Toolkit for Retrieval and Analysis of Cyber Evidence (TRACE)
TRACE is a digital forensic tool I developed as my final year project. It provides an intuitive interface for analyzing disk images and includes a range of functionalities to assist forensic examiners in extracting and viewing the contents of various image file formats.
Navigation ๐งญ
- Preview ๐
- Features ๐
- Screenshots ๐ธ
- Supported Image Formats ๐พ
- Tested File Systems ๐๏ธ
- Cross-Platform Compatibility ๐ฅ๏ธ๐ป
- Getting Started ๐
- Built With ๐งฑ
- Work in Progress ๐ ๏ธ
- Testing & Feedback ๐งช
- Contributing ๐ค
- Socials ๐จโ๐ป
Preview ๐ โฌ๏ธ
Features ๐ โฌ๏ธ
โ *Image Mounting: Mount forensic disk images. (Windows only) \ โ Tree Viewer: Navigate through the disk image structure, including partitions and files.\ โ Detailed File Analysis: View file content in different formats, such as HEX, text, and application-specific views.\ โ EXIF Data Extraction: Extract and display EXIF metadata from photos.\ โ Registry Viewer: View and examine Windows registry files.\ โ Basic File Carving: Recover deleted files from disk images.\ โ Virus Total API Integration: Check files for malware using the Virus Total API.\ โ E01 Image Verification: Verify the integrity of E01 disk images.\ โ Convert E01 to Raw: Convert E01 disk images to raw format.\ โ Message Decoding: Decode messages from base64, binary, and other encodings.
Screenshots ๐ธ โฌ๏ธ
Registry Browser ๐๏ธ
File Carving ๐ช
File Search ๐
Image Verification โ
Supported Image Formats ๐พ โฌ๏ธ
| Image Format | Extensions | Split | Unsplit |
|---|---|---|---|
| EnCaseยฎ Image File (EVF / Expert Witness Format) | *.E01 *.Ex01 |
โ๏ธ | โ๏ธ |
| SMART/Expert Witness Image File | *.s01 |
โ๏ธ | โ๏ธ |
| Single Image Unix / Linux DD / Raw | *.dd, *.img, *.raw |
โ๏ธ | โ๏ธ |
| ISO Image File | *.iso |
โ๏ธ | |
| AccessData Image File | *.ad1 |
โ๏ธ | โ๏ธ |
Tested File Systems ๐๏ธ โฌ๏ธ
| File System | Tested |
|---|---|
| NTFS | โ๏ธ |
| FAT32 | |
| exFAT | |
| HFS+ | |
| APFS | |
| EXT2,3,4 |
Cross-Platform Compatibility ๐ป๐ฅ๏ธ โฌ๏ธ
| Operating System | Screenshot |
|---|---|
| macOS Sonoma ๐ |  |
| Kali Linux 2024 ๐ง |  |
| *WSL2 - Ubuntu 22.04.3 LTS ๐ง |  |
| Windows 10 ๐ |  |
Getting Started ๐ โฌ๏ธ
Prerequisites ๐ง
For Windows:
*There's a compatibility issue with Python 3.12. Please install Python 3.11 from the official Python website: https://www.python.org/downloads/release/python-3110/
If you don't already have Microsoft C++ Build Tools installed, you'll need to install them to compile required packages like libewf-python and pytsk3.
Step 1: Download and Install Microsoft C++ Build Tools - https://visualstudio.microsoft.com/visual-cpp-build-tools/ During the installation, make sure to select the following workloads:
- Desktop development with C++
- C++ build tools
Step 2: Install the Dependencies
pip install -r requirements.txtFor macOS - Apple Silicon:
Create a virtual environment with python 3.11
python3.11 -m venv venv
source venv/bin/activatechmod +x install_macos_silicon.sh./install_macos_silicon.shThis script will:
- Check if Homebrew is installed and offer to install it if itโs not.
- Install necessary system dependencies (ffmpeg and poppler) using Homebrew.
- Install all Python dependencies specified in requirements_macos_silicon.txt using pip.
For Ubuntu on WSL:
chmod +x WSL_Ubuntu_install.sh./WSL_Ubuntu_install.shThis script will:
- Update package lists and install necessary system packages including graphics libraries and sound management tools.
- Install necessary Python dependencies from requirements_macos_silicon.txt (same requirements for Ubuntu).
Configuration โ๏ธ
API Keys Configuration:The tool integrates with VirusTotal and Veriphone APIs, and you will need to provide your own API keys to use these features. To update the API keys, go to the Options menu and select API Keys submenu.
Running the Tool โถ๏ธ
python main.pyBuilt With ๐งฑ โฌ๏ธ
- pytsk3 - Python bindings for the SleuthKit
- libewf-python - Library to access the Expert Witness Compression Format (EWF)
- PySide6 - Used for the GUI components.
- Arsenal Image Mounter - For mounting forensic disk images.
Work in Progress ๐งโ๐ง โฌ๏ธ
- Direct Video/Audio Playback: Currently, the video and audio player saves files temporarily before playing them, which can cause delays. The goal is to enable direct playback for faster performance.
- Integrated File Search and Viewer: The file search functionality is not yet connected to the "Viewer Tab," which displays HEX, text, application-specific views, metadata, and other details. This integration needs to be implemented.
- Cross-Platform Image Mounting: Image mounting currently works only on Windows using the Arsenal Image Mounter executable. The aim is to make this feature work across all platforms without relying on external executables.
- File Carving and Viewer Integration: The file carving functionality is not yet connected to the "Viewer Tab," where users can view HEX, text, application-specific views, and metadata. Additionally, the current file carving process does not distinguish between deleted and non-deleted files; it will "carve" all files of the selected type from the disk image.
- Color Issues in Dark Mode: The software currently has some colour display issues on Linux and macOS systems when using dark mode. Certain UI elements may not be clearly visible or may appear incorrectly.
Testing & Feedback ๐งช โฌ๏ธ
- Tested Formats: The tool has primarily been tested with
ddandE01files. While these formats are well-supported, additional testing with other formats, such asEx01,Lx01,s01, and others, is needed. - Tested File Systems: Currently, the tool has only been tested on the NTFS file system. Testing on additional file systems like FAT32, exFAT, HFS+, APFS, EXT4, and others is needed to ensure broader compatibility.
- Call for Samples: If you have disk images in formats that are less tested (
Ex01,Lx01,s01, etc.), your contributions would be greatly appreciated to help improve the tool's compatibility and robustness. - Feedback Welcome: Please report any issues or unexpected behaviour to help improve the tool. Contributions and testing feedback are encouraged and welcomed.
Contributing ๐ค โฌ๏ธ
I welcome contributions from the community to help improve TRACE! If you're interested in contributing, hereโs how you can get involved:
How to Contribute
- Report Issues: If you find any bugs or have suggestions for improvements, please open an issue on GitHub. Provide as much detail as possible to help address the issue effectively.
- Submit a Pull Request: If you have a fix or feature youโd like to contribute, please fork the repository, make your changes, and submit a pull request. Ensure your code adheres to the coding standards and includes tests where applicable.
- Provide Testing Samples: If you have disk images in formats that are less tested (
Ex01,Lx01,s01, etc.), your contributions would be greatly appreciated to help improve the toolโs compatibility and robustness. You can share these samples by contacting me. - Review and Feedback: Review the changes submitted by others and provide feedback to help refine and enhance the tool.
Socials ๐จโ๐ป โฌ๏ธ
