Load Validation
One of the challenges of testing Truxton is that there are so many moving parts. Since you can add your own logic to the ETL layer, we need a standard way to test it.
The Problem
There are always new things in forensics: new file types are discovered and exploited, new capabilities are developed, new versions of software are delivered, and so on. When a new version of Truxton comes out, how do you know it doesn't break anything? How do you know it isn't missing something it used to find? We need an easy way to check that Truxton is performing correctly.
ValidateLoad
This tool was created in order to integrate system-level testing into Truxton's automated build process. It became a public tool to give you the ability to quickly validate Truxton against your own private test media. It combines load parameters and validation data into a single XML file that is also used by the Truxton Loader (Load.exe).
ValidateLoad shares no operational code with the Truxton code base: none of the application logic that exists in Truxton is present in ValidateLoad. This keeps a bug in the Truxton code base from being reproduced, and therefore masked, in the validator; the two reach the database independently, so they only agree when both are right.
Validating Truxton
Installing the latest version of a tool, especially a forensic tool, runs the risk of introducing a "silent" bug: something that used to work no longer does, and nothing announces it. Bugs that make the software blow up are easy to find and fix. Bugs that silently skip something are very difficult to identify.
You can use ValidateLoad to test new versions of Truxton.
- Load a piece of media that you are familiar with
- Create a validation XML of the items in that media that are important to you
- When you receive a new version of Truxton:
  - Install it on a test machine
  - Load the media with the new Truxton
  - Execute ValidateLoad with the XML file you created
  - Review any discrepancies
Typical Test Failures
The most common reasons for a test failure are:
- New file types are identified. Files that the old version left unidentified are file typed by the new version, so a test that recorded the old type (or no type) fails.
- Carved file lengths change. When Truxton implements a new method for calculating the length of a carved file, or improves the accuracy of the carved contents, the length and therefore the hash of that file change.
How to Use
Here's what you need to do to use ValidateLoad.exe to make sure Truxton is doing what it should.
- Find a piece of media that you know very well
- Create a loader configuration file for that media
- Make notes of the important things that should be in Truxton after the load (files, hashes, entities, hash lists, and so on)
- Combine the two into a single XML file
- Put the media and the XML file in a safe place; the media must not change, because its hashes are the baseline
- When you want to test Truxton, load the media using the XML file as the loader configuration:
  Load.exe "Media1Validation.xml" Media1.E01
- Wait for Media1.E01 to finish loading, then run the validator with the same XML file:
  ValidateLoad.exe "Media1Validation.xml"
Parameters
These are parameters that govern how the data will be validated. They are elements in the XML file.
check_hashes
This boolean element controls whether ValidateLoad should retrieve the contents of each file in the media, calculate the MD5 hash and compare it with the hash stored in the [File] table record. This validates that the file contents that should have been stored actually were stored, byte for byte, rather than only that a record exists. Note that MD5 is adequate for detecting a changed or truncated copy between two Truxton versions; it is not a defence against deliberately crafted collisions.
This can be a lengthy process for large media.
description
This element contains a human readable summary of the media and the tests. This string will be printed to the screen when the test executes.
children
If this element exists in the file, the root file of the load will be checked for children. If there are no child files of the load root, a failure will be generated.
entity
This controls the things that can be checked in the [Entity]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used in reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
name | Yes | N/A | Description of the test used when reporting a failure. |
t | Yes | [Entity].[EntityTypeID] | The type of entity. |
o | Yes | [Entity].[Offset] | The offset into the parent file where this entity was found. |
v | Yes | [Entity].[EntityStringID] | The string value of the entity; ValidateLoad will calculate the string identifier (GUID) for you. |
l | Yes | [Entity].[Length] | The length of the entity data in the parent file. |
d | Yes | [Entity].[DataTypeID] | The format of the data as found in the parent. It is a DATA_TYPE value. |
event
This controls the things that can be checked in the [Event]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used in reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
name | Yes | N/A | Description of the test used when reporting a failure. |
t | Yes | [Event].[EventTypeID] | The type of event. It is an Event Types value. |
s | Yes | [Event].[Start] | The date and time when this event started. This should be specified in SQL format. |
e | Yes | [Event].[End] | The date and time when this event ended. This should be specified in SQL format. |
d | Yes | [Event].[Description] | The description of the event. |
i | Yes | [Event].[Title] | The short title of the event. |
exif
This controls the things that can be checked in the [EXIF]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used in reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
name | Yes | N/A | Description of the test used when reporting a failure. |
h | Yes | [EXIF].[HashID] | The hash of the contents of the image file. |
mk | Yes | [EXIF].[Make] | The make of the imaging device. |
mo | Yes | [EXIF].[Model] | The model of the imaging device. |
sn | Yes | [EXIF].[SerialNumber] | The serial number of the imaging device. |
o | Yes | [EXIF].[Offset] | The offset into the parent file where the EXIF data began. |
expandedfile
This controls the things that can be checked in the [ExpandedFile]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used in reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
name | Yes | N/A | Description of the test used in error reporting. |
h | Yes | [ExpandedFile].[HashID] | The hash of the file contents. |
e | Yes | [ExpandedFile].[Expander] | The identifier of the expander that processed this file. |
file
This controls the things that can be checked in the [File]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used in reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
description | Yes | N/A | Description of the test used when reporting a failure. |
ni | Yes | [File].[FilenameID] | The integer value (string ID) of the file name. |
s | Yes | [File].[FilenameID] | The string representation of the file name. The string ID will be calculated for you. |
size | Yes | [File].[OSLength] | The number of bytes in the file as reported by the operating system. |
cf | Yes | [File].[Created] | The create date and time in FILETIME ticks. |
af | Yes | [File].[LastAccess] | The last access date and time in FILETIME ticks. |
mf | Yes | [File].[LastWrite] | The last write date and time in FILETIME ticks. |
att | Yes | [File].[Attributes] | The attributes of the file as set by the file system. |
o | Yes | [File].[OriginID] | The origin of the file. |
h | Yes | [File].[HashID] | The MD5 hash of the file contents. |
t | Yes | [File].[FileTypeID] | The type of file. It is one of the supported file types. |
do | Yes | [File].[PhysicalDiskOffset] | The offset into the disk image where the file contents began. |
cs | Yes | [File].[ContentStatusID] | The status of the contents. It is a Content Status value. |
path | Yes | [File].[FullPathID] | The string ID of the full path of the file. |
filecount
This element controls tests for the number of records in the [File] table. It lets you specify that a minimum number of files must be found matching the given criteria. For example, you can test that all four copies of a file were found, something a single file test cannot tell you, because one surviving copy satisfies it.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used in reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
description | Yes | N/A | Description of the test used in error reporting. |
ni | Yes | [File].[FilenameID] | The integer value (string ID) of the file name. |
s | Yes | [File].[FilenameID] | The string representation of the file name. The string ID will be calculated. |
size | Yes | [File].[OSLength] | The number of bytes in the file as reported by the operating system. |
t | Yes | [File].[FileTypeID] | The type of file. It is one of the supported file types. |
att | Yes | [File].[Attributes] | The attributes of the file as set by the file system. |
cs | Yes | [File].[ContentStatusID] | The status of the contents. It is a Content Status value. |
minimum | No | N/A | An integer representing the minimum number of files that must satisfy this test's criteria. |
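The procedure under "How to Use" above (record what a known piece of media contains, then re-check a later load against it) and the file and filecount tests, as an added example. This is not ValidateLoad's or Truxton's code: it does not talk to the Truxton database, it builds the baseline from a constructed in-memory set of files and re-checks a second set against it. Only the element and attribute names (truxton_test, description, check_hashes, children, file, filecount, id, s, size, h, mf, minimum) follow this page; the in-memory media, the matching rule (a record satisfies a test when every attribute the test names matches) and the failure text are assumptions made for the example.

```python
"""Added example, not Truxton's own code: generate ValidateLoad-style <file> and
<filecount> tests from a known-good set of files, then re-check a later extraction
against them. Only the element and attribute names follow the page; the in-memory
media, the matching rule and the failure text are this example's assumptions."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# FILETIME is 100 ns ticks since 1601-01-01 UTC; this is the Unix epoch expressed in ticks.
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000


def to_filetime(unix_seconds: float) -> int:
    """Unix seconds -> FILETIME ticks, the unit the cf/af/mf attributes use."""
    return UNIX_EPOCH_FILETIME + int(round(unix_seconds * 10_000_000))


def from_filetime(ticks: int) -> datetime:
    """FILETIME ticks -> timezone-aware UTC datetime (handy when reading a failure report)."""
    return datetime.fromtimestamp((ticks - UNIX_EPOCH_FILETIME) / 10_000_000, tz=timezone.utc)


def md5_hex(data: bytes) -> str:
    # [File].[HashID] is MD5 on this page: fine for spotting regressions between
    # Truxton versions, not for proving nobody tampered with the media.
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for loaded media: path -> (contents, last-write time in Unix seconds).
# backup/QUICK.TXT is a byte-identical copy, so only a <filecount> test can notice it vanishing.
KNOWN_MEDIA = {
    "ABOUT.TXT": (b"Darik's Boot and Nuke\n", 1274723676.0),
    "WARNING.TXT": (b"This program irrecoverably destroys data.\n", 1274723797.0),
    "QUICK.TXT": (b"autonuke\n", 1274723600.0),
    "backup/QUICK.TXT": (b"autonuke\n", 1274723600.0),
}

META_ATTRS = {"id", "description", "minimum"}  # test bookkeeping, not match criteria


def record(path, data, mtime):
    """One record per file, keyed by the same attribute names the tests use."""
    return {"s": path.rsplit("/", 1)[-1], "size": str(len(data)),
            "h": md5_hex(data), "mf": str(to_filetime(mtime))}


def build_tests(media, description):
    """Emit a <file> test per known file plus a <filecount> for every duplicated name."""
    root = ET.Element("truxton_test",
                      generated=datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "check_hashes").text = "yes"
    ET.SubElement(root, "children")
    for test_id, path in enumerate(sorted(media)):
        ET.SubElement(root, "file", id=str(test_id), description=path, **record(path, *media[path]))
    names = [p.rsplit("/", 1)[-1] for p in media]
    for name in sorted({n for n in names if names.count(n) > 1}):
        ET.SubElement(root, "filecount", description=f"all copies of {name}", s=name,
                      minimum=str(names.count(name)))
    return root


def check_tests(root, media):
    """Return one failure line per test that fewer records satisfy than it requires."""
    recs = [record(p, *media[p]) for p in media]
    failures = []
    for el in root:
        if el.tag not in ("file", "filecount"):
            continue
        criteria = {k: v for k, v in el.attrib.items() if k not in META_ATTRS}
        # every attribute the test names must match (case-insensitively, since the sample
        # file on this page mixes hash case); attributes the test omits are not checked
        hits = sum(all(r.get(k, "").lower() == v.lower() for k, v in criteria.items()) for r in recs)
        need = int(el.get("minimum", "1"))
        if hits < need:
            failures.append(f"{el.tag} {el.get('id', '?')} ({el.get('description', '')}): "
                            f"{hits} matching record(s), need {need}")
    return failures


def to_xml(root) -> str:
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    baseline = build_tests(KNOWN_MEDIA, "constructed media, regression baseline")
    print(to_xml(baseline))
    print("baseline:", check_tests(baseline, KNOWN_MEDIA) or "all tests pass")
```

Run it once against the media you trust to produce the baseline, keep that XML with the media, and run check_tests against every later extraction. A changed byte in ABOUT.TXT fails its file test; dropping the duplicate QUICK.TXT fails only the filecount test, which is exactly why that element exists.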
freespace
This controls the things that can be checked in the [Freespace]
database table.
When specified, all of the records in the [Freespace] table will be checked against the original disk image to validate that the contents of the freespace depot match the image.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
image | No | N/A | The name of the image file to validate. |
hash
This controls the things that can be checked in the [Hash]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used in reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
description | Yes | N/A | Description of the test used in error reporting. |
hlid | No | [Hash].[HashListID] | The identifier of the hash list. |
h | No | [Hash].[HashID] | The hash value. |
hashlist
This controls the things that can be checked in the [HashList]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used in reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
description | Yes | N/A | Description of the test used in error reporting. |
name | Yes | N/A | The name of the hash list (in the sample below, name="DBAN Hash List"). |
desc | Yes | N/A | Description of the hash list. |
hlid | Yes | [HashList].[ID] | The identifier of the hash list. |
tagged
This controls the things that can be checked in the [Tagged]
database table.
This only tests for tagged files.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
name | No | [Tagged].[TagID] | The string value of the tag. |
h | Yes | [Tagged].[HashID] | The hash of the file contents. |
url
This controls the things that can be checked in the [WebsiteVisit]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
t | Yes | [WebsiteVisit].[URLTypeID] | The type of the URL. It is one of the URL Types values. |
u | Yes | [WebsiteVisit].[URLID] | The string URL; the string ID will be calculated. |
w | Yes | [WebsiteVisit].[When] | When the URL was retrieved, in FILETIME ticks. |
a | Yes | [WebsiteVisit].[AccountID] | The string ID of the account that retrieved the URL. |
m | Yes | [WebsiteVisit].[WebsiteMethodID] | The method used to retrieve the URL. |
o | Yes | [WebsiteVisit].[Offset] | The offset into the parent file where this URL was found. |
usb
This controls the things that can be checked in the [USBDevice]
database table.
Attribute Name | Optional | Database Column | Meaning |
---|---|---|---|
id | Yes | N/A | Arbitrary integer identifier for the test used when reporting failures. If this is not specified, the default value will be the line number of the file where the element began. |
o | Yes | [USBDevice].[Offset] | The offset into the parent file where the USB device was referenced. |
pid | Yes | [USBDevice].[PID] | The product identifier integer. |
vid | Yes | [USBDevice].[VID] | The vendor identifier integer. |
rev | Yes | [USBDevice].[Revision] | The revision integer of the device. |
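A check worth running on any validation file before you trust its results, as an added example that is not part of ValidateLoad: lint the XML against the element and attribute tables in this Parameters section. The dangerous mistake is a mistyped attribute (hsh instead of h), because there is then nothing to compare and the test silently checks less than you believe. The allowed and required attribute sets below are transcribed from the tables above; the handling of id/name/description as bookkeeping on every element (the tables use name on some elements and description on others, and the sample file uses description on entity), the integer and MD5 format checks, and the sample document at the bottom (with deliberate mistakes) are assumptions made for this example.

```python
"""Added example, not ValidateLoad's own code: lint a validation XML against the
attribute tables on this page. Allowed/required sets are transcribed from the page;
the format checks and the sample document are this example's own."""
import re
import xml.etree.ElementTree as ET

# element -> (allowed attributes, required attributes), transcribed from the Parameters tables
SCHEMA = {
    "entity": ({"t", "o", "v", "l", "d"}, set()),
    "event": ({"t", "s", "e", "d", "i"}, set()),
    "exif": ({"h", "mk", "mo", "sn", "o"}, set()),
    "expandedfile": ({"h", "e"}, set()),
    "file": ({"ni", "s", "size", "cf", "af", "mf", "att", "o", "h", "t", "do", "cs", "path"}, set()),
    "filecount": ({"ni", "s", "size", "t", "att", "cs", "minimum"}, {"minimum"}),
    "freespace": ({"image"}, {"image"}),
    "hash": ({"hlid", "h"}, {"hlid", "h"}),
    "hashlist": ({"desc", "hlid"}, set()),
    "tagged": ({"name", "h"}, {"name"}),
    "url": ({"t", "u", "w", "a", "m", "o"}, set()),
    "usb": ({"o", "pid", "vid", "rev"}, set()),
}
# bookkeeping attributes accepted on every test element (assumption, see lead-in)
META_ATTRS = {"id", "name", "description"}
# elements that carry settings rather than tests
SIMPLE_ELEMENTS = {"truxton_options", "description", "check_hashes", "children"}
# attributes the page documents as integers or FILETIME ticks
INTEGER_ATTRS = {"size", "cf", "af", "mf", "do", "minimum", "l", "w", "pid", "vid", "rev"}
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def lint(xml_text: str) -> list:
    """Return problem strings; an empty list means only documented elements and attributes are used."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "truxton_test":
        problems.append(f"root element is <{root.tag}>, expected <truxton_test>")
    for el in root:
        if el.tag in SIMPLE_ELEMENTS:
            continue
        where = f"<{el.tag} id={el.get('id', '?')}>"
        if el.tag not in SCHEMA:
            problems.append(f"{where}: not a documented test element")
            continue
        allowed, required = SCHEMA[el.tag]
        for attr in sorted(set(el.attrib) - allowed - META_ATTRS):
            problems.append(f"{where}: undocumented attribute '{attr}', this criterion will not be checked")
        for attr in sorted(required - set(el.attrib)):
            problems.append(f"{where}: missing required attribute '{attr}'")
        for attr, value in el.attrib.items():
            if attr in INTEGER_ATTRS and not value.lstrip("-").isdigit():
                problems.append(f"{where}: '{attr}' should be an integer, got '{value}'")
            if attr == "h" and not MD5_RE.match(value):
                problems.append(f"{where}: 'h' should be a 32-hex-digit MD5, got '{value}'")
    return problems


# Constructed sample: the first <file> is fine, the next three each carry one mistake.
SAMPLE = """<truxton_test generated="2012-03-21T09:07:39Z">
<description>constructed lint sample</description>
<check_hashes>yes</check_hashes>
<children />
<file id="0" description="ABOUT.TXT" s="ABOUT.TXT" t="201" size="853" do="75776" h="cb6a2c78f9ad300ca1f4098e4c1467dd"/>
<file id="1" description="typo: hsh instead of h" s="DBAN.BZI" size="10455904" hsh="d40e2fb1612055f9b391354454f9d8d3"/>
<filecount id="2" description="minimum forgotten" s="QUICK.TXT"/>
<hash id="3" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="0c7c4e65eef0"/>
</truxton_test>"""

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```

Run it over the real validation file before the first Load.exe run; a clean lint does not prove the tests are right, only that every criterion you wrote down is one the validator can actually evaluate.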
Sample
The following is a real-world validation file used by the Truxton developers.
<truxton_test dir="f:\" generated="2012-03-21T09:07:39Z">
Test Disk Images\dban-2.2.6_i586.tar
<truxton_options>
<!-- The truxton_options section allows the validator data file to also act as a loader configuration file -->
<wait>terminateetl</wait>
<suspect>Larry Moe Curly</suspect>
<jurisdiction>Mayberry Sheriff</jurisdiction>
<itype>5</itype>
<case>HPD 2014-1198.4, MSD 2014/T14/0101</case>
<media>{00010011-2233-4455-6677-89abcde00001}</media>
<mf>1</mf> <!-- Human Friendly Media ID -->
<md>CD image of Dan's Boot and Nuke</md> <!-- Media Description -->
<mn>DBAN CD</mn> <!-- Short Media Name -->
<mt>6</mt> <!-- MEDIA_TYPE_CD_IMAGE -->
<!-- Seahorse Palace, 88 Brinker Road, Barrington, IL -->
<!-- Watch https://www.youtube.com/watch?v=ocs0c4OpC04 if you dare... -->
<mlat>42.130065</mlat> <!-- Latitude of where the media was seized -->
<mlong>-88.179016</mlong> <!-- Longitude of where the media was seized -->
<mr>1</mr> <!-- Take the "Validation" route, see LoaderConfigurations table -->
<evb>TRX-2015-99467666-1</evb>
<mcsn>HPD 2014-1198.4, MSD 2014/T14/0101</mcsn>
</truxton_options>
<description>Media 1.1 - Testing Truxton's ability to properly execute a remote loader to extract files from an ISO image file extracted from a TAR file.</description>
<check_hashes>yes</check_hashes>
<children />
<file id="0" description="f:\ABOUT.TXT" s="ABOUT.TXT" t="201" size="853" do="75776" cf="129191972760000000" h="cb6a2c78f9ad300ca1f4098e4c1467dd"/>
<file id="1" description="f:\DBAN.BZI" s="DBAN.BZI" t="200" size="10455904" do="77824" cf="129192052730000000" h="d40e2fb1612055f9b391354454f9d8d3"/>
<file id="2" description="f:\ISOLINUX.BIN" s="ISOLINUX.BIN" t="200" size="22528" do="53248" cf="129192039030000000" h="0c7c4e65eef0e937f6bb1018dcc7e5a4"/>
<file id="3" description="f:\ISOLINUX.CAT" s="ISOLINUX.CAT" size="2048" do="51200" cf="129192052730000000" h="37149d4961c0484f2cceb1a1614b253d"/>
<file id="4" description="f:\ISOLINUX.CFG" s="ISOLINUX.CFG" size="4024" do="10534912" cf="129191973260000000" h="8c02087e82158f9eb08ae5e195042d32"/>
<file id="5" description="f:\QUICK.TXT" s="QUICK.TXT" size="1026" do="10539008" h="f7f97885a8e3c3bc959a01f7c9e5ef98"/>
<file id="6" description="f:\RAID.TXT" s="RAID.TXT" t="201" size="390" do="10541056" cf="129191973720000000" h="ef4f15cf5f365edeb877f5efb38e3b4c"/>
<file id="7" description="f:\WARNING.TXT" s="WARNING.TXT" t="201" size="762" do="10543104" cf="129191973970000000" h="96b3e4aa975d8c895141fd6e86d9ace1"/>
<entity id="8" t="22" v="DBAN" description="Volume Name of an ISO Image is DBAN."/>
<hashlist id="9" description="Making sure the DBAN HashList was created by the CreateLevel1HashList target of the Test.TruxtonBuild file" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" name="DBAN Hash List" desc="Three hashes from the DBAN ISO (Test Media 1)" />
<hash id="10" description="DBAN HashList contains 0c7c4e65eef0e937f6bb1018dcc7e5a4" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="0c7c4e65eef0e937f6bb1018dcc7e5a4" />
<hash id="11" description="DBAN HashList contains 37149d4961c0484f2cceb1a1614b253d" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="37149d4961c0484f2cceb1a1614b253d" />
<hash id="12" description="DBAN HashList contains 8c02087e82158f9eb08ae5e195042d32" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="8c02087e82158f9eb08ae5e195042d32" />
<hash id="13" description="DBAN HashList contains cb6a2c78f9ad300ca1f4098e4c1467dd" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="cb6a2c78f9ad300ca1f4098e4c1467dd" />
<hash id="14" description="DBAN HashList contains d40e2fb1612055f9b391354454f9d8d3" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="d40e2fb1612055f9b391354454f9d8d3" />
<hash id="15" description="DBAN HashList contains ef4f15cf5f365edeb877f5efb38e3b4c" hlid="B586D3AC-5327-4835-B20E-C5553FA757DE" h="ef4f15cf5f365edeb877f5efb38e3b4c" />
<hashlist id="16" description="Making sure Paul HashList was created by the CreateLevel1HashList target of the Test.TruxtonBuild file" hlid="BD70AF1A-F5B5-4B2A-BD24-AD130074945B" name="Paul Hash List" desc="Paul test hashes" />
<hash id="17" description="Paul HashList contains DC63D492BA5B81368C6D50051560D092" hlid="BD70AF1A-F5B5-4B2A-BD24-AD130074945B" h="DC63D492BA5B81368C6D50051560D092" />
<hash id="18" description="Paul HashList contains 32EA14FAFE2E0CDB08FF5032DD5DEB9D" hlid="BD70AF1A-F5B5-4B2A-BD24-AD130074945B" h="32EA14FAFE2E0CDB08FF5032DD5DEB9D" />
<hash id="19" description="Paul HashList contains 8568A496EDBEE38B4751C9B272F04EE1" hlid="BD70AF1A-F5B5-4B2A-BD24-AD130074945B" h="8568A496EDBEE38B4751C9B272F04EE1" />
</truxton_test>