pjrinaldi / wombattools

Set of command-line tools for use with a custom forensic imager and custom logical imager using walafus, zstd, and blake3, which is integrated with Wombat Forensics and can also be used on its own.

License: BSD 2-Clause "Simplified" License

C 14.43% Shell 0.63% Assembly 55.19% C++ 29.46% Makefile 0.29%
blake3 cpp forensic-imager forensic-tools linux tar zstd

wombattools's Issues

checksum each block

If I want to checksum each compressed block, I can use the following... (Adler-32, as used in EWF)

#include <stddef.h>
#include <stdint.h>

/* Adler-32 variant used by EWF. previous_key carries the running checksum
 * across calls (use 1 for a fresh checksum); the return value can be passed
 * back in as previous_key for the next buffer. */
uint32_t Expert_Witness_Compression_CRC(
          uint8_t *buffer,
          size_t buffer_size,
          uint32_t previous_key )
{
    size_t buffer_iterator = 0;
    uint32_t lower_word = previous_key & 0xffff;           /* running byte sum */
    uint32_t upper_word = ( previous_key >> 16 ) & 0xffff;  /* running sum of lower_word */

    for( buffer_iterator = 0;
         buffer_iterator < buffer_size;
         buffer_iterator++ )
    {
        lower_word += buffer[ buffer_iterator ];
        upper_word += lower_word;

        /* Reduce modulo 0xfff1 (65521) every 0x15b0 (5552) bytes and on the
         * last byte, before the 32-bit accumulators can overflow. */
        if( ( buffer_iterator != 0 )
         && ( ( buffer_iterator % 0x15b0 == 0 )
          || ( buffer_iterator == buffer_size - 1 ) ) )
        {
            lower_word = lower_word % 0xfff1;
            upper_word = upper_word % 0xfff1;
        }
    }
    return( ( upper_word << 16 ) | lower_word );
}
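As an added example (not code from the wombattools project), this shows the per-block trailer layout the note above refers to: a standard Adler-32 is appended after every block, and a verifier walks the blocks to name the first damaged one instead of only failing the whole-image hash. The function names and the sample data in the test are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ADLER_MOD  65521u /* 0xfff1, largest prime below 2^16 */
#define ADLER_NMAX 5552u  /* 0x15b0, bytes between reductions before overflow */
/* Standard Adler-32; pass prev = 1 to start a fresh checksum. */
static uint32_t adler32(uint32_t prev, const uint8_t *buf, size_t len)
{
    uint32_t a = prev & 0xffff, b = (prev >> 16) & 0xffff;
    while (len > 0) {
        size_t n = len < ADLER_NMAX ? len : ADLER_NMAX;
        len -= n;
        while (n-- > 0) { a += *buf++; b += a; }
        a %= ADLER_MOD; b %= ADLER_MOD;
    }
    return (b << 16) | a;
}
/* Write data as blocks of block_size, each followed by a little-endian 4-byte
 * Adler-32 of that block. Returns bytes written, or 0 if out is too small. */
size_t write_checksummed_blocks(const uint8_t *data, size_t len, size_t block_size,
                                uint8_t *out, size_t out_cap)
{
    size_t pos = 0;
    for (size_t off = 0; off < len; off += block_size) {
        size_t n = (len - off < block_size) ? len - off : block_size;
        if (pos + n + 4 > out_cap) return 0;
        memcpy(out + pos, data + off, n);
        uint32_t c = adler32(1, data + off, n);
        for (int i = 0; i < 4; i++) out[pos + n + i] = (uint8_t)(c >> (8 * i));
        pos += n + 4;
    }
    return pos;
}
/* Re-check every trailer. Returns -1 when all blocks verify, otherwise the index
 * of the first corrupt or truncated block, so the damaged range can be named. */
long verify_checksummed_blocks(const uint8_t *img, size_t len, size_t block_size)
{
    long idx = 0;
    for (size_t pos = 0; pos < len; idx++) {
        size_t rem = len - pos;
        if (rem <= 4) return idx;                  /* no room for data + trailer */
        size_t n = (rem - 4 < block_size) ? rem - 4 : block_size;
        uint32_t stored = 0;
        for (int i = 0; i < 4; i++) stored |= (uint32_t)img[pos + n + i] << (8 * i);
        if (adler32(1, img + pos, n) != stored) return idx;
        pos += n + 4;
    }
    return -1;
}
```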

enterprise imager

Also working on the enterprise imager, which is a shell script using existing tools and parallel to make segments of a raw image at the same time, in parallel, and see if that is faster than imaging straight through.

Need to figure out how to feed the pieces through a hasher to verify the image, as well as the best method to compress the images: squashfs, tar zstd, 7z, xz, lz4, gzip, etc.

For hashing, I will need to build a C/C++ program which takes each piece and feeds it to the hash update function and then calculates it at the end. Should be able to build it quickly based off the blake3 or wombatverify code.

is there a need for a wombat fuse module

Need to determine if wombatreader|log|info is enough or if I should build a fuse module that will display the 3 files and enable operating on them, but I think the current 3 tools are enough.

Issue with image name directory not existing

If the wfi name to create doesn't have an existing directory with the same name, the std::filesystem::canonical() call fails.

Need to look into this and see if having a directory for the image with the same name is what I actually wanted, and then fix it with exists/mkdir code.

wombatlogical

Need to implement the logical forensic image creation format.

As well as a way to extract the contents from it.

wombatmount works - sort of

I can fuse mount the image as a raw device (the test device was a 256 GB SSD), but I could not then mount the loop-mounted raw NTFS image to a folder, so I can't review the files. I had to use zstd -d -o to create a raw image...

Need to test all tools

Need to test tools to account for the IMAGE accessed/created in the current folder as well as when it is in a different path.

WombatLogical Custom FileSystem Properties

Need to implement the properties portion for the file systems I currently have implemented in wombatforensics, i.e. FAT12/16/32, exFAT, NTFS, and ext2/3/4.

This will be what gets imported into the properties in wombatforensics, so I will need to figure out where to import that data, such as into the f#.prop file.

wombat log

Need to implement wombatlog to display the log file

wombat restore

Implement wombatrestore which restores a wfi raw image back to a device and then verifies the hash matches on the device.

udev update

If a partition is selected, I need to get the root and then udev the root and discuss the image of partition from device...

Either figure out a way to get the parent from the device string (/dev/sdXY, /dev/nvmeXn1pX) or update the udev code to look at the root of an identified partition,

or don't worry about it and get rid of udev device identification altogether.

wombat file forensics

Working on wombatfileforensics, which, for any given file(s) from any mounted file system, will provide the forensic properties for that file. Similar to what istat does, except since it is for a mounted file system, you don't have to navigate the file system with fls to find relevant files; also it will eventually cover more file systems than TSK, essentially any file system I've been working on with Wombat Forensics.

wombatfuse issue

wombatfuse mostly works, but fails to read the last block or half block or something like that. I need to figure out why that is, where my number is off and then fix that.

I am assuming it has to do with the framesize, being frameindex(i+1) - frameindex(i), and somehow that isn't working... or it is the final frame, which is rawsize - frameoffset(i).

wombatverify

Need to make a command line tool which will verify an existing image, similar to ewfverify.

speed up hashing

Need to implement the larger hash size calculation such as used in the imager to speed up hashing.

wombatfuse

Think about implementing a fuse module at some point which will spit out the uncompressed raw dd as a loop device.

Can use affuse/ewfuse as a guide.

wombat verify

Need to implement wombatverify to hash verify the image and compare it to what is in the info file.

Read the whole file in and then find the offset for "- BLAKE3 Forensic Image", then seek -32 from SEEK_CUR and read 32 bytes.
Or simply set the offset to tellg - 32, then read 32.
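An added example (not the project's code) of the hash lookup described above, with the bounds check that a bare tellg - 32 seek skips: the marker string and the 32-byte BLAKE3 length are from the note; the function name and the constructed buffer in the test are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WFI_HASH_MARKER "- BLAKE3 Forensic Image"
#define WFI_HASH_LEN    32

/* Find the last occurrence of the marker in buf and copy the 32 bytes that
 * precede it into out. Returns the offset of the hash, or -1 when the marker
 * is absent or sits fewer than 32 bytes into the buffer (a truncated file),
 * which an unchecked "offset - 32" seek would silently read past. The last
 * match is used because raw image data could itself contain the marker text. */
long wfi_find_trailing_hash(const uint8_t *buf, size_t len, uint8_t out[WFI_HASH_LEN])
{
    const size_t mlen = strlen(WFI_HASH_MARKER);
    long found = -1;
    if (len < mlen) return -1;
    for (size_t i = len - mlen + 1; i-- > 0; ) {        /* scan backwards from the end */
        if (memcmp(buf + i, WFI_HASH_MARKER, mlen) == 0) { found = (long)i; break; }
    }
    if (found < WFI_HASH_LEN) return -1;                 /* missing, or not enough bytes before it */
    memcpy(out, buf + found - WFI_HASH_LEN, WFI_HASH_LEN);
    return found - WFI_HASH_LEN;
}
```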

Walafus Fix

Need to remove the write nth block stdout messages from occurring.

Update About/Readme

Need to update the about/readme of the repository to account for the format switching.

enterprise imager spinoff ?

If it continues to develop well and if testing shows a marked improvement compared to regular imaging, then I will probably spin off the enterprise imager into its own project and set of imaging functions.

wombat read

Need to implement wombat read instead of wombatfuse

image format upgrade

Currently the forensic image format uses an index file to figure out where the frames start; this index allows the seek/find functionality within the lz4 compressed portion.

I need to move the index file elements into skippable frames, so it is all contained in the image. This will need to be implemented in the imager, fuse, and verify tools.

Also, I use the sector size to create the image, and I need to use a larger size, called blocksize, and make it a multiple of the sectorsize, so maybe 10,240 (20*512) or some number for a larger blocksize for more efficient images. I will have to work on what to do when errors are encountered if I do this method.

wombat info

Need to implement wombatinfo to display the info file

wombatinfo

I can make a wombat info tool which will read the information out of the image and provide it back, such as the hash, case info, etc.

Implement error checks

Need to test tools and implement error checks and graceful exits on errors prior to the v0.1 release

wombat list

Is there a need for a list command or option -l which lists the files and their sizes? Is this needed?

block size for verification

May not need the block size calculation, as zstd is pretty self-sufficient in its calculations for verification and fusing and whatnot.

Will test and look at the code and remove it if unneeded. This will also change the skippable frame size.

absolute path

Need to ensure absolute file paths are taken care of, because the imager fails with a pathed string for the image name...

wombat logical/export

Need to redo wombat logical as a 100% compatible tar.zst format.
Need to figure out how to store forensic metadata and the regular file/folder structure in the file, as well as how to reconstitute it and export from it.

Wombat Logical Image File Structure

Maybe I should just go with a simple lz4 compression of the image and then just stick my stuff at the end after it's done; then it would be compatible with lz4 tools as well as my tools and might simplify the formatting. I can put my header at the end and just check it out.
