Forensics Wiki - User contributions [en]

User talk:Simsong

2008-01-08T08:12:33Z

Cmihai: Bot issues

== Categories ==

As a Wikipedia user, I have noticed that none of your articles have categories. Did you know that categories exist in MediaWiki? If yes, is there a reason? I would like to start work on it. [[Special:Categories]], http://meta.wikimedia.org/wiki/Help:Category --[[User:Midnightcomm|Midnightcomm]] 01:09, 23 April 2006 (EDT)

:Woah, I don't know much about Categories. How would I add them? What are they for?

::[http://en.wikipedia.org/wiki/Wikipedia:Categorization Categories] are used to help organize pages. I also see that there are no help articles, in the absance if them, I will be using the Wikipedia [http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style style guides]. --[[User:Midnightcomm|Midnightcomm]] 01:09, 23 April 2006 (EDT)
::<nowiki>[[Category:File Systems]]</nowiki>

:::Sounds good to me. We welcome your contributions.

:::Yay! I'm all for categories. I've started adding some (tools, licenses, OSes, ...), feel free to add more and categorize the articles. --[[User:Uwe Hermann|Uwe Hermann]] 15:03, 23 April 2006 (EDT)

::::How do you add categories? --SImson

::::: Usually you just add <nowiki>[[Category:Foobar]]</nowiki> somewhere at the bottom of the page, more info [http://meta.wikimedia.org/wiki/Help:Category here]. For the tools, I have incorporated the category into the Infobox, see [[dd]] for an example. It looks a bit stupid in the wiki source, but keeps the wiki category and the "Genre:" classification in one place, which is important IMHO. Btw, you can sign your "posts" with "<nowiki>--~~~~</nowiki>" which will expand to username and date, just like on this post. --[[User:Uwe Hermann|Uwe Hermann]] 21:45, 2 May 2006 (EDT)

Hi. We have some spambots advertising "Chinese antique furniture" on the wiki. Could also be real people, since they've gotten over the captcha, but I doubt they understand plain English. How do you generally deal with such people here? Or better said, is there someone we're supposed to notify when something like this happens like flag the article as spam or something?

Well, I guess you'll see it when you log in anyway, just thought I'd give you a heads up before it gets indexed and all that.
--[[User:Cmihai|cmihai]] 00:12, 8 January 2008 (PST)

Tools:Data Recovery

2008-01-07T22:19:22Z

Cmihai: Added Magic Rescue File Carver and MBR extraction info.

= Partition Recovery =

*[http://www.ptdd.com/index.htm Partition Table Doctor]
: Recover deleted or lost Partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).

*[http://www.diskinternals.com/ntfs-recovery/ NTFS Recovery]
: DiskInternals NTFS Recovery is a fully automatic utility that recovers data from damaged or formatted disks.

*[http://www.stud.uni-hannover.de/user/76201/gpart/ gpart]
: Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.

*[http://www.cgsecurity.org/wiki/TestDisk Testdisk]
: TestDisk is OpenSource software and is licensed under the GNU Public License (GPL).

== See Also ==

* [http://support.microsoft.com/?kbid=166997 Using Norton Disk Edit to Backup Your Master Boot Record]

== Notes ==

* "fdisk /mbr" restores the boot code in the [[Master boot record]], but not the partition itself. On newer versions of Windows you should use fixmbr, bootrec or mbrfix. You can also extract a copy of the specific standard MBR code from tools like bootrec.exe and diskpart.exe in Windows (from various offsets) and copy it to disk with dd (Use bs=446 count=1). For Windows XP SP2 c:\%WINDIR%\System32\diskpart.exe the MBR code is found between offset 1b818h and 1ba17h.

= Data Recovery =

*[http://www.toolsthatwork.com/bringback.htm BringBack]
: BringBack offers easy to use, inexpensive, and highly successful data recovery for Windows and Linux (ext2) operating systems and digital images stored on memory cards, etc.

*[http://www.runtime.org/raid.htm RAID Reconstructor]
: Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (Striping) and RAID Level 5 drives.

*[http://www.salvationdata.com Salvation Data]
: Claims to have a program that can read the "bad blocks" of Maxtor drives with proprietary commands.

* [http://www.e-rol.com/en/ e-ROL]
: Erol allows you to recover through the internet files erased by mistake. Recover your files online for free.

* [http://www.recuva.com/ Recuva]
: Recuva is a freeware Windows tool that will recover accidentally deleted files.

* [http://www.snapfiles.com/get/restoration.html Restoration]
: Restoration is a freeware Windows software that will allow you to recover deleted files

* [http://www.undelete-plus.com/ Undelete Plus]
: Undelete Plus is a free deleted file recovery tool that works for all versions of Windows (95-Vista), FAT12/16/32, NTFS and NTFS5 filesystems and can perform recovery on various solid state devices.

* [http://www.data-recovery-software.net/ R-Studio]
: R-Studio is a data recovery software suite that can recover files from FAT(12-32), NTFS, NTFS 5, HFS/HFS+, FFS, UFS/UFS2 (*BSD, Solaris), Ext2/Ext3 (Linux) and so on.

=Carving=
*[http://www.datalifter.com/products.htm DataLifter® - File Extractor Pro]
: Data carving runs on multiple threads to make use of modern processors

*[http://foremost.sourceforge.net/ Foremost]
: Foremost is a console program to recover files based on their headers, footers, and internal data structures.

*[http://www.digitalforensicssolutions.com/Scalpel/ Scalpel]
: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.

*[[EnCase]]
: EnCase comes with some eScripts that will do carving.

*[http://ocfa.sourceforge.net/libcarvpath/ CarvFs]
: A virtual filesystem (fuse) implementation that can provide carving tools with the posibility to do recursive multi tool zero-storage carving (also called in-place carving). Patches and scripts for scalpel and foremost are provided. Works on raw and encase images.

*[http://ocfa.sourceforge.net/libcarvpath/ LibCarvPath]
: A shared library that allows carving tools to use zero-storage carving on carvfs virtual files.

*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]
: PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its 'Photo Recovery' name) from digital camera memory.

*[http://www.datarescue.com/photorescue/ PhotoRescue]
: Datarescue PhotoRescue Advanced is picture and photo data recovery solution made by the creators of IDA Pro. PhotoRescue will undelete, unerase and recover pictures and files lost on corrupted, erased or damaged compact flash (CF) cards, SD Cards, Memory Sticks, SmartMedia and XD cards.

* [https://www.uitwisselplatform.nl/projects/revit RevIt]
: RevIt (Revive It) is an experimental carving tool, initially developed for the DFRWS 2006 carving challenge. It uses 'file structure based carving'. Note that RevIt currently is a work in progress.

* [http://jbj.rapanden.dk/magicrescue/ Magic Rescue]
: Magic Rescue is a file carving tool that uses "magic bytes" in a file contents to recover data.

Tools:Network Forensics

2007-12-21T14:30:17Z

Cmihai: snoop on Solaris

=Network Forensics Packages and Appliances=
; [[Burst]]
: http://www.burstmedia.com/release/advertisers/geo_faq.htm
: Expensive IP geo-location service.

; [[chkrootkit]]
: http://www.chkrootkit.org

; [[cryptcat]]
: http://farm9.org/Cryptcat/

; [[Enterasys Dragon]]
: http://www.enterasys.com/products/advanced-security-apps/index.aspx Instrusion Detection System includes session reconstruction.

; [[MaxMind]]
: http://www.maxmind.com
: [[IP geolocation]] services and data provider for off-line geotagging. Free GeoLite country database. Programmable APIs.

; [[netcat]]
: http://netcat.sourceforge.net/

; [[netflow]]/[[flowtools]]
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
: http://www.splintered.net/sw/flow-tools/
: http://silktools.sourceforge.net/
: http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (vmWare)

; NetIntercept
: http://www.sandstorm.net/products/netintercept
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
; [[rkhunter]]
: http://rkhunter.sourceforge.net/

; [[ngrep]]
: http://ngrep.sourceforge.net/

; [[nslookup]]
: http://en.wikipedia.org/wiki/Nslookup Name Server Lookup command line tool used to find IP address from domain name

; [[Sguil]]
: http://sguil.sourceforge.net/

; [[Snort]]
: http://www.snort.org/

; [[ssldump]]
: http://ssldump.sourceforge.net/

; [[Tcpdump]]
: http://www.tcpdump.org

; [[tcpextract]]
: http://tcpxtract.sourceforge.net/

; [[tcpflow]]
: http://www.circlemud.org/~jelson/software/tcpflow/

; [[truewitness]]
: http://www.nature-soft.com/forensic.html
: Linux/open-source. Based in India.

