mmls error CAINE Interface

mmls error CAINE Interface

Post  slo.sleuth on Wed May 06, 2009 9:44 pm

I tried to use the CAINE interface to examine a split ewf image. I input the full path to the image as:
/media/sda1/081202009/100042/image_100042.e*
The mmls output window opened and reported the following error:
Code:
Error stat(ing) image file (/media/sda1/081202009/100042/image_100042.* : No such file or directory)
mmls died with exit status 1
No improvement with '-i ewf' pre-pended:
Code:
Error opening image file (ewf_open file: /media/sda1/081202009/100042/image_100042.*: Error opening)
mmls died with exit status 1
As you'd probably expect, img_stat and fsstat don't work either.

However, on the command line:
Code:
$ mmls /media/sda1/081202009/100042/image_100042.*
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000062  0000000063  Unallocated
02:  00:00  0000000063  0234050984  0234050922  NTFS (0x07)

$ img_stat /media/sda1/081202009/100042/image_100042.*
IMAGE FILE INFORMATION
--------------------------------------------
Image Type:      ewf

Size of data in bytes:   119834104320
MD5 hash of data:   9cecb2e859ba3c61615bc85360561417

$ fsstat -o63 /media/sda1/081202009/100042/image_100042.*
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 7664DB6F64DB311B
OEM Name: NTFS   
Volume Name: SQ004109P02
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 14628182
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 83824
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 29256364
Total Sector Range: 0 - 234050920

I'm running Installed CAINE 0.5. Any ideas as to the problem?

Re: mmls error CAINE Interface

Post  denis on Wed May 06, 2009 11:39 pm

Hi slo.sleuth,
I suppose it could be a problem with some environment variable.
I don't have the opportunity to start Caine right now; could you be kind enough to post the output of:
$ echo $PATH
typed in the terminal window opened by the Caine GUI?

Regards,
Denis


$PATH

Post  slo.sleuth on Thu May 07, 2009 12:01 am

Hi Denis,

I don't think this is a path issue from the mmls error output [notice the '(ewf_open file:...)'], but here you go, from the terminal launched with the CAINE panel launcher:
Code:
~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

$ sudo find /usr -name mmls
/usr/local/bin/mmls

As you can see, mmls is in the path. It's also there when viewed as superuser. Could it be the variable in /usr/share/caine/main.pl somehow prevents globbing? I don't really know perl to determine that for myself.

slo.sleuth

CAINE V.5 Interface and MMLS Error

Post  joetekno on Thu May 07, 2009 2:33 am

slo.sleuth,

Using the Live CD CAINE V.5 Interface and MMLS I also receive the error when trying to use the "*" asterisk wildcard.

When I give the exact file name it runs without issue. I'm sure it is in the handling of the asterisk in the CAINE/MMLS interface.

I tried several combinations to try and "force" it, like whack star "\*", apostrophe star '*', quote star "*", and none of them worked, but that was just a shot in the dark.

Regards,

Joe

globbing

Post  slo.sleuth on Thu May 07, 2009 2:38 am

Thanks joetekno,

That's my suspicion too. My problem is that all my images are split ewf in this case. Not a big deal, I can collect the data myself. I just wanted the devs to be aware of the issue for the next release of CAINE.

slo.sleuth

Re: mmls error CAINE Interface

Post  denis on Thu May 07, 2009 11:38 am

As you have noted, for some reason that we have to correctly identify, the terminal window opened by the Caine GUI does not accept the wildcard *.
So, assuming that you have the files listed below:

Code:
$ ls case_01/
sd_card.E01  sd_card.E02  sd_card.E03  sd_card.E04

this forces us to use the following solutions:

Code:
$ mmls sd_card.E01  sd_card.E02  sd_card.E03  sd_card.E04
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000015  0000000016  Unallocated
02:  00:00  0000000016  0000029119  0000029104  Win95 FAT32 (0x0B)

$ ewfinfo sd_card.E01  sd_card.E02  sd_card.E03  sd_card.E04
ewfinfo 20080501 (libewf 20080501, zlib 1.2.3.3, libcrypto 0.9.8)

Acquiry information
   Case number:      001
   Description:      test ewf split
   Examiner name:      denis
   Evidence number:   001-01
   Notes:         test split ewf per ptk
   Acquiry date:      Fri Nov 21 14:54:25 2008
   System date:      Fri Nov 21 14:54:25 2008
   Operating system used:   Linux
   Software version used:   20080501
   Password:      N/A

-----  cut  ---------------

otherwise

Code:
$ mmls sd_card.E0{1,2,3,4}

and

Code:
$ ewfinfo sd_card.E0{1,2,3,4}

which is certainly not practical in case our image is split into many parts.
So I found this solution:
Code:
$ mmls `find case_01/ -type f`
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000015  0000000016  Unallocated
02:  00:00  0000000016  0000029119  0000029104  Win95 FAT32 (0x0B)
and
Code:
$ ewfinfo `find case_01/ -type f`
ewfinfo 20080501 (libewf 20080501, zlib 1.2.3.3, libcrypto 0.9.8)

Acquiry information
   Case number:      001
   Description:      test ewf split
   Examiner name:      denis
   Evidence number:   001-01
   Notes:         test split ewf per ptk
   Acquiry date:      Fri Nov 21 14:54:25 2008
   System date:      Fri Nov 21 14:54:25 2008
   Operating system used:   Linux
   Software version used:   20080501
------  cut  -------------

where

Code:
find case_01/ -type f

generates the list of regular files in the directory and passes them to the stk, ewf, aff, etc. command.

That way seems to work properly.

Regards,
Denis


***Partial Success*** Correct CAINE interface syntax

Post  slo.sleuth on Thu May 07, 2009 7:47 pm

Hi Denis,

Unfortunately, your syntax did not work for me, either from the terminal (launched from the panel launcher) or in the CAINE interface. However, I tried the alternate BASH syntax for your method and succeeded:
Code:
 $ mmls $(find /media/sda1/081202009/100042/ -name image*)
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000062  0000000063  Unallocated
02:  00:00  0000000063  0234050984  0234050922  NTFS (0x07)
In CAINE, I have success with mmls and img_stat with the syntax:
Code:
$(find /media/sda1/081202009/100042/ -name image*)
However, fsstat does not work in the "Grissom Analyzer" with this code, complaining that it cannot determine the file system type (even with the proper offset entered). Running the command manually in the terminal launched in the "Collection" tab works, as does standard globbing (i.e. 'mmls /path/image*' and 'fsstat -o63 /path/image*' work for me). The problem seems to be how main.pl is handling the globbing.

I tried creating a variable in a root terminal with the image segment names like this:
Code:
# export IMAGE=$(find /media/sda1/081202009/100042/ -name image*)

# echo $IMAGE
/media/sda1/081202009/100042/image_100042.e01 /media/sda1/081202009/100042/image_100042.e02 /media/sda1/081202009/100042/image_100042.e03 /media/sda1/081202009/100042/image_100042.e04 /media/sda1/081202009/100042/image_100042.e05 /media/sda1/081202009/100042/image_100042.e06 /media/sda1/081202009/100042/image_100042.e07 /media/sda1/081202009/100042/image_100042.e08 /media/sda1/081202009/100042/image_100042.e09 /media/sda1/081202009/100042/image_100042.e10 /media/sda1/081202009/100042/image_100042.e11 /media/sda1/081202009/100042/image_100042.e12 /media/sda1/081202009/100042/image_100042.e13 /media/sda1/081202009/100042/image_100042.e14 /media/sda1/081202009/100042/image_100042.e15 /media/sda1/081202009/100042/image_100042.e16 /media/sda1/081202009/100042/image_100042.e17 /media/sda1/081202009/100042/image_100042.e18 /media/sda1/081202009/100042/image_100042.e19 /media/sda1/081202009/100042/image_100042.e20 /media/sda1/081202009/100042/image_100042.e21 /media/sda1/081202009/100042/image_100042.e22 /media/sda1/081202009/100042/image_100042.e23 /media/sda1/081202009/100042/image_100042.e24 /media/sda1/081202009/100042/image_100042.e25 /media/sda1/081202009/100042/image_100042.e26 /media/sda1/081202009/100042/image_100042.e27 /media/sda1/081202009/100042/image_100042.e28

# mmls $IMAGE
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000062  0000000063  Unallocated
02:  00:00  0000000063  0234050984  0234050922  NTFS (0x07)

# fsstat $IMAGE
Cannot determine file system type
root@caine-fc2:~# fsstat -o63 $IMAGE
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 7664DB6F64DB311B
OEM Name: NTFS   
Volume Name: SQ004109P02
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 14628182
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 83824
Root Directory: 5
...
I started the CAINE Interface from the same session to preserve the variable:
Code:
# perl /usr/share/caine/main.pl
Entering $IMAGE in the "Grissom Analyzer" tab, the mmls and img_stat buttons work, but fsstat does not with "63" entered in the offset box.
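
The `$(find …)` and `$IMAGE` workarounds in the posts above rely on shell word splitting, and find does not sort its output. The sketch below is an added example, not part of any post and not code from CAINE's main.pl: it expands the segments inside the script, in segment order, one argument per file. The names `ewf_run` and `ewf_demo` and the STEM.E?? naming are assumptions of the example.

```sh
#!/bin/sh
# Added example (not CAINE's code): build the segment list for a split EWF
# image inside the script, so nothing depends on the caller's shell globbing.

# ewf_run STEM CMD [OPTS...]
#   STEM is the image path without its segment extension. Assumed naming:
#   STEM.E01, STEM.E02, ... (upper or lower case, as in the thread).
#   Runs CMD OPTS... STEM.E01 STEM.E02 ... with one argument per segment.
ewf_run() (
    [ "$#" -ge 2 ] || { echo "usage: ewf_run STEM CMD [OPTS...]" >&2; exit 2; }
    LC_ALL=C; export LC_ALL     # byte-order glob sort: E01..E99, then EAA..
    stem=$1; shift
    ncmd=$#                     # words that belong to the command itself
    # Only the suffix is a pattern; the quoted stem may hold spaces or '*'.
    for seg in "$stem".[Ee][0-9A-Za-z][0-9A-Za-z]; do
        [ -f "$seg" ] || continue   # an unmatched pattern stays literal
        set -- "$@" "$seg"
    done
    if [ "$#" -eq "$ncmd" ]; then
        echo "ewf_run: no segments found for $stem" >&2
        exit 1                  # leaves only this function's subshell
    fi
    "$@"
)

# Constructed demo: empty segment files in a directory whose name contains a
# space; printf stands in for mmls/img_stat/fsstat and prints its arguments.
ewf_demo() {
    d=$(mktemp -d) && mkdir "$d/case 01" || return 1
    for n in 03 01 04 02; do : > "$d/case 01/sd_card.E$n"; done
    ewf_run "$d/case 01/sd_card" printf '[%s]\n' -o 63 | sed "s|$d/||"
    rm -rf "$d"
}
ewf_demo
```

With The Sleuth Kit installed, the same call shape would be `ewf_run /media/sda1/081202009/100042/image_100042 fsstat -o 63`.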

Re: mmls error CAINE Interface

Post  denis on Fri May 08, 2009 12:48 am

Hi slo.sleuth

I tried to work with a split image file in EWF format, using the Caine v0.5 operating system from the live CD.
I uploaded the 4 splits to the desktop and did some testing, working with the terminal window opened by the Caine GUI,
as you can see in the videos linked below, also using the character * as a wildcard:

http://www.denisfrati.it/other/video/out_01.ogg
http://www.denisfrati.it/other/video/out_02.ogg

I used the commands mmls and ewfinfo with the following syntax:
mmls/ewfinfo image.E01 image.E02 image.E03 image.E04
mmls/ewfinfo image.E0{1,2,3,4}
mmls/ewfinfo `find . -type f`
mmls/ewfinfo image.E0*

and in all cases the commands launched from the terminal window of the Caine GUI worked correctly with the * wildcard.


Re: mmls error CAINE Interface

Post  slo.sleuth on Fri May 08, 2009 1:15 am

Hi Denis,

Yes, I understand that works. I'm trying to indicate that the fsstat function of the Grissom Analyzer does not work with such syntax, even though the syntax you indicate works in the command line. Curiously, the mmls and img_stat functions do work in the Grissom Analyzer.

This causes me to believe that the perl script is not processing the variables as expected.

Thanks,
John

Re: mmls error CAINE Interface

Post  denis on Fri May 08, 2009 8:44 am

I have verified that the tools in the Grissom Analyzer tab work fine for devices and non-split images, even EWF, but fail on split image files.
We will check and correct this bug in the next version.

Regards,
Denis


Split Images Bug

Post  slo.sleuth on Fri May 08, 2009 6:43 pm

Thanks Denis.
