Forensics Wiki - User contributions [en]

Memory analysis

2008-03-03T16:25:13Z

Uwe Hermann: Add "Lest We Remember: Cold Boot Attacks on Encryption Keys" paper.

'''Memory Analysis''' is the science of using a [[Tools:Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:

* [[Windows Memory Analysis]]
* [[Linux Memory Analysis]]
* [[FreeBSD Memory Analysis]]

== See Also ==

* [[Tools:Memory Imaging]]

== Weblinks ==

* [http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf Mariusz Burdach: Finding Digital Evidence In Physical Memory] (PDF)
* [https://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Paul Movall, Ward Nelson, Shaun Wetzstein: Linux Physical Memory Analysis] (PDF)
* [http://citp.princeton.edu/memory/ Lest We Remember: Cold Boot Attacks on Encryption Keys] ([http://citp.princeton.edu.nyud.net/pub/coldboot.pdf PDF])

Slack

2008-03-03T16:19:01Z

Uwe Hermann:

{{Expand}}

== Definition ==

In Computer Forensics '''slack''' refers to the bytes after the logical end of a file and the end of the cluster wherein the final byte of the valid file resides.

== Slack Types ==

=== RAM Slack ===

=== File Slack ===

== External Links ==

Slack

2008-03-03T16:18:24Z

Uwe Hermann:

{{Expand}}

== Definition ==

In Computer Forensics ''slack'' refers to the bytes after the logical end of a file and the end of the cluster wherein the final byte of the valid file resides.

== Slack Types ==

=== RAM Slack ===

=== File Slack ===

== External Links ==

Anti-forensic techniques

2006-08-21T08:05:55Z

Uwe Hermann: Breaking Encase with FILE0 and Winhex

'''Anti-forensic techniques''' try to frustrate [[forensic investigator]]s and their [[techniques]].

This can include refusing to run when [[debugging]] mode is enabled, refusing to run when running inside of a [[virtual machine]], or deliberately overwriting data. Although some anti-forensic tools have legitimate purposes, such as overwriting sensitive data that shouldn't fall into the wrong hands, like any [[Tools|tool]] they can be abused.

== Secure Data Deletion ==

[[Secure data deletion|Securely deleting]] data, so that it cannot be restored with forensic methods. <br />
Be aware that software 'data destroyers' may not necessaruly do what they state on the burb site. In particular a common mistake is the oversight of how the underlying file system actually stores files, for instance a 'wipe drive' application that will write a series of random values across unallocated space on the hard disk may not take into account the slack space at the end of allocated data blocks. Thus allowing a large portion of old data to still be recoverable. This is a very handy for a forensic analyst, but not so handy for IT Managers.

== Hiding Data ==

Hiding data where a forensic [[investigator]] would not usually look, e.g. using [[steganography]] or other means.

== Encrypted Data ==

[[Encryption|Encrypting data]], in order to prevent access to it.

== Preventing Data Creation ==

Prevent the creation of certain data in the first place. Data which was never there, obviously cannot be restored with forensic methods.

== Detecting Forensic Analysis ==

There are methods to detect whether an [[investigator]] tries to perform a (live) forensic analysis on the system. A malicious user or program could react to that by destroying evidence, for example.

== See also ==

* [[Tools#Anti-forensics_Tools]]

== Externals Links ==

* [http://www.safehack.com/Textware/forensic/Anti_Forensic_Break_Encase.pdf Breaking Encase with FILE0 and Winhex]

EnCase

2006-08-21T08:05:22Z

Uwe Hermann: Breaking Encase with FILE0 and Winhex

{{Wikify}}

Encase is an all-in-one computer forensics suite from Guidance Software Inc.

=File Format=
Perhaps the '''de facto''' standard for forensic analyses in law enforcement, Guidance Software's EnCase Forensic encase} uses a proprietary format for images, reportedly based on ASR Data's Expert Witness Compression Format. EnCase's Evidence File .E01) format contains a physical bitstream of an acquired disk, prefixed with a '"Case Info" header, interlaced with CRCs for every block of 64 sectors~(32 KB), and followed by a footer containing an MD5 hash for the entire bitstream. Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own CRC.

Encase can store media dat into multiple evidence files, which are called segment files. Each segment file consist of multiple sections. Each section consist of a section start definition. This contains a section type.

At least from Encase 3 the case info header is contained in the "header" section, which is defined twice within the file and contain the same information.

With Encase 4 an additional "header2" section was added. The "header" section now appears only once, but the new "header2" section twice.