; [[etherpeek]]
: http://www.wildpackets.com/products/etherpeek/overview

; [[Whois]]
: http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
: http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN

; [[IP Regional Registries]]
: http://www.arin.net/community/rirs.html
: http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
: http://www.afrinic.net/ African Network Information Center (AfriNIC)
: http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
: http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
: http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)

; [[Wireshark/Ethereal]]
: http://www.wireshark.org/
: Open Source protocol analyzer previously known as ethereal.

=Command-line tools=

[[arp]] - view the contents of your ARP cache

[[ifconfig]] - view your mac and IP address

[[ping]] - send packets to probe remote machines

[[tcpdump]] - capture packets

[[snoop]] - captures packets from the network and displays their contents - [[Solaris]]

[[nemesis]] - create arbitrary packets

[[tcpreplay]] - replay captured packets

[[traceroute]] - view a network path

[[gnetcast]] - GNU rewrite of netcat

[[packit]] - Packet generator

[[nmap]]

==ARP and Ethernet MAC Tools==

[[arping]] - transmit ARP traffic

[[arpdig]] - probe LAN for MAC addresses

[[arpwatch]] - Watch ARP changes

[[arp-sk]] Perform denial of service attacks

[[macof]] CAM table attacks

[[ettercap]] Performs various low-level Ethernet network attacks.

==CISCO Discovery Protocol Tools==
[[cdpd]] - Transmit and receive CDP announcements; provides forgery capabilities.

==ICMP Layer Tests and Attacks==
[[icmp-reset]]

[[icmp-quench]]

[[icmp-mtu]]

[[ish]] - ICMP shell (like SSH, but uses ICMP)

[[isnprober]]

==IP Layer Tests==
[[iperf]] - IP multicast test

[[fragtest]] IP fragment reassembly test

==UDP Layer Tests==

[[udpcast]] - Includes udp-receiver and udp-sender

==TCP Layer==

[[lft]] http://pwhois.org/lft - TCP tracing

[[etrace]] http://www.bindshell.net/tools/etrace

[[firewalk]] http://www.packetfactory.net

Tools:File Analysis

2007-12-20T16:45:00Z

Cmihai: GnuWin32, SUA

== Image Analysis ==
; [[SurfRecon LE rapid image analysis tool]], by SurfRecon, Inc.
: http://www.surfrecon.com

== Open Source Tools ==

; [[file]]
: The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes.

; [[ldd]]
: list dynamic dependencies of executable files

; [[truss]]
: Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends the output to stderr.
: http://docs.sun.com/app/docs/doc/819-2239/truss-1?l=en&a=view&q=truss

; [[ltrace]]
: Library call tracer
: http://linux.die.net/man/1/ltrace

; [[strace]]
: System Call Tracer
: http://sourceforge.net/projects/strace/

; [[xtrace]]
: eXtended trace utility, similar to strace, ptrace, truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping call stack and more.
: http://sourceforge.net/projects/xtrace/

; [[ktrace]]
: Enables kernel process tracing on OpenBSD.
: http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

; [[Valgrind]]
: Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired.
: http://valgrind.org/

; [[DTrace]]
: Comprehensive dynamic tracing framework for Solaris (also ported to MacOS X - XRays and FreeBSD). DTrace provides a powerful infrastructure to permit investigation of the behavior of the operating system and user programs.
: http://www.sun.com/bigadmin/content/dtrace/

; [[strings]]
: Strings will print the strings of printable characters in files. It allows choosing different charactersets (ASCII, UNICODE). It is a quick way to browse through files/partitions/... in order to look for words, filenames, keywords etc.

; [[Galleta]]
: Parses cookie files. http://www.foundstone.com/resources/proddesc/galleta.htm

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[Pasco]]
; Parses '''index.dat'' files. http://www.foundstone.com/resources/proddesc/pasco.htm

; [[Rifiuti]]
; Examines the INFO2 file in the Recycle Bin http://www.foundstone.com/resources/proddesc/rifiuti.htm

; [[yim2text]]
; Extracts the 'encrypted' info in yahoo instant messenger log files. http://www.1vs0.com/tools.html

; [[Hachoir]]
: determines the file type using file header/footer (hachoir-metadata --type), able to list strings in Unicode (hachoir-grep), etc. Support more than 60 file formats.

; [[Cygwin]]
: http://www.cygwin.com/
: Linux like environment for Windows

; [[UnxUtils]]
: http://unxutils.sourceforge.net/
: Common unix utilities compiled for a Windows environment.

; [[GnuWin32]]
: http://gnuwin32.sourceforge.net/
: Common GNU utilities compiled for a Windows Environment.

; [[SUA]]
: http://www.microsoft.com/windowsserver2003/R2/unixcomponents/webinstall.mspx
: Microsoft Subsystem for UNIX-based Applications.

== File Sharing Analysis Tools ==
; [[P2PMarshal|P2P Marshal]]
: Tools to discover and analyze peer-to-peer files for Windows.

== [[NDA]] and [[scoped distribution]] tools ==

Tools:File Analysis

2007-12-20T16:33:32Z

Cmihai: Added ldd, truss, strace, ltrace, ktrace, valgrind, xtrace, DTrace

== Image Analysis ==
; [[SurfRecon LE rapid image analysis tool]], by SurfRecon, Inc.
: http://www.surfrecon.com

== Open Source Tools ==

; [[file]]
: The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes.

; [[ldd]]
: list dynamic dependencies of executable files

; [[truss]
: Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends the output to stderr.
: http://docs.sun.com/app/docs/doc/819-2239/truss-1?l=en&a=view&q=truss

; [[ltrace]]
: Library call tracer
: http://linux.die.net/man/1/ltrace

; [[strace]]
: System Call Tracer
: http://sourceforge.net/projects/strace/

; [[xtrace]]
: eXtended trace utility, similar to strace, ptrace, truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping call stack and more.
: http://sourceforge.net/projects/xtrace/

; [[ktrace]]
: Enables kernel process tracing on OpenBSD.
: http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

; [[Valgrind]]
: Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired.
: http://valgrind.org/

; [[DTrace]]
: Comprehensive dynamic tracing framework for Solaris (also ported to MacOS X - XRays and FreeBSD). DTrace provides a powerful infrastructure to permit investigation of the behavior of the operating system and user programs.
: http://www.sun.com/bigadmin/content/dtrace/

; [[strings]]
: Strings will print the strings of printable characters in files. It allows choosing different charactersets (ASCII, UNICODE). It is a quick way to browse through files/partitions/... in order to look for words, filenames, keywords etc.

; [[Galleta]]
: Parses cookie files. http://www.foundstone.com/resources/proddesc/galleta.htm

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[Pasco]]
; Parses '''index.dat'' files. http://www.foundstone.com/resources/proddesc/pasco.htm

; [[Rifiuti]]
; Examines the INFO2 file in the Recycle Bin http://www.foundstone.com/resources/proddesc/rifiuti.htm

; [[yim2text]]
; Extracts the 'encrypted' info in yahoo instant messenger log files. http://www.1vs0.com/tools.html

; [[Hachoir]]
: determines the file type using file header/footer (hachoir-metadata --type), able to list strings in Unicode (hachoir-grep), etc. Support more than 60 file formats.

; [[Cygwin]]
: http://www.cygwin.com/
: Linux like environment for Windows

; [[UnxUtils]]
: http://unxutils.sourceforge.net/
: Common unix utilities compiled for a Windows environment.

== File Sharing Analysis Tools ==
; [[P2PMarshal|P2P Marshal]]
: Tools to discover and analyze peer-to-peer files for Windows.

== [[NDA]] and [[scoped distribution]] tools ==

Thumbs.db

2007-12-20T16:21:27Z

Cmihai: Added MiTeC Windos File Analyzer for thumbs.db extraction

Thumbs.db is a file created by windows when thumbnail view is used. It is a hidden file not viewed by most users and not updated when files are moved from a folder which images have passed through or deleted. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their windows folders.

The thumbnails in Thumbs.db are stored in a OLE 2 Compound Document format. It's the same format that MS Office uses.

There is a forensic application developed under the open source project over at sourceforge called vinetto at http://sourceforge.net/projects/vinetto that can extract them. It does require a python enviornment. Additionally there are several other java solutions based around the Jakarta project that is apart of Apache. Additional resources about thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf.

MiTeC Windows File Analyzer [http://www.mitec.cz/wfa.html] is a tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. It will print a report of analyzed files.

