Bug#991269: guymager: "AvoidEncaseProblems" is set to off in config file


Zack Lau

Jul 19, 2021, 6:20:03 AM
Package: guymager
Version: 0.8.12-1
Severity: important
Tags: patch
X-Debbugs-Cc: za...@zack.idv.hk

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
I believe the root cause is the default config file "guymager.cfg" from the
official repo does not have the option "AvoidEncaseProblems" enabled. The
majority of forensic images created using the latest Guymager with
"AvoidEncaseProblems" disabled cause errors and thus cannot be added to a case
in EnCase v8 or up.

* What exactly did you do (or not do) that was effective (or
ineffective)?
As I use Guymager from live CD, I have to change the "AvoidEncaseProblems"
option in line 426 of "/etc/guymager/guymager.cfg" from "off" to "on" every time
I launch Guymager.

* What was the outcome of this action?
After setting the "AvoidEncaseProblems" option to "on", forensic images created
by Guymager can be loaded in EnCase v8 or up with no issue.

* What outcome did you expect instead?
I expect the "AvoidEncaseProblems" option to be set to "on" by default.
Surprisingly, this option is not known by a lot of people.

*** End of the template - remove these template lines ***


-- System Information:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2021.2
Codename: kali-rolling
Architecture: x86_64

Kernel: Linux 5.10.0-kali7-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages guymager depends on:
ii hdparm 9.60+ds-1
ii libc6 2.31-11
ii libewf2 20140807-2+b2
ii libgcc-s1 10.2.1-6
ii libguytools2 2.1.0-1
ii libparted2 [libparted] 3.4-1
ii libqt5core5a 5.15.2+dfsg-5
ii libqt5dbus5 5.15.2+dfsg-5
ii libqt5gui5 5.15.2+dfsg-5
ii libqt5widgets5 5.15.2+dfsg-5
ii libstdc++6 10.2.1-6
ii smartmontools 7.2-1
ii zlib1g 1:1.2.11.dfsg-2

Versions of packages guymager recommends:
ii policykit-1 0.105-30+kali2

guymager suggests no packages.

Michael Prokop

Jul 23, 2021, 11:00:03 AM
Hi,

* Zack Lau [Mon Jul 19, 2021 at 10:11:44AM +0000]:

> Tags: patch

I don't see any patch in the BTS nor an MR at
https://salsa.debian.org/pkg-security-team/guymager/, so I'll
remove this tag.

> * What led up to the situation?
> I believe the root cause is the default config file "guymager.cfg" from the
> official repo does not have the option "AvoidEncaseProblems" enabled. The
> majority of forensic images created using the latest Guymager with
> "AvoidEncaseProblems" disabled cause errors and thus cannot be added to a case
> in EnCase v8 or up.

> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> As I use Guymager from live CD, I have to change the "AvoidEncaseProblems"
> option in line 426 of "/etc/guymager/guymager.cfg" from "off" to "on" every time
> I launch Guymager.

> * What was the outcome of this action?
> After setting the "AvoidEncaseProblems" option to "on", forensic images created
> by Guymager can be loaded in EnCase v8 or up with no issue.

> * What outcome did you expect instead?
> I expect the "AvoidEncaseProblems" option to be set to "on" by default.
> Surprisingly, this option is not known by a lot of people.

Well, the configuration option is clearly documented in the
configuration file and also explains the situation:

| REM AvoidEncaseProblems Encase produces strange error messages if the EWF internal fields "Imager Version" and
| REM "OS Version" contain more than 11 or 23 characters, respectively. Leave this flag OFF
| REM if you don't work with Encase (default setting). Set it to ON if ever you work with
| REM Encase and want to avoid the Encase problems.

So I don't see how this could be enabled by default, given that not
everybody uses Encase by default. But I'll ask upstream whether
they are aware of any possible better solutions.

regards
-mika-

Zack Lau

Jul 26, 2021, 6:00:03 AM
Hi Mika,

Thanks for looking into this.

I understand this option is well explained in the configuration file.
However, in most situations, forensic practitioners run the forensic
imaging process using Guymager in forensics mode booted up from Live CD.
In other words, the configuration file needs to be updated after every
boot up. It would be great if this could be enabled by default.

Enabling this option in the configuration file does not prevent a
Guymager-created forensic image from loading properly in other forensic
software (i.e. FTK, Autopsy or X-Ways). Instead, it resolves the error
issue when people try to load a Guymager-created E01 in EnCase.

I find this topic interesting. I saw comments in different forums that
thought the EnCase error issue was caused by other settings, or by what
people put in the case data fields. Only a few people mentioned this
option, so I think this "AvoidEncaseProblems" option is not widely known
among the forensics community.

Regards,
Zack

Michael Prokop

Jul 26, 2021, 6:10:03 AM
* Zack Lau [Mon Jul 26, 2021 at 09:49:16AM +0000]:

> Thanks for looking into this.

> I understand this option is well explained in the configuration file.
> However, in most situations, forensic practitioners run the forensic
> imaging process using Guymager in forensics mode booted up from Live
> CD. In other words, the configuration file needs to be updated after
> every boot up. It would be great if this could be enabled by default.

In the meantime I talked to the upstream author, who agreed to my
suggestion to use the output of `uname -r` for the kernel version
information and keep the strings below the limit that's known to be
needed for EnCase. So there shouldn't be any need to change this
option once a new upstream version with the new behaviour is there.

> Enabling this option in the configuration file does not prevent a
> Guymager-created forensic image from loading properly in other forensic
> software (i.e. FTK, Autopsy or X-Ways). Instead, it resolves the
> error issue when people try to load a Guymager-created E01 in EnCase.

ACK, but I don't like diverging from upstream defaults, as there's
usually a good reason behind it. :)

> I find this topic interesting. I saw comments in different forums that
> thought the EnCase error issue was caused by other settings, or by what
> people put in the case data fields. Only a few people mentioned this
> option, so I think this "AvoidEncaseProblems" option is not widely
> known among the forensics community.

Thanks for your input!

regards
-mika-
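As an added example (not Guymager's, Debian's or either participant's code): a small Python check that applies the two field-length limits quoted from guymager.cfg above and builds an OS Version string from the bare kernel release, the approach upstream agreed to. The sample strings are constructed from the reporter's system information; what Guymager actually writes into the EWF header is not shown in this thread.

```python
import platform

# Field-length limits quoted from the AvoidEncaseProblems comment in guymager.cfg:
# EnCase misbehaves when "Imager Version" exceeds 11 or "OS Version" exceeds 23 chars.
IMAGER_VERSION_MAX = 11
OS_VERSION_MAX = 23


def check_ewf_version_fields(imager_version: str, os_version: str) -> list:
    """Return the EWF header fields that would trip the EnCase limits.

    An empty list means an E01 carrying these strings should not hit the
    problem described in this bug report.
    """
    problems = []
    if len(imager_version) > IMAGER_VERSION_MAX:
        problems.append(
            f"Imager Version {imager_version!r} is {len(imager_version)} chars "
            f"(max {IMAGER_VERSION_MAX})")
    if len(os_version) > OS_VERSION_MAX:
        problems.append(
            f"OS Version {os_version!r} is {len(os_version)} chars "
            f"(max {OS_VERSION_MAX})")
    return problems


def encase_safe_os_version(kernel_release: str) -> str:
    """Build an OS Version string from the bare kernel release (`uname -r`).

    platform.release() returns the same value as `uname -r`; the caller passes
    it in so the function can be exercised on a constructed value. Truncating
    an over-long release is this example's own fallback (assumption), not
    documented Guymager behaviour.
    """
    release = kernel_release.strip()
    if len(release) > OS_VERSION_MAX:
        release = release[:OS_VERSION_MAX]
    return release


if __name__ == "__main__":
    # Constructed sample strings based on the reporter's system information
    # (guymager 0.8.12 on kernel 5.10.0-kali7-amd64).
    verbose_os = "Linux 5.10.0-kali7-amd64"  # 24 chars: over the limit
    print(check_ewf_version_fields("0.8.12", verbose_os))
    print(check_ewf_version_fields("0.8.12",
                                   encase_safe_os_version(platform.release())))
```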

Zack Lau

Jul 26, 2021, 10:30:04 PM
Hi Mika,

Yeah, I agree with your approach and think it makes more sense. Learned
something new from you. Thanks again!

Regards,
Zack