"Forensic" plugin for 7-Zip

24 Posts
6 Users
0 Likes
3,762 Views
(@aniskin)
Posts: 15
Active Member
Topic starter
 

Hello, world.

Maybe someone will be interested in this free plugin for 7-Zip, which allows you to open various forensic disk images as archives.

Forensic7z is a plugin for the popular 7-Zip archiver. You can use Forensic7z to open and browse disk images created by specialized software for forensic analysis, such as Encase or FTK Imager.

At the moment, the Forensic7z plugin supports images in the following formats:

- ASR Expert Witness Compression Format (.S01)
- Encase Image File Format (.E01)
- Advanced Forensics Format (.AFF)
- AccessData FTK Imager Logical Image (.AD1)

I am the developer of this plugin and am ready to answer any question.

 
Posted : 21/11/2018 3:03 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Looks very interesting-

When you say “open” forensic image files, how does that differ from mounting a forensic image using Mount ImagePro, OSFMount, etc?

I can “open” forensic images with FTK Imager as well, but I need to export native files from FTK Imager or mount the image file before I can meaningfully interact with the files in the image.

 
Posted : 22/11/2018 4:37 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Does your plugin also reveal slack space files in images or just logical NTFS files for example?

 
Posted : 22/11/2018 4:39 am
(@aniskin)
Posts: 15
Active Member
Topic starter
 

> When you say “open” forensic image files, how does that differ from mounting a forensic image using Mount ImagePro, OSFMount, etc?

I don't have Mount ImagePro, so I don't know how it works.

You must understand that the plugin is not a professional tool and is not a replacement for any professional tool. It does only one simple thing: it decompresses a compressed image into RAW.

> Does your plugin also reveal slack space files in images or just logical NTFS files for example?

The plugin does not parse the internal structures of RAW images. 7-Zip has native support for some file systems, and when you open a RAW file as a nested archive, 7-Zip uses its own algorithms for decoding the file system.

 
Posted : 22/11/2018 4:58 am
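As an added example (not the plugin's code and not from the thread), the following Python script walks the section chain of an EnCase/Expert Witness (E01) segment file and checks the Adler-32 checksum of every section descriptor, which is the kind of integrity check an examiner wants before trusting a decompressed image. The layout constants (13-byte file header, 76-byte section descriptors, "done"/"next" terminating the chain) are taken from the public EWF format description; the sample image is constructed in code.

```python
import struct
import zlib

# EWF segment file header: 8-byte signature, 0x01, uint16 segment number, uint16 zero
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
HEADER_LEN = 13
# Section descriptor: 16-byte type, uint64 next offset, uint64 size,
# 40 bytes padding, uint32 Adler-32 over the preceding 72 bytes
DESCRIPTOR_LEN = 76
DESCRIPTOR_FMT = "<16sQQ40xI"


def walk_sections(data: bytes):
    """Return (segment_number, [(type, offset, size, checksum_ok), ...])."""
    if data[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF segment file")
    segment = struct.unpack_from("<H", data, 9)[0]
    sections, seen, offset = [], set(), HEADER_LEN
    while True:
        if offset in seen or offset + DESCRIPTOR_LEN > len(data):
            raise ValueError(f"broken section chain at offset {offset}")
        seen.add(offset)
        raw = data[offset:offset + DESCRIPTOR_LEN]
        stype, nxt, size, stored = struct.unpack(DESCRIPTOR_FMT, raw)
        stype = stype.rstrip(b"\x00").decode("ascii", "replace")
        ok = (zlib.adler32(raw[:72]) & 0xFFFFFFFF) == stored
        sections.append((stype, offset, size, ok))
        # "done" (last segment) and "next" (more segments follow) close the
        # chain; their next-offset field points back at the descriptor itself.
        if stype in ("done", "next") or nxt == offset:
            return segment, sections
        offset = nxt


def _descriptor(stype: bytes, size: int, nxt: int) -> bytes:
    body = struct.pack("<16sQQ40x", stype, nxt, size)
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF)


def build_sample() -> bytes:
    """Constructed one-segment image: a 'header' section followed by 'done'."""
    hdr = EWF_SIGNATURE + b"\x01" + struct.pack("<HH", 1, 0)
    payload = zlib.compress(b"c\nn\ttest image\n")   # constructed header text
    first_size = DESCRIPTOR_LEN + len(payload)       # size includes descriptor
    done_off = HEADER_LEN + first_size
    first = _descriptor(b"header", first_size, done_off)
    done = _descriptor(b"done", DESCRIPTOR_LEN, done_off)
    return hdr + first + payload + done


if __name__ == "__main__":
    for stype, off, size, ok in walk_sections(build_sample())[1]:
        print(f"{stype:8} offset={off:<6} size={size:<6} checksum_ok={ok}")
```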
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Very interesting, thanks for posting about it (and of course for actually making it).

I have seen you have made a lot of other plugins for 7-Zip:
http://www.tc4shell.com/en/7zip/

Nice, particularly this one:
http://www.tc4shell.com/en/7zip/wincrypthashers/

as I missed the MD5 in "plain" 7-Zip.

I didn't know that such plugins were possible, IMHO a missing function (cannot say if it is possible to implement it) is to have a way (when you open an "unknown" file) to know which specific "parser" (or plugin) 7zip is using, i.e. in which format it "sees" and "interprets" the file.

jaclaz

 
Posted : 22/11/2018 10:17 am
(@aniskin)
Posts: 15
Active Member
Topic starter
 

> I didn't know that such plugins were possible, IMHO a missing function (cannot say if it is possible to implement it) is to have a way (when you open an "unknown" file) to know which specific "parser" (or plugin) 7zip is using, i.e. in which format it "sees" and "interprets" the file.

Just use the Properties command. It will show the parser used (the Type parameter).

 
Posted : 22/11/2018 10:47 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Just use the Properties command. It will show the parser used (the Type parameter).

Sure, thanks.

But that implies first opening the "unknown" file, and then right-clicking "Properties" on *any* file "inside" the (maybe) opened file.

I didn't explain myself properly.

I was thinking more of an added field in the tabular view, when you open the "container" file, like Name/Size/Modified/Created/Accessed/Attributes/ … etc., which BTW would make it clearer (I almost always use 7-Zip as a two-pane file manager) that the pane is relative to the "inside" of an archive (or "container").

Or even (this is another thing) a command pre-parsing the contents of the directory containing the unknown file(s) and adding a "presumed file type" (independent from file extension) to each file in it.

Of course since analyzing files in a directory would take computer time, this should be something that is generated only on demand.

jaclaz

 
Posted : 22/11/2018 11:39 am
(@aniskin)
Posts: 15
Active Member
Topic starter
 

The 7-Zip API does not provide such functionality.

 
Posted : 22/11/2018 11:43 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> The 7-Zip API does not provide such functionality.

I suspected something like that.

Too bad …

Thanks again for the nice plugins.

jaclaz

 
Posted : 22/11/2018 11:47 am
(@aniskin)
Posts: 15
Active Member
Topic starter
 

Could somebody provide me with samples of EnCase Ex01 and Lx01 files? I would like to add support for these formats but cannot do it without samples.

 
Posted : 22/11/2018 1:15 pm
Page 1 / 3