Create custom defined reports and lists with IsoBuster

There are 2 ways to create custom lists. Via the command line and via the GUI. Both have been present for quite some time but the available commands and tags have exploded exponentially in IsoBuster 4.1. Actually the GUI variant was never public knowledge and also just a mere subset of what it is today

Custom lists / reports via the command line

As explained, this core functionality has been available for quite some time and the help file section on this topic should be self explanatory. Of course the available commands and tags' count is now a multitude of what it was before IsoBuster 4.1. So please check this help file section on building lists via the command line to get started.

Custom lists / reports via the GUI

This option needs a bit more explaining. It is based on a single string per report that is stored in the registry. You can store up to 20 report strings in the registry. IsoBuster, on startup, will use those strings to build the right-mouse-click popup menu that is used to export lists. The strings are identical to the strings you would use on the command line. So again, for all tags and commands, please check this help file section explaining all tags and commands to get started.

However, there are a few commands that only make sense for the GUI implementation. These commands are listed here:

  • {'Title'}    If used, it must be the first tag on the line, otherwise it is ignored. It can contain any text between single quotes
  • {%DEFAULT}   This tag is used to make a report/list the default (bold and executed when parent object is double clicked)
  • {%CHECKED}   This tag is used if you want to display a check mark next to the title
  • (%INVISIBLE} This tag is used to hide a report entirely. It doesn't make much sense to use this for custom reports but it does make sense when you overload or replace existing embedded reports

To include your own reports to the GUI, create a simple text file and add strings "CustomFileList1" up to "CustomFileList10" with your own command strings in key "[HKEY_CURRENT_USER\Software\Smart Projects\IsoBuster]" (see the example below for the text that is required for this to work). Rename the text file to something.reg. Double click the .reg file and allow Windows' RegEdit to make the changes to the registry. Start IsoBuster and see the new functionality.

Here are working XML and DFXML examples that you can copy and paste to a text file, and use as base for your own project (Or download the example reg file here):

REGEDIT4

[HKEY_CURRENT_USER\Software\Smart Projects\IsoBuster]

"CustomFileList1"="{'XML (IsoBuster 4.1 version)'}{%UTF8}{%XML}{%GMT}{%STREAMS}<%XMLHEADER><%BR><xml><%BR><Creator><%BR> <Application><%APP></Application><%BR> <Version><%VERSION></Version><%BR> <Operator><%USER></Operator><%BR> <OS><%OS></OS><%BR> <Start_Time_Date><%SYSTIMEDATE></Start_Time_Date><!--GMT--><%BR></Creator><%BR><%BR><Source><%BR> <Target_Name><%NAME></Target_Name><%BR> <Target_Type><%TYPE></Target_Type><%BR> <Target_Time_Date><%TIMEDATE></Target_Time_Date><!--GMT--><%BR> <Partition_LBA><%PARTITIONLBA></Partition_LBA><!--Session in case of optical--><%BR> <Partition_Blocks_Cnt><%PARTITIONBLOCKS></Partition_Blocks_Cnt><!--Session in case of optical--><%BR> <Media_Blocks_Cnt><%DEVICEBLOCKS></Media_Blocks_Cnt><!--Entire Device or inserted Media--><%BR> <Device><%DEVICE></Device><%BR> <Block_Size><%DEVICEBLOCKSIZE></Block_Size><!--Bytes--><%BR> <ImageFile><%DEVICEPATH></ImageFile><!--If working from imagefile--><%BR> <ImageFile_Size><%DEVICEFILESIZE></ImageFile_Size><!--Bytes--><!--If working from imagefile--><%BR></Source>{%HEADER}{%FILE}<%BR><Object Name='<%NAME>'><!--File--><%BR> <Path><%RELPATH></Path><%BR> <Size><%BYTES></Size><!--Bytes--><%BR> <Total_Size><%TOTBYTES></Total_Size><!--Bytes -Includes Streams (and/or Resource Fork) size (if present)--><%BR> <Time_Date><%TIMEDATE></Time_Date><!--GMT--><%BR> <UID><%UID></UID><%BR> <Type><%TYPE></Type><%BR> <Creator><%CREATOR></Creator><!--Relevant if MAC File System--><%BR> <Streams Streams='<%STREAMS>'><%STREAMLOOP> </Streams><%BR> <Extents Extents='<%EXTENTS>'><%EXTENTLOOP> </Extents><%BR></Object>{%STREAM}<%BR><Object Name='<%NAME>'><!--Stream and/or Resource Fork--><%BR> <Path><%RELPATH></Path><%BR> <Size><%BYTES></Size><!--Bytes--><%BR> <Time_Date><%TIMEDATE></Time_Date><!--GMT--><%BR> <UID><%UID></UID><%BR> <Type><%TYPE></Type><%BR> <Extents Extents='<%EXTENTS>'><%EXTENTLOOP> </Extents><%BR></Object>{%EXTENT} <Extent Name='<%NAME>' Index='<%INDEX>'><%BR> <LBA><%LBA></LBA><%BR> <Last_LBA><%LASTLBA></Last_LBA><%BR> <Size><%BYTES></Size><!--Bytes--><%BR> <Offset_In_Block><%OFFSET></Offset_In_Block><%BR> <Blocks_Cnt><%BLOCKS></Blocks_Cnt><%BR> <Bad_Blocks_Cnt><%BADBLOCKS></Bad_Blocks_Cnt><%BR> </Extent>{%STREAMLOOP} <Stream Name='<%NAME>' Index='<%INDEX>'/>{%FOLDER}<%BR><Object Name='<%NAME>'><!--Folder--><%BR> <Path><%RELPATH></Path><%BR> <Size><%BYTES></Size><!--Bytes--><%BR> <Time_Date><%TIMEDATE></Time_Date><!--GMT--><%BR> <UID><%UID></UID><%BR> <Type><%TYPE></Type><%BR> <Streams Streams='<%STREAMS>'><%STREAMLOOP> </Streams><%BR> <Extents Extents='<%EXTENTS>'><%EXTENTLOOP> </Extents><%BR></Object>{%FOOTER}<%BR><Stats><%BR> <Objects><%CNT></Objects><%BR> <End_Time_Date><%SYSTIMEDATE></End_Time_Date><!--GMT--><%BR> <Elapsed_Time><%SYSTIMELAPSED></Elapsed_Time><%BR> <Elapsed_Time_Sec><%SYSTIMELAPSEDSEC></Elapsed_Time_Sec><%BR> <Elapsed_Time_NanoSec><%SYSTIMELAPSEDNANOSEC></Elapsed_Time_NanoSec><%BR></Stats><%BR><%BR></xml><%BR><!-- For more information: https://www.isobuster.com/reports -->"

"CustomFileList2"="{'DFXML (IsoBuster 4.1 version)'}{%UTF8}{%XML}{%GMT}{%FOLDERS}{%STREAMS}<%XMLHEADER><%BR><dfxml xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'<%BR> xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'<%BR> xmlns:dc='http://purl.org/dc/elements/1.1/'<%BR> xmlns:hfs='http://www.forensicswiki.org/wiki/HFS' version='1.0'><%BR><%BR> <metadata><%BR> <dc:type><%DEVICETYPE></dc:type><%BR> </metadata><%BR><%BR> <creator><%BR> <program><%APP></program><%BR> <version><%VERSION></version><%BR> <execution_environment><%BR> <start_time><%SYSTIMEDATE></start_time><!--GMT--><%BR> <os_version><%OS></os_version><%BR> <username><%USER></username><%BR> </execution_environment><%BR> </creator><%BR><%BR> <source><%BR> <device_model><%DEVICE></device_model><%BR> <image_filename><%DEVICEPATH></image_filename><%BR> <image_size><%DEVICEFILESIZE></image_size><%BR> <sectorsize><%DEVICEBLOCKSIZE></sectorsize><%BR> <devicesectors coding='base10'><%DEVICEBLOCKS></devicesectors><%BR> </source><%BR><%BR> <volume><%BR> <ftype_str><%TYPE></ftype_str><%BR> <partition_offset><%PARTITIONLBABYTESOFFSET></partition_offset>{%HEADER}{%FOLDER}<%BR> <fileobject><%BR> <filename><%RELPATH></filename><%BR> <name_type>d</name_type><%BR> <filesize><%BYTES></filesize><%BR> <alloc>1</alloc><%BR> <inode><%UID></inode><%BR> <mtime><%TIMEDATE></mtime><!--GMT--><%BR> <byte_runs><%EXTENTLOOP> </byte_runs><%BR> </fileobject>{%FILE}<%BR> <fileobject><%BR> <filename><%RELPATH></filename><%BR> <name_type>r</name_type><%BR> <filesize><%BYTES></filesize><%BR> <alloc>1</alloc><%BR> <inode><%UID></inode><%BR> <mtime><%TIMEDATE></mtime><!--GMT--><%BR> <hfs:HFStype_creator><%TYPE>/<%CREATOR></hfs:HFStype_creator><!--Only relevant if MAC File System--><%BR> <byte_runs><%EXTENTLOOP> </byte_runs><%BR> </fileobject>{%STREAM}<%BR> <fileobject><!--Stream or Resource Fork--><%BR> <filename><%RELPATH></filename><%BR> <name_type>-</name_type><%BR> <filesize><%BYTES></filesize><%BR> <alloc>1</alloc><%BR> <inode><%UID></inode><%BR> <mtime><%TIMEDATE></mtime><!--GMT--><%BR> <byte_runs><%EXTENTLOOP> </byte_runs><%BR> </fileobject>{%EXTENT} <byte_run img_offset='<%LBABYTEOFFSET>' len='<%BYTES>' />{%FOOTER} </volume><%BR><%BR> <runstats><%BR> <stop_time><%SYSTIMEDATE></stop_time><!--GMT--><%BR> <clock_seconds><%SYSTIMELAPSEDSEC></clock_seconds><%BR> </runstats><%BR><%BR></dfxml><%BR><!-- For more information: https://www.isobuster.com/reports -->"

"CustomFileList3"="{'-'}"

"CustomFileList4"="{'LBA+TIME+DATE+SIZE+PATH (Old style IsoBuster < 4.1 report)'}<%LBA> , <%TIMEDATE> , <%SIZE> , <%FULLPATH>"

If you use this example, you see the highlighted options added to the GUI (make sure to restart IsoBuster after you added the strings)

Custom Reports with IsoBuster

Click to zoom

Overload the existing lists / reports via the GUI

Last, you can also use the whole custom reports functionality to overload or even replace the existing embedded functionality. In other words, you improve or replace the existing reports in IsoBuster with your own.

To do that you use registry key strings EmdeddedFileList just like you would use the CustomFileList registry key strings. All the rest remains the same. You can replace the entire functionality with your own or add functionality that you require. To add, and not so much replace, use tag <%EMBEDDED> in your new string. <%EMBEDDED> will be replaced by the original, program provided, string. If you don't provide a Title, the program stored title will still be used. The latter is particulary useful when you replace the functionality entirely.

A few examples:

Example 1: The functionality remains unchanged, but files are saved with UTF8 encoding rather than UTF16 encoding (which is the default)

Example 2: The functionality remains unchanged but this type list is the default now (and checked as well, why not)

Example 3: The functionality remains unchanged but there's a footer at the end of the list, showing what version of IsoBuster was used

Example 4: Entirely new functionality, with a new name etc.

Example 5: This list removed entirely

REGEDIT4

[HKEY_CURRENT_USER\Software\Smart Projects\IsoBuster]

"EmdeddedFileList1"="{%UTF8}<%EMBEDDED>"

"EmdeddedFileList2"="{%DEFAULT}{%CHECKED}<%EMBEDDED>"

"EmdeddedFileList3"="<%EMBEDDED>{%FOOTER}<%BR>Created with <%APP> <%VERS>"

"EmdeddedFileList4"="{'My new list'}{%UTF8}{%GMT}{%STREAMS}<%LBA>;<%NAME>;<%TOTSIZE>;<%TIME>"

"EmdeddedFileList5"="<%INVISIBLE>"