A software to show in a tree the FTK Imager filelists?


UnallocatedClusters
Senior Member
 

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Jan 10, 14 22:55

Francesco -

Sorry, I assumed you also had the disk images. If you can get a hold of the disk images, you could either mount the image in FTK Imager as a virtual drive and point either SizeExplorer or DriveInventory at the virtual drive.

Another option is to export the desired directory from FTK Imager (again assuming you can get a hold of the forensic image) and then just point SE or DI at the exported folder of files.

I guess it might help to know what your end goal is? Are you creating a report of some sort or performing further analysis?  
 
  

francesco
Senior Member
 

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Jan 11, 14 12:13

- UnallocatedClusters
Francesco -

Sorry, I assumed you also had the disk images. If you can get a hold of the disk images, you could either mount the image in FTK Imager as a virtual drive and point either SizeExplorer or DriveInventory at the virtual drive.

Another option is to export the desired directory from FTK Imager (again assuming you can get a hold of the forensic image) and then just point SE or DI at the exported folder of files.

I guess it might help to know what your end goal is? Are you creating a report of some sort or performing further analysis?


It was mainly to know what was inside the evidences when they ask me something about them without having to keep additional metadata files around. I could use cataloging applications but they don't handle eventual orphan or deleted files that the filelist however includes.

Also quickly identifying all the folders containing documents, mail or backups would be a quick way to double-check if you did miss anything.  
 
  

jaclaz
Senior Member
 

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Jan 11, 14 15:52

- francesco

It was mainly to know what was inside the evidences when they ask me something about them without having to keep additional metadata files around. I could use cataloging applications but they don't handle eventual orphan or deleted files that the filelist however includes.

Also quickly identifying all the folders containing documents, mail or backups would be a quick way to double-check if you did miss anything.

I find it a very good idea :) more practical than the "usual" printed list of the directory tree, giving IMHO an advantage (in data recovery, not in forensics) that since the thingy would represent the filesystem "as it was seen before" (and can be navigated as before) a customer may additionally be able to "visually remember" some structure/lost directory or file name.
Personally (but this is of course only my own "queer" stance on it) the use of .Net is in itself a show-stopper, though :( .

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

francesco
Senior Member
 

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Jan 11, 14 22:35

- jaclaz

Personally (but this is of course only my own "queer" stance on it) the use of .Net is in itself a show-stopper, though :( .


Because of portability or because of performance? If I used Java I'm pretty sure that the UI performance would be much worse and if I used C++ I wouldn't even know where to start to find controls flexible enough with that amount of data (a Linux or OS X filelist can be hundreds of megabytes big and that's entries in the order of millions).
 
  

jaclaz
Senior Member
 

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Jan 11, 14 23:59

- francesco

Because of portability or because of performance?

Because of portability (of course if the idea is to provide it to "third parties" or customers).
I don't think that TreeView was invented together with .Net :wink:, on the other hand if you are talking of hundreds of megabytes of data and millions of entries, then .csv is probably not the "best" choice as a "database".

I don't know if it can suit this task, but this might do:
www.codeproject.com/Ar...-Home-Page

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

francesco
Senior Member
 

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Jan 12, 14 15:37

- jaclaz
- francesco

Because of portability or because of performance?

Because of portability (of course if the idea is to provide it to "third parties" or customers).

I assume you meant portability across Windows systems since you suggested that nice treeview library in your previous post, however I think it's very hard to find a Windows install where a .NET framework isn't installed, either installed by the computer manufacturer software or third party (especially printing/scanning) software. Targeting 3.5 would be a safe bet to cover almost every Windows install.
- jaclaz

I don't think that TreeView was invented together with .Net :wink:,

Certainly not, but a treeview that supports columns and virtual mode would require a third party library in a native win32 application because the native Windows control has only the most basic features.
- jaclaz

on the other hand if you are talking of hundreds of megabytes of data and millions of entries, then .csv is probably not the "best" choice as a "database".

That's unfortunately what FTK Imager creates, not much to do about that. At least it's very easy to process (TAB is the separator and there are no double quotes).
- jaclaz

I don't know if it can suit this task, but this might do:
www.codeproject.com/Ar...-Home-Page

I gave a look but unfortunately the provided TreeView (COXTreeCtrl) doesn't seem to support virtual mode, it does have columns though. Virtual mode would be pretty essential if I want to show the associated file icons so I think we could rule out writing a native app due to the difficulty of finding the appropriate controls.

I started writing a native version and ported all the filelist reading however I'm still puzzled about the interface. Should I use a single Window where you load everything in the same tree like FTK Imager does or multiple tabbed windows (MDI), one for each filelist to allow comparing the lists?  
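An added example, not part of the post above and not francesco's code: a streaming pass over a TAB-separated file list (no quoting, as described in this thread) that builds the folder tree with recursive totals and then lists the folders holding documents, mail or backups, the double-check mentioned earlier in the thread. The column names, the backslash path separator, the one-row-per-file layout and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import os

# Constructed sample listing. The column names are an assumed layout; the thread
# only states that fields are TAB-separated and never double-quoted.
SAMPLE = (
    "Filename\tFull Path\tSize (bytes)\tIs Deleted\n"
    "report.docx\tCASE01\\Users\\anna\\Documents\\report.docx\t20480\tno\n"
    "old.pst\tCASE01\\Users\\anna\\Mail\\old.pst\t1048576\tyes\n"
    "notes.txt\tCASE01\\Users\\anna\\Documents\\notes.txt\t512\tno\n"
    "image.bkf\tCASE01\\[orphan]\\image.bkf\t4096\tyes\n"
)

class Node:
    __slots__ = ("children", "entries", "size", "deleted", "exts")
    def __init__(self):
        self.children, self.exts = {}, set()
        self.entries = self.size = self.deleted = 0

def build_tree(lines, sep="\\"):
    """Stream a TAB-separated listing into a folder tree with recursive totals."""
    reader = csv.reader(lines, delimiter="\t", quoting=csv.QUOTE_NONE)
    col = {name: i for i, name in enumerate(next(reader))}
    root = Node()
    for row in reader:
        if len(row) < len(col):
            continue  # skip truncated or blank lines
        parts = [p for p in row[col["Full Path"]].split(sep) if p]
        if not parts:
            continue  # no usable path in this row
        size = int(row[col["Size (bytes)"]] or 0)
        deleted = row[col["Is Deleted"]].strip().lower() == "yes"
        node = root
        for name in parts[:-1]:  # walk or create each ancestor folder
            node = node.children.setdefault(name, Node())
            node.entries += 1
            node.size += size
            node.deleted += deleted
        node.exts.add(os.path.splitext(parts[-1])[1].lower())
    return root

def folders_with(node, wanted, path=""):
    """Yield paths of folders that directly hold an entry with a wanted extension."""
    if node.exts & wanted:
        yield path
    for name, child in sorted(node.children.items()):
        yield from folders_with(child, wanted, path + "\\" + name if path else name)

tree = build_tree(io.StringIO(SAMPLE))
hits = list(folders_with(tree, {".pst", ".bkf", ".docx"}))
```

For a real listing, pass an open file object (opened with `newline=""`) instead of the `StringIO`; only one row is held in memory at a time, and the tree keeps one node per folder rather than per file.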
 
  

jaclaz
Senior Member
 

Re: A software to show in a tree the FTK Imager filelists?

Post Posted: Jan 12, 14 18:33

As I see it (but as said it's just my personal opinion) .Net=EVIL, but of course if it is not possible (or not convenient) to avoid using it, it is fine as well :), but it is - still IMHO - the worst possible choice (if a choice is available).

As a generic (again personal) opinion anything that has "dual panes" (not necessarily MDI) is useful when comparing file lists, think of *any* OFM :
www.softpanorama.org/O...ndex.shtml

I am not sure to have fully understood the .csv (actually .tsv) file issue, I mean, does FTK Imager actually produce plain text Tab delimited files in the size of hundreds of megabytes? :shock:

A Java based solution will most probably be slowish (and possibly cause another series of issues with the exact Java runtime needed/available), OT, but not much, one of the few programs that I know of that can actually manage very large "plain" databases is actually written in Java (and is slowish):
record-editor.sourcefo...cord02.htm

I'll have a look if I can find a suitable "native" component.

I was also (laterally :shock: ) thinking about *something else*, like mixing (liberally) these two projects:
code.google.com/p/mssqlfs/
sourceforge.net/projects/plisgo/
but of course it is not worth it for this single "quick and dirty" app you devised.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
