Manually Parsing FileSystems

[pjrinaldi]

Certain forensic images crash when processing using the TSK sometimes and succeed other times without any code changes. This is an issue that has been persistent and bothering me since initial testing prior to v0.1. I have tried to resolve this issue but I think it is an issue with the TSK lib and QtConcurrent or how I attempted to code the two to do what I needed.

For the hex editor and being able to jump to content within an NTFS file system, I had to basically manually parse the MFT anyway, so now I have decided to remove the TSK dependency and manually parse whatever file systems I am going to support.

This is going to be slow going and cause a major delay in the v0.4 release, but it is required to ensure consistency in processing forensic images.

[pjrinaldi]

Currently, I parse MBR, GPT, and no partition table images. I parse the partitions and currently get volume name and information for FAT12, FAT16, and FAT32. I will also add NTFS, EXFAT, EXT2/3/4 next. Then I will add BTRFS, XFS, APFS, HFS+, BITLOCKER, ISO, UDF, ZFS.

v0.4 should contain FAT variants, NTFS, and EXT2/3/4. then I will work on some more for v0.5 and then more for v0.6, etc... also while continuing to work on implementing new end user features such as an mbox viewer, etc....

[pjrinaldi]

working on initial detection of fs type for various file system types:

• FAT12/16/32, EXFAT, NTFS, EXT2/3/4, BTRFS, XFS, BITLOCKER, BFS (Detection Working)
• APFS, HFS, HFS+/X (detection half working)
• ISO, UDF, ZFS, UFS1/2, YAFFS2, F2FS (detection not started),

and starting to work on parsing FAT12/16 for population of treeview.

[pjrinaldi]

a few minor issues with FAT12 to work out such as access date to not display vs 01-01-1970 12:00:00 AM. also some random characters i need to remove from long name and alias name. Otherwise I'm pretty sure FAT12 is finished and working...

Then I can re-implement the file type signature and category code as well as figure out what information i will need to save to be able to quickly open a case. Also want to get hexviewer working again as well as all the other code such as file hex viewer, etc.

Then I can implement FAT16, FAT32, EXFAT, NTFS, and EXT2/3/4.

[pjrinaldi]

FAT12 is implemented except for orphaned longname direntry i need to do something with.

also working on hex content to include going to offsets and color highlighting.

[pjrinaldi]

this issue will now be the overall info update for what is going on and i'll create individual tickets for each filesystem...

hexviewer is working with offset and highlighting.

FAT12 is implemented.

Overall, I still need to fix:

• the properties viewer code.
• saving the tree......
• opening an existing case and ensuring everything opens correctly...
• writing the content to a temporary file for loading in filehexviewer as well as external viewers.
• generally updating the id switch, and file storage switch everywhere in the code base...
• other stuff i can't think of without looking through my code.

[pjrinaldi]

Fixed

• properties viewer
• saving the tree to a file
• opening a case and loading the tree back from the file
• writing content to a temporary file and filehexviewer works

Still to Fix

• reporting
• tagging
• checking
• exporting
• external viewers
• other stuff i can't think of but will check out as i look at code and test it.

[pjrinaldi]

Fixed

• checking
• reporting
• tagging
• digging

Still to Fix

• exporting
• external viewers
• filters
• other stuff i can't think of but will check out as I look at code and test it.

[pjrinaldi]

Fixed

• exporting
• external viewers
• byteconverter

Still to Fix

• filters
• other stuff i can't think of but will check out as i look at the code and test it.

[pjrinaldi]

Fixed

• filters

Still to Fix

• Manual Carving
• File Carving
• Image Thumbnailer (test once i have images in an image i can process)

[pjrinaldi]

Fixing

• Manual Carving is working - just need to implement the ancillary features such as the tmp file e0-c0-fhex and such...

Still to Fix

• TransferFiles() for carving and regular files/dir's which is part of publishing report
• File Carving
• Image Thumbnailer (possibly, just need to test...)

[pjrinaldi]

Fixed

• manual carved

Stil to Fix

• file carving

Full Testing as it stands

[pjrinaldi]

Fixed

• file carving

Still to Fix

• archive expansion

[pjrinaldi]

Fixing

• working on archive expansion (zip files). still need to implement code in populatehexcontents, returnfilecontent, transferfiles, and export so far.

[pjrinaldi]

Fixed

• archive expansion
• handling expanded archive files

leave this ticket open for now, but everything should be working unless I missed something.

[pjrinaldi]

Will open individual tickets for each FS I intend to implement: FAT12/16/32, EXFAT, NTFS, EXT2/3/4, BTRFS, XFS, BITLOCKER, BFS, APFS, HFS, HFS+/X, ISO, UDF, ZFS, UFS1/2, YAFFS2, F2FS