section data from segment file: 0.
libewf_internal_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open_wide: unable to open handle using a file IO pool.

After removing the check that results in the invalid number of entries value out of bounds error above and rebuilding the library, those files receive this error:

libewf_single_files_parse_srce_category: unsupported empty line string: 22 - not empty.
libewf_single_files_parse_utf8_string: unable to parse srce category.
libewf_single_files_read_data: unable to parse UTF-8 string.
libewf_internal_handle_open_read_segment_file_section_data: unable to parse single files.
libewf_internal_handle_open_read_segment_files: unable to read section data from segment file: 0.
libewf_internal_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open_wide: unable to open handle using a file IO pool.

Is it safe to remove the check that results in the unsupported empty line string: 22 - not empty error above? Are you aware of any settings in EnCase that would cause these errors? I'm not able to provide a test file. Thank you.

[joachimmetz]

L01 is a proprietary format.

I'm not able to provide a test file. Thank you.

are you able to provide debug/verbose output of the relevant data?

[adenprince-relativity]

Is it sufficient to provide the output of running .\ewfinfo.exe -v on one of the files, or is something else needed?

[joachimmetz]

see https://github.com/libyal/libewf/wiki/Troubleshooting#verbose-and-debug-output what is needed

[SerhiyBol]

When running verbose-and-debug-output it seems like it includes PII information.

Are you trying to see this part only from all that output?

FYI, this is from the file that works but there is possibility we can try to get this output from a bad file. Unfortunately, we cannot provide full verbose output.

[joachimmetz]

FYI, this is from the file that works but there is possibility we can try to get this output from a bad file. Unfortunately, we cannot provide full verbose output.

either sanitize the output or provide the information related to the warning

[SerhiyBol]

This is the s.r.c.e category data we were able to extract from the problematic file.

00000180: 30 00 0a 00 0a 00 73 00 72 00 63 00 65 00 0a 00 0.....s. r.c.e...
00000190: 30 00 09 00 31 00 0a 00 70 00 09 00 6e 00 09 00 0...1... p...n...
000001a0: 69 00 64 00 09 00 65 00 76 00 09 00 64 00 6f 00 i.d...e. v...d.o.
000001b0: 09 00 6c 00 6f 00 63 00 09 00 73 00 65 00 09 00 ..l.o.c. ..s.e...
000001c0: 6d 00 66 00 72 00 09 00 6d 00 6f 00 09 00 74 00 m.f.r... m.o...t.
000001d0: 62 00 09 00 6c 00 6f 00 09 00 70 00 6f 00 09 00 b...l.o. ..p.o...
000001e0: 61 00 68 00 09 00 73 00 68 00 09 00 67 00 75 00 a.h...s. h...g.u.
000001f0: 09 00 70 00 67 00 75 00 09 00 61 00 71 00 09 00 ..p.g.u. ..a.q...
00000200: 69 00 70 00 09 00 73 00 69 00 09 00 6d 00 61 00 i.p...s. i...m.a.
00000210: 09 00 64 00 74 00 0a 00 30 00 09 00 30 00 0a 00 ..d.t... 0...0...
00000220: 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 ........ ........
00000230: 09 00 09 00 2d 00 31 00 09 00 2d 00 31 00 09 00 ....-.1. ..-.1...
00000240: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000250: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000260: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000270: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000280: 09 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 ..0.0.0. 0.0.0.0.
00000290: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
000002a0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
000002b0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
000002c0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
000002d0: 30 00 09 00 30 00 30 00 30 00 30 00 30 00 30 00 0...0.0. 0.0.0.0.
000002e0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
000002f0: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000300: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000310: 30 00 30 00 09 00 30 00 30 00 30 00 30 00 30 00 0.0...0. 0.0.0.0.
00000320: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000330: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000340: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000350: 30 00 30 00 30 00 09 00 09 00 09 00 09 00 30 00 0.0.0... ......0.
00000360: 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 0.0.0.0. 0.0.0.0.
00000370: 30 00 30 00 30 00 09 00 66 00 0a 00 0a 00 73 00 0.0.0... f.....s.
00000380: 75 00 62 00 0a 00 30 00 09 00 31 00 0a 00 70 00 u.b...0. ..1...p.

[SerhiyBol]

@joachimmetz does the above s.r.c.e. binary data reveal any clues to why the error is thrown?

[joachimmetz]

I'll have a look when time permits, which is scarce at the moment