pjrinaldi / wombatforensics

linux c++, fox-toolkit, multi-threaded forensic gui tool
GNU General Public License v2.0
47 stars 12 forks

APFS support #310

Closed pjrinaldi closed 4 years ago

pjrinaldi commented 4 years ago
  1. implement initial sleuthkit code for apfs support for ingest and processing.
  2. implement libapfs for support for loading into hexviewer.

pjrinaldi commented 4 years ago

  1. is not needed to load into hexviewer.... it isn't a forensic image format...
  2. I have a start for apfs, but I am running into an error with tsklock that I wasn't running into before when loading different forensic images... Not sure if it is my code, but I am guessing it is some c/pthread library upgrade which now causes tsklock stuff to fail. Need to compare apfs with other FS's in sleuthkit and see if I can figure it out. Not sure how I would report as an issue to tsk.

pjrinaldi commented 4 years ago

Initial APFS support is implemented. Need to implement apfs fs properties, get the volume name and place into stat file.

pjrinaldi commented 4 years ago

also need password ingest functionality for encrypted volumes...

pjrinaldi commented 4 years ago

started implementing APFS properties.

  1. need to implement apfs vol name in the treenode.
  2. implement the rest of the APFS properties.
  3. implement the password input functionality.
  4. implement the open apfs functionality

pjrinaldi commented 4 years ago

  1. done. 2, 3, 4 - in progress.

pjrinaldi commented 4 years ago

  1. done. starting 4 now, then I'll get to 3.

pjrinaldi commented 4 years ago

working on 4.

For 3, I also need to save the qhash to text and then reopen and read when opening case...

pjrinaldi commented 4 years ago

4 is done. Need to start working on 3, implement password input functionality for password protected fs... then store and open the password QHash to text for open and reopening.

pjrinaldi commented 4 years ago

password input by user is implemented. Need to implement the following:

  1. Storing in hash variable for use in Initializing/processing.
  2. Writing to a text file for use later.
  3. Reading the text file and opening/reading into password hash for use during the session...
  4. Way for the user to change the password at new/open including trying again if it doesn't work or continuing without password.
  5. optional - try different passwords from a list and save the one that works..
  6. optional - add checkbox to add the password to password list for all cases...

pjrinaldi commented 4 years ago

Initial password input is implemented. 1, 2, 3 are done. Need to work on 4, 5, 6 later on. Will add to new ticket and close this one since TSK doesn't support password protected APFS yet.