ftree details
ftree - identify, hash and destructure all files recursively
DESCRIPTION
ftree is a forensic utility that quickly and recursively crawls all files within a directory and surfaces important forensic information, including file type, sha256 hash, MACB times and file structure. ftree can also diff two directories, which is a powerful tool for identifying how directories and files have changed over time (e.g. how an iOS device has changed after international travel).
EXAMPLES
Produce a forensic tree artifact for ~/cases/case-123, storing the output as a sqlite file in /tmp/case-123-ftree.sqlite:
$ ftree generate ~/cases/case-123 -f sqlite -o /tmp/case-123-ftree.sqlite
Process the /sbin directory without sha256 hashing each file, outputting csv to the console:
$ ftree generate /sbin --skip-hash -f csv
Create a forensic tree diff of an iOS backup before and after international travel in json format:
$ ftree diff ./ir/iosDevice/backup-before-travel ./ir/iosdevice/backup-after-travel > iphone-incident-response.json
Generate a debug log for Hack42 Lab support:
$ ftree -d generate case-123
SYNOPSIS
ftree [-V | --version] [-h | --help] [--format (json|csv|sqlite)]
<command> [options] <args>
OPTIONS
-f, --format .............. (json|csv|sqlite) [default: json]
--skip-hash ............... do not generate a sha256 hash for each file
--skip-magic .............. do not attempt to determine file type
--skip-structure .......... do not provide file structure data
-d, --debug ............... create debug log
COMMANDS
generate ................ generate a forensic tree
diff .................... diff two forensics trees
register ................ register license
license ................. display license info
version ................. display version info
help .................... display help
Output format
ftree can output results in json, csv or sqlite format. Regardless of which format you choose, ftree returns the results with the same fields. For SQLite output, the results are stored in the "ftree" table. Note: csv fields are limited to 32k for Excel compatibility.
ftree generate output
| Field | Type | Description |
|---|---|---|
| id | integer | auto-incrementing counter |
| key | string | path to file relative to entry directory |
| ext | string | file extension |
| type | string | file type (file, directory, symbolic link, etc) |
| error | string | error message if the file can't be processed |
| dir_name | string | directory path relative to entry directory |
| file_name | string | name of the file :-) |
| full_path | string | full path to the file from root of filesystem |
| size | integer | size of file in bytes |
| file_hash | text | sha256 hash of file |
| mtimeMs | text | The timestamp indicating the last time this file was modified, expressed in milliseconds since the POSIX Epoch. |
| atimeMs | text | The timestamp indicating the last time this file was accessed, expressed in milliseconds since the POSIX Epoch. |
| ctimeMs | text | The timestamp indicating the last time the file status was changed, expressed in milliseconds since the POSIX Epoch. |
| birthtimeMs | text | The timestamp indicating the creation time of this file, expressed in milliseconds since the POSIX Epoch. |
| magic_base | text | Short form of file type (from libmagic v5.32) |
| magic_full | text | Full file type results (from libmagic v5.32) |
| structure_hash | text | sha256 hash of file structure data, useful for finding files with identical structure |
| element_count | integer | total number of file structure attributes found |
| structure_type | text | algorithm used to destructure the file (e.g. sqlite, bplist, plist, xml, jpeg, etc) |
| structure_data | text | structure data stored as escaped JSON data |
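Two questions an examiner typically asks of the fields above are "which files carry an extension that disagrees with what libmagic says they are?" and "which files share a structure_hash?". The following added example (not ftree's own code, and the rows are constructed placeholders, not real ftree output) loads a handful of rows into an in-memory SQLite table named `ftree`, mirroring the sqlite output layout, and answers both questions with plain queries. The `EXPECTED_MAGIC` mapping from extension to a libmagic description substring is an assumption for the demonstration; extend it for the file types in your own case.

```python
import sqlite3

# Constructed sample rows in the shape documented for `ftree generate` (not real
# ftree output; hashes are placeholders). Only the fields the queries need are filled.
SAMPLE_ROWS = [
    {"key": "Manifest.db", "ext": "db", "type": "file", "size": 4096,
     "file_hash": "a" * 64, "magic_base": "SQLite 3.x database",
     "structure_type": "sqlite", "structure_hash": "1" * 64},
    {"key": "Info.plist", "ext": "plist", "type": "file", "size": 512,
     "file_hash": "b" * 64, "magic_base": "Apple binary property list",
     "structure_type": "bplist", "structure_hash": "2" * 64},
    {"key": "DCIM/IMG_0001.jpg", "ext": "jpg", "type": "file", "size": 204800,
     "file_hash": "c" * 64, "magic_base": "JPEG image data",
     "structure_type": "jpeg", "structure_hash": "3" * 64},
    # Extension says image, content is a SQLite database with the same structure as Manifest.db
    {"key": "DCIM/notes.jpg", "ext": "jpg", "type": "file", "size": 8192,
     "file_hash": "d" * 64, "magic_base": "SQLite 3.x database",
     "structure_type": "sqlite", "structure_hash": "1" * 64},
    {"key": "DCIM", "ext": "", "type": "directory", "size": 0,
     "file_hash": "", "magic_base": "", "structure_type": "", "structure_hash": ""},
]

# Assumed substring that libmagic's short description should contain for each extension.
EXPECTED_MAGIC = {"db": "SQLite", "sqlite": "SQLite", "plist": "property list",
                  "jpg": "JPEG", "jpeg": "JPEG", "png": "PNG"}


def load_into_sqlite(rows):
    """Load rows into an in-memory table named 'ftree', mirroring ftree's sqlite output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ftree (
        id INTEGER PRIMARY KEY AUTOINCREMENT, key TEXT, ext TEXT, type TEXT,
        size INTEGER, file_hash TEXT, magic_base TEXT, structure_type TEXT,
        structure_hash TEXT)""")
    conn.executemany(
        "INSERT INTO ftree (key, ext, type, size, file_hash, magic_base, structure_type, structure_hash)"
        " VALUES (:key, :ext, :type, :size, :file_hash, :magic_base, :structure_type, :structure_hash)",
        rows)
    conn.commit()
    return conn


def extension_mismatches(conn):
    """Return keys of regular files whose extension does not agree with magic_base."""
    mismatches = []
    for key, ext, magic_base in conn.execute(
            "SELECT key, ext, magic_base FROM ftree WHERE type = 'file' ORDER BY key"):
        expected = EXPECTED_MAGIC.get(ext.lower())
        if expected is not None and expected.lower() not in magic_base.lower():
            mismatches.append(key)
    return mismatches


def shared_structure(conn):
    """Group regular files by structure_hash; keep only hashes shared by more than one file."""
    groups = {}
    for structure_hash, key in conn.execute(
            "SELECT structure_hash, key FROM ftree"
            " WHERE type = 'file' AND structure_hash != '' ORDER BY structure_hash, key"):
        groups.setdefault(structure_hash, []).append(key)
    return {h: keys for h, keys in groups.items() if len(keys) > 1}


if __name__ == "__main__":
    db = load_into_sqlite(SAMPLE_ROWS)
    print("extension/magic mismatches:", extension_mismatches(db))
    print("files sharing a structure_hash:", shared_structure(db))
```

Against a real sqlite artifact, replace the `:memory:` connection with `sqlite3.connect("/tmp/case-123-ftree.sqlite")` and skip `load_into_sqlite`; the two query functions work unchanged because they only read the documented columns.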
ftree diff output
- original refers to files from the first directory argument passed
- new refers to files in the second directory argument passed
| Field | Type | Description |
|---|---|---|
| id | integer | auto-incrementing counter |
| key | string | path to file relative to entry directory |
| diff_status | text | status of diff: identical, modified, new or deleted |
| file_name | string | name of the file :-) |
| original_type | string | file type (file, directory, symbolic link, etc) of original file |
| original_magic_base | text | Short form of file type (from libmagic v5.32) of original file |
| original_path | string | full path to the original file from root of filesystem |
| original_file_hash | text | sha256 hash of original file |
| new_type | string | file type (file, directory, symbolic link, etc) of new file |
| new_magic_base | text | Short form of file type (from libmagic v5.32) of new file |
| new_path | string | full path to the new file from root of filesystem |
| new_file_hash | text | sha256 hash of new file |
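To make the four diff_status values concrete, here is an added example (not ftree's own diff implementation) that takes two lists of `ftree generate` rows, keyed on `key`, and emits rows in the diff layout documented above. The before/after rows are constructed placeholders standing in for an iOS backup before and after travel. The comparison rule is an assumption: a key present in both trees is `identical` when type and file_hash agree and `modified` otherwise; a key only in the second tree is `new`, only in the first is `deleted`. ftree's actual comparison may weigh other fields.

```python
# Constructed rows in the shape of `ftree generate` output (placeholders, not real data).
BEFORE_TRAVEL = [
    {"key": "Manifest.db", "file_name": "Manifest.db", "type": "file",
     "magic_base": "SQLite 3.x database",
     "full_path": "/ir/iosDevice/backup-before-travel/Manifest.db", "file_hash": "a" * 64},
    {"key": "Info.plist", "file_name": "Info.plist", "type": "file",
     "magic_base": "XML 1.0 document",
     "full_path": "/ir/iosDevice/backup-before-travel/Info.plist", "file_hash": "b" * 64},
    {"key": "Library/Preferences/com.example.plist", "file_name": "com.example.plist",
     "type": "file", "magic_base": "Apple binary property list",
     "full_path": "/ir/iosDevice/backup-before-travel/Library/Preferences/com.example.plist",
     "file_hash": "c" * 64},
]
AFTER_TRAVEL = [
    {"key": "Manifest.db", "file_name": "Manifest.db", "type": "file",
     "magic_base": "SQLite 3.x database",
     "full_path": "/ir/iosDevice/backup-after-travel/Manifest.db", "file_hash": "e" * 64},
    {"key": "Info.plist", "file_name": "Info.plist", "type": "file",
     "magic_base": "XML 1.0 document",
     "full_path": "/ir/iosDevice/backup-after-travel/Info.plist", "file_hash": "b" * 64},
    {"key": "Library/Caches/new.db", "file_name": "new.db", "type": "file",
     "magic_base": "SQLite 3.x database",
     "full_path": "/ir/iosDevice/backup-after-travel/Library/Caches/new.db",
     "file_hash": "f" * 64},
]


def diff_status(original, new):
    """Assumed rule: identical when type and file_hash match, else modified/new/deleted."""
    if original is not None and new is not None:
        same = original["type"] == new["type"] and original["file_hash"] == new["file_hash"]
        return "identical" if same else "modified"
    return "new" if new is not None else "deleted"


def diff_trees(original_rows, new_rows):
    """Return one row per key in the documented `ftree diff` layout, sorted by key."""
    original = {r["key"]: r for r in original_rows}
    new = {r["key"]: r for r in new_rows}
    rows = []
    for idx, key in enumerate(sorted(original.keys() | new.keys()), start=1):
        o, n = original.get(key), new.get(key)
        rows.append({
            "id": idx,
            "key": key,
            "diff_status": diff_status(o, n),
            "file_name": (n or o)["file_name"],
            "original_type": o["type"] if o else "",
            "original_magic_base": o["magic_base"] if o else "",
            "original_path": o["full_path"] if o else "",
            "original_file_hash": o["file_hash"] if o else "",
            "new_type": n["type"] if n else "",
            "new_magic_base": n["magic_base"] if n else "",
            "new_path": n["full_path"] if n else "",
            "new_file_hash": n["file_hash"] if n else "",
        })
    return rows


def summarize(diff_rows):
    """Count rows per diff_status; a quick triage view before reading the full diff."""
    counts = {"identical": 0, "modified": 0, "new": 0, "deleted": 0}
    for row in diff_rows:
        counts[row["diff_status"]] += 1
    return counts


if __name__ == "__main__":
    result = diff_trees(BEFORE_TRAVEL, AFTER_TRAVEL)
    for row in result:
        print(f'{row["diff_status"]:9} {row["key"]}')
    print(summarize(result))
```

When triaging a real diff, `modified` and `new` rows are usually read first, and `deleted` rows next; `identical` rows are kept so the diff remains a complete inventory of both trees rather than only the changes.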
BUGS
AUTHOR
Andrew Hoog <ahoog at hack42labs dot com>