Version 3 of The Encase F introduced an "error2" sections that it uses to record the location and number of bad sector chunks. The way it handles the sections it can't read is that those areas are filled with zero. Then Encase displays to the user the areas that could not be read when the image was acquired. The granularity of unreadable chunks appears to be 32K.

Within Encase 5 the amount of sectors per block (chunk) can vary.

Encase from at least in version 3, 4 and 5 can hash the data of the media it acquires.
It does this by calculating a MD5 hash of the original media data and adds a hash section
to the last of the segment files.

=Features=

==File Systems Understood==

==File Search Facilities==

==Historical Reconstruction==

Can it build timelines and search by creation date?

==Searching Abilities==

Can it search? Does it build an index? Can it focus on file types or particular kinds of metadata?

==Hash Databases==

Encase uses [[MD5]] hashes and uses a [[Encase hash files|proprietary file format]] to store them. It can also import hashes from the [[NSRL]], [[Hashkeeper]], and plain MD5 files.

==Evidence Collection Features==

Can it sign files? Does it keep an audit log?

=History=

Originally written in (YEAR), it has now developed into a Forensic Edition and an Enterprise Edition.

==License Notes==

Is it commercial or open source? Are there other licensing options?

= External Links =

* [http://www.guidancesoftware.com/lawenforcement/ef_index.asp EnCase Website]
* [http://www.safehack.com/Textware/forensic/Anti_Forensic_Break_Encase.pdf Breaking Encase with FILE0 and Winhex]

==External Reviews==

License transition status

2006-07-18T18:03:00Z

Uwe Hermann: /* Files/Images */ Deleted last image with unclear license.

This page keeps track of the '''license status''' of the wiki.

All contributions after '''March 19th, 2006''' are under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license. Contributions prior to that date have an unclear license. We are currently contacting the authors of the respective content, asking them whether they agree to license their contributions under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license...

__TOC__

== HOWTO ==

If you have contributed to this wiki '''before March 19th, 2006''', please consider (re-)licensing your contributions under this license. You can do that by adding this small paragraph to your user page:

'''I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.'''

Thanks in advance.

== Current License Status ==

=== Pages ===

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Page
! License Status
! Checked for copyright infringement
|-
| [[AFF]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[AFIS]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[AFOSI]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ASR]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ASR Data]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[AccessData]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Adobe PDF Format]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Afflib]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Anti-forensic techniques]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Applied Cellphone Forensics]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Audio Devices]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[BMP]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Bad blocks]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Bibliography]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Blackbag]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Blackberry Forensics]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Books]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Cellphones]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Conferences]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[DCFL]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[DIBS]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Data Reduction]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Dcfldd]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Dd]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Digital Evidence Bags]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[EVT]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[EXIF]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Email Headers]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[EnCase]]
| ?
| style="background:lime" | OK
|-
| [[Epilogue to Gutmann's 1996 paper]]
| style="background:lime" | OK
| ?
|-
| [[Exif]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[FAT]]
| ?
| style="background:lime" | OK
|-
| [[FCCU Gnu/Linux Boot CD]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[File Formats]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[File Systems]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Flash IDE Adapters]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Foremost]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Forensic Toolkit]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Forensic file formats]]
| ?
| style="background:lime" | OK
|-
| [[Full Disk Encryption]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Gfzip]]
| ?
| ?
|-
| [[Harvard Forensics Project]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Helix]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ILook]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ILook External Imager]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ILook Imager]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ILook Investigator]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ILook file format]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[IXimager]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[JPEG]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Jesse Kornblum]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Journals]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[LNK]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[License transition status]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Linux]]
| ?
| style="background:lime" | OK
|-
| [[Mailing lists]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Main Page]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Md5deep]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Metadata]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Microsoft PocketPC]]
| ?
| ?
|-
| [[Microsoft Windows]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Microsoft Windows Mobile]]
| ?
| ?
|-
| [[National Software Reference Library]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Ontrack Data Eraser]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Organizations]]
| style="background:lime" | OK (Not copyrightable)
| style="background:lime" | OK
|-
| [[Other Websites]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[PDAs]]
| ?
| ?
|-
| [[Palm]]
| ?
| ?
|-
| [[Papers]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Paraben]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[People]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Personal Digital Devices]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ProDiscover]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[ProDiscovery]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[PyFlag]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Pyflag]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[RIM Blackberry]]
| ?
| style="background:lime" | OK
|-
| [[Raw image file]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Raw image files]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Recovering Overwritten Data]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Recovering bad data]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Recovering deleted data]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Reports]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[SIM Cards]]
| ?
| ?
|-
| [[SMART]]
| style="background:lime" | OK (Original unlicensed, copyright-infringing content was removed)
| style="background:lime" | OK
|-
| [[Safeback]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Sanitization Standards]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Scalpel]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Simson Garfinkel]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Sleuthkit]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[SmartPhones]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[SpinRite]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Symbian]]
| ?
| ?
|-
| [[Techniques]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Tools]]
| style="background:lime" | OK (All content created after March 19)
| style="background:lime" | OK
|-
| [[UNIX]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[VMware]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Vendors]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Websites]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Wetstone]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
| [[Write Blockers]]
| style="background:lime" | OK
| style="background:lime" | OK
|-
|}

