SnIPER is a command line front-end for the famous TSK suite written by Paolo Bertasi and Nicola Zago.sniper logo

SnIPER can be used to analyze filesystems, performing accurate filtering and, eventually, recovering interesting files. You can use it in interactive mode or in batch mode, setting all the required options, i.e. a list of patterns to filter out uninteresting files. SnIPER can also draw a simple but intuitive timeline graph of currently selected files.

Features

  • real file-system and  partition raw images analysis
  • smart filtering based on string pattern against full-path, file-name, directory name, file extension
  • basic filtering based on the file status (active / deleted)
  • powerful filtering based on creation  / access / modification  / change time
  • filtering concatenation with boolean operators and brackets
  • pre-set filters available
  • batch way available (to ease embedding in other scripts)
  • chart drawing (pdf)
  • small dependencies
  • portable (python)
  • fast and small (in memory)
  • reusable analysis (to save time)

How SnIPER works

  1. SnIPER calls TSK to get a filesystem file list
  2. SnIPER computes a filesystem fingerprint to avoid using the wrong filelist for a filesystem
  3. SnIPER reads from console or file a pattern list
  4. SnIPER extract the files matching the pattern list
  5. SniPER draws a pdf chart
  6. SnIPER saves the selected files

Dependencies

SnIPER depends on two python packages:

  • dateutil
  • pychart

License

SnIPER is licensed under GPLv3

download

Changelog

  • 21-10-2011:  0.9.1Added: command-line option ‘–preserve-tree BOOL’  (console command ‘preserve_tree’)

If preserve mode is on, when you use the ‘save’ command the directory hierarchy is preserved.
Otherwise sniper behaves as in previous version, that is it saves all files in
the output directory, with the directory hierarchy flatten and the inode number of
the file in the first part of its basename.

ScreenShot

SnIPER: searching with custom view

SnIPER: searchin with custom view

SnIPER: saving files

SnIPER chart

SnIPER chart

How to use the interactive console

When console starts, you have to specify the work context, that is the device (or the raw
file) you are going to use, the offset of the partition in the device, the file-system of
the partition and the output directory for the files you’ll recover.

Specify the device to analyze:
Specify the offset of the partition:
Specify the file system of the device:
Specify the output directory:

If all fields are valide, SnIPER will automatically retrieve information about the files
in the file system of the partition. Otherwise, the console will warn you with an error,
for example if the device specified doesn’t exist or the offset of the partition is not
a number.
If you do not specify an output directory, working directory will be used. You can always
change the context, using the commands:

device FILE
outdir OUTPUT_DIRECTORY
offset OFFSET
fs FILESYSTEM

or you can view current value of the context variables using `echo’, e.g:

> echo device
file.iso
> echo offset
0
> echo fs
fat32
> echo outdir
out/

Remember that while you are using SnIPER, you can always type the `help’ command to have
a list and a description of all supported commands.
When the context is redefined, you have to load manually the filesystem information using
the command

retrieve

Now that we have the right context, you can use SnIPER to list or save files from the device
to the output directory according to some desired charateristic.
Before proceeding, it is useful to specify that in the filesystem there are active files,
that are the ones you can normally work with, and the deleted files, that are the ones you
have deleted but still have a reference in the file system. SnIPER, thanks to TSK can also
manage the deleted files.
Here we list some sample researches that SnIPER can do:

  • all files with extension “jpg”

test e "jpg"

  • all files with string “_001” in the basename

test f "_001"

  • all file with string “Holiday” in the path

test d "Holiday"

  • all deleted files

test del

  • all files with size greater than 1024 bytes

test s > "1024"

  • all files created during year 2010

test C = "2010"

This basic conditions of research can be complicate using logic operators and, or, not and
using parenthesis.

  • all files with extension “txt” or “html”

test e "txt" or e "html"

  • all files with extension “txt” created since June 2010

test e "txt" and C >= "2010-06"

  • all deleted files with extension “txt” created before June 2010, or active files “wav”

test ( del and e "txt" and C < "2010-06" ) or ( not del and e "wav")

All the supported patterns are descrived in `help pattern’. Remember that SnIPER is case
sensitive and the arguments of the pattern have always to be strings.
`save‘ command has the same synopsis of `test‘ and it saves the files found in a new directory
placed in the output directory, with the research pattern as name of directory.

The command `test’ gives a list of the files matching the specified pattern. The default
view is simply a list of the basename+extension of the files found.
This view can be enriched using the command `setview’, e.g.:

setview a s C

With the arguments of this example you’ll see the complete path and name of files, the size
and the creation date. See `help setview‘ for more details.

You can review file of the last `test‘ using `view‘ and you can save the list of files in
a file using `dumpfile destination_file‘.

Advertisements