TRACE-Forensic-Toolkit
TRACE is a digital forensic analysis tool that provides a user-friendly interface for investigating disk images.
Toolkit for Retrieval and Analysis of Cyber Evidence (TRACE)
TRACE is a digital forensic tool I developed as my final year project. It provides an intuitive interface for analyzing disk images and includes a range of functionalities to assist forensic examiners in extracting and viewing the contents of various image file formats.
Navigation 🧭
- Preview 👀
- Features 🌟
- Screenshots 📸
- Supported Image Formats 💾
- Tested File Systems 🗂️
- Cross-Platform Compatibility 🖥️💻
- Getting Started 🚀
- Prerequisites 🛠️
- Configuration ⚙️
- Running the Tool ▶️
- Built With 🧱
- Work in Progress 🛠️
- Testing & Feedback 🧪
- Contributing 🤝
- Socials 👨💻
Preview 👀 ⬆️
Features 🌟 ⬆️
✅ *Image Mounting: Mount forensic disk images. (Windows only)
✅ Tree Viewer: Navigate through the disk image structure, including partitions and files.
✅ Detailed File Analysis: View file content in different formats, such as HEX, text, and application-specific views.
✅ EXIF Data Extraction: Extract and display EXIF metadata from photos.
✅ Registry Viewer: View and examine Windows registry files.
✅ Basic File Carving: Recover deleted files from disk images.
✅ VirusTotal API Integration: Check files for malware using the VirusTotal API.
✅ E01 Image Verification: Verify the integrity of E01 disk images.
✅ Convert E01 to Raw: Convert E01 disk images to raw format.
✅ Message Decoding: Decode messages from base64, binary, and other encodings.
Screenshots 📸 ⬆️
Registry Browser 🗂️
File Carving 🔪
File Search 🔍
Image Verification ✅
Supported Image Formats 💾 ⬆️
Image Format | Extensions | Split | Unsplit |
---|---|---|---|
EnCase® Image File (EVF / Expert Witness Format) | *.E01, *.Ex01 | ✔️ | ✔️ |
SMART/Expert Witness Image File | *.s01 | ✔️ | ✔️ |
Single Image Unix / Linux DD / Raw | *.dd, *.img, *.raw | ✔️ | ✔️ |
ISO Image File | *.iso | ✔️ | |
AccessData Image File | *.ad1 | ✔️ | ✔️ |
Tested File Systems 🗂️ ⬆️
File System | Tested |
---|---|
NTFS | ✔️ |
FAT32 | |
exFAT | |
HFS+ | |
APFS | |
EXT2,3,4 | |
Cross-Platform Compatibility 💻🖥️ ⬆️
Tested operating systems (screenshots not included in this copy):
- macOS Sonoma 🍏
- Kali Linux 2024 🐧
- *WSL2 - Ubuntu 22.04.3 LTS 🐧
- Windows 10 🗔
Getting Started 🚀 ⬆️
Prerequisites 🔧
For Windows:
*There's a compatibility issue with Python 3.12. Please install Python 3.11 from the official Python website: https://www.python.org/downloads/release/python-3110/
If you don't already have Microsoft C++ Build Tools installed, you'll need to install them to compile required packages like libewf-python and pytsk3.
Step 1: Download and Install Microsoft C++ Build Tools - https://visualstudio.microsoft.com/visual-cpp-build-tools/
During the installation, make sure to select the following workloads:
- Desktop development with C++
- C++ build tools
Step 2: Install the Dependencies
```
pip install -r requirements.txt
```
For macOS - Apple Silicon:
```
chmod +x install_macos_silicon.sh
./install_macos_silicon.sh
```
This script will:
- Check if Homebrew is installed and offer to install it if it’s not.
- Install necessary system dependencies (ffmpeg and poppler) using Homebrew.
- Install all Python dependencies specified in requirements_macos_silicon.txt using pip.
For Ubuntu on WSL:
```
chmod +x WSL_Ubuntu_install.sh
./WSL_Ubuntu_install.sh
```
This script will:
- Update package lists and install necessary system packages including graphics libraries and sound management tools.
- Install necessary Python dependencies from requirements_macos_silicon.txt (same requirements for Ubuntu).
Configuration ⚙️
- API Keys Configuration: The tool integrates with the VirusTotal and Veriphone APIs, and you will need to provide your own API keys to use these features. Update the API keys in the following files:
  - For VirusTotal: Update the API key in `modules/virus_total_tab.py`
  - For Veriphone: Update the API key in `modules/veriphone_api.py`
Running the Tool ▶️
```
python main.py
```
Built With 🧱 ⬆️
- pytsk3 - Python bindings for the SleuthKit
- libewf-python - Library to access the Expert Witness Compression Format (EWF)
- PySide6 - Used for the GUI components.
- Arsenal Image Mounter - For mounting forensic disk images.
Work in Progress 🧑🔧 ⬆️
- Direct Video/Audio Playback: Currently, the video and audio player saves files temporarily before playing them, which can cause delays. The goal is to enable direct playback for faster performance.
- Integrated File Search and Viewer: The file search functionality is not yet connected to the "Viewer Tab," which displays HEX, text, application-specific views, metadata, and other details. This integration needs to be implemented.
- Cross-Platform Image Mounting: Image mounting currently works only on Windows using the Arsenal Image Mounter executable. The aim is to make this feature work across all platforms without relying on external executables.
- File Carving and Viewer Integration: The file carving functionality is not yet connected to the "Viewer Tab," where users can view HEX, text, application-specific views, and metadata. Additionally, the current file carving process does not distinguish between deleted and non-deleted files; it will "carve" all files of the selected type from the disk image.
- Color Issues in Dark Mode: The software currently has some colour display issues on Linux and macOS systems when using dark mode. Certain UI elements may not be clearly visible or may appear incorrectly.
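An added illustration (not the project's code) of why the carver described above recovers deleted and live files alike: a minimal header/footer signature carver walks the raw bytes of an image and never consults the file system, so a file's deletion status is invisible to it. The signatures, function names and the constructed sample image are my own assumptions.

```python
"""Signature-based file carving over a raw (dd) image, as a worked example.

Carving scans the byte stream for known header/footer pairs and ignores
directory entries entirely, which is why it returns every file of the
chosen type, whether or not the file system still references it.
"""

# Header and trailer signatures for two common types (constructed table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, file_type: str, max_size: int = 10 * 1024 * 1024):
    """Return a list of (offset, data) for every file of `file_type` whose
    header and trailer both appear in `image`. A header with no trailer within
    `max_size` bytes (truncated or overwritten) is skipped and scanning resumes
    one byte later, so a later intact file is still found."""
    header, trailer = SIGNATURES[file_type]
    results = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        end = image.find(trailer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1  # no trailer in range: treat as truncated
            continue
        end += len(trailer)
        results.append((start, image[start:end]))
        pos = end
    return results


def build_sample_image() -> bytes:
    """Construct a tiny stand-in 'disk image': two complete JPEGs separated by
    filler (in a real file system the second could be an unlinked, deleted
    file, which the carver cannot tell apart) plus one truncated JPEG."""
    jpeg_a = b"\xff\xd8\xff\xe0" + b"A" * 16 + b"\xff\xd9"
    jpeg_b = b"\xff\xd8\xff\xe1" + b"B" * 8 + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe0" + b"C" * 4  # header only, trailer lost
    return (b"\x00" * 512 + jpeg_a + b"\x00" * 64 + jpeg_b
            + b"\x00" * 32 + truncated + b"\x00" * 16)


if __name__ == "__main__":
    for offset, data in carve(build_sample_image(), "jpg"):
        print(f"carved {len(data)} bytes at offset {offset}")
```

Distinguishing deleted from live files would require walking the file system (for example with pytsk3) and cross-referencing each carved offset against allocated clusters, which is the missing step the item above describes.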
Testing & Feedback 🧪 ⬆️
- Tested Formats: The tool has primarily been tested with dd and E01 files. While these formats are well-supported, additional testing with other formats, such as Ex01, Lx01, s01, and others, is needed.
- Tested File Systems: Currently, the tool has only been tested on the NTFS file system. Testing on additional file systems like FAT32, exFAT, HFS+, APFS, EXT4, and others is needed to ensure broader compatibility.
- Call for Samples: If you have disk images in formats that are less tested (Ex01, Lx01, s01, etc.), your contributions would be greatly appreciated to help improve the tool's compatibility and robustness.
- Feedback Welcome: Please report any issues or unexpected behaviour to help improve the tool. Contributions and testing feedback are encouraged and welcomed.
Contributing 🤝 ⬆️
I welcome contributions from the community to help improve TRACE! If you're interested in contributing, here’s how you can get involved:
How to Contribute
- Report Issues: If you find any bugs or have suggestions for improvements, please open an issue on GitHub. Provide as much detail as possible to help address the issue effectively.
- Submit a Pull Request: If you have a fix or feature you’d like to contribute, please fork the repository, make your changes, and submit a pull request. Ensure your code adheres to the coding standards and includes tests where applicable.
- Provide Testing Samples: If you have disk images in formats that are less tested (Ex01, Lx01, s01, etc.), your contributions would be greatly appreciated to help improve the tool's compatibility and robustness. You can share these samples by contacting me.
- Review and Feedback: Review the changes submitted by others and provide feedback to help refine and enhance the tool.
Socials 👨💻 ⬆️