±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36775
New Yesterday: 3 Visitors: 207

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

QNX6 Parser

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

KuroSaru
Newbie
 

QNX6 Parser

Post Posted: Jul 18, 18 08:56



RELEASE CANDIDATE 0.2d:

Exclamation URL: nop.ninja/qnx6-0.2d.tar.xz

Idea USAGE
Code:
python qnx6-0.2d.py rawimage.001

Question Q&A

- QNX4FS supported? No

- QNX6FS 6.5.1+ (7.0.0) supported? 50/50 (multi partitions 2.1 - 2.8) not yet supported, current WIP.

- How can i give feedback, submit bugs / reports ? post here.

------ previous post contents---------

Currently working on a QNX6FS parser, that has been a pet project for a little while now.



The current goal now I'm happy I can read Inode, LongFileName and Bitmap data, is to detect deleted information, when a file is deleted in QNX6FS it is not fully erased the bitmap block is set to 0 and the link is remove from the corresponding Inode Directory entry.

Purpose for this post is to ask member of the community if they have any QNX6fs samples that only reads from within the QNX6 Development VM, or samples that the Linux open-source implementation is unable to read correctly, that they are able to share with me.

Long term goal is to release the code open-source, once my current todo list is finished.

Code:
  [DONE] Auto detect all QNX6 partitions from a .img/.raw/.dd/.001 image file

  [DONE] Detect last active SuperBlock

  [DONE] Process INODE data

  [DONE] Process LongFileName data

  [DONE] Generate complete file list for each detected QNX6FS partition.

  [ WIP ] Detect deleted files/data

  [ - ] Auto extract all files found

  [ - ] Test QNX6FS 6.5.0 SP0, SP1 and 7.0.0 implementations all work

 

Last edited by KuroSaru on Jul 26, 18 17:09; edited 6 times in total
 
  

DCS1094
Senior Member
 

Re: QNX6 Parser

Post Posted: Jul 18, 18 11:58

Have dropped you a PM.  
 
  

KuroSaru
Newbie
 

Re: QNX6 Parser

Post Posted: Jul 18, 18 12:53

Read & replyed.

Little update:

So QNX6 Bitmaps for block and inode usage is slow as sin to process & verify. however implementation is luckily easy enough.



It would seem that the Power-Safe implementation of QNX6 removes no sectors at all when deleting a file, so if your lucky enough and no new data has been added since a phone has be desynced, or TPEG data has been updated. it should possible to retrieve such information.  
 
  

KuroSaru
Newbie
 

Re: QNX6 Parser

Post Posted: Jul 25, 18 20:33


youtu.be/JGEjJE-wqTs

First fully extract file from QNX6FS file system...

Progress is going slowly. but I now have access to two other slightly strange versions of QNX6FS from the wild to implement support for. Beta version of script that auto-extracts to follow..  
 
  

matanshamir
Newbie
 

Re: QNX6 Parser

Post Posted: Feb 16, 20 08:41

Hi KuroSaru,

I have sent you a PM.  
 

Page 1 of 1