GitHub: annkirpv/xt-snappy-fox
# xt-snappy-fox
An X-Tension for [X-Ways Forensics](https://www.x-ways.net/forensics/) that automatically decompresses **Mozilla Firefox disk cache (`morgue`) files** during volume snapshot refinement (RVS) or from the directory browser context menu (DBC).
Firefox stores cached HTTP bodies Snappy-compressed, so most forensic tools surface only the cache metadata, not the content. `xt-snappy-fox` decompresses each entry and adds the plaintext back into the volume snapshot as a child item (`_decompressed`) — previewable directly in the X-Ways viewer/gallery — and tags it in the **"Snappy decompressed"** report table.
It wraps Davide Berardi's dependency-free decompressor [`snappy-fox`](https://github.com/berdav/snappy-fox), which can also reconstruct corrupted files.
## Background
Inspired by a [BelkaSoft CTF](https://belkasoft.com/) challenge (documented in a [write-up](https://github.com/its5Q/writeups/blob/master/BelkaCTF%206/BelkaCTF%206%20Writeup.md#vacation) by **[Its5q](https://github.com/its5Q)**): the key evidence — which concert a suspect planned to attend — sat in the Firefox `morgue` cache of a Telegram Web session. The manual fix was to run snappy-fox over the cache files, bulk-rename the output to `.png`, and skim thumbnails in Explorer. `xt-snappy-fox` folds that whole detour into a single X-Ways run.
## Features
- During **volume snapshot refinement (RVS)** it auto-detects Firefox cache entries by path pattern (`*morgue*final`); from the **directory browser** it runs on the items you select (any Snappy file, regardless of path).
- Decompresses Snappy framed/unframed streams and can reconstruct corrupted files.
- Adds each result as a child item and tags it in the **"Snappy decompressed"** report table.
- Idempotent: re-running won't create duplicate child items.
## Building & requirements
- Tested with **X-Ways Forensics 21.5 SR-5 (x64)**. Earlier versions of X-Ways have not been tested.
- **Build from source:** Build the project yourself using Microsoft Visual Studio with the x64 toolchain.
- **Precompiled binary:** Alternatively, download the precompiled x64 `xt-snappy-fox.dll` from the GitHub Releases section.
## Usage
1. Add the evidence object to your case.
2. Run via **Refine Volume Snapshot → Run X-Tensions**, or via the directory browser right-click menu.
3. The decompressed child items are created without a file type. Run X-Ways' **file type verification** (Refine Volume Snapshot → *Verify file types*, or the type-detection step shown in the file overview / directory browser) so each item is recognized by its content — e.g. as a PNG or JPEG image — and can then be displayed in the Viewer and gallery.
4. Review results in the **"Snappy decompressed"** report table.
By default only CRC-verified output is accepted. Reconstruction of corrupted streams is offered as an opt-in prompt at startup; such output is flagged with a comment, since it may be partially reconstructed and is not CRC-verified.
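What "CRC-verified" means for a framed Snappy stream, shown here as an added Python model (not the X-Tension's or snappy-fox's own code): a decoder for the framing format Firefox writes (stream identifier, compressed and uncompressed data chunks, skippable chunks), with raw-block decoding for the compressed chunks, that rejects any data chunk whose masked CRC-32C does not verify. The function names are my own; the functions take the raw bytes of a cache file.

```python
def masked_crc(data: bytes) -> int:              # CRC-32C (Castagnoli), then Snappy's masking step
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    crc ^= 0xFFFFFFFF                            # mask = rotate right 15 bits + constant, so a raw CRC never matches
    return (((crc >> 15) | (crc << 17)) + 0xA282EAD8) & 0xFFFFFFFF

def snappy_raw(buf: bytes) -> bytes:             # one raw (unframed) block: varint length, then elements
    i = next(k for k, b in enumerate(buf) if not b & 0x80) + 1     # varint ends at the first byte without MSB
    want = sum((b & 0x7F) << (7 * k) for k, b in enumerate(buf[:i]))
    out = bytearray()
    while i < len(buf):
        tag = buf[i]; i += 1
        if tag & 3 == 0:                         # literal; tags 61..64 put the length in the next 1..4 bytes
            length = (tag >> 2) + 1
            if length > 60:
                n = length - 60; length = int.from_bytes(buf[i:i + n], "little") + 1; i += n
            out += buf[i:i + length]; i += length
            continue
        if tag & 3 == 1:                         # copy, 1-byte offset; the offset's top 3 bits sit in the tag
            length, offset = ((tag >> 2) & 7) + 4, ((tag >> 5) << 8) | buf[i]; i += 1
        else:                                    # copy, 2- or 4-byte little-endian offset
            n = 2 if tag & 3 == 2 else 4
            length, offset = (tag >> 2) + 1, int.from_bytes(buf[i:i + n], "little"); i += n
        if offset == 0 or offset > len(out):
            raise ValueError("copy refers outside the output produced so far")
        for _ in range(length):                  # byte-wise so overlapping copies (run repeats) work
            out.append(out[-offset])
    if len(out) != want:
        raise ValueError(f"preamble promised {want} bytes, got {len(out)}")
    return bytes(out)

def snappy_framed(stream: bytes) -> bytes:       # framing format; every data chunk must pass its CRC
    if not stream.startswith(b"\xff\x06\x00\x00sNaPpY"):           # stream identifier chunk
        raise ValueError("missing Snappy stream identifier")
    out, i = bytearray(), 10
    while i + 4 <= len(stream):
        ctype, length = stream[i], int.from_bytes(stream[i + 1:i + 4], "little")
        body = stream[i + 4:i + 4 + length]
        if ctype in (0x00, 0x01):                # 0x00 compressed, 0x01 uncompressed; both carry a masked CRC
            data = snappy_raw(body[4:]) if ctype == 0x00 else body[4:]
            if masked_crc(data) != int.from_bytes(body[:4], "little"):
                raise ValueError(f"CRC mismatch in chunk at offset {i}: rejected as not verified")
            out += data
        elif ctype < 0x80:                       # 0x02..0x7F are reserved and must not be skipped
            raise ValueError(f"unskippable chunk type 0x{ctype:02x}")
        i += 4 + length                          # 0x80..0xFE are skippable, 0xFF a repeated stream id
    return bytes(out)
```

Calling `snappy_framed(open(path, "rb").read())` on a `morgue` entry returns the decompressed bytes; a `ValueError` marks an entry that this strict mode drops and that only the opt-in reconstruction would attempt.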
## License
GPL-3.0-or-later, matching upstream `snappy-fox`. See [`LICENSE`](LICENSE).