Load Validation

From truxwiki.com

One of the challenges of testing Truxton is that there are so many moving parts. Since you can add your own logic to the ETL layer, we need a standard way to test it.

The Problem

There are always new things in forensics. New file types will be discovered and exploited, new capabilities developed, new versions of software delivered, etc. When a new version of Truxton comes out, how do you know if it breaks anything? How do you know that it isn't missing something it used to find? We need an easy way to check that Truxton is performing correctly.

ValidateLoad

This tool was created in order to integrate system-level testing into Truxton's automated build process. It became a public tool to give you the ability to quickly validate Truxton against your own private test media. It combines load parameters and validation data into a single XML file that is also used by the Truxton Loader (Load.exe).

ValidateLoad shares no operational code with the Truxton code base. That is, no application logic that exists in Truxton is present in ValidateLoad. This was done to make sure that any bugs in the Truxton code base would not be reproduced in the validator, where they would mask themselves.

Validating Truxton

Installing the latest version of a tool, especially a forensic tool, runs the risk of introducing a "silent" bug. These are difficult to discover because it is something that used to work, but doesn't any longer. Bugs that cause the software to blow up are easy to find and fix. Bugs that silently don't do something are very difficult to identify.

You can use ValidateLoad to test new versions of Truxton.

  1. Load a piece of media that you are familiar with
  2. Create a validation XML of the items in that media that are important to you
  3. When you receive a new version of Truxton
    1. Install it on a test machine
    2. Load the media with the new Truxton
    3. Execute ValidateLoad with the XML file you created
    4. Review any discrepancies

Typical Test Failures

The most common reasons for a test failure are:

  1. New file types are identified. Files that used to be unidentified are being file typed by the new version.
  2. Carved file lengths. When Truxton implements a new method for calculating the length of a carved file, or improves accuracy of the contents of the file, the length and hash will change.

How to Use

Here's what you need to do to use ValidateLoad.exe to make sure Truxton is doing what it should.

  1. Find a piece of media that you know very well
  2. Create loader configuration file for that media
  3. Make notes of important things that should be in Truxton
  4. Combine the two into a single XML file
  5. Put the media and configuration file in a safe place
  6. When you want to test Truxton:
    1. Load.exe "Media1Validation.xml" Media1.E01
    2. Wait for Media1.E01 to finish loading
    3. ValidateLoad.exe "Media1Validation.xml"

Parameters

These are parameters that govern how the data will be validated. They are elements in the XML file.

check_hashes

This boolean element controls whether ValidateLoad should retrieve the contents of every file in the media, calculate the MD5 hash and compare it with the hash stored in the [File] table record. This validates that the file contents that should be stored actually are stored, unaltered. This can be a lengthy process for large media.

description

This element contains a human readable summary of the media and the tests. This string will be printed to the screen when the test executes.

children

If this element exists in the file, the root file of the load will be checked for children. If there are no child files of the load root, a failure will be generated.

entity

This controls the things that can be checked in the [Entity] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used in reporting failures. If it is not specified, the default value is the line number of the file where the element began.
name | Yes | N/A | Description of the test, used when reporting a failure.
t | Yes | [Entity].[EntityTypeID] | The type of entity.
o | Yes | [Entity].[Offset] | The offset into the parent file where this entity was found.
v | Yes | [Entity].[EntityStringID] | The string value of the entity; ValidateLoad will calculate the GUID.
l | Yes | [Entity].[Length] | The length of the entity in the parent file.
d | Yes | [Entity].[DataTypeID] | The format of the data as found in the parent. It is a DATA_TYPE value.

event

This controls the things that can be checked in the [Event] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used in reporting failures. If it is not specified, the default value is the line number of the file where the element began.
name | Yes | N/A | Description of the test, used when reporting a failure.
t | Yes | [Event].[EventTypeID] | The type of event. It is an Event Types value.
s | Yes | [Event].[Start] | The date time when this event started. This should be specified in SQL format.
e | Yes | [Event].[End] | The date time when this event ended. This should be specified in SQL format.
d | Yes | [Event].[Description] | The description of the event.
i | Yes | [Event].[Title] | The short title of the event.

exif

This controls the things that can be checked in the [EXIF] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used in reporting failures. If it is not specified, the default value is the line number of the file where the element began.
name | Yes | N/A | Description of the test, used when reporting a failure.
h | Yes | [EXIF].[HashID] | The hash of the contents of the image file.
mk | Yes | [EXIF].[Make] | The make of the imaging device.
mo | Yes | [EXIF].[Model] | The model of the imaging device.
sn | Yes | [EXIF].[SerialNumber] | The serial number of the imaging device.
o | Yes | [EXIF].[Offset] | The offset into the parent file where the EXIF data began.

expandedfile

This controls the things that can be checked in the [ExpandedFile] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used in reporting failures. If it is not specified, the default value is the line number of the file where the element began.
name | Yes | N/A | Description of the test, used in error reporting.
h | Yes | [ExpandedFile].[HashID] | The hash of the file contents.
e | Yes | [ExpandedFile].[Expander] | The identifier of the expander that processed this file.

file

This controls the things that can be checked in the [File] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used in reporting failures. If it is not specified, the default value is the line number of the file where the element began.
description | Yes | N/A | Description of the test, used when reporting a failure.
ni | Yes | [File].[FilenameID] | The integer value (string ID) of the file name.
s | Yes | [File].[FilenameID] | The string representation of the file name. The string ID will be calculated for you.
size | Yes | [File].[OSLength] | The number of bytes in the file as reported by the operating system.
cf | Yes | [File].[Created] | The create date time in FILETIME ticks.
af | Yes | [File].[LastAccess] | The last access time in FILETIME ticks.
mf | Yes | [File].[LastWrite] | The last write time in FILETIME ticks.
att | Yes | [File].[Attributes] | The attributes of the file as set by the file system.
o | Yes | [File].[OriginID] | The origin of the file.
h | Yes | [File].[HashID] | The MD5 hash of the file contents.
t | Yes | [File].[FileTypeID] | The type of file. It is one of the supported file types.
do | Yes | [File].[PhysicalDiskOffset] | The offset into the disk image where the file contents began.
cs | Yes | [File].[ContentStatusID] | The status of the contents. It is a Content Status value.
path | Yes | [File].[FullPathID] | The string ID of the full path of the file.

filecount

This element controls tests for the number of records in the [File] table. It allows you to specify that a minimum number of files must be found matching the given criteria. For example, you can test that all four copies of a file were found.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used in reporting failures. If it is not specified, the default value is the line number of the file where the element began.
description | Yes | N/A | Description of the test, used in error reporting.
ni | Yes | [File].[FilenameID] | The integer value (string ID) of the file name.
s | Yes | [File].[FilenameID] | The string representation of the file name. The string ID will be calculated.
size | Yes | [File].[OSLength] | The number of bytes in the file as reported by the operating system.
t | Yes | [File].[FileTypeID] | The type of file. It is one of the supported file types.
att | Yes | [File].[Attributes] | The attributes of the file as set by the file system.
cs | Yes | [File].[ContentStatusID] | The status of the contents. It is a Content Status value.
minimum | No | N/A | An integer representing the minimum number of files that must satisfy this test's criteria.
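To make the check_hashes, file and filecount semantics described above concrete, here is an added example (not ValidateLoad's own code) that evaluates a constructed validation file against a constructed stand-in for [File] table rows. It assumes a test passes when at least one row (or, for filecount, at least minimum rows) equals every column attribute the test specifies, and that check_hashes recomputes MD5 over the stored content of every row.

```python
import hashlib
import xml.etree.ElementTree as ET

def md5(data):
    return hashlib.md5(data).hexdigest()

# Constructed validation file in the element/attribute format described above
# (not one of Truxton's own samples). Attribute letters follow the 'file' table:
# s -> FilenameID, size -> OSLength, t -> FileTypeID, h -> HashID.
VALIDATION_XML = """<truxton_test dir="f:\\">
 <check_hashes>yes</check_hashes>
 <file id="0" description="f:\\ABOUT.TXT" s="ABOUT.TXT" t="201" size="5"
       h="5d41402abc4b2a76b9719d911017c592"/>
 <file id="1" description="f:\\MISSING.TXT" s="MISSING.TXT" size="12"/>
 <filecount id="2" description="both copies of QUICK.TXT" s="QUICK.TXT" minimum="2"/>
</truxton_test>"""

# Constructed stand-in for [File] rows, each with the content retrieved for it (assumed shape).
# The third row simulates a silent storage bug: the stored bytes no longer match HashID.
LOADED_ROWS = [
    {"s": "ABOUT.TXT", "size": "5", "t": "201", "h": md5(b"hello"), "content": b"hello"},
    {"s": "QUICK.TXT", "size": "5", "t": "201", "h": md5(b"quick"), "content": b"quick"},
    {"s": "QUICK.TXT", "size": "5", "t": "201", "h": md5(b"quick"), "content": b"quiet"},
]

COLUMN_ATTRS = ("ni", "s", "size", "t", "att", "cs", "h")  # attributes that map to columns

def matches(test, row):
    """A row satisfies a test when every column attribute the test specifies equals the row's value."""
    return all(row.get(k) == v for k, v in test.attrib.items() if k in COLUMN_ATTRS)

def validate(xml_text, rows):
    """Return (id, description, reason) tuples, one per failed check."""
    root = ET.fromstring(xml_text)
    failures = []
    for test in root.iter("file"):  # at least one row must match all given attributes
        if not any(matches(test, r) for r in rows):
            failures.append((test.get("id"), test.get("description"), "no matching [File] row"))
    for test in root.iter("filecount"):  # at least 'minimum' rows must match
        found = sum(matches(test, r) for r in rows)
        if found < int(test.get("minimum")):
            failures.append((test.get("id"), test.get("description"),
                             f"found {found}, minimum {test.get('minimum')}"))
    flag = root.find("check_hashes")
    if flag is not None and (flag.text or "").strip().lower() == "yes":
        for r in rows:  # recompute MD5 of the stored content and compare with HashID
            if md5(r["content"]) != r["h"]:
                failures.append(("check_hashes", r["s"], "stored content does not match [File].[HashID]"))
    return failures
```

Running validate(VALIDATION_XML, LOADED_ROWS) reports two failures: test 1 (MISSING.TXT has no row) and the check_hashes mismatch on the corrupted QUICK.TXT copy, while test 0 and the filecount of 2 pass.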

freespace

This controls the things that can be checked in the [Freespace] database table. When specified, all of the records in the [Freespace] table will be checked against the original disk image to validate that the contents of the freespace depot match the image.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
image | No | N/A | The name of the image file to validate.

hash

This controls the things that can be checked in the [Hash] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used in reporting failures. If it is not specified, the default value is the line number of the file where the element began.
description | Yes | N/A | Description of the test, used in error reporting.
hlid | No | [Hash].[HashListID] | The identifier of the hash list.
h | No | [Hash].[HashID] | The hash value.

hashlist

This controls the things that can be checked in the [HashList] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used in reporting failures. If it is not specified, the default value is the line number of the file where the element began.
description | Yes | N/A | Description of the test, used in error reporting.
name | Yes | N/A | Description of the test, used in reporting a failure.
desc | Yes | N/A | Description of the hash list.
hlid | Yes | [HashList].[ID] | The identifier of the hash list.

tagged

This controls the things that can be checked in the [Tagged] database table. This only tests for tagged files.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
name | No | [Tagged].[TagID] | The string value of the tag.
h | Yes | [Tagged].[HashID] | The hash of the file contents.

url

This controls the things that can be checked in the [WebsiteVisit] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
t | Yes | [WebsiteVisit].[URLTypeID] | The type of the URL. It is one of the URL Types values.
u | Yes | [WebsiteVisit].[URLID] | The string URL; the string ID will be calculated.
w | Yes | [WebsiteVisit].[When] | When the URL was retrieved, in FILETIME ticks.
a | Yes | [WebsiteVisit].[AccountID] | The string ID of the account that retrieved the URL.
m | Yes | [WebsiteVisit].[WebsiteMethodID] | The method used to retrieve the URL.
o | Yes | [WebsiteVisit].[Offset] | The offset into the parent file where this URL was found.

usb

This controls the things that can be checked in the [USBDevice] database table.

Attribute Name | Optional | Database Column | Meaning
---------------|----------|-----------------|--------
id | Yes | N/A | Arbitrary integer identifier for the test, used when reporting failures. If it is not specified, the default value is the line number of the file where the element began.
o | Yes | [USBDevice].[Offset] | The offset into the parent file where the USB device was referenced.
pid | Yes | [USBDevice].[PID] | The product identifier integer.
vid | Yes | [USBDevice].[VID] | The vendor identifier integer.
rev | Yes | [USBDevice].[Revision] | The revision integer of the device.

Sample

The following is a real-world validation file used by the Truxton developers.

<truxton_test dir="f:\" generated="2012-03-21T09:07:39Z">

Test Disk Images\dban-2.2.6_i586.tar

 <truxton_options>
  <!-- The truxton_options section allows the validator data file to also act as a loader configuration file -->
  <wait>terminateetl</wait>
  <suspect>Larry Moe Curly</suspect>
  <jurisdiction>Mayberry Sheriff</jurisdiction>
  <itype>5</itype>
  <case>HPD 2014-1198.4, MSD 2014/T14/0101</case>

  <media>{00010011-2233-4455-6677-89abcde00001}</media>
  <mf>1</mf> <!-- Human Friendly Media ID -->
  <md>CD image of Dan's Boot and Nuke</md> <!-- Media Description -->
  <mn>DBAN CD</mn> <!-- Short Media Name -->
  <mt>6</mt> <!-- MEDIA_TYPE_CD_IMAGE -->
  <!-- Seahorse Palace, 88 Brinker Road, Barrington, IL -->
  <!-- Watch https://www.youtube.com/watch?v=ocs0c4OpC04 if you dare... -->
  <mlat>42.130065</mlat> <!-- Latitude of where the media was seized -->
  <mlong>-88.179016</mlong> <!-- Longitude of where the media was seized -->
  <mr>1</mr> <!-- Take the "Validation" route, see LoaderConfigurations table -->
  <evb>TRX-2015-99467666-1</evb>
  <mcsn>HPD 2014-1198.4, MSD 2014/T14/0101</mcsn>
 </truxton_options>

 <description>Media 1.1 - Testing Truxton's ability to properly execute a remote loader to extract files from an ISO image file extracted from a TAR file.</description>
 <check_hashes>yes</check_hashes>
 <children />

 <file id="0" description="f:\ABOUT.TXT"    s="ABOUT.TXT"    t="201" size="853"      do="75776" cf="129191972760000000" h="cb6a2c78f9ad300ca1f4098e4c1467dd"/>
 <file id="1" description="f:\DBAN.BZI"     s="DBAN.BZI"     t="200" size="10455904" do="77824" cf="129192052730000000" h="d40e2fb1612055f9b391354454f9d8d3"/>
 <file id="2" description="f:\ISOLINUX.BIN" s="ISOLINUX.BIN" t="200" size="22528"    do="53248" cf="129192039030000000" h="0c7c4e65eef0e937f6bb1018dcc7e5a4"/>
 <file id="3" description="f:\ISOLINUX.CAT" s="ISOLINUX.CAT"         size="2048"     do="51200" cf="129192052730000000" h="37149d4961c0484f2cceb1a1614b253d"/>
 <file id="4" description="f:\ISOLINUX.CFG" s="ISOLINUX.CFG"         size="4024"     do="10534912" cf="129191973260000000" h="8c02087e82158f9eb08ae5e195042d32"/>
 <file id="5" description="f:\QUICK.TXT"    s="QUICK.TXT"            size="1026"     do="10539008" h="f7f97885a8e3c3bc959a01f7c9e5ef98"/>
 <file id="6" description="f:\RAID.TXT"     s="RAID.TXT"     t="201" size="390"      do="10541056" cf="129191973720000000" h="ef4f15cf5f365edeb877f5efb38e3b4c"/>
 <file id="7" description="f:\WARNING.TXT"  s="WARNING.TXT"  t="201" size="762"      do="10543104" cf="129191973970000000" h="96b3e4aa975d8c895141fd6e86d9ace1"/>

 <entity id="8" t="22" v="DBAN" description="Volume Name of an ISO Image is DBAN."/>
  
 <hashlist id="9" description="Making sure the DBAN HashList was created by the CreateLevel1HashList target of the Test.TruxtonBuild file" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" name="DBAN Hash List" desc="Three hashes from the DBAN ISO (Test Media 1)" />

 <hash id="10" description="DBAN HashList contains 0c7c4e65eef0e937f6bb1018dcc7e5a4" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="0c7c4e65eef0e937f6bb1018dcc7e5a4" />
 <hash id="11" description="DBAN HashList contains 37149d4961c0484f2cceb1a1614b253d" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="37149d4961c0484f2cceb1a1614b253d" />
 <hash id="12" description="DBAN HashList contains 8c02087e82158f9eb08ae5e195042d32" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="8c02087e82158f9eb08ae5e195042d32" />
 <hash id="13" description="DBAN HashList contains cb6a2c78f9ad300ca1f4098e4c1467dd" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="cb6a2c78f9ad300ca1f4098e4c1467dd" />
 <hash id="14" description="DBAN HashList contains d40e2fb1612055f9b391354454f9d8d3" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="d40e2fb1612055f9b391354454f9d8d3" />
 <hash id="15" description="DBAN HashList contains ef4f15cf5f365edeb877f5efb38e3b4c" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="ef4f15cf5f365edeb877f5efb38e3b4c" />

 <hashlist id="16" description="Making sure Paul HashList was created by the CreateLevel1HashList target of the Test.TruxtonBuild file" hlid="BD70AF1A-F5B5-4B2A-BD24-AD130074945B" name="Paul Hash List" desc="Paul test hashes" />

 <hash id="17" description="Paul HashList contains DC63D492BA5B81368C6D50051560D092" hlid="BD70AF1A-F5B5-4B2A-BD24-AD130074945B" h="DC63D492BA5B81368C6D50051560D092" />
 <hash id="18" description="Paul HashList contains 32EA14FAFE2E0CDB08FF5032DD5DEB9D" hlid="BD70AF1A-F5B5-4B2A-BD24-AD130074945B" h="32EA14FAFE2E0CDB08FF5032DD5DEB9D" />
 <hash id="19" description="Paul HashList contains 8568A496EDBEE38B4751C9B272F04EE1" hlid="BD70AF1A-F5B5-4B2A-BD24-AD130074945B" h="8568A496EDBEE38B4751C9B272F04EE1" />
</truxton_test>