A software to show in a tree the FTK Imager filelists?


Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Sat Mar 22, 2014 10:58 am

- francesco
I uploaded a first test build here.

If somebody happens to have Visual Studio 2008 still installed (it can't be downloaded any longer) I'd need the files of an empty MFC MDI (Multiple documents) project created with the "Windows Explorer" style option, because the newer Visual Studio versions add a lot of bloat to the executables when the VCRT is linked statically due to the new ribbon/dock styling system.

If the "express" edition is OK, you can still get it through Wayback Machine:
web.archive.org/web/20.../Download/
download.microsoft.com...504728.iso

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Mon Apr 14, 2014 10:08 pm

- jaclaz

If the "express" edition is OK, you can still get it through Wayback Machine:
web.archive.org/web/20.../Download/
download.microsoft.com...504728.iso

jaclaz


Unfortunately Visual Studio Express ships without MFC. It was the tab switchbar that required all the additional MFC feature pack code so I was forced to switch back to a SDI project to solve the issue.

I uploaded a test version of the tool here, now also with the proper deleted entries overlays.  

francesco
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Sun Apr 20, 2014 12:07 pm

Can you upload *somewhere* or add into the tool download a "sample" .csv file?
I would like to have a look at such a .csv to explore in a non-FTK creation of the .csv and/or following the idea chad131 hinted.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Mon Apr 21, 2014 1:28 am

- jaclaz
Can you upload *somewhere* or add into the tool download a "sample" .csv file?
I would like to have a look at such a .csv to explore in a non-FTK creation of the .csv and/or following the idea chad131 hinted.

jaclaz


You can create filelists from FTK Imager without having to create a forensic image: when you right-click a mounted physical/logical drive in the evidence tree you can generate a filelist from it. I uploaded a small example filelist here. It's easy to generate a real filesystem tree from the filelist but eventually you'll run into issues with the Windows path limit (260 characters). You could store all the tree in a ZIP archive to work around the path length limit but then you'd run into other problems with deleted and duplicated entries: there can be several different versions of files and folders, however it seems to be impossible to associate the correct file to every folder revision since they're not printed in order (that and files with streams being printed just like directories seem to be two major issues in the FTK filelist format).

francesco
Senior Member
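
An added example (not part of the thread and not francesco's tool) of the two problems described in the post above: it builds the tree in memory from a filelist instead of on disk, keeps every row for a path that is listed more than once, and reports which paths would hit the 260-character limit if recreated under a destination folder. The tab-separated layout, the column names, the yes/no deleted flag and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

MAX_PATH = 260  # Windows path limit mentioned in the post

# Assumed layout: tab-separated with a header row; only the columns used here.
HEADER = ("Filename", "Full Path", "Size (bytes)", "Is Deleted")
DEEP = "vol\\[root]\\" + "\\".join(["nested_directory_name"] * 12) + "\\a.txt"
ROWS = [  # constructed sample rows, not real evidence
    ("docs", "vol\\[root]\\docs", "0", "no"),
    ("report.doc", "vol\\[root]\\docs\\report.doc", "1024", "no"),
    ("report.doc", "vol\\[root]\\docs\\report.doc", "512", "yes"),  # second revision
    ("a.txt", DEEP, "10", "no"),
]
SAMPLE = "\n".join("\t".join(r) for r in (HEADER, *ROWS)) + "\n"

def load_entries(text, delimiter="\t"):
    """Parse the listing into dict rows keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))

def build_tree(entries):
    """Nested-dict tree; each node keeps every row seen for its path, so
    duplicate and deleted revisions are preserved instead of overwritten."""
    root = {"children": {}, "rows": []}
    for row in entries:
        node = root
        for part in filter(None, row["Full Path"].split("\\")):
            node = node["children"].setdefault(part, {"children": {}, "rows": []})
        node["rows"].append(row)
    return root

def duplicate_paths(entries):
    """Paths listed more than once, compared case-insensitively."""
    counts = Counter(row["Full Path"].lower() for row in entries)
    return sorted(path for path, n in counts.items() if n > 1)

def over_path_limit(entries, dest_root):
    """Paths that would reach the limit if recreated on disk under dest_root."""
    return [row["Full Path"] for row in entries
            if len(dest_root) + 1 + len(row["Full Path"]) >= MAX_PATH]

if __name__ == "__main__":
    entries = load_entries(SAMPLE)
    print("duplicates:", duplicate_paths(entries))
    print("too long  :", len(over_path_limit(entries, "C:\\export")))
```
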
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Mon Apr 21, 2014 6:06 pm

- francesco

You can create filelists from FTK imager without having to create a forensic image: when you right-click a mounted physical/logical drive in the evidence tree you can generate a filelist from it. I uploaded a small example filelist here.

Thanks.
- francesco

It's easy to generate a real filesystem tree from the filelist but eventually you'll run into issues with the Windows path limit (260 characters). You could store all the tree in a ZIP archive to work around the path length limit but then you'd run into other problems with deleted and duplicated entries: there can be several different versions of files and folders, however it seems to be impossible to associate the correct file to every folder revision since they're not printed in order (that and files with streams being printed just like directories seem to be two major issues in the FTK filelist format).

Yep, I had expected a much more "complex" and "complete" set of data in it, it is pretty much basic.

I did a few experiments, and you are right, the result is pretty much "unuseful" anyway, though (will have to check better) while playing with it I found a *nice* "bug" (or "feature") of my XP's Explorer.
If I "touch" a file or a folder to 19800101 00:00:00.0000000 with sfk:
stahlworks.com/dev/swi...knife.html
the file/folder appears in Explorer as having NO Creation/Modified/Accessed file date/time.
Of course using another file manager, like 7-zip, or using DIR from command prompt, everything goes back to normality.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Tue Apr 22, 2014 12:56 am

Very neat little tool, thanks francesco

I quite often get clients who ask for exactly this, I've downloaded and tested and will definitely be using this in the future.  

Adam10541
Senior Member
 
 
  

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Wed Apr 23, 2014 11:07 am

The plot thickens.
I am having/have had quite a bunch of other "queer" behaviour.
In order to not hijack this topic, I created a new one on reboot.pro:
reboot.pro/topic/19746...behaviour/
as its nature seems to me "generic" OS/filesystem related and - at the moment - forensics implications are nowhere to be seen.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
