mmls error CAINE Interface

[slo.sleuth]

I tried to use the CAINE interface to examine a split ewf image. I input the full path to the image as:

/media/sda1/081202009/100042/image_100042.e*

The mmls output window opened and reported the following error:

Code:

Error stat(ing) image file (/media/sda1/081202009/100042/image_100042.* : No such file or directory)
mmls died with exit status 1

No improvement with '-i ewf' pre-pended:

Code:

Error opening image file (ewf_open file: /media/sda1/081202009/100042/image_100042.*: Error opening)
mmls died with exit status 1

As you'd probably expect, img_stat and fstat don't work either.

However, on the command line:

Code:

$ mmls /media/sda1/081202009/100042/image_100042.*
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000062  0000000063  Unallocated
02:  00:00  0000000063  0234050984  0234050922  NTFS (0x07)

$ img_stat /media/sda1/081202009/100042/image_100042.*
IMAGE FILE INFORMATION
--------------------------------------------
Image Type:      ewf

Size of data in bytes:   119834104320
MD5 hash of data:   9cecb2e859ba3c61615bc85360561417

$ fsstat -o63 /media/sda1/081202009/100042/image_100042.*
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 7664DB6F64DB311B
OEM Name: NTFS   
Volume Name: SQ004109P02
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 14628182
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 83824
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 29256364
Total Sector Range: 0 - 234050920


I'm running Installed CAINE 0.5. Any ideas as to the problem?

[denis]

hi slo.sleuth
I suppose could be a problem in some environment variable.
Now I have not the opportunity to start Caine, can you be kind enough to bring the output of:
$ echo $ PATH
typed in the terminal window opened by the GUI of Cain?

regardes
Denis

[slo.sleuth]

Hi Denis,

I don't think this is a path issue from the mmls error output [notice the '(ewf_open file:...)'], but here you go, from the terminal launched with the CAINE panel launcher:

Code:

~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

$ sudo find /usr -name mmls
/usr/local/bin/mmls

As you can see, mmls is in the path. It's also there when viewed as superuser. Could it be the variable in /usr/share/caine/main.pl somehow prevents globbing? I don't really know perl to determine that for myself.

slo.sleuth

[joetekno]

slo.sleuth,

Using the Live CD CAINE V.5 Interface and MMLS I also receive the error when trying to use the "*" asterisk wildcard.

When I give the exact file name it runs without issue. I'm sure it is in the handling of the asterisk in the CAINE/MMLS interface.

I tried several combination's to try and "force" it like whack star "\*" apostrophe star '*' quote star "*" and none of them worked, but that was just a shot in the dark.

Regards,

Joe

[slo.sleuth]

Thanks joetekno,

That's my suspicion too. My problem is that all my images are split ewf in this case. Not a big deal, I can collect the data myself. I just wanted the devs to be aware of the issue for the next release of CAINE.

slo.sleuth

[denis]

As you have noted, for some reason that we have to correctly identify, the terminal window opened by the Caine GUI does not accept the wilcard *.
So, assuming that you have the file listed below:

Code:

$ ls case_01/
sd_card.E01  sd_card.E02  sd_card.E03  sd_card.E04


forces us to use the following solutions

Code:

$ mmls sd_card.E01  sd_card.E02  sd_card.E03  sd_card.E04
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000015  0000000016  Unallocated
02:  00:00  0000000016  0000029119  0000029104  Win95 FAT32 (0x0B)

$ ewfinfo sd_card.E01  sd_card.E02  sd_card.E03  sd_card.E04
ewfinfo 20080501 (libewf 20080501, zlib 1.2.3.3, libcrypto 0.9.8)

Acquiry information
   Case number:      001
   Description:      test ewf split
   Examiner name:      denis
   Evidence number:   001-01
   Notes:         test split ewf per ptk
   Acquiry date:      Fri Nov 21 14:54:25 2008
   System date:      Fri Nov 21 14:54:25 2008
   Operating system used:   Linux
   Software version used:   20080501
   Password:      N/A

-----  cut  ---------------


otherwise

Code:

$ mmls sd_card.E0{1,2,3,4}

and

Code:

$ ewfinfo sd_card.E0{1,2,3,4}

which is certainly not practical in case our image is splitted into many parts.
So I found this solution:

Code:

$ mmls `find case_01/ -type f`
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000015  0000000016  Unallocated
02:  00:00  0000000016  0000029119  0000029104  Win95 FAT32 (0x0B)


and

Code:

$ ewfinfo `find case_01/ -type f`
ewfinfo 20080501 (libewf 20080501, zlib 1.2.3.3, libcrypto 0.9.8)

Acquiry information
   Case number:      001
   Description:      test ewf split
   Examiner name:      denis
   Evidence number:   001-01
   Notes:         test split ewf per ptk
   Acquiry date:      Fri Nov 21 14:54:25 2008
   System date:      Fri Nov 21 14:54:25 2008
   Operating system used:   Linux
   Software version used:   20080501
------  cut  -------------


where

Code:

find case_01/ -type f

generates the list of regular files in the directory and pass them to stk, ewf, aff, ecc.. command.

