Warning: this is alpha code. You run it at your own risk. No warranties are implied, and I am not responsible if it trashes your system. Data carving can be hazardous to your machine's health. You have been warned... have fun!

Run the program: DEB_Viewer.exe. This should run OK under Windows XP. This app was developed using Delphi 7.

Click on the button 'Load DEB'. You should then select a DEB tag file e.g. .'tag'. For the DFRWS Challenge this would be 'DRFWS_1.TAG'.

The tag file is loaded and a Tag Continuity Block (TCB) is appended to the tag file. This includes information such as when the DEB was opened, the application ID (e.g. 'DEB Viewer'), the application version and the function. A new MD5 hash (Tag File Hash) is also written as the last part of the TCB.

The Summary tab shows the DEB tag file.

Select the 'Index' tab. This lists the contents of the DEB Index File. For the DFRWS challenge only one entry is listed. Click on this entry.

The File Viewer window is displayed. This is used to show the contents of the file selected. The display has a number of different windows:

top left - window labelled 'memoStatus' - displays a list of file headers and their locations. The contents of this window may be selected and its full contents pasted into a text editor. Once the file has been fully analysed, the details of the zip files found and their component parts are displayed.

top right - window labelled 'memoIndex' - displays a list of files carved by the application. Each carved file has the naming convention 'nnnnn.xxx aaa bbb' where:

    nnnnn = start sector of source
    xxx   = file extension e.g. htm, jpg, txt,...
    aaa   = size
    bbb   = MD5 hash

The contents of this window may also be selected and its full contents pasted into a text editor (this is the most convenient way to view it). The exception to this naming convention is Zip files: they are output with sequential numbers, '1.zip nnnnn aaa bbb'.

The button labelled 'Analyse' - starts the application analysing and carving the selected file.
A grid representation of the selected file is shown. As the analysis is performed the grid square colours change:

    red    = known file signature in sector
    yellow = sector is predominantly ASCII
    blue   = sector contains binary
    black  = sector contains a single byte value (blank)

Note: because the DFRWS challenge test file is so large, it is best to maximise the size of this window in order to view the full file. Also note that the grid colours are not maintained when the display is scrolled or other windows are dragged over it. This will get sorted later!!!

When a sector is selected, its contents are shown in the hex viewer below the main file grid.

The button labelled 'Native View' currently only supports text files and bmp files. It spawns an external viewer. This is not really applicable to the DFRWS challenge, as the only file in the index is just a blob of data.

About the data carving.
_______________________

Sectors found in the data that contain text (above a text character threshold per sector - set in the code) are output to a file with the extension '.txt'.

Dumb file carving of .jpg, .doc.

Carving of .html files between header and footer markers where found.

Carving of ZIP files - complex. Each component part of a zip file is listed in the memoStatus window. Once parsing of the data set is complete, the contents of the 'Zip Table' are displayed. The 'Zip Table' is parsed to reconstruct zip files (even basic fragmented zips).
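
Added example (Python, not DEB Viewer's own code): one way to build a table of ZIP record signatures and rebuild each contiguous archive by working back from its end-of-central-directory record, then name it with the '1.zip nnnnn aaa bbb' convention above. The function names, the 512-byte sector size, the sample member names and the test image are assumptions made for the illustration; fragmented archives are skipped rather than reassembled.

```python
import hashlib, io, struct, zipfile

SECTOR = 512  # assumed sector size
SIGS = {b"PK\x03\x04": "local header", b"PK\x01\x02": "central dir", b"PK\x05\x06": "end of central dir"}

def zip_table(data):
    """Every ZIP record signature in the blob as (byte offset, sector, kind)."""
    rows, pos = [], data.find(b"PK")
    while pos != -1:
        if data[pos:pos + 4] in SIGS:
            rows.append((pos, pos // SECTOR, SIGS[data[pos:pos + 4]]))
        pos = data.find(b"PK", pos + 2)
    return rows

def carve_zips(data):
    """Rebuild each contiguous archive by working back from its end record."""
    carved = []
    for pos, _, kind in zip_table(data):
        if kind != "end of central dir" or pos + 22 > len(data):
            continue
        # End record, from offset 10: entry count, dir size, dir offset, comment length
        _, cd_size, cd_off, comment_len = struct.unpack_from("<HIIH", data, pos + 10)
        start, end = pos - cd_size - cd_off, pos + 22 + comment_len
        if start < 0 or end > len(data) or data[start:start + 4] != b"PK\x03\x04":
            continue  # fragmented, truncated, or a false-positive signature
        blob = data[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                ok, members = zf.testzip() is None, zf.namelist()  # CRC check per member
        except zipfile.BadZipFile:
            ok = False
        if ok:  # zip naming from the README: '<n>.zip <start sector> <size> <MD5>'
            name = f"{len(carved) + 1}.zip {start // SECTOR} {len(blob)} {hashlib.md5(blob).hexdigest()}"
            carved.append((name, members, blob))
    return carved

def build_sample():
    """Constructed test image: two small archives at sectors 3 and 10, zeros elsewhere."""
    image, originals = bytearray(16 * SECTOR), []
    for sector, member in ((3, "notes.txt"), (10, "report.htm")):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(member, "constructed sample data for " + member)
        originals.append(buf.getvalue())
        image[sector * SECTOR:sector * SECTOR + len(originals[-1])] = originals[-1]
    return bytes(image), originals

if __name__ == "__main__":
    for name, members, _ in carve_zips(build_sample()[0]):
        print(name, members)
```

An archive whose member fails its CRC check, or whose computed start does not land on a local file header, is left out of the result, so a fragmented zip shows up in the signature table but not in the carved list.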