
Conversation

@nisargsuthar
Contributor

Description

Please include a summary of the change and (if applicable) which issue is fixed.

Checklist:

Please replace every instance of [ ] with [X] OR click on the checkboxes after you submit your PR

  • I have generated a unique GUID for my Target(s)/Module(s)
  • I have placed the Target(s)/Module(s) in an appropriate subfolder in Targets or Modules. If one doesn't exist, I have either added it to the Misc folder or created a relevant subfolder with justification
  • I have set or updated the version of my Target(s)/Module(s)
  • I have verified that KAPE parses the Target(s)/Module(s) successfully via kape.exe, using --tlist/--mlist and corrected any errors
  • I have validated my Target(s)/Module(s) against test data and verified they are working as intended
  • I have made an attempt to document the artifacts within the Target(s) or Module(s) I am submitting. If documentation doesn't exist, I have placed N/A underneath the Documentation header
  • For Targets, I have consulted either the Target Guide, Target Template, Compound Target Guide, or Compound Target Template to ensure my Target(s) follow the same format
  • For Modules, I have consulted either the Module Guide, Module Template, Compound Module Guide, or Compound Module Template to ensure my Module(s) follow the same format

If your submission involves an SQLite database, have you considered making an SQLECmd Map for the SQLite database? If you make a Map, please add the SQLite database to the SQLiteDatabases.tkape Compound Target.

Thank you for your submission and for contributing to the DFIR community!

@EricZimmerman
Owner

I'm curious, what possible forensic value could this actually have for you?

I get what it does, but how are you going to leverage it?

@nisargsuthar
Contributor Author

> I'm curious, what possible forensic value could this actually have for you?

I thought it would be a nice addition for KAPE to collect it. Could be used for bulk sample generation and collection (for something like the DFIRArtifactMuseum) which can be useful for writing parsers and validating existing tools. I'm not sure which tools currently parse $Bitmap files, but even besides that it could be useful for analysts to collect it and manually locate unallocated clusters if need be.

For me personally, I think it will be helpful when I eventually write parsers for NTFS artefacts for Veritas. It could perhaps break down the bit array and how allocated/unallocated clusters are to be interpreted from the artifact.

@EricZimmerman
Owner

There's not much else to it other than cluster in use or not, afaik

@AndrewRathbun AndrewRathbun merged commit d1c20bd into EricZimmerman:master Mar 11, 2025
1 check passed
@nisargsuthar
Contributor Author

> There's not much else to it other than cluster in use or not, afaik

That is correct, that's all there is to it.

I'm not sure if analysts are required to find the allocation statuses of clusters before/after using blkls or manually carving out files, but I'm assuming that you'd need to provide some contextual information about where the files were recovered from, and that something like "from unallocated space" isn't a good statement in a forensic report.

One use case for this I can think of is proving that a file was deleted. It can be possible that the MFT entry for a deleted file gets overwritten, but we still need to address how the file was recovered and from which clusters.

I'm curious, are there any tools which parse $Bitmap currently?

@EricZimmerman
Owner

Not that I know of. It's just 0s and 1s
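Since the thread ends with the observation that $Bitmap is just a bit array (one bit per cluster, set when the cluster is in use) and the earlier comment asked how allocated/unallocated clusters are read out of it and how a carved file's location could be described in a report, here is an added example that is not code from this PR, from KAPE, or from the repository owner. It interprets a $Bitmap bit array with the NTFS layout (cluster n is bit n % 8 of byte n // 8, least-significant bit first), lists contiguous allocated and free runs, and describes the clusters a carved file came from. The sample bytes, cluster count and cluster size are constructed for the demonstration; on a real image the total cluster count comes from the volume boot sector, because the $Bitmap file is padded past the last real cluster.

```python
"""Interpret an NTFS $Bitmap bit array (added example, not KAPE code).

$Bitmap holds one bit per cluster on the volume: 1 = allocated, 0 = free.
Cluster n lives in byte n // 8, bit n % 8 (least-significant bit first).
The file is padded past the last real cluster, so the parser needs the
volume's total cluster count (taken from the boot sector on a real image).
"""
from typing import Dict, List, Tuple


def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    """True if the cluster's bit is set (allocated), False if it is free."""
    return bool((bitmap[cluster // 8] >> (cluster % 8)) & 1)


def allocation_runs(bitmap: bytes, total_clusters: int, allocated: bool) -> List[Tuple[int, int]]:
    """Contiguous (first, last) cluster ranges that share the requested state.

    Bits at or beyond total_clusters are padding and are ignored.
    """
    runs: List[Tuple[int, int]] = []
    start = None
    for cluster in range(total_clusters):
        state = cluster_allocated(bitmap, cluster)
        if state == allocated:
            if start is None:
                start = cluster
        elif start is not None:
            runs.append((start, cluster - 1))
            start = None
    if start is not None:
        runs.append((start, total_clusters - 1))
    return runs


def count_clusters(bitmap: bytes, total_clusters: int) -> Tuple[int, int]:
    """(allocated, free) cluster counts, ignoring padding bits."""
    allocated = sum(cluster_allocated(bitmap, c) for c in range(total_clusters))
    return allocated, total_clusters - allocated


def describe_carved_range(bitmap: bytes, cluster_size: int,
                          first_cluster: int, last_cluster: int) -> Dict[str, object]:
    """Context for a carved file that occupied first_cluster..last_cluster.

    Reports the byte offset and length on the volume plus which of those
    clusters the bitmap still marks as allocated, so a report can state
    more than "from unallocated space".
    """
    clusters = range(first_cluster, last_cluster + 1)
    still_allocated = [c for c in clusters if cluster_allocated(bitmap, c)]
    return {
        "first_cluster": first_cluster,
        "last_cluster": last_cluster,
        "byte_offset": first_cluster * cluster_size,
        "length_bytes": len(clusters) * cluster_size,
        "allocated_clusters": still_allocated,
        "all_unallocated": not still_allocated,
    }


# Constructed sample (not from a real image): a 20-cluster volume, 4096-byte clusters.
# 0x0F -> clusters 0-3 allocated, 4-7 free
# 0xF0 -> clusters 8-11 free, 12-15 allocated
# 0x03 -> clusters 16-17 allocated, 18-19 free; bits 20-23 are padding
SAMPLE_BITMAP = bytes([0x0F, 0xF0, 0x03])
SAMPLE_TOTAL_CLUSTERS = 20
SAMPLE_CLUSTER_SIZE = 4096


if __name__ == "__main__":
    # With a collected $Bitmap file: bitmap = open(path, "rb").read()
    print("allocated runs:", allocation_runs(SAMPLE_BITMAP, SAMPLE_TOTAL_CLUSTERS, True))
    print("free runs:", allocation_runs(SAMPLE_BITMAP, SAMPLE_TOTAL_CLUSTERS, False))
    print("counts (allocated, free):", count_clusters(SAMPLE_BITMAP, SAMPLE_TOTAL_CLUSTERS))
    print(describe_carved_range(SAMPLE_BITMAP, SAMPLE_CLUSTER_SIZE, 4, 11))
```

One caveat worth keeping in mind when using this for the "proving a file was deleted" case raised above: the bitmap records allocation state at the moment of collection, not at the moment of deletion, so it supports the statement of which clusters a file was recovered from and whether they were free when the image was taken, not a timeline of when they became free.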
