sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Handle new UFDR attachment's extracted path #2149

Closed marcosammoura closed 2 months ago

marcosammoura commented 3 months ago

Refers to issue #2028

Analysis of report.xml files in UFDR reports generated by PA 8.7.100.106 and PA 10.0.100.93 has shown that the attachment_extracted_path field for some instant message attachments points to non-existent files.

I have made the following main changes to the UfedXmlReader class so that the correct attachment path is set, according to path information obtained using the file_id attachment attribute:

1- ufedFileIdToLocalPath HashMap was created to hold the Local Path information corresponding to each file tag within the report (file tag id attribute is the key and Local Path is the value)

2- handleAttachment method was changed so that if extracted_path is non-existent, file_id attachment attribute is used to get the file path stored within the ufedFileIdToLocalPath HashMap, which then is set as the extracted_path

With such changes in place I have successfully processed IPED cases configured to use external phone parsers in which there were broken links to some chats' attachments.
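The lookup described in this PR, as an added stand-alone illustration in Python rather than IPED's Java UfedXmlReader; the XML element and attribute names (a `file` element with an `id`, a `Local Path` metadata item, a `model type="Attachment"` with a `file_id` attribute and an `attachment_extracted_path` field) are assumptions approximating a UFDR report.xml, not a verified schema, and the set of "present" paths is constructed so the example runs without an extraction on disk:

```python
"""Resolve UFDR attachment paths via a file_id -> Local Path map (constructed example)."""
import xml.etree.ElementTree as ET

# Constructed report fragment; element and attribute names approximate a UFDR
# report.xml and are assumptions, not a verified schema.
REPORT_XML = """<report>
  <file id="f1"><metadata section="File">
    <item name="Local Path">files/Image/img1.jpg</item></metadata></file>
  <file id="f2"><metadata section="File">
    <item name="Local Path">files/Video/vid2.mp4</item></metadata></file>
  <model type="Attachment" file_id="f1">
    <field name="attachment_extracted_path"><value>files/Image/img1.jpg</value></field>
  </model>
  <model type="Attachment" file_id="f2">
    <field name="attachment_extracted_path"><value>files/Video/moved.mp4</value></field>
  </model>
  <model type="Attachment" file_id="f3">
    <field name="attachment_extracted_path"><value>files/Audio/gone.opus</value></field>
  </model>
</report>"""

# Constructed set of paths present in the extraction, standing in for os.path.exists.
PRESENT = {"files/Image/img1.jpg", "files/Video/vid2.mp4"}

def build_file_id_to_local_path(root):
    """Map each <file> id to its 'Local Path' item (the ufedFileIdToLocalPath idea)."""
    mapping = {}
    for f in root.iter("file"):
        item = f.find("metadata/item[@name='Local Path']")
        if f.get("id") and item is not None and item.text:
            mapping[f.get("id")] = item.text.strip()
    return mapping

def resolve_attachment_paths(xml_text, exists=PRESENT.__contains__):
    """Return {file_id: path}: keep extracted_path if it exists, else fall back via file_id."""
    root = ET.fromstring(xml_text)
    id_to_path = build_file_id_to_local_path(root)
    resolved = {}
    for model in root.iter("model"):
        if model.get("type") != "Attachment":
            continue
        fid = model.get("file_id")
        val = model.find("field[@name='attachment_extracted_path']/value")
        extracted = val.text.strip() if val is not None and val.text else None
        if extracted and exists(extracted):
            resolved[fid] = extracted          # original link is fine
        elif fid in id_to_path and exists(id_to_path[fid]):
            resolved[fid] = id_to_path[fid]    # stale link repaired through file_id
        else:
            resolved[fid] = None               # still unresolved: leave it visibly broken
    return resolved
```

When neither the recorded extracted_path nor the file_id lookup resolves to a present file, the attachment is left unlinked rather than pointed at a guess, so the examiner sees the gap instead of a wrong file.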

lfcnassif commented 3 months ago

Thank you @marcosammoura for this contribution! I'll try to review it in the next week. But I would need some UFDR samples from PA 8 or 10 for testing, I don't have any. For those who can help, please send a private link to me, thanks.

patrickdalla commented 2 months ago

Hi @marcosammoura , Nassif asked me to test and review this. Though I have processed one case with Inseyets, and for this case I could not find any occurrence of the problem you solved. Could you provide me with some problematic sample case?

patrickdalla commented 2 months ago

Have you processed these problematic cases with PA 7. or older? Maybe this is not a problem specific to IPED processing PA 8..

I suppose that it can occur when the file is moved from the original folder where the IM app downloaded it, so it does not exist there anymore, but its file id can be used to find its new path.

patrickdalla commented 2 months ago

@lfcnassif I approved this correction.

lfcnassif commented 2 months ago

Thanks @patrickdalla! Last week I got a few UFDRs generated by PA 10 from a colleague. I'll share them with you. Ideally we should reproduce the issue to be sure this proposal fixes it. If @marcosammoura could share a triggering sample UFDR privately, that would help a lot.

patrickdalla commented 2 months ago

I found a triggering sample from the cases you sent me and the solution implemented by @marcosammoura worked, as I have reported to you via Teams.

lfcnassif commented 2 months ago

Thanks @patrickdalla for reproducing the issue and confirming the fix and thanks @marcosammoura for submitting this PR!