Difference between revisions of "Tools"

From ForensicsWiki
(Anti-forensics Tools: shred, wipe.)

Revision as of 17:31, 26 March 2006

Disk Imaging Tools

Hardware imagers

Imaging Memory

At CanSecWest 05, Michael Becher, Maximillian Dornseif, and Christian N. Klein discussed an exploit that uses DMA over FireWire to read arbitrary memory locations of a FireWire-enabled system; the paper gives the details. The exploit runs on an iPod running Linux, and among other things it can grab the screen contents of the target.

In theory, this could be used with the ... to send exploit code that would cause the system to dump the contents of its hard drive back to the iPod.

Unix-based imagers

dd
A program that converts and copies files, and one of the oldest Unix programs. It can copy data from any Unix "file" (including a raw partition) to any other Unix "file" (including a disk file or a raw partition), which makes it one of the oldest imaging tools; it produces raw image files. By default it stops at the first read error; conv=noerror,sync makes it skip an unreadable block and pad it with NULs so that the data after it keeps its offset. Extended into dcfldd.
dcfldd
A version of dd created by the Defense Computer Forensics Laboratory (DCFL). dcfldd is an enhanced version of GNU dd with features useful for forensics and security, such as calculating MD5 or SHA-1 hashes on the fly and faster disk wiping.
dd_rescue
http://www.garloff.de/kurt/linux/ddrescue/
A tool similar to dd, but unlike dd it continues with the next sector when it hits a bad sector it cannot read.
GNU ddrescue
http://www.gnu.org/software/ddrescue/ddrescue.html
sdd
Another dd-like tool. It is supposed to be faster in certain situations.
aimage
Part of the AFF system, aimage can create either a raw file or an AFF file. It can optionally compress the data and calculate MD5 or SHA-1 hashes while the data is being copied.
Blackbag
Specializes in Mac analysis (Mac OS X is now a branch of the BSD family tree).
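The conv=noerror,sync behaviour that separates a forensic dd run from a plain copy is easy to get wrong, so here is an added example (written for this page; it is not code from dd, dcfldd or the wiki) that emulates it in Python against a constructed in-memory disk with one simulated unreadable sector. The BadSectorSource class, the 512-byte sector size and the sample data are assumptions made for the demonstration; hashing the image as it is written mirrors what dcfldd and aimage do.

```python
import hashlib
import io

SECTOR = 512  # sector size assumed for this example


class BadSectorSource:
    """Constructed stand-in for a failing drive: any read that touches a sector
    listed in `bad` raises OSError, like the EIO a real block device returns."""

    def __init__(self, data: bytes, bad_sectors=(), sector: int = SECTOR):
        self.data, self.bad, self.sector, self.pos = data, set(bad_sectors), sector, 0

    def seek(self, pos: int) -> None:
        self.pos = pos

    def read(self, n: int) -> bytes:
        first, last = self.pos // self.sector, (self.pos + n - 1) // self.sector
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image(src, dst, bs: int = SECTOR, noerror: bool = True, sync: bool = True,
          algos=("md5", "sha1")):
    """Copy src to dst in bs-byte blocks the way `dd conv=noerror,sync` does,
    hashing the bytes written on the fly as dcfldd does.

    noerror: keep going after a failed read instead of aborting.
    sync:    pad a short or failed block to bs with NULs, so every later byte
             keeps its original offset in the image.
    Returns (hex digests of the image, block numbers that could not be read)."""
    hashes = {a: hashlib.new(a) for a in algos}
    failed = []
    offset = 0
    while True:
        src.seek(offset)
        try:
            chunk = src.read(bs)
            if not chunk:
                break                        # end of device
        except OSError:
            if not noerror:
                raise                        # plain dd: abort on the first bad read
            failed.append(offset // bs)
            chunk = b""                      # nothing usable came back from this block
        if sync and len(chunk) < bs:
            chunk = chunk.ljust(bs, b"\0")   # without sync the image silently shrinks
        dst.write(chunk)
        for h in hashes.values():
            h.update(chunk)
        offset += bs
    return {a: h.hexdigest() for a, h in hashes.items()}, failed


def image_bytes(data: bytes, bad_sectors=(), **opts):
    """Image a constructed in-memory 'disk'; returns (image, digests, failed blocks)."""
    dst = io.BytesIO()
    digests, failed = image(BadSectorSource(data, bad_sectors), dst, **opts)
    return dst.getvalue(), digests, failed


if __name__ == "__main__":
    disk = bytes(range(256)) * 8             # constructed 2048-byte disk: 4 sectors
    img, digests, failed = image_bytes(disk, bad_sectors={1})
    print("unreadable blocks:", failed, "image size:", len(img))
    print("bad block zero-filled:", img[512:1024] == b"\0" * 512)
    print("sha1 of image:", digests["sha1"])
```

Compare the sync=False case: the unreadable block is dropped instead of zero-filled, so every later byte lands 512 bytes early and the image hash no longer corresponds to any real layout of the disk. dd_rescue and GNU ddrescue go further than this emulation, retrying bad areas, and GNU ddrescue also keeps a map of the ranges it could not read.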

Windows-based imagers

X-Ways Forensics
Has some limited imaging capabilities. The output is raw format.
X-Ways Replica
Performs hard disk cloning and imaging. The output is raw format.
Ghost
FTK can read forensic, uncompressed Ghost images.
FTK Imager by Access Data
Can image and convert many image formats, including E0* (EnCase) and dd raw. Also a free tool.
EnCase
Can image without the dongle plugged in. Only images to E0* files.
DIBS
Can image and convert many file formats. Also builds a mobile toolkit.
iLook
The IRS's forensic tool.
Paraben
A complete set of tools for Windows (and handheld) products.
ProDiscovery
Images and searches FAT12, FAT16, FAT32 and all NTFS files.
AccessData
Their ultimate tool lets you "READ, ACQUIRE, DECRYPT, ANALYZE and REPORT (R.A.D.A.R.)."
ASR
A tool for imaging and analyzing disks.
Wetstone
Gargoyle Investigator scans for illicit data and steganographic images.

Data Recovery Tools

Salvation Data
http://www.salvationdata.com
Claims to have a program that can read the "bad blocks" of Maxtor drives with proprietary commands.
RAID Reconstructor
Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (striping) and RAID Level 5 sets. People who have used it love it.
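What reconstructing a RAID set actually involves, as an added example (not text from the wiki and not Runtime Software's code): given the member images, a chunk size and a layout, a RAID 0 set is re-interleaved, and a RAID 5 set with one dead member is rebuilt by XOR parity. The chunk size, the left-symmetric parity rotation (assumed here; it is the Linux md default) and the 24-byte sample volume are assumptions made for the demonstration. In a real case, recovering exactly those parameters from the member images is most of the work a tool like RAID Reconstructor does.

```python
from functools import reduce


def xor(*blocks: bytes) -> bytes:
    """XOR equal-length byte strings; RAID 5 parity is the XOR of a row's data."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def raid0_split(volume: bytes, n: int, chunk: int):
    """Stripe a logical volume over n members (what the controller did)."""
    members = [bytearray() for _ in range(n)]
    for i in range(0, len(volume), chunk):
        members[(i // chunk) % n] += volume[i:i + chunk].ljust(chunk, b"\0")
    return [bytes(m) for m in members]


def raid0_assemble(members, chunk: int) -> bytes:
    """Interleave member images back into the logical volume."""
    n, rows = len(members), len(members[0]) // chunk
    return b"".join(members[d][r * chunk:(r + 1) * chunk]
                    for r in range(rows) for d in range(n))


def _parity_disk(row: int, n: int) -> int:
    # Left-symmetric layout (assumed here, as in Linux md's default): parity walks
    # backwards from the last disk, and the row's data starts on the disk after it.
    return (n - 1 - row) % n


def raid5_split(volume: bytes, n: int, chunk: int):
    """Write a volume to n RAID 5 members, left-symmetric, one parity chunk per row."""
    per_row = n - 1
    rows = -(-len(volume) // (chunk * per_row))
    members = [bytearray() for _ in range(n)]
    for r in range(rows):
        p = _parity_disk(r, n)
        data = [volume[(r * per_row + j) * chunk:(r * per_row + j + 1) * chunk]
                .ljust(chunk, b"\0") for j in range(per_row)]
        for j, c in enumerate(data):
            members[(p + 1 + j) % n] += c
        members[p] += xor(*data)
    return [bytes(m) for m in members]


def raid5_assemble(members, chunk: int) -> bytes:
    """Rebuild the volume from member images; at most one entry may be None
    (a dead or missing disk), and that one is regenerated from parity."""
    n = len(members)
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 tolerates only one missing member")
    rows = next(len(m) for m in members if m is not None) // chunk
    out = bytearray()
    for r in range(rows):
        p = _parity_disk(r, n)
        row = [None if m is None else m[r * chunk:(r + 1) * chunk] for m in members]
        if missing:
            row[missing[0]] = xor(*(b for b in row if b is not None))
        out += b"".join(row[(p + 1 + j) % n] for j in range(n - 1))
    return bytes(out)


if __name__ == "__main__":
    volume = b"ABCDEFGHIJKLMNOPQRSTUVWX"          # constructed 24-byte volume
    members = raid5_split(volume, n=3, chunk=4)
    members[1] = None                              # lose the middle disk
    print(raid5_assemble(members, chunk=4))
```

If the guessed chunk size or rotation is wrong, the assembled volume is byte-for-byte plausible but scrambled at chunk boundaries, which is why reconstruction tools validate candidate parameters against filesystem structures (boot sectors, directory entries) that must land at known offsets.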

Disk Analysis Tools

Linux-based Tools

SMART, by ASR Data
http://www.asrdata.com

Windows-based Tools

EnCase, by Guidance Software
http://www.guidancesoftware.com/
Forensic Toolkit, by AccessData
http://www.accessdata.com/products/ftk/
ILook Investigator, by Elliot Spencer and Internal Revenue Service (IRS)
http://www.ilook-forensics.org/
Safeback by NTI and Armor Forensics
http://www.forensics-intl.com/safeback.html

Open Source Tools

AFFLIB
A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
foremost
gfzip
magicrescue
http://jbj.rapanden.dk/magicrescue/
pyflag
Scalpel
scrounge-ntfs
http://memberwebs.com/nielsen/software/scrounge/
Sleuthkit
Autopsy
Zeitline
Helix
A LiveCD built on top of Knoppix.
FCCU Gnu/Linux Boot CD
Also a LiveCD built on top of Knoppix, with many forensic tools.
It leaves the target devices unaltered (it does not use the swap partitions found on the devices).
gpart
http://www.stud.uni-hannover.de/user/76201/gpart/
Tries to guess the primary partition table of a PC-type hard disk when the partition table in sector 0 is damaged, incorrect or deleted.
jhead
http://www.sentex.net/~mwandel/jhead/
Displays or modifies Exif data in JPEG files.

Metadata Extraction Tools

jhead
Extracts and modifies Exif information from JPEG files.
wvWare
http://wvware.sourceforge.net/
Extracts metadata from various Microsoft Word files (doc). Can also convert doc files to other formats such as HTML or plain text.
word2x
http://word2x.sourceforge.net/
catdoc
http://www.45.free.net/~vitus/software/catdoc/
laola
http://user.cs.tu-berlin.de/~schwartz/pmh/index.html
xpdf
http://www.foolabs.com/xpdf/
pdfinfo (part of the xpdf package) displays some metadata of PDF files.
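jhead's core job, listed above under both Open Source Tools and Metadata Extraction Tools, is reading the Exif APP1 segment. As an added example (not jhead's code and not from the wiki), this walks the JPEG marker segments, finds the TIFF blob inside the Exif segment and decodes IFD0 in either byte order. The build_exif_jpeg helper constructs a header-only sample JPEG for the demonstration; its camera make, model and timestamp are made up.

```python
import struct
from typing import Optional

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation",
             0x0132: "DateTime", 0x8769: "ExifIFDPointer"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field types
INT_FMT = {3: "H", 4: "I", 9: "i"}


def find_exif(jpeg: bytes) -> Optional[bytes]:
    """Walk the JPEG marker segments and return the TIFF blob inside the APP1
    Exif segment, or None if the file carries no Exif."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI or SOS: no more header segments
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                          # stand-alone markers carry no length
            continue
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\0\0"):
            return segment[6:]
        pos += 2 + length
    return None


def parse_ifd0(tiff: bytes) -> dict:
    """Decode the entries of IFD0, honouring the byte order the header declares."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd_off = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(bo + "H", tiff[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:                          # value fits in the entry itself
            raw = tiff[e + 8:e + 8 + size]
        else:                                  # otherwise the entry holds an offset
            off = struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]
        if typ == 2:
            value = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif typ in INT_FMT:
            nums = struct.unpack(bo + INT_FMT[typ] * n, raw)
            value = nums[0] if n == 1 else nums
        else:
            value = raw
        tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = value
    return tags


def exif_tags(jpeg: bytes) -> dict:
    tiff = find_exif(jpeg)
    return parse_ifd0(tiff) if tiff else {}


def build_exif_jpeg(make: str, model: str, datetime: str, orientation: int = 1,
                    bo: str = "<") -> bytes:
    """Constructed test input: a header-only JPEG carrying an Exif IFD0."""
    entries = [(0x010F, 2, make.encode() + b"\0"),
               (0x0110, 2, model.encode() + b"\0"),
               (0x0112, 3, struct.pack(bo + "H", orientation)),
               (0x0132, 2, datetime.encode() + b"\0")]   # tags must ascend
    data_off = 8 + 2 + 12 * len(entries) + 4               # first byte after IFD0
    ifd, extra = struct.pack(bo + "H", len(entries)), b""
    for tag, typ, payload in entries:
        n = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")
        else:
            field = struct.pack(bo + "I", data_off + len(extra))
            extra += payload
        ifd += struct.pack(bo + "HHI", tag, typ, n) + field
    ifd += struct.pack(bo + "I", 0)                        # no IFD1
    tiff = (b"II" if bo == "<" else b"MM") + struct.pack(bo + "HI", 42, 8) + ifd + extra
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_exif_jpeg("Canon", "PowerShot S50", "2006:03:26 17:31:00", 6)
    print(exif_tags(sample))
```

The offsets inside an IFD entry are relative to the start of the TIFF header, not to the file, which is the usual mistake when hand-rolling an Exif reader; the parser above slices the TIFF blob, so the arithmetic stays the same whichever byte order the camera wrote.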

Network Forensics Tools

Snort
http://www.snort.org/

Anti-forensics Tools

Ontrack Data Eraser

Securely deleting data

shred
Part of GNU coreutils. Overwrites the file's blocks in place, which only helps when the filesystem really writes to the same blocks; on journaling or copy-on-write filesystems and on flash media the old data may survive elsewhere.
wipe
http://abaababa.ouvaton.org/wipe/

See also

Other Tools

VMware Player
http://www.vmware.com/products/player/
A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.