Forensics Wiki - User contributions [en]

SAFE Boot Disk

2010-01-29T07:56:36Z

KPryor: Fixed broken link

{{Infobox_Software |
name = SAFE Boot Disk |
maintainer = [[ForensicSoft]] |
os = {{Windows}} |
genre = {{Live CD}} |
license = {{Commercial}} |
website = [http://www.forensicsoft.com/catalog/products.php http://www.forensicsoft.com/catalog/products.php] |
}}

The '''System Acquisition Forensic Environment (SAFE) Boot Disk''' is the first and only commercially available forensically sound Windows Boot disk by [[ForensicSoft]]. SAFE is a fully licensed version of Windows PE protected that is protected by the proven [[SAFE Block XP]] software write blocking technology.

'''SAFE Boot Disk''' now allows you to boot any x86-based computer without the need to remove the drives or worry about the need for special adapters or controller cards. Because '''SAFE Boot Disk''' is based on Windows PE it includes built in driver support as well as the ability to easily install any drivers that may be missing. This also means the '''Safe Boot Disk''' includes built in support for the NTFS file system without the need for third party tools and has the ability to write to NTFS and NTFS compressed file systems, taking advantage of larger partition sizes, larger file size limits and the advantage of native NTFS compression.

In order to ensure the '''SAFE Boot Disk''' is a forensically sound Live CD it has the proven write blocking technology used by [[SAFE Block XP]] built in to ensure that upon booting every attached disk and flash device are automatically blocked without any required user interaction. Unlike some of the Linux Live CD's this is true write blocking and not just mounting read-only or not auto-mounting.

Finally '''SAFE Boot Disk''' provides access to Host Protected Areas (HPAs) and Device Configuration Overlay (DCOs) on IDE (PATA and SATA) disks, has built in Case Logging and built in tools for exploration, viewing, and simple forensics functions.

ILook

2008-08-15T03:48:19Z

KPryor:

{{Leonly}}
{{Infobox_Software |
name = ILook |
maintainer = [[Internal Revenue Service|IRS-CI]] |
os = {{Windows}} |
genre = {{Analysis}} |
license = [http://www.ilook-forensics.org/iLookv8eula.html EULA] |
website = [http://www.ilook-forensics.org/ ilook-forensics.org] |
}}

'''ILook''' is an all-in-one [[computer forensics]] suite originally created by Elliot Spencer and currently maintained by the U.S. Department of Treasury [[Internal Revenue Service]] Criminal Investigation Division (IRS-CI) Electronic Crimes Program. It was made available at no cost to law enforcement agencies and US government agencies at the discretion of the IRS-CI, but is not available to the general public.

Elliot Spencer publicly announced on May 9, 2008, via the ILook users Yahoo! group, the end of ILook. Due to the end of federal funding for continued development, the currently released ILook 8.0.18 is the final version. Spencers company, Perlustro, is developing a new commercial version of ILook, but no further updates of the free version will be forthcoming. Currently licensed users will still be able to renew their licenses for the foreseeable future, but no new ILook licenses will be issued.

The ILook Investigator © Forensic Software is a comprehensive suite of computer forensics tools used to acquire and analyze digital media. ILook Investigator © products include the ILook v8 forensic application and the [[IXimager]] which are both designed to follow forensics best practices.

ILook can support a wide variety of file systems, including [[FAT]] 12/16/32, [[NTFS]], [[NTFS Compressed]], [[HFS]], [[HFS+]], [[Ext2]], [[Ext3]], [[ReiserFS]] 1, 2, and 3, [[SysV-AFS]], [[SysV-EAFS]], [[SysV-HTFS]], [[NWFS]], [[NWFS Compressed]], [[VMWare Drive Mount Disk Drives]], [[Microsoft]] [[Virtual PC]] disks. It can also process CDs in [[CDFS]], [[ISO 9660]], [[ISO 9660]], and [[UDF]].

==Search Facilities==
* Lists allocated and unallocated files.
* Sorts files by type (signature and extension).
* Searches for keywords.
* Works with compressed zip files.

==Searching Abilities==
* Searches for keywords.
* Builds an index.

==Hash Databases==

Hashes and compares using custom hash sets as well as the [[Hashkeeper]] [[hash database]] and [[National Software Reference Library|NIST]] [[hash library]] using [[MD5]] and [[FIPS 180-2]] compliant algorithms (e.g. [[SHA-1]]).

