Forensic Analysis Tool for Btrfs File System.

Files (with latest commit message and date):

  Basics - Add device information. (Aug 6, 2018)
  Pool - Add device information. (Aug 6, 2018)
  Tools - Modified README (Dec 4, 2017)
  Trees
  Utility - Implement multi-device support. Still have something to do with acqui… (Dec 4, 2017)
  .gitignore
  CMakeLists.txt - Add device information. (Aug 6, 2018)
  Doxyfile - Add device information. (Aug 6, 2018)
  LICENSE - Change some functions to const. (Dec 2, 2017)
  README.md - Modified README (Dec 4, 2017)
  btrfrsc.cpp - Implement multi-device support. Still have something to do with acqui… (Dec 4, 2017)

README.md

btrForensics

Forensic Analysis Tool for Btrfs File System.

Platform:

Linux

Prerequisite:

Install the Sleuth Kit library --> Link

Build:

mkdir build
cd build
cmake ..
make

Input File:

Raw image which contains a btrfs partition, or a partition device file with btrfs.

Usage:

btrfrsc [-o offset1,offset2,offset3...] image

-o offset: Offset to the beginning of the partition, in sectors. Give several comma-separated values when the pool is made up of multiple partitions (devices).
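The -o option takes the partition offsets in sectors, one per pool member. The script below is an added example (it is not part of btrForensics) that finds those offsets in a raw image: it walks the MBR partition table, checks each partition for the btrfs superblock magic 64 KiB in, groups partitions by filesystem UUID so that members of one multi-device pool end up in the same -o list, and flags a pool when fewer members are present than the superblock's num_devices field says. It assumes an MBR-partitioned image with 512-byte sectors (GPT and extended partitions are not handled); the superblock field offsets follow the btrfs on-disk format documentation, and the sample image it builds is constructed in memory, not real evidence.

```python
"""Find btrfs partitions in a raw MBR-partitioned image and derive the
sector offsets to pass to `btrfrsc -o`.  Added example; not btrForensics code."""
import struct
import uuid

SECTOR_SIZE = 512                 # btrfrsc -o expects offsets in 512-byte sectors (assumption)
BTRFS_SUPER_OFFSET = 0x10000      # primary superblock sits 64 KiB into the partition
BTRFS_MAGIC = b"_BHRfS_M"         # magic at byte 0x40 of the superblock
SUPER_LEN = 0x12B + 256           # enough of the superblock to reach the end of the label field


def read_mbr_partitions(img):
    """Return (start_sector, sector_count, type) for each used primary MBR entry.
    Assumption: classic MBR only; GPT and extended partitions are not handled."""
    if len(img) < SECTOR_SIZE or img[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)   # LBA start, sector count
        if ptype != 0 and count != 0:
            parts.append((start, count, ptype))
    return parts


def btrfs_super_info(img, start_sector):
    """Parse the primary btrfs superblock of the partition at start_sector.
    Field offsets follow struct btrfs_super_block in the on-disk format docs.
    Returns None when the magic is absent (not btrfs, or a damaged primary superblock)."""
    base = start_sector * SECTOR_SIZE + BTRFS_SUPER_OFFSET
    sb = img[base: base + SUPER_LEN]
    if len(sb) < SUPER_LEN or sb[0x40:0x48] != BTRFS_MAGIC:
        return None
    fsid = uuid.UUID(bytes=bytes(sb[0x20:0x30]))            # shared by every member of a pool
    num_devices, = struct.unpack_from("<Q", sb, 0x88)       # devices the pool expects
    sectorsize, nodesize = struct.unpack_from("<II", sb, 0x90)
    label = bytes(sb[0x12B:0x12B + 256]).split(b"\0", 1)[0].decode("utf-8", "replace")
    return {"fsid": str(fsid), "num_devices": num_devices,
            "sectorsize": sectorsize, "nodesize": nodesize, "label": label}


def find_btrfs_partitions(img):
    """Return [(start_sector, superblock_info)] for every partition carrying a btrfs superblock."""
    found = []
    for start, _count, _ptype in read_mbr_partitions(img):
        info = btrfs_super_info(img, start)
        if info is not None:
            found.append((start, info))
    return found


def btrfrsc_commands(img, image_path):
    """Group btrfs partitions by fsid (one pool per fsid) and build the btrfrsc
    invocation for each pool.  'complete' is False when the image holds fewer
    members than num_devices, i.e. part of the pool is missing from this image."""
    pools = {}
    for start, info in find_btrfs_partitions(img):
        pools.setdefault(info["fsid"], {"offsets": [], "num_devices": info["num_devices"]})
        pools[info["fsid"]]["offsets"].append(start)
    result = {}
    for fsid, p in pools.items():
        cmd = "btrfrsc -o %s %s" % (",".join(str(o) for o in p["offsets"]), image_path)
        result[fsid] = {"command": cmd, "complete": len(p["offsets"]) == p["num_devices"]}
    return result


# --- constructed sample image (synthetic, not a real evidence file) ----------
POOL_A = "11111111-2222-3333-4444-555555555555"   # two-device pool
POOL_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # single-device pool


def _fake_superblock(fsid, num_devices, label):
    sb = bytearray(SUPER_LEN)
    sb[0x20:0x30] = uuid.UUID(fsid).bytes
    sb[0x40:0x48] = BTRFS_MAGIC
    struct.pack_into("<Q", sb, 0x88, num_devices)
    struct.pack_into("<II", sb, 0x90, 4096, 16384)            # sectorsize, nodesize
    sb[0x12B:0x12B + len(label)] = label.encode()
    return sb


def build_sample_image():
    """MBR image with three Linux partitions: two members of POOL_A, one of POOL_B."""
    layout = [(2048, 4096, POOL_A, 2, "evidence"),
              (6144, 4096, POOL_A, 2, "evidence"),
              (10240, 4096, POOL_B, 1, "scratch")]
    img = bytearray((10240 + 4096) * SECTOR_SIZE)
    img[510:512] = b"\x55\xaa"
    for i, (start, count, fsid, ndev, label) in enumerate(layout):
        entry = 446 + 16 * i
        img[entry + 4] = 0x83                                  # Linux partition type
        struct.pack_into("<II", img, entry + 8, start, count)
        base = start * SECTOR_SIZE + BTRFS_SUPER_OFFSET
        img[base: base + SUPER_LEN] = _fake_superblock(fsid, ndev, label)
    return img


if __name__ == "__main__":
    for fsid, r in btrfrsc_commands(build_sample_image(), "disk.dd").items():
        print(fsid, r["command"], "complete" if r["complete"] else "INCOMPLETE pool")
```

On a real image, replace build_sample_image() with the bytes of the acquired disk (or an mmap of it) and pass the printed -o list straight to btrfrsc; a pool reported as incomplete means another device image is needed before the filesystem tree can be walked fully.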

Current Capabilities:

  1. Browse nodes derived from the root tree and print their information.
  2. Browse nodes in the filesystem tree and print their information.
  3. List all files in the default filesystem tree.
  4. Explore files and subdirectories in the default root directory.
  5. Switch to a subvolume or snapshot and explore the files within it.
  6. Read a file from the image and save it to the current directory.

Tools

Some stand-alone programs are built in the Tools/ folder.

Most of them mimic the corresponding tools of The Sleuth Kit.

Current list:

Tools/fsstat: Print information about the file system.
Tools/fls: List files and/or directories in a Btrfs partition image.
Tools/istat: Print information about an inode.
Tools/icat: Output the contents of the file with the given inode number in Btrfs.
Tools/subls: List subvolumes and snapshots in a Btrfs image.

Note:

A reference for the Btrfs on-disk structures can be found in the btrfs Wiki.

Btrfs on-disk format: Link

License:

This software is released under the MIT License.

The Sleuth Kit library is used.

You can find the Sleuth Kit at sleuthkit/sleuthkit.
