AD1 Viewer

Browse AccessData AD1 logical images in your browser — no FTK, no Windows.

A zero-dependency, cross-platform (Apple Silicon–native) viewer for FTK Imager .ad1 Custom Content / logical images. Pure-stdlib Python parser + local web UI.


Why

AD1 is AccessData/Exterro's proprietary logical-evidence container. Officially you need FTK Imager (Windows) to open one. This tool reads the format directly — so you can browse, preview, hash and export files from an .ad1 on macOS (incl. M-series), Linux, or Windows with nothing but Python 3.

Features

  • AD1 v4 parser from scratch (pure stdlib struct + zlib) — ad1/parser.py
  • File tree browser (lazy-expanded) with sizes
  • Preview (text / hex), per-file MD5 / SHA-1 / SHA-256, PE/MZ executable flag
  • Metadata — timestamps, owner SIDs, NTFS flags from the AD1 attribute chain
  • Filename search
  • Findings panel — artifact locator (browser history DBs, Windows Mail/HxStore, registry hives, prefetch, scripts, executables)
  • Download any file (decompressed) to disk
  • No build step, no pip install, no external services — runs fully offline

Install & run

git clone https://github.com/anir0y/ad1-viewer
cd ad1-viewer
python3 -m server.app /path/to/image.ad1 --port 8000
# or: ./run.sh /path/to/image.ad1 8000

Then open http://127.0.0.1:8000/.

Requires Python 3.9+. No third-party packages.

CLI helpers

python3 walk.py image.ad1                    # dump the logical tree + verify a decompress
python3 -m unittest tests.test_parser -v     # self-contained tests (no evidence file)

How it works

The AD1 format was reverse-engineered against real v4 logical images. The parser understands the ADSEGMENTEDFILE / ADLOGICALIMAGE headers, the object tree (sibling/child/metadata/chunk pointers, all little-endian, offsets relative to the 0x200 logical-image base), zlib-compressed 64 KB data chunks, and the category | key | length | value attribute chain. See ad1/parser.py for the documented struct layout.
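The following is an added illustration, not code from the project, of the four parsing techniques the paragraph names: little-endian struct fields, tree pointers (sibling / child / attributes / chunks) resolved relative to a 0x200 base, zlib-compressed 64 KB data chunks, and a category | key | length | value attribute chain. The container layout it builds and reads is constructed for the example (its magic string, record layouts and terminator are all hypothetical, not the real AD1 v4 structs, which live in ad1/parser.py); the per-file SHA-256 and MZ check mirror the Features list so the output can be cross-checked against a known-good tool.

```python
"""Toy container built and parsed in the style the README describes.
The layout is CONSTRUCTED for this example; it is not the real AD1 v4 layout."""
import hashlib
import struct
import zlib

MAGIC = b"TOYLOGICALIMAGE"   # hypothetical magic; real AD1 headers differ
BASE = 0x200                 # every body offset is relative to this base
CHUNK = 64 * 1024            # uncompressed bytes per zlib chunk
# Object record (hypothetical): next_sibling, first_child, attr_off, chunk_table_off,
# size, n_chunks, name_len, is_dir, then the UTF-8 name. All little-endian.
OBJ_HDR = "<QQQQQIIB"
# Attribute record: category, key, length (u32 each), then `length` value bytes.
# A record of three zeros terminates the chain (hypothetical terminator).
ATTR_HDR = "<III"


def _append(buf, data):
    """Append to the body and return the offset of `data` relative to BASE."""
    off = len(buf)
    buf += data
    return off


def _emit(buf, node, next_sibling):
    """Serialize a node; children go first so their offsets are known. Returns node offset."""
    first_child = 0
    for child in reversed(node.get("children", [])):   # reversed: each learns its next sibling
        first_child = _emit(buf, child, first_child)
    attr_off = 0
    attrs = node.get("attrs", [])
    if attrs:
        chain = b"".join(struct.pack(ATTR_HDR, c, k, len(v)) + v for c, k, v in attrs)
        attr_off = _append(buf, chain + struct.pack(ATTR_HDR, 0, 0, 0))
    data = node.get("data")                 # None marks a directory
    tab_off, n_chunks, size = 0, 0, 0
    if data is not None:
        size, table = len(data), b""
        for i in range(0, size, CHUNK):     # split, compress, record (offset, length) per chunk
            comp = zlib.compress(data[i:i + CHUNK])
            table += struct.pack("<QQ", _append(buf, comp), len(comp))
        n_chunks = len(table) // 16
        tab_off = _append(buf, table) if table else 0
    name = node["name"].encode()
    rec = struct.pack(OBJ_HDR, next_sibling, first_child, attr_off, tab_off,
                      size, n_chunks, len(name), 0 if data is not None else 1) + name
    return _append(buf, rec)


def build_image(root):
    body = bytearray(b"\0" * 16)            # pad so offset 0 can serve as a null pointer
    root_off = _emit(body, root, 0)
    header = MAGIC.ljust(16, b"\0") + struct.pack("<Q", root_off)
    return bytes(header.ljust(BASE, b"\0") + body)


def _read_obj(blob, off):
    pos, hlen = BASE + off, struct.calcsize(OBJ_HDR)
    nxt, child, attr_off, tab_off, size, n_chunks, name_len, is_dir = struct.unpack_from(OBJ_HDR, blob, pos)
    name = blob[pos + hlen:pos + hlen + name_len].decode()
    return dict(next=nxt, child=child, attr_off=attr_off, tab_off=tab_off,
                size=size, n_chunks=n_chunks, name=name, is_dir=bool(is_dir))


def _read_attrs(blob, off):
    """Walk the category|key|length|value chain until the zero terminator."""
    attrs, pos = {}, BASE + off
    while off:
        cat, key, ln = struct.unpack_from(ATTR_HDR, blob, pos)
        pos += struct.calcsize(ATTR_HDR)
        if (cat, key, ln) == (0, 0, 0):
            break
        attrs[(cat, key)] = bytes(blob[pos:pos + ln])
        pos += ln
    return attrs


def _read_data(blob, tab_off, n_chunks, size):
    """Decompress every chunk in the table and check the total against the stored size."""
    out = bytearray()
    for i in range(n_chunks):
        coff, clen = struct.unpack_from("<QQ", blob, BASE + tab_off + 16 * i)
        out += zlib.decompress(blob[BASE + coff:BASE + coff + clen])
    if len(out) != size:
        raise ValueError(f"decompressed {len(out)} bytes, expected {size}")
    return bytes(out)


def walk(blob):
    """Pre-order walk of the object tree; returns one dict per entry with hashes."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a toy logical image")
    (root_off,) = struct.unpack_from("<Q", blob, 16)
    entries = []

    def visit(off, prefix):
        while off:                           # follow sibling pointers until null
            o = _read_obj(blob, off)
            path = prefix + o["name"]
            rec = {"path": path, "attrs": _read_attrs(blob, o["attr_off"])}
            entries.append(rec)
            if o["is_dir"]:
                visit(o["child"], path + "/")
            else:
                data = _read_data(blob, o["tab_off"], o["n_chunks"], o["size"])
                rec.update(size=len(data), chunks=o["n_chunks"], is_pe=data[:2] == b"MZ",
                           sha256=hashlib.sha256(data).hexdigest())
            off = o["next"]

    visit(root_off, "")
    return entries


# Constructed sample tree: a SID-like string and a fake timestamp as attributes,
# an 80 000-byte file to force two chunks, an MZ-prefixed file, and an empty file.
SAMPLE_TREE = {"name": "evidence", "children": [
    {"name": "notes.txt", "data": b"case notes\n",
     "attrs": [(1, 1, b"S-1-5-21-0-0-0-1000"), (2, 3, struct.pack("<Q", 132000000000000000))]},
    {"name": "tool.exe", "data": b"MZ" + b"\x90" * 62},
    {"name": "Users", "children": [{"name": "hosts", "data": b"127.0.0.1 localhost\n" * 4000}]},
    {"name": "empty.bin", "data": b""},
]}


def demo():
    return walk(build_image(SAMPLE_TREE))


if __name__ == "__main__":
    for e in demo():
        print(e["path"], e.get("size", "<dir>"), e.get("sha256", ""), e["attrs"])
```

The size check in `_read_data` is the cheap self-test the README's walk.py "verify a decompress" step implies: a chunk table that points at the wrong place usually inflates to the wrong length before it produces wrong bytes, and the per-file SHA-256 is what you compare against a known-good hash list before trusting an export.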

Format references that informed the work: al3ks1s — AD1ventures, DFIRScience — What is an AD1?.

Scope / non-goals

The Findings panel locates artifacts (browser History, HxStore.hxd, registry hives, …) and lets you preview/export them. Deep decoders — parsing browser-history SQLite into URL/timestamp rows, or extracting email bodies from HxStore — are intentionally out of scope for now and tracked as future work.

⚠️ Forensic tool provided as-is. Validate against known-good output before relying on it for casework. Never commit evidence images — see .gitignore.

License

MIT © Animesh Roy (anir0y)


Built by Animesh Roy — anir0y · Security Operations Command
“Break it before they breach it.”
