This repository was archived by the owner on Feb 14, 2026. It is now read-only.

Artefact extraction fails - possibly due to multi-part E01? #33

@Bloggzy

Firstly, I just want to say this project is awesome, and has a huge amount of potential, just well done, and keep up the amazing work!

Context: I was trying the project out and tried using the .e01 files from DFIRMadness ("The Case of the Stolen Szechuan Sauce"):

I tried extracting artefacts (Windows Event Logs) from the image, but it kept on failing.

The log file reads as follows:

2025-07-13 10:23:30,220 [WARNING] (MainProcess) PID:21 <tools> This version of plaso is more than 6 months old. We strongly recommend to update it.
2025-07-13 10:23:30,285 [WARNING] (MainProcess) PID:21 <image_export> Unable to scan for a supported file system with error: Unable to scan source with error: Unable to process source path specification with error: OSError('pyewf_handle_read_buffer: unable to read data. libewf_read_io_handle_read_chunk_data: missing chunk data: 368639. libewf_handle_read_buffer: unable to read chunk data: 368639.') Most likely the image format is not supported by the tool.

I'm not sure why this is failing, but one thing that occurred to me was that the .e01 file is multi-part:

  • 20200918_0347_CDrive.E01
  • 20200918_0347_CDrive.E02

I tried creating my own (single-part) .e01 disk image and the process worked fine.

To replicate:

  • Download the "DC01-E01.zip" and try it for yourself.

Other info:
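A pre-flight check for the multi-part theory raised in this issue, as an added example that is not part of the original report or of the project's code: it reads each segment's 13-byte EWF header and follows the section chain to confirm that the set is contiguous and that only the final segment ends in a `done` section. The function names are hypothetical, and only the `.E01` to `.E99` naming range is handled.

```python
import re
import struct
from pathlib import Path

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # start of every EWF-E01 segment file


def inspect_segment(path):
    """Return (segment number, type of last section), or None if not EWF."""
    with open(path, "rb") as fh:
        header = fh.read(13)  # signature, 0x01, uint16 LE segment number, 2 pad
        if len(header) < 13 or header[:8] != EVF_SIGNATURE:
            return None
        number = struct.unpack_from("<H", header, 9)[0]
        offset = 13
        while True:  # follow the chain of section descriptors
            fh.seek(offset)
            desc = fh.read(24)  # 16-byte type string + uint64 LE next offset
            if len(desc) < 24:
                return number, "truncated"
            kind = desc[:16].rstrip(b"\x00").decode("ascii", "replace")
            nxt = struct.unpack_from("<Q", desc, 16)[0]
            if kind in ("next", "done") or nxt <= offset:
                return number, kind
            offset = nxt


def check_segment_set(first_segment):
    """Return a list of problems in the set that starts at <name>.E01."""
    first = Path(first_segment)
    found = {}
    for p in first.parent.iterdir():
        m = re.fullmatch(r"\.[Ee](\d\d)", p.suffix)
        if m and p.stem == first.stem:
            found[int(m.group(1))] = p
    if not found:
        return ["no segment files found"]
    problems, last = [], max(found)
    for n in range(1, last + 1):
        want = "done" if n == last else "next"
        info = inspect_segment(found[n]) if n in found else None
        if n not in found:
            problems.append(f"segment {n} is missing")
        elif info is None:
            problems.append(f"{found[n].name} is not an EWF segment")
        elif info[0] != n:
            problems.append(f"{found[n].name} header says segment {info[0]}")
        elif info[1] != want:
            problems.append(f"{found[n].name} ends in '{info[1]}', expected '{want}'")
    return problems
```

An empty list means every segment from 1 to the highest one present is in place and the last one closes the set; a final segment that ends in `next` means a later segment file is not in the same directory.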
