Load List

From truxwiki.com

A load list is a simple text file that allows you to script the load process. These are usually used when you have many pieces of media to load on a single machine. You can list the path to the media to load and Truxton will load as many of them as possible at a time until they are all loaded. You don’t have to hang around and start the next piece of media when one finishes.

The format is not user-friendly in that it is not self-explanatory: it was designed to be generated by scripts. Each line of the file is a single-letter record identifier, followed by a colon, followed by the parameters for that record type.

Fields

Investigation

The investigation line specifies the investigation that the following media should belong to. You may specify a globally unique identifier if you wish, otherwise Truxton will generate one for you. If you want the media in this load list file to belong to an existing investigation, put the identifier of that investigation on this line.

Once an investigation has been set, all media specified in the load list will belong to that investigation until another investigation line is present.

Samples

I: This is My Case

A new investigation will be created with the name "This is My Case" with a random identifier.


I: Case 14 2CBA17E4-038A-4828-8A0D-D221F943B3F9

A new investigation will be created with the name "Case 14" and an identifier of "2CBA17E4-038A-4828-8A0D-D221F943B3F9".


i: {2CBA17E4-038A-4828-8A0D-D221F943B3F9}

The media specified in this load list file will be made part of an existing investigation with the id of "2CBA17E4-038A-4828-8A0D-D221F943B3F9".

Number of Loaders

The loaders line controls the number of load processes that will be used to load the media specified in the load list. This setting remains in effect until the next loaders line or the end of the file is reached. The number of loaders is ignored when the enqueue (Q:) setting is specified. When using a load queue, the total number of loaders on your network is controlled by the instances attribute of the etl element for the load process in the TruxtonService.xml file on each loader machine. The sum of the instances values from the different loader machines is the total number of loaders used to process the media.

Samples

L: 4

This will use four load processes to get the media in this list loaded.


L: 0

This will set the number of load processes equal to the number of CPUs in the loader machine.

Configuration

You can specify a configuration file to use. This can be used in conjunction with the path to media option. They are not exclusive.

Samples

C: c:\Configs\Triage.xml

This will cause the loaders to use configuration parameters as specified in the c:\Configs\Triage.xml file.

Hash Set Directory

The hash set directory line sets the path to the folder that contains hash sets for eliminating file contents during the load.

Samples

H: c:\Hashes

This will use all hash sets found in the "C:\Hashes" folder.


H: \\hashserver\files\2016

This will use all hash sets found in the shared folder "\\hashserver\files\2016". It is not recommended that you put hash sets on a server. During a load, these files are accessed frequently and should be put on the fastest storage you have on the loader machine.

Media

This line contains the name and optional identifier for the media to be loaded. If no identifier is specified, one will be generated for you.

Samples

M: Laptop Drive

This will set the name of the media to "Laptop Drive." The identifier for the media will be completely random.


M: Bob's Phone 2CBA17E4-038A-4828-8A0D-D221F943B3F9

This will set the name of the media to "Bob's Phone" and set the identifier to "2CBA17E4-038A-4828-8A0D-D221F943B3F9".

Command Line Arguments

This allows you to set any command line argument for use with this media.

Samples

G: -loadas 514

This will add the loadas command line argument when the load process is spawned, telling it to treat the media as a Master Boot Record.

Execute Before

This allows you to specify a PowerShell script, Python script, or batch file to execute before the load process is spawned. Once the script completes, the loader is free to execute. You can run multiple scripts by adding one script per line.

Samples

A: BeforeBobLoads.ps1

This script will execute before the loader process is spawned.

A: StartBillingRecord.py customer=THX1138 category=ForensicServices
A: ClearTemporaryFolders.cmd
A: SendStartMessage.bat
A: BeforeBobLoads.ps1

These scripts will execute sequentially before the loader process is spawned.

Execute After

This allows you to specify a PowerShell script, Python script, or batch file to execute after the load process exits. You can run multiple scripts by adding one script per line.

Exploitation of the media is not yet complete when these scripts execute.

Samples

Z: AfterBobLoads.cmd

This script will execute once the load completes.

Z: CompleteBillingRecord.py customer=THX1138
Z: ClearTemporaryFolders.cmd
Z: SendEndMessage.bat
Z: AfterBobLoads.ps1

These scripts will execute sequentially after the loader process exits.

Path

This is the line that causes the load process to be spawned. This holds the path to the media to be loaded.

Samples

P: c:\Images\WinXP.E01

This will load the "WinXP.E01" file.


P: c:\Data\Files 1

This will load the folder "Files 1".

Enqueue

If present, it signifies that you would rather have this entry placed on the loader queue so that any loader on the network can load it. This is a global setting: if specified, ALL entries in the load list will be placed onto the loader queue, and the L: line will be ignored. When using a load queue, the total number of loaders on your network is controlled by the instances attribute of the etl element for the load process in the TruxtonService.xml file on each loader machine. The sum of the instances values from the different loader machines is the total number of loaders used to process the media.

Samples

The following tells Truxton to allow any loader machine on the network to load the incoming data.

Q: load
P: \\Server\Incoming Data\East Coast\Virginia\Case 1234

Complete Sample Load List

The following load list will use one load process to exhaust the load list. Two pieces of media will be loaded as part of the "Hong Kong Cavaliers" investigation. A PowerShell script will be executed before Penny Priddy's phone is loaded. Emilio Lizardo's hard drive will be loaded after Penny’s phone load completes. It will be loaded as a Master Boot Record (file type 514) and media type of Hard Drive (3).

L: 1
I: Hong Kong Cavaliers

A: AddPhone.ps1
M: Penny Priddy’s Phone
P: \\ImageServer\Phones\PP.E01

M: Emilio Lizardo’s Hard Drive
G: -loadas 514 -mt 3
P: \\ImageServer\Hard Drives\EML.dd
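As an added illustration (not part of this wiki page or of Truxton itself), the following Python parser applies the record semantics described above and turns a load list into the load jobs it would spawn; it embeds the complete sample from above with the blank lines omitted. Two details are assumptions drawn from the samples rather than stated by the page: M:/G:/A:/Z: lines apply only to the next P: line and are then reset, and an identifier is recognised as a GUID given as the last token of an I:/i:/M: value.

```python
import re

# Assumption: an identifier is a GUID given as the last token of the value, braces optional.
GUID_RE = re.compile(
    r"^(?P<name>.*?)\s*\{?(?P<id>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")
CONTEXT = {"L": "loaders", "C": "config", "H": "hash_dir"}  # stay in effect until changed
PER_MEDIA = {"G": "args", "A": "before", "Z": "after"}      # apply to the next P: line only

# The complete sample load list from this page: one loader, two media in one investigation.
SAMPLE = r"""L: 1
I: Hong Kong Cavaliers
A: AddPhone.ps1
M: Penny Priddy's Phone
P: \\ImageServer\Phones\PP.E01
M: Emilio Lizardo's Hard Drive
G: -loadas 514 -mt 3
P: \\ImageServer\Hard Drives\EML.dd
"""

def split_name_id(value):
    """'Case 14 2CBA...' -> ('Case 14', '2CBA...'); 'Laptop Drive' -> ('Laptop Drive', None)."""
    m = GUID_RE.match(value)
    return (m["name"].strip(), m["id"].upper()) if m else (value.strip(), None)

def parse_load_list(text):
    """Return one job dict per P: line; M:/G:/A:/Z: reset after each P: (an assumption)."""
    queued = any(ln.startswith("Q:") for ln in map(str.strip, text.splitlines()))
    ctx = {"investigation": None, "loaders": None, "config": None, "hash_dir": None}
    fresh = lambda: {"media": None, "args": [], "before": [], "after": []}
    pending, jobs = fresh(), []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line:
            continue
        if len(line) < 2 or line[1] != ":":
            raise ValueError(f"line {n}: expected '<letter>:<value>', got {line!r}")
        rec, value = line[0], line[2:].strip()
        if rec in ("I", "i"):  # I: create a new investigation; i: join an existing one
            ctx["investigation"] = (rec, *split_name_id(value))
        elif rec in CONTEXT:   # a Q: anywhere in the file makes every L: ignored
            ctx[CONTEXT[rec]] = value if rec != "L" else (None if queued else int(value))
        elif rec == "M":
            pending["media"] = split_name_id(value)
        elif rec in PER_MEDIA:
            pending[PER_MEDIA[rec]].append(value)
        elif rec == "P":       # the line that actually spawns a load process
            jobs.append({"path": value, "queued": queued, **ctx, **pending})
            pending = fresh()
        elif rec != "Q":
            raise ValueError(f"line {n}: unknown record type {rec!r}")
    return jobs
```

Running `parse_load_list(SAMPLE)` yields two jobs sharing the "Hong Kong Cavaliers" investigation and one loader, with AddPhone.ps1 attached only to the phone and "-loadas 514 -mt 3" only to the hard drive.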

Creating A Load List

All you need to create a load list is a text editor. Here are some ideas on creating a list.

Folder Structure of Disk Images

In this scenario, we have a deep folder structure with E01 files in them. The most basic way to create the load list is to get a directory listing into a file then edit that file.

cd C:\Storage\Incoming
dir /s /b *.E01 >loadlist.txt

This will result in a text file that contains the full path to every E01 in the folders.

C:\Storage\Incoming\HDD1\Case 1\Hitachi\DiskImage.E01
C:\Storage\Incoming\HDD1\Case 1\Western Digital\DiskImage.E01
C:\Storage\Incoming\HDD2\Omega\Seagate\DiskImage.E01

Edit the loadlist.txt file in an editor and search and replace the C:\ text with P: C:\ so that every line becomes a path record:

P: C:\Storage\Incoming\HDD1\Case 1\Hitachi\DiskImage.E01
P: C:\Storage\Incoming\HDD1\Case 1\Western Digital\DiskImage.E01
P: C:\Storage\Incoming\HDD2\Omega\Seagate\DiskImage.E01

You now have a functional load list.
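As an added Python alternative to the search-and-replace step (not from this page or from Truxton), the function below converts the same dir /s /b listing, constructed inline, into a load list. It goes a step further than the procedure above by grouping the images into one investigation per case folder (the folder two levels below the root, such as "Case 1") and naming each media after the folder that holds its image; both of those grouping rules are assumptions, not behaviour the page describes.

```python
from pathlib import PureWindowsPath

# Constructed stand-in for the output of "dir /s /b *.E01" run in C:\Storage\Incoming.
LISTING = r"""C:\Storage\Incoming\HDD1\Case 1\Hitachi\DiskImage.E01
C:\Storage\Incoming\HDD1\Case 1\Western Digital\DiskImage.E01
C:\Storage\Incoming\HDD2\Omega\Seagate\DiskImage.E01
"""

def listing_to_load_list(listing, root, loaders=1):
    """Turn a dir /s /b listing into a load list.

    Assumed layout: root\<batch>\<case>\<device>\image.E01. One I: line is emitted per
    case folder, one M: line per image (named after its parent folder), then the P: line.
    A listed path outside root raises ValueError so a bad listing is caught, not loaded.
    """
    root = PureWindowsPath(root)
    by_case = {}
    for raw in listing.splitlines():
        if not raw.strip():
            continue
        path = PureWindowsPath(raw.strip())
        if path.suffix.upper() != ".E01":  # only the first segment of a split image
            continue
        rel = path.relative_to(root).parts  # e.g. ('HDD1', 'Case 1', 'Hitachi', 'DiskImage.E01')
        case = rel[1] if len(rel) > 2 else root.name  # shallow trees fall back to the root name
        by_case.setdefault(case, []).append(path)
    out = [f"L: {loaders}"]
    for case, paths in sorted(by_case.items()):
        out.append(f"I: {case}")
        for path in sorted(paths):
            out.append(f"M: {path.parent.name}")
            out.append(f"P: {path}")
        out.append("")  # blank line between investigations, as in the sample above
    return "\n".join(out)
```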

Finding Python

If you specify a Python script file to execute before or after a load, the loader must find the Python executable. It does this by first retrieving the python setting. If that doesn't work, it then reads the HKEY_CLASSES_ROOT\Python.File\shell\open\command value from the Registry.