pjrinaldi / wombatforensics

linux c++, fox-toolkit, multi-threaded forensic gui tool
GNU General Public License v2.0

APFS parsing #367

Open pjrinaldi opened 3 years ago

pjrinaldi commented 3 years ago

Implement APFS parsing

pjrinaldi commented 2 years ago

starting on apfs. got superblock, which leads to the object map id, which leads to the object map btree, which should give me the physical block for the apfs volumes objectid.

pjrinaldi commented 2 years ago

got the physical block for the apfs volume super block object. got setup to parse them, just need to parse them and then populate the volume properties file and the volume node object.

pjrinaldi commented 2 years ago

parsed apfs volume properties. have a basic way of implementing within my wombat case structure. will just have to add this new p#v# methodology everywhere.

as for APFS, I am working on using the virtual root folder btree oid and the apfs volume object map physical oid to then get the location of the apfs volume object map btree which will contain the virtual to physical mapping so i can get the physical oid (block number) using the virtual oid so i can then read and parse the root btree.

I did this once for the container object map oid, and will try to generalize this object mapping to a function so i can simplify the code.

pjrinaldi commented 2 years ago

generalized mapping function does the following: for an object, it takes the physical omap oid for the object and the virtual tree oid for the object i want to parse, this lets me get the physical omap tree id from the physical object map oid. then i parse the physical object map tree node for the virtual oid key i want, then i get the offset plus the size for the physical tree for the object to parse... generalized mapping function works and returns the respective btree layout..., which should be the tree for the root directory or other sub directories...

i need to fix the issues in my volume object map code, and then see if i can use my general mapping function for the treeoid

once i parse the root directory after fixing the volume, i can determine if there is something i'm missing or some better way to automate or if i don't quite understand it fully yet and then have to modify either of the above functions... but PROGRESS CONTINUES
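The virtual-to-physical object-map step described in the comment above, as an added C++ example that is not wombatforensics code: it parses one constructed omap B-tree leaf node (field offsets per the APFS reference layout for btree_node_phys_t, omap_key_t and omap_val_t) and resolves a virtual oid at a given transaction id to its physical block. It assumes a 4096-byte block and a root leaf node with fixed-size keys and values; the node bytes are constructed in buildSampleNode().

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>
struct OmapEntry { uint64_t oid, xid, paddr; uint32_t size; };  // omap_key_t + omap_val_t fields
template <typename T> static T rd(const uint8_t* p) { T v; std::memcpy(&v, p, sizeof v); return v; }
template <typename T> static void wr(uint8_t* p, T v) { std::memcpy(p, &v, sizeof v); }
// btree_node_phys_t: obj header 32 bytes, btn_flags @32, btn_nkeys @36, btn_table_space @40 {off,len},
// btn_data @56. Flag 0x1 = ROOT (40-byte btree_info_t at the end of the block), 0x2 = FIXED_KV_SIZE.
std::vector<OmapEntry> parseOmapLeaf(const std::vector<uint8_t>& node) {
    std::vector<OmapEntry> out; if (node.size() < 96) return out;
    const uint8_t* b = node.data();
    uint16_t flags = rd<uint16_t>(b + 32); uint32_t nkeys = rd<uint32_t>(b + 36);
    uint16_t tocOff = rd<uint16_t>(b + 40), tocLen = rd<uint16_t>(b + 42);
    if (!(flags & 0x2)) return out;                       // omap trees always use fixed-size kv
    size_t toc = 56 + tocOff, keyBase = toc + tocLen;
    size_t valEnd = node.size() - ((flags & 0x1) ? 40 : 0);
    for (uint32_t i = 0; i < nkeys; ++i) {
        size_t e = toc + 4 * i;                           // kvoff_t {k, v} table-of-contents entry
        if (e + 4 > keyBase) break;
        size_t k = keyBase + rd<uint16_t>(b + e), vo = rd<uint16_t>(b + e + 2);
        if (k + 16 > valEnd || vo < 16 || vo > valEnd) break;   // bounds-check: image bytes are untrusted
        size_t v = valEnd - vo;                           // values are addressed backward from the node end
        out.push_back({rd<uint64_t>(b + k), rd<uint64_t>(b + k + 8), rd<uint64_t>(b + v + 8), rd<uint32_t>(b + v + 4)});
    }
    return out;
}
// The mapping step from the thread: pick the entry for this oid with the newest xid not newer than wantXid.
std::optional<uint64_t> resolveVirtualOid(const std::vector<OmapEntry>& es, uint64_t oid, uint64_t wantXid) {
    std::optional<OmapEntry> best;
    for (const auto& e : es)
        if (e.oid == oid && e.xid <= wantXid && (!best || e.xid > best->xid)) best = e;
    if (!best) return std::nullopt;
    return best->paddr;
}
// Constructed 4096-byte root leaf: two versions (xid 5 and 9) of oid 0x403 and one of oid 0x404.
std::vector<uint8_t> buildSampleNode() {
    std::vector<uint8_t> n(4096, 0); uint8_t* b = n.data();
    wr<uint16_t>(b + 32, 0x3); wr<uint32_t>(b + 36, 3);  // ROOT|FIXED_KV_SIZE, three keys
    wr<uint16_t>(b + 40, 0); wr<uint16_t>(b + 42, 64);   // toc starts at btn_data, 64 bytes reserved
    const uint64_t keys[3][2] = {{0x403, 5}, {0x403, 9}, {0x404, 7}}, paddr[3] = {0x1000, 0x1a2b, 0x2000};
    for (int i = 0; i < 3; ++i) {
        wr<uint16_t>(b + 56 + 4 * i, 16 * i); wr<uint16_t>(b + 58 + 4 * i, 16 * (i + 1));
        wr<uint64_t>(b + 120 + 16 * i, keys[i][0]); wr<uint64_t>(b + 128 + 16 * i, keys[i][1]);
        uint8_t* v = b + 4096 - 40 - 16 * (i + 1);
        wr<uint32_t>(v + 4, 4096); wr<uint64_t>(v + 8, paddr[i]);
    }
    return n;
}
```

A real omap also carries OMAP_VAL_DELETED entries and may span several levels, so a tool should walk interior nodes down to the leaf and skip deleted values before trusting the returned block.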

pjrinaldi commented 2 years ago

volume object map is working. moving on to root dir parsing and creating a generic rootbtreelayout function.