=Windows Vista=
Thumbs.db no longer exists in Vista. This data has been moved to ''User Profile/Application Data/Microsoft Internet Explorer/Thumbscache32, 96 and 128'''

Tools:Data Recovery

2007-12-20T16:16:52Z

Cmihai: Links

= Partition Recovery =

*[http://www.ptdd.com/index.htm Partition Table Doctor]
: Recover deleted or lost Partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).

*[http://www.diskinternals.com/ntfs-recovery/ NTFS Recovery]
: DiskInternals NTFS Recovery is a fully automatic utility that recovers data from damaged or formatted disks.

*[http://www.stud.uni-hannover.de/user/76201/gpart/ gpart]
: Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.

*[http://www.cgsecurity.org/wiki/TestDisk Testdisk]
: TestDisk is OpenSource software and is licensed under the GNU Public License (GPL).

== See Also ==

* [http://support.microsoft.com/?kbid=166997 Using Norton Disk Edit to Backup Your Master Boot Record]

== Notes ==

* "fdisk /mbr" restores the boot code in the [[Master boot record]], but not the partition itself. On newer versions of Windows you should use fixmbr, bootrec or mbrfix.

= Data Recovery =

*[http://www.toolsthatwork.com/bringback.htm BringBack]
: BringBack offers easy to use, inexpensive, and highly successful data recovery for Windows and Linux (ext2) operating systems and digital images stored on memory cards, etc.

*[http://www.runtime.org/raid.htm RAID Reconstructor]
: Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (Striping) and RAID Level 5 drives.

*[http://www.salvationdata.com Salvation Data]
: Claims to have a program that can read the "bad blocks" of Maxtor drives with proprietary commands.

* [http://www.e-rol.com/en/ e-ROL]
: Erol allows you to recover through the internet files erased by mistake. Recover your files online for free.

* [http://www.recuva.com/ Recuva]
: Recuva is a freeware Windows tool that will recover accidentally deleted files.

* [http://www.snapfiles.com/get/restoration.html Restoration]
: Restoration is a freeware Windows software that will allow you to recover deleted files

* [http://www.undelete-plus.com/ Undelete Plus]
: Undelete Plus is a free deleted file recovery tool that works for all versions of Windows (95-Vista), FAT12/16/32, NTFS and NTFS5 filesystems and can perform recovery on various solid state devices.

* [http://www.data-recovery-software.net/ R-Studio]
: R-Studio is a data recovery software suite that can recover files from FAT(12-32), NTFS, NTFS 5, HFS/HFS+, FFS, UFS/UFS2 (*BSD, Solaris), Ext2/Ext3 (Linux) and so on.

=Carving=
*[http://www.datalifter.com/products.htm DataLifter® - File Extractor Pro]
: Data carving runs on multiple threads to make use of modern processors

*[http://foremost.sourceforge.net/ Foremost]
: Foremost is a console program to recover files based on their headers, footers, and internal data structures.

*[http://www.digitalforensicssolutions.com/Scalpel/ Scalpel]
: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.

*[[EnCase]]
: EnCase comes with some eScripts that will do carving.

*[http://ocfa.sourceforge.net/libcarvpath/ CarvFs]
: A virtual filesystem (fuse) implementation that can provide carving tools with the posibility to do recursive multi tool zero-storage carving (also called in-place carving). Patches and scripts for scalpel and foremost are provided. Works on raw and encase images.

*[http://ocfa.sourceforge.net/libcarvpath/ LibCarvPath]
: A shared library that allows carving tools to use zero-storage carving on carvfs virtual files.

*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]
: PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its 'Photo Recovery' name) from digital camera memory.

*[http://www.datarescue.com/photorescue/ PhotoRescue]
: Datarescue PhotoRescue Advanced is picture and photo data recovery solution made by the creators of IDA Pro. PhotoRescue will undelete, unerase and recover pictures and files lost on corrupted, erased or damaged compact flash (CF) cards, SD Cards, Memory Sticks, SmartMedia and XD cards.

* [https://www.uitwisselplatform.nl/projects/revit RevIt]
: RevIt (Revive It) is an experimental carving tool, initially developed for the DFRWS 2006 carving challenge. It uses 'file structure based carving'. Note that RevIt currently is a work in progress.

Tools:Data Recovery

2007-12-20T16:15:36Z

Cmihai: NTFS-Recovery, R-Studio, Undelete Plus, Photorescue, mbrfix, fixmbr, bootrec

= Partition Recovery =

*[http://www.ptdd.com/index.htm Partition Table Doctor]
: Recover deleted or lost Partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).

*[http://www.diskinternals.com/ntfs-recovery/]
: DiskInternals NTFS Recovery is a fully automatic utility that recovers data from damaged or formatted disks.

*[http://www.stud.uni-hannover.de/user/76201/gpart/ gpart]
: Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.

*[http://www.cgsecurity.org/wiki/TestDisk Testdisk]
: TestDisk is OpenSource software and is licensed under the GNU Public License (GPL).

== See Also ==

* [http://support.microsoft.com/?kbid=166997 Using Norton Disk Edit to Backup Your Master Boot Record]

== Notes ==

* "fdisk /mbr" restores the boot code in the [[Master boot record]], but not the partition itself. On newer versions of Windows you should use fixmbr, bootrec or mbrfix.

= Data Recovery =

*[http://www.toolsthatwork.com/bringback.htm BringBack]
: BringBack offers easy to use, inexpensive, and highly successful data recovery for Windows and Linux (ext2) operating systems and digital images stored on memory cards, etc.

*[http://www.runtime.org/raid.htm RAID Reconstructor]
: Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (Striping) and RAID Level 5 drives.

*[http://www.salvationdata.com Salvation Data]
: Claims to have a program that can read the "bad blocks" of Maxtor drives with proprietary commands.

* [http://www.e-rol.com/en/ e-ROL]
: Erol allows you to recover through the internet files erased by mistake. Recover your files online for free.

* [http://www.recuva.com/ Recuva]
: Recuva is a freeware Windows tool that will recover accidentally deleted files.

* [http://www.snapfiles.com/get/restoration.html Restoration]
: Restoration is a freeware Windows software that will allow you to recover deleted files

* [http://www.undelete-plus.com/]
: Undelete Plus is a free deleted file recovery tool that works for all versions of Windows (95-Vista), FAT12/16/32, NTFS and NTFS5 filesystems and can perform recovery on various solid state devices.

* [http://www.data-recovery-software.net/]
: R-Studio is a data recovery software suite that can recover files from FAT(12-32), NTFS, NTFS 5, HFS/HFS+, FFS, UFS/UFS2 (*BSD, Solaris), Ext2/Ext3 (Linux) and so on.

=Carving=
*[http://www.datalifter.com/products.htm DataLifter® - File Extractor Pro]
: Data carving runs on multiple threads to make use of modern processors

*[http://foremost.sourceforge.net/ Foremost]
: Foremost is a console program to recover files based on their headers, footers, and internal data structures.

*[http://www.digitalforensicssolutions.com/Scalpel/ Scalpel]
: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.

*[[EnCase]]
: EnCase comes with some eScripts that will do carving.

*[http://ocfa.sourceforge.net/libcarvpath/ CarvFs]
: A virtual filesystem (fuse) implementation that can provide carving tools with the posibility to do recursive multi tool zero-storage carving (also called in-place carving). Patches and scripts for scalpel and foremost are provided. Works on raw and encase images.

*[http://ocfa.sourceforge.net/libcarvpath/ LibCarvPath]
: A shared library that allows carving tools to use zero-storage carving on carvfs virtual files.

*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]
: PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its 'Photo Recovery' name) from digital camera memory.

*[http://www.datarescue.com/photorescue/]
: Datarescue PhotoRescue Advanced is picture and photo data recovery solution made by the creators of IDA Pro. PhotoRescue will undelete, unerase and recover pictures and files lost on corrupted, erased or damaged compact flash (CF) cards, SD Cards, Memory Sticks, SmartMedia and XD cards.

* [https://www.uitwisselplatform.nl/projects/revit RevIt]
: RevIt (Revive It) is an experimental carving tool, initially developed for the DFRWS 2006 carving challenge. It uses 'file structure based carving'. Note that RevIt currently is a work in progress.

Tools

2007-12-20T16:08:25Z

Cmihai: Added SNARL FreeBSD forensics LiveCD and Penguin Sleuthkit

This is an '''overview of available tools''' for forensic [[investigator]]s. Please click on the name of any tool for more details.

