A software to show in a tree the FTK Imager filelists?  

francesco
(@francesco)
Member

Update: I wrote a tool for loading the filelists and made it freely available here.

The text below is the original forum post

As the title says, I'm looking for software that can load the FTK Imager filelist (CSV) and show it in an explorer-like tree. Is there any?

In case there isn't, would it be a good idea to write one?

Edit: I made an example image. I need something like this: a tool that loads the CSV and shows it similarly to how the disk image it was generated from looked when loaded in Encase/FTK, allowing to easily browse the contained files.

Posted : 10/01/2014 6:17 am
Jonathan
(@jonathan)
Senior Member

I'm not aware of one - it'd certainly be very useful. Have been asked by clients for similar before. Are you proposing to write one?

Posted : 10/01/2014 2:26 pm
jaclaz
(@jaclaz)
Community Legend

Something (loosely) similar to this
http://www.dhtmlgoodies.com/index.html?whichScript=folder_tree_static
but parsing a .csv?

I would say (cannot say if you use or can use Delphi) the best choice would be to put together a small app making use of this
http://www.soft-gems.net/index.php/controls/virtual-treeview

or similar.

jaclaz

Posted : 10/01/2014 5:14 pm
Doug
(@doug)
Active Member

Whilst it doesn't take the .CSV file in, TreeSize has proven very handy on occasions!

http://www.jam-software.com/treesize_free/

Posted : 10/01/2014 6:29 pm
francesco
(@francesco)
Member

> I'm not aware of one - it'd certainly be very useful. Have been asked by clients for similar before. Are you proposing to write one?

I basically already wrote one, the screenshot above is an implementation I put together shortly after posting, but will that be enough? People would very likely want to search the filelists, for example to have all the folders containing documents, mail archives or instant-messaging databases pointed out.

> Something (loosely) similar to this
> http://www.dhtmlgoodies.com/index.html?whichScript=folder_tree_static
> but parsing a .csv?
>
> I would say (cannot say if you use or can use Delphi) the best choice would be to put together a small app making use of this
> http://www.soft-gems.net/index.php/controls/virtual-treeview
>
> or similar.
>
> jaclaz

I learned several languages through the years but never Delphi (I settled with C++, C# and Java) so unfortunately I can't use that. I'm pretty happy with ObjectListView (.NET), the one in the screenshot (it implements a virtual mode as well). It's not very fast (though extremely customizable) but unless the entries in a single directory surpass the dozens of thousands hopefully there shouldn't be any noticeable delay. Using WPF would be the easiest way due to all the automatic data binding but unfortunately I still haven't got enough experience with it.

Posted : 10/01/2014 7:31 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Here are two great applications that make Windows Explorer type spreadsheet reports

1) SizeExplorer http://www.sizeexplorer.com/

2) Drive Inventory http://www.elegantpie.com/driveinventory.html

Posted : 10/01/2014 9:59 pm
francesco
(@francesco)
Member

> Here are two great applications that make Windows Explorer type spreadsheet reports
>
> 1) SizeExplorer http://www.sizeexplorer.com/
>
> 2) Drive Inventory http://www.elegantpie.com/driveinventory.html

I don't understand how that would work, I only have the CSV files, not the disk images.

Posted : 10/01/2014 10:48 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Francesco -

Sorry, I assumed you also had the disk images. If you can get a hold of the disk images, you could either mount the image in FTK imager as a virtual drive and point either SizeExplorer or DriveInventory at the virtual drive.

Another option is to export the desired directory from FTK imager (again assuming you can get a hold of the forensic image) and then just point SE or DI at the exported folder of files.

I guess it might help to know what your end goal is? Are you creating a report of some sort or performing further analysis?

Posted : 10/01/2014 10:55 pm
francesco
(@francesco)
Member

> Francesco -
>
> Sorry, I assumed you also had the disk images. If you can get a hold of the disk images, you could either mount the image in FTK imager as a virtual drive and point either SizeExplorer or DriveInventory at the virtual drive.
>
> Another option is to export the desired directory from FTK imager (again assuming you can get a hold of the forensic image) and then just point SE or DI at the exported folder of files.
>
> I guess it might help to know what your end goal is? Are you creating a report of some sort or performing further analysis?

It was mainly to know what was inside the evidences when they ask me something about them without having to keep additional metadata files around. I could use cataloging applications but they don't handle eventual orphan or deleted files that the filelist however includes.

Also quickly identifying all the folders containing documents, mail or backups would be a quick way to double-check if you did miss anything.

Posted : 11/01/2014 12:13 pm
jaclaz
(@jaclaz)
Community Legend

> It was mainly to know what was inside the evidences when they ask me something about them without having to keep additional metadata files around. I could use cataloging applications but they don't handle eventual orphan or deleted files that the filelist however includes.
>
> Also quickly identifying all the folders containing documents, mail or backups would be a quick way to double-check if you did miss anything.

I find it a very good idea :) more practical than the "usual" printed list of the directory tree, giving IMHO an advantage (in data recovery, not in forensics) that since the thingy would represent the filesystem "as it was seen before" (and can be navigated as before) a customer may additionally be able to "visually remember" some structure/lost directory or file name.
Personally (but this is of course only my own "q***r" stance on it) the use of .Net is in itself a show-stopper, though :(

jaclaz

Posted : 11/01/2014 3:52 pm
francesco
(@francesco)
Member

> Personally (but this is of course only my own "q***r" stance on it) the use of .Net is in itself a show-stopper, though :(

Because of portability or because of performance? If I used Java I'm pretty sure that the UI performance would be much worse and if I used C++ I wouldn't even know where to start to find controls flexible enough with that amount of data (a Linux or OS X filelist can be hundreds of megabytes big and that's entries in the orders of millions).

Posted : 11/01/2014 10:35 pm
jaclaz
(@jaclaz)
Community Legend

> Because of portability or because of performance?

Because of portability (of course if the idea is to provide it to "third parties" or customers).
I don't think that TreeView was invented together with .Net wink , on the other hand if you are talking of hundreds of megabytes of data and millions of entries, then .csv is probably not the "best" choice as a "database".

I don't know if it can suit this task, but this might do
http://www.codeproject.com/Articles/20182/The-Ultimate-Toolbox-Home-Page

jaclaz

Posted : 11/01/2014 11:59 pm
francesco
(@francesco)
Member

> > Because of portability or because of performance?
>
> Because of portability (of course if the idea is to provide it to "third parties" or customers).

I assume you meant portability across Windows systems since you suggested that nice treeview library in your previous post, however I think it's very hard to find a Windows install where a .NET framework isn't installed, either installed by the computer manufacturer software or third party (especially printing/scanning) software. Targeting 3.5 would be a safe bet to cover almost every Windows install.

> I don't think that TreeView was invented together with .Net wink,

Certainly not, but a treeview that supports columns and virtual mode would require a third party library in a native win32 application because the native Windows control has only the most basic features.

> on the other hand if you are talking of hundreds of megabytes of data and millions of entries, then .csv is probably not the "best" choice as a "database".

That's unfortunately what FTK Imager creates, not much to do about that. At least it's very easy to process (TAB is the separator and there are no double quotes).

> I don't know if it can suit this task, but this might do
> http://www.codeproject.com/Articles/20182/The-Ultimate-Toolbox-Home-Page

I gave a look but unfortunately the provided TreeView (COXTreeCtrl) doesn't seem to support virtual mode, it does have columns though. Virtual mode would be pretty essential if I want to show the associated file icons so I think we could rule out writing a native app due to the difficulty of finding the appropriate controls.

I started writing a native version and ported all the filelist reading however I'm still puzzled about the interface. Should I use a single Window where you load everything in the same tree like FTK Imager does or multiple tabbed windows (MDI), one for each filelist to allow comparing the lists?

Posted : 12/01/2014 3:37 pm
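
An added example, not part of any post in this thread and not the code of the tool francesco wrote: the TAB-separated, quote-free filelist described above is streamed into a tree keyed on path components, and the folders holding documents or mail archives (deleted entries included) are then pointed out. The column names `Full Path` and `Is Deleted`, the `yes`/`no` values, the extension map and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import os
from collections import defaultdict

# Assumed extension-to-category map; adjust to the case at hand.
CATEGORIES = {".doc": "document", ".docx": "document", ".pdf": "document",
              ".pst": "mail", ".ost": "mail", ".mbox": "mail"}

# Constructed sample rows; the column names are assumptions about the export.
ROWS = [
    ("Filename", "Full Path", "Is Deleted"),
    ("Documents", r"case01.E01\Users\anna\Documents", "no"),
    ("report.docx", r"case01.E01\Users\anna\Documents\report.docx", "no"),
    ("old.pdf", r"case01.E01\Users\anna\Documents\old.pdf", "yes"),
    ("archive.pst", r"case01.E01\Users\anna\AppData\Outlook\archive.pst", "no"),
    ("notes.txt", r"case01.E01\Users\anna\Desktop\notes.txt", "no"),
]
SAMPLE = "\n".join("\t".join(r) for r in ROWS) + "\n"

class Node:
    def __init__(self):
        self.children = {}    # path component -> Node
        self.deleted = False  # set from the row that names this exact path

def load_filelist(stream):
    """Stream TAB-separated rows into a tree keyed on path components."""
    root = Node()
    # QUOTE_NONE: fields are never double-quoted, so quotes are literal text.
    for row in csv.DictReader(stream, delimiter="\t", quoting=csv.QUOTE_NONE):
        node = root
        for part in filter(None, (row["Full Path"] or "").split("\\")):
            node = node.children.setdefault(part, Node())
        node.deleted = (row["Is Deleted"] or "").strip().lower() == "yes"
    return root

def flag_folders(node, path=""):
    """Yield (folder path, {category: [names]}) for folders holding hits."""
    hits = defaultdict(list)
    for name, child in node.children.items():
        category = CATEGORIES.get(os.path.splitext(name)[1].lower())
        if category and not child.children:  # leaf entry, not a folder
            hits[category].append(name + (" (deleted)" if child.deleted else ""))
    if hits:
        yield path, dict(hits)
    for name, child in node.children.items():
        if child.children:
            yield from flag_folders(child, path + "\\" + name if path else name)

def demo():
    return dict(flag_folders(load_filelist(io.StringIO(SAMPLE))))
```

For a real filelist, pass a file object opened with `newline=""` to `load_filelist`; rows are read one at a time, but the whole tree is held in memory.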
jaclaz
(@jaclaz)
Community Legend

As I see it (but as said it's just my personal opinion) .Net=EVIL, but of course if it is not possible (or not convenient) to avoid using it, it is fine as well :), but it is - still IMHO - the worst possible choice (if a choice is available).

As a generic (again personal) opinion anything that has "dual panes" (not necessarily MDI) is useful when comparing file lists, think of *any* OFM
http://www.softpanorama.org/OFM/index.shtml

I am not sure to have fully understood the .csv (actually .tsv) file issue, I mean, does FTK imager actually produce plain text Tab delimited files in the size of hundreds of megabytes? 😯

A Java based solution will most probably be slowish (and possibly cause another series of issues with the exact Java runtime needed/available), OT, but not much, one of the few programs that I know of that can actually manage very large "plain" databases is actually written in Java (and is slowish)
http://record-editor.sourceforge.net/Record02.htm

I'll have a look if I can find a suitable "native" component.

I was also (laterally 😯 ) thinking about *something else*, like mixing (liberally) these two projects
http://code.google.com/p/mssqlfs/
http://sourceforge.net/projects/plisgo/
but of course it is not worth it for this single "quick and dirty" app you devised.

jaclaz

Posted : 12/01/2014 6:33 pm
francesco
(@francesco)
Member

> As I see it (but as said it's just my personal opinion) .Net=EVIL, but of course if it is not possible (or not convenient) to avoid using it, it is fine as well :), but it is - still IMHO - the worst possible choice (if a choice is available).

I'm pretty happy with .NET because of how easy it is to customize controls or to find many ready third-party ones. I wrote extensive .NET libraries for reading/writing binary data that like in this case would become a necessity since the built-in I/O functions available (same for those in Java or C++) are way too slow at handling text files: reading a filelist with 700k entries (200mb) on my machine takes more than one minute (!) with the built-in functions while just a couple of seconds with custom code with proper buffering.

> As a generic (again personal) opinion anything that has "dual panes" (not necessarily MDI) is useful when comparing file lists, think of *any* OFM
> http://www.softpanorama.org/OFM/index.shtml

I started writing the project in C++, with a listview and a tree side-panel on the left, very similar to the FTK Imager interface. With MDI you can put the internal windows side by side for comparison or you can use two program instances for the same result. I used a custom library (EZUTF) for dealing with the text-files due to the built-in functions taking minutes, I almost finished the code to read all the entries then the rest should be hopefully easy.

> I am not sure to have fully understood the .csv (actually .tsv) file issue, I mean, does FTK imager actually produce plain text Tab delimited files in the size of hundreds of megabytes? 😯

Yes, when you create an image with FTK and check the option to create a list of the files it creates those huge text files. There doesn't seem to be an option to export in any other format.

> A Java based solution will most probably be slowish (and possibly cause another series of issues with the exact Java runtime needed/available), OT, but not much, one of the few programs that I know of that can actually manage very large "plain" databases is actually written in Java (and is slowish)
> http://record-editor.sourceforge.net/Record02.htm
>
> I'll have a look if I can find a suitable "native" component.
>
> I was also (laterally 😯 ) thinking about *something else*, like mixing (liberally) these two projects
> http://code.google.com/p/mssqlfs/
> http://sourceforge.net/projects/plisgo/
> but of course it is not worth it for this single "quick and dirty" app you devised.

Maybe there won't be need for a database, I think parsing all the data could be done in an acceptable time if I write the code for parsing all the strings. The code could also be ported on one of those userfs filesystem drivers for Windows and have the structure shown in explorer but it wouldn't have much use since you couldn't interact with any of the files.

Posted : 13/01/2014 8:28 pm