pjrinaldi / wombatforensics

linux c++, fox-toolkit, multi-threaded forensic gui tool
GNU General Public License v2.0

Respective Properties Population #113

Closed pjrinaldi closed 9 years ago

pjrinaldi commented 9 years ago

Original issue 114 created by pjrinaldi on 2014-07-15T13:55:04.000Z:

Need to properly specify the file system volume name in the file system node.

pjrinaldi commented 9 years ago

Comment #1 originally posted by pjrinaldi on 2014-07-15T14:00:27.000Z:

Started.

pjrinaldi commented 9 years ago

Comment #2 originally posted by pjrinaldi on 2014-07-15T14:16:02.000Z:

This appears to be dependent on the file system type. So I'll have to combine the code since it doesn't appear to be stored in tsk's INFO* files of any kind.

pjrinaldi commented 9 years ago

Comment #3 originally posted by pjrinaldi on 2014-07-15T14:32:50.000Z:

open file system automatically links TSK_FS_INFO*->fsstat to the correct function such as ntfs_fsstat for ntfs, exfatfs_fsstat for exfat, etc...

So I will need to go into each respective c file and pull out the functions I need or I will have to fork it, which I don't want to do.

pjrinaldi commented 9 years ago

Comment #4 originally posted by pjrinaldi on 2014-07-15T21:43:11.000Z:

I can possibly get the TSK_FS_FILE* for the root inum. Then I can get the attribute which might have the volume name using tsk_fs_file_attr_get_type() with a TSK_FS_ATTR_TYPE_NTFS_VNAME = 0x60 from the TSK_FS_ATTR_TYPE_ENUM and an id_used of 0 or whatever. Try to find examples of using the tsk_fs_file_attr_get_type function...

pjrinaldi commented 9 years ago

Comment #5 originally posted by pjrinaldi on 2014-07-23T12:41:05.000Z:

I know how to access attributes to get more information for each file. There are 2 ways to try and obtain the file system label (volume name) for different file system types:

  1. cast (ISO_INFO* | EXT2FS_INFO* | NTFS_INFO* | etc...) TSK_FS_INFO* tmpfsinfo and then I can access the respective functions from each .c file (ntfs.c, ext2fs.c, iso9660.c, etc) to get what I need. A switch statement for each FS_TYPE should work swimmingly.
  2. If this doesn't work, then I can't simply cast it, but have to generate it. Method 1 should work out very nicely.

pjrinaldi commented 9 years ago

Comment #6 originally posted by pjrinaldi on 2014-07-23T21:10:35.000Z:

It works. I can now get the NTFS file system label (volume name).

I now need to do the following:

  1. determine what extra information I want to obtain from the fs code.
  2. complete switch for each option writing the results to the case.db
  3. use this information to populate the rest of the properties for each respective element.

pjrinaldi commented 9 years ago

Comment #7 originally posted by pjrinaldi on 2014-07-24T13:28:19.000Z:

making more progress trying to figure out the most efficient way to determine the value making the most use of the tsk functions.

pjrinaldi commented 9 years ago

Comment #8 originally posted by pjrinaldi on 2014-08-01T01:34:57.000Z:

got the volume names from the ones that contain volume names. need to finish hfs, since it's a pain with a lot of custom functions that I either need to rewrite in wombatfunctions or learn how to link the c file output and call them that way without reinventing the wheel a bunch of times.

pjrinaldi commented 9 years ago

Comment #9 originally posted by pjrinaldi on 2014-08-05T11:28:14.000Z:

I can make use of the tsk_fatxxfs.h fatfs->sb->values to get the values for fat. If I want to stay generic, then I can simply use tsk-blockread to get the respective values.

pjrinaldi commented 9 years ago

Comment #10 originally posted by pjrinaldi on 2014-08-05T11:36:20.000Z:

updated the summary to more accurately reflect the task.

pjrinaldi commented 9 years ago

Comment #11 originally posted by pjrinaldi on 2014-08-05T17:06:21.000Z:

UFS#, fat, exfat, ext#, iso9660 allow for fs_info->struct->item_properties.

NTFS requires some functional information to get it, but still has some struct->item_properties that can be used.

hfs may or may not, depending on the hfs/hfs+ bit. I'll have to look into it further.

pjrinaldi commented 9 years ago

Comment #12 originally posted by pjrinaldi on 2014-08-05T17:07:29.000Z:

collection of sample images to test against.

pjrinaldi commented 9 years ago

Comment #13 originally posted by pjrinaldi on 2014-08-06T10:17:21.000Z:

raw image - has image part list. aff image - has aff type (aff, afd, afm), as well as md5 or sha1 hash and information from examiner when the image was created. ewf image - has the md5 hash only. Should be able to upgrade that to find the other bits of information at some point in the future.

pjrinaldi commented 9 years ago

Comment #14 originally posted by pjrinaldi on 2014-08-10T02:00:38.000Z:

got aff property information input. now need to do raw and ewf.

pjrinaldi commented 9 years ago

Comment #15 originally posted by pjrinaldi on 2014-08-10T02:05:12.000Z:

For the Description property, I can tell what byte offset it's at and then for the given image/property display the respective hex value.

pjrinaldi commented 9 years ago

Comment #16 originally posted by pjrinaldi on 2014-08-19T13:04:06.000Z:

got all the ewf property information input. now I need to reorder it and fill in the description values for each entity.

pjrinaldi commented 9 years ago

Comment #17 originally posted by pjrinaldi on 2014-08-20T01:02:32.000Z:

need to do the volume properties information. then i can go back and integrate the file system property information.

pjrinaldi commented 9 years ago

Comment #18 originally posted by pjrinaldi on 2014-08-20T01:03:42.000Z:

also need to do the ewf descriptions as well at some point

pjrinaldi commented 9 years ago

Comment #19 originally posted by pjrinaldi on 2014-08-25T21:53:58.000Z:

Not really anything from the volume properties information. the only thing I really need to do is list the starting sector, ending sector and the length of each partition. should do this in three info values...

pjrinaldi commented 9 years ago

Comment #20 originally posted by pjrinaldi on 2014-08-26T17:59:14.000Z:

got initial extX code in place. need to convert the given variables to string properly, otherwise we're good to go.

pjrinaldi commented 9 years ago

Comment #21 originally posted by pjrinaldi on 2014-08-26T19:26:58.000Z:

figured out a way to convert the values. Now I need to determine where I will get these values, whether it will be from the objects table, or the properties table, or whether I should move some of the objects properties that aren't used into the properties table where they will be used. for example, if there is no column in the treeview, move it into the properties table. if the value is not used to calculate something, move it into the properties table.

pjrinaldi commented 9 years ago

Comment #22 originally posted by pjrinaldi on 2014-08-27T02:53:23.000Z:

working on ext2fs properties information. Need to finish the rest of the useful properties and then move on to the next filesystem, etc.

pjrinaldi commented 9 years ago

Comment #23 originally posted by pjrinaldi on 2014-08-30T02:18:39.000Z:

ext2fs done. moving on to ufs1 and ufs2 next.

pjrinaldi commented 9 years ago

Comment #24 originally posted by pjrinaldi on 2014-10-01T18:34:46.000Z:

Done with dos, bsd, mac/apple sun sparc and sun i386 volume systems. now onto gpt volume systems. then back to file systems.

pjrinaldi commented 9 years ago

Comment #25 originally posted by pjrinaldi on 2014-10-02T20:04:58.000Z:

done with the partitions. Finished fat and ntfs file systems. need to do exfat, hfs, iso, yaffs2

pjrinaldi commented 9 years ago

Comment #26 originally posted by pjrinaldi on 2014-10-05T17:15:43.000Z:

figured out how to display the datetime, just need to implement the functionality for fit in a generic function

pjrinaldi commented 9 years ago

Comment #27 originally posted by pjrinaldi on 2014-10-05T17:16:32.000Z:

From the ISO spec:

Offset  Size  Datatype  Description
0       4     strD      Year from 1 to 9999.
4       2     strD      Month from 1 to 12.
6       2     strD      Day from 1 to 31.
8       2     strD      Hour from 0 to 23.
10      2     strD      Minute from 0 to 59.
12      2     strD      Second from 0 to 59.
14      2     strD      Hundredths of a second from 0 to 99.
16      1     int8      Time zone offset from GMT in 15 minute intervals, starting at interval -48 (west) and running up to interval 52 (east). So value 0 indicates interval -48 which equals GMT-12 hours, and value 100 indicates interval 52 which equals GMT+13 hours.

All fields except for the offset from GMT are in ASCII digits. When the date and time is not specified, all string fields are ASCII '0' (for a total of 16 ASCII zeroes) and the last field is binary zero.
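A worked decoder for the 17-byte volume descriptor date/time laid out above, written as an added example for this thread and not taken from wombatforensics or from The Sleuth Kit. It treats the first 16 bytes as fixed-width ASCII digit fields (so the raw bytes are converted to numbers rather than printed as their decimal codes), decodes the last byte with the 0 = GMT-12 / 100 = GMT+13 mapping the comment quotes, recognises the all-zero "not specified" encoding, and rejects fields that are not digits or fall outside the stated ranges. The function names, the output string format and the sample bytes in main() are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Decoded ISO 9660 volume descriptor date/time (the 17-byte field above). */
typedef struct {
    bool specified;       /* false when on-disk field is 16 ASCII '0' + binary 0 */
    int year, month, day;
    int hour, minute, second, hundredths;
    int tz_quarter_hours; /* offset from GMT in 15-minute intervals, -48..52 */
} iso_dec_datetime;

/* Parse a fixed-width run of ASCII digits; -1 if any byte is not '0'..'9'. */
static int parse_digits(const unsigned char *p, size_t n)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '9')
            return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

static bool in_range(int v, int lo, int hi) { return v >= lo && v <= hi; }

/* Decode 17 raw bytes. Returns 0 on success, -1 if a field is not ASCII
 * digits or lies outside the range the table allows. */
int iso_parse_dec_datetime(const unsigned char buf[17], iso_dec_datetime *out)
{
    memset(out, 0, sizeof *out);

    /* "Not specified": 16 ASCII zeroes followed by a binary zero. */
    if (memcmp(buf, "0000000000000000", 16) == 0 && buf[16] == 0)
        return 0; /* out->specified stays false */

    out->year       = parse_digits(buf + 0, 4);
    out->month      = parse_digits(buf + 4, 2);
    out->day        = parse_digits(buf + 6, 2);
    out->hour       = parse_digits(buf + 8, 2);
    out->minute     = parse_digits(buf + 10, 2);
    out->second     = parse_digits(buf + 12, 2);
    out->hundredths = parse_digits(buf + 14, 2);

    /* A -1 from parse_digits fails the lower bound of every check here. */
    if (!in_range(out->year, 1, 9999) || !in_range(out->month, 1, 12) ||
        !in_range(out->day, 1, 31)    || !in_range(out->hour, 0, 23) ||
        !in_range(out->minute, 0, 59) || !in_range(out->second, 0, 59) ||
        !in_range(out->hundredths, 0, 99))
        return -1;

    /* Last byte: stored 0 means interval -48 (GMT-12), stored 100 means
     * interval 52 (GMT+13), per the mapping quoted above; anything above
     * 100 has no defined meaning and is treated as malformed. */
    if (buf[16] > 100)
        return -1;
    out->tz_quarter_hours = (int)buf[16] - 48;
    out->specified = true;
    return 0;
}

/* Render as "YYYY-MM-DD HH:MM:SS.hh UTC+hh:mm" (format chosen for this example). */
int iso_format_dec_datetime(const iso_dec_datetime *dt, char *out, size_t outlen)
{
    if (!dt->specified)
        return snprintf(out, outlen, "(not specified)");
    int mins = dt->tz_quarter_hours * 15;
    char sign = mins < 0 ? '-' : '+';
    if (mins < 0)
        mins = -mins;
    return snprintf(out, outlen,
                    "%04d-%02d-%02d %02d:%02d:%02d.%02d UTC%c%02d:%02d",
                    dt->year, dt->month, dt->day, dt->hour, dt->minute,
                    dt->second, dt->hundredths, sign, mins / 60, mins % 60);
}

/* Parse and format in one step; returns 0, or -1 with "(malformed)" in out. */
int iso_dec_datetime_to_string(const unsigned char buf[17], char *out, size_t outlen)
{
    iso_dec_datetime dt;
    if (iso_parse_dec_datetime(buf, &dt) != 0) {
        snprintf(out, outlen, "(malformed)");
        return -1;
    }
    iso_format_dec_datetime(&dt, out, outlen);
    return 0;
}

int main(void)
{
    /* Constructed sample bytes, not taken from a real image. */
    unsigned char raw[17];
    char text[64];
    memcpy(raw, "2014100517163200", 16);
    raw[16] = 100; /* interval 52 -> GMT+13 */
    iso_dec_datetime_to_string(raw, text, sizeof text);
    printf("%s\n", text);
    raw[16] = 0;   /* interval -48 -> GMT-12 */
    iso_dec_datetime_to_string(raw, text, sizeof text);
    printf("%s\n", text);
    memcpy(raw, "0000000000000000", 16);
    raw[16] = 0;   /* the "not specified" encoding */
    iso_dec_datetime_to_string(raw, text, sizeof text);
    printf("%s\n", text);
    return 0;
}
```

The same 17-byte layout is used by the creation, modification, expiration and effective date fields of the primary and supplementary volume descriptors, so one decoder covers all of them; an image that carries non-digit bytes in these fields is reported as malformed rather than silently rendered.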

pjrinaldi commented 9 years ago

Comment #28 originally posted by pjrinaldi on 2014-10-08T14:36:36.000Z:

got the date working. had to convert ascii decimal to char %c so it would display the actual ascii human readable value.

pjrinaldi commented 9 years ago

Comment #29 originally posted by pjrinaldi on 2014-10-08T17:54:53.000Z:

fixed the date/times and the other identifiers. now I need to implement the rest of the pvd for iso, then the svd. then I can work on yaffs2 and then hfs and be done with properties for now.

pjrinaldi commented 9 years ago

Comment #30 originally posted by pjrinaldi on 2014-10-12T19:25:47.000Z:

primary volume descriptor is complete. need to implement the secondary volume descriptor and then iso is complete.

pjrinaldi commented 9 years ago

Comment #31 originally posted by pjrinaldi on 2014-10-13T16:18:08.000Z:

iso is done. no need to do yaffs2 and then hfs

pjrinaldi commented 9 years ago

Comment #32 originally posted by pjrinaldi on 2014-10-13T17:13:31.000Z:

yaffs2 is done. need to determine the byte offset structure though as well as test it out. but otherwise it's done. I'm moving on to the final fs structure hfs, which has yet to make sense to me.

pjrinaldi commented 9 years ago

Comment #33 originally posted by pjrinaldi on 2014-10-15T22:56:23.000Z:

working on hfs+.

pjrinaldi commented 9 years ago

Comment #34 originally posted by pjrinaldi on 2014-10-16T00:22:42.000Z:

finished HFS+. now starting on file properties and the hex editor modification

pjrinaldi commented 9 years ago

Comment #35 originally posted by pjrinaldi on 2014-10-16T12:51:54.000Z:

properties are working. need to work on any display errors as they occur, such as the FAT properties and the length issues.

pjrinaldi commented 9 years ago

Comment #36 originally posted by pjrinaldi on 2014-11-12T18:26:18.000Z:

huge error occurs when looking for properties on an image that has a volume system with partitions. need to review the code and see what is going wrong with that.

pjrinaldi commented 9 years ago

Comment #37 originally posted by pjrinaldi on 2015-01-06T15:32:55.000Z:

need to work on file properties. decide what I want to display that doesn't duplicate what exists in the treeview columns.

pjrinaldi commented 9 years ago

Comment #38 originally posted by pjrinaldi on 2015-01-12T01:37:51.000Z:

would like to put the mode::uid/gid (Permissions), block addresses in the file properties. might also put metatype, dirtype, metaflags, dirflags and status in the file properties depending on what they mean again.

pjrinaldi commented 9 years ago

Comment #39 originally posted by pjrinaldi on 2015-01-13T02:59:40.000Z:

got file permissions implemented sufficiently for now. will come back to it if I decide there is other information I should include in the file properties.