Difference between revisions of "Tools"
(→Metadata Extraction Tools: pdfinfo.)
|Line 145:||Line 145:|
= Network Forensics Tools =
= Network Forensics Tools =
Revision as of 07:18, 24 March 2006
- 1 Disk Imaging Tools
- 2 Data Recovery Tools
- 3 Disk Analysis Tools
- 4 Metadata Extraction Tools
- 5 Network Forensics Tools
- 6 Anti-forensics Tools
- 7 Other Tools
Disk Imaging Tools
At CanSec West 05, Michael Becher, Maximillian Dornseif, and Christian N. Klein discussed an exploit which uses DMA to read arbitrary memory locations of a firewire-enabled system. The paper lists more details. The exploit is run on an iPod running Linux. This can be used to grab screen contents.
In theory, this could be used with the ... to send through an exploit code that would cause the system to dump the contents of its hard drive back to the iPod.
- A program that converts and copies files, is one of the oldest Unix programs. I can copy data from any Unix "file" (including a raw partition) to any other Unix "file" (including a disk file or a raw partition). This is one of the oldest of the imaging tools, and produces raw image files. Extended into dcfldd.
- A version of dd created by the Digital Computer Forensics Laboratory. dcfldd is an enhanced version of GNU dd with features useful for forensics and security, such as calculating MD5 or SHA-1 hashes on the fly and faster disk wiping.
- A tool similar to dd, but unlike dd it will continue reading the next sector, if it stumbles over bad sectors it cannot read.
- Part of the AFF system, aimage can create either a raw file or an AFF file. It can optionally compress and calculate MD5 or SHA-1 hash residues while the data is being copied.
- FTK Imager by Access Data
- Can image and convert many image formats. Including E0* and DD. Also a free tool.
- Can image with out dongle plugged in. Only images to E0* file.
- Can image and convert many file formats. Also builds mobile toolkit.
- Images and searches FAT12, FAT16, FAT 32 and all NTFS files.
- Their ultimate tool lets you "READ, ACQUIRE, DECRYPT, ANALYZE and REPORT (R.A.D.A.R.)."
- A tool for imaging and analyzing disks.
Data Recovery Tools
- Salvation Data
-  Claims to have a program that can read the "bad blocks" of Maxtor drives with proprietary commands.
- RAID Reconstructor
- Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (Striping) and RAID Level 5 drives. People who have used it, love it.
Disk Analysis Tools
- ILook Investigator, by Elliot Spencer and IRS - Internal Revenue Service
Open Source Tools
- A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
- FCCU Gnu/Linux Boot CD
- Also a LiveCD built on top of Knoppix with a lot of tools with forensic purpose.
- It leaves the target devices unaltered (It does not use the swap partitions found on the devices).
- Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
Metadata Extraction Tools
- Extracts metadata from various Microsoft Word files (doc). Can also convert doc files to other formats such as HTML or plain text.
- pdfinfo (part of the xpdf package) displays some metadata of PDF files.