I am experiencing some issues when using the mmls command after having created an image with dcfldd/guymager in some particular situations. Usually this approach seems to work fine for creating physical images of devices, but with some USBs (working fine and undamaged) I manage to create the .dd disk image file, but then it won't be opened by mmls, nor by fsstat.
fls does open the file system structure, but it seems like it won't show me any unallocated files just as if this was a logical image.
This is the command run to create a disk image using dcfldd:
    sudo dcfldd if=/dev/sda hash=sha256 hashlog=usb.sha256hash of=./usb.dd bs=512 conv=noerror,sync,notrunc
Also, this is the output of usb.info, generated by guymager:
    GUYMAGER ACQUISITION INFO FILE
    ==============================

    Guymager
    ========
    Version : 0.8.13-1
    Version timestamp : 2022-05-11-00.00.00 UTC
    Compiled with : gcc 12.1.1 20220507 (Red Hat 12.1.1-1)
    libewf version : 20140812 (not used as Guymager is configured to use its own EWF module)
    libguytools version: 2.0.2
    Host name : lucafedora
    Domain name : (none)
    System : Linux lucafedora 6.1.7-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 18 18:37:43 UTC 2023 x86_64

    Device information
    ==================
    Command executed: bash -c "search="`basename /dev/sda`: H..t P.......d A..a de.....d" && dmesg | grep -A3 "$search" || echo "No kernel HPA messages for /dev/sda""
    Information returned:
    ----------------------------------------------------------------------------------------------------
    No kernel HPA messages for /dev/sda

    Command executed: bash -c "smartctl -s on /dev/sda ; smartctl -a /dev/sda"
    Information returned:
    ----------------------------------------------------------------------------------------------------
    /usr/bin/bash: line 1: smartctl: command not found
    /usr/bin/bash: line 1: smartctl: command not found

    Command executed: bash -c "hdparm -I /dev/sda"
    Information returned:
    ----------------------------------------------------------------------------------------------------
    /usr/bin/bash: line 1: hdparm: command not found

    Command executed: bash -c "CIDFILE=/sys/block/$(basename /dev/sda)/device/cid; echo -n "CID: " ; if [ -e $CIDFILE ] ; then cat $CIDFILE ; else echo "not available" ; fi "
    Information returned:
    ----------------------------------------------------------------------------------------------------
    CID: not available

    Hidden areas: unknown

    Acquisition
    ===========
    Linux device : /dev/sda
    Device size : 8053063680 (8.1GB)
    Format : Linux dd raw image - file extension is .dd
    Image path and file name: /home/HOMEDIR/case_usb/usb.dd
    Info path and file name: /home/HOMEDIR/case_usb/usb.info
    Hash calculation : SHA-256
    Source verification : on
    Image verification : on

    No bad sectors encountered during acquisition.
    No bad sectors encountered during verification.
    State: Finished successfully

    MD5 hash : --
    MD5 hash verified source : --
    MD5 hash verified image : --
    SHA1 hash : --
    SHA1 hash verified source : --
    SHA1 hash verified image : --
    SHA256 hash : 7285a8b0a2b472a8f120c4ca4308a94a3aaa3e308a1dd86e3670041b07c27e76
    SHA256 hash verified source: 7285a8b0a2b472a8f120c4ca4308a94a3aaa3e308a1dd86e3670041b07c27e76
    SHA256 hash verified image : 7285a8b0a2b472a8f120c4ca4308a94a3aaa3e308a1dd86e3670041b07c27e76
    Source verification OK. The device delivered the same data during acquisition and verification.
    Image verification OK. The image contains exactely the data that was written.

    Acquisition started : 2023-01-28 12:27:07 (ISO format YYYY-MM-DD HH:MM:SS)
    Verification started: 2023-01-28 12:30:11
    Ended : 2023-01-28 12:35:24 (0 hours, 8 minutes and 16 seconds)
    Acquisition speed : 41.97 MByte/s (0 hours, 3 minutes and 3 seconds)
    Verification speed : 24.62 MByte/s (0 hours, 5 minutes and 12 seconds)

    Generated image files and their MD5 hashes
    ==========================================
    No MD5 hashes available (configuration parameter CalcImageFileMD5 is off)
    MD5 Image file
    n/a usb.dd
I first thought that I was creating an image of a partition, but I soon discarded that idea, as /dev/sda is the only device I see when running lsblk; there are no sub-partitions to it (sda1, sda2, etc.).
It is worth mentioning that when mmls is run against usb.dd it produces no output whatsoever. I have to forcefully add the -v option for it to spit out this kind of information:
    sk_img_open: Type: 0 NumImg: 1 Img1: usb.dd
    aff_open: Error determining type of file: usb.dd
    aff_open: Success
    Error opening vmdk file
    Error checking file signature for vhd file
    tsk_img_findFiles: usb.dd found
    tsk_img_findFiles: 1 total segments found
    raw_open: segment: 0 size: 8053063680 max offset: 8053063680 path: usb.dd
    dos_load_prim: Table Sector: 0
    raw_read: byte offset: 0 len: 65536
    raw_read: found in image 0 relative offset: 0 len: 65536
    raw_read_segment: opening file into slot 0: usb.dd
    dos_load_prim_table: Testing FAT/NTFS conditions
    dos_load_prim_table: MSDOS OEM name exists
    bsd_load_table: Table Sector: 1
    gpt_load_table: Sector: 1
    gpt_open: Trying other sector sizes
    gpt_open: Trying sector size: 512
    gpt_load_table: Sector: 1
    gpt_open: Trying sector size: 1024
    gpt_load_table: Sector: 1
    gpt_open: Trying sector size: 2048
    gpt_load_table: Sector: 1
    gpt_open: Trying sector size: 4096
    gpt_load_table: Sector: 1
    gpt_open: Trying sector size: 8192
    gpt_load_table: Sector: 1
    gpt_open: Trying secondary table
    gpt_load_table: Sector: 15728639
    raw_read: byte offset: 8053063168 len: 512
    raw_read: found in image 0 relative offset: 8053063168 len: 512
    gpt_open: Trying secondary table sector size: 512
    gpt_load_table: Sector: 15728639
    gpt_open: Trying secondary table sector size: 1024
    gpt_load_table: Sector: 7864319
    raw_read: byte offset: 8053062656 len: 1024
    raw_read: found in image 0 relative offset: 8053062656 len: 1024
    gpt_open: Trying secondary table sector size: 2048
    gpt_load_table: Sector: 3932159
    raw_read: byte offset: 8053061632 len: 2048
    raw_read: found in image 0 relative offset: 8053061632 len: 2048
    gpt_open: Trying secondary table sector size: 4096
    gpt_load_table: Sector: 1966079
    raw_read: byte offset: 8053059584 len: 4096
    raw_read: found in image 0 relative offset: 8053059584 len: 4096
    gpt_open: Trying secondary table sector size: 8192
    gpt_load_table: Sector: 983039
    raw_read: byte offset: 8053055488 len: 8192
    raw_read: found in image 0 relative offset: 8053055488 len: 8192
    sun_load_table: Trying sector: 0
    sun_load_table: Trying sector: 1
    mac_load_table: Sector: 1
    mac_load: Missing initial magic value
    mac_open: Trying 4096-byte sector size instead of 512-byte
    mac_load_table: Sector: 1
    mac_load: Missing initial magic value
A file system can be created without a partition table. It looks like there is a FAT volume (created on the /dev/sda device directly).
dos_load_prim_table: MSDOS OEM name exists
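
The distinction the answer draws can be checked directly on sector 0 of an image. The following is an added example, not part of the original posts and not The Sleuth Kit's code: the function names, the heuristics and the two sample sectors are constructed here for illustration.

```python
import struct

SECTOR = 512

def classify_sector0(sec: bytes) -> str:
    """Heuristically tell a volume boot record from an MBR partition table."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return "no-boot-signature"
    oem = sec[3:11]                      # OEM name field of a boot sector
    if oem == b"NTFS    ":
        return "ntfs-vbr"
    if oem == b"EXFAT   ":
        return "exfat-vbr"
    # FAT BPB sanity: jump opcode, bytes/sector, sectors/cluster, number of FATs
    bps, spc = struct.unpack_from("<HB", sec, 11)
    if (sec[0] in (0xEB, 0xE9) and bps in (512, 1024, 2048, 4096)
            and spc and spc & (spc - 1) == 0 and sec[16] in (1, 2)):
        return "fat-vbr"
    # MBR: four 16-byte entries at offset 446; status byte is 0x00 or 0x80
    entries = [sec[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    used = [e for e in entries if e[4] != 0]
    if used and all(e[0] in (0x00, 0x80) for e in entries):
        return "gpt-protective-mbr" if any(e[4] == 0xEE for e in used) else "mbr"
    return "unknown"

def classify_image(path: str) -> str:
    """Classify the first sector of a raw (dd) image file."""
    with open(path, "rb") as f:
        return classify_sector0(f.read(SECTOR))

def sample_fat32_vbr() -> bytes:
    """Constructed FAT32 boot sector (not taken from usb.dd)."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x58\x90"                          # jump + NOP
    sec[3:11] = b"MSDOS5.0"                             # OEM name
    struct.pack_into("<HBHB", sec, 11, 512, 8, 32, 2)   # bps, spc, reserved, FATs
    sec[82:90] = b"FAT32   "
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def sample_mbr() -> bytes:
    """Constructed MBR with one active FAT32-LBA partition entry."""
    sec = bytearray(SECTOR)
    sec[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x0C,
                               b"\xff\xff\xff", 2048, 15726592)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

if __name__ == "__main__":
    print(classify_sector0(sample_fat32_vbr()), classify_sector0(sample_mbr()))
```

Both sector types end in the same 0x55AA signature, so the signature alone cannot tell them apart. A `*-vbr` result means the file system begins at sector 0 and the image has no partition table to list.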