'''Note: This page has gotten too big and is being broken up. See:'''
* [[Tools:Data Recovery]] (including file carving)
* [[:Category:Disk Imaging]]
* [[Tools:File Analysis]]
* [[Tools:Memory Imaging]]
* [[:Category:Secure_deletion]]

= Disk Analysis Tools =
== Hard Drive Firmware and Diagnostics Tools ==
; [[PC-3000]], from [[DeepSpar Data Recovery Systems]]
: http://www.deepspar.com/products-pc-3000-drive.html
: http://www.pc-3000.com/

== Linux-based Tools ==
; [[LINReS]], by [[NII Consulting Pvt. Ltd.]]
: http://www.niiconsulting.com/innovation/linres.html

; [[SMART]], by [[ASR Data]]
: http://www.asrdata.com

== Macintosh-based Tools ==

; [[Macintosh Forensic Software]], by [[BlackBag Technologies, Inc.]]
: http://www.blackbagtech.com/software_mfs.html

; [[MacForensicsLab]], by [[Subrosasoft]]
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicLab-Subrosasoft]

== Windows-based Tools ==

; [[BringBack]] by [[Tech Assist, Inc.]]
: http://www.toolsthatwork.com/bringback.htm

; [[EMail Detective - Forensic Software Tool]] by [[Hot Pepper Technology, Inc]]
; http://www.hotpepperinc.com/emd

; [[EnCase]], by [[Guidance Software]]
: http://www.guidancesoftware.com/

; [[fbi (tool)|fbi]], by [[Nuix Pty Ltd]]
: http://www.nuix.com

; [[Forensic Toolkit]] ([[FTK]]), by [[AccessData]]
: http://www.accessdata.com/products/ftk/

; [[ILook Investigator]], by [[Elliot Spencer]] and [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
: http://www.ilook-forensics.org/

; [[OnLineDFS]] by [[Cyber Security Technologies]]
: http://www.cyberstc.com/

; [[P2 Power Pack]] by [[Paraben]]
: https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187

; [[Safeback]] by [[NTI]] and [[Armor Forensics]]
: http://www.forensics-intl.com/safeback.html

; [[X-Ways Forensics]] by [[X-Ways AG]]
: http://www.x-ways.net/forensics/index-m.html

; [[Prodiscover]] by [[Techpathways]]
: http://www.techpathways.com/ProDiscoverWindows.htm

== Open Source Tools ==

; [[AFFLIB]]
: A library for working with [[disk image]]s. Currently AFFLIB supports raw, [[AFF]], [[AFD]], and [[EnCase]] file formats. Work to support segmented raw, [[iLook]], and other formats is ongoing.

; [[Autopsy]]
: http://www.sleuthkit.org/autopsy/desc.php

; [[foremost]]
: http://foremost.sf.net/
: [[Linux]] based file carving program

; [[Scalpel]]
: http://www.digitalforensicssolutions.com/Scalpel/
: [[Linux]] and [[Windows]] file carving program originally based on [[foremost]].

; [[FTimes]]
: http://ftimes.sourceforge.net/FTimes/index.shtml
: FTimes is a system baselining and evidence collection tool.

; [[gfzip]]
: http://www.nongnu.org/gfzip/

; [[gpart]]
: http://www.stud.uni-hannover.de/user/76201/gpart/
: Tries to ''guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted''.

; [[magicrescue]]
: http://jbj.rapanden.dk/magicrescue/

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[pyflag]]
: http://www.pyflag.net/PyFlagWiki/
: web-based, database-backed forensic and log analysis GUI written in Python.

; [[scrounge-ntfs]]
: http://memberwebs.com/nielsen/software/scrounge/

; [[Sleuthkit]]
: http://www.sleuthkit.org/

; [[The Coroner's Toolkit]] ([[TCT]])
: http://www.porcupine.org/forensics/tct.html

; [[Zeitline]] --- Forensic timeline editor
: http://projects.cerias.purdue.edu/forensics/timeline.php
: http://sourceforge.net/projects/zeitline/

; [[Hachoir]]
: A generic framework for binary file manipulation, it supports [[FAT12]], [[FAT16]], [[FAT32]], [[ext2|ext2/ext3]], Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).

== [[NDA]] and [[scoped distribution]] tools ==

= Enterprise Tools (Proactive Forensics)=

; [[P2 Enterprise Edition]] by [[Paraben]]
: http://www.paraben-forensics.com/enterprise_forensics.html

; [[LiveWire Investigator 2008]] by [[WetStone Technologies]]
: http://www.wetstonetech.com/f/livewire2008.html

= Forensics Live CDs =

; [[FCCU Gnu/Linux Boot CD]]
: A Live CD built on top of [[Knoppix]] with a lot of tools with forensic purpose.
: It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.

; [[Helix]]
: A Live CD built on top of [[Knoppix]] with special tools for [[Incident Response|incident response]] and electronic discovery.
: Its a hybrid CD which also contains a [[Cygwin]] environment for use on a running Windows system (w/o rebooting) including the Sysinternals tools.

; [[SNARL]]
; A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
; http://sourceforge.net/projects/snarl/

; [[Knoppix STD]]
: A Live CD built on top of [[Knoppix]].
: http://s-t-d.org/

; [[Penguin Sleuthkit]
; A Linux LiveCD that includes SleuthKit.
; http://penguinsleuth.org/

; [[THE FARMER'S BOOT CD]]
: A [[Linux]] [[Live CD]], designed and optimized for previewing data in a [[forensically sound]] manner. It contains a number of programs forensic practitioners can utilize to preview both [[Windows]] and [[Linux]] systems.

; [[MacQuisition Boot CD]]
: A forensic [[Live CD]] built for imaging [[Macintosh]] systems.

; [[DEFT Linux]]
: A Live CD built on top of [[Xubuntu]] with the best tools for computer forensics and incident response.
: It is very easy to use with a lot of device drivers. The first live CD with [[AFF]] and dhash.
: http://deft.yourside.it

; [[Recovery Is Possible]]
: A [[Linux]] [[Live CD]] with a number of recovery applications such as [[TestDisk]], [[PhotoRec]] etc.
: http://www.tux.org/pub/people/kent-robotti/looplinux/rip/

; [[Ubuntu-Rescue-Remix]]
: Ubuntu-rescue-remix is a live cd that provides the data recovery expert with an environment equipped with the best free-libre, open source data recovery and forensics tools available. Since many of those libraries and tools are part of the Ubuntu Installer, it makes sense to remix Ubuntu into a lightweight and powerful environment for data recovery. This project was formerly known as Rescubuntu.
:http://ubuntu-rescue-remix.org/

= Metadata Extraction Tools =

; [[antiword]]
: http://www.winfield.demon.nl/

; [[catdoc]]
: http://www.45.free.net/~vitus/software/catdoc/

; [[jhead]]
: http://www.sentex.net/~mwandel/jhead/
: Displays or modifies [[Exif]] data in [[JPEG]] files.

; [[laola]]
: http://user.cs.tu-berlin.de/~schwartz/pmh/index.html

; [[vinetto]]
: http://vinetto.sourceforge.net/
: Examines [[Thumbs.db]] files.

; [[word2x]]
: http://word2x.sourceforge.net/

; [[wvWare]]
: http://wvware.sourceforge.net/
: Extracts metadata from various [[Microsoft]] Word files ([[doc]]). Can also convert doc files to other formats such as HTML or plain text.

; [[xpdf]]
: http://www.foolabs.com/xpdf/
: [[pdfinfo]] (part of the [[xpdf]] package) displays some metadata of [[PDF]] files.

; [[Metadata Assistant]]
: http://www.payneconsulting.com/products/metadataent/

; hachoir-metadata: part of '''[[Hachoir]]''' project

= Personal Digital Device Tools=

== PDA Forensics ==
; [[Paraben PDA Seizure]]
; [[Paraben PDA Seizure Toolbox]]
; [[PDD]]

== Cell Phone Forensics ==
; [[BitPIM]]
; [[DataPilot Secure View]]
; [[GSM .XRY]]
; [[Fernico ZRT]]
; [[ForensicMobile]]
; [[LogiCube CellDEK]]
; [[MOBILedit!]]
; [[Oxygen PM II]]
; [[Paraben Device Seizure]]
; [[Paraben Device Seizure Toolbox]]
; [[Serial Port Monitoring]]
; [[TULP2G]]

== SIM Card Forensics ==
; [[ForensicSIM]]
; [[Paraben Device Seizure]]
; [[SIMCon]]

== Preservation Tools ==
; [[Paraben StrongHold Bag]]
; [[Paraben StrongHold Tent]]

= Other Tools =

; [[VMware]] Player
: http://www.vmware.com/products/player/
: http://en.wikipedia.org/wiki/VMware#VMware_Workstation
: A free player for [[VMware]] [[virtual machine]]s that will allow them to "play" on either [[Windows]] or [[Linux]]-based systems.