=== Files/Images ===

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! File
! License Status
! Comments
|-
| [[:Image:Simpic.jpg]]
| style="background:lime" | OK
| Replaced with free version.
|-
| [[:Image:Treo.jpg]]
| style="background:lime" | OK
| Deleted.
|-
| [[:Image:Pocketpc.jpg]]
| style="background:lime" | OK
| Replaced with free version.
|-
| [[:Image:Newton.jpg]]
| style="background:lime" | OK
| Deleted.
|-
| [[:Image:Zaurus-front.jpg]]
| style="background:lime" | OK
| Replaced with free version.
|-
| [[:Image:Sharp sl-c3100-thm.jpg]]
| style="background:lime" | OK
| Deleted.
|-
| [[:Image:Yale fat16 diagram.jpg]]
| style="background:lime" | OK
| Deleted.
|-
| [[:Image:Recover-FAT-volume-structur.jpg]]
| style="background:lime" | OK
| Deleted.
|-
| [[:Image:HelixGroupPaper.pdf]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:Network Appliance DataFort.doc]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:Draft Paper.doc]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:Survey3.doc]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:Survey.doc]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:Biblio.doc]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:HelixCFS.doc]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:Init2.doc]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:Init.doc]]
| style="background:lime" | OK
| Deleted
|-
| [[:Image:Securing Storage White Paper.pdf]]
| style="background:lime" | OK
| Decru white paper. Not Creative Commons licensed, but we'll keep it here, as it might disappear from the net.
|-

|}

FAT

2006-07-18T18:01:33Z

Uwe Hermann: Replaced image with unclear license with a table.

{{wikify}}

FAT, or file allocation table, is a file system that is designed to keep track of allocation status of clusters on a hard drive. Developed in 1977 by Microsoft Corporation, FAT was originally intended to be a file system for the Microsoft Disk BASIC interpreter. FAT was quickly incorporated into an early version of Tim Patterson's QDOS, which was a moniker for "Quick and Dirty Operating System". Microsoft later purchased the rights to QDOS and released it under Microsoft branding as PC-DOS and later, MS-DOS.

== Structure==

{| style="text-align:center;" cellpadding="3" border="1px"
| Boot sector
| More reserved<br/> sectors (optional)
| FAT #1
| FAT #2
| Root directory<br /> (FAT12/16 only)
| Data region<br /> (rest of disk)
|}

=== Boot Record ===
When a computer is powered on, a POST (power-on self test) is performed, and control is then transferred to the MBR (Master Boot Record). The MBR is present no matter what file system is in use, and contains information about how the storage device is logically partitioned. When using a FAT file system, the MBR hands off control of the computer to the Boot Record, which is the first sector on the partition. The Boot Record, which occupies a reserved area on the partition, contains executable code, in addition to information such as an OEM identifier, number of FATs, media descriptor (type of storage device), and information about the operating system to be booted. Once the Boot Record code executes, control is handed off to the operating system installed on that partition.

=== FATs ===
The primary task of the File Alocation Tables are to keep track of the allocation status of clusters, or logical groupings of sectors, on the disk drive. There are four different possible FAT entries: allocated (along with the address of the next cluster associated with the file), unallocated, end of file, and bad sector.

In order to provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system. FAT2 is a typically a duplicate of FAT1. However, FAT mirroring can be disabled on a FAT32 drive, thus enabling any of the FATs to become the Primary FAT. This possibly leaves FAT1 empty, which can be deceiving.

