ntfs_make_run: Run length is larger than file system

[Dave]

Mounted E01 image of a 1TB hard drive. log2timeline version 20180930. 

log2timeline appears to be calculating the wrong size for partition 3 and then errors out and will not process the dd image.

Both mount and xmount were tested and had the same result.

2018-10-22 18:40:23,507 [ERROR] (MainProcess) PID:10381 <extraction_tool> Unable to preprocess with error: FS_Info_open_meta: (tsk3.c:291) Unable to open file: Error in metadata structure (ntfs_make_run: Run length is larger than file system) (  - proc_attrseq)

# mmls /mnt/ewf_mount2/LI001_HDD_0642.dd 

GUID Partition Table (EFI)

Offset Sector: 0

Units are in 512-byte sectors

      Slot      Start        End          Length       Description

000:  Meta      0000000000   0000000000   0000000001   Safety Table

001:  -------   0000000000   0000002047   0000002048   Unallocated

002:  Meta      0000000001   0000000001   0000000001   GPT Header

003:  Meta      0000000002   0000000033   0000000032   Partition Table

004:  000       0000002048   0000197958   0000195911   EFI system partition

005:  -------   0000197959   0000197959   0000000001   Unallocated

006:  001       0000197960   0000460111   0000262152   Microsoft reserved partition

007:  002       0000460112   1879045657   1878585546   Basic data partition

008:  -------   1879045658   1879045663   0000000006   Unallocated

009:  003       1879045664   1953512048   0074466385   Basic data partition

010:  -------   1953512049   1953525167   0000013119   Unallocated

# fdisk -l /mnt/ewf_mount2/LI001_HDD_0642.dd

Disk /mnt/ewf_mount2/LI001_HDD_0642.dd: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors

Units: sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disklabel type: gpt

Disk identifier: CC9ED63B-4F40-426C-91D6-30A13AE8D041

Device                                  Start        End    Sectors   Size Type

/mnt/ewf_mount2/LI001_HDD_0642.dd1       2048     197958     195911  95.7M EFI System

/mnt/ewf_mount2/LI001_HDD_0642.dd2     197960     460111     262152   128M Microsoft reserved

/mnt/ewf_mount2/LI001_HDD_0642.dd3     460112 1879045657 1878585546 895.8G Microsoft basic data

/mnt/ewf_mount2/LI001_HDD_0642.dd4 1879045664 1953512048   74466385  35.5G Microsoft basic data

plaso - log2timeline version 20180930

The following partitions were found:

Identifier      Offset (in bytes)               Size (in bytes)

p1              1048576 (0x00100000)            95.7MiB / 100.3MB (100306432 B)

p2              101355520 (0x060a9000)          128.0MiB / 134.2MB (134221824 B)

p3              235577344 (0x0e0aa000)          895.8GiB / 961.8GB (961835799552 B)

p4              962071379968 (0xdfffec4000)     35.5GiB / 38.1GB (38126789120 B)

thanks,

dave

[Joachim Metz]

> log2timeline appears to be calculating the wrong size for partition 3

Where do you base this on?

1879045664 * 512 = 962071379968
74466385 * 512 = 38126789120

> and then errors out and will not process the dd image

What error? The following?

> 2018-10-22 18:40:23,507 [ERROR] (MainProcess) PID:10381 <extraction_tool> Unable to preprocess with error: FS_Info_open_meta: (tsk3.c:291) Unable to open file: Error in metadata structure (ntfs_make_run: Run length is larger than file system) ( - proc_attrseq)

What version of libewf are you using?

> --
> You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
> To post to this group, send email to log2timeli...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[foo bar]

Thanks for replying so quickly.

I was just trying to guess at the problem based on the referenced error message.

I'm using the latest SANS SIFT, so hopefully it has the latest version of libewf, but I will get you the version number tomorrow.

dave

[Dave]

libewf version is 20140804

[Joachim Metz]

But what is the actual error you are experiencing?

[Dave]

It prints the one error "<extraction_tool> Unable to preprocess with error: FS_Info_open_meta: (tsk3.c:291) Unable to open file: Error in metadata structure (ntfs_make_run: Run length is larger than file system) (  - proc_attrseq)" and aborts.  There are no other errors written to the log file as all processing stops at that point.

Also tested with the latest windows version of log2timeline and had the exact same issue and error message.

dave

[Joachim Metz]

this error originates from libtsk/pytsk I'm wondering what is causing
it. Does fls yield the same error?

[Dave]

fls (version 4.2.0) worked with no issues using the following command:

fls -r -o 460122 -f ntfs -m C: image.E01 > image_bodyfile

[Dave]

I ran log2timeline with --debug and attached the log files.

[Dave]

Correcting my post about fls working.  The following shows 3 different fls commands.  The first two did not work and the last one did.

fls -r -o 460122  -m C: image.E01 > image_c_bodyfile

Cannot determine file system type

fls -r -o 460122 -f ntfs -m C: image.E01 > testbody

Invalid magic value (Not a NTFS file system (magic))

fls -r -o 460112 -f ntfs -m C: /mnt/ewf_mount2/image.dd > worked_c_bodyfile

More info:

fsstat -o 460112 image.E01 

FILE SYSTEM INFORMATION

--------------------------------------------

File System Type: NTFS

Volume Serial Number: 771D3EE3AA5875D8

OEM Name: NTFS    

Version: Windows XP

METADATA INFORMATION

--------------------------------------------

First Cluster of MFT: 781343

First Cluster of MFT Mirror: 2

Size of MFT Entries: 1024 bytes

Size of Index Records: 4096 bytes

Range: 0 - 543744

Root Directory: 5

CONTENT INFORMATION

--------------------------------------------

Sector Size: 512

Cluster Size: 4096

Total Cluster Range: 0 - 234823192

Total Sector Range: 0 - 1878585543