Hello, world.
Maybe someone will be interested in the free
Forensic7z is a plugin for the popular 7-Zip archiver. You can use Forensic7z to open and browse disk images created by specialized software for forensic analysis, such as Encase or FTK Imager.
At the moment, the Forensic7z plugin supports images in the following formats:
- ASR Expert Witness Compression Format (.S01)
- Encase Image File Format (.E01)
- Advanced Forensics Format (.AFF)
- AccessData FTK Imager Logical Image (.AD1)
I am the developer of this plugin, ready to answer any question.
Looks very interesting.
When you say “open” forensic image files, how does that differ from mounting a forensic image using Mount ImagePro, OSFMount, etc?
I can “open” forensic images with FTK Imager as well, but I need to export native files from FTK Imager or mount the image file before I can meaningfully interact with the files in the image.
Does your plugin also reveal slack space files in images or just logical NTFS files for example?
When you say “open” forensic image files, how does that differ from mounting a forensic image using Mount ImagePro, OSFMount, etc?
I don't have Mount ImagePro so I don't know how it works.
You must understand that the plugin is not a professional tool and it is not a replacement for any professional tool. It does only one simple thing - it decompresses a compressed image into RAW.
Does your plugin also reveal slack space files in images or just logical NTFS files for example?
The plugin does not parse the internal structures of RAW images. 7-Zip has native support for some FS, and when you open a RAW file as a nested archive, 7-Zip uses its own algorithms for decoding the FS.
Very interesting, thanks for posting about it (and of course for actually making it ) ).
I have seen you made a lot of other plugins for 7zip
http//
Nice, particularly this one
http//
as I missed the MD5 in "plain" 7zip.
I didn't know that such plugins were possible, IMHO a missing function (cannot say if it is possible to implement it) is to have a way (when you open an "unknown" file) to know which specific "parser" (or plugin) 7zip is using, i.e. in which format it "sees" and "interprets" the file.
jaclaz
I didn't know that such plugins were possible, IMHO a missing function (cannot say if it is possible to implement it) is to have a way (when you open an "unknown" file) to know which specific "parser" (or plugin) 7zip is using, i.e. in which format it "sees" and "interprets" the file.
Just use Properties command. It will show used parser (Type parameter).
Just use Properties command. It will show used parser (Type parameter).
Sure, thanks )
But that implies to first open the "unknown" file, and then right click "properties" on *any* file "inside" the (maybe) opened file.
I didn't explain myself properly.
I was thinking more of an added field in the tabular view, when you open the "container" file like Name/Size/Modified/Created/Accessed/Attributes/ … etc., which BTW would make it clearer (I almost always use 7Zip as two panes file manager) that the pane is relative to the "inside" of an archive (or "container").
Or even (this is another thing) a command pre-parsing the contents of the directory containing the unknown file(s) and adding a "presumed file type" (independent from file extension) to each file in it.
Of course since analyzing files in a directory would take computer time, this should be something that is generated only on demand.
jaclaz
7-Zip API does not provide such functionality.
7-Zip API does not provide such functionality.
I suspected something like that.
Too bad … (
Thanks again for the nice plugins.
jaclaz
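The "presumed file type independent of extension" idea from the exchange above can be done outside 7-Zip by reading each file's leading bytes. This is an added example, not part of the thread and not Forensic7z code; the signatures come from public format documentation rather than this page, and the function names and sample files are constructed for illustration.

```python
import os
import struct
import tempfile

# Leading magic bytes (assumption: taken from public format docs, not from this thread).
SIGNATURES = [
    (b"EVF\x09\x0d\x0a\xff\x00", "EWF (.E01/.S01)"),  # E01 and S01 share this signature
    (b"AFF10\r\n\x00", "AFF"),
    (b"ADSEGMENTEDFILE\x00", "AD1"),
]

def identify(path):
    """Return (format, segment number or None) from content, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            segment = None
            if name.startswith("EWF") and len(head) >= 13:
                # EWF file header: signature, 0x01, uint16 LE segment number, 0x0000
                start, segment, end = struct.unpack_from("<BHH", head, 8)
                if start != 1 or end != 0 or segment == 0:
                    return ("EWF signature, malformed header", None)
            return (name, segment)
    return ("unknown", None)

def scan_directory(directory):
    """Map each regular file name in `directory` to its presumed type."""
    return {e.name: identify(e.path)
            for e in sorted(os.scandir(directory), key=lambda e: e.name) if e.is_file()}

def build_samples(directory):
    """Write constructed sample files (headers only, deliberately misleading names)."""
    samples = {
        "evidence.bin": b"EVF\x09\x0d\x0a\xff\x00" + b"\x01\x02\x00\x00\x00" + b"header",
        "notes.txt": b"AFF10\r\n\x00" + b"\x00" * 8,
        "image.E01": b"ADSEGMENTEDFILE\x00" + b"\x00" * 8,
        "broken.E01": b"EVF\x09\x0d\x0a\xff\x00" + b"\x00\x01\x00\x00\x00",
        "readme.E01": b"plain text, no image signature",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for name, (kind, seg) in scan_directory(tmp).items():
            print(f"{name:12} {kind}" + (f" segment {seg}" if seg else ""))
```

A segment number other than 1 tells you the file is a later piece of a split image, so the first segment has to be located before the set can be opened.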
Could somebody provide me samples of EnCase Ex01 and Lx01 files? I would like to add support for these formats but cannot do it without samples.