Friday, January 9, 2015

Forensic Framework - Teaser 1

I've been working on a forensic application for quite some time now, more time than I would like to admit, as work called me away, life interrupted, or my interest waned for a period. It has mainly been a testing ground for my ideas and frustrations, for whenever the mainstream tool I was using failed or crashed.

I'm publicly referring to it by the generic name "Forensic Framework" while I decide whether to commercialize it or not. Here is a rough list of features; I'm sure I've overlooked a couple. I have tried to sort them into existing, partial/in-progress, and planned. It is not a finalized list; it may shift later as I shake out the broken bits, or as features get pushed down in favor of others.

I'll have a follow-up post with pictures later. I'm working on a cleanup of the Registry Explore code this weekend, so that may not happen until next week.

It supports the following features:
  • Supported Media
    • Reading EWF Images (multi-segment, and verification)
    • Reading DD Images (monolithic, and multi-segment)
    • Reading Physical Media
    • Reading local files and folders.
  • FileSystem
    • FAT
      • FAT12
      • FAT16
      • FAT32
    • Deleted Files
    • Volume Recovery
      • Scans for NTFS and FAT
      • Recovery of FAT
  • Hex Display
    • Changes to encodings for display.
    • Searching content
    • Seek until
      • Run end
      • Zero
      • Printable ASCII
      • Not printable ASCII
  • Hashing
    • MD5
    • SHA1
    • SHA256
    • SHA384
    • SHA512
  • Entropy Calculation
  • Intelligent selection of data
    • JSON Objects
    • ASCII Printable
    • Base64
    • MFTRecord
    • PST Compressible Text
    • Unicode BE Arabic
    • Unicode BE
    • Unicode BE English
    • Unicode LE English
    • Email Address
    • .. and many more around the corner
  • Strings
    • ASCII
    • GSM03.38
    • KOI8 R Cyrillic
    • UTF-8
    • UTF-16
      • Arabic
      • Armenian
      • Cyrillic
      • + 27 other character ranges.
    • PST Strings (Outlook)
      • UTF-16 (see UTF-16 above)
      • ASCII
    • ISO
      • Thai, Portuguese, Romanian, Czech, Polish, Serbian, Slovene, Turkish, Cyrillic
    • CP 866 - Cyrillic
    • Compressed Unicode
      • Arabic
      • Cyrillic
      • +10 other character ranges
  • Data Visualization
    • Drive Map (sectors)
    • Binary data with color value per byte
  • Bookmarking
    • Images (PNG, TIF, BMP, JPG, GIF, EMF, WMF, XBM, Base64 encoded)
    • File/Files
    • Overlays
      • Includes text encodings
  • Mountable Files
    • Nokia Backup.arc
  • Overlays
    • Use_Encoding
    • Byte, Int 16Bit, Int 32Bit, Int 64Bit, UInt 16Bit, UInt 32Bit, UInt 64Bit
    • Double 64Bit, Char UTF16, Single Float
    • Hex, Binary
    • ROT5, ROT13, ROT18, ROT47
    • ASCII_7Bit, Base64, QuotePrintable, ASCIIPrintable
    • Raw_Binary
    • YahooBase64, YahooUsernameEncoding
    • URL, URLEncoding, StripHTMLTags, HTMLEntities
    • CompressedUnicode, MP3Frame
    • PSTCompressibleASCII, PSTCompressibleUnicode
    • GUID
    • MFTEntry, FATVBR, NTFSVBR, DOSPartitionEntry, DOSPartitionTable, FATDirectoryEntry
    • BPList Object
    • MAC Absolute Time, Windows 64bit date time, FileTime, MS-DOS date time, Unix time, Symbian time
    • NokiaNibbleCounter, SwapByteEncodedPhoneNumber
  • Phone
    • OBEX support via BT (code may be removed)
    • PM Flash Files
    • Blackberry IPD Records
  • File Carving
    • User defined file signature
  • Intelligent Carving/Recovery
    • AMR files
    • Flat Decoded Streams
    • Deflate Streams
  • Signature Analysis
  • HTML Reporting
  • Binary Probe
    • LE and BE versions of standard variables (Int, Double, etc.)
  • Timestamp Probe
    • HTMLFileTime
    • MacAbsolute
    • MSDOS32Bit
    • PRTime
    • A lot more planned but not implemented/tested
  • Encoding Probe
    • Base64
    • ROT13
    • ROT47
    • Outlook ASCII
    • Outlook Unicode
    • UTF-8
    • UTF-16
  • MetaData
    • EXIF
      • EXIF GPS Extraction to KML
    • EXE
    • BMP
    • DOC
    • FLV
    • GZ
    • IPD Record
    • SQLite
    • LNK
  • OS Artifacts
    • Windows
      • Registry Files
    • EVT Parsing/Carving
    • Macintosh
      • BPLIST file
      • COOK file
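The Timestamp Probe and the date/time Overlays listed above read the same bytes under several on-disk encodings and keep the readings that land in a believable date range. The Python below is an added illustration of that approach, not the framework's own code: it tries FileTime, PRTime, Unix, Mac Absolute and MS-DOS 32-bit readings in both byte orders at one offset; the 1990 to 2030 window and the sample bytes are constructed assumptions.

```python
# Added example (not the framework's code): read the bytes at one offset as
# several timestamp encodings and keep the readings that fall in a sane window.
import struct
from datetime import datetime, timedelta, timezone
UTC = timezone.utc
WINDOW = (datetime(1990, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))  # assumed
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
MAC_ABS_EPOCH = datetime(2001, 1, 1, tzinfo=UTC)

def decode_filetime(v):      # 64-bit count of 100 ns ticks since 1601-01-01
    return FILETIME_EPOCH + timedelta(microseconds=v // 10)
def decode_prtime(v):        # 64-bit microseconds since 1970-01-01 (Mozilla PRTime)
    return UNIX_EPOCH + timedelta(microseconds=v)
def decode_unix(v):          # 32-bit seconds since 1970-01-01
    return UNIX_EPOCH + timedelta(seconds=v)
def decode_mac_absolute(v):  # 32-bit seconds since 2001-01-01 (CFAbsoluteTime)
    return MAC_ABS_EPOCH + timedelta(seconds=v)
def decode_msdos32(v):       # FAT date in the high word, FAT time in the low word
    date, time = v >> 16, v & 0xFFFF
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2, tzinfo=UTC)

DECODERS = {  # field width in bytes -> candidate (name, decoder) pairs
    4: [("Unix", decode_unix), ("MacAbsolute", decode_mac_absolute),
        ("MSDOS32Bit", decode_msdos32)],
    8: [("FileTime", decode_filetime), ("PRTime", decode_prtime)],
}

def probe(data, offset):
    """Return [(encoding, 'LE' or 'BE', datetime)] for every plausible reading."""
    hits = []
    for width, decoders in DECODERS.items():
        chunk = data[offset:offset + width]
        if len(chunk) < width:
            continue
        for endian in ("<", ">"):
            value = struct.unpack(endian + ("I" if width == 4 else "Q"), chunk)[0]
            for name, decode in decoders:
                try:
                    dt = decode(value)
                except (ValueError, OverflowError):  # impossible field or out of range
                    continue
                if WINDOW[0] <= dt < WINDOW[1]:
                    hits.append((name, "LE" if endian == "<" else "BE", dt))
    return hits

# Constructed samples: FILETIME of 2015-01-09 00:00 UTC; FAT time+date words for 2015-01-09 12:30
SAMPLE_FILETIME = struct.pack("<Q", 130652352000000000)
SAMPLE_MSDOS = bytes.fromhex("c0632946")
```

A single run of bytes often has more than one plausible reading (the FAT sample also decodes as a 2007 Unix time), which is why a probe reports candidates for the examiner rather than picking one.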

It has the following features in progress or partially supported (some may not make the final program):
  • FileSystem
    • NTFS
  • Mountable Files
    • Compound Structure File Format (doc, msi, thumbs.db)
    • PDF
    • Zip Compressed
  • Data Visualization
    • TreeMaps
      • Data size/Type
      • Date Created/Accessed/Modified
  • MetaData
    • MOV
  • Scripting (most likely will be dropped)
    • Iron Python
    • C#/.NET
  • Carving
    • PST Content Carving
  • Batch Searching

Planned Features
  • FileSystem
    • EXFAT
  • Advanced Data Recognizers (analyze content, i.e. cluster, segment, to determine data types)
    • Unicode by Language
    • JPEG

If you made it this far, here you go: one picture. The only picture in the wild.

3 comments:

  1. looks great, congratulations, good work, all the best for the final version

  2. What hex control are you using? I've been using http://sourceforge.net/projects/hexbox/

    Replies
    1. It's a custom control written from the ground up.