Slack_handler is a python tool for extracting File slacks in raw format and writing their details to a CSV file.
The File slacks considered are both RAM and DISK file slacks which represent the data between the none multiple size of the file and the allocated size in clusters. No volume slack is considered.
Implemented so far:
- extract all file slacks from raw or ewf disk image to a directory.
- display file slacks in LATIN-1 or Hex encoding to the console/terminal.
- pretty print all found file slack data in the provided disk image.
- Write-out File slacks details to a CSV file including: the original file, the file slack size, the parent directories, MD5 and SHA1 hashes, etc.
- Support for 'RAW' disk images.
- Support for 'EWF' disk images.
- Add CI using Github action.
- Add a helper function for MD5_calc and SHA1_calc in 'utils' module for factoring the code.
- Add EWF disk image to test_data.
- add more tests 'test__file_slack_nbr' and computed MD5 hashs.
- fix shenanigans of compressed files.
- add more tests 'test__file_slack_content' (inspection at binary level).
- add a test case for no_file_slack file.
- Add relative/absolute location details to CSV report file.
- cache and optimize Github actions.
- Add support for disk images in AFF formats.
- Optimize the way it locates the File slack space.
- Simulate user behaviors in test disk images using a Bash script.
- Generate more disk images for validation.
- add XML description file of each disk image using fiwalk or fls.
- package everything.
- Create a Virtual environment
- Download the latest release
- Clone pytsk repository
- update the repo (get libtsk)
python setup.py update - build (libtsk)
python setup.py build - install (which will install pytsk bindings)
python setup.py ìnstall pip listnow you should see pytsk installed if everything is ok!- clone pyewf repository
./synclibs.sh: Script that synchronizes the local library dependencies./autogen.sh./configure --enable-pythonpython setup.py buildpython setup.py install
For further details, please check the steps of the job Build used in Github actions process.
The tool is hosted on Pypi
pip3 install slack-handlerslack_handler --version
To dump all File slacks to 'slacks/' folder and extract all the information to CSV format file named 'report.csv' from a raw image 'USB-NTFS.dd' :
slack_handler --type raw --dump slacks/ --csv report.csv images/USB-NTFS.dd
Help:
usage: slack_handler [-h] [-e ENCODING] -t TYPE [-p] [-d DUMP] [-c CSV] [-v] [--version] disk image
Extract the file slack spaces.
positional arguments:
disk image
optional arguments:
-h, --help show this help message and exit
-e ENCODING, --encoding ENCODING
Display slack space in LATIN-1 or Hex. Supported options 'latin-1', 'hex'.
-t TYPE, --type TYPE Type of the disk image. Currently supported options 'raw' and 'ewf'.
-p, --pprint Pretty print all found file slack spaces.
-d DUMP, --dump DUMP Dump file slack spaces of each file in raw format to a directory if specified, by default temporary dir.
-c CSV, --csv CSV Write file slacks information to a CSV file.
-v, --verbose Control the verbosity of the output.
--version show program's version number and exit
Feel free to read the file LICENSE.
- Original version Date: 13/06/2012 by Sokratis Vidros sokratis.vidros@gmail.com
- Current updated version: 0.1 since 25/10/2020 by ALJI Mohamed sim4n6@gmail.com
- Joachim Metz for providing an initial feedback on the little tool related to the different types of disk slack space and the licensing.
- David Cowen for the awesome serie of "How-to on programming using libtsk and python".
- Any feedback is a welcome via Github issues or reach out via The Open Source DFIR Slack community using the registration link.