Code efficiency

[pjrinaldi]

As I implement the more memory efficient forensic image parsing, I need to move the allocated/unallocated partition parsing implementation to a function call, so I'm only writing that code once, rather than it's current implementation where it is called all over the place.

[pjrinaldi]

finished with FAT12/16/32 file/directory parsing. it seems to work with initial testing. need to check memory usage so far and see how it is looking. then move onto exfat,ext,ntfs...

[pjrinaldi]

working on exfat. root dir is working, need to implement virtual files as well as cat/sig for the $ALLOC and $UPCASE, recurse into sub directories and implement orphans.

[pjrinaldi]

virtual files are working, cat/sig is working as well as recursive dir's for exfat. working on exfat orphans now. once complete, will move onto ext2/3/4 and ntfs, then i can continue testing the new better memory management methodology and once that is done, re-implement the hex editor and other functionality and see how it works... reporting, digging, etc...

[pjrinaldi]

exfat is done. still need to test orphans code more, but will get to it. started working on ext2/3/4 parsing and began functionalizing the repetitive code to get the blocks depending on whether it uses extents or not. also fixed some code issues with group descriptor entry size which can be 64 instead of 32 depending on a flag, which i now account for.

[pjrinaldi]

ext2/3/4 is finished. working on ntfs now. about 50% done with initial implementation. need to figure out how to get the parts i need without using too much memory...

[pjrinaldi]

ntfs is mostly working... Still need to isolate and fix the following errors

1. I need to fix the i30 and file_name datetimes which are not displaying correctly.
2. catsig needs the correct if's for NTFS system files.
3. files are not being parsed, in particular for the 3-ntfs image the $Quota and it's ads as well as the _restore directory under System Volume Information aren't being parsed. (i'm guessing my while position code is ending prior to getting to those files, but I'll have to look into it and see.

Not bad really for the 1st implementation of ntfs without using hardly any memory to process.

[pjrinaldi]

ntfs is working except for orphan/deleted. i fixed i30/file_name date times by calling the right functions to convert the datetime. it helps if you remember what your functions do and call them accordingly. Added the NTFS system files to the catsig correctly. Fixed the index root parser to not skip too much when it's found an entry which cause it to skip the 2 files that were being skipped in the 3-ntfs image. just need to implement orphan/deleted and then test memory usage extensively.

[pjrinaldi]

working on ntfs orphan/deleted and also working on fixing the parsentfsdirectory so when reading the indexallocation it doesn't duplicate existing directories and files where the same ntinode/seqid occurs multiple times...

[pjrinaldi]

ntfs is almost there. fixed some issues with parsing ntfs directories and what layout from directories were getting sent for parsing as a directory. last thing i need to do is have index_root always parse for directories and then just do index allocation if it exists...

also will work on orphans/deleted as well for ntfs. then i can test memory usage for ntfs.

[pjrinaldi]

besides ntfs orphans/deleted, i also need to fix the ntfs directory with an ads data stream, the f# id doesn't increment properly.

[pjrinaldi]

fixed ntfs directory with an ads data stream.

need to do ntfs orphans/deleted. also need to fix the $i30 html view so it only works for ntfs and doesn't popup for other directories for other file systems.

[pjrinaldi]

since i moved mouse double click to open files, so i will move the $i30 directory to a right click item maybe, but for now i'll just not implement it as i go and leave it hanging out there since it works but just won't be called unless it's an empty directory.

[pjrinaldi]

need to add reporting back in somewhere after i get ntfs orphan/deleted implemented. also need to check and update all code to ensure it is working with the new system to include hexviewer, opening and saving cases, reporting, digging, tagging, hashing, exporting, publishing report, etc..... also see what i'm storing in evid.prop and see if its as efficient as it should be.

[pjrinaldi]

might attempt to add aff4 image reading again.

[pjrinaldi]

opening and saving cases is working. need to implement everything else.

[pjrinaldi]

attempting hexviewer implementation. need to implement my qiodevice hook using forimg or possibly just hook the forimg-readcontent() function... are qhexedit.cpp, qhexedit.h, chunks.h,chunks.cpp

have to look.

[pjrinaldi]

hexviewer is implemented and working. now to implement reporting.

[pjrinaldi]

reporting is working. need to create a ticket to include more filesystem information for partitions, but otherwise it works under the new paradigm..

[pjrinaldi]

working on filtering. almost got all the filters working just need to implement blake3 hashing. and hash listing

[pjrinaldi]

carving is working, except for the hexviewer isn't highlighting a carved file.

[pjrinaldi]

carved file fixed. conversion is complete as i can tell.