That way seems work properly.

Regardes.
Denis

[slo.sleuth]

Hi Denis,

Unfortunately, your syntax did not work for me, either from the terminal (launched from the panel launcher) or in the CAINE interface. However, I tried the alternate BASH syntax for you method an succeeded:

Code:

 $ mmls $(find /media/sda1/081202009/100042/ -name image*)
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000062  0000000063  Unallocated
02:  00:00  0000000063  0234050984  0234050922  NTFS (0x07)

In the CAINE, I have success with in mmls and img_stat with syntax:

Code:

$(find /media/sda1/081202009/100042/ -name image*)

However, fsstat does not work in the "Grissom Analyzer" with this code, complaining that it cannot determine the file system type (even with the proper offset entered). Running the command manually in the terminal launched in the "Collection" tab works, as does standard globbing, i.e. 'mmls /path/image*' and fsstat -o63 /path/image*' work for me). The problem seems to be how main.pl is handling the globbing.

I tried created a variable in a root terminal with the image segment names like this:

Code:

# export IMAGE=$(find /media/sda1/081202009/100042/ -name image*)

# # echo $IMAGE
/media/sda1/081202009/100042/image_100042.e01 /media/sda1/081202009/100042/image_100042.e02 /media/sda1/081202009/100042/image_100042.e03 /media/sda1/081202009/100042/image_100042.e04 /media/sda1/081202009/100042/image_100042.e05 /media/sda1/081202009/100042/image_100042.e06 /media/sda1/081202009/100042/image_100042.e07 /media/sda1/081202009/100042/image_100042.e08 /media/sda1/081202009/100042/image_100042.e09 /media/sda1/081202009/100042/image_100042.e10 /media/sda1/081202009/100042/image_100042.e11 /media/sda1/081202009/100042/image_100042.e12 /media/sda1/081202009/100042/image_100042.e13 /media/sda1/081202009/100042/image_100042.e14 /media/sda1/081202009/100042/image_100042.e15 /media/sda1/081202009/100042/image_100042.e16 /media/sda1/081202009/100042/image_100042.e17 /media/sda1/081202009/100042/image_100042.e18 /media/sda1/081202009/100042/image_100042.e19 /media/sda1/081202009/100042/image_100042.e20 /media/sda1/081202009/100042/image_100042.e21 /media/sda1/081202009/100042/image_100042.e22 /media/sda1/081202009/100042/image_100042.e23 /media/sda1/081202009/100042/image_100042.e24 /media/sda1/081202009/100042/image_100042.e25 /media/sda1/081202009/100042/image_100042.e26 /media/sda1/081202009/100042/image_100042.e27 /media/sda1/081202009/100042/image_100042.e28

# mmls $IMAGE
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

    Slot    Start        End          Length      Description
00:  Meta    0000000000  0000000000  0000000001  Primary Table (#0)
01:  -----  0000000000  0000000062  0000000063  Unallocated
02:  00:00  0000000063  0234050984  0234050922  NTFS (0x07)

# fsstat $IMAGE
Cannot determine file system type
root@caine-fc2:~# fsstat -o63 $IMAGE
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 7664DB6F64DB311B
OEM Name: NTFS   
Volume Name: SQ004109P02
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 14628182
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 83824
Root Directory: 5
...

I started the CAINE Interface from the same session to preserve the variable:

Code:

# perl /usr/share/caine/main.pl

Entering $IMAGE in the "Grissom Analyzer" tab, mmls and img_stat buttons work, but fsstat does not with "63" entered in the offest box.

[denis]

Hi slo.sleuth

I tried to work with a splitted image file in EWF format, using Caine v0.5 operating system from live-cd.
I uploaded the 4 split on the desktop and I did some testing working with the terminal window opened by the GUI Caine,
as you can see in video linked below, either using the character * as a wildcard:

http://www.denisfrati.it/other/video/out_01.ogg
http://www.denisfrati.it/other/video/out_02.ogg

I used the commands mmls and ewfinfo with the following syntax:
mmls/ewfinfo image.E01 image.E02 image.E03 image.E04
mmls/ewfinfo image.E0{1,2,3,4}
mmls/ewfinfo 'find. -type f-'
mmls/ewfinfo image.E0 *

and in all cases the commands launched from the terminal window of Cain GUI worked correctly with the * wildcard

[slo.sleuth]

Hi Denis,

Yes, I understand that works. I'm trying to indicate that the fsstat function of the Grissom Analyzer does not work with such syntax, even though the syntax you indicate works in the command line. Curiously, the mmls and img_stat functions do work in the Grissom Analyzer.

This causes me to believe that the perl script is not processing the variables as expected.

Thanks,
John

[denis]

I have verified that the tools Grissom Analyzer tab in work fine for device and not slittedimages, even EWF, but fail in the split image file.
we check and correct this bug in next version.

regardes
Denis

[slo.sleuth]

Thanks Denis.

[Sponsored content]