KBNLresearch / ipmlab

Image Portable Media Like A Boss
Apache License 2.0

IsoBuster DFXML report doesn't list files #6

Closed bitsgalore closed 2 years ago

bitsgalore commented 2 years ago

Example (floppy with FAT 12 fs):

<?xml version="1.0" encoding="UTF-8" ?>
<dfxml xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'
      xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
      xmlns:dc='http://purl.org/dc/elements/1.1/'
      xmlns:hfs='http://www.forensicswiki.org/wiki/HFS' version='1.0'>

   <metadata>
      <dc:type>Floppy Disk</dc:type>
   </metadata>

   <creator>
      <program>IsoBuster</program>
      <version>4.9.1.00</version>
      <execution_environment>
        <start_time>2022-06-02T16:42:28</start_time><!--GMT-->
        <os_version>Windows 10 (2.10.0.19042)</os_version>
        <username>johan</username>
      </execution_environment>
   </creator>

   <source>
       <device_model>Logical Volume (Floppy Drive)</device_model>
       <image_filename></image_filename>
       <image_size></image_size>
       <sectorsize>512</sectorsize>
       <devicesectors coding='base10'>2880</devicesectors>
   </source>

   <volume>
      <partition_offset>0</partition_offset>
      <ftype_str>FAT 12</ftype_str>

      <fileobject>
         <filename>\System Volume Information</filename>
         <name_type>d</name_type>
         <filesize>512</filesize>
         <alloc>1</alloc>
         <inode>2664</inode>
         <mtime>2022-05-25T14:54:42</mtime><!--GMT-->
         <byte_runs>
            <byte_run img_offset='1363968' len='512' />
         </byte_runs>
      </fileobject>
   </volume>

   <runstats>
      <stop_time>2022-06-02T16:42:28</stop_time><!--GMT-->
      <clock_seconds>0</clock_seconds>
   </runstats>

</dfxml>
<!-- For more information: https://www.isobuster.com/reports -->

When I open this image in IsoBuster's GUI it does list all the files, and export to DFXML results in the following output:

<?xml version="1.0" encoding="UTF-8" ?>
<dfxml xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'
      xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
      xmlns:dc='http://purl.org/dc/elements/1.1/'
      xmlns:hfs='http://www.forensicswiki.org/wiki/HFS' version='1.0'>

   <metadata>
      <dc:type>Image File</dc:type>
   </metadata>

   <creator>
      <program>IsoBuster</program>
      <version>4.9.1.00</version>
      <execution_environment>
        <start_time>2022-06-02T17:10:55Z</start_time>
        <os_version>Windows 10 (2.10.0.19042)</os_version>
        <username>johan</username>
      </execution_environment>
   </creator>

   <source>
       <device_model>disc.img</device_model>
       <image_filename>X:\iromlab-test\kb-e3b7ff89-e292-11ec-9d0a-0800272c26ff\05afb8e3-e293-11ec-b5dd-0800272c26ff\disc.img</image_filename>
       <image_size>1474560</image_size>
       <sectorsize>512</sectorsize>
       <devicesectors coding='base10'>2880</devicesectors>
   </source>

   <volume>
      <partition_offset>0</partition_offset>
      <ftype_str>FAT 12</ftype_str>

      <fileobject>
         <filename>\System Volume Information</filename>
         <name_type>d</name_type>
         <filesize>512</filesize>
         <alloc>1</alloc>
         <inode>2664</inode>
         <mtime>2022-05-25T16:54:42+02:00</mtime>
         <byte_runs>
            <byte_run img_offset='1363968' len='512' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\ARJ.EXE</filename>
         <name_type>r</name_type>
         <filesize>116260</filesize>
         <alloc>1</alloc>
         <inode>33</inode>
         <mtime>2022-05-25T16:46:50+02:00</mtime>
         <hfs:HFStype_creator>EXE File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='16896' len='116260' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\EXAMPLE.XLS</filename>
         <name_type>r</name_type>
         <filesize>35840</filesize>
         <alloc>1</alloc>
         <inode>261</inode>
         <mtime>2022-05-25T16:46:50+02:00</mtime>
         <hfs:HFStype_creator>XLS File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='133632' len='35840' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\MODELBES.WPD</filename>
         <name_type>r</name_type>
         <filesize>505075</filesize>
         <alloc>1</alloc>
         <inode>331</inode>
         <mtime>2022-05-25T16:46:50+02:00</mtime>
         <hfs:HFStype_creator>WPD File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='169472' len='505075' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\PEYSUB.XLS</filename>
         <name_type>r</name_type>
         <filesize>106496</filesize>
         <alloc>1</alloc>
         <inode>1318</inode>
         <mtime>2022-05-25T16:46:50+02:00</mtime>
         <hfs:HFStype_creator>XLS File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='674816' len='106496' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\SENS.XLS</filename>
         <name_type>r</name_type>
         <filesize>395264</filesize>
         <alloc>1</alloc>
         <inode>1526</inode>
         <mtime>2022-05-25T16:46:50+02:00</mtime>
         <hfs:HFStype_creator>XLS File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='781312' len='395264' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\SERIEVAL.XLS</filename>
         <name_type>r</name_type>
         <filesize>33280</filesize>
         <alloc>1</alloc>
         <inode>2298</inode>
         <mtime>2022-05-25T16:46:50+02:00</mtime>
         <hfs:HFStype_creator>XLS File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='1176576' len='33280' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\THSERV1.XLS</filename>
         <name_type>r</name_type>
         <filesize>141824</filesize>
         <alloc>1</alloc>
         <inode>2363</inode>
         <mtime>2022-05-25T16:46:50+02:00</mtime>
         <hfs:HFStype_creator>XLS File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='1209856' len='141824' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\WB.MOD</filename>
         <name_type>r</name_type>
         <filesize>11840</filesize>
         <alloc>1</alloc>
         <inode>2640</inode>
         <mtime>2022-05-25T16:46:50+02:00</mtime>
         <hfs:HFStype_creator>MOD File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='1351680' len='11840' />
         </byte_runs>
      </fileobject>

      <fileobject>
         <filename>\System Volume Information\IndexerVolumeGuid</filename>
         <name_type>r</name_type>
         <filesize>76</filesize>
         <alloc>1</alloc>
         <inode>2665</inode>
         <mtime>2022-05-25T16:54:42+02:00</mtime>
         <hfs:HFStype_creator>File/</hfs:HFStype_creator><!--Only relevant if MAC File System-->
         <byte_runs>
            <byte_run img_offset='1364480' len='76' />
         </byte_runs>
      </fileobject>
   </volume>

   <runstats>
      <stop_time>2022-06-02T17:10:55Z</stop_time>
      <clock_seconds>0</clock_seconds>
   </runstats>

</dfxml>
<!-- For more information: https://www.isobuster.com/reports -->

bitsgalore commented 2 years ago

Addition: tried replacing the existing format string with the 2 examples listed here, but to no avail.

bitsgalore commented 2 years ago

Contacted IsoBuster developer about this.

bitsgalore commented 2 years ago

This happens because the medium contains 2 file systems (one of which is empty), and the output for the fs that contains the files gets overwritten by the output for the empty fs. The IsoBuster developer suggested using the <%FN> parameter to report output for these file systems to separate files. Implemented as per here. Further thoughts:

  1. Where is the empty file system coming from anyway? Can we suppress output for empty fs?
  2. Cleaner solution might be to use the file system index (<%FI> parameter) rather than its name, see also here

bitsgalore commented 2 years ago

From the IsoBuster documentation:

https://www.isobuster.com/nl/help/fat_bestandssysteem_instellingen

During the mounting of the FAT file-system, IsoBuster also runs into deleted file and folder entries. These deleted files and folders are automatically added to a separate FAT file-system. Uncheck this option if you do not want this to happen automatically.

Since we're not really interested in any deleted files and folders this option should be unchecked.
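
The two comments above describe why a well-formed report can still be wrong: the deleted-entries FAT file system is written last and replaces the report for the real one. As an added check, not part of ipmlab or IsoBuster, the script below parses a DFXML report with Python's standard library, counts directory and regular-file entries per volume, confirms each byte_run lies inside the image (sectorsize times devicesectors from the source block), and flags a volume that lists no regular files; the two sample reports are constructed, modelled on the ones quoted in this issue.

```python
"""Sanity-check an IsoBuster DFXML report for the symptom in this issue."""
import xml.etree.ElementTree as ET

NS = {"d": "http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML"}

# Constructed samples, modelled on the reports quoted above (not copied).
# EMPTY: the FAT 12 volume holds a directory entry only, no regular files,
# which is what the report looks like after the empty FS has overwritten it.
EMPTY = f"""<dfxml xmlns="{NS['d']}" version="1.0">
 <source><sectorsize>512</sectorsize>
  <devicesectors coding="base10">2880</devicesectors></source>
 <volume><ftype_str>FAT 12</ftype_str>
  <fileobject><filename>\\System Volume Information</filename>
   <name_type>d</name_type><filesize>512</filesize>
   <byte_runs><byte_run img_offset="1363968" len="512"/></byte_runs>
  </fileobject></volume></dfxml>"""
# FULL: the same volume plus one regular file whose byte run is deliberately
# placed past the end of the 1474560-byte image, so the bounds check fires.
FULL = EMPTY.replace("</volume>", """
  <fileobject><filename>\\ARJ.EXE</filename><name_type>r</name_type>
   <filesize>116260</filesize>
   <byte_runs><byte_run img_offset="1474000" len="116260"/></byte_runs>
  </fileobject></volume>""")

def summarise_volumes(dfxml_text):
    """Return one (ftype_str, dir_count, file_count, problems) per volume."""
    root = ET.fromstring(dfxml_text)
    src = root.find("d:source", NS)
    # Image size derived from the source block: sectorsize * devicesectors.
    image_size = (int(src.findtext("d:sectorsize", namespaces=NS))
                  * int(src.findtext("d:devicesectors", namespaces=NS)))
    report = []
    for vol in root.findall("d:volume", NS):
        counts, problems = {"d": 0, "r": 0}, []
        for fo in vol.findall("d:fileobject", NS):
            kind = fo.findtext("d:name_type", namespaces=NS)
            counts[kind] = counts.get(kind, 0) + 1
            name = fo.findtext("d:filename", namespaces=NS)
            for run in fo.findall("d:byte_runs/d:byte_run", NS):
                end = int(run.get("img_offset")) + int(run.get("len"))
                if end > image_size:
                    problems.append(f"{name}: byte_run ends at {end}, "
                                    f"image is only {image_size} bytes")
        if counts["r"] == 0:
            problems.append("no regular files listed: deleted-entries FS, "
                            "or the report was overwritten by an empty FS")
        report.append((vol.findtext("d:ftype_str", namespaces=NS),
                       counts["d"], counts["r"], problems))
    return report
```

Run it over the DFXML that ipmlab writes per medium; a FAT volume that comes back with zero regular files is the case this issue describes and should be rejected before the image is accepted as complete.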

bitsgalore commented 2 years ago

Removed <%FN> parameter in the end: https://github.com/KBNLresearch/ipmlab/commit/07fca84e1a820237510bd3cb9f7e9b7cfa968d82