A software to show in a tree the FTK Imager filelists?

  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Mon Jan 13, 2014 3:28 pm

- jaclaz
As I see it (but as said it's just my personal opinion) .Net=EVIL, but of course if it is not possible (or not convenient) to avoid using it, it is fine as well :), but it is - still IMHO - the worst possible choice (if a choice is available).

I'm pretty happy with .NET because of how easy it is to customize controls or to find many ready third-party ones. I wrote extensive .NET libraries for reading/writing binary data that, like in this case, would become a necessity since the built-in I/O functions available (same for those in Java or C++) are way too slow at handling text files: reading a filelist with 700k entries (200mb) on my machine takes more than one minute (!) with the built-in functions while just a couple of seconds with custom code with proper buffering.

- jaclaz

As a generic (again personal) opinion anything that has "dual panes" (not necessarily MDI) is useful when comparing file lists, think of *any* OFM :
www.softpanorama.org/O...ndex.shtml

I started writing the project in C++, with a listview and a tree side-panel on the left, very similar to the FTK Imager interface. With MDI you can put the internal windows side by side for comparison or you can use two program instances for the same result. I used a custom library (EZUTF) for dealing with the text files due to the built-in functions taking minutes. I almost finished the code to read all the entries; then the rest should hopefully be easy.

- jaclaz

I am not sure to have fully understood the .csv (actually .tsv) file issue, I mean, does FTK Imager actually produce plain text Tab delimited files in the size of hundreds of megabytes?

Yes, when you create an image with FTK and check the option to create a list of the files it creates those huge text files. There doesn't seem to be an option to export in any other format.

- jaclaz

A Java based solution will most probably be slowish (and possibly cause another series of issues with the exact Java runtime needed/available), OT, but not much, one of the few programs that I know of that can actually manage very large "plain" databases is actually written in Java (and is slowish):
record-editor.sourcefo...cord02.htm

I'll have a look if I can find a suitable "native" component.

I was also (laterally) thinking about *something else*, like mixing (liberally) these two projects:
code.google.com/p/mssqlfs/
sourceforge.net/projects/plisgo/
but of course it is not worth it for this single "quick and dirty" app you devised.


Maybe there won't be a need for a database, I think parsing all the data could be done in an acceptable time if I write the code for parsing all the strings. The code could also be ported on one of those userfs filesystem drivers for Windows and have the structure shown in explorer but it wouldn't have much use since you couldn't interact with any of the files.

francesco
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Mon Jan 13, 2014 10:27 pm

I know it's not exactly what you were after (it will only read from an existing directory, not from the FTK Imager CSV files), but I really like using Snap2HTML. It's easy to create really nice looking (searchable) directory trees with an HTML template.  

rarosalion
Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Tue Jan 14, 2014 6:18 pm

Have you considered using the FTK Imager file listing to actually recreate the file system? I've done this in the past.

Just loop through the csv file and create 0 byte files retaining the directory structure and file names/extensions. If you want, you can even set the MAC times of the files so they match the csv.

It's not as clean as a separate app that will read the csv, but it does allow someone to browse around a file/directory structure and it takes virtually no space.  

chad131
Senior Member
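
The approach chad131 describes above, sketched as an added example (not code from the thread or from any poster): read the tab-delimited file list, create zero-byte placeholders in the same directory structure, and copy the Modified/Accessed times onto them. The column names (`Full Path`, `Modified`, `Accessed`), the timestamp format, the sample rows and the function names are assumptions made for illustration; path components such as `..` are dropped so a listing entry cannot be written outside the output folder.

```python
import csv, io, os, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

T0, T1 = "2014-Jan-10 09:15:00.000000 UTC", "2014-Jan-13 15:28:41.000000 UTC"
# Constructed sample listing; column names and timestamp format are assumptions.
SAMPLE = "\n".join("\t".join(r) for r in [
    ("Filename", "Full Path", "Size (bytes)", "Created", "Modified", "Accessed", "Is Deleted"),
    ("alice", r"EVID01\[root]\Users\alice", "0", T0, T0, T0, "no"),
    ("report.docx", r"EVID01\[root]\Users\alice\report.docx", "48213", T0, T1, T0, "no"),
    ("evil.txt", r"..\..\evil.txt", "5", T0, T0, T0, "no"),
])

def safe_parts(full_path):
    """Split a listing path into components that are safe to create locally."""
    # Dropping '', '.' and '..' keeps every entry inside the output root.
    kept = [p for p in re.split(r"[\\/]+", full_path) if p.strip() not in ("", ".", "..")]
    return [re.sub(r'[<>:"|?*]', "_", p) for p in kept]  # e.g. ':' in a stream name

def parse_ts(text):
    """Return epoch seconds for the assumed timestamp form, or None if it does not parse."""
    try:
        dt = datetime.strptime(text.strip(), "%Y-%b-%d %H:%M:%S.%f UTC")
    except ValueError:
        return None
    return dt.replace(tzinfo=timezone.utc).timestamp()

def rebuild(listing, out_root):
    """Create a zero-byte skeleton of the listing under out_root; return files created."""
    rows = list(csv.DictReader(listing, delimiter="\t", quoting=csv.QUOTE_NONE))
    paths = [safe_parts(r["Full Path"]) for r in rows]
    dirs = {tuple(p[:i]) for p in paths for i in range(1, len(p))}  # prefixes are dirs
    created = 0
    for row, parts in zip(rows, paths):
        target = Path(out_root).joinpath(*parts)
        if not parts or tuple(parts) in dirs:
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
        atime, mtime = parse_ts(row["Accessed"]), parse_ts(row["Modified"])
        if atime is not None and mtime is not None:
            os.utime(target, (atime, mtime))  # Created time needs a platform-specific API
        created += 1
    return created

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as out:
        print(rebuild(io.StringIO(SAMPLE), out), "placeholder files created")
```
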
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Tue Jan 14, 2014 7:01 pm

- chad131
Have you considered using the FTK Imager file listing to actually recreate the file system? I've done this in the past.

Just loop through the csv file and create 0 byte files retaining the directory structure and file names/extensions. If you want, you can even set the MAC times of the files so they match the csv.

It's not as clean as a separate app that will read the csv, but it does allow someone to browse around a file/directory structure and it takes virtually no space.

This would be an interesting approach, but how will the user be able to view (besides the directory structure) the actual data in the "source" .csv?
IF the data in the .csv is within the limits of the available space, see:
www.forensicfocus.com/...c/t=10403/
one could use a NTFS filesystem and store the data in the same $MFT entry, i.e. using 1024 bytes per record, and if it would be possible to make a NTFS filesystem with the $MFT starting on cluster 2 (16 sectors before for the $boot), as I have seen a few examples recently (but without a definite answer on what OS/tool can make them) we could have a volume which is made of just the NTFS filesystem "standard" $-prefixed files.
As a matter of fact a filesystem is a database and vice versa, in theory one could make a "filesystem driver" to mount directly the .csv as if it was a volume, as Francesco mentioned before.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Tue Mar 04, 2014 7:55 pm

NOT really useful/connected with the topic, but I happened to find casually this thingy here:
www.primitivezone.com/...dexer.html

that seems nice (creating "disk contents lists" browsable in an Explorer like interface) using a .pdi file (which is nothing but a .mdb JET database file).
It could maybe be of inspiration.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Thu Mar 06, 2014 9:11 pm

- jaclaz
NOT really useful/connected with the topic, but I happened to find casually this thingy here:
www.primitivezone.com/...dexer.html

that seems nice (creating "disk contents lists" browsable in an Explorer like interface) using a .pdi file (which is nothing but a .mdb JET database file).
It could maybe be of inspiration.

jaclaz


Whoops, sorry for the lack of updates, the last month has been a mess. I had the program working but it still needs folder icons, localization removal, some error handling and an MDI file browser template from an older version of Visual Studio (the executable is currently 4Mb if I compile the latest C++ runtime statically but I use none of the new MFC features).



If anybody needs it already just PM me.  

francesco
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Sat Mar 22, 2014 1:56 am

If somebody happens to have Visual Studio 2008 still installed (it can't be downloaded any longer) I'd need the files of an empty MFC MDI (Multiple documents) project created with the "Windows Explorer" style option, because the newer Visual Studio versions add a lot of bloat to the executables when the VCRT is linked statically due to the new ribbon/dock styling system.  

Last edited by francesco on Mon Apr 14, 2014 10:08 pm; edited 1 time in total

francesco
Senior Member
 
 

Page 3 of 4