"Forensic" plugin for 7-Zip  

Page 1 / 2
Aniskin
(@aniskin)
New Member

Hello, world.

Maybe someone will be interested in the free plugin for 7-Zip, which allows you to open various forensic disk images as archives.

Forensic7z is a plugin for the popular 7-Zip archiver. You can use Forensic7z to open and browse disk images created by specialized software for forensic analysis, such as Encase or FTK Imager.

At the moment, the Forensic7z plugin supports images in the following formats:

- ASR Expert Witness Compression Format (.S01)
- Encase Image File Format (.E01)
- Advanced Forensics Format (.AFF)
- AccessData FTK Imager Logical Image (.AD1)

I am the developer of this plugin and am ready to answer any question.

Posted : 21/11/2018 3:03 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Looks very interesting.

When you say “open” forensic image files, how does that differ from mounting a forensic image using Mount ImagePro, OSFMount, etc?

I can “open” forensic images with FTK Imager as well, but I need to export native files from FTK Imager or mount the image file before I can meaningfully interact with the files in the image.

Posted : 22/11/2018 4:37 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Does your plugin also reveal slack space files in images or just logical NTFS files for example?

Posted : 22/11/2018 4:39 am
Aniskin
(@aniskin)
New Member

> When you say “open” forensic image files, how does that differ from mounting a forensic image using Mount ImagePro, OSFMount, etc?

I don't have Mount ImagePro, so I don't know how it works.

You must understand that the plugin is not a professional tool and is not a replacement for any professional tool. It does only one simple thing: it decompresses a compressed image into RAW.

> Does your plugin also reveal slack space files in images, or just logical NTFS files, for example?

The plugin does not parse the internal structures of RAW images. 7-Zip has native support for some file systems, and when you open a RAW file as a nested archive, 7-Zip uses its own algorithms to decode the file system.

Posted : 22/11/2018 4:58 am
jaclaz
(@jaclaz)
Community Legend

Very interesting, thanks for posting about it (and of course for actually making it).

I have seen you made a lot of other plugins for 7-Zip:
http://www.tc4shell.com/en/7zip/

Nice, particularly this one:
http://www.tc4shell.com/en/7zip/wincrypthashers/

as I missed MD5 in "plain" 7-Zip.

I didn't know that such plugins were possible. IMHO, a missing function (I cannot say if it is possible to implement) is a way, when you open an "unknown" file, to know which specific "parser" (or plugin) 7-Zip is using, i.e. in which format it "sees" and "interprets" the file.

jaclaz

Posted : 22/11/2018 10:17 am
Aniskin
(@aniskin)
New Member

> I didn't know that such plugins were possible. IMHO, a missing function (I cannot say if it is possible to implement) is a way, when you open an "unknown" file, to know which specific "parser" (or plugin) 7-Zip is using, i.e. in which format it "sees" and "interprets" the file.

Just use the Properties command. It will show the parser used (Type parameter).

Posted : 22/11/2018 10:47 am
jaclaz
(@jaclaz)
Community Legend

> Just use the Properties command. It will show the parser used (Type parameter).

Sure, thanks.

But that implies first opening the "unknown" file, and then right-clicking "Properties" on *any* file "inside" the (maybe) opened file.

I didn't explain myself properly.

I was thinking more of an added field in the tabular view when you open the "container" file, like Name/Size/Modified/Created/Accessed/Attributes/… etc., which BTW would make it clearer (I almost always use 7-Zip as a two-pane file manager) that the pane is relative to the "inside" of an archive (or "container").

Or even (this is another thing) a command pre-parsing the contents of the directory containing the unknown file(s) and adding a "presumed file type" (independent of file extension) to each file in it.

Of course, since analyzing files in a directory would take computer time, this should be something that is generated only on demand.

jaclaz

Posted : 22/11/2018 11:39 am
Aniskin
(@aniskin)
New Member

The 7-Zip API does not provide such functionality.

Posted : 22/11/2018 11:43 am
jaclaz
(@jaclaz)
Community Legend

> The 7-Zip API does not provide such functionality.

I suspected something like that.

Too bad…

Thanks again for the nice plugins.

jaclaz

Posted : 22/11/2018 11:47 am
Aniskin
(@aniskin)
New Member

Could somebody provide me with samples of EnCase Ex01 and Lx01 files? I would like to add support for these formats but cannot do it without samples.

Posted : 22/11/2018 1:15 pm
inVest
(@invest)
New Member

Aniskin,

Thanks for the plugin. I've recently run into an issue where I'm looking to convert my L01 file to a zip file. I was wondering if this is something I can do with your plugin. One issue I'm running into is the image having a duplicate file name (described here) after mounting with MountImage Pro.

Posted : 23/11/2018 3:24 pm
Aniskin
(@aniskin)
New Member

> I'm looking to convert my L01 file to a zip file.

L01 files are not supported yet (I don't have samples for analysis).

Posted : 23/11/2018 3:30 pm
inVest
(@invest)
New Member

> L01 files are not supported yet (I don't have samples for analysis).

You should be able to find at least some L01 files on one of the test image and forensic challenge sites listed here: https://www.forensicfocus.com/images-and-challenges

You can also use EnCase Imager (free software) to create all the EnCase image types you need for testing: https://www.guidancesoftware.com/encase-forensic-imager/

Posted : 23/11/2018 8:06 pm
Aniskin
(@aniskin)
New Member

Thanks, I will check.

Posted : 24/11/2018 7:01 am
athulin
(@athulin)
Community Legend

> Maybe someone will be interested in the free plugin for 7-Zip, which allows you to open various forensic disk images as archives.

From a purely forensic point of view this would be interesting if the plugin has passed appropriate validation tests. That is, basically, shown to retain and show all (relevant) information present in the original image, and preferably also extract files in the same way as the original application, or at least with well-documented differences, and possibly even a report showing where metadata (or even data) is lost in such extraction.

Of course, the original application should have passed the same test for the original file system, but I can't remember having seen anything like that published – does anyone know? If there is anything, the validation images from that may be possible to reuse …

Posted : 24/11/2018 7:53 am
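A validation harness of the kind athulin describes, as an added example (not code from this thread or from the Forensic7z project): it inventories two extractions of the same image, one made by the reference tool and one made via the plugin, and reports files that are missing, files whose content differs, and files whose timestamps were not preserved. The directory layout and sample files in `demo()` are constructed stand-ins; in real use you would point `inventory()` at the two real extraction folders.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def inventory(root: Path) -> dict:
    """Walk an extracted tree: relative path -> size, SHA-256 and mtime (seconds)."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mtime": int(st.st_mtime),
            }
    return entries


def compare_extractions(reference: dict, candidate: dict) -> dict:
    """Report where the candidate extraction loses data or metadata vs. the reference."""
    report = {"missing": [], "extra": [], "content_mismatch": [], "metadata_mismatch": []}
    for path, ref in reference.items():
        cand = candidate.get(path)
        if cand is None:
            report["missing"].append(path)
        elif ref["size"] != cand["size"] or ref["sha256"] != cand["sha256"]:
            report["content_mismatch"].append(path)
        elif ref["mtime"] != cand["mtime"]:
            report["metadata_mismatch"].append(path)
    report["extra"] = sorted(set(candidate) - set(reference))
    return report


def demo() -> dict:
    """Constructed sample trees standing in for two extractions of the same image."""
    base = Path(tempfile.mkdtemp())
    ref, cand = base / "reference", base / "candidate"
    for root in (ref, cand):
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "a.txt").write_text("same content")
        (root / "b.bin").write_bytes(b"\x00\x01\x02")
        os.utime(root / "docs" / "a.txt", (1_000_000, 1_000_000))
    (ref / "only_in_reference.txt").write_text("lost by the candidate tool")
    (cand / "b.bin").write_bytes(b"\x00\x01\xff")  # content differs in the candidate
    os.utime(cand / "docs" / "a.txt", (2_000_000, 2_000_000))  # timestamp not preserved
    return compare_extractions(inventory(ref), inventory(cand))
```

`demo()` returns a dict with one path in each of `missing`, `content_mismatch` and `metadata_mismatch`; an extraction passes when every list in the report is empty.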