=== Root Directory ===
The Root Directory, sometimes referred to as the Root Folder, contains an entry for each file and directory stored in the file system. This information includes the file name, starting cluster number, and file size. This information is changed whenever a file is created or subsequently modified. Root directory has a fixed size of 512 entries on a hard disk and the size on a floppy disk depends. With FAT32 it can be stored anywhere within the partition, although in previous versions it is always located immediately following the FAT region.

=== Data Area ===

The Boot Record, FATs, and Root Directory are collectively referred to as the System Area. The remaining space on the logical drive is called the Data Area, which is where files are actually stored. It should be noted that when a file is deleted by the operating system, the data stored in the Data Area remains intact until it is overwritten.

=== Clusters ===
In order for FAT to manage files with satisfactory efficiency, it groups sectors into larger blocks referred to as clusters. This is necessary because a computer only has a fixed number of memory addresses. In modern computers, a typical drive has far more memory sectors than addresses. Consequently, sectors are grouped together (into clusters) in order to share an address. A cluster is the smallest unit of disk space that can be allocated to a file, which is why clusters are often called allocation units. Only the "data area" is divided into clusters, the rest of the partition is simply sectors. Cluster size is determined by the size of the disk volume and every file must be allocated an even number of clusters. Cluster sizing has a significant impact on performance and disk utilization. Larger cluster sizes result in more wasted space because files are less likely to fill up an even number of clusters.

The size of one cluster is specified in the Boot Record and can range from a single sector (512 bytes) to 128 sectors (65536 bytes). The sectors in a cluster are continuous, therefore each cluster is a continuous block of space on the disk. Note that only one file can be allocated to a cluster. Therefore if a 1KB file is placed within a 32KB cluster there are 31KB of wasted space. The formula for determining clusters in a partition is (# of Sectors in Partition) - (# of Sectors per Fat * 2) - (# of Reserved Sectors) ) / (# of Sectors per Cluster).

=== Wasted Sectors ===

'''Wasted Sectors''' (a.k.a. '''partition slack''') are a result of the number of data sectors not being evenly distributed by the cluster size. It's made up of unused bytes left at the end of a file. Also, if the partition as declared in the partition table is larger than what is claimed in the Boot Record the volume can be said to have wasted sectors. Small files on a hard drive are the reason for wasted space and the bigger the hard drive the more wasted space there is. This is because for a fixed number of memory addresses, a larger hard drive must have more sectors in each cluster.

=== FAT Entry Values ===
<br>
FAT12<br>
<br>
0x000 (Free Cluster)<br>
0x001 (Reserved Cluster)<br>
0x002 - 0xFEF (Used cluster; value points to next cluster)<br>
0xFF0 - 0xFF6 (Reserved values)<br>
0xFF7 (Bad cluster)<br>
0xFF8 - 0xFFF (Last cluster in file)<br>
<br>
FAT16<br>
<br>
0x0000 (Free Cluster)<br>
0x0001 (Reserved Cluster)<br>
0x0002 - 0xFFEF (Used cluster; value points to next cluster)<br>
0xFFF0 - 0xFFF6 (Reserved values)<br>
0xFFF7 (Bad cluster)<br>
0xFFF8 - 0xFFFF (Last cluster in file)<br>
<br>
FAT32<br>
<br>
0x?0000000 (Free Cluster)<br>
0x?0000001 (Reserved Cluster)<br>
0x?0000002 - 0x?FFFFFEF (Used cluster; value points to next cluster)<br>
0x?FFFFFF0 - 0x?FFFFFF6 (Reserved values)<br>
0x?FFFFFF7 (Bad cluster)<br>
0x?FFFFFF8 - 0x?FFFFFFF (Last cluster in file)

Note: FAT32 uses only 28 of 32 possible bits, the upper 4 bits should be left alone. Typically these bits are zero, and are represented above by a question mark (?).

[[Category:Disk file systems]]

==Versions==

There are three variants of FAT in existence: FAT12, FAT16, and FAT32.

=== FAT12 ===
* FAT12 is the oldest type of FAT that uses a 12 bit file allocation table entry.
* FAT12 can hold a max of 4,086 clusters (which is 2<sup>12</sup> clusters minus a few values that are reserved for values used in the FAT).
* It is used for floppy disks and hard drive partitions that are smaller than 16 MB.
* All 1.44 MB 3.5" floppy disks are formatted using FAT12.
* Cluster size that is used is between 0.5 KB to 4 KB.