== External links ==
* [http://www.ilook-forensics.org/ Official website]
* [http://www.ilook-forensics.org/iLookv8eula.html EULA]

[[Category:Disk imaging]]

ILook

2008-08-15T03:46:59Z

KPryor:

{{Leonly}}
{{Infobox_Software |
name = ILook |
maintainer = [[Internal Revenue Service|IRS-CI]] |
os = {{Windows}} |
genre = {{Analysis}} |
license = [http://www.ilook-forensics.org/iLookv8eula.html EULA] |
website = [http://www.ilook-forensics.org/ ilook-forensics.org] |
}}

'''ILook''' is an all-in-one [[computer forensics]] suite originally created by Elliot Spencer and currently maintained by the U.S. Department of Treasury [[Internal Revenue Service]] Criminal Investigation Division (IRS-CI) Electronic Crimes Program. It was made available at no cost to law enforcement agencies and US government agencies at the discretion of the IRS-CI, but is not available to the general public.

Elliot Spencer publicly announced on May 9, 2008, via the ILook users Yahoo! group, the end of ILook. Due to the end of federal funding for continued development, the currently released ILook 8.0.18 is the final version. Spencers company, Perlustro, is developing a new commercial version of ILook, but no new updates or versions of the free version will be forthcoming. Currently licensed users will still be able to renew their licenses for the foreseeable future, but no new ILook licenses will be issued.

The ILook Investigator © Forensic Software is a comprehensive suite of computer forensics tools used to acquire and analyze digital media. ILook Investigator © products include the ILook v8 forensic application and the [[IXimager]] which are both designed to follow forensics best practices.

ILook can support a wide variety of file systems, including [[FAT]] 12/16/32, [[NTFS]], [[NTFS Compressed]], [[HFS]], [[HFS+]], [[Ext2]], [[Ext3]], [[ReiserFS]] 1, 2, and 3, [[SysV-AFS]], [[SysV-EAFS]], [[SysV-HTFS]], [[NWFS]], [[NWFS Compressed]], [[VMWare Drive Mount Disk Drives]], [[Microsoft]] [[Virtual PC]] disks. It can also process CDs in [[CDFS]], [[ISO 9660]], [[ISO 9660]], and [[UDF]].

==Search Facilities==
* Lists allocated and unallocated files.
* Sorts files by type (signature and extension).
* Searches for keywords.
* Works with compressed zip files.

==Searching Abilities==
* Searches for keywords.
* Builds an index.

==Hash Databases==

Hashes and compares using custom hash sets as well as the [[Hashkeeper]] [[hash database]] and [[National Software Reference Library|NIST]] [[hash library]] using [[MD5]] and [[FIPS 180-2]] compliant algorithms (e.g. [[SHA-1]]).

== External links ==
* [http://www.ilook-forensics.org/ Official website]
* [http://www.ilook-forensics.org/iLookv8eula.html EULA]

[[Category:Disk imaging]]

Talk:Scalpel

2008-08-07T14:56:47Z

KPryor:

Has anyone used this tool yet?
I have downloaded it and will install it in the near future.
Thanks,

Redloco

: Yes, I've used it with great success. What would you like to know? [[User:Jessek|Jessek]] 10:40, 7 August 2008 (UTC)

: I've used Foremost with success, but haven't tried Scalpel. [[User:KPryor|KPryor]] 14:55, 7 August 2008 (UTC)

Talk:Scalpel

2008-08-07T14:54:38Z

KPryor:

Has anyone used this tool yet?
I have downloaded it and will install it in the near future.
Thanks,

Redloco

: Yes, I've used it with great success. What would you like to know? [[User:Jessek|Jessek]] 10:40, 7 August 2008 (UTC)

I've used Foremost with success, but haven't tried Scalpel.

Talk:How To Set Up a Disk Imaging Station

2008-05-28T04:13:35Z

KPryor:

omg... IMHO, it seems to be "[newbie] howto install freebsd" ;)
[[User:.FUF|.FUF]] 20:51, 23 May 2008 (UTC)
:What's wrong with having a newbie HOWTO? Most forensics geeks are not FreeBSD users, so a HOWTO guide is helpful. [[User:Jessek|Jessek]] 17:18, 24 May 2008 (UTC)
::Honestly, what this wiki needs is more newbie HOWTOs.[[User:Simsong|Simsong]] 07:47, 25 May 2008 (UTC)

Agreed. I am a newbie, so I would be happy to see more how-to's.

Talk:How To Set Up a Disk Imaging Station

2008-05-28T04:12:11Z

KPryor:

Talk:How To Set Up a Disk Imaging Station

2008-05-28T04:11:30Z

KPryor:

ILook

2008-05-28T04:06:32Z

KPryor: Added info regarding the end of ILook development

{{Leonly}}
{{Infobox_Software |
name = ILook |
maintainer = [[Internal Revenue Service|IRS-CI]] |
os = {{Windows}} |
genre = {{Analysis}} |
license = [http://www.ilook-forensics.org/iLookv8eula.html EULA] |
website = [http://www.ilook-forensics.org/ ilook-forensics.org] |
}}

'''ILook''' is an all-in-one [[computer forensics]] suite originally created by Elliot Spencer and currently maintained by the U.S. Department of Treasury [[Internal Revenue Service]] Criminal Investigation Division (IRS-CI) Electronic Crimes Program. It was made available at no cost to law enforcement agencies and US government agencies at the discretion of the IRS-CI, but is not available to the general public.

Elliot Spencer publicly announced on May 9, 2008, via the ILook users Yahoo! group, the end of ILook. Due to the end of federal funding for continued development, the currently released ILook 8.0.18 is the final version. Spencers company, Perlustro, is developing new forensic tools for commercial release, but no new updates or versions of ILook will be forthcoming. Currently licensed users will still be able to renew their licenses for the foreseeable future, but no new ILook licenses will be issued.

The ILook Investigator © Forensic Software is a comprehensive suite of computer forensics tools used to acquire and analyze digital media. ILook Investigator © products include the ILook v8 forensic application and the [[IXimager]] which are both designed to follow forensics best practices.

ILook can support a wide variety of file systems, including [[FAT]] 12/16/32, [[NTFS]], [[NTFS Compressed]], [[HFS]], [[HFS+]], [[Ext2]], [[Ext3]], [[ReiserFS]] 1, 2, and 3, [[SysV-AFS]], [[SysV-EAFS]], [[SysV-HTFS]], [[NWFS]], [[NWFS Compressed]], [[VMWare Drive Mount Disk Drives]], [[Microsoft]] [[Virtual PC]] disks. It can also process CDs in [[CDFS]], [[ISO 9660], [[ISO 9660]], and [[UDF]].

==Search Facilities==
* Lists allocated and unallocated files.
* Sorts files by type (signature and extension).
* Searches for keywords.
* Works with compressed zip files.

==Searching Abilities==
* Searches for keywords.
* Builds an index.

==Hash Databases==

Hashes and compares using custom hash sets as well as the [[Hashkeeper]] [[hash database]] and [[National Software Reference Library|NIST]] [[hash library]] using [[MD5]] and [[FIPS 180-2]] compliant algorithms (e.g. [[SHA-1]]).

== External links ==
* [http://www.ilook-forensics.org/ Official website]
* [http://www.ilook-forensics.org/iLookv8eula.html EULA]

[[Category:Disk imaging]]

User:KPryor

2007-08-23T17:55:10Z

KPryor: New page: I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the Creative Commons Attribution-ShareAlike 2.5 license.

I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the Creative Commons Attribution-ShareAlike 2.5 license.

Md5sum

2007-08-23T17:21:37Z

KPryor: Fixed typo

{{Infobox_Software |
name = md5sum |
maintainer = [[GNU]] |
os = [[Linux]], [[Windows]], [[Mac OS X]], [[BSD]], [[Solaris]] |
genre = {{Hashing}} |
license = {{GPL}} |
website = [http://www.gnu.org/software/coreutils/ www.gnu.org] |
}}
This [[MD5]] [[hashing]] tool, part of the GNU Coreutils suite, has been a standard in the computer forensics community for some time. It is intended for *nix systems, but has been ported to the [[Windows]] platform. It should be noted that the program has options to read files in "binary" or "text" mode, which can produce different hashes. The text mode is the default on most platforms, which is different from other hashing utilities such as [[md5deep]].

== External Links ==

* [http://www.gnu.org/software/coreutils/ Official web site] for GNU Coreutils
* [http://en.wikipedia.org/wiki/Md5sum Wikipedia entry on md5sum]
* [http://www.etree.org/md5com.html md5sum for Windows]
* [http://unxutils.sourceforge.net/ A slew of ported tools for Windows include md5sum]