Creating custom forensic image format

[pjrinaldi]

might want to write the log into xml formatting at the beginning of the raw image and then at the end for the verification... place the "raw image" inside a and then i can possibly jump there for the image to load inside the zmg sparse compressed container.

[pjrinaldi]

might scrap zmg all together. not sure how to read it without fuse and i don't want to go down the fuse route. i'll stick with raw for now and go from there later, a forensic imager isn't even really necessary, omre just a fun side bit.

[pjrinaldi]

i added the basic image info into the forensic image at the end.

[pjrinaldi]

working on implementing a new forensic image format, why? cause why not...

it will be zstd compressed/decompressed, contain the metadata at the end of the image etiher before or after compression, probably before, and then be hashed with blake3 hash for verification while imaging. currently working on the command line tool and once finished will them implement it in here... the command line tool will be called wombat imager and the file will be a wombat forensic image or (.wfi or .wbi)

[pjrinaldi]

got the command line forensic imager and format written (wfi), working on tools to interact with it including verify, info, fuse. also need to work on logical imager (wli) and upgrade the tools to work with that.

Need to then backport this functionality for the forensic imager, verifier, and info to wombat and ensure wombat can then parse the lz4 image file without fully decompressing the entire file.

[pjrinaldi]

working on getting the custom forensic image imported and parsed without decompressing the whole image... progress is slow but getting there...

[pjrinaldi]

the latest parsing attempt is closer to working. i got the partitions read. Need to start debugging and figure out where it is going wrong now so i can fix it.

[pjrinaldi]

I've got reading the image working, except for it errors at while reading the GetNextCluster() loops for a file. If i comment out this code, it works, and if i parse the raw image, it works while getting clusters. I need to debug and figure out what is causing the error. it is a low level libc error, _IO_default_xsputn, error with a segfault, so there is a memory access error somewhere. might try to move free/clear/delete to after other calls and see if that helps.

[pjrinaldi]

reading the new forensic image format works properly now. I need to create other images to test and see if the code works correctly.

[pjrinaldi]

new forensic image format works, but i'm guessing the hash of the image doesn't work as with the fuse module.

working on initial import of a logical image. also need to work on creating logical image as well.

[pjrinaldi]

upgraded image format to not need the skippable frame and will simply find the frame list similar to the logical image. it works, but i'm assuming has the same issue as the fuse module, which reads most of the content except a little at the end which hoses the hash but not reading the contents of the image.

[pjrinaldi]

initial import test of logical image is working. it gets what i need into the code for testing purposes, will decide how i want to handle stuff as i go...

Still need to update the create forensic image code, verify code, and implement the export to logical image code.

[pjrinaldi]

Need to parse the file path correctly and add the directory items to the tree as i go.

[pjrinaldi]

verify code is working for wfi and wli. need to implement the create forensic image, export to logical image and the way i parse directories in the logical image.

[pjrinaldi]

Need to update the image dialogs to only offer the creation of wombat forensic image and export to wombat logical.

[pjrinaldi]

working on parsing logical directory path. It works sort of, I need to check and see if a directory exists before i blanket create it, right now it will create the directory path fro the logical image, but it will create the same path twice and assign the same unique id to each directory, which clearly doesn't work.