Easy Button Load

From truxwiki.com
Revision as of 11:45, 24 January 2024 by Sam

An Easy Button Load is a way to have Truxton perform processing on an external drive. Everything Truxton produces is written to that drive.

When to Use Easy Button

The Easy Button loads (normal and triage) are used when you have collected seized media to an external drive and just want reports from it quickly. You're not interested in looking at images or videos; you just want text reports and Excel spreadsheets.

Operating Scenario

Easy Button Load assumes several things:

  1. You have forensically collected your media
  2. You have created a top level folder on an external drive
  3. You have copied the media to that folder
  4. There is room on the external drive to hold Truxton's results
  5. In File Explorer, you right-click your top level folder on the external drive and select "Easy Button Load into Truxton"
  6. When Truxton completes...
  7. You run the Desktop GUI to peruse the data
  8. When you are finished, you go to File Explorer, right-click any folder and select "Easy Button Reset"
  9. You give the external drive to someone else
  10. They attach it to their machine, right-click the "D:\Truxton Results\Collection 1" folder and select "Use This Truxton Database"
  11. When they are done, they select "Easy Button Reset"

Sample Input Folder Structure

Let's say we have collected a hard drive, an SD card and a UFED dump of a phone. You attached a Samsung T7 external drive, created a top level folder on that drive named "Collection 1" and copied the data to it. For the rest of this article we will assume the external drive is drive letter D. The drive contains the following:

D:\Collection 1\PC1\PC1.E01
D:\Collection 1\SD1\SDCard.E01
D:\Collection 1\Phone\Report.xml

The Details

Easy Button was designed so you don't need the Truxton application in order to look at the data Truxton processed. All you need is a browser.

When you Easy Button Load a folder, a new top level folder will be created on the drive of the folder you are loading. It will be called "Truxton Results" and will contain a folder with the same name as the one you loaded. For the sample in this article, it will be called "D:\Truxton Results\Collection 1". In this folder, you will see a file named "Reports.html". Opening that file in a browser will show you links to the Investigation level reports as well as the reports for each piece of media loaded. The two report types generated are the Consolidated Contacts report and the Summary report. You will also notice two folders in "D:\Truxton Results\Collection 1" named "Processing" and "Reports".

The Reports Folder

The "D:\Truxton Results\Collection 1\Reports" folder will contain an "Everything" folder and one folder for each media in the investigation.

Everything

This folder ("D:\Truxton Results\Collection 1\Reports\Everything") contains:

  • Contacts.zip - This contains the Consolidated Contacts HTML report for the investigation with supporting files
  • Curated Images.zip - This contains the Curated Images HTML report for the investigation with supporting files
  • Curated Videos.zip - This contains the Curated Videos HTML report for the investigation with supporting files
  • Geographic Information.geojson - This contains all of the geographic coordinates from the media in the investigation in GeoJSON format for use by systems such as 4DV.
  • Geographic Information.kmz - This contains all of the geographic coordinates from the media in the investigation in KMZ format for use by applications such as Google Earth.
  • Investigation Summary.zip - This contains the Investigation Summary HTML report and supporting files
  • Investigation.tpif - The database records for all media in the investigation. This is used to import this investigation into someone else's Truxton. File contents are not included in this file.
  • Unique Artifacts.xlsx - An Excel spreadsheet containing all of the unique artifacts from the media

PC1

This folder ("D:\Truxton Results\Collection 1\Reports\PC1") contains:

  • Contacts.zip - This contains the Consolidated Contacts HTML report for this media with supporting files
  • Geographic Information.geojson - This contains all of the geographic coordinates from this media in GeoJSON format for use by systems such as 4DV.
  • Geographic Information.kmz - This contains all of the geographic coordinates from this media in KMZ format for use by applications such as Google Earth.
  • Summary.zip - This contains the Media Summary HTML report and supporting files
  • Unique Artifacts.xlsx - An Excel spreadsheet containing all of the unique artifacts from this media

The Processing Folder

This folder contains all of the configuration files, Load List, logs and depot files for the investigation.

Determining What to Load

When Easy Button is given a folder to process, it will recursively navigate the folder looking for the files in the following sections. When a file is found, an entry is made for it in a load list. A copy of this load list is saved to the processing folder. Once the load list has been created, the loader is spawned to process it.

Backup.zip

Any file named "Backup.zip" is assumed to be an ADF dump and will be loaded.

DD Files

Any file name with an extension of ".dd" will be loaded. It is assumed that this is the product of the Unix dd tool.

E01 Files

Any Expert Witness files will be loaded.

IMG Files

Any file name with an extension of ".img" will be loaded.

ISO Files

Any file name with an extension of ".iso" will be loaded as an ISO Disk Image file.

L01 Files

Any Logical Evidence files will be loaded.

Report.xml

Any file named "report.xml" will be assumed to be a Cellebrite UFED Report that can be loaded.

UFDR Files

UFDR files are UFED Reader files.

XRY Files

When Easy Button finds a file that has an extension of ".xry", it will assume the folder contains an XRY extract. It will then look for folders in the same folder as the ".xry" file. If the folder contains a ".log" file, that folder will be loaded.

Zip Files

Any ZIP files will be assumed to have been created by the forensic technician that collected the data.
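
The discovery rules in "Determining What to Load" can be previewed before starting a long load, so that evidence files no rule matches (a split raw image such as "image.001", for instance) are noticed up front. The following is an added example, not Truxton's own code; it assumes case-insensitive name matching, that Expert Witness and Logical Evidence files are recognized by the ".E01" and ".L01" extensions, and that UFDR and ZIP files are recognized by extension.

```python
import os
import sys
from pathlib import Path

# Extension -> load type, taken from the sections above. Recognizing Expert
# Witness / Logical Evidence / UFDR files by extension is an assumption.
EXT_RULES = {".dd": "DD image", ".e01": "Expert Witness (E01)", ".img": "IMG image",
             ".iso": "ISO disk image", ".l01": "Logical Evidence (L01)",
             ".ufdr": "UFED Reader (UFDR)", ".zip": "ZIP archive"}
# Exact file names are checked first so Backup.zip is not listed as a plain ZIP.
NAME_RULES = {"backup.zip": "ADF dump", "report.xml": "Cellebrite UFED report"}


def classify(path):
    """Return the load type for one file, or None if no rule matches."""
    name = path.name.lower()  # assumption: matching is case-insensitive
    return NAME_RULES.get(name) or EXT_RULES.get(path.suffix.lower())


def xry_folders(xry_file):
    """Folders beside an .xry file that directly contain a .log file."""
    hits = []
    for sub in sorted(p for p in xry_file.parent.iterdir() if p.is_dir()):
        if any(f.is_file() and f.suffix.lower() == ".log" for f in sub.iterdir()):
            hits.append(sub)
    return hits


def preview_load_list(root):
    """Walk root recursively; return ([(path, type)], [files no rule matched])."""
    entries, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for fname in sorted(filenames):
            path = Path(dirpath) / fname
            kind = classify(path)
            if kind:
                entries.append((path, kind))
            elif path.suffix.lower() == ".xry":
                entries += [(d, "XRY extract folder") for d in xry_folders(path)]
            else:
                skipped.append(path)
    # Files inside a loaded XRY folder are covered by that folder's entry.
    xry_dirs = [p for p, k in entries if k == "XRY extract folder"]
    skipped = [s for s in skipped if not any(d in s.parents for d in xry_dirs)]
    return entries, skipped


if __name__ == "__main__":
    found, ignored = preview_load_list(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p, kind in found:
        print(f"LOAD  {kind:<24} {p}")
    for p in ignored:
        print(f"SKIP  {'(no matching rule)':<24} {p}")
```

The authoritative list is the load list Easy Button saves to the Processing folder; compare the preview against it after the load.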

Sample Scenario

You have seized two phones, a hard drive, thumb drive and DVD from a person of interest.

  • Attach an external drive to your imaging computer (drive E: for sample purposes)
  • Create a top level folder, E:\Case 2022-42
  • Create a folder for the first phone and put the UFDR into it, E:\Case 2022-42\Phone 1\iPhone 1.ufdr
  • Create a folder for the second phone and put the UFDR into it, E:\Case 2022-42\Phone 2\Android 1.ufdr
  • Create a folder for the hard drive and put the E01 into it, E:\Case 2022-42\Hard Drive 1\HD001.E01
  • Create a folder for the DVD and put the ISO into it, E:\Case 2022-42\DVD\DVD001.ISO
  • In Windows File Explorer, navigate to the E:\ folder
  • Right-click the Case 2022-42 folder and choose "Easy Button Load into Truxton"
  • Wait for Truxton to complete. Have a coffee, chat about an amazing movie with friends.
  • A browser should appear with the "Case 2022-42" home page in it