=== FAT16 ===
* It is called FAT16 because all entries are 16 bit.
* FAT16 can hold a max of 65,536 addressable units (2 <sub>26</sub>
* It is used for small and moderate sized hard disk volumes.
* The actual capacity is 65,525 due to some reserved values

=== FAT32 ===
FAT32 is the enhanced version of the FAT system implemented beginning with Windows 95 OSR2, Windows 98, and Windows Me.
Features include:
* Drives of up to 2 terabytes are supported (Windows 2000 only supports up to 32 gigabytes)
* Since FAT32 uses smaller clusters (of 4 kilobytes each), it uses hard drive space more efficiently. This is a 10 to 15 percent improvement over FAT or FAT16.
* The limitations of FAT or FAT 16 on the number of root folder entries have been eliminated. In FAT32, the root folder is an ordinary cluster chain, and can be located anywhere on the drive.
* File allocation mirroring can be disabled in FAT32. This allows a different copy of the file allocation table then the default to be active.

==== Limitations with Windows 2000 & Windows XP ====
* Clusters cannot be 64KB or larger.
* Cannot decrease cluster size that will result in the the FAT being larger than 16 MB minus 64KB in size.
* Cannot contain fewer than 65,527 clusters.
* Maximum of 32KB per cluster.
* ''Windows XP'': The Windows XP installation program will not allow a user to format a drive of more than 32GB using the FAT32 file system. Using the installation program, the only way to format a disk greater than 32GB in size is to use NTFS. A disk larger than 32GB in size ''can'' be formatted with FAT32 for use with Windows XP if the system is booted from a Windows 98 or Windows ME startup disk, and formatted using the tool that will be on the disk.

=== Comparison of FAT Versions ===

See the table at http://en.wikipedia.org/wiki/File_Allocation_Table for more detailed information about the various versions of FAT.

== Uses ==
Due to its low cost, mobility, and non-volatile nature, flash memory has quickly become the choice medium for storing and transferring data in consumer electronic devices. The majority of flash memory storage is formatted using the FAT file system. In addition, FAT is also frequently used in electronic devices with miniature hard drives.

Examples of devices in which FAT is utilized include:

* USB thumb drives
* Digital cameras
* Digital camcorders
* Portable audio and video players
* Multifunction printers
* Electronic photo frames
* Electronic musical instruments
* Standard televisions
* PDAs

==Data Recovery==
Recovering directory entries from FAT filesystems as part of [[recovering deleted data]] can be accomplished by looking for entries that begin with a sigma 0xe5. When a file or directory is deleted under a FAT filesystem, the first character of its name is changed to sigma. The remainder of the directory entry information remains intact.

The pointers are also changed to zero for each cluster used by the file. Recovery tools look at the FAT to find the entry for the file. The location of the starting cluster will still be in the directory file. It is not deleted or modified. The tool will go straight to that cluster and try to recover the file using the file size to determine the number of clusters to recover. Some tools will go to the starting cluster and recover the next "X" number of clusters needed for the specific file size. However, this tool is not ideal. An ideal tool will locate "X" number of available clusters. Since files are most often fragmented, this will be a more precise way to recover the file.

An issue arises when two files in the same row of clusters are deleted. If the clusters are not in sequential order, the tool will automatically receive "X" number of clusters. However, because the file was fragmented, it's most likely that all the clusters obtained will not all contain data for that file. If these two deleted files are in the same row of clusters, it is highly unlikely the file can be recovered.

==File Slack==
File slack is data that starts from the end of the file written and continues to the end of the sectors designated to the file. There are two types of file slack, RAM slack, and Residual slack. RAM slack starts from the end of the file and goes to the end of that sector. Residual slack then starts at the next sector and goes to the end of the cluster allocated for the file. File slack is a helpful tool when analyzing a hard drive because the old data that is not overwritten by the new file is still in tact. Go to http://www.pcguide.com/ref/hdd/file/partSizes-c.html for examples.

