e-zero - helps manage e01 files

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

4144414D
Member
 

e-zero - helps manage e01 files

Post Posted: Aug 08, 15 16:47

Hello all,

I made a small tool to help automate FTK Imager CLI. This is mostly to save me the human time of moving forensic images, verifying a bunch of images, or reacquiring them to save space.

I tried to make it run in parallel as much as possible, but only read or write once from a disk at a time. So if you have 2 source disks and 2 destinations it'll do 2 copies at a time, rather than 4, so that overall the copies go faster.

Hosted on GitHub so feel free to tell me how bad the code is!

https://4144414d.github.io/e-zero/

A quick preview:


and it has a context menu for "Right Click Forensics":


Adam  
 
  

jaclaz
Senior Member
 

Re: e-zero - helps manage e01 files

Post Posted: Aug 08, 15 22:20

Seems nice (voted yes).

Cannot say how common the need is to verify "in bulk" a whole SAN (or whatever large storage media) filled with .E01 images, but the consolidating is probably the most useful feature.

I am failing (at first sight) to understand the *need* to use the thingy to re-acquire an image (in the sense of improvement over re-acquiring it directly with FTK CLI).

Three things (two small typos and a philosophical question):
  1. the link to DOCOPT is not working
  2. terrabytes seem like a rather large unit of measure
  3. at its core, isn't it a (nice) Python script?

If #3 is correct, then maybe you could also provide just the script; while the self-contained installer is a nice idea, I believe that most of the "intended audience" will already have a Python interpreter installed (or add a link to the project page):
github.com/4144414D/e-zero


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

4144414D
Member
 

Re: e-zero - helps manage e01 files

Post Posted: Aug 09, 15 01:04

Should have gone with TERRORbytes! I did laugh to myself when I saw the link to docopt...
Code:
<a href="LINK TO DOCOPT">docopt</a>
thanks for the heads up on that one!

It sure is just a Python script; you can get the source by clicking the 'Download Source' button or you can follow the 'View on GitHub' link to get to the main project page, maybe I should make the icon bigger (or just click here for the script). The other small benefit of the installer is that it sets up the context menu for verifying, but that's about it.

For me, I mostly use it for consolidation: connect a few drives, leave it overnight and the two copies are ready in the morning.

The re-acquire is mostly there because it's offered by FTK Imager, so I thought why not, maybe one day someone will need to compress 10+ images at once. I think I've only used it once myself.

Adam  
 
  

jaclaz
Senior Member
 

Re: e-zero - helps manage e01 files

Post Posted: Aug 09, 15 16:27

- 4144414D
The other small benefit of the installer is that it sets up the context menu for verifying, but that's about it.

Yep, which is something that can be seen as a feature or as an annoyance, being like beauty in the eye of the beholder.
Not a criticism of your thingy, mind you, only if I had a right-click menu provision for each program I have on my machine I would probably need a second monitor to allow all of them to show.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

4144414D
Member
 

Re: e-zero - helps manage e01 files

Post Posted: Aug 09, 15 18:15

- jaclaz
Yep, which is something that can be seen as a feature or as an annoyance, being like beauty in the eye of the beholder.
Not a criticism of your thingy, mind you, only if I had a right-click menu provision for each program I have on my machine I would probably need a second monitor to allow all of them to show.

jaclaz


Good point - I can probably make it optional during the installer. Then at least it gives the user the choice.  
 
  

4144414D
Member
 

Re: e-zero - helps manage e01 files

Post Posted: Aug 10, 15 22:53

jaclaz - I've set up the context menu to be optional now. Anything else you think should be changed/added/improved?

Thanks again!  
 
  

hydrocloricacid
Member
 

Re: e-zero - helps manage e01 files

Post Posted: Sep 02, 15 06:14

Works great. Will be very useful for the consolidation and mass verification of evidence.

FYI (from e-zero help page)

Note:
FTKi CLI does not support the verification of ad1, L01, Lx01, or Ex01
images. As such e-zero is only able to copy these files and cannot
verify them. Please let me know if you are aware of a command line
tool that can verify these formats.


I know you can use ewfverify of the ewflib tools and it will try to verify an L01, but as L01 files don't contain a hash to verify it just creates a hash of the content.
This could be useful to make sure you have a hash for your L01 files (log the hash to a file when verifying).


AD1 seems a lot better than L01, being that it stores hashes that can be verified; pity EnCase still doesn't support AD1 like most products do, as it would make my job a lot easier.
 
