RevEnge development...
 
Notifications
Clear all

RevEnge developments

5 Posts
2 Users
0 Likes
896 Views
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
Topic starter
 

Some of you may be aware of my Reverse Engineering tool RevEnge.

I just wanted to show you a feature that I am currently working on with RevEnge. Basically it is a rewrite of the structure editor to include a new Structure Definition Language (SDL). The SDL allows the user to code parsers for some quite complex structures to allow RevEnge to display them in decoded form. Once a SDL is written for a structure it can be shared with other users. A nice feature is the report which writes an HTML file containing the raw data, the decoded data and the SDL used to decode the data.

By way of example I have attached two reports below, one for a FastTrack DBB file (now pretty much defunct but is serves as a simple example) the second is for an MFT record where, in this example, you can see 12 of the possible dates associated with this file entry.

www.sandersonforensics.com/Files/dbb.html

www.sandersonforensics.com/Files/mft.html

I am also working on a feature whereby you could, after defining a suitable SDL file, point RevEnge at say an extracted MFT and all of the records would be written to a either an HTML report or a CSV file.

 
Posted : 22/01/2009 10:37 pm
(@athulin)
Posts: 1156
Noble Member
 

The links look odd … some mistake somewhere? Add a tailing ';' to all those '& n b s p ' without one.

 
Posted : 22/01/2009 10:59 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
Topic starter
 

Hmmm - I had not checked the reports in Firefox - Explorer displays the reports OK.

 
Posted : 23/01/2009 2:10 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
Topic starter
 

OK sorted now - cheers.

 
Posted : 23/01/2009 2:34 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
Topic starter
 

Some of the features now in RevEnge

The PDU stuff is particularly useful for hex dump analysis on mobile phones on a recent job it probably saved me hours.

Support for PDU (SMS) encoded data
- dynamic decode and display at cursor position
- search for PDU encoded words
- search for possible PDU encoded data
Support for 24 different date types (39 including big endian variants)
- includes date formats seen on mobile phones and GPSs
- dynamic decode and display of all date formats at cursor position
- search for one or more dates in a given date range
- auto highlight of dates in user specified range
Dynamic decode and display at cursor position of
- ZLib data (used in encase compressed files)
- UUencoded data
- Base64 encoded data
- ROT13/18 and 47
- Nokia encoded telephone numbers
- Binary coded decimal (BCD)
- Nibble swapped BCD
Comprehensive data description language (DDL)
- dynamic display of data at cursor based on DDL
- export of DDL decoded data as HTML report
- export of DDL decoded data as CSV (e.g. complete contents of an MFT file as CSV)
Context highlighting
- specify specific words and have all occurrences highlighted (e.g. JFIF, EVF, sanderson)
Search for
- multiple keywords
- specific date ranges in all support formats (at once if required)
- hex values
- blank or non blank sectors
- PDU (SMS) encoded text strings
- Possible PDU encoded data (when you don’t have specific keywords)
Calculate MD5/SHA/encase CRC (more to come)
Overwrite data with specific pattern
Check disk (or selected area) is blank
Supports
- Drives and logical volumes
- Files > 4GB
- Encase image files

 
Posted : 19/03/2009 12:11 am
Share: