Veritas
Veraciously Effective Renderer In Typical Artifact Structures
Abstract
A hex viewer that parses and color-codes artifact file structures for visualization using dynamic templates, to make the validation process easier.
About
Tired of always having to look up different versions of file structures & manually mapping the bytes while working with hex?
Veritas is an elementary WIP hex viewer made for forensicators, which automatically identifies different artifacts and applies the correct template. These templates are generated dynamically to accurately highlight data with appropriate color markers.
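The identify-then-apply-template idea described above, shown for the Windows Prefetch header. This is an added example, not Veritas's own code: the function names, colour choices and sample bytes are assumptions, and the field offsets follow the published SCCA format documentation.

```python
import struct

# Prefetch (SCCA) header template: (offset, size, field name, ANSI colour).
# Names and colours are illustrative choices for this example.
TEMPLATE = [
    (0, 4, "format_version", 31),
    (4, 4, "signature", 32),
    (8, 4, "unknown", 90),
    (12, 4, "file_size", 33),
    (16, 60, "executable_name", 36),
    (76, 4, "prefetch_hash", 35),
    (80, 4, "flags", 90),
]
HEADER_SIZE = 84


def identify(data: bytes) -> str:
    """Pick an artifact type from the leading signature bytes."""
    if data[:3] == b"MAM":
        return "prefetch (compressed)"  # Windows 10+ file, decompress first
    if len(data) >= HEADER_SIZE and data[4:8] == b"SCCA":
        return "prefetch"
    return "unknown"


def parse_header(data: bytes) -> dict:
    """Decode every template field of an uncompressed prefetch header."""
    if identify(data) != "prefetch":
        raise ValueError("not an uncompressed prefetch file")
    fields = {}
    for offset, size, name, _ in TEMPLATE:
        raw = data[offset:offset + size]
        if name == "executable_name":  # UTF-16LE, NUL-terminated
            text = raw.decode("utf-16-le", errors="replace")
            fields[name] = text.split("\x00", 1)[0]
        elif name == "signature":
            fields[name] = raw.decode("ascii")
        else:
            fields[name] = struct.unpack("<I", raw)[0]
    return fields


def render(data: bytes) -> str:
    """Colour-coded hex of the header, one template field per line."""
    return "\n".join(
        f"{off:04x}  {name:<16} \x1b[{col}m{data[off:off + size].hex(' ')}\x1b[0m"
        for off, size, name, col in TEMPLATE)


# Constructed sample header (not taken from a real system).
SAMPLE = (struct.pack("<I4sII", 23, b"SCCA", 0x11, 84)
          + "CALC.EXE".encode("utf-16-le").ljust(60, b"\x00")
          + struct.pack("<II", 0xDEADBEEF, 0))
```

Calling `print(render(SAMPLE))` in a terminal shows each field's bytes in its own colour, which makes it easy to check the decoded values from `parse_header(SAMPLE)` against the raw hex.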
Disclaimer
Veritas is not meant to be an advanced hex viewer with the functionality that a real hex editor might have. It aims solely for one thing: convenience in data validation. It is suggested that this hex viewer be used alongside other good hex editors that offer searching and goto functions. Over time, Veritas will support more file structures; but as of now I'm the only one working on this project when I'm able to.
Features
- Dynamic artifact templates.
- Color coded artifact file structure with sub-sections.
- TODO: Multiple tabs.
- TODO: Finish popups.
Supported Artifacts
NTOS | Images | Documents |
---|---|---|
Requirements
- Python >= 3.10.4
- Kivy >= 2.1.0
Installation
Step 1: Create a virtual environment using:
python3 -m venv veritas
Step 2: Depending on your OS, activate the virtual environment using:
- Windows:
.\veritas\Scripts\activate
- Linux:
source veritas/bin/activate
Step 3: Install Kivy using:
python3 -m pip install "kivy[base]"
Special Thanks
- Gary Kessler's File Signatures Table, for the very handy cheatsheet for various file signatures.
- Andrew Rathbun's DFIRArtifactMuseum, for providing numerous artifact samples to validate proper parsing.
- Forensics Wiki, for additional information on file structures.
- Joachim Metz's libscca, for the prefetch file structure documentation.
- el3phanten, for invaluable assistance with Kivy.