
Simple File Parser (no longer supported)

17 Posts
6 Users
0 Likes
2,743 Views
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Hi All,

I'm currently writing a tool for the parsing of common Windows artefacts and I would like to share it with the forensic community. This tool is called the Simple File Parser (SFP) and it currently supports the parsing of link and prefetch files and allows the user to easily export the information to CSV format for a more detailed analysis.

To take a look at the program or to download it yourself, please visit the tool's page https://code.google.com/p/simple-file-parser/. You will need .NET 4 installed before running this program.

I will take on-board any comments, or if you find any bugs please let me know.

Chris.

 
Posted : 30/03/2012 11:54 pm
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Version 1.3 has been released and has initial support for Windows 7 jump-lists.

 
Posted : 16/04/2012 12:07 am
 tg92
(@tg92)
Posts: 13
Active Member
 

Thanks for this great tool.

Thierry

 
Posted : 17/04/2012 2:39 am
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Thanks Thierry, I have plans to improve the jump-list support and to make it multi-threaded for performance (once I've worked out how to thread in C# that is!).

 
Posted : 18/04/2012 1:04 pm
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Version 1.4 has now been released with more robust support for jump-list artefacts, improved GUI and speed, multithreaded goodness and multiple time-zone support. Download at www.simplefileparser.blogspot.com.

As ever, please let me have your comments and suggestions for future releases.

 
Posted : 15/06/2012 4:47 pm
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Version 1.5 now has support for the parsing of INDX Attributes ($I30 files).

Let me know if you have any issues.

 
Posted : 21/11/2012 5:47 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Does the LNK parser support parsing the shell item ID lists?

 
Posted : 21/11/2012 6:31 pm
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Hi Harlan,

It does not support them at the moment, but if there is an interest I can try to code a solution. The tool does know where they exist, so it shouldn't be too difficult (famous last words!).

 
Posted : 23/11/2012 5:38 pm
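The shell item ID list Harlan asks about is the LinkTargetIDList structure that immediately follows the 76-byte ShellLinkHeader when the HasLinkTargetIDList flag is set (MS-SHLLINK). The following is an added example, not SFP's code or anything from the Google Code project: it validates the header, converts the FILETIME stamps, and walks the ItemID chain up to the two-byte TerminalID, checking that the item sizes agree with IDListSize. The item-class labels and field offsets for root-folder, volume and file-entry items follow the publicly documented shell item layouts; the sample LNK bytes are constructed inline rather than captured from a system.

```python
"""Walk a Windows shortcut (.lnk) header and its LinkTargetIDList (MS-SHLLINK)."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit 0
IS_UNICODE = 0x00000080               # LinkFlags bit 7

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Shell item class-type indicator byte -> label, as documented in public
# shell item format notes (only the kinds this example emits).
ITEM_CLASSES = {
    0x1F: "root folder",
    0x2F: "volume",
    0x31: "file entry (directory)",
    0x32: "file entry (file)",
}


def filetime_to_iso(ft: int) -> str:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return (_FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def filetime_from_datetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_header(data: bytes) -> dict:
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    return {
        "flags": flags,
        "has_id_list": bool(flags & HAS_LINK_TARGET_ID_LIST),
        "file_attributes": attrs,
        "creation_time": filetime_to_iso(ctime),
        "access_time": filetime_to_iso(atime),
        "write_time": filetime_to_iso(wtime),
        "file_size": fsize,
    }


def describe_item(item: bytes) -> dict:
    """item = ItemID data with its 2-byte size field already stripped."""
    kind = item[0]
    name = ""
    if kind == 0x1F and len(item) >= 18:          # type, sort index, CLSID
        name = str(uuid.UUID(bytes_le=item[2:18]))
    elif kind == 0x2F:                            # type, ASCII volume path
        name = item[1:].split(b"\x00")[0].decode("ascii", "replace")
    elif kind in (0x31, 0x32) and len(item) > 12:  # type, unk, size, dostime, attrs, name
        name = item[12:].split(b"\x00")[0].decode("cp1252", "replace")
    return {"type": kind, "class": ITEM_CLASSES.get(kind, "unknown"), "name": name}


def parse_id_list(data: bytes, offset: int):
    """Return (items, offset_after_list); raise on inconsistent sizes."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    end = offset + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    pos, items = offset + 2, []
    while True:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                        # TerminalID
            pos += 2
            break
        if item_size < 3 or pos + item_size > end:
            raise ValueError("corrupt ItemIDSize at offset %d" % pos)
        items.append(describe_item(data[pos + 2:pos + item_size]))
        pos += item_size
    if pos != end:
        raise ValueError("IDListSize disagrees with the ItemID chain")
    return items, end


def parse_lnk(data: bytes) -> dict:
    header = parse_header(data)
    items = []
    if header["has_id_list"]:                     # the list is optional
        items, _ = parse_id_list(data, HEADER_SIZE)
    return {"header": header, "items": items}


def _item(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload


def build_sample_lnk(with_id_list: bool = True) -> bytes:
    """Constructed sample shortcut (not a captured file)."""
    wtime = filetime_from_datetime(datetime(2012, 3, 30, 23, 54, tzinfo=timezone.utc))
    flags = IS_UNICODE | (HAS_LINK_TARGET_ID_LIST if with_id_list else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID.bytes_le, flags,
                         0x20, wtime, wtime, wtime, 193536, 0, 1, 0, 0, 0, 0)
    if not with_id_list:
        return header
    my_computer = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
    id_list = b"".join([
        _item(b"\x1f\x50" + my_computer.bytes_le),
        _item(b"\x2f" + b"C:\\\x00".ljust(22, b"\x00")),
        _item(b"\x31\x00" + struct.pack("<IIH", 0, 0, 0x10) + b"WINDOWS\x00"),
        _item(b"\x32\x00" + struct.pack("<IIH", 193536, 0, 0x20) + b"NOTEPAD.EXE\x00"),
    ]) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    for entry in parse_lnk(build_sample_lnk())["items"]:
        print("0x%02x %-24s %s" % (entry["type"], entry["class"], entry["name"]))
```

The size cross-check at the end of `parse_id_list` is what keeps a damaged or hand-crafted shortcut from silently yielding a plausible-looking path; a parser that only follows the per-item sizes will happily read into the LinkInfo structure that follows.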
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

In order to give something back to the forensic community, all of the code is now available on Google Code. Feel free to download, distribute and copy. I will keep all updated versions of SFP on Google Code from now on. If anyone would like to contribute to the project please let me know (first job is to optimise the code!).

http://code.google.com/p/simple-file-parser/

 
Posted : 30/01/2013 3:41 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

Nice to see another .NET developer writing tools! Is the source code in the .exe file at the link you provided? All I see is the exe.

Also, I noticed in the status bar it says

take taken 0.33

when I am guessing it should be

time taken 0.33

The prefetch parsing had some issues on Win8 as well.

I would recommend against using a msgbox for each error, as the end user will need to click OK possibly dozens of times. An area for status messages (like a listbox) would be better for that.

I'd like to take a look at your code. Seems like some good stuff based on the LNK results. Have you compared your results with those generated by Shellify? That's what I have been using for a while for LNK files.

 
Posted : 31/01/2013 3:45 am