pjrinaldi / wombatforensics

linux c++, fox-toolkit, multi-threaded forensic gui tool
GNU General Public License v2.0
46 stars, 12 forks

Qt to Fox Toolkit #440

Closed pjrinaldi closed 1 year ago

pjrinaldi commented 1 year ago

After I convert the individual tools to fox toolkit, I should see what the probability would be of switching wombatforensics from qt5 to fox toolkit. I'm not sure if it would be possible, but the only thing missing so far would be a html viewer, which i could theoretically build by using netsurf and building one similar to the fltk implementation example, which is supposedly about 1000 lines, and since my viewer isn't a full featured browser, it might be smaller.

pjrinaldi commented 1 year ago

got initial layout test done in fox. and i think it will be more efficient than qt, as well as instead of replicating registry code between wombat and the standalone tool, i can simply build the standalone tool and call it from within wombat, either as a sub class or as a standalone program, but this will prevent managing 2 code bases between the 2 programs and any other standalone tool i work on.

pjrinaldi commented 1 year ago

working on toolbar icons for main program functionality. then i will work on implementing loading a new case file, saving a case file, opening an existing case file, and then see about pulling wombatregistry in in a simple test... and what would need to be done to integrate it into wombatforensics..

pjrinaldi commented 1 year ago

toolbar icons populated, working on implementing loading a new case. got a checktableitem implemented, much faster than the qt one, and easier to understand, so i'm loving working with fox more than qt. it is still early days and things may not work very well as it gets more complicated, but i like where it is going so far. after some progress, i'll see what happens with calling wombat registry from an evidence file.

pjrinaldi commented 1 year ago

new case is working, close current case is working, work in /tmp/ folder and save to tar file and remove the /tmp/ folder i used. settings are implemented as is manage carving file types. next to implement will be open case, then i'll start playing with adding evidence.

may not want to implement create image, because why do that when you can simply run my command line tools or any other tool available in linux. The same for verification... so i will probably remove those toolbar items and not include them.

pjrinaldi commented 1 year ago

Will want to look at just in time parsing, i.e. when you double click on a directory to open its children, use a function to pull that information, rather than parsing everything up front. This would speed up load time, and it shouldn't be too costly to call it when needed. I will then have to figure out how to store the information i will need and how to apply/store a unique id for the items. I'm not even sure an ID is necessary though, its full path/file name/offset,len provide uniqueness.

pjrinaldi commented 1 year ago

added open case, save case, save current on exit.

pjrinaldi commented 1 year ago

combined add/remove evidence to manage evidence. got the evidence file which stores the evidence in the case working. currently working on implementing the forimg class to handle various forensic image formats. 1st step is raw image size within image format, then get the ability to read from the raw content in the image format. icons can go in tableitem, so the name tableitem can have an icon before text to represent the file type.

pjrinaldi commented 1 year ago

forimg class is working for returning image size for raw, ewf, aff4, split raw, wfi, and regular files. Next up is populating the tableitems for each image type. then i will implement ReadContent for each image type.

pjrinaldi commented 1 year ago

got readcontent implemented and it seems to work. table items for evidence are working, and i also have the size string comma'd out based on locale. next step is when double clicking on an evidence item, it will populate the pathtoolbar, replace the tablelist with the partition information. the function to get the partition information will be created and it will handle the gui stuff as well, so i don't have to store and move too much around.
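The two comments above describe a forimg class that returns an image size and a ReadContent for raw, split raw and regular files. As an added example (not code from wombatforensics), the following C++ sketches that interface with one implementation that covers all three: a raw image is simply a split raw image with one segment, and a read that crosses a segment boundary is stitched together from the neighbouring segment files. Class, method and file names are hypothetical; ewf and aff4 would be further subclasses backed by their libraries and are not shown. The sample segment files are constructed by the example itself.

```cpp
// Added example, not wombatforensics code: a forimg-style interface with a
// split-raw implementation that also serves plain raw (dd) images and files.
#include <algorithm>
#include <cstdint>
#include <filesystem>
#include <fstream>
#include <string>
#include <vector>

class ForImg {
public:
    virtual ~ForImg() = default;
    virtual uint64_t Size() const = 0;
    // Copy up to len bytes starting at offset into buf; returns bytes actually
    // copied, which is short only at end of image or on I/O error.
    virtual uint64_t ReadContent(uint8_t* buf, uint64_t offset, uint64_t len) const = 0;
};

// Raw, split raw and regular files share one implementation: a raw image is a
// split raw image with a single segment.
class SplitRawImg : public ForImg {
public:
    explicit SplitRawImg(std::vector<std::string> segments) : paths_(std::move(segments)) {
        uint64_t running = 0;
        for (const auto& p : paths_) {
            starts_.push_back(running);          // logical offset where this segment begins
            std::error_code ec;
            uint64_t sz = std::filesystem::file_size(p, ec);
            if (ec) sz = 0;                      // unreadable segment counts as empty
            running += sz;
        }
        total_ = running;
    }
    uint64_t Size() const override { return total_; }
    uint64_t ReadContent(uint8_t* buf, uint64_t offset, uint64_t len) const override {
        uint64_t done = 0;
        while (done < len && offset + done < total_) {
            uint64_t cur = offset + done;
            // Segment whose start is the last one <= cur (empty segments are
            // skipped because their start equals the next segment's start).
            size_t i = static_cast<size_t>(
                (std::upper_bound(starts_.begin(), starts_.end(), cur) - starts_.begin()) - 1);
            uint64_t segend = (i + 1 < starts_.size()) ? starts_[i + 1] : total_;
            uint64_t chunk = std::min(len - done, segend - cur);  // stay inside this segment
            std::ifstream f(paths_[i], std::ios::binary);
            f.seekg(static_cast<std::streamoff>(cur - starts_[i]));
            f.read(reinterpret_cast<char*>(buf + done), static_cast<std::streamsize>(chunk));
            uint64_t got = static_cast<uint64_t>(f.gcount());
            if (got == 0) break;                 // I/O error or truncated segment: return what we have
            done += got;
        }
        return done;
    }
private:
    std::vector<std::string> paths_;
    std::vector<uint64_t> starts_;
    uint64_t total_ = 0;
};

// Constructed sample: two segments whose contents straddle the boundary at offset 10.
std::vector<std::string> WriteSampleSegments() {
    auto dir = std::filesystem::temp_directory_path();
    std::vector<std::string> paths = {(dir / "forimg_example.001").string(),
                                      (dir / "forimg_example.002").string()};
    { std::ofstream a(paths[0], std::ios::binary); a << "0123456789"; }
    { std::ofstream b(paths[1], std::ios::binary); b << "ABCDEF"; }
    return paths;
}

uint64_t SampleImageSize() { return SplitRawImg(WriteSampleSegments()).Size(); }  // 16

// Read 5 bytes at offset 8: "89" from segment 1 and "ABC" from segment 2.
std::string SampleReadAcrossBoundary() {
    SplitRawImg img(WriteSampleSegments());
    uint8_t buf[5] = {};
    uint64_t got = img.ReadContent(buf, 8, sizeof buf);
    return std::string(reinterpret_cast<char*>(buf), static_cast<size_t>(got));
}

// A read that runs past the end is truncated instead of over-reading; only
// "CDEF" (4 bytes) remain after offset 12.
uint64_t SampleReadPastEnd() {
    SplitRawImg img(WriteSampleSegments());
    uint8_t buf[32] = {};
    return img.ReadContent(buf, 12, sizeof buf);
}
```

The per-read open of the segment file keeps the example short; a real implementation would keep the handles open, and a segment that is shorter than expected shows up as a short read rather than as silent zero-fill, which is the behaviour a verifier of image integrity wants.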

pjrinaldi commented 1 year ago

when you click on evidence, the tablelist loads the partition information. the pathtoolbar is not updated or functioning yet, that will come next once i get exfat and ntfs volume names obtained. still need to implement mbr and no partition table as well as the other file system types. icon next to name in the tablelist works, so forensic images and partitions have an icon right now.

current issue to resolve is ensuring the double click in the table functions for its respective item correctly, i.e. double click on a forensic image and partitions load, double click on partition and root directory loads, etc... I will have to work on how to manage this and if i can't figure it out, then i'll have to go back to the unique item ids and use those as a split... I could try setting the userdata for the id to an integer representing the itemtype..

pjrinaldi commented 1 year ago

Current work to implement:

pjrinaldi commented 1 year ago

all above pieces are working. Starting to work on populating root directory for the file systems. Need to figure out what is required (variables to pass) to load this information and then figure out how to store/get that information in the most efficient way, and then how to get back to the partition from this point.

pjrinaldi commented 1 year ago

working on parsing root directory for fat filesystem. got to the loop over the directory entries.

once i get the information and what to return to the main cpp file to then populate the table with. probably have dirvector in the currentitem or its own variable i pass as a pointer. and what to pass for the files, probably a fileitem enum which contains the columns i need.

pjrinaldi commented 1 year ago

got the general content back from parsing root directory for fat. the values are included in a pointer to a vector of fileitem structs. the next step would be how to store any digging deeper so it doesn't have to be redone every time a file is accessed. Also, have to figure out how to reference the items with their unique id and so it doesn't overlap. it might be best to have a globalidindex variable which increments for every action regarding files and directories so i am always getting the latest id...

pjrinaldi commented 1 year ago

for the just in time content loading, i should write it to a file the first time it is loaded/activated. then i can check for the file's existence prior to loading/reloading the data from the source file. so using the global id, which will either be a number or the e#-p#-f# id from before. This will work for speed and efficiency in not loading everything ahead of time. have to figure out a naming convention and file storage method, whether i mirror what i had before or go with something new.

pjrinaldi commented 1 year ago

if i include the children id's at the end, and store them in text files by id, then i can easily reload the information from the files, rather than reparsing. if the files don't exist, then i can parse them and write the files out. i can multithread the file writing and file reading possibly, since i can get each tmpfileitem in a separate thread and then add them to the fileitemvector on the main thread to populate the table. will have to work on this with simple fat and see how it goes.

pjrinaldi commented 1 year ago

global id as a number is working with initial testing for forensic images and partitions. need to do more testing as well as write other required values to populate table to the respective files and also write the properties to another file. then i can work on the same implementation for files themselves and once working, then i look into possibly adding multithreading to the files' parsing/loading
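The last several comments lay out one design: parse a directory only when it is opened, give every item an incrementing global id, write the parsed rows to files named by id (with the children ids stored alongside the parent) and, on the next visit, read those files instead of reparsing the image. The C++ below is an added example of that cache, not the project's code; the FileItem layout, file names (`<id>.children`, `<id>.item`) and the tab-separated record format are assumptions, and the directory parser is a constructed stand-in that counts its calls so a cache hit is observable.

```cpp
// Added example, not wombatforensics code: just-in-time directory loading
// with an on-disk cache keyed by global id.
#include <cstdint>
#include <filesystem>
#include <fstream>
#include <functional>
#include <sstream>
#include <string>
#include <vector>
namespace fs = std::filesystem;

struct FileItem {              // hypothetical table row, not the project's struct
    uint64_t gid = 0;          // global id, assigned once when first parsed
    uint64_t parent = 0;       // parent's global id
    std::string name;
    uint64_t offset = 0;       // where the entry's data starts in the image
    uint64_t len = 0;
    bool isdir = false;
};
// Stands in for the FAT/NTFS directory-entry walk over the source image.
using ParseFn = std::function<std::vector<FileItem>(const FileItem& parent)>;

class DirectoryCache {
public:
    DirectoryCache(fs::path casedir, ParseFn parse)
        : casedir_(std::move(casedir)), parse_(std::move(parse)) { fs::create_directories(casedir_); }
    uint64_t NewId() { return ++nextid_; }

    // Cached children come from <gid>.children plus one <gid>.item file per
    // child; on a miss the parser runs once and both are written.
    std::vector<FileItem> LoadDirectory(const FileItem& parent) {
        std::vector<FileItem> children;
        fs::path listfile = casedir_ / (std::to_string(parent.gid) + ".children");
        std::ifstream list(listfile);
        if (list) {                                  // cache hit: no reparse
            uint64_t cid;
            while (list >> cid) children.push_back(ReadItem(cid));
            return children;
        }
        children = parse_(parent);
        std::ofstream out(listfile);
        for (auto& c : children) {
            c.gid = NewId();
            c.parent = parent.gid;
            WriteItem(c);
            out << c.gid << '\n';
        }
        return children;
    }
private:
    // One tab-separated line per item; names containing tabs or newlines
    // would need escaping, which is omitted here.
    void WriteItem(const FileItem& it) {
        std::ofstream f(casedir_ / (std::to_string(it.gid) + ".item"));
        f << it.gid << '\t' << it.parent << '\t' << it.name << '\t'
          << it.offset << '\t' << it.len << '\t' << (it.isdir ? 1 : 0) << '\n';
    }
    FileItem ReadItem(uint64_t gid) {
        FileItem it;
        std::ifstream f(casedir_ / (std::to_string(gid) + ".item"));
        std::string line, field;
        if (!std::getline(f, line)) return it;      // missing record: empty item
        std::istringstream in(line);
        std::getline(in, field, '\t'); it.gid = std::stoull(field);
        std::getline(in, field, '\t'); it.parent = std::stoull(field);
        std::getline(in, it.name, '\t');
        std::getline(in, field, '\t'); it.offset = std::stoull(field);
        std::getline(in, field, '\t'); it.len = std::stoull(field);
        std::getline(in, field, '\t'); it.isdir = (field == "1");
        return it;
    }
    fs::path casedir_;
    ParseFn parse_;
    uint64_t nextid_ = 0;
};

// Constructed demo parser that counts its calls.
static int g_parsecalls = 0;
static std::vector<FileItem> FakeParse(const FileItem&) {
    ++g_parsecalls;
    return std::vector<FileItem>{{0, 0, "BOOT.BIN", 4096, 512, false},
                                 {0, 0, "DOCS", 8192, 0, true},
                                 {0, 0, "NOTES.TXT", 16384, 77, false}};
}
// Loads the same directory twice against a fresh cache dir; returns the parser
// call count (1 when the second load came from the files) or -1 if the cached
// rows differ from the parsed ones.
int DemoParseCallsAfterTwoLoads() {
    fs::path dir = fs::temp_directory_path() / "wombat_cache_example";
    fs::remove_all(dir);
    g_parsecalls = 0;
    DirectoryCache cache(dir, FakeParse);
    FileItem root; root.gid = cache.NewId(); root.isdir = true;
    std::vector<FileItem> first = cache.LoadDirectory(root);
    std::vector<FileItem> second = cache.LoadDirectory(root);
    if (first.size() != second.size()) return -1;
    for (size_t i = 0; i < first.size(); ++i)
        if (first[i].gid != second[i].gid || first[i].name != second[i].name ||
            first[i].offset != second[i].offset || first[i].isdir != second[i].isdir) return -1;
    return g_parsecalls;
}
```

Because the cache lives under the case's working directory, saving the case to a tar file and restoring it later keeps the ids stable, which is what makes "open fat.0.4 to get the layout" style lookups by parent id possible across sessions.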

pjrinaldi commented 1 year ago

got files reading from a file working. need to populate the tablelist and also write them to the file the first time, the code is in place, just need to implement writing to a file and populating the table.

pjrinaldi commented 1 year ago

populating files is working for the root directory, need to figure out what is needed to implement the sub directory display and adjust functions accordingly. also need to do something with the file contents. and work on other wombat functionality such as external viewer manager, plain text viewer for file contents, file properties window, file hex viewer, etc...

pjrinaldi commented 1 year ago

external viewer manager is done. working on how sorting would get implemented. I think i would need to sort fileitems based on a struct value, then SortTable(&fileitems, int itemindex); which would draw the table values all the time, but default with id...

pjrinaldi commented 1 year ago

sorting for global id is working (asc/dsc), so now i can implement the other columns as i feel like it when i jump back and forth between implementing other features and more file system functionality with fat and other file systems.

pjrinaldi commented 1 year ago

if i load the parent globalid with the loaddirectory, either in currentitem or with the functions, i can use the parent to search for children, i.e. "fat.0.4.*" or by opening fat.0.4 to get the layout to then parse the directory contents from the layout information stored in the file.

pjrinaldi commented 1 year ago

the search for children based on parent is working. need to get the layout info to read the current selected directory, then i think fat12/16 rootdir and its fat12/16 subdir will be working

pjrinaldi commented 1 year ago

got fat12/16 sub dir working, also got the code functioned to account for either the root dir or the sub dir. the only issue is the first double click of a child directory doesn't work, but the second one does. need to figure it out

pjrinaldi commented 1 year ago

userdata set for itemtype is the last itemtype i think, but that isn't right, cause it was working before when i would click on various other files listed in the root directory. i need to check if the fileval is working correctly.

pjrinaldi commented 1 year ago

removed userdata for itemtype, use iconid for the treelist icons to make the distinguishment between item type without having to store anything extra. now i am populating the right mouse click menu and finishing fat12/16 as well as other file systems and other features.

pjrinaldi commented 1 year ago

right click menu check/uncheck selected works. started on basic filtering functionality. my current implementation removes all non-matching items from what was displayed and only leaves what matched..

my other option is to see if i can change text color on a per row/cell basis which would require subclassing TableItem.

the other option is to open a new smaller table window which searches all parsed files, not just what is displayed and then lists them all together in a single table when they match... I think i like this one best, since it would provide the most useful results...
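Two earlier comments sketch `SortTable(&fileitems, int itemindex)` with the global id as the default column, and the comment above weighs a filter that searches everything parsed rather than only the displayed rows. The C++ below is an added example of both (not the project's code): a column-indexed comparator that falls back to global id for ties, an asc/desc toggle, and a filter that leaves the displayed vector untouched and returns matches for a separate results table. The FileItem layout, column enum and sample rows are constructed for the example.

```cpp
// Added example, not wombatforensics code: column sort with id tie-break and
// a filter over all parsed items that returns matches for a separate table.
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

struct FileItem { uint64_t gid; std::string name; uint64_t size; bool isdir; };  // hypothetical
enum Column { COL_ID = 0, COL_NAME = 1, COL_SIZE = 2 };

// Sorts in place by one column; the table is redrawn from the vector order, so
// no per-cell state is stored. Ties fall back to global id so redraws are stable.
void SortTable(std::vector<FileItem>* items, int column, bool ascending) {
    auto less = [column](const FileItem& a, const FileItem& b) {
        switch (column) {
            case COL_NAME: if (a.name != b.name) return a.name < b.name; break;
            case COL_SIZE: if (a.size != b.size) return a.size < b.size; break;
            default: break;                       // COL_ID: id only
        }
        return a.gid < b.gid;
    };
    if (ascending)
        std::sort(items->begin(), items->end(), less);
    else
        std::sort(items->begin(), items->end(),
                  [&less](const FileItem& a, const FileItem& b) { return less(b, a); });
}

// Substring filter over everything parsed so far, not only the rows on screen;
// the caller's display list is left intact and the matches go to their own table.
std::vector<FileItem> FilterAll(const std::vector<FileItem>& all, const std::string& needle) {
    std::vector<FileItem> out;
    for (const auto& it : all)
        if (it.name.find(needle) != std::string::npos) out.push_back(it);
    return out;
}

// Constructed sample rows (two share a size so the id tie-break is exercised).
std::vector<FileItem> SampleItems() {
    return {{1, "notes.txt", 77, false}, {2, "boot.bin", 512, false},
            {3, "docs", 0, true},        {4, "archive.zip", 512, false}};
}

// Names in table order after sorting the sample by a column and direction.
std::string NamesAfterSort(int column, bool ascending) {
    std::vector<FileItem> items = SampleItems();
    SortTable(&items, column, ascending);
    std::string s;
    for (const auto& it : items) s += (s.empty() ? "" : ",") + it.name;
    return s;
}
```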

pjrinaldi commented 1 year ago

Got initial category signature functionality in place. will have a ton of cat/sigs to implement, but at least it is working and i will implement them as I get to them. next up is viewers for files and continuing to implement sorting and filtering and every other feature i need to rebuild.

pjrinaldi commented 1 year ago

testing a display of a docx file works, sort of, a few files open without issue and a few others crash the program. funnily enough, the issue is with the zip_fopen_index function and not the xml parsing. need to look into this, including how much memory is in use and also if i need the iobuffer or can rather just go with the uint8_t* content

pjrinaldi commented 1 year ago

got rid of iobuffer, went with a simple uint8_t* and it all works fine. implemented tmp file functionality for when the file is larger than the memory parsing. got docx 2 plain text parsing. also implemented a deletetmpfiles function for when program exits to clean up some.
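The comment above mentions spilling file content to a tmp file when it is too large to parse in memory and a deletetmpfiles routine that cleans up at exit; an earlier comment has the case itself working in a /tmp/ folder that is removed afterwards. The C++ below is an added example of that pattern, not the project's code: a manager that creates a private scratch directory with mkdtemp (mode 0700 and an unpredictable name, so another local user cannot pre-create or read the files), keeps small content in memory, writes large content to a numbered tmp file, and removes the whole directory in DeleteTmpFiles and from its destructor. The threshold, class and file names are assumptions; the sample content is constructed.

```cpp
// Added example, not wombatforensics code: spill large content to a private
// tmp directory and remove it on exit.
#include <cstdint>
#include <cstdlib>
#include <filesystem>
#include <fstream>
#include <stdexcept>
#include <string>
#include <vector>
namespace fs = std::filesystem;

// Parsed content lives either in memory or, above a size threshold, on disk.
struct Content {
    std::vector<uint8_t> bytes;   // used when small
    fs::path tmpfile;             // used when large; empty otherwise
    bool OnDisk() const { return !tmpfile.empty(); }
};

class TmpFileManager {
public:
    explicit TmpFileManager(size_t threshold) : threshold_(threshold) {
        // mkdtemp creates the directory itself with mode 0700 and a random
        // suffix, which avoids predictable paths under the shared /tmp.
        std::string tmpl = (fs::temp_directory_path() / "wombat-XXXXXX").string();
        std::vector<char> buf(tmpl.begin(), tmpl.end());
        buf.push_back('\0');
        if (mkdtemp(buf.data()) == nullptr) throw std::runtime_error("mkdtemp failed");
        dir_ = buf.data();
    }
    ~TmpFileManager() { DeleteTmpFiles(); }

    Content Store(const uint8_t* data, size_t len) {
        Content c;
        if (len <= threshold_) { c.bytes.assign(data, data + len); return c; }
        c.tmpfile = dir_ / (std::to_string(++counter_) + ".tmp");
        std::ofstream f(c.tmpfile, std::ios::binary);
        f.write(reinterpret_cast<const char*>(data), static_cast<std::streamsize>(len));
        return c;
    }

    // Removes the whole scratch directory; safe to call more than once.
    void DeleteTmpFiles() {
        std::error_code ec;
        if (!dir_.empty()) fs::remove_all(dir_, ec);
        dir_.clear();
    }
    const fs::path& Dir() const { return dir_; }
private:
    fs::path dir_;
    size_t threshold_;
    uint64_t counter_ = 0;
};

// Constructed demos: 8 bytes stay in memory with a 16-byte threshold.
bool DemoSmallStaysInMemory() {
    TmpFileManager mgr(16);
    std::vector<uint8_t> small(8, 'a');
    Content c = mgr.Store(small.data(), small.size());
    return !c.OnDisk() && c.bytes.size() == 8;
}

// 64 bytes spill to a file inside the private dir, and the file is gone once
// the manager's destructor has run DeleteTmpFiles.
bool DemoLargeSpillsAndIsCleaned() {
    fs::path spilled;
    {
        TmpFileManager mgr(16);
        std::vector<uint8_t> large(64, 'b');
        Content c = mgr.Store(large.data(), large.size());
        spilled = c.tmpfile;
        if (!c.OnDisk() || !fs::exists(spilled) || fs::file_size(spilled) != 64) return false;
        if (spilled.parent_path() != mgr.Dir()) return false;
    }
    return !fs::exists(spilled);
}
```

Tying cleanup to the destructor covers normal exit and exceptions; a crash still leaves the directory behind, so a startup sweep of stale `wombat-*` directories owned by the current user is the usual complement.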

pjrinaldi commented 1 year ago

closing cause now i will open up individual tickets for what i'm working on.