
e-zero - helps manage e01 files

(@4144414d)

Hello all,

I made a small tool to help automate FTK Imager CLI. This is mostly to save me the human time of moving forensic images, verifying a bunch of images, or reacquiring them to save space.

I tried to make it run in parallel as much as possible, but only read or write once from a disk at a time. So if you have 2 source disks and 2 destinations it'll do 2 copies at a time, rather than 4, so that overall the copies go faster.

Hosted on GitHub so feel free to tell me how bad the code is!

https://4144414d.github.io/e-zero/

A quick preview

and it has a context menu for "Right Click Forensics"

Adam

 
Posted : 08/08/2015 4:47 pm
jaclaz
(@jaclaz)

Seems nice. ) (voted yes).

Cannot say how common the need is to verify "in bulk" a whole SAN (or whatever large storage media) filled with .E01 images, but the consolidating is probably the most useful feature.

I am failing (at first sight) to understand the *need* to use the thingy to re-acquire an image (in the sense of improvement over re-acquiring it directly with FTK CLI)?

Three things (two small typos and a philosophical question):

  1. the link to DOCOPT is not working
  2. terrabytes seem like a rather large unit of measure wink
  3. at its core, isn't it a (nice) Python script?

If #3 is correct, then maybe you could also provide just the script; while the self-contained installer is a nice idea, I believe that most of the "intended audience" will already have a Python interpreter installed (or add a link to the project page)
https://github.com/4144414D/e-zero

    jaclaz

 
Posted : 08/08/2015 10:20 pm
(@4144414d)

Should have gone with TERRORbytes! I did laugh to myself when I saw the link to docopt… <a href="LINK TO DOCOPT">docopt</a> thanks for the heads up on that one!

It sure is just a Python script; you can get the source by clicking the 'Download Source' button or you can follow the 'View on GitHub' link to get to the main project page, maybe I should make the icon bigger. (or just click here for the script). The other small benefit of the installer is that it sets up the context menu for verifying, but that's about it.

For me I do mostly use it for consolidation, connect a few drives and leave it over night and the two copies are ready in the morning.

The re-acquire is mostly because it's offered by the FTK Imager, so I thought why not, maybe one day someone will need to compress 10+ images at once. I think I've only used it once myself.

Adam

 
Posted : 09/08/2015 1:04 am
jaclaz
(@jaclaz)

The other small benefit of the installer is that it sets up the context menu for verifying, but that's about it.

Yep, which is something that can be seen as a feature ) or as an annoyance ( , being like beauty in the eye of the beholder.
Not a criticism of your thingy, mind you; only, if I had right-click menu provision for each program I have on my machine I would probably need a second monitor to allow all of them to show.

jaclaz

 
Posted : 09/08/2015 4:27 pm
(@4144414d)

Yep, which is something that can be seen as a feature ) or as an annoyance ( , being like beauty in the eye of the beholder.
Not a criticism of your thingy, mind you; only, if I had right-click menu provision for each program I have on my machine I would probably need a second monitor to allow all of them to show.

jaclaz

Good point - I can probably make it optional during the installer. Then at least it gives the user the choice.

 
Posted : 09/08/2015 6:15 pm
(@4144414d)

jaclaz - I've set up the context menu to be optional now. Anything else you think should be changed/added/improved?

Thanks again!

 
Posted : 10/08/2015 10:53 pm
(@hydrocloricacid)

Works great. Will be very useful for the consolidation and mass verification of evidence.

FYI (from e-zero help page)

Note
FTKi CLI does not support the verification of ad1, L01, Lx01, or Ex01
images. As such e-zero is only able to copy these files and cannot
verify them. Please let me know if you are aware of a command line
tool that can verify these formats.

I know you can use ewfverify of the ewflib tools and it will try to verify an L01, but as L01 files don't contain a hash to verify it just creates a hash of the content.
This could be useful to make sure you have a hash for your L01 files. (log the hash to a file when verifying)

AD1 seems a lot better than L01 being that it stores hashes that can be verified, pity Encase still doesn't support AD1 like most products do as it would make my job a lot easier. 😉

 
Posted : 02/09/2015 6:14 am
Bulldawg
(@bulldawg)

I like this, and I plan to use it in my archiving routine once the kinks are worked out.

I'm having an issue with the verify routine. It works fine when the E01 files verify without error, but when I throw it at a set of segmented E01 files that I know have CRC errors and md5 hash mismatches I get the following:

C:\Users\XXX_Lab\e-zero-master\e-zero python>python e-zero.py verify F:\2014-00-00_00-00-00\

Total images: 1
Total sources: 1
Total size: 183GB

2015-09-03 21:15:00 ftkimager.exe --verify "F:\2014-00-00_00-00-00\XX-0000-XXXX.E01"
Traceback (most recent call last):
  File "e-zero.py", line 443, in <module>
    verify(arguments)
  File "e-zero.py", line 372, in verify
    dispatcher(False,True,[],files)
  File "e-zero.py", line 350, in dispatcher
    elif sha1_match.group(1) == 'Match':
AttributeError: 'NoneType' object has no attribute 'group'

My installation is this:
Python 2.7.10 running on Windows Server 2012 R2 x64. I have e-zero.py, docopt.py, and ftkimager CLI all located in the same directory. You can see I'm running it with the line "python e-zero.py verify <target folder>"

Any ideas?

 
Posted : 04/09/2015 3:57 am
(@4144414d)

Bulldawg - Thanks for that. I do love a good bug, thank you for letting me know. I think I know exactly what the problem is. Your image probably doesn't have an embedded md5 or a sha1 (i.e. it only has one) and my logic for dealing with that is wrong!

This is the line that is broken:
if md5_match or sha1_match:
Which basically means if we have either a valid MD5 or a valid SHA1 then we can continue and look for the matches. Which will give you an error if the MD5 works but the SHA1 doesn't: it looks for the match.group(1) which doesn't exist.

In this part:
#Line 345
md5_match = md5_regex.search(result[3])
sha1_match = sha1_regex.search(result[3])
if md5_match or sha1_match:
    if md5_match.group(1) == 'Match':
        verified_md5_only.append(result[2])
    elif sha1_match.group(1) == 'Match':
        verified_sha1_only.append(result[2])
    else:
        failed_to_verify.append(result[2])

If you need a fix quickly I think changing those lines to this should work. I haven't tested it properly enough yet, but I'll commit it to GitHub soon.


md5_match = md5_regex.search(result[3])
sha1_match = sha1_regex.search(result[3])
if md5_match:
    if md5_match.group(1) == 'Match':
        verified_md5_only.append(result[2])
elif sha1_match:
    if sha1_match.group(1) == 'Match':
        verified_sha1_only.append(result[2])
else:
    failed_to_verify.append(result[2])

If you could run ftkimager.exe outside of e-zero and let me know the output that will be very helpful as well, so I can test the regex my end a bit more. So this:
ftkimager.exe --verify "F:\2014-00-00_00-00-00\XX-0000-XXXX.E01"

Otherwise, if you go to the previous version of the script, before I tried to implement this whole MD5 or SHA1 matching, it should work. https://github.com/4144414D/e-zero/blob/146f7d4bdd24ca989b111c675467db229b78b857/e-zero%20python/e-zero.py

 
Posted : 06/09/2015 3:34 pm
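The None-handling bug discussed in the post above, reproduced and corrected as an added example (this is not e-zero's own code; the ftkimager --verify output layout, the two regexes and the sample outputs are constructed assumptions for the demonstration):

```python
import re

# Assumed layout (constructed; the real ftkimager --verify text and e-zero's own
# regexes are not on the page): one [MD5] / [SHA1] section per embedded hash, each
# ending in a "Verify result" line. "[^\[]*?" keeps a match inside its own section.
MD5_RE = re.compile(r"\[MD5\][^\[]*?Verify result:\s*(\w+)")
SHA1_RE = re.compile(r"\[SHA1\][^\[]*?Verify result:\s*(\w+)")

# Constructed sample outputs (hashes are those of the empty string).
BOTH_OK = ("[MD5]\n Stored hash: d41d8cd98f00b204e9800998ecf8427e\n Verify result: Match\n"
           "[SHA1]\n Stored hash: da39a3ee5e6b4b0d3255bfef95601890afd80709\n"
           " Verify result: Match\n")
SHA1_ONLY = ("[SHA1]\n Stored hash: da39a3ee5e6b4b0d3255bfef95601890afd80709\n"
             " Verify result: Match\n")
MD5_BAD = BOTH_OK.replace("Verify result: Match\n[SHA1]", "Verify result: Mismatch\n[SHA1]")

def buggy_classify(output):
    """The thread's original logic: 'or' admits a lone SHA1, then .group(1) is called
    on a None md5_match (AttributeError); an MD5 mismatch also falls through to SHA1."""
    md5_match = MD5_RE.search(output)
    sha1_match = SHA1_RE.search(output)
    if md5_match or sha1_match:
        if md5_match.group(1) == "Match":
            return "md5"
        elif sha1_match.group(1) == "Match":
            return "sha1"
    return "failed"

def classify(output):
    """Check every hash actually present; any mismatch fails the image outright."""
    results = {name: m.group(1) for name, m in
               (("md5", MD5_RE.search(output)), ("sha1", SHA1_RE.search(output)))
               if m is not None}
    if not results:
        return "no_hash"            # nothing embedded to verify against: cannot verify
    if any(v != "Match" for v in results.values()):
        return "failed"
    return "both" if len(results) == 2 else next(iter(results)) + "_only"

def buggy_raises(output):
    """True when the original logic crashes on this output, as in Bulldawg's traceback."""
    try:
        buggy_classify(output)
    except AttributeError:
        return True
    return False
```

Note that on the MD5_BAD sample the original logic does not crash but reports the image as SHA1-verified, which for an evidence archive is worse than the traceback.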
(@4144414d)

Bulldawg - This should hopefully fix your issue, my 'temp' fix also didn't work, so please try this one instead. Seems to work with my test data but I'd be really keen to see if it works on your image.

https://github.com/4144414D/e-zero/blob/master/e-zero%20python/e-zero.py#L345-L357

 
Posted : 06/09/2015 6:01 pm