Contributing
All pull requests are welcome! There are lots of areas for improvement: the user guide, documentation, unit tests (we have very few), translation of old Portuguese code, and bug fixes. Please use 4-space indentation in your PRs.
Among new features, the most needed and most challenging ones are parsing (decoding) new forensic artifacts or file formats and keeping up to date with new versions of already supported artifacts.
To support a new artifact, you first need to detect it. Add a new mimetype definition to the conf/CustomSignatures.xml file. It can be based on a known file signature or, if none exists, on the file name or extension. For example, let's define a new non-standard mimetype named 'application/x-new-mimetype':

```xml
<mime-type type="application/x-new-mimetype">
  <magic priority="50">
    <match value="SIGNATURE" type="string" offset="0"/>
  </magic>
  <glob pattern="*.newext"/>
</mime-type>
```
Basically, this searches for the 'SIGNATURE' string at offset zero of each analyzed file. If found, that file's 'contentType' is set to 'application/x-new-mimetype'. If it is not found AND the file matches none of the other defined signatures (from the Tika library or from CustomSignatures.xml), the *.newext extension is tested. If it matches, 'contentType' is also set to 'application/x-new-mimetype'. Note that the extension is only a fallback: a file whose content carries another known signature keeps that signature's type regardless of its extension.
After the new mimetype is defined, you can add all files identified as 'application/x-new-mimetype' to a new category. For that, simply add a new entry to the conf/CategoriesByTypeConfig.txt file:
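The detection order described above, as an added illustration that is not IPED's or Tika's own code: a small Python emulation that loads CustomSignatures-style definitions, tries string signatures (highest priority first) and only then falls back to the glob pattern. The second mimetype 'application/x-other', its signature and the sample inputs are constructed for this example; only fixed-offset string matches are emulated.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample in the CustomSignatures.xml style. 'application/x-other'
# is a made-up second type used to show that signatures win over extensions.
SIGNATURES_XML = """<mime-info>
  <mime-type type="application/x-new-mimetype">
    <magic priority="50">
      <match value="SIGNATURE" type="string" offset="0"/>
    </magic>
    <glob pattern="*.newext"/>
  </mime-type>
  <mime-type type="application/x-other">
    <magic priority="60">
      <match value="OTHER" type="string" offset="4"/>
    </magic>
    <glob pattern="*.oth"/>
  </mime-type>
</mime-info>"""


def load_signatures(xml_text):
    """Return (magic_rules, glob_rules) parsed from a CustomSignatures-style document."""
    magic, globs = [], []
    for mt in ET.fromstring(xml_text).iter("mime-type"):
        mime = mt.get("type")
        for m in mt.findall("magic"):
            prio = int(m.get("priority", "50"))
            for match in m.findall("match"):
                if match.get("type") == "string":  # only fixed-offset string matches here
                    magic.append((prio, mime, int(match.get("offset", "0")),
                                  match.get("value").encode()))
        for g in mt.findall("glob"):
            globs.append((mime, g.get("pattern")))
    magic.sort(key=lambda r: r[0], reverse=True)  # higher priority is tried first
    return magic, globs


def detect(data, filename, rules):
    """Signature match wins; the glob pattern is tested only when no signature matched."""
    magic, globs = rules
    for _prio, mime, offset, value in magic:
        if data[offset:offset + len(value)] == value:
            return mime
    for mime, pattern in globs:
        if fnmatch.fnmatch(filename.lower(), pattern.lower()):
            return mime
    return "application/octet-stream"  # generic fallback when nothing matches
```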
New Category = application/x-new-mimetype
If you know a command line tool that already decodes the new artifact, you can configure IPED to run that tool automatically and import its output by editing the conf/ExternalParsers.xml file. See the details at https://github.com/lfcnassif/IPED/wiki/User-Manual#External-Tools-Integration