; [[VMware]] Server
: http://www.vmware.com/products/server/
: The free server product, for setting up/configuring/running [[VMware]] [[virtual machine]].Important difference being that it can run 'headless', i.e. everything in background.

; Computer Forensics Toolkit
: http://computer-forensics.privacyresources.org
: This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.

; Webtracer
: http://www.forensictracer.com
: Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)

; Live View
: http://liveview.sourceforge.net/
: Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine]] out of a dd disk image or physical disk.

; Parallels VM
: http://www.parallels.com/
: http://en.wikipedia.org/wiki/Parallels_Workstation

; Microsoft Virtual PC
: http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
: http://en.wikipedia.org/wiki/Virtual_PC

; The Onion Router (TOR)
: http://tor.eff.org/
: http://en.wikipedia.org/wiki/Tor_(anonymity_network)
: Network anonymizer designed to make traffic analysis difficult.

== Hex Editors ==

; [[biew]]
: http://biew.sourceforge.net/en/biew.html

; [[hexdump]]
: ...

; [[HexFiend]]
: A hex editor for Apple OS X
: http://ridiculousfish.com/hexfiend/

; [[Hex Workshop]]
: A hex editor from [[BreakPoint Software, Inc.]]
: http://www.bpsoft.com

; [[khexedit]]
: http://docs.kde.org/stable/en/kdeutils/khexedit/index.html

; [[WinHex]]
: Computer forensics software, data recovery software, hex editor, and disk editor from [[X-Ways]].
: http://www.x-ways.net/winhex

; [[xxd]]
: ...

= Telephone Scanners/War Dialers =

;PhoneSweep
:http://www.sandstorm.net/products/phonesweep/
:PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.

Blogs

2007-12-20T16:02:02Z

Cmihai: Added unixsadm

[[Computer forensics]] related '''blogs'''.

= English-Language Blogs =

== Forensic Blogs ==

* [http://computer.forensikblog.de/en/ Andreas Schuster - Computer Forensics Blog]
* [http://www.niiconsulting.com/checkmate/ Checkmate - e-zine on Digital Forensics and Incident Response]
* [http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html Jack Koziol - Ethical Hacking and Computer Forensics]
* [http://fleet.typepad.com/lukeup/ SecurityBros.com - Hacking, Forensics & Security]
* [http://windowsir.blogspot.com/ Windows Incident Response Blog] by [[Harlan Carvey]]
* [http://geschonneck.com/ Alexander Geschonneck - Computer Forensics Blog]
* [http://forensicblog.org/ Michael Murr - Computer Forensics Blog]
* [http://forenshick.blogspot.com/ Jordan Farr - Forensic news, Technology, TV, and more]
* [http://unixsadm.blogspot.com/ Criveti Mihai - UNIX, OpenVMS and Windows System Administration, Digital Forensics, High Performance Computing, Clustering and Distributed Systems]

== Related Blogs ==

* [http://www.c64allstars.de C64Allstars Blog]
* [http://www.emergentchaos.com/ Adam Shostack - Emergent Chaos]
* [http://jeffjonas.typepad.com/ Jeff Jonas - Inventor of NORA discusses privacy and all things digital]
* [http://www.cs.uno.edu/~golden/weblog Digital Forensics, Coffee, Benevolent Hacking] - Written by [[Golden G. Richard III]]

= Non-English Language =

=== French ===

* [http://forensics-dev.blogspot.com Forensics-dev] ([http://translate.google.com/translate?u=http%3A%2F%2Fforensics-dev.blogspot.com%2F&langpair=fr%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

=== German ===

* [http://computer.forensikblog.de/ Andreas Schuster - Computer Forensik Blog Gesamtausgabe] ([http://computer.forensikblog.de/en/ English version])
* [http://computer-forensik.org Alexander Geschonneck - computer-forensik.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.computer-forensik.org&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://henrikbecker.blogspot.com Henrik Becker - Digitale Beweisführung] ([http://translate.google.com/translate?u=http%3A%2F%2Fhenrikbecker.blogspot.com&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

=== Spanish ===

* [http://www.forensic-es.org/blog forensic-es.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.forensic-es.org%2Fblog&langpair=es%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
* [http://www.inforenses.com Javier Pages - InForenseS] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.inforenses.com&langpair=es%7Cen&hl=es&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])

Solaris

2007-12-20T15:22:28Z

Cmihai: Links, FS

'''Solaris''' is a highly scalable enterprise grade [[UNIX]] Operating System from [[Sun Microsystems]]. Solaris is known to run on [[SPARC]] and x86/x86-64 architectures, although it has also been ported to [[PowerPC]] and IBM [[zSeries]] [[mainframes]] in a joint effort with [[IBM]].

Commonly used filesystems and / or volume managers on the Solaris Operating System are [[UFS]], [[ZFS]], [[SAMFS]], [[QFS]], Veritas [VxFS] and Veritas [VxVM], [[AVS]] as well as the Solaris Volume Manager ([[Solstice]]).

== External Links ==

* [http://www.sun.com/solaris Sun Solaris homepage]
* [http://www.sun.com/blueprints/0405/819-2262.pdf Sun Blueprints - Using Computer Forensics When Investigating System Attacks]
* [http://www.opensolaris.org The OpenSolaris project]
* [http://www.phptr.com/content/images/0131482092/samplechapter/mcdougall_ch15.pdf Solaris Internals - The UFS File System - specifications, on disk layout]
* [http://www.solarisinternals.com/si/reading/sunworldonline/swol-05-1999/swol-05-filesystem.html Solaris Internals - Getting to know the Solaris filesystems]

[[Category:Operating systems]]

Solaris

2007-12-20T15:20:47Z

Cmihai: Filesystems, Links

Solaris

2007-12-20T15:18:06Z

Cmihai: Solaris, Sun Blueprints Forensics documents

'''Solaris''' is a highly scalable enterprise grade [[UNIX]] Operating System from [[Sun Microsystems]]. Solaris is known to run on [[SPARC]] and x86/x86-64 architectures, although it has also been ported to [[PowerPC]] and IBM [[zSeries]] [[mainframes]] in a joint effort with [[IBM]].

Commonly used filesystems and / or volume managers on the Solaris Operating System are [[UFS]], [[ZFS]], [[SAMFS]], [[QFS]], Veritas [VxFS] and Veritas [VxVM], [[AVS]] as well as the Solaris Volume Manager ([[Solstice]]).

== External Links ==

* [www.sun.com/solaris Sun Solaris homepage]
* [www.sun.com/blueprints/0405/819-2262.pdf Sun Blueprints - Using Computer Forensics When Investigating System Attacks]
* [http://www.opensolaris.org The OpenSolaris project]

[[Category:Operating systems]]

User talk:Jessek

2007-12-20T08:49:30Z

Cmihai: Hello

== Mutt Header Format corrections ==

Thank you for your corrections, i'm not realy good with english :( if you wont to jabber me try: fishor.bug.track # gmail # com
: My pleasure! [[User:Jessek|Jessek]] 09:16, 8 August 2007 (PDT)

== Hello ==

Just wanted to drop by and say "Hello". That, and to see who the people maintaining and editing this wiki are and all that, you know. :-). Anyway, I've enjoyed using Foremost so thanks for that too.
-[[User:Cmihai|cmihai]] 00:49, 20 December 2007 (PST)

Ext2

2007-12-20T08:39:39Z

Cmihai: Ext2

'''ext2''' or the '''second extended file system''' is a [[Linux]] filesystem designed as a replacement for ext. Note that [[ext3]] is mostly compatible with ext2.

The [[SleuthKit]] and [[R-Studio]] can be used to perform recovery of data from the EXT2 filesystem. Various data carving tools like [[Foremost]] and [[Scalpel]] also support the ext2 filesystem.

== Links ==

* [http://en.wikipedia.org/wiki/Ext2 Wikipedia article on EXT2]
* [http://www.nongnu.org./ext2-doc/ext2.html Layout of the EXT2 Filesystem]
* [http://fedora.linuxsir.org/doc/ext2undelete/Ext2fs-Undeletion.html Linux Ext2fs Undeletion mini-HOWTO]
* [http://unixsadm.blogspot.com/2007/11/ext2-filesystem-for-linux-and-solaris.html Using ext2 on other systems]

[[Category:Disk file systems]]

FTimes

2007-12-20T07:53:48Z

Cmihai: Fixed Infobox, added Limitations, DFRWS challange info.

