A software to show in a tree the FTK Imager filelists?

(@francesco)
Posts: 79
Trusted Member
Topic starter
 

Update: I wrote a tool for loading the filelists and made it freely available here.

The text below is the original forum post

As the title says, I'm looking for a software that can load the FTK Imager filelist (CSV) and show it in an explorer-like tree, is there any?

In case there isn't, would it be a good idea to write one?

Edit: I made an example image. I need something like this: a tool that loads the CSV and shows it similarly to how the disk image it was generated from looked when loaded in EnCase/FTK, making it easy to browse the contained files.

 
Posted : 10/01/2014 6:17 am
(@jonathan)
Posts: 878
Prominent Member
 

I'm not aware of one - it'd certainly be very useful. Have been asked by clients for similar before. Are you proposing to write one?

 
Posted : 10/01/2014 2:26 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Something (loosely) similar to this
http://www.dhtmlgoodies.com/index.html?whichScript=folder_tree_static
but parsing a .csv?

I would say (cannot say if you use or can use Delphi) the best choice would be to put together a small app making use of this
http://www.soft-gems.net/index.php/controls/virtual-treeview

or similar.

jaclaz

 
Posted : 10/01/2014 5:14 pm
 Doug
(@doug)
Posts: 185
Estimable Member
 

Whilst it doesn't take the .CSV file in, TreeSize has proven very handy on occasions!

http://www.jam-software.com/treesize_free/

 
Posted : 10/01/2014 6:29 pm
(@francesco)
Posts: 79
Trusted Member
Topic starter
 

> I'm not aware of one - it'd certainly be very useful. Have been asked by clients for similar before. Are you proposing to write one?

I basically already wrote one, the screenshot above is an implementation I put together shortly after posting but will that be enough? People would very likely want to search the filelists, for example to have all the folders containing documents, mail archives or instant-messaging databases pointed out.

> Something (loosely) similar to this
> http://www.dhtmlgoodies.com/index.html?whichScript=folder_tree_static
> but parsing a .csv?
>
> I would say (cannot say if you use or can use Delphi) the best choice would be to put together a small app making use of this
> http://www.soft-gems.net/index.php/controls/virtual-treeview
>
> or similar.
>
> jaclaz

I learned several languages through the years but never Delphi (I settled with C++, C# and Java) so unfortunately I can't use that. I'm pretty happy with ObjectListView (.NET), the one in the screenshot (it implements a virtual mode as well). It's not very fast (though extremely customizable) but unless the entries in a single directory surpass the dozens of thousands hopefully there shouldn't be any noticeable delay. Using WPF would be the easiest way due to all the automatic data binding but unfortunately I still haven't got enough experience with it.

 
Posted : 10/01/2014 7:31 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Here are two great applications that make Windows Explorer type spreadsheet reports:

1) SizeExplorer http://www.sizeexplorer.com/

2) Drive Inventory http://www.elegantpie.com/driveinventory.html

 
Posted : 10/01/2014 9:59 pm
(@francesco)
Posts: 79
Trusted Member
Topic starter
 

> Here are two great applications that make Windows Explorer type spreadsheet reports:
>
> 1) SizeExplorer http://www.sizeexplorer.com/
>
> 2) Drive Inventory http://www.elegantpie.com/driveinventory.html

I don't understand how that would work, I only have the CSV files, not the disk images.

 
Posted : 10/01/2014 10:48 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Francesco -

Sorry, I assumed you also had the disk images. If you can get a hold of the disk images, you could either mount the image in FTK Imager as a virtual drive and point either SizeExplorer or DriveInventory at the virtual drive.

Another option is to export the desired directory from FTK Imager (again assuming you can get a hold of the forensic image) and then just point SE or DI at the exported folder of files.

I guess it might help to know what your end goal is? Are you creating a report of some sort or performing further analysis?

 
Posted : 10/01/2014 10:55 pm
(@francesco)
Posts: 79
Trusted Member
Topic starter
 

> Francesco -
>
> Sorry, I assumed you also had the disk images. If you can get a hold of the disk images, you could either mount the image in FTK Imager as a virtual drive and point either SizeExplorer or DriveInventory at the virtual drive.
>
> Another option is to export the desired directory from FTK Imager (again assuming you can get a hold of the forensic image) and then just point SE or DI at the exported folder of files.
>
> I guess it might help to know what your end goal is? Are you creating a report of some sort or performing further analysis?

It was mainly to know what was inside the evidences when they ask me something about them without having to keep additional metadata files around. I could use cataloging applications but they don't handle eventual orphan or deleted files that the filelist however includes.

Also quickly identifying all the folders containing documents, mail or backups would be a quick way to double-check if you did miss anything.

 
Posted : 11/01/2014 12:13 pm
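
An added example, not part of the thread and not the tool mentioned in the first post: a minimal parser that turns a file-list export into a browsable tree and lists the folders holding documents, mail or databases, as discussed in the post above. The column names (`Filename`, `Full Path`, `Size (bytes)`, `Is Deleted`), the backslash path separator, the sample rows and the extension map are assumptions, and every row is treated as a file.

```python
import csv
import os

# Constructed sample and hypothetical extension map. Column names, the yes/no
# deleted flag and backslash-separated paths are assumptions about the export.
SAMPLE = r"""Filename,Full Path,Size (bytes),Is Deleted
report.docx,img.E01\[root]\Users\bob\Documents\report.docx,20480,no
report.docx,img.E01\[root]\Users\bob\Documents\report.docx,1024,yes
archive.pst,img.E01\[root]\Users\bob\Mail\archive.pst,104857600,no
main.db,img.E01\[orphan]\main.db,4096,yes
"""
CATEGORIES = {"documents": {".doc", ".docx", ".pdf", ".xlsx"},
              "mail": {".pst", ".ost", ".mbox", ".eml"},
              "databases": {".db", ".sqlite"}}

def load_rows(text):
    delim = "\t" if "\t" in text.splitlines()[0] else ","  # comma or tab export
    return list(csv.DictReader(text.splitlines(), delimiter=delim))

def build_tree(rows):
    root = {"dirs": {}, "files": []}  # files is a list: duplicate paths survive
    for r in rows:
        *dirs, name = r["Full Path"].split("\\")
        node = root
        for d in dirs:
            node = node["dirs"].setdefault(d, {"dirs": {}, "files": []})
        deleted = r["Is Deleted"].strip().lower() == "yes"
        node["files"].append((name, int(r["Size (bytes)"]), deleted))
    return root

def folders_by_category(rows):
    found = {}
    for r in rows:
        parent, _, name = r["Full Path"].rpartition("\\")
        ext = os.path.splitext(name)[1].lower()
        for cat in (c for c, exts in CATEGORIES.items() if ext in exts):
            found.setdefault(cat, set()).add(parent)
    return {cat: sorted(dirs) for cat, dirs in found.items()}

def render(node, depth=0):
    pad, lines = "  " * depth, []
    for name, size, deleted in sorted(node["files"]):
        lines.append(f"{pad}{name} ({size} bytes)" + (" [deleted]" if deleted else ""))
    for name, child in sorted(node["dirs"].items()):
        lines += [pad + name + "\\"] + render(child, depth + 1)
    return lines

if __name__ == "__main__":
    print("\n".join(render(build_tree(load_rows(SAMPLE)))))
```

Keeping files in a list per folder matters for this kind of listing: a deleted entry and a live entry can share the same full path, and a name-keyed dictionary would silently drop one of them.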
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> It was mainly to know what was inside the evidences when they ask me something about them without having to keep additional metadata files around. I could use cataloging applications but they don't handle eventual orphan or deleted files that the filelist however includes.
>
> Also quickly identifying all the folders containing documents, mail or backups would be a quick way to double-check if you did miss anything.

I find it a very good idea :) more practical than the "usual" printed list of the directory tree, giving IMHO an advantage (in data recovery, not in forensics) that since the thingy would represent the filesystem "as it was seen before" (and can be navigated as before) a customer may additionally be able to "visually remember" some structure/lost directory or file name.
Personally (but this is of course only my own "queer" stance on it) the use of .Net is in itself a show-stopper, though :( .

jaclaz

 
Posted : 11/01/2014 3:52 pm