Re: [Libguestfs] Libguestfs as filesystem forensic tool
On Wed, Mar 02, 2016 at 11:26:08PM +0200, noxdafox wrote: > > > On 02/03/16 18:24, Richard W.M. Jones wrote: > >On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote: > >>One of the patches I'm talking about would add TSK (The Sleuth Kit) > >>as a dependency within the appliance. > >> > >>This would bring new APIs such as: > >> 'fls' more powerful 'ls' command allowing to get list of deleted > >>files or timelines at a given path. > >> 'icat' similar to ntfscat-i but it supports multiple FS. > >> > >>Yet I'm not sure whether it's desirable as it is for a narrow use > >>case and on my Debian box TSK is a 12Mb binary. > >Yes that's a rather large dependency. > > > >However it's possible to use optgroups ["optional" field in > >generator/actions.ml] and subpackaging to mean that end users don't > >need to install this dependency unless they want it. > If I understood correctly, I just need to set the optional field in > the API and then issue the command: "./configure > --with-extra-packages=... " right? Actually even easier than that. Just add the TSK package name to `appliance/packagelist.in'. However you should also use the optional field in `generator/actions.ml' for your new API(s) because it allows callers to query whether the feature is available (using the guestfs_feature_available API). When you use the optional field, you will also need to write a function in the daemon called optgroup__available. See `daemon/ntfs.c' for an example. Note the package name and optional field name don't need to be the same. Also there is not necessarily a 1-1 mapping: it may make sense to have several optgroups, or may not. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/ ___ Libguestfs mailing list Libguestfs@redhat.com https://www.redhat.com/mailman/listinfo/libguestfs
Re: [Libguestfs] Libguestfs as filesystem forensic tool
On 02/03/16 18:24, Richard W.M. Jones wrote: On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote: One of the patches I'm talking about would add TSK (The Sleuth Kit) as a dependency within the appliance. This would bring new APIs such as: 'fls' more powerful 'ls' command allowing to get list of deleted files or timelines at a given path. 'icat' similar to ntfscat-i but it supports multiple FS. Yet I'm not sure whether it's desirable as it is for a narrow use case and on my Debian box TSK is a 12Mb binary. Yes that's a rather large dependency. However it's possible to use optgroups ["optional" field in generator/actions.ml] and subpackaging to mean that end users don't need to install this dependency unless they want it. If I understood correctly, I just need to set the optional field in the API and then issue the command: "./configure --with-extra-packages=... " right? Would need to see the patches before really deciding. Rich. ___ Libguestfs mailing list Libguestfs@redhat.com https://www.redhat.com/mailman/listinfo/libguestfs
Re: [Libguestfs] Libguestfs as filesystem forensic tool
On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote: > One of the patches I'm talking about would add TSK (The Sleuth Kit) > as a dependency within the appliance. > > This would bring new APIs such as: > 'fls' more powerful 'ls' command allowing to get list of deleted > files or timelines at a given path. > 'icat' similar to ntfscat-i but it supports multiple FS. > > Yet I'm not sure whether it's desirable as it is for a narrow use > case and on my Debian box TSK is a 12Mb binary. Yes that's a rather large dependency. However it's possible to use optgroups ["optional" field in generator/actions.ml] and subpackaging to mean that end users don't need to install this dependency unless they want it. Would need to see the patches before really deciding. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org ___ Libguestfs mailing list Libguestfs@redhat.com https://www.redhat.com/mailman/listinfo/libguestfs
Re: [Libguestfs] Libguestfs as filesystem forensic tool
On 02/03/16 17:53, Richard W.M. Jones wrote: On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote: Greetings, I am playing around with the idea of using libguestfs as a forensic tool to investigate VM disk images. Some use cases as example: * Sandbox for malware analysis. * Incident response in cloud environments. Libguestfs is a precious resource in this case as it allows to abstract the disk image internals and expose them as mountable devices. Combined with some state of the art tool such as The Sleuth Kit it would turn it into a pretty powerful forensic tool. http://www.sleuthkit.org/ I played around with some proof-of-concept and the idea seems to work. The question I'd like to ask is if this feature would interest the libguestfs community or if I shall fork the project (libguestforensic?) and, if so, what is the preferable way to do it. Actually I believe parts of libguestfs (and especially hivex) are already used in this way. Anyhow you're free to fork libguestfs provided you obey the license. It may be easier/less work if you submit patches upstream where they make sense for the upstream project, such as generally useful APIs (like the ntfscat-i API). One of the patches I'm talking about would add TSK (The Sleuth Kit) as a dependency within the appliance. This would bring new APIs such as: 'fls' more powerful 'ls' command allowing to get list of deleted files or timelines at a given path. 'icat' similar to ntfscat-i but it supports multiple FS. Yet I'm not sure whether it's desirable as it is for a narrow use case and on my Debian box TSK is a 12Mb binary. Rich. ___ Libguestfs mailing list Libguestfs@redhat.com https://www.redhat.com/mailman/listinfo/libguestfs
Re: [Libguestfs] [libguestfs] Libguestfs as filesystem forensic tool
On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote: > Greetings, > > I am playing around with the idea of using libguestfs as a forensic > tool to investigate VM disk images. > > Some use cases as example: > * Sandbox for malware analysis. > * Incident response in cloud environments. > > Libguestfs is a precious resource in this case as it allows to > abstract the disk image internals and expose them as mountable > devices. > > Combined with some state of the art tool such as The Sleuth Kit it > would turn it into a pretty powerful forensic tool. > http://www.sleuthkit.org/ > > I played around with some proof-of-concept and the idea seems to work. > > The question I'd like to ask is if this feature would interest the > libguestfs community or if I shall fork the project > (libguestforensic?) and, if so, what is the preferable way to do it. Actually I believe parts of libguestfs (and especially hivex) are already used in this way. Anyhow you're free to fork libguestfs provided you obey the license. It may be easier/less work if you submit patches upstream where they make sense for the upstream project, such as generally useful APIs (like the ntfscat-i API). Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported. http://fedoraproject.org/wiki/MinGW ___ Libguestfs mailing list Libguestfs@redhat.com https://www.redhat.com/mailman/listinfo/libguestfs
[Libguestfs] [libguestfs] Libguestfs as filesystem forensic tool
Greetings, I am playing around with the idea of using libguestfs as a forensic tool to investigate VM disk images. Some use cases as example: * Sandbox for malware analysis. * Incident response in cloud environments. Libguestfs is a precious resource in this case as it allows to abstract the disk image internals and expose them as mountable devices. Combined with some state of the art tool such as The Sleuth Kit it would turn it into a pretty powerful forensic tool. http://www.sleuthkit.org/ I played around with some proof-of-concept and the idea seems to work. The question I'd like to ask is if this feature would interest the libguestfs community or if I shall fork the project (libguestforensic?) and, if so, what is the preferable way to do it. Thank you. ___ Libguestfs mailing list Libguestfs@redhat.com https://www.redhat.com/mailman/listinfo/libguestfs