<table border="1" cellspacing="2" bordercolor="#000000" cellpadding="4" width="468" bordercolorlight="#C0C0C0">
<tr>
<td width="101" bgcolor="#808080"><font size="2"><b><center>Cluster</center></b></font></td>
<td width="177" bgcolor="#808080"><font size="2"><b><center>Sample Slack Space,
50% Cluster Slack Per File</center></b></font></td>
<td width="178" bgcolor="#808080"><font size="2"><b><center>Sample Slack Space,
67% Cluster Slack Per File</center></b></font></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>2 kiB</center></b></font></td>
<td width="177"><font size="2"><center>17 MB</center></font></td>
<td width="178"><font size="2"><center>22 MB</center></font></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>4 kiB</center></b></font></td>
<td width="177"><font size="2"><center>33 MB</center></font></td>
<td width="178"><font size="2"><center>44 MB</center></font></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>8 kiB</center></b></font></td>
<td width="177"><font size="2"><center>66 MB</center></font></td>
<td width="178"><font size="2"><center>89 MB</center></font></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>16 kiB</center></b></font></td>
<td width="177"><font size="2"><center>133 MB</center></font></td>
<td width="178"><font size="2"><center>177 MB</center></font></td>
</tr>
<tr>
<td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>32 kiB</center></b></font></td>
<td width="177"><font size="2"><center>265 MB</center></font></td>
<td width="178"><font size="2"><center>354 MB</center></font></td>
</tr>
</table>

The diagram above demonstrates the larger the cluster size used, the more disk space is wasted due to slack. This suggests it is better to use smaller cluster sizes whenever possible.

==FAT Advantages==
* Files available to multiple operating systems on the same computer
* Easier to switch from FAT to NTFS than vice versa
* Performs faster on smaller volumns (< 10GB)
* Does not index files which causes slightly higher performance
* Performs better with small cache sizes (< 96MB)
* More space effiecent on small volumes (< 4GB)
* Performs better with slow disks (< 5400RPM)

==FAT Disadvantages==
* FAT has a fixed maximum number of clusters per partition, which means as the hard disk gets bigger the size of each cluster must increase, creating more slack space
* Doesn't nativley support many abilities of NTFS such as compression, encryption, or advanced security using access control lists
* NTFS recommened by Microsoft for volumes larger than 32GB
* FAT slows down as the number of files on the disk increases
* FAT usually fragments files more
* FAT does not allow for indexing of files for faster searching
* FAT does not support user quotas

== External links ==
* http://en.wikipedia.org/wiki/File_Allocation_Table
* http://www.microsoft.com
* http://www.ntfs.com
* http://www.ntfs.com/ntfs_vs_fat.htm
* http://support.microsoft.com/kb/q154997/#XSLTH3126121123120121120120
* http://www.dewassoc.com/kbase/hard_drives/boot_sector.htm
* http://home.teleport.com/~brainy/fat32.htm
* http://www2.tech.purdue.edu/cpt/courses/cpt499s/
* http://home.no.net/tkos/info/fat.html
* http://web.ukonline.co.uk/cook/fat32.htm
* http://www.ntfs.com/fat-systems.htm
* http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx
* http://support.microsoft.com/kb/q140418

Memory analysis

2006-07-17T11:06:43Z

Uwe Hermann: Some links.

'''Memory Analysis''' is the science of using a [[Tools:Memory_Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:

* [[Windows Memory Analysis]]
* [[Linux Memory Analysis]]
* [[FreeBSD Memory Analysis]]

== Weblinks ==

* [http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf Mariusz Burdach: Finding Digital Evidence In Physical Memory] (PDF)
* [https://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Paul Movall, Ward Nelson, Shaun Wetzstein: Linux Physical Memory Analysis] (PDF)

Linux Memory Analysis

2006-07-17T11:03:31Z

Uwe Hermann:

...

== Weblinks ==

* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf Urrea, J. M., "An Analysis Of Linux Ram Forensics", Masters Thesis, Naval Postgraduate School, March 2006] (PDF)

Blackbag

2006-07-07T20:57:39Z

Uwe Hermann: Small fixes.

With regards to computer forensics, "'''black bag'''" operations usually consist of the acquisition of [[digital evidence]] without the target's knowledge.

This type of operation is especially useful during internal affairs or ongoing criminal investigations. Depending on the sensitivity of the investigation, access to the target's computer is sometimes facilitated by the target's superiors by giving the evidence collection specialist intelligence to bypass [[physical security]] devices during the operation. It should also be noted that during this type of operation, it is also possible to install applications and configure a computer system to further the investigation from a remote location.

According to the [http://foia.fbi.gov/foiaindex/bboperations.htm FBI's own web page], the term "black bag" is coined from a practice used by that agency between 1942 and 1967. During that time, the [[FBI]] illegally obtained evidence against several individuals/organizations by entering their offices and obtaining photographs of information found in their records. The practice was ordered to be discontinued by then FBI Director Hoover.

ProDiscover

2006-06-06T00:49:45Z

Uwe Hermann:

[[ProDiscover]] is a forensic [[Tools|tool]] made by [[Techpathways]].