{{Infobox_Software |
name = FTimes |
maintainer = [[Klayton Monroe]] |
os = {{Multiplatform}} |
genre = [[Evidence collection]] |
license = {{BSD}} |
website = [http://ftimes.sourceforge.net/ ftimes.sf.net] |
}}

'''FTimes''', short for '''File Topography and Integrity Monitoring on an Enterprise Scale''' is a system baselining and evidence collection tool designed for incident response, evidence collection (alternate data streams, hidden files), content integrity monitoring, intrusion analysis and computer forensics.

== Limitations ==

FTimes does not collect all possible attributes on every supported platform.

== External Links ==

* [http://ftimes.sourceforge.net/ The FTimes Project Homepage]
* [http://unixsadm.blogspot.com/2007/11/building-ftimes-on-windows-using-visual.html Building FTimes on Windows using Visual Studio]
* [http://www.korelogic.com/Resources/Projects/dfrws_challenge_2006/ DFRWS 2006 File Carving Challenge - using FTimes]

FTimes

2007-12-20T07:43:40Z

Cmihai: FTimes tool

{{Infobox_Software |
name = FTimes |
os = {{Multiplatform} |
genre = [[Evidence collection]] |
license = {{BSD}} |
website = [http://ftimes.sourceforge.net/ ftimes.sf.net] |
}}

'''FTimes''', short for '''File Topography and Integrity Monitoring on an Enterprise Scale''' is a system baselining and evidence collection tool designed for incident response, evidence collection (alternate data streams, hidden files), content integrity monitoring, intrusion analysis and computer forensics.

== External Links ==

* [http://ftimes.sourceforge.net/ The FTimes Project Homepage]
* [http://unixsadm.blogspot.com/2007/11/building-ftimes-on-windows-using-visual.html Building FTimes on Windows using Visual Studio]

MD5

2007-12-19T23:28:04Z

Cmihai: Corrections

The '''Message-Digest algorithm 5''' ('''MD5''') is a cryptographic [[hash|hash function]] that produces a 128-bit hash value. Originally developed in 1991, much as has been written about this algorithm. As such, this article concentrates only on its application to computer forensics.

== Tools ==

On most [[Unix]] systems the tools [[digest]] -a md5 (Solaris), [[md5]] (BSD) or [[md5sum]] (GNU) can be used to compute the MD5 hash of a file or device. [[md5deep]] can compute MD5 hashes of whole directory trees.

== Weaknesses ==

Recently some cryptographic weaknesses have been found in MD5. Tool developers should avoid using MD5 in new products in favor of other hash functions like [[RIPEMD-160]], [[Tiger]], [[WHIRLPOOL]], [[SHA-256]] or [[SHA-512]]. Host Intrusion Detection systems and hash databases should also use multiple hash algorithms.

== External Links ==

* [http://en.wikipedia.org/wiki/Md5 Wikipedia: MD5]
* [http://deepbyte.com/blog/2006/02/is_the_md5_hash_unreliable.html Is the MD5 hash unreliable?]
* [http://unixsadm.blogspot.com/2007/11/exploiting-md5-and-other-hashing.html Collection of exploits and weaknesses in MD5]

[[Category:Hashing]]

MD5

2007-12-19T22:49:36Z

Cmihai: Added RIPEMD, Tiger, Whirlpool and SHA-512 references; digest tool

The '''Message-Digest algorithm 5''' ('''MD5''') is a cryptographic [[hash|hash function]] that produces a 128-bit hash value. Originally developed in 1991, much as has been written about this algorithm. As such, this article concentrates only on its application to computer forensics.

== Tools ==

On most [[Unix]] systems the tools [[digest]] -a md5 (Solaris), [[md5]] (BSD) or [[md5sum]] (GNU) can be used to compute the MD5 hash of a file or device. [[md5deep]] can compute MD5 hashes of whole directory trees.

== Weaknesses ==

Recently some cryptographic weaknesses have been found in MD5. Tool developers should avoid using MD5 in new products in favor of other hash functions like [[RIPEMD-160]], [[Tiger]], [[WHIRLPOOL]], [[SHA-256]] or [[SHA-512]]. Host Intrusion Detection systems and hash databases should also use multiple hash algorithms.

== External Links ==

* [http://en.wikipedia.org/wiki/Md5 Wikipedia: MD5]
* [http://deepbyte.com/blog/2006/02/is_the_md5_hash_unreliable.html Is the MD5 hash unreliable?]
* [http://unixsadm.blogspot.com/2007/11/exploiting-md5-and-other-hashing.html - Collection of exploits and weaknesses in MD5]

[[Category:Hashing]]

PGPDisk

2007-12-18T18:02:57Z

Cmihai: PGP Intentional Bypass

'''PGPDisk''' or Pretty Good Privacy [[Whole Disk Encryption]] was a disk encryption solution from the [http://www.pgp.com PGP Corporation]. It has since been rebranded as [[PGP Whole Disk Encryption]].

It provides transparent whole disk encryption with Pre-Boot authentification for Windows. Also supports MacOS X 10.4 (non-boot disks only).

An undocumented encryption bypass feature was found that allowed the drive to be accessed even without the boot-up password.

== External Links ==

* [http://www.pgp.com/products/wholediskencryption/ PGPDisk Official website]
* [http://securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html PGP Whole Disk Encryption - Barely Acknowledged Intentional Bypass]

[[Category:Encryption]]

DES

2007-12-17T16:15:14Z

Cmihai: Corrections

{{Expand}}

'''DES''' or '''Data Encryption Standard''' is a cipher selected as an official FIPS (Federal Information Processing Standard) for the United States.

DES is now considered to be insecure due to the 56-bit key size being too small.

== External Links ==

* [http://en.wikipedia.org/wiki/Data_Encryption_Standard Wikipedia article on DES]
* [http://www.copacobana.org/ A FPGA-based Codebreaker for DES and other Ciphers]
* [http://www.cryptography.com/resources/whitepapers/DES-photos.html DEEP Crack - Hardware DES cracking]

[[Category:Encryption]]

DES

2007-12-17T16:14:22Z

Cmihai: DES, DeepCrack, Copacobana FPGA DES cracker

{{Expand}}

'''DES''' or '''Data Encryption Standard''' is a cipher selected as an official FIPS (Federal Information Processing Standard) for the U.S.

DES is now considered to be insecure due to the 56-bit key size being too small.

== External Links ==

* [http://en.wikipedia.org/wiki/Data_Encryption_Standard Wikipedia article on DES]
* [http://www.copacobana.org/ - A FPGA-based Codebreaker for DES and other Ciphers]
* [http://www.cryptography.com/resources/whitepapers/DES-photos.html - DEEP Crack - Hardware DES cracking]

[[Category:Encryption]]

3DES

2007-12-17T16:09:03Z

Cmihai: Added 3DES

{{Expand}}

'''3DES''' or '''Triple DES''' is a block cipher formed by using the Data Encryption Standard ([[DES]]) cipher three times.

== External Links ==

* [http://en.wikipedia.org/wiki/Triple_DES) Wikipedia article on 3DES]

[[Category:Encryption]]

File Vault

2007-12-17T15:51:28Z

Cmihai: crypto.nsa.org "VileFault" whitepaper.

File Vault is the cryptographic file system developed by [http://www.apple.com Apple] and introduced with MacOS 10.3.

File Vault works by storing each user's home directory in an encrypted "[[.sparseimage]]" file. The file is automatically mounted when the user logs in and unmounted when the user logs out. All of the user's files and preferences are stored in this file. The file's encryption key is stored in the .sparseimage file, but that encryption key is itself encrypted with the user's login password.

There are no known attacks against File Vault other than a brute force attack on the user's password.

As part of the [http://www.apple.com/macosx/features/300.html#security security enhancements] in OS X 10.5 (Leopard) Apple have moved from AES-128 to AES-256 for the encryption used in the disk image.

=== Links ===
*You can find a good discussion of File Vault's usability shortcomings in [http://www.simson.net/thesis Simson Garfinkel's PhD Thesis].
*[http://chaosradio.ccc.de/23c3_m4v_1642.html Unlocking FileVault] Talk at [http://events.ccc.de/congress/2006-static/static/2/3/r/23rd_Chaos_Communication_Congress_7c1f.html 23c3] (video)
*[http://chaosradio.ccc.de/23c3_mp3_1642.html Unlocking FileVault] Talk at [http://events.ccc.de/congress/2006-static/static/2/3/r/23rd_Chaos_Communication_Congress_7c1f.html 23c3] (audio)
*[http://crypto.nsa.org/vilefault/23C3-VileFault.pdf Unlocking FileVault Whitepaper]

PGPDisk

2007-12-17T15:47:12Z

Cmihai: PGPDisk

'''PGPDisk''' or Pretty Good Privacy Whole Disk Encryption is a disk encryption solution from the [http://www.pgp.com PGP Corporation].

