Closed pjrinaldi closed 4 years ago
working on implementing a carving system. i might stage it from simple to more complex carving methods such as reading metadata of the file to get size and other carving techniques.
settings for carving are implemented. working on file carving selection gui options.
potential code example for treewidget for file carving type selections: QTreeWidgetItem* item = new QTreeWidgetItem(); item->setFlags(item->flags() | Qt::ItemIsUserCheckable | Qt::ItemIsSelectable); item->setCheckState(Qt::Checked); m_eventList->addTopLevelItem(item)
got initial layout working for file carving dialog.
partition loading works. need to add the fs type value to the open function though... so the no name will be no name (FAT16) etc... need to implement check control so the parent activates children's checks.
checking works. just need to fix the partition loading content so it matches the display, then i can work on actually carving...
pre carving gui functionality/framework implemented. Now for the tough part. Next steps are implementing the following:
I am going to try and implement 2-fold carving functionality. a smart/deep carver using file structures for known types, then let the user add simple carving for other types not covered by the smart carver...
I should be able to implement the revit-alpha-2007 for smart/deep carving and scalpel for the simple carving of other types.
working on simple carving....
starting to build the information i need to implement simple carving.
semi-smart carver is started.... need to fully implement the functionality into the tree, and on open with the stat/prop files...
also need to work out gui user layout functionality so it does more complex prior to simpler file type.... such as exif jpg versus jfif jpeg vs jpg...
Either present those options to the user for multiple types or have 1 type called JPG (EXIF, SPIFF, JFIF, Generic) and my code goes hardest to simplest in the header on its own...
I think the carving algorithm is semi-smart. got the jpeg diff's automatically calculated...
need to implement add to tree, open existing case, reporting, stat file/prop file, exporting, and any other functionalty i had to do with zip...
need a carve count variable for carved.
carve, open case with carved files works....
need to implement carving support in reporting, exporting, carving again without duplicating what already exists.
semi smart carving does file testing to check for valid file prior to adding it... still need to implement carving support in:
If carving allocated partitions, one method of comparison is to search all prop files, get byte offset and divide by blocksze to get block # and ensure the carved block with a header isn't in the list of already allocated files... This might be slower... I could generate this variable when opening existing or creating new case...
opening existing case wth carving puts the files in the correct place. need to work on exporting, reporting, tagging, not duplicate carving when carving again... status display while carving, logging as well.
Exporting, Tagging, and Reporting are working for carved files. checking is working as well. need to work on digging deeper for carved files.
also need to implement status display, logging, and avoiding duplicate carving when run twice.
Avoiding duplicate carving when run again is working. need to implement proper status display and logging. then carving functionality is implemented and then i need to implement further carving types and smart carving (pdf, docx,xlsx,pptx,mp4,mpg,webp,webm,...)
Status display and logging is in a "good enough" place, will modify as i test further and see if there needs to be anything else anywhere for either status display or logging.
Added PDF carving type with validation. will have to run further testing to see if files ever validate, currently my test image always has the files as invalid even though 1 file works.
Will work on implementing carving for docx,xlsx,pptx,mp4,mpg,webp,webm,etc...
carving for mpg is closer with validation. since the format lends the header all over a mpg video, I implemented a find footers and then look for the first instance of a header between the found footer blocks. This works pretty well, but I need to fix the carveoffset for the treeview so the right code is highlighted in the hexviewer... Will probably need to create a variable which stores the block of the header when it's found and write that to the stat file.
carving for mpg is fixed. I think it's good enough for v0.3 release... will add other features later...
I do need to add the ability to add other carvers manually for simple carving... so need to add that into the code for now... then i can wrap up carving for 0.3 and move onto v0.4
ticket finished for 0.3 release. will open new tickets for new carvers, new errors, etc.
Implement a carving system using scalpel library call integration and gui support.