From pablojr at gmail.com Mon Nov 14 14:36:06 2011
From: pablojr at gmail.com (Pablo Rogina)
Date: Mon, 14 Nov 2011 10:36:06 -0300
Subject: [dff] Help using NSRL database with DFF
Message-ID:

Hi,

has anybody been lucky to use the NSRL database with DFF just to
identify (or exclude) all OS known files?

Thanks in advance.

Pablo J. Rogina

From fba at arxsys.fr Mon Nov 14 15:53:35 2011
From: fba at arxsys.fr (Frédéric Baguelin)
Date: Mon, 14 Nov 2011 15:53:35 +0100
Subject: [dff] Help using NSRL database with DFF
In-Reply-To:
References:
Message-ID: <4EC12B6F.4090703@arxsys.fr>

Hi Pablo,

Romain worked on a PoC to integrate the NSRL database in DFF. It's currently in stand-by but it would be great to provide this feature.

The main issue with NSRL is its default file format (an iso containing a zipped text file...). It is not directly usable; there's a need to pre-process the database in order to provide fast detection. Then, it also depends on what you really need: just determining if the signature is known or not, or being able, from a hash, to determine that it comes from Windows Vista Business SP2 x64.

Besides the ability to identify or exclude all OS known files, we also wanted to add a tag in order to detect if the file has been tampered with or replaced (same filename but different signature, for example).

We could discuss what's best to do. Do not hesitate to tell us what your needs are exactly.

Regards,

On 11/14/2011 02:36 PM, Pablo Rogina wrote:
> Hi,
>
> has anybody been lucky to use the NSRL database with DFF just to
> identify (or exclude) all OS known files?
>
> Thanks in advance.
>
> Pablo J. Rogina

--
Frédéric Baguelin
frederic.baguelin at arxsys.fr
ArxSys SAS, Technical Director
Tel: +33 146 362 522

From rlee at sans.org Tue Nov 15 00:32:03 2011
From: rlee at sans.org (Rob Lee)
Date: Mon, 14 Nov 2011 15:32:03 -0800 (PST)
Subject: [dff] Building DFF within SIFT 2.11 - ewf error
In-Reply-To:
References:
Message-ID: <1321313523.19389.YahooMailNeo@web112115.mail.gq1.yahoo.com>

All,

I'm trying to test build DFF within the SIFT Workstation 2.11 and encountering some issues and wondering if anyone has a thought or a fix? This is for a bugfix release that I was trying to get it built into as an added bonus.

It is on Ubuntu 9.10

Linux SIFT-Workstation 2.6.31-23-generic #75-Ubuntu SMP Fri Mar 18 18:08:39 UTC 2011 i686 GNU/Linux

It builds successfully for AFF and Raw image types but is hanging on the ewf support.

I have attempted the debian repository for libewf, the raw source for it (versions 20080501 and 20100226). Still fails. It detects it successfully during the build. See output below. I'd like to include the ewf support in this release as many use only .E01 files, but I'm ok with just raw as mount_ewf.py still functions correctly as a cheat. Just hate it when something fails.

Any advice?

--Rob

root at SIFT-Workstation:/usr/local/src/dff-build# cmake -DINSTALL=YES /usr/local/src/dff-1.2.0/
-- Will use -g for debugging -- no
-- Preparing installation mode
-- PFF installed version: 20110413
-- EWF installed version: 20080501
-- library: /usr/local/lib/libewf.so
-- Python library found: /usr/lib/libpython2.6.so
-- Python header found: /usr/include/python2.6
-- Python in: /usr/bin
-- Found Python executable: /usr/bin/python
-- Found Python version: 2.6.4
-- Found Python library: /usr/lib/libpython2.6.so
-- Found PyQt4 version: 4.6
-- Python magic found: /usr/lib/python2.6/dist-packages/magic.so
-- Python QT4 libraries bindings found: /usr/lib/pymodules/python2.6/PyQt4
-- Python Qt4 linguist translation files updater found: /usr/bin/pylupdate4
-- QT translation compiler found: /usr/bin/lrelease
-- Python Qt4 user interface compiler found: /usr/bin/pyuic4
-- Python Qt4 resource compiler found: /usr/bin/pyrcc4
-- BISON files already generated and setted to /usr/local/src/dff-1.2.0/api/filters/parser.cpp
-- FLEX files already generated and setted to /usr/local/src/dff-1.2.0/api/filters/{lexer.hpp,lexer.cpp}
-- 3.6.8
Updating '../../../ui/gui/i18n/Dff_de.ts'...
    Found 315 source texts (0 new and 315 already existing)
Updating '../../../ui/gui/i18n/Dff_en.ts'...
    Found 315 source texts (0 new and 315 already existing)
Updating '../../../ui/gui/i18n/Dff_es.ts'...
    Found 315 source texts (0 new and 315 already existing)
Updating '../../../ui/gui/i18n/Dff_fr.ts'...
    Found 315 source texts (0 new and 315 already existing)
Updating '../../../ui/gui/i18n/Dff_it.ts'...
    Found 315 source texts (0 new and 315 already existing)
Updating '../../../ui/gui/i18n/Dff_nl.ts'...
    Found 315 source texts (0 new and 315 already existing)
Updating '../../../ui/gui/i18n/Dff_zh.ts'...
    Found 315 source texts (0 new and 315 already existing)
-- Configuring done
-- Generating done
-- Build files have been written to: /usr/local/src/dff-build

root at SIFT-Workstation:/usr/local/src/dff-build# make -j2
[ 91%] Building CXX object modules/connector/ewf/CMakeFiles/_EWF.dir/ewfPYTHON_wrap.cxx.o
[ 93%] Built target _AFF
[ 93%] Building CXX object modules/connector/ewf/CMakeFiles/_EWF.dir/ewf.cpp.o
In file included from /usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:17:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp:51: error: ISO C++ forbids declaration of ‘libewf_error_t’ with no type
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp:51: error: expected ‘;’ before ‘*’ token
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp:53: error: ‘libewf_error_t’ has not been declared
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp:54: error: ‘libewf_error_t’ has not been declared
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In constructor ‘ewf::ewf()’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:25: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘void ewf::__cleanup()’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:36: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:38: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:38: error: ‘libewf_error_free’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:39: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:43: error: ‘libewf_handle_close’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:44: error: ‘libewf_handle_free’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘void ewf::__checkSignature(std::list >)’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:65: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:72: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:75: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:75: error: ‘libewf_error_backtrace_sprint’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: At global scope:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:92: error: ‘libewf_error_t’ has not been declared
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘void ewf::__initHandle(libewf_handle_t**, int**)’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:97: error: ‘libewf_handle_initialize’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:102: error: ‘libewf_error_backtrace_sprint’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: At global scope:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:113: error: ‘libewf_error_t’ has not been declared
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘void ewf::__openHandle(libewf_handle_t*, int**)’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:118: error: ‘libewf_handle_open’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:123: error: ‘libewf_error_backtrace_sprint’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘void ewf::__getVolumeName()’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:140: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:140: error: ‘libewf_handle_get_utf8_header_value_size’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:145: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:145: error: ‘libewf_handle_get_utf8_header_value’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘void ewf::__getVolumeSize()’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:158: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:158: error: ‘libewf_handle_get_media_size’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:160: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:163: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:163: error: ‘libewf_error_backtrace_sprint’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘virtual void ewf::start(std::map, std::allocator >, Variant*, std::less, std::allocator > >, std::allocator, std::allocator >, Variant*> > >)’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:189: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:191: error: ‘class ewf’ has no member named ‘__ewf_error’
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘virtual int ewf::vread(int, void*, unsigned int)’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:240: error: ‘libewf_handle_read_buffer’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘virtual int ewf::vclose(int)’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:262: error: ‘libewf_handle_close’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:263: error: ‘libewf_handle_free’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘virtual uint64_t ewf::vseek(int, uint64_t, int)’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:279: error: ‘libewf_handle_seek_offset’ was not declared in this scope
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp: In member function ‘virtual uint64_t ewf::vtell(int32_t)’:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.cpp:303: error: ‘libewf_handle_get_offset’ was not declared in this scope
make[2]: *** [modules/connector/ewf/CMakeFiles/_EWF.dir/ewf.cpp.o] Error 1
make[2]: *** Waiting for unfinished jobs....
In file included from /usr/local/src/dff-build/modules/connector/ewf/ewfPYTHON_wrap.cxx:3663:
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp:51: error: ISO C++ forbids declaration of ‘libewf_error_t’ with no type
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp:51: error: expected ‘;’ before ‘*’ token
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp:53: error: ‘libewf_error_t’ has not been declared
/usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp:54: error: ‘libewf_error_t’ has not been declared
make[2]: *** [modules/connector/ewf/CMakeFiles/_EWF.dir/ewfPYTHON_wrap.cxx.o] Error 1
make[1]: *** [modules/connector/ewf/CMakeFiles/_EWF.dir/all] Error 2

From jmore at starmind.org Tue Nov 15 00:39:28 2011
From: jmore at starmind.org (Josh More)
Date: Mon, 14 Nov 2011 17:39:28 -0600
Subject: [dff] [DFIR] Building DFF within SIFT 2.11 - ewf error
In-Reply-To: <1321313523.19389.YahooMailNeo@web112115.mail.gq1.yahoo.com>
References: <1321313523.19389.YahooMailNeo@web112115.mail.gq1.yahoo.com>
Message-ID:

As a test, modify line 51 of /usr/local/src/dff-1.2.0/modules/connector/ewf/ewf.hpp and assign a type for ‘libewf_error_t’.
If it builds then, you either do not have something included properly which defines the type or there is a bug in the ewf library.

I used to see stuff like this all the time as gcc and glibc updates got released (on both Linux and SCO Unix).

-Josh

From fba at arxsys.fr Tue Nov 15 10:04:39 2011
From: fba at arxsys.fr (Frédéric Baguelin)
Date: Tue, 15 Nov 2011 10:04:39 +0100
Subject: [dff] [DFIR] Building DFF within SIFT 2.11 - ewf error
In-Reply-To: <1321313523.19389.YahooMailNeo@web112115.mail.gq1.yahoo.com>
References: <1321313523.19389.YahooMailNeo@web112115.mail.gq1.yahoo.com>
Message-ID: <4EC22B27.5090907@arxsys.fr>

Hi Rob, hi lists,

First of all, great to read about the integration of DFF in SIFT!

Concerning the building issue, it comes from the version of the ewf library (EWF installed version: 20080501). The EWF module in DFF is now built from the latest API version of libewf (version 2). Unfortunately very few distributions actually have packaged it... We are currently working with people of the debian-forensics distribution to be able to have a dedicated package.

At the moment, you will need to fetch the latest tarball from Joachim Metz on sourceforge [1] and do the famous ./configure && make && make install.

If you need PST mailboxes support, you will need to fetch, compile and install libbfio [2] first and then libpff [3].

Do not hesitate to provide feedback if there are new issues.

Regards,

[1] http://sourceforge.net/projects/libewf/files/latest/download?_test=goal
[2] http://sourceforge.net/projects/libbfio/files/latest/download?_test=goal
[3] http://sourceforge.net/projects/libpff/files/latest/download?_test=goal

--
Frédéric Baguelin
frederic.baguelin at arxsys.fr
ArxSys SAS, Technical Director
Tel: +33 146 362 522
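
Added example (not part of the original thread, and not DFF or libewf project code): a pre-build probe for the failure discussed above, checking that the libewf headers the compiler will see declare the identifiers the DFF 1.2.0 EWF connector uses. The identifier list is copied from the "not declared" errors in the build log; the helper name ewf_missing_symbols and its include-directory argument are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not DFF or libewf project code.
# Identifiers copied from the "not declared" errors in the build log above;
# the EWF connector in DFF 1.2.0 needs all of them from the libewf headers.
EWF_V2_SYMBOLS="
libewf_error_t
libewf_error_free
libewf_error_backtrace_sprint
libewf_handle_initialize
libewf_handle_open
libewf_handle_close
libewf_handle_free
libewf_handle_read_buffer
libewf_handle_seek_offset
libewf_handle_get_offset
libewf_handle_get_media_size
libewf_handle_get_utf8_header_value_size
libewf_handle_get_utf8_header_value
"

# ewf_missing_symbols INCLUDE_DIR   (hypothetical helper name)
# Prints each required identifier that the headers under INCLUDE_DIR never
# mention. Returns 0 if none are missing, 1 if some are, 2 if libewf.h is absent.
# This is a textual feature probe: it does not compile anything.
ewf_missing_symbols() {
    _ewf_inc=$1
    if [ ! -f "$_ewf_inc/libewf.h" ]; then
        echo "no libewf.h under $_ewf_inc" >&2
        return 2
    fi
    # Search libewf.h and, when present, the libewf/ directory of headers
    # that libewf.h includes.
    set -- "$_ewf_inc/libewf.h"
    if [ -d "$_ewf_inc/libewf" ]; then
        set -- "$@" "$_ewf_inc/libewf"
    fi
    _ewf_rc=0
    for _ewf_sym in $EWF_V2_SYMBOLS; do
        # -w matches whole words only, so a header that has just
        # libewf_handle_get_utf8_header_value_size does not count as
        # declaring libewf_handle_get_utf8_header_value.
        if ! grep -rqw -- "$_ewf_sym" "$@"; then
            echo "$_ewf_sym"
            _ewf_rc=1
        fi
    done
    return "$_ewf_rc"
}

# Stand-alone use: pass the include directory to check as the first argument.
if [ "$#" -gt 0 ]; then
    ewf_missing_symbols "$1"
fi
```

Running it against each include directory that holds a libewf.h shows which installed copy is the stale one before cmake and make are started.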