Aniskin,
Thanks for the plugin. I've recently run into an issue where I'm looking to convert my L01 file to a zip file. Was wondering if this is something that I can do with your plugin. One issue I'm running into is the image having a duplicate file name (described here) after mounting with MountImage Pro.
I'm looking to convert my L01 file to a zip file.
L01 files are not supported yet (I don't have samples for analysis).
You should be able to find at least some L01 files from one of the test image and forensic challenge sites listed here https://www.forensicfocus.com/images-and-challenges
You can also use EnCase Imager (free software) to create all EnCase image types you need for testing. https://
Thanks, I will check.
Maybe someone will be interested in the free plugin for 7-zip, which allows you to open various forensic disk images as archives
From a purely forensic point of view this would be interesting if the plugin has passed appropriate validation tests. That is, basically, shown to retain and show all (relevant) information present in the original image, and preferably also extract files in the same way as the original application, or at least with well-documented differences, and possibly even a report showing where metadata (or even data) is lost in such extraction.
Of course, the original application should have passed the same test for the original file system, but I can't remember having seen anything like that published – does anyone know? If there is anything, the validation images from that may be possible to reuse …
From a purely forensic point of view this would be interesting if the plugin has passed appropriate validation tests.
As I see it, that is the purely forensic passive/lazy 😯 point of view.
The Author nicely made the thingy and made it freely available, the validation is IMHO up to the forensic guys.
The tool being not (yet) validated doesn't in any way make it less interesting.
I would say that 90 to 99.99% of tools used in digital forensics are not (properly/officially/publicly) validated by reliable independent parties, including all or nearly all the "big names" Commercial ones.
Even the (very few) validations by the NIST are either "narrow" or related to old/obsolete versions of the programs.
Welcome to ISO 17025 (and its madness) 😉.
jaclaz
From a purely forensic point of view this would be interesting if the plugin has passed appropriate validation tests.
As I see it, that is the purely forensic passive/lazy 😯 point of view.
In a way, yes. It's like me buying a table lamp. "Does it work?" I ask the seller. "Has it passed Underwriters Labs testing? Show me the stamp". "What? Are you lazy? Test it for yourself!" he replies. Yes, not quite the situation here – but it wouldn't matter if it was someone who gave lamps away for free – I would still want to see a UL stamp, or reasonably close equivalent. And I would not take "but it's free!" for an answer.
The Author nicely made the thingy and made it freely available, the validation is IMHO up to the forensic guys.
Let me dial down on the term 'validation' then and just ask for a basic system test. How do I know it even works? Why should I even look at this software? See it as a suggestion to this and other authors: without some basic assurance that this software works to claims, why bother? Computer forensic tools are expected to have a certain level of quality. Show us that they do.
A lot of free software comes with test data these days. That way I can inspect it, form an opinion of how well the tests have been designed, and decide whether it is worth looking closer at. No tests, thumbs down.
I would say that 90 to 99.99% of tools used in digital forensics are not (properly/officially/publicly) validated by reliable independent parties, including all or nearly all the "big names" Commercial ones.
And? I see that as a major problem.
In my book that's the problem that needs to be fixed. And that's what I try to do: I suggest that we don't need another tool unless it can easily be verified to perform correctly.
Welcome to ISO 17025 (and its madness)
But ISO 17025 applied to computer forensics is not something an evil overlord has instituted out of perverted malice. It's there because forensics as a whole does not deliver required quality. (Or as someone put it, 'does not fulfill requirements of the 'trier of facts'.) For computer forensics, I would not be surprised if it is there partly because 90-99.99% of tools have *not* been validated to work.
Change of track: So … what tools would be necessary in this case?
File system images for testing. Something like the Zwicky test images for Unix, but for additional file systems: FAT, NTFS, HFS, … . Contents must be fully known.
Tools for creating such images.
Test protocols/specifications for each such image: "this is what the image contains, this is what any tool operating on this image should show or retain. If it doesn't, … "
Some kind of tool to compare filesystem 1 to filesystem 2: "this is the master file system, this the resulting file system. What changed in the process?"
That would make toolmakers' testing acceptably easy: build master file system, image, run tool on image, extract result to new file system, compare and note differences.
That would help all tool makers working on file system images. It would help all users of their tools to decide if the tools were adequately tested.
(I call this validation, but as the term seems to be emotionally overloaded, just 'system testing' will do as well.)
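The "compare and note differences" step proposed in the post above, as an added example that is not part of the thread or of the plugin. It assumes the master and the extracted result are both available as directory trees and compares only file type, content hash, size, mtime and permission bits; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each relative path under root to the attributes a tool must retain."""
    snap = {}
    for path in sorted(Path(root).rglob("*")):
        st = path.lstat()
        if path.is_symlink():
            kind, content = "symlink", os.readlink(path)
        elif path.is_dir():
            kind, content = "dir", None
        else:
            kind, content = "file", hashlib.sha256(path.read_bytes()).hexdigest()
        snap[path.relative_to(root).as_posix()] = {
            "kind": kind, "content": content, "mode": st.st_mode & 0o7777,
            "size": st.st_size if kind == "file" else None, "mtime": int(st.st_mtime)}
    return snap


def compare(master, result):
    """Return sorted (path, change) pairs: what the result tree lost or altered."""
    a, b = snapshot(master), snapshot(result)
    diffs = [(p, "missing in result") for p in a.keys() - b.keys()]
    diffs += [(p, "extra in result") for p in b.keys() - a.keys()]
    for p in a.keys() & b.keys():
        diffs += [(p, f"{k} differs") for k in a[p] if a[p][k] != b[p][k]]
    return sorted(diffs)


def demo():
    """Constructed sample: an extraction that drops a file, a timestamp and a byte."""
    t0 = 1_000_000_000
    with tempfile.TemporaryDirectory() as tmp:
        master, result = Path(tmp, "master"), Path(tmp, "result")
        for root in (master, result):
            (root / "docs").mkdir(parents=True)
            (root / "docs" / "a.txt").write_bytes(b"alpha")
            (root / "b.bin").write_bytes(b"\x00" * 16)
        (master / "hidden.dat").write_bytes(b"x")               # lost by the tool
        (result / "b.bin").write_bytes(b"\x00" * 15 + b"\x01")  # same size, altered
        for p in [*master.rglob("*"), *result.rglob("*")]:
            os.utime(p, (t0, t0))                               # normalise timestamps
        os.utime(result / "docs" / "a.txt", (t0 + 60, t0 + 60))  # mtime not retained
        return compare(master, result)
```

Calling `demo()` returns the three differences planted in the constructed trees; in a real test, `compare()` would be pointed at the mounted master file system and at the directory the tool extracted to.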
A lot of free software comes with test data these days. That way I can inspect it, form an opinion of how well the tests have been designed, and decide whether it is worth looking closer at. No tests, thumbs down.
Oww, come off it.
Please post a list of the "lot" of software (free or otherwise) that comes with test data AND that is interesting/does something non-trivial…
ISO 17025 is and remains madness because the validation is (made compulsory) on the actual program user (the professional forensic guy) side and it is EXACTLY
something an evil overlord has instituted
the debate is whether it came
out of perverted malice.
or out of sheer incompetence/cluelessness.
Seriously, provided that I could (hypothetically, in the sense of being capable of) validate a (very simple) software tool, you could not use "my" validation (even if I had published the data, tests and their results) along ISO 17025, unless you read very transversally the requisites of the norm and/or if you believe that declarations such as this example (Italian, but not at all bad via Google Translate) have actually *any* relevance
jaclaz
Please post a list of the "lot" of software (free or otherwise) that comes with test data AND that is interesting/does something non-trivial…
Those I've been looking at recently: GNU gzip, tar, cpio, ddrescue, everything (or close to everything … I did not inventory all of them) in coreutils, sysutils … and gcc. (A quick glance at some GNU projects I haven't used suggests that they too have test suites included.)
For non-GNU, lzip.
For example, even if the gzip documentation didn't already tell me that gzip does not follow the gzip RFC requirements, I would not have any serious problem in discovering that there certainly are no tests for concatenated gzip archives, as required by RFC 1952 section 2.2. And that would tell me that gzip (as a tool) is not as forensically capable as I would prefer it to be, but that everything else about it appears to be well tested. (All things I wanted to see tests for are in there, so far.)
I've also been doing a lot with Apache Commons – which is Java components, not standalone tools, and so does not strictly speaking come with system tests. But they come with unit tests, and that is sufficient for my purposes. No, they're not complete – I sometimes find tests that should have been present, but I also find many tests that are already present.
For this particular purpose open source vs closed source (as in this particular case) is of minor relevance, as long as I can inspect the tests the tool or component is subjected to.
Perhaps I'm just getting spoiled by all this professional or semi-professional approach to software development …
I am the developer of this plugin, ready to answer any question.
Thanks a lot for this plugin and your contribution to the Digital Forensics Community. Your plugin allows me to extract files from an image in a very fast and logical way. Fine work!
regards,
Robin