sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

VLC Parser from issue #2034 #2085

Closed marcus6n closed 3 months ago

marcus6n commented 4 months ago

Suggestion for improvement of Issue #2034 regarding a new analysis feature for the vlc-qt-interface.ini file, extracting information about recently opened files.

lfcnassif commented 4 months ago

Thanks @marcus6n!

lfcnassif commented 3 months ago

@marcus6n, one question: how did you get the sample pushed here? I collected 108 samples from real past cases and all of them use a different format in the relevant content section...

marcus6n commented 3 months ago

@lfcnassif I wrote this test file that I used to get the recent media that was opened using the VLC media player, but as I didn't generate a file directly from my VLC, I believe I may not have put the correct section to be analyzed.

I can download VLC again and generate a test file to update the sections that will contain the information we need returned.

marcus6n commented 3 months ago

@lfcnassif I got the vlc-qt-interface.ini with the correct information:

[General]
geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x2\0\0\xff\xff\xff\xf5\xff\xff\xff\xf5\0\0\a\x8a\0\0\x4r\0\0\x2\x94\0\0\x1\x62\0\0\x4\xeb\0\0\x3\x5\0\0\0\0\x2\0\0\0\a\x80)
filedialog-path=@Variant(\0\0\0\x11\0\0\0\x1e\x63:%5CUsers%5Cteste%5CDocuments)
updatedate=@Variant(\0\0\0\xe\0%\x8a\xe5)

[FullScreen]
pos=@Point(0 0)
screen=@Rect(0 0 0 0)
wide=false

[MainWindow]
pl-dock-status=true
playlist-visible=false
adv-controls=0
status-bar-visible=false
bgSize=@Size(1920 1010)
playlistSize=@Size(-1 -1)

[RecentsMRL]
list=file:///C:/Users/teste/Desktop/Um%20churrasco%20diferenciado%20%EF%BD%9C%20Shark%20Tank%20Brasil%20%5BYRMN8tm1zJM%5D.webm, file:///C:/Users/teste/Desktop/TESTEI%20INTELIG%C3%8ANCIA%20ARTIFICIAL%20DO%20S24%20ULTRA%20%E2%80%B9%20EduKof%20%E2%80%BA%20%5Bx2TOevkEpsk%5D.webm, file:///C:/Users/teste/Desktop/App%20MyGoals%20%EF%BD%9C%20React%20Native%20na%20Pr%C3%A1tica%20%EF%BD%9C%20Aula%2002%20%5BFdoq7I39xOI%5D.mkv, file:///C:/Users/teste/Desktop/Cook%20app%20%EF%BD%9C%20React%20Native%20na%20Pr%C3%A1tica%20%EF%BD%9C%20Aula%20%2301%20%5BxmtDatG6SZk%5D.mkv, file:///C:/Users/teste/Desktop/PILL%EF%BC%9A%20%EF%BC%82N%C3%A3o%20existe%20estabilidade%20na%20%C3%A1rea%20de%20tecnologia%EF%BC%82%20%5BxA8g1mappsM%5D.webm
times=494728, 410790, 4461088, 7588506, 575083

[Update]
geometry=@ByteArray(\x1\xd9\xd0\xcb\0\x2\0\0\0\0\x2\xc6\0\0\x1\x9e\0\0\x4\xb9\0\0\x2\xc9\0\0\x2\xc6\0\0\x1\x9e\0\0\x4\xb9\0\0\x2\xc9\0\0\0\0\0\0\0\0\a\x80)

The correct section to read and return recent media is [RecentsMRL] and not [RecentMedia], sorry for the mistake.

lfcnassif commented 3 months ago

Thanks @marcus6n for your quick response, so I'll remove the incorrect code.

lfcnassif commented 3 months ago

Now all crawled 108 samples are parsed correctly. One important thing is left: [image]

We should convert those numbers to a meaningful Date, but I don't know what they mean (Unix epoch, etc.). @marcus6n, could you research what date format is used above? I also ask you to replace the test file with the correct one and to write a proper unit test for the new parser after my fixes; you can take a look at other existing tests.

lfcnassif commented 3 months ago

Maybe those numbers are related to media duration? They don't seem to be dates: 40867, 137646, 649541 & 2824851, for example.

marcus6n commented 3 months ago

Exactly, that times=xxxxxx is the duration of the file, in this case the video played.

lfcnassif commented 3 months ago

Exactly, that times=xxxxxx is the duration of the file, in this case the video played.

Have you double-checked it with your files? Because I have many samples where those numbers are zero for videos (maybe those videos are corrupted).

PS: Is it in milliseconds?

lfcnassif commented 3 months ago

PS2: Or maybe those numbers are the played video time?

wladimirleite commented 3 months ago

PS2: Or maybe those numbers are the played video time?

I replied in the issue: https://github.com/sepinf-inc/IPED/issues/2034#issuecomment-2008376993.

marcus6n commented 3 months ago

@lfcnassif That's right, it's in milliseconds.
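
The following is an added example, not code from this PR or from IPED (whose parser is written in Java): a small Python reader for the vlc-qt-interface.ini sample posted above. It reads the [RecentsMRL] section (not [RecentMedia]), percent-decodes each file MRL into a readable path, and pairs it with the matching value in times, which the thread settles on as milliseconds; whether that value is the media duration or the played position is left to the reader, as the thread itself discusses both. Assumptions made here and labelled in the code: the list entries are joined by ", " with commas inside names percent-encoded, times has one integer per entry, a value of 0 is kept rather than dropped, and the sample input is a constructed, shortened copy of the one posted (its third entry is invented to exercise the times=0 case lfcnassif mentions). Function names such as parse_qt_ini, mrl_to_path and parse_recents are this example's own.

```python
"""Added example (not IPED's parser): list recent media from VLC's vlc-qt-interface.ini.

Assumptions (from the PR thread, not from VLC documentation):
  * the section is [RecentsMRL]; 'list' holds MRLs joined by ', ' and any comma
    inside a name is percent-encoded, so splitting on ', ' is safe;
  * 'times' holds one integer per entry, in milliseconds; 0 is kept as 0;
  * values are left verbatim, no decoding of Qt's @Variant/@ByteArray wrappers.
"""
import re
from datetime import timedelta
from urllib.parse import unquote, urlsplit

# Constructed sample, trimmed from the file posted in this PR. The third entry is
# invented to show how a "times" value of zero (seen in real samples) is reported.
SAMPLE_INI = r"""[General]
filedialog-path=@Variant(\0\0\0\x11\0\0\0\x1e\x63:%5CUsers%5Cteste%5CDocuments)

[RecentsMRL]
list=file:///C:/Users/teste/Desktop/Um%20churrasco%20diferenciado%20%EF%BD%9C%20Shark%20Tank%20Brasil%20%5BYRMN8tm1zJM%5D.webm, file:///C:/Users/teste/Desktop/Cook%20app%20%EF%BD%9C%20Aula%20%2301%20%5BxmtDatG6SZk%5D.mkv, file:///C:/Users/teste/Desktop/broken.mp4
times=494728, 7588506, 0
"""


def parse_qt_ini(text):
    """Minimal INI reader: {section: {key: raw_value}}. Unlike configparser it never
    interpolates '%', which the percent-encoded MRLs would otherwise trip over."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # tolerate junk: an evidence file should never abort the parse
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def mrl_to_path(mrl):
    """Percent-decode a file:// MRL; Windows paths come out of urlsplit as /C:/..., so
    the leading slash is dropped. Non-file MRLs (http, dvd, ...) are only decoded."""
    parts = urlsplit(mrl)
    if parts.scheme != "file":
        return unquote(mrl)
    path = unquote(parts.path)
    if re.match(r"^/[A-Za-z]:/", path):
        path = path[1:]
    return path


def parse_recents(text):
    """Return one dict per recent entry: mrl, decoded path, played_ms (None when
    'times' has no matching value) and played as a timedelta."""
    recents = parse_qt_ini(text).get("RecentsMRL")  # RecentsMRL, not RecentMedia
    if not recents:
        return []
    mrls = [m.strip() for m in recents.get("list", "").split(", ") if m.strip()]
    times = [t.strip() for t in recents.get("times", "").split(",") if t.strip()]
    entries = []
    for i, mrl in enumerate(mrls):
        ms = int(times[i]) if i < len(times) and times[i].lstrip("-").isdigit() else None
        entries.append({
            "mrl": mrl,
            "path": mrl_to_path(mrl),
            "played_ms": ms,
            "played": timedelta(milliseconds=ms) if ms is not None else None,
        })
    return entries


if __name__ == "__main__":
    for e in parse_recents(SAMPLE_INI):
        print(f"{str(e['played']) if e['played'] is not None else '?':>16}  {e['path']}")
```

A mismatch between the number of MRLs and the number of times values is reported as played_ms None rather than raised, so a truncated or hand-edited file still yields the paths, which are usually the more valuable artifact.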

marcus6n commented 3 months ago

@lfcnassif I fixed the code in the test file https://github.com/sepinf-inc/IPED/pull/2085/commits/ec562be7e50f38793866597e8c8421ebbb373d17 and created the unit test https://github.com/sepinf-inc/IPED/pull/2085/commits/540d0725c8cbed0bb8a78b31715916ee28e93c2a. Everything should be working smoothly now. Looking forward to your feedback!

lfcnassif commented 3 months ago

PS: please also close the opened InputStream.

lfcnassif commented 3 months ago

You can focus on #2135 testing.

marcus6n commented 3 months ago

OK, I'll focus on this issue. Thanks for the PR review and fix.