It provides transparent whole disk encryption with Pre-Boot authentification for Windows. Also supports MacOS X 10.4 (non-boot disks only).

== External Links ==

* [http://www.pgp.com/products/wholediskencryption/ PGPDisk Official website]

[[Category:Encryption]]

Vnconfig

2007-12-17T15:43:39Z

Cmihai: Corrections

'''vnconfig''' is the [[OpenBSD]] vnode disks for file swapping or pseudo file system configuration tool. Supports encrypting the data using the Blowfish cipher before it is written to disk when the -K flag is specified. Use -s to specify a saltfile.

== External Links ==

* [http://www.openbsd.org/ OpenBSD Official website]
* [http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8: OpenBSD Manpages: vnconfig(8)]

[[Category:Encryption]]

Vnconfig

2007-12-17T15:42:26Z

Cmihai: Encrypted svnd

'''vnconfig''' [[OpenBSD]] vnode disks for file swapping or pseudo file system configuration tool. Supports encrypting the data using the Blowfish cipher before it is written to disk when the -K flag is specified. Use -s to specify a saltfile.

== External Links ==

* [http://www.openbsd.org/ OpenBSD Official website]
* [http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8: OpenBSD Manpages: vnconfig(8)]

[[Category:Encryption]]

GELI

2007-12-17T14:30:04Z

Cmihai: GELI

'''GELI''' - [[FreeBSD]] Cryptographic [[GEOM]] class written by Pawel Jakub Dawidek. Supports various ciphers: [[AES]],[[Blowfish]] and [[3DES]]. Supports hidden volumes and Pre-Boot Authentification.

== External Links ==

* [http://www.freebsd.org FreeBSD official website]
* [http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8 FreeBSD Manpage: GELI]
* [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html - FreeBSD Handbook - Disk Encryption]
* [http://en.wikipedia.org/wiki/GBDE Wikipedia: GBDE]

[[Category:Encryption]]

GBDE

2007-12-17T14:21:26Z

Cmihai: GBDE

'''GBDE''' - GEOM Based Disk Encryption - is a [[FreeBSD]] block device-layer disk encryption that uses 128-bit [[AES]] designed and implemented by Poul-Henning Kamp and Network Associates Inc.

A more efficient implementation of [[FreeBSD]] [[GEOM]] based Disk Encryption - [[GELI]] was later written later by Pawel Jakub Dawidek.

== External Links ==

* [http://www.freebsd.org FreeBSD official website]
* [http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf GBDE Whitepaper]
* [http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+6.2-RELEASE&format=html FreeBSD Manpage: GBDE]
* [http://en.wikipedia.org/wiki/GBDE Wikipedia: GBDE]

[[Category:Encryption]]

Encryption

2007-12-17T14:04:05Z

Cmihai: Category

'''Encryption''' is a means to obfuscate data an entity wishes to protect to the point it will take a third party considerable time to access (decrypt) it. The methods of encryption vary from substitution ciphers to more modern methods such as digital ciphers which use an algorithm to obfuscate the data. Once the data is encrypted it is then referred to as cipher text.

[[Category:Encryption]]

Category:Encryption

2007-12-17T14:03:32Z

Cmihai: New page: Encryption is a means to obfuscate data an entity wishes to protect to the point it will take a third party considerable time to access (decrypt) it. The methods of encryption vary from su...

Encryption is a means to obfuscate data an entity wishes to protect to the point it will take a third party considerable time to access (decrypt) it. The methods of encryption vary from substitution ciphers to more modern methods such as digital ciphers which use an algorithm to obfuscate the data. Once the data is encrypted it is then referred to as cipher text.

Blowfish

2007-12-17T13:56:34Z

Cmihai: Category, bullets for links

{{Expand}}

'''Blowfish''' is a symmetric block cipher designed by [[Bruce Schneier]]. It uses a 64-bit block cipher and a variable-length key (32 bits to 448 bits).

Blowfish is not subject to patents and is freely available for use.

== External Links ==

* [http://www.schneier.com/blowfish.html The Blowfish Encryption Algorithm]
* [http://en.wikipedia.org/wiki/Blowfish_(cipher) Wikipedia article on Blowfish]

[[Category:Encryption]]

Serpent

2007-12-17T13:56:13Z

Cmihai: Category, bullets for links

{{Expand}}

'''Serpent''' is an [[encryption]] algorithm designed by Ross Anderson, Eli Biham and Lars Knudsen as a candidate for the Advanced Encryption Standard [[AES]] competition, where it got second place with 59 votes ([[Rijndael]] got 86 votes, and was selected by [[NIST]] as the [[AES]]).

Serpent uses a block size of 128 bits and supports a key size of 128, 192 or 256 bits.

Serpent and Rijndael are somewhat similar. The main difference is that Rijndael has fewer rounds (10, 12 or 14 (depending on key size) compared to 32 for Serpent), hence it is faster. Arguably, Serpent is more secure.

Serpent is available as public domain, and can be freely used by anyone.

== External Links ==

* [http://www.cl.cam.ac.uk/~rja14/serpent.html Serpent Cipher Homepage]
* [http://en.wikipedia.org/wiki/Serpent_(cipher) Wikipedia article on Serpent]

[[Category:Encryption]]

Twofish

2007-12-17T13:55:45Z

Cmihai: Category, bullets for links

{{Expand}}

'''Twofish''' is an [[encryption]] algorithm designed designed by [[Bruce Schneier]], John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, Eli Biham and Lars Knudsen as a candidate for the Advanced Encryption Standard [[AES]] competition, where it got third place with 31 votes ([[Rijndael]] got 86 votes, and was selected by [[NIST]] as the [[AES]], and [[Serpent]] got 59 votes).

Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It is related to the earlier [[Blowfish]] block cipher, also designed by [[Bruce Schneier]].

== External Links ==

* [http://www.schneier.com/twofish.html Twofish Homepage]
* [http://en.wikipedia.org/wiki/Twofish Wikipedia article on Twofish]

[[Category:Encryption]]

CGD

2007-12-17T13:54:39Z

Cmihai: CGD

'''CGD''' Cryptographic Device Driver - Provides transparent full disk encryption for [[NetBSD]].

== External Links ==

* [http://www.netbsd.org/ NetBSD Official website]
* [http://www.netbsd.org/docs/guide/en/chap-cgd.html: NetBSD Documentation]

[[Category:Encryption]]

NetBSD

2007-12-17T13:51:29Z

Cmihai: NetBSD, links

'''NetBSD''' is an open source [[Unix]]-like [[operating system]] derived from the original University of California Berkeley's 4.3BSD release via the Networking/2 and 386BSD releases. It is available on many platforms.

== External Links ==

* [http://www.netbsd.org/ Official website]
* [http://en.wikipedia.org/wiki/NetBSD Wikipedia: NetBSD]

[[Category:Operating systems]]

Twofish

2007-12-17T13:45:28Z

Cmihai: Introduction, links, relation to Blowfish.

{{Expand}}

'''Twofish''' is an [[encryption]] algorithm designed designed by [[Bruce Schneier]], John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, Eli Biham and Lars Knudsen as a candidate for the Advanced Encryption Standard [[AES]] competition, where it got third place with 31 votes ([[Rijndael]] got 86 votes, and was selected by [[NIST]] as the [[AES]], and [[Serpent]] got 59 votes).

Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It is related to the earlier [[Blowfish]] block cipher, also designed by [[Bruce Schneier]].

== External Links ==

[http://www.schneier.com/twofish.html Twofish Homepage]
[http://en.wikipedia.org/wiki/Twofish Wikipedia article on Twofish]

Serpent

2007-12-17T13:02:01Z

Cmihai: Corrections

{{Expand}}

'''Serpent''' is an [[encryption]] algorithm designed by Ross Anderson, Eli Biham and Lars Knudsen as a candidate for the Advanced Encryption Standard [[AES]] competition, where it got second place with 59 votes ([[Rijndael]] got 86 votes, and was selected by [[NIST]] as the [[AES]]).

Serpent uses a block size of 128 bits and supports a key size of 128, 192 or 256 bits.

Serpent and Rijndael are somewhat similar. The main difference is that Rijndael has fewer rounds (10, 12 or 14 (depending on key size) compared to 32 for Serpent), hence it is faster. Arguably, Serpent is more secure.

