Re: [Libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread Richard W.M. Jones
On Wed, Mar 02, 2016 at 11:26:08PM +0200, noxdafox wrote:
> 
> 
> On 02/03/16 18:24, Richard W.M. Jones wrote:
> >On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote:
> >>One of the patches I'm talking about would add TSK (The Sleuth Kit)
> >>as a dependency within the appliance.
> >>
> >>This would bring new APIs such as:
> >>  'fls' more powerful 'ls' command allowing to get list of deleted
> >>files or timelines at a given path.
> >>  'icat' similar to ntfscat-i but it supports multiple FS.
> >>
> >>Yet I'm not sure whether it's desirable as it is for a narrow use
> >>case and on my Debian box TSK is a 12Mb binary.
> >Yes that's a rather large dependency.
> >
> >However it's possible to use optgroups ["optional" field in
> >generator/actions.ml] and subpackaging to mean that end users don't
> >need to install this dependency unless they want it.
> If I understood correctly, I just need to set the optional field in
> the API and then issue the command: "./configure
> --with-extra-packages=... " right?

Actually even easier than that.  Just add the TSK package name to
`appliance/packagelist.in'.

However you should also use the optional field in `generator/actions.ml'
for your new API(s) because it allows callers to query whether the
feature is available (using the guestfs_feature_available API).  When
you use the optional field, you will also need to write a function in
the daemon called optgroup__available.  See `daemon/ntfs.c' for
an example.

Note the package name and optional field name don't need to be the
same.  Also there is not necessarily a 1-1 mapping: it may make sense
to have several optgroups, or may not.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

___
Libguestfs mailing list
Libguestfs@redhat.com
https://www.redhat.com/mailman/listinfo/libguestfs
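The "timelines" and deleted-file listings that `fls` would bring to the API (as described in this thread) are normally consumed from the TSK bodyfile that `fls -m` emits. The following Python is an added example, not code from the thread or from libguestfs: it parses that format, expands each record into MACB events and flags entries TSK reported as deleted. The sample records are constructed; the 11-field `|`-separated layout and the ` (deleted)` name suffix are the TSK bodyfile conventions it assumes.

```python
from dataclasses import dataclass

# Constructed sample of `fls -m / -r` output (TSK bodyfile format):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/etc/passwd|131073|r/rrw-r--r--|0|0|1042|1456900000|1456800000|1456800000|1440000000
0|/tmp/.x/run.sh (deleted)|262147|r/rrwxr-xr-x|1000|1000|4096|1456905000|1456905000|1456905100|1456905000
0|/tmp/.x|262146|d/drwxr-xr-x|1000|1000|4096|1456905000|1456905000|1456905000|1456905000
0|/root/.bash_history|131080|r/rrw-------|0|0|0|0|1456906000|1456906000|1456905500
garbage line that is not a bodyfile record
"""

DELETED_SUFFIX = " (deleted)"   # fls appends this to unallocated (deleted) entries

@dataclass(frozen=True)
class Event:
    ts: int          # unix epoch of this event
    macb: str        # e.g. "m.c." = mtime and ctime both equal this instant
    path: str
    inode: str       # inode/MFT number, usable with icat to recover content
    deleted: bool
    size: int

def parse_body_line(line):
    """Split one bodyfile record; returns None for lines that are not records."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        return None
    _md5, name, inode, _mode, _uid, _gid, size, a, m, c, b = fields
    deleted = name.endswith(DELETED_SUFFIX)
    path = name[:-len(DELETED_SUFFIX)] if deleted else name
    return path, inode, deleted, int(size), (int(m), int(a), int(c), int(b))

def build_timeline(body_text):
    """One Event per distinct timestamp of each file (0 = unknown, skipped), oldest first."""
    events = []
    for line in body_text.splitlines():
        rec = parse_body_line(line)
        if rec is None:
            continue
        path, inode, deleted, size, stamps = rec
        for ts in sorted({t for t in stamps if t > 0}):
            flags = "".join(ch if t == ts else "." for ch, t in zip("macb", stamps))
            events.append(Event(ts, flags, path, inode, deleted, size))
    return sorted(events, key=lambda e: (e.ts, e.path))

def deleted_paths(events):
    """Unique paths that fls reported as deleted, for follow-up recovery by inode."""
    return sorted({e.path for e in events if e.deleted})
```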


Re: [Libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread noxdafox



On 02/03/16 18:24, Richard W.M. Jones wrote:
> On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote:
> > One of the patches I'm talking about would add TSK (The Sleuth Kit)
> > as a dependency within the appliance.
> >
> > This would bring new APIs such as:
> >   'fls' more powerful 'ls' command allowing to get list of deleted
> > files or timelines at a given path.
> >   'icat' similar to ntfscat-i but it supports multiple FS.
> >
> > Yet I'm not sure whether it's desirable as it is for a narrow use
> > case and on my Debian box TSK is a 12Mb binary.
>
> Yes that's a rather large dependency.
>
> However it's possible to use optgroups ["optional" field in
> generator/actions.ml] and subpackaging to mean that end users don't
> need to install this dependency unless they want it.
If I understood correctly, I just need to set the optional field in the
API and then issue the command: "./configure --with-extra-packages=... "
right?

> Would need to see the patches before really deciding.
>
> Rich.





Re: [Libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread Richard W.M. Jones
On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote:
> One of the patches I'm talking about would add TSK (The Sleuth Kit)
> as a dependency within the appliance.
> 
> This would bring new APIs such as:
>  'fls' more powerful 'ls' command allowing to get list of deleted
> files or timelines at a given path.
>  'icat' similar to ntfscat-i but it supports multiple FS.
> 
> Yet I'm not sure whether it's desirable as it is for a narrow use
> case and on my Debian box TSK is a 12Mb binary.

Yes that's a rather large dependency.

However it's possible to use optgroups ["optional" field in
generator/actions.ml] and subpackaging to mean that end users don't
need to install this dependency unless they want it.

Would need to see the patches before really deciding.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org



Re: [Libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread noxdafox

On 02/03/16 17:53, Richard W.M. Jones wrote:
> On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote:
> > Greetings,
> >
> > I am playing around with the idea of using libguestfs as a forensic
> > tool to investigate VM disk images.
> >
> > Some use cases as example:
> >   * Sandbox for malware analysis.
> >   * Incident response in cloud environments.
> >
> > Libguestfs is a precious resource in this case as it allows to
> > abstract the disk image internals and expose them as mountable
> > devices.
> >
> > Combined with some state of the art tool such as The Sleuth Kit it
> > would turn it into a pretty powerful forensic tool.
> > http://www.sleuthkit.org/
> >
> > I played around with some proof-of-concept and the idea seems to work.
> >
> > The question I'd like to ask is if this feature would interest the
> > libguestfs community or if I shall fork the project
> > (libguestforensic?) and, if so, what is the preferable way to do it.
>
> Actually I believe parts of libguestfs (and especially hivex) are
> already used in this way.
>
> Anyhow you're free to fork libguestfs provided you obey the license.
> It may be easier/less work if you submit patches upstream where they
> make sense for the upstream project, such as generally useful APIs
> (like the ntfscat-i API).
One of the patches I'm talking about would add TSK (The Sleuth Kit) as a
dependency within the appliance.

This would bring new APIs such as:
 'fls' more powerful 'ls' command allowing to get list of deleted files
or timelines at a given path.

 'icat' similar to ntfscat-i but it supports multiple FS.

Yet I'm not sure whether it's desirable as it is for a narrow use case
and on my Debian box TSK is a 12Mb binary.

> Rich.





Re: [Libguestfs] [libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread Richard W.M. Jones
On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote:
> Greetings,
> 
> I am playing around with the idea of using libguestfs as a forensic
> tool to investigate VM disk images.
> 
> Some use cases as example:
>  * Sandbox for malware analysis.
>  * Incident response in cloud environments.
> 
> Libguestfs is a precious resource in this case as it allows to
> abstract the disk image internals and expose them as mountable
> devices.
> 
> Combined with some state of the art tool such as The Sleuth Kit it
> would turn it into a pretty powerful forensic tool.
> http://www.sleuthkit.org/
> 
> I played around with some proof-of-concept and the idea seems to work.
> 
> The question I'd like to ask is if this feature would interest the
> libguestfs community or if I shall fork the project
> (libguestforensic?) and, if so, what is the preferable way to do it.

Actually I believe parts of libguestfs (and especially hivex) are
already used in this way.

Anyhow you're free to fork libguestfs provided you obey the license.
It may be easier/less work if you submit patches upstream where they
make sense for the upstream project, such as generally useful APIs
(like the ntfscat-i API).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW



[Libguestfs] [libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread noxdafox

Greetings,

I am playing around with the idea of using libguestfs as a forensic tool 
to investigate VM disk images.


Some use cases as example:
 * Sandbox for malware analysis.
 * Incident response in cloud environments.

Libguestfs is a precious resource in this case as it allows to abstract 
the disk image internals and expose them as mountable devices.


Combined with some state of the art tool such as The Sleuth Kit it would 
turn it into a pretty powerful forensic tool.

http://www.sleuthkit.org/

I played around with some proof-of-concept and the idea seems to work.

The question I'd like to ask is if this feature would interest the 
libguestfs community or if I shall fork the project (libguestforensic?) 
and, if so, what is the preferable way to do it.


Thank you.
