
Process DMG images directly in command line

Open aberenguel opened this issue 1 year ago • 13 comments

Extractions on newer macOS do not allow extracting the physical APFS partition image if it is encrypted. They only allow creating an image of a mounted folder (logical extraction), so the result is a DMG image file.

The workaround today is to convert the DMG file to AD1 using some tools like FTK Imager, but it takes a lot of time.

It would be interesting if IPED processed the DMG image file directly from the command line, like iped.exe -d Macbook.dmg.

aberenguel avatar Aug 19 '23 20:08 aberenguel

Not sure if it would be easy to implement this directly into IPED. I think DMG images can also contain a raw bit-by-bit disk copy, or not?

Found this library from Joachim Metz: https://github.com/libyal/libmodi

And its file format documentation, lots of details: https://github.com/libyal/libmodi/blob/main/documentation/Mac%20OS%20disk%20image%20types.asciidoc

Maybe this would fit better if integrated into Sleuthkit, so we would get embedded HFS (and APFS?) decoding, if physical image data is allowed in DMG.

lfcnassif avatar Aug 19 '23 21:08 lfcnassif

Another possible approach would be using 7zip to handle it like a ZIP container. I think 7zip supports DMG, but not sure if SevenZipJBindings, used by us, supports it...

lfcnassif avatar Aug 19 '23 21:08 lfcnassif


I don't have DMG images created by MacOS, please test this with your DMGs:

  • try to open them with stand-alone 7zip
  • if it works, configure IPED's SevenZipParser to process the corresponding DMG mimetype in ParserConfig.xml, like:
<parser class="iped.parsers.compress.SevenZipParser">
    <mime>application/x-apple-diskimage</mime>
</parser>

PS: The config above is just for testing, as it overrides SevenZipParser's default supported types; all of them should be added above.

lfcnassif avatar Aug 19 '23 22:08 lfcnassif

PS2: you should add application/x-apple-diskimage to Compressed Files in CategoriesConfig.json or other category that is configured to be expanded in CategoriesToExpand.txt, so IPED will try to expand it using SevenZipParser.

lfcnassif avatar Aug 19 '23 22:08 lfcnassif

PS3: I tried it years ago to handle another image format, but 7zip extracted huge files, one corresponding to the partition, another corresponding to the NTFS file system, so it wasn't a good solution at that time. But maybe for logical DMGs it can work better.

lfcnassif avatar Aug 19 '23 22:08 lfcnassif

Great! I'll do that!

aberenguel avatar Aug 19 '23 23:08 aberenguel

Just tested it with a VDI image, I don't remember if it was the format I tested in the past. 7zip is able to open it, but SevenZipJBindings is not (throws a "no codec registered" exception). Extracting the NTFS partitions manually with 7zip, SevenZipJBindings is able to expand them, although I think it would be better to redirect them to TSK to get unallocated space and recover deleted files (it was just a quick test).

lfcnassif avatar Aug 19 '23 23:08 lfcnassif

Looking at SevenZipJBinding supported formats: https://sevenzipjbind.sourceforge.net/

Seems DMG is not supported. But I think the test is simple and still worth trying.

Another non-ideal approach would be to call the native 7zip tool via fork/exec to expand some formats. Looking at the 7zip page, among those we don't support yet, I think these are interesting: DMG, VDI, QCOW2, maybe others...

7zip for Win64 would be a small app (a few MBs) to embed into IPED. Calling an external tool to expand containers is not an ideal approach: usually we have to wait for the full container expansion before starting to consume its subitems, and we may also have invalid or long path issues... We have those problems with pffexport to decode OST mailboxes. But I don't know if there is another easy option...

lfcnassif avatar Aug 20 '23 03:08 lfcnassif
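The quick compatibility check discussed above, as an added example that is not part of this thread or of IPED's code base: it asks SevenZipJBinding to auto-detect and open an image, lists its entries, and reports the codec error when the bundled 7-Zip has no handler for the container. The file path is a placeholder.

```java
// Added example, not IPED project code: probe whether SevenZipJBinding can open an image
// (DMG, VDI, ...) with format auto-detection and list what it sees inside.
import java.io.RandomAccessFile;
import net.sf.sevenzipjbinding.ArchiveFormat;
import net.sf.sevenzipjbinding.IInArchive;
import net.sf.sevenzipjbinding.PropID;
import net.sf.sevenzipjbinding.SevenZip;
import net.sf.sevenzipjbinding.SevenZipException;
import net.sf.sevenzipjbinding.impl.RandomAccessFileInStream;

public class DmgProbe {
    public static void main(String[] args) throws Exception {
        // Placeholder path; pass the real image as the first argument.
        String path = args.length > 0 ? args[0] : "Macbook.dmg";

        // Loads the native 7-Zip library shipped inside the platform jar.
        SevenZip.initSevenZipFromPlatformJAR();

        try (RandomAccessFile raf = new RandomAccessFile(path, "r")) {
            RandomAccessFileInStream in = new RandomAccessFileInStream(raf);
            // null = let 7-Zip detect the container format by signature.
            IInArchive archive = SevenZip.openInArchive(null, in);
            try {
                ArchiveFormat fmt = archive.getArchiveFormat();
                System.out.println("Detected format: " + fmt);
                int n = archive.getNumberOfItems();
                System.out.println("Entries: " + n);
                for (int i = 0; i < n; i++) {
                    String name = archive.getStringProperty(i, PropID.PATH);
                    Object size = archive.getProperty(i, PropID.SIZE);
                    Object isDir = archive.getProperty(i, PropID.IS_FOLDER);
                    // Huge single entries (a whole partition) mean 7-Zip only split the
                    // container, not the file system; those would still need TSK.
                    System.out.println((Boolean.TRUE.equals(isDir) ? "[dir]  " : "[file] ")
                            + name + " (" + size + " bytes)");
                }
            } finally {
                archive.close();
            }
        } catch (SevenZipException e) {
            // A "no codec registered" message here means the bundled 7-Zip has no
            // handler for this container, so SevenZipParser cannot expand it.
            System.err.println("SevenZipJBinding could not open " + path + ": " + e.getMessage());
        }
    }
}
```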

Just found these 2 java projects: https://github.com/unsound/dmgextractor (older) https://github.com/SJSU-CS-systems-group/dmgInspector (newer)

lfcnassif avatar Aug 20 '23 12:08 lfcnassif


Hi @aberenguel, if you can test both applications on your DMG images when you have some time, that would help a lot.

lfcnassif avatar Aug 20 '23 15:08 lfcnassif

I'm working on https://github.com/SJSU-CS-systems-group/dmgInspector. I didn't like it because all image bytes are handled in memory (ByteBuffer). It will be necessary to adapt the code to handle the file in a streaming way.

I will try https://github.com/unsound/dmgextractor

aberenguel avatar Aug 20 '23 21:08 aberenguel


Thank you @aberenguel! Just to be clear, I didn't ask you to implement it, but just to test both tools on your DMG images to see which works better. Of course code contributions would be very welcome :-)

lfcnassif avatar Aug 22 '23 02:08 lfcnassif