So, here’s the thing. In this line of work, you tend to generate/collect, A LOT of data, files, reports, etc. for each and every case or project you work on. Depending on how busy you are and the number of new cases coming in all this data gets overwhelming quick! For my colleagues and I this translates to a constant shuffle of case folders/files from hot storage to some form of cold storage or archive quickly to ensure you have the working space to work the next slew of cases/projects that are coming in. I suspect this is a common issue for many in the DFIR field. Plus, with device capacities ballooning, it’s a constant shuffle to maintain free working space.
For some this may be as simple as
copying your case/project folder from your working drive straight to cold
storage/archive and call it a day. I certainly tried this early on, but found
it to be lacking in a lot of big ways. The problem being:
- Case folders often end up containing thousands/hundreds of thousands of small files per case.
- Each move/restoration all these files is slow and inefficient.
- It potentially wastes space and does not provide any solution for compression.
- It’s difficult to track all these files and ensure some don’t get misplaced/lost when being moved around.
- Lack of validation process to ensure the files haven’t been corrupted when restored.
Solutions Explored
So, to address these issues, early on I quickly decided it was best to package up each case/project folder and all it subfolders into a single package/archive. This really addresses each of the issues I outlined above and is a much better way to organize and maintain archivable data long-term. For a while, we experimented with using something like FTK Imager to create AD1’s for each case/project folder. Then would move those off onto cold-storage/archive. This was workable but after using it a while, found that it still wasn’t the fastest solution out there, had some reliability issues that came back to bite us, and was reliant on a proprietary archive/format.
…Getting closer
So the solution, leverage a powerful, well supported, and common utility to do the same thing. What I settled on…7-Zip. It’s a fantastic archiving/compression tool and would make an excellent backbone for our archiving needs. I’m not going to spend time discussing 7-Zip and why it’s so good…there’s plenty of other discussion on that out there. But while 7-Zip would do much of the important heavy lifting, it still did not meet all of the needs on it’s own.
Success!
Fortunately, with a great CLI interface, it was easy to put together a script that made it very simple to create batch archives of numerous cases at once. Next, I leveraged some additional code to generate file-lists, test/validate generated archives, and maintain a final hash for validating the integrity of archives. All these things sound trivial, and they can be. However! When you have a giant pile of Case folders, and their accompanying files backed up and ready to archive, this can be a giant pain point and very tedious process for each case folder. With PackNHash it’s a single easy to run process, that is set and forget. Go get a coffee, and come back later to find all your case folders neatly packaged up and ready for archive.
PacknHash
Here’s a quick rundown of the features:
-Bulk processes numerous individual cases/casefolders at once.
-Automatically organizes each processed case folder into its own labeled package.
-Recurses through each subfolder/file with in each casefolder and collects all files for each cases archive.
-Selection of input path to collect case folders from and output path is GUI driven so no need to type out paths in a CLI.
-Archive segment size easily set by GB.
-Each file output archive is accompanied by a full file-listing of all files/folders contained in it via text file.
-Each file output archive is integrity tested and MD5 hashed with a log providing these details.
-Leverages the excellent speed and compression of 7-Zip for the best combination of both.
Requirements/Tested on:
- Windows 10/11 – 64bit
- That’s it!