pjrinaldi / wombatforensics

linux c++, fox-toolkit, multi-threaded forensic gui tool
GNU General Public License v2.0

Carving #312

Closed pjrinaldi closed 4 years ago

pjrinaldi commented 4 years ago

Implement a carving system using scalpel library call integration and gui support.

pjrinaldi commented 4 years ago

working on implementing a carving system. i might stage it from simple to more complex carving methods such as reading metadata of the file to get size and other carving techniques.

pjrinaldi commented 4 years ago

settings for carving are implemented. working on file carving selection gui options.

pjrinaldi commented 4 years ago

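potential code example for treewidget for file carving type selections:

```cpp
#include <QTreeWidget>

// Create a top-level entry the user can check and select.
QTreeWidgetItem* item = new QTreeWidgetItem();
item->setFlags(item->flags() | Qt::ItemIsUserCheckable | Qt::ItemIsSelectable);
// QTreeWidgetItem::setCheckState takes the column first; use column 0.
item->setCheckState(0, Qt::Checked);
m_eventList->addTopLevelItem(item);
```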

pjrinaldi commented 4 years ago

got initial layout working for file carving dialog.

partition loading works. need to add the fs type value to the open function though... so the no name will be no name (FAT16) etc... need to implement check control so the parent activates children's checks.

pjrinaldi commented 4 years ago

checking works. just need to fix the partition loading content so it matches the display, then i can work on actually carving...

pjrinaldi commented 4 years ago

pre carving gui functionality/framework implemented. Now for the tough part. Next steps are implementing the following:

pjrinaldi commented 4 years ago

I am going to try and implement 2-fold carving functionality. a smart/deep carver using file structures for known types, then let the user add simple carving for other types not covered by the smart carver...

I should be able to implement the revit-alpha-2007 for smart/deep carving and scalpel for the simple carving of other types.

pjrinaldi commented 4 years ago

working on simple carving....

starting to build the information i need to implement simple carving.

pjrinaldi commented 4 years ago

semi-smart carver is started.... need to fully implement the functionality into the tree, and on open with the stat/prop files...

also need to work out gui user layout functionality so it does more complex prior to simpler file type.... such as exif jpg versus jfif jpeg vs jpg...

Either present those options to the user for multiple types or have 1 type called JPG (EXIF, SPIFF, JFIF, Generic) and my code goes hardest to simplest in the header on its own...

pjrinaldi commented 4 years ago

I think the carving algorithm is semi-smart. got the jpeg diffs automatically calculated...

need to implement add to tree, open existing case, reporting, stat file/prop file, exporting, and any other functionality i had to do with zip...

need a carve count variable for carved.

pjrinaldi commented 4 years ago

carve, open case with carved files works....

need to implement carving support in reporting, exporting, carving again without duplicating what already exists.

pjrinaldi commented 4 years ago

semi smart carving does file testing to check for valid file prior to adding it... still need to implement carving support in:

  1. Reporting
  2. Exporting
  3. Not duplicate carving when selected again.
  4. Status display updates when carving.

If carving allocated partitions, one method of comparison is to search all prop files, get byte offset and divide by blocksize to get block # and ensure the carved block with a header isn't in the list of already allocated files... This might be slower... I could generate this variable when opening existing or creating new case...

pjrinaldi commented 4 years ago

opening existing case with carving puts the files in the correct place. need to work on exporting, reporting, tagging, not duplicate carving when carving again... status display while carving, logging as well.

pjrinaldi commented 4 years ago

Exporting, Tagging, and Reporting are working for carved files. checking is working as well. need to work on digging deeper for carved files.

also need to implement status display, logging, and avoiding duplicate carving when run twice.

pjrinaldi commented 4 years ago

Avoiding duplicate carving when run again is working. need to implement proper status display and logging. then carving functionality is implemented and then i need to implement further carving types and smart carving (pdf, docx,xlsx,pptx,mp4,mpg,webp,webm,...)

pjrinaldi commented 4 years ago

Status display and logging is in a "good enough" place, will modify as i test further and see if there needs to be anything else anywhere for either status display or logging.

pjrinaldi commented 4 years ago

Added PDF carving type with validation. will have to run further testing to see if files ever validate, currently my test image always has the files as invalid even though 1 file works.

Will work on implementing carving for docx,xlsx,pptx,mp4,mpg,webp,webm,etc...

pjrinaldi commented 4 years ago

carving for mpg is closer with validation. since the format lends the header all over a mpg video, I implemented a find footers and then look for the first instance of a header between the found footer blocks. This works pretty well, but I need to fix the carveoffset for the treeview so the right code is highlighted in the hexviewer... Will probably need to create a variable which stores the block of the header when it's found and write that to the stat file.
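
The footer-first approach described in the comment above, as an added C++ example that is not wombatforensics code: it finds each footer, then takes the first block-aligned header between the previous footer and that one. The signatures (MPEG program stream pack start code `00 00 01 BA`, program end code `00 00 01 B9`), the block-aligned header check and all names are assumptions, and the sample image is constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct CarvedRange { std::size_t start, end; };  // byte range [start, end) in the image

// Assumed signatures: MPEG program stream pack start code and program end code.
static const std::uint8_t kHeader[4] = {0x00, 0x00, 0x01, 0xBA};
static const std::uint8_t kFooter[4] = {0x00, 0x00, 0x01, 0xB9};

// First offset in [from, to) that is a multiple of step and holds sig; returns to if none.
static std::size_t findSig(const std::vector<std::uint8_t>& img, const std::uint8_t* sig,
                           std::size_t from, std::size_t to, std::size_t step) {
    for (std::size_t pos = (from + step - 1) / step * step; pos + 4 <= to; pos += step)
        if (std::memcmp(&img[pos], sig, 4) == 0) return pos;
    return to;
}

// Footer-first carve: locate each footer, then take the first block-aligned header
// between the previous footer and this one. Later headers in the same gap are ignored.
std::vector<CarvedRange> carveMpeg(const std::vector<std::uint8_t>& img, std::size_t blockSize) {
    std::vector<CarvedRange> found;
    if (blockSize == 0) return found;
    for (std::size_t gapStart = 0;;) {
        std::size_t footer = findSig(img, kFooter, gapStart, img.size(), 1);
        if (footer == img.size()) break;            // no more footers
        std::size_t header = findSig(img, kHeader, gapStart, footer, blockSize);
        if (header != footer) found.push_back({header, footer + 4});
        gapStart = footer + 4;                      // footer without a header is skipped
    }
    return found;
}

// Constructed sample: 16-byte blocks, two streams plus one orphan footer.
std::vector<std::uint8_t> sampleImage() {
    std::vector<std::uint8_t> img(96, 0xFF);
    for (std::size_t off : {16, 24, 32, 64}) std::memcpy(&img[off], kHeader, 4);
    for (std::size_t off : {40, 50, 70}) std::memcpy(&img[off], kFooter, 4);
    return img;
}

int main() {
    for (const CarvedRange& r : carveMpeg(sampleImage(), 16))
        std::printf("carved %zu..%zu\n", r.start, r.end);
}
```

The pack headers at offsets 24 and 32 sit inside the first stream and do not start a new carve, which is the reason for anchoring on footers. The start offset returned here is the value a hex viewer would need to highlight the carved header.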

pjrinaldi commented 4 years ago

carving for mpg is fixed. I think it's good enough for v0.3 release... will add other features later...

I do need to add the ability to add other carvers manually for simple carving... so need to add that into the code for now... then i can wrap up carving for 0.3 and move onto v0.4

pjrinaldi commented 4 years ago

ticket finished for 0.3 release. will open new tickets for new carvers, new errors, etc.