TSKVolumeSystem bytes_per_sector #45

Open
forensicmatt opened this issue Jul 21, 2015 · 3 comments
@forensicmatt

I have a drive that has geometry with 4096 bytes per sector.

When I create a TSKVolumeSystem, and feed it the volume_system_path_spec of TYPE_INDICATOR_TSK_PARTITION, it shows the TSKVolumeSystem.bytes_per_sector attribute as 512. This in turn shows the incorrect offset for the partitions.

Is there a way to find and set the bytes per sector for a TSKVolumeSystem?

Here is what FTK Imager shows for the drive:
[image]

Partition Start Sector [2048]:
[image]

Offset then to partition is 2048 * 4096 = 8388608

I see in dfvfs TSKVolumeSystem._Parse() there is:
self.bytes_per_sector = tsk_partition.TSKVolumeGetBytesPerSector(tsk_volume)

Am I not passing something or are the BytesPerSector not being found correctly?

Here is the output and the example code I used.

###########################################################
#Output 
###########################################################
bytes_per_sector: 512
address: 2; description: NTFS (0x07); offset: 1048576; size 250048817664

###########################################################
#Example 
###########################################################
import sys
from dfvfs.path import factory as path_spec_factory
from dfvfs.lib import definitions as dfvfs_definitions
from dfvfs.volume import tsk_volume_system

from dfvfs.lib import tsk_image

os_path_spec = path_spec_factory.Factory.NewPathSpec(
    dfvfs_definitions.TYPE_INDICATOR_OS,
    location='\\\\.\\PHYSICALDRIVE1'
)

volume_system_path_spec = path_spec_factory.Factory.NewPathSpec(
    dfvfs_definitions.TYPE_INDICATOR_TSK_PARTITION,
    start_offset=0,
    parent=os_path_spec
)

image_system = tsk_volume_system.TSKVolumeSystem()
image_system.Open(volume_system_path_spec)

# Sector size as reported by the TSK volume system.
print('bytes_per_sector: {}'.format(image_system.bytes_per_sector))

for volume in image_system.volumes:
    volume_identifier = getattr(volume, 'identifier', None)
    if volume_identifier:
        # Collect the volume attributes (address, description) and its extent.
        info = {}
        for attrib in volume.attributes:
            info[attrib.identifier] = attrib.value
        for extent in volume.extents:
            info['offset'] = extent.offset
            info['size'] = extent.size

        print('address: {}; description: {}; offset: {}; size {}'.format(
            info['address'], info['description'], info['offset'], info['size']))
joachimmetz added the question and enhancement labels Jul 22, 2015
@joachimmetz
Member

joachimmetz commented Jul 22, 2015

> Is there a way to find and set the bytes per sector for a TSKVolumeSystem?

Not at the moment. I would also need to check if and how that can be propagated in pytsk and TSK.

> os_path_spec = path_spec_factory.Factory.NewPathSpec(
>     dfvfs_definitions.TYPE_INDICATOR_OS,
>     location='\\\\.\\PHYSICALDRIVE1'
> )

Since Python os does not support \\.\PhysicalDrive1 as a file, dfvfs TYPE_INDICATOR_OS uses pysmdev instead. Also see: https://github.com/log2timeline/dfvfs/blob/master/dfvfs/file_io/os_file_io.py#L65

Hence try:

import pysmdev
smdev_handle = pysmdev.handle()
smdev_handle.open('\\\\.\\PHYSICALDRIVE1')
print(smdev_handle.bytes_per_sector)
smdev_handle.close()

joachimmetz self-assigned this Jul 22, 2015
@joachimmetz
Member

joachimmetz commented Jan 21, 2022

Generated a 4k MBR test image

mmls test_data/mbr_4k_sector.raw 
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000000   0000000001   Unallocated
002:  000:000   0000000001   0000000017   0000000017   Linux (0x83)
003:  Meta      0000000018   0000001023   0000001006   DOS Extended (0x05)
004:  -------   0000000018   0000008191   0000008174   Unallocated

By default mmls (and therefore assuming libtsk/pytsk as well) treats this as 512 bytes per sector. With a manual override:

mmls -b 4096 test_data/mbr_4k_sector.raw 
DOS Partition Table
Offset Sector: 0
Units are in 4096-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000000   0000000001   Unallocated
002:  000:000   0000000001   0000000017   0000000017   Linux (0x83)
003:  Meta      0000000018   0000001023   0000001006   DOS Extended (0x05)
004:  Meta      0000000018   0000000018   0000000001   Extended Table (#1)
005:  -------   0000000018   0000000018   0000000001   Unallocated
006:  001:000   0000000019   0000000035   0000000017   Linux (0x83)
007:  -------   0000000036   0000001023   0000000988   Unallocated

To consider:

  • support manual override of sector size?
  • add sector size detection in dfVFS to work around limitation in libtsk/pytsk?
  • alternative MBR support, also see: Improve volume system support #83
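
The sector size detection raised in the "To consider" list above, sketched as an added example that is not part of the original thread and is not dfVFS, pytsk or TSK code: for each candidate sector size it checks whether the extended partition's start sector, converted to a byte offset, holds an extended partition table (0x55AA signature). The function names, the candidate sizes and the constructed sample image (laid out like the mmls listing, Linux at sector 1 and DOS Extended at sector 18) are assumptions; on a disk without an extended partition the heuristic has nothing to test and returns None.

```python
import struct

SIGNATURE = b"\x55\xaa"
CANDIDATE_SECTOR_SIZES = (512, 1024, 2048, 4096)  # assumed candidates
EXTENDED_TYPES = (0x05, 0x0F, 0x85)


def read_partition_table(image, offset=0):
    """Return (type, start_lba, sector_count) for each used slot of an MBR/EBR."""
    if image[offset + 510:offset + 512] != SIGNATURE:
        raise ValueError("no 0x55AA boot signature at offset %d" % offset)
    entries = []
    for slot in range(4):
        part_type, start_lba, count = struct.unpack_from(
            "<4xB3xII", image, offset + 446 + 16 * slot)
        if part_type:
            entries.append((part_type, start_lba, count))
    return entries


def detect_sector_size(image):
    """Return the one candidate size whose extended-partition offset holds an EBR."""
    for part_type, start_lba, _ in read_partition_table(image):
        if part_type in EXTENDED_TYPES:
            hits = [size for size in CANDIDATE_SECTOR_SIZES
                    if image[start_lba * size + 510:start_lba * size + 512] == SIGNATURE]
            return hits[0] if len(hits) == 1 else None  # ambiguous or not found
    return None  # no extended partition: this heuristic cannot decide


def partition_byte_offsets(image, bytes_per_sector):
    """Byte offset of each primary partition: start sector * bytes per sector."""
    return [(part_type, start_lba * bytes_per_sector)
            for part_type, start_lba, _ in read_partition_table(image)]


def build_sample_image(bytes_per_sector):
    """Constructed sample (not from the issue): Linux at sector 1, extended at 18."""
    image = bytearray(20 * bytes_per_sector)

    def put_table(offset, entries):
        for slot, entry in enumerate(entries):
            struct.pack_into("<4xB3xII", image, offset + 446 + 16 * slot, *entry)
        image[offset + 510:offset + 512] = SIGNATURE

    put_table(0, [(0x83, 1, 17), (0x05, 18, 1006)])
    put_table(18 * bytes_per_sector, [(0x83, 1, 17)])  # first EBR, one logical volume
    return bytes(image)
```

Where the heuristic returns None, the sector size has to come from elsewhere, such as the device-reported value shown with pysmdev earlier in the thread.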

@joachimmetz
Member

Looks like sleuthkit has a long-standing issue about this: sleuthkit/sleuthkit#752
