Load List
A load list is a simple text file that allows you to script the load process. These are usually used when you have many pieces of media to load on a single machine. You can list the path to the media to load and Truxton will load as many of them as possible at a time until they are all loaded. You don’t have to hang around and start the next piece of media when one finishes.
It is not user friendly in that it is not self-explanatory. It was designed to be generated by scripts. The format of the file is a single letter record identifier followed by a colon followed by the parameters for that record type.
Fields
Investigation
The investigation line specifies the investigation that the following media should belong to. You may specify a globally unique identifier if you wish, otherwise Truxton will generate one for you. If you want the media in this load list file to belong to an existing investigation, put the identifier of that investigation on this line.
Once an investigation has been set, all media specified in the load list will belong to that investigation until another investigation line is present.
Samples
I: This is My Case
A new investigation will be created with the name "This is My Case" with a random identifier.
I: Case 14 2CBA17E4-038A-4828-8A0D-D221F943B3F9
A new investigation will be created with the name of "Case 14" and an identifier of "2CBA17E4-038A-4828-8A0D-D221F943B3F9."
i: {2CBA17E4-038A-4828-8A0D-D221F943B3F9}
The media specified in this load list file will be made part of an existing investigation with the id of "2CBA17E4-038A-4828-8A0D-D221F943B3F9."
Number of Loaders
The loaders line controls the number of load processes that will be used to load the media specified in the load list.
This setting will remain in effect until the next loaders line or the end of file has been reached.
Number of loaders is ignored when the enqueue (Q:) setting is specified.
When using a load queue, the total number of loaders on your network is controlled by the instances attribute of the etl element for the load process in the TruxtonService.xml file on each loader machine.
The sum of the instances values from the different loader machines will be the total number of loaders used to process the media.
Samples
L: 4
This will use four load processes to get the media in this list loaded.
L: 0
This will set the number of load processes equal to the number of CPUs in the loader machine.
Configuration
You can specify a configuration file to use. This can be used in conjunction with the path to media option. They are not exclusive.
Samples
C: c:\Configs\Triage.xml
This will cause the loaders to use configuration parameters as specified in the c:\Configs\Triage.xml file.
Hash Set Directory
The hash set directory line sets the path to the folder that contains hash sets for eliminating file contents during the load.
Samples
H: c:\Hashes
This will use all hash sets found in the "C:\Hashes" folder.
H: \\hashserver\files\2016
This will use all hash sets found in the shared folder "\\hashserver\files\2016". It is not recommended that you put hash sets on a server. During a load, these files are accessed frequently and should be put on the fastest storage you have on the loader machine.
Media
This line contains the name and optional identifier for the media to be loaded. If no identifier is specified, one will be generated for you.
Samples
M: Laptop Drive
This will set the name of the media to "Laptop Drive." The identifier for the media will be completely random.
M: Bob's Phone 2CBA17E4-038A-4828-8A0D-D221F943B3F9
This will set the name of the media to "Bob's Phone" and set the identifier to "2CBA17E4-038A-4828-8A0D-D221F943B3F9."
Command Line Arguments
This allows you to set any command line argument for use with this media.
Samples
G: -loadas 514
This will add the loadas command line argument when the load process is spawned, telling it to treat the media as a Master Boot Record.
Execute Before
This allows you to specify a PowerShell script, Python script, or batch file to execute before the load process is spawned. Once the script completes, the loader is free to execute. You can run multiple scripts by adding one script per line.
Samples
A: BeforeBobLoads.ps1
This script will execute before the loader process is spawned.
A: StartBillingRecord.py customer=THX1138 category=ForensicServices
A: ClearTemporaryFolders.cmd
A: SendStartMessage.bat
A: BeforeBobLoads.ps1
These scripts will execute sequentially before the loader process is spawned.
Execute After
This allows you to specify a PowerShell script, Python script, or batch file to execute after the load process exits. You can run multiple scripts by adding one script per line.
Exploitation of the media is not yet complete when these scripts execute.
Samples
Z: AfterBobLoads.cmd
This script will execute once the load completes.
Z: CompleteBillingRecord.py customer=THX1138
Z: ClearTemporaryFolders.cmd
Z: SendEndMessage.bat
Z: AfterBobLoads.ps1
These scripts will execute sequentially after the load process exits.
Path
This is the line that causes the load process to be spawned. This holds the path to the media to be loaded.
Samples
P: c:\Images\WinXP.E01
This will load the "WinXP.E01" file.
P: c:\Data\Files 1
This will load the folder "Files 1."
Enqueue
If present, it signifies that you would rather have this entry placed on the loader queue so any loader on the network can load it.
This is a global setting.
If specified, ALL entries in the load list will be placed onto the loader queue.
This will cause the L: setting to be ignored.
When using a load queue, the total number of loaders on your network is controlled by the instances attribute of the etl element for the load process in the TruxtonService.xml file on each loader machine.
The sum of the instances values from the different loader machines will be the total number of loaders used to process the media.
Samples
The following tells Truxton to allow any loader machine on the network to load the incoming data.
Q: load
P: \\Server\Incoming Data\East Coast\Virginia\Case 1234
Complete Sample Load List
The following load list will use one load process to exhaust the load list. Two pieces of media will be loaded as part of the "Hong Kong Cavaliers" investigation. A PowerShell script will be executed before Penny Priddy's phone is loaded. Emilio Lizardo's hard drive will be loaded after Penny’s phone load completes. It will be loaded as a Master Boot Record (file type 514) and media type of Hard Drive (3).
L: 1
I: Hong Kong Cavaliers
A: AddPhone.ps1
M: Penny Priddy’s Phone
P: \\ImageServer\Phones\PP.E01
M: Emilio Lizardo’s Hard Drive
G: -loadas 514 -mt 3
P: \\ImageServer\Hard Drives\EML.dd
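The following is an added example, not part of Truxton or the original page: a Python reader for the record format described above that groups records into one load per P: line and notes every script an A: or Z: line would run, so a generated list can be reviewed before it is handed to a loader. It assumes record letters are case-insensitive (the page shows both I: and i:), that M:, G:, A: and Z: apply only to the next P: line, and that L:, C:, H: and Q: persist; the function names are hypothetical.

```python
import re

RECORD = re.compile(r"([A-Za-z])\s*:\s*(.*)$")
# Optional trailing GUID, braces allowed, as in the I: and M: samples.
GUID = re.compile(r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?\s*$")
SAMPLE = r"""L: 1
I: Hong Kong Cavaliers
A: AddPhone.ps1
M: Penny Priddy's Phone
P: \\ImageServer\Phones\PP.E01
M: Emilio Lizardo's Hard Drive
G: -loadas 514 -mt 3
P: \\ImageServer\Hard Drives\EML.dd"""     # the page's complete sample

def name_and_id(text):
    """Split 'Case 14 <GUID>' into (name, GUID or None)."""
    m = GUID.search(text)
    return (text[:m.start()].strip(), m.group(1).upper()) if m else (text, None)

def parse_load_list(text):
    """Return (jobs, settings, notes); one job dict per P: line."""
    jobs, settings, notes, inv = [], {}, [], ("", None)
    cur = {"before": [], "after": []}      # M/G/A/Z collected for the next P:
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = RECORD.match(raw.strip())
        if not m or m.group(1).upper() not in "ILCHMGAZPQ":
            raise ValueError(f"line {n}: unrecognised record {raw!r}")
        key, val = m.group(1).upper(), m.group(2).strip()
        if key == "I":                     # persists until the next I: line
            inv = name_and_id(val)
        elif key == "M":
            cur["media"] = name_and_id(val)
        elif key == "G":
            cur["args"] = val
        elif key in "AZ":
            cur["before" if key == "A" else "after"].append(val)
            notes.append(f"line {n}: runs script {val!r}")
        elif key == "P":                   # P: is the line that spawns the load
            jobs.append(dict(cur, path=val, investigation=inv))
            cur = {"before": [], "after": []}   # assumption: no carry-over
        else:                              # L, C, H, Q: assumed to persist
            settings[key] = val
            if key == "H" and val.startswith("\\\\"):
                notes.append(f"line {n}: hash sets on a network share")
    if "Q" in settings and "L" in settings:
        notes.append("L: is ignored because Q: is present")
    return jobs, settings, notes
```

Calling parse_load_list(SAMPLE) yields two jobs, with AddPhone.ps1 attached only to the first.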
Creating A Load List
All you need to create a load list is a text editor. Here are some ideas on creating a list.
Folder Structure of Disk Images
In this scenario, we have a deep folder structure with E01 files in them. The most basic way to create the load list is to get a directory listing into a file then edit that file.
cd C:\Storage\Incoming
dir /s /b *.E01 >loadlist.txt
This will result in a text file that contains the full path to every E01 in the folders.
C:\Storage\Incoming\HDD1\Case 1\Hitachi\DiskImage.E01
C:\Storage\Incoming\HDD1\Case 1\Western Digital\DiskImage.E01
C:\Storage\Incoming\HDD2\Omega\Seagate\DiskImage.E01
Edit the loadlist.txt file in an editor.
Search and replace the C:\ text with P: C:\
P: C:\Storage\Incoming\HDD1\Case 1\Hitachi\DiskImage.E01
P: C:\Storage\Incoming\HDD1\Case 1\Western Digital\DiskImage.E01
P: C:\Storage\Incoming\HDD2\Omega\Seagate\DiskImage.E01
You now have a functional load list.
Finding Python
If you specify a Python script file to execute before or after a load, the loader must find the Python executable.
It does this by first retrieving the python setting.
If that doesn't work, it will then read the HKEY_CLASSES_ROOT\Python.File\shell\open\command from the Registry.