The file format is documented at http://www.techpathways.com/uploads/ProDiscoverImageFileFormatv4.pdf.

[[Category:File Formats]]

ILook file format

2006-06-06T00:47:14Z

Uwe Hermann: Category.

The [[IXimager]], part of the [[iLook]] suite, creates image files in its own proprietary '''file format'''.

[[Category:File Formats]]

AFF

2006-06-06T00:45:40Z

Uwe Hermann: Category.

The '''Advanced Forensics Format''' ('''AFF''') is an extensible open format for the storage of [[disk image]]s and related forensic [[metadata]]. It was developed by [[Simson Garfinkel]] and [[Basis Technology]].

Both [[Sleuthkit]] 2.04 and [[Autopsy]] 2.07 support the aff image format.

== AFF Format ==

== AFF Library ==

== AFF Tools ==

* [[aimage]]
* [[ident]]
* [[afcat]]
* [[afcompare]]
* [[afconvert]]
* [[affix]]
* [[afinfo]]
* [[afstats]]
* [[afxml]]
* [[afsegment]]

== External Links ==

* [http://www.afflib.org/ Official website]
* [http://www.lnx4n6.be/index.php?sec=Documentation&page=aff-intro Introduction to the use of AFFLib v1.0]

[[Category:File Formats]]

Tools:Memory Imaging

2006-05-20T19:39:58Z

Uwe Hermann:

The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Usually memory images are used as part of [[memory analysis]].

== Microsoft Windows ==

; [[dd]]
: A version of [[dd]] by George Garner allows an Administrator user to image memory using the ''\device\physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista. This program cannot be used on Windows 2003 SP1 and above.

; [[hibernation]] files
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image.

== Exploits ==

At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.

In theory, this could be used with the ... to send through an exploit code that would cause the system to dump the contents of its hard drive back to the [[iPod]].

Windows Memory Analysis

2006-05-20T19:37:58Z

Uwe Hermann:

...

== History ==

During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during incident response. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called (NAME). The second, by [[George Garner]] and (AUTHOR) produced [[kntlist]].

Digital Forensics Research Workshop

2006-05-20T19:37:04Z

Uwe Hermann: Common typo, hence redirect.

#REDIRECT [[Digital Forensic Research Workshop]]

Memory analysis

2006-05-20T19:34:25Z

Uwe Hermann:

FreeBSD

2006-05-17T16:16:15Z

Uwe Hermann:

'''FreeBSD''' is a [[Unix]]-like free software [[operating system]].

== External Links ==

* [http://www.freebsd.org Official website]
* [http://en.wikipedia.org/wiki/FreeBSD Wikipedia: FreeBSD]

Unix

2006-05-17T16:14:11Z

Uwe Hermann:

'''Unix''' or '''UNIX''' is a general-purpose multi-user [[operating system]] developed mostly by [[Ken Thompson]] and [[Dennis Ritchie]] during 1969 at [[Bell Labs]]. About one year later during the early 1970s UNIX was unveiled to the general public. The original goal as it is today was to create a stable, secure, and powerful operating system that is portable to many different hardware platforms.

Today UNIX has evolved into three main categories which all flavors of UNIX derive from: [[BSD]] (Berkley Software Distribution), [[System V]] Release 4, and hybrid. Some of the most poplar flavors of UNIX are: [[IBM]]’s [[AIX]], [[Sun Microsystems]]' [[Solaris]], [[SGI]]’s [[IRIX]], [[Linux]], [[OpenBSD]], and [[FreeBSD]].

== External Links ==

* [http://upload.wikimedia.org/wikipedia/commons/5/50/Unix_history-simple.png Wikipedia: Time Line of UNIX]

Sun Microsystems, Inc.

2006-05-17T16:11:28Z

Uwe Hermann: Not needed, IMHO.

'''Sun Microsystems, Inc.''' is a computer hardware and software vendor.

== External Links ==

* [http://www.sun.com Official website]
* [http://en.wikipedia.org/wiki/Sun_Microsystems Wikipedia: Sun Microsystems]

AIX

2006-05-17T16:11:05Z

Uwe Hermann:

...

