A software to show in a tree the FTK Imager filelists?  

rarosalion
(@rarosalion)
Junior Member

I know it's not exactly what you were after (it will only read from an existing directory, not from the FTK Imager CSV files), but I really like using Snap2HTML. It's easy to create really nice-looking (searchable) directory trees with an HTML template.

Posted : 14/01/2014 3:27 am
chad131
(@chad131)
Member

Have you considered using the FTK Imager file listing to actually recreate the file system? I've done this in the past.

Just loop through the csv file and create 0 byte files retaining the directory structure and file names/extensions. If you want, you can even set the MAC times of the files so they match the csv.

It's not as clean as a separate app that will read the csv, but it does allow someone to browse around a file/directory structure and it takes virtually no space.

Posted : 14/01/2014 11:18 pm
jaclaz
(@jaclaz)
Community Legend

Have you considered using the FTK Imager file listing to actually recreate the file system? I've done this in the past.

Just loop through the csv file and create 0 byte files retaining the directory structure and file names/extensions. If you want, you can even set the MAC times of the files so they match the csv.

It's not as clean as a separate app that will read the csv, but it does allow someone to browse around a file/directory structure and it takes virtually no space.

This would be an interesting approach, but how will the user be able to view (besides the directory structure) the actual data in the "source" .csv?
IF (?) the data in the .csv is within the limits of the available space, see
http://www.forensicfocus.com/Forums/viewtopic/t=10403/
one could use an NTFS filesystem and store the data in the same $MFT entry, i.e. using 1024 bytes per record, and if it would be possible to make an NTFS filesystem with the $MFT starting on cluster 2 (16 sectors before for the $boot), as I have seen a few examples recently (but without a definite answer on what OS/tool can make them), we could have a volume which is made of just the NTFS filesystem "standard" $-prefixed files.
As a matter of fact a filesystem is a database and vice versa; in theory one could make a "filesystem driver" to mount the .csv directly as if it was a volume, as Francesco mentioned before.

jaclaz

Posted : 15/01/2014 12:01 am
jaclaz
(@jaclaz)
Community Legend

NOT really useful/connected with the topic 😯 , but I happened to casually find this thingy here
http://www.primitivezone.com/primitive-disk-indexer.html

that seems nice (creating "disk contents lists" browsable in an Explorer-like interface) using a .pdi file (which is nothing but a .mdb JET database file).
It could maybe be of inspiration.

jaclaz

Posted : 05/03/2014 12:55 am
francesco
(@francesco)
Member

NOT really useful/connected with the topic 😯 , but I happened to casually find this thingy here
http://www.primitivezone.com/primitive-disk-indexer.html

that seems nice (creating "disk contents lists" browsable in an Explorer-like interface) using a .pdi file (which is nothing but a .mdb JET database file).
It could maybe be of inspiration.

jaclaz

Whoops, sorry for the lack of updates, the last month has been a mess. I had the program working but it still needs folder icons, localization removal, some error handling and an MDI file browser template from an older version of Visual Studio (the executable is currently 4 MB if I compile the latest C++ runtime statically, but I use none of the new MFC features).

If anybody needs it already just PM me.

Posted : 07/03/2014 2:11 am
francesco
(@francesco)
Member

If somebody happens to have Visual Studio 2008 still installed (it can't be downloaded any longer) I'd need the files of an empty MFC MDI (Multiple documents) project created with the "Windows Explorer" style option, because the newer Visual Studio versions add a lot of bloat to the executables when the VCRT is linked statically due to the new ribbon/dock styling system.

Posted : 22/03/2014 6:56 am
jaclaz
(@jaclaz)
Community Legend

I uploaded a first test build here.

If somebody happens to have Visual Studio 2008 still installed (it can't be downloaded any longer) I'd need the files of an empty MFC MDI (Multiple documents) project created with the "Windows Explorer" style option, because the newer Visual Studio versions add a lot of bloat to the executables when the VCRT is linked statically due to the new ribbon/dock styling system.

If the "express" edition is OK, you can still get it through the Wayback Machine
https://web.archive.org/web/20080902154840/http://www.microsoft.com/Express/Download/
http://download.microsoft.com/download/E/8/E/E8EEB394-7F42-4963-A2D8-29559B738298/VS2008ExpressWithSP1ENUX1504728.iso

jaclaz

Posted : 22/03/2014 3:58 pm
francesco
(@francesco)
Member

If the "express" edition is OK, you can still get it through the Wayback Machine
https://web.archive.org/web/20080902154840/http://www.microsoft.com/Express/Download/
http://download.microsoft.com/download/E/8/E/E8EEB394-7F42-4963-A2D8-29559B738298/VS2008ExpressWithSP1ENUX1504728.iso

jaclaz

Unfortunately Visual Studio Express ships without MFC. It was the tab switchbar that required all the additional MFC feature pack code, so I was forced to switch back to an SDI project to solve the issue.

I uploaded a test version of the tool here, now also with the proper deleted entries overlays.

Posted : 15/04/2014 5:08 am
jaclaz
(@jaclaz)
Community Legend

Can you upload *somewhere* or add into the tool download a "sample" .csv file?
I would like to have a look at such a .csv to explore a non-FTK creation of the .csv and/or follow the idea chad131 hinted at.

jaclaz

Posted : 20/04/2014 7:07 pm
francesco
(@francesco)
Member

Can you upload *somewhere* or add into the tool download a "sample" .csv file?
I would like to have a look at such a .csv to explore a non-FTK creation of the .csv and/or follow the idea chad131 hinted at.

jaclaz

You can create filelists from FTK Imager without having to create a forensic image: when you right-click a mounted physical/logical drive in the evidence tree you can generate a filelist from it. I uploaded a small example filelist here. It's easy to generate a real filesystem tree from the filelist, but eventually you'll run into issues with the Windows path limit (260 characters). You could store the whole tree in a ZIP archive to work around the path length limit, but then you'd run into other problems with deleted and duplicated entries: there can be several different versions of files and folders, however it seems to be impossible to associate the correct file to every folder revision since they're not printed in order (that and files with streams being printed just like directories seem to be the two major issues in the FTK filelist format).

Posted : 21/04/2014 8:28 am
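Putting chad131's "recreate the tree from the file list" idea together with the caveats francesco lists (the 260-character Windows path limit, several deleted versions of one path, stream rows that look like folders), as an added example; this is not code from the thread and not part of francesco's tool. It assumes an FTK Imager file list whose CSV columns are Filename, Full Path, Size, Created, Modified, Accessed and Is Deleted, backslash paths whose evidence prefix ends at "[root]", and timestamps written as YYYY-MM-DD HH:MM:SS taken as UTC; the sample rows are constructed, not a real export, and include one hostile row with ".." that a file list taken from evidence should never be allowed to turn into a write outside the output directory.

```python
import csv, io, os, re, tempfile
from collections import namedtuple
from datetime import datetime, timezone

# Assumed header of an FTK Imager "Export File List" CSV; adjust if yours differs.
FIELDS = ("Filename", "Full Path", "Size", "Created", "Modified", "Accessed", "Is Deleted")
WIN_BAD = re.compile(r'[<>:"/\\|?*\x00-\x1f]')  # characters illegal in Windows names
Entry = namedtuple("Entry", "parts size ctime mtime atime deleted stream")

# Constructed sample (not a real export): a folder, a live file plus a deleted older
# version of the same path, an alternate data stream row and a hostile traversal row.
SAMPLE_CSV = "\n".join([
    "Filename,Full Path,Size,Created,Modified,Accessed,Is Deleted",
    "[root],NONAME [NTFS]\\[root],0,2014-01-10 08:00:00,2014-01-14 09:00:00,2014-01-14 09:00:00,no",
    "Users,NONAME [NTFS]\\[root]\\Users,0,2014-01-10 08:00:00,2014-01-13 12:00:00,2014-01-14 09:00:00,no",
    "report.docx,NONAME [NTFS]\\[root]\\Users\\report.docx,48213,2014-01-12 10:00:00,2014-01-13 12:00:00,2014-01-14 09:00:00,no",
    "report.docx,NONAME [NTFS]\\[root]\\Users\\report.docx,40960,2014-01-12 10:00:00,2014-01-12 10:05:00,2014-01-12 10:05:00,yes",
    "notes.txt,NONAME [NTFS]\\[root]\\Users\\notes.txt,120,2014-01-11 09:00:00,2014-01-11 09:30:00,2014-01-14 09:00:00,no",
    "notes.txt:Zone.Identifier,NONAME [NTFS]\\[root]\\Users\\notes.txt:Zone.Identifier,26,2014-01-11 09:00:00,2014-01-11 09:00:00,2014-01-11 09:00:00,no",
    "evil.txt,NONAME [NTFS]\\[root]\\..\\..\\evil.txt,1,2014-01-11 09:00:00,2014-01-11 09:00:00,2014-01-11 09:00:00,no",
])

def parse_ts(text):  # 'YYYY-MM-DD HH:MM:SS', taken as UTC (assumption about the export)
    text = text.strip()
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc) if text else None

def split_path(full_path):
    """Drop the evidence prefix up to '[root]'; reject '..' so a crafted list cannot escape."""
    parts = [p for p in full_path.split("\\") if p not in ("", ".")]
    if "[root]" in parts:
        parts = parts[parts.index("[root]") + 1:]
    if ".." in parts:
        raise ValueError("traversal component in %r" % full_path)
    return parts

def parse_filelist(text):
    """Return (entries, rejected_rows); an unexpected header aborts early."""
    reader = csv.DictReader(io.StringIO(text))
    if set(FIELDS) - set(reader.fieldnames or ()):
        raise ValueError("unexpected header: %r" % reader.fieldnames)
    entries, rejected = [], []
    for row in reader:
        try:
            parts = split_path(row["Full Path"])
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if not parts: continue  # the [root] row itself
        parts[-1], _, stream = parts[-1].partition(":")  # "file:stream" rows are an ADS, not a folder
        entries.append(Entry(tuple(parts), int(row["Size"] or 0), parse_ts(row["Created"]),
                             parse_ts(row["Modified"]), parse_ts(row["Accessed"]),
                             row["Is Deleted"].strip().lower() in ("yes", "true", "1"), stream or None))
    return entries, rejected

def render_tree(entries):
    """Indented text tree; every version of a path (deleted, ADS) is tagged on its line."""
    lines, groups = [], {}
    for e in entries:
        groups.setdefault(e.parts, []).append(e)
    for parts in sorted(groups):
        tags = [("ADS:" + v.stream if v.stream else "%d B" % v.size) +
                (" [deleted]" if v.deleted else "") for v in groups[parts]]
        lines.append("  " * (len(parts) - 1) + parts[-1] + "  (" + "; ".join(tags) + ")")
    return lines

def materialize(entries, out_dir, max_path=260):
    """chad131's approach: zero-byte placeholders carrying the listed times.
    Returns (created, skipped); created holds ("a/b/c", int mtime) pairs."""
    out_dir = os.path.abspath(out_dir)
    dirs = {e.parts[:i] for e in entries for i in range(1, len(e.parts))}
    created, skipped, seen = [], [], {}
    # Files first, folders last, so creating children does not clobber folder mtimes.
    for e in sorted(entries, key=lambda e: e.parts in dirs and not e.stream):
        is_dir = e.parts in dirs and not e.stream
        parts = [WIN_BAD.sub("_", p) for p in e.parts]
        if e.stream:  # ':' is illegal in Windows names, so "file~stream"
            parts[-1] += "~" + WIN_BAD.sub("_", e.stream)
        if e.deleted and not is_dir:  # keep every deleted file version; folder revisions
            seen[e.parts] = seen.get(e.parts, 0) + 1  # cannot be matched to their rows,
            parts[-1] += ".deleted-%d" % seen[e.parts]  # so all folder versions collapse
        target = os.path.join(out_dir, *parts)
        if len(target) >= max_path:  # MAX_PATH (260) counts the terminating NUL
            skipped.append(("path too long", "/".join(parts)))
        else:
            os.makedirs(target if is_dir else os.path.dirname(target), exist_ok=True)
            if not is_dir:
                open(target, "ab").close()
            if e.mtime or e.atime:  # os.utime cannot set Created; on Windows that needs SetFileTime
                os.utime(target, ((e.atime or e.mtime).timestamp(), (e.mtime or e.atime).timestamp()))
            created.append(("/".join(parts), int(os.stat(target).st_mtime)))
    return created, skipped

def demo(max_path=260):
    entries, rejected = parse_filelist(SAMPLE_CSV)
    created, skipped = materialize(entries, tempfile.mkdtemp(prefix="ftklist-"), max_path)
    return {"tree": render_tree(entries), "rejected": rejected, "created": created, "skipped": skipped}

if __name__ == "__main__":
    print("\n".join(demo()["tree"]))
```

Only Modified and Accessed can be set through os.utime; the Created time needs SetFileTime (pywin32) on Windows. Deleted file versions get a numbered ".deleted-N" suffix so none is lost, while folder revisions collapse into one folder because, as francesco notes, the list gives no way to tie a file row to a particular folder version. Passing a small max_path shows the path-limit failure mode as a reported skip rather than an exception halfway through the rebuild.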
jaclaz
(@jaclaz)
Community Legend

You can create filelists from FTK Imager without having to create a forensic image: when you right-click a mounted physical/logical drive in the evidence tree you can generate a filelist from it. I uploaded a small example filelist here.

Thanks.

It's easy to generate a real filesystem tree from the filelist, but eventually you'll run into issues with the Windows path limit (260 characters). You could store the whole tree in a ZIP archive to work around the path length limit, but then you'd run into other problems with deleted and duplicated entries: there can be several different versions of files and folders, however it seems to be impossible to associate the correct file to every folder revision since they're not printed in order (that and files with streams being printed just like directories seem to be the two major issues in the FTK filelist format).

Yep, I had expected a much more "complex" and "complete" set of data in it; it is pretty basic.

I did a few experiments, and you are right, the result is pretty much "unuseful" anyway, though (I will have to check better) while playing with it I found a *nice* "bug" (or "feature") of my XP's Explorer.
If I "touch" a file or a folder to 19800101 000000.0000000 with sfk
http://stahlworks.com/dev/swiss-file-knife.html
the file/folder appears in Explorer as having NO Creation/Modified/Accessed file date/time.
Of course using another file manager, like 7-zip, or using DIR from the command prompt, everything goes back to normal.

jaclaz

Posted : 22/04/2014 1:06 am
Adam10541
(@adam10541)
Senior Member

Very neat little tool, thanks francesco

I quite often get clients who ask for exactly this, I've downloaded and tested and will definitely be using this in the future.

Posted : 22/04/2014 7:56 am
jaclaz
(@jaclaz)
Community Legend

The plot thickens. 😯
I am having/have had quite a bunch of other "queer" behaviour.
In order not to hijack this topic, I created a new one on reboot.pro
http://reboot.pro/topic/19746-queer-ntfs-andor-xp-behaviour/
as its nature seems to me "generic" OS/filesystem related and - at the moment - forensics implications are nowhere to be seen.

jaclaz

Posted : 23/04/2014 6:07 pm