Serpent is available as public domain, and can be freely used by anyone.

== External Links ==

[http://www.cl.cam.ac.uk/~rja14/serpent.html Serpent Cipher Homepage]
[http://en.wikipedia.org/wiki/Serpent_(cipher) Wikipedia article on Serpent]

Serpent

2007-12-17T13:01:14Z

Cmihai: Introduction, links. Comparison to Rijndael (AES)

{{Expand}}

'''Serpent''' [[encryption]] algorithm designed by Ross Anderson, Eli Biham and Lars Knudsen as a candidate for the Advanced Encryption Standard [[AES]] competition, where it got second place with 59 votes ([[Rijndael]] got 86 votes, and was selected by [[NIST]] as the [[AES]]).

Serpent uses a block size of 128 bits and supports a key size of 128, 192 or 256 bits.

Serpent and Rijndael are somewhat similar. The main difference is that Rijndael has fewer rounds (10, 12 or 14 (depending on key size) compared to 32 for Serpent), hence it is faster. Arguably, Serpent is more secure.

Serpent is available as public domain, and can be freely used by anyone.
== External Links ==

[http://www.cl.cam.ac.uk/~rja14/serpent.html Serpent Cipher Homepage]
[http://en.wikipedia.org/wiki/Serpent_(cipher) Wikipedia article on Serpent]

Blowfish

2007-12-17T12:51:36Z

Cmihai: Details, Schneier homepage

{{Expand}}

'''Blowfish''' is a symmetric block cipher designed by [[Bruce Schneier]]. It uses a 64-bit block cipher and a variable-length key (32 bits to 448 bits).

Blowfish is not subject to patents and is freely available for use.

== External Links ==
[http://www.schneier.com/blowfish.html The Blowfish Encryption Algorithm]
[http://en.wikipedia.org/wiki/Blowfish_(cipher) Wikipedia article on Blowfish]

TrueCrypt

2007-12-17T12:45:16Z

Cmihai: Keyfiles, plausible deniability.

'''TrueCrypt''' is an open source program to create and mount virtual encrypted disks in [[Windows|Windows Vista/XP/2000]] and Linux. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports various encryption algorithms (AES-256, Serpent and Twofish).

== Forensic Acquisition ==

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.

==Attacks==
The only option for acquiring the content of a TrueCrypt drive is to do a brute-force password guessing attack. [[AccessData|AccessData's]] [[Password Recovery Toolkit]] and Distributed Network Attack ([[DNA]]) can both perform such an attack, but DNA is faster.

TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).

The existence of a FAT volume may be an indication of the existence of hidden volumes (a hidden volume can only be created within a FAT TrueCrypt volume).

== External Links ==

* [http://www.truecrypt.org/ Official website]

Blowfish

2007-12-17T07:37:27Z

Cmihai: Added Blowfish

{{Expand}}

Blowfish is a symmetric block cipher designed by [[Bruce Schneier].
Blowfish is not subject to patents and is free to use by anyone.

== External Links ==

[http://en.wikipedia.org/wiki/Blowfish_(cipher) Wikipedia article on Blowfish]

Full Disk Encryption

2007-12-17T07:32:49Z

Cmihai: Added TrueCrypt, FreeBSD GBDE and GELI, NetBSD CGD, OpenBSD vnconfig and PGPdisk.

'''Full Disk Encryption''' or '''Whole Disk Encryption''' is a phrase that was coined by [[Seagate]] to describe their encrypting [[hard drive]]. Under such a system, the entire contents of a hard drive are encrypted. This is different from [[Full Volume Encryption]] where only certain partitions are encrypted.

Some examples of full disk encryption:

== Hardware Solutions ==

; Seagate FDE
: http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf

; Network Appliance (Decru)
: http://www.netapp.com/ftp/decru-fileshredding.pdf
: http://www.decru.com/products/pdf/dsEseries.pdf (NetApps DataFort)
: http://www.decru.com/products/ltkm.htm (Decru Lifetime key Management)
: http://www.forensicswiki.org/images/6/6f/Securing_Storage_White_Paper.pdf (Decru white paper)

; Jetico BestCrypt
: http://www.jetico.com/

; beCrypt
: http://www.becrypt.com/our_products/disk_protect.php

; SecureDoc
: http://www.smart-cardsys.com/security/securedoc.htm

; Securstar driveCrypt DriveCrypt 4.20 - 1344Bit Hard Disk Encryption
: http://www.securstar.com/products_drivecryptpp.php

; Eracom Technology DiskProtect
: http://www.eracom-tech.com/drive_encryption.0.html

; Hitachi Bulk Data Encryption
: http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf

== Software Solutions ==

; [[TrueCrypt]]
: Transparent full disk encryption for [[Linux]] and [[Windows]. Supports various [[ciphers]]: [[AES]] (256 bit), [[Serpent]] and [[Twofish]].
: It provides protection from watermarking and inference attacks (volumes cannot be distinguished from random data).
: Supports hidden volumes within TrueCrypt volumes (plausible deniability).
: http://www.truecrypt.org/

; [[GBDE]]
: [[GEOM]] Based Disk Encryption. Provides transparent full disk and swap encryption for [[FreeBSD]]. Supported [[ciphers]]: [[AES]] (128 bit).
: Supports hidden volumes and Pre-Boot Authentification.
: Since data loss can occur on unexpected shutdowns, GELI is recommended instead of GBDE.
: http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+6.2-RELEASE&format=html
: http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf

; [[GELI]]
: Cryptographic [[GEOM]] class. Provides transparent full disk encryption for [[FreeBSD]]. Supports various [[ciphers]]: [[AES]], [[Blowfish]] and [[3DES]].
: Supports hidden volumes and Pre-Boot Authentification.
: http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8

; [[CGD]]
: Cryptographic Device Driver. Provides transparent full disk encryption for [[NetBSD]].
: Supports various [[ciphers]]: [[AES]] (128 bit blocksize and accepts 128, 192 or 256 bit keys), [[Blowfish]] (64 bit blocksize and accepts 128 bit keys) and [[3DES]] (uses a 64 bit blocksize and accepts 192 bit keys (only 168 bits are actually used for encryption).
: http://www.netbsd.org/docs/guide/en/chap-cgd.html

; [[vnconfig]]
: The -K option of [[OpenBSD]] vnconfig(8) associates and encryption key with the svnd device. Supports saltfiles. Supported [[ciphers]]: [[Blowfish]].
: http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8

; [[PGPDisk]]
: Pretty Good Privacy Whole Disk Encryption provides transparent whole disk encryption with Pre-Boot authentification for [[Windows]]. Also supports [[MacOS]] X 10.4 (non-boot disks only).
: Can use OpenPGP RFC 2440 keys and X.509 keys for authentification.
: Supports USB Tokens for authentification.
: Supported [[ciphers]]: [[AES]] (256 bit keys).
: http://www.pgp.com/products/wholediskencryption/

; [[BitLocker]]
: Part of Windows Vista that uses [[AES]] 128 or 256 bit encryption

; [[BitArmor]]
: http://www.bitarmor.com/

; [[dm-crypt]]
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the Linux 2.6 device mapper. Supports various [[ciphers]] and [[LUKS]] (Linux Unified Key Setup).
: http://www.saout.de/misc/dm-crypt/

; [[loop-AES]]
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the loopback device and [[AES]].
: http://sourceforge.net/projects/loop-aes/

; [[SafeGuard Easy]]
: Certified according to [[Common Criteria]] EAL3 and FIPS 140-2
: Encryption algorithms supported: [[AES]] (128 and 256 bit) and [[IDEA]] (128 bit)
: Provides complete [[hard drive]] encryption including the boot disk.
: http://www.utimaco.us/products

; [[PointSec]]
: http://www.pointsec.com/

User:Cmihai

2007-12-17T06:54:37Z

Cmihai: Homepage, license

Criveti Mihai's homepage: http://unixsadm.blogspot.com/
Forensic tools: http://unixsadm.blogspot.com/2007/10/digital-forensic-tools-imaging.html

License

I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.

PEiD

2007-12-17T06:49:30Z

Cmihai: Website has moved to http://www.peid.info/ - changed URL to reflect this.

{{Expand}}

{{Infobox_Software |
name = PEiD|
maintainer = Jibz, Qwerton, snaker, xineohP |
os = {{Windows}} |
license = ?? |
genre = {{Analysis}} |
website = http://www.peid.info/ |
}}

PEiD is a GUI-based program that runs under Windows which identifies more than 600 different signatures in PE files. It supports external plugins via it's Plugin Interface.