ftree - forensic tree


ftree details

ftree - identify, hash and destructure all files recursively

DESCRIPTION

ftree is a forensic utility that quickly and recursively crawls the files within a directory and surfaces important forensic information, including file type, sha256 hash, MACB times and file structure. ftree can also diff two directories, which is a powerful way to identify how directories and files have changed over time (e.g. how an iOS device has changed after international travel).

EXAMPLES

Produce a forensic tree artifact for ~/cases/case-123 storing the output as a sqlite file in /tmp/case-123-ftree.sqlite:

$ ftree generate ~/cases/case-123 -f sqlite -o /tmp/case-123-ftree.sqlite

Process the /sbin directory without sha256 hashing each file, and write csv output to the console:

$ ftree generate /sbin --skip-hash -f csv

Create a forensic tree diff of an iOS backup before and after international travel in json format:

$ ftree diff ./ir/iosDevice/backup-before-travel ./ir/iosdevice/backup-after-travel > iphone-incident-response.json

Generate a debug log for Hack42 Lab support:

$ ftree -d generate case-123

SYNOPSIS

  ftree [-V | --version] [-h | --help] [--format (json|csv|sqlite)]
        <command> [options] <args>

OPTIONS

  -f, --format .............. (json|csv|sqlite) [default: json]
  --skip-hash ............... do not generate a sha256 hash for each file
  --skip-magic .............. do not attempt to determine file type
  --skip-structure .......... do not provide file structure data
  -d, --debug ............... create debug log

COMMANDS

  generate ................ generate a forensic tree
  diff .................... diff two forensic trees
  register ................ register license
  license ................. display license info
  version ................. display version info
  help .................... display help

Output format

ftree can output results in json, csv or sqlite format. Regardless of which format you choose, ftree returns results with the same fields. For SQLite output, the results are stored in the "ftree" table. Note: csv fields are limited to 32k for Excel compatibility.

ftree generate output

  Field            Type     Description
  id               integer  auto-incrementing counter
  key              string   path to file relative to entry directory
  ext              string   file extension
  type             string   file type (file, directory, symbolic link, etc)
  error            string   error message if the file can't be processed
  dir_name         string   directory path relative to entry directory
  file_name        string   name of the file :-)
  full_path        string   full path to the file from root of filesystem
  size             integer  size of file in bytes
  file_hash        text     sha256 hash of file
  mtimeMs          text     the last time this file was modified, expressed in milliseconds since the POSIX Epoch
  atimeMs          text     the last time this file was accessed, expressed in milliseconds since the POSIX Epoch
  ctimeMs          text     the last time the file status was changed, expressed in milliseconds since the POSIX Epoch
  birthtimeMs      text     the creation time of this file, expressed in milliseconds since the POSIX Epoch
  magic_base       text     short form of file type (from libmagic v5.32)
  magic_full       text     full file type results (from libmagic v5.32)
  structure_hash   text     sha256 hash of file structure data, useful for finding files with identical structure
  element_count    integer  total number of file structure attributes found
  structure_type   text     algorithm used to destructure the file (e.g. sqlite, bplist, plist, xml, jpeg, etc)
  structure_data   text     structure data stored as escaped JSON data

ftree diff output

  • original refers to files from the first directory argument passed
  • new refers to files in the second directory argument passed

  Field                Type     Description
  id                   integer  auto-incrementing counter
  key                  string   path to file relative to entry directory
  diff_status          text     status of diff: identical, modified, new or deleted
  file_name            string   name of the file :-)
  original_type        string   file type (file, directory, symbolic link, etc) of original file
  original_magic_base  text     short form of file type (from libmagic v5.32) of original file
  original_path        string   full path to the original file from root of filesystem
  original_file_hash   text     sha256 hash of original file
  new_type             string   file type (file, directory, symbolic link, etc) of new file
  new_magic_base       text     short form of file type (from libmagic v5.32) of new file
  new_path             string   full path to the new file from root of filesystem
  new_file_hash        text     sha256 hash of new file
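The two tables above describe the records that "generate" emits and how "diff" pairs them up by key. The following Python script is an added illustration of that model and is not ftree's own code: it walks a directory into records carrying the generate fields listed above (magic and structure fields are left empty, since those need libmagic and the destructuring logic), then diffs two such record sets into the diff fields, deriving diff_status as new, deleted, modified or identical from the key, type and sha256 of each side. The two sample trees in demo() are constructed in a temporary directory purely for the run; how ftree itself decides "modified" (hash only, or hash plus type) is an assumption here.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through sha256 so large evidence files do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def entry_type(p: Path) -> str:
    # lstat semantics: a symlink is reported as a link, never as its target
    if p.is_symlink():
        return "symbolic link"
    if p.is_dir():
        return "directory"
    if p.is_file():
        return "file"
    return "other"


def generate(root, skip_hash=False):
    """Build 'generate'-style records for every entry below root (sorted for stable ids)."""
    root = Path(root)
    records = []
    for idx, p in enumerate(sorted(root.rglob("*")), start=1):
        st = p.lstat()
        rel = p.relative_to(root)
        rec = {
            "id": idx,
            "key": rel.as_posix(),
            "ext": p.suffix.lstrip("."),
            "type": entry_type(p),
            "error": "",
            "dir_name": rel.parent.as_posix() if rel.parent != Path(".") else "",
            "file_name": p.name,
            "full_path": os.path.abspath(p),
            "size": st.st_size,
            "file_hash": "",
            "mtimeMs": st.st_mtime * 1000,
            "atimeMs": st.st_atime * 1000,
            "ctimeMs": st.st_ctime * 1000,
            # st_birthtime only exists on macOS/BSD; fall back to ctime elsewhere
            "birthtimeMs": getattr(st, "st_birthtime", st.st_ctime) * 1000,
            "magic_base": "", "magic_full": "",
            "structure_hash": "", "element_count": 0,
            "structure_type": "", "structure_data": "",
        }
        if rec["type"] == "file" and not skip_hash:
            try:
                rec["file_hash"] = sha256_file(p)
            except OSError as exc:  # unreadable file: record the error, keep the row
                rec["error"] = str(exc)
        records.append(rec)
    return records


def diff(original, new):
    """Pair records by key and classify each key as new/deleted/modified/identical."""
    orig = {r["key"]: r for r in original}
    newr = {r["key"]: r for r in new}
    out = []
    for idx, key in enumerate(sorted(orig.keys() | newr.keys()), start=1):
        o, n = orig.get(key), newr.get(key)
        if o is None:
            status = "new"
        elif n is None:
            status = "deleted"
        elif o["type"] == n["type"] and o["file_hash"] == n["file_hash"]:
            status = "identical"       # directories carry no hash, so they compare equal
        else:
            status = "modified"        # assumption: type change or hash change both count
        out.append({
            "id": idx, "key": key, "diff_status": status,
            "file_name": (n or o)["file_name"],
            "original_type": o["type"] if o else "",
            "original_path": o["full_path"] if o else "",
            "original_file_hash": o["file_hash"] if o else "",
            "new_type": n["type"] if n else "",
            "new_path": n["full_path"] if n else "",
            "new_file_hash": n["file_hash"] if n else "",
        })
    return out


def demo():
    """Constructed before/after trees; returns {key: diff_status} for inspection."""
    with tempfile.TemporaryDirectory() as before, tempfile.TemporaryDirectory() as after:
        for base in (before, after):
            Path(base, "Library").mkdir()
            Path(base, "Library", "unchanged.plist").write_bytes(b"<plist/>")
        Path(before, "Library", "removed.db").write_bytes(b"old")
        Path(before, "Library", "prefs.plist").write_bytes(b"v1")
        Path(after, "Library", "prefs.plist").write_bytes(b"v2")
        Path(after, "Library", "new.log").write_bytes(b"hello")
        return {r["key"]: r["diff_status"] for r in diff(generate(before), generate(after))}


if __name__ == "__main__":
    for key, status in demo().items():
        print(f"{status:9} {key}")
```

Because keys are paths relative to the entry directory, the two trees can live anywhere on disk (a before and after backup folder, as in the EXAMPLES section) and still line up; only full_path differs between the original_ and new_ columns.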

BUGS

AUTHOR

Andrew Hoog <ahoog at hack42labs dot com>