== External Links ==

* [http://www.ibm.com/servers/aix/overview IBM's AIX Operating system overview]
* [http://en.wikipedia.org/wiki/AIX_operating_system Wikipedia: AIX]

Encryption

2006-05-17T16:10:21Z

Uwe Hermann:

'''Encryption''' is a means to obfuscate data an entity wishes to protect to the point it will take a third party considerable time to access (decrypt) it. The methods of encryption vary from substitution ciphers to more modern methods such as digital ciphers which use an algorithm to obfuscate the data. Once the data is encrypted it is then referred to as cipher text.

Encrypt

2006-05-17T16:09:18Z

Uwe Hermann: Use REDIRECT in order to not duplicate content.

#REDIRECT [[Encryption]]

BSD

2006-05-17T16:08:24Z

Uwe Hermann:

'''Berkeley Software Distribution''' ('''BSD''') is one of the three major derivates of the [[Unix]] [[operating system]] from which many versions have been created such as [[OpenBSD]], [[FreeBSD]], [[NetBSD]], [[Trusted BSD]], and very early versions of [[Sun]]’s [[Solaris]]. BSD was first released in the late 1970s and continues to have a strong following today exhibited in the continued existence of the above versions. The only exception is Sun who switched the design of their operating system over to [[System V]] Release 4.

OpenBSD

2006-05-17T16:05:27Z

Uwe Hermann:

'''OpenBSD''' is a [[Unix]]-like operating system. It is said to be very secure, so much so the authors can make the claim of “Only one remote hole in the default install, in more than 8 years!” This claim is something very few [[operating systems]] can testify to.

== External Links ==

* [http://www.openbsd.org Official website]

Steganography

2006-05-17T16:04:04Z

Uwe Hermann: Please do not sign normal articles, only discussions on "Talk" pages. Thanks!

'''Steganography''' is a science that pertains to the art of concealing data in a communication in such a way that only the sender and receiver know of its existance and method of access. The platform used for transmission can be anything from a paper document to a digital file. Additionally, it is more common than not to [[encrypt]] the hidden data whenever possible such as with digital files or images.

International Business Machines Corporation

2006-05-17T16:00:46Z

Uwe Hermann: IBM moved to International Business Machines Corporation: Move to full name.

'''International Business Machines Corporation''' ('''IBM''') is a computer hardware and software vendor.

== External Links ==

* [http://www.ibm.com Official website]
* [http://en.wikipedia.org/wiki/IBM Wikipedia: IBM]

IBM

2006-05-17T16:00:46Z

Uwe Hermann: IBM moved to International Business Machines Corporation: Move to full name.

#REDIRECT [[International Business Machines Corporation]]

International Business Machines Corporation

2006-05-17T16:00:24Z

Uwe Hermann:

Digital Forensic Research Workshop

2006-05-16T00:05:57Z

Uwe Hermann: Wikified.

The '''Digital Forensic Research Workshop''' ('''DFRWS''') was initiated in August 2001 to bring academic researchers and digital forensic [[investigator]]s and practitioners together for active discussion that addresses three major objectives:

* Define the need and create the processes for the incorporation of a rigorous scientific method as a fundamental tenant of the evolving discipline of Digital Forensic Science.
* Develop a research agenda that considers practitioner requirements, multiple investigative environments and emphasizes real world usability.
* The discovery, explanation and presentation of conclusive, persuasive evidence that will meet the heightened scrutiny of the courts and other decision-makers in military and civilian environments.

Since 2001, an annual workshop has been held in various cities around the US to present and discuss research topics. Archives are available as well as a more detailed history.

== External Links ==

* [http://www.dfrws.org/ Official website]

Digital Forensic Research Workshop

2006-05-16T00:04:06Z

Uwe Hermann: DFRWS moved to Digital Forensic Research Workshop: Move to full name.

'''Digital Forensic Research Workshop''' - DFRWS [http://www.dfrws.org/]

The Digital Forensic Research Workshop (DFRWS) was initiated in August 2001 to bring academic researchers and digital forensic investigators and practitioners together for active discussion that addresses three major objectives:

* Define the need and create the processes for the incorporation of a rigorous scientific method as a fundamental tenant of the evolving discipline of Digital Forensic Science
* Develop a research agenda that considers practitioner requirements, multiple investigative environments and emphasizes real world usability
* The discovery, explanation and presentation of conclusive, persuasive evidence that will meet the heightened scrutiny of the courts and other decision-makers in military and civilian environments

Since 2001, an annual workshop has been held in various cities around the US to present and discuss research topics. Archives are available as well as a more detailed history.

DFRWS

2006-05-16T00:04:06Z

Uwe Hermann: DFRWS moved to Digital Forensic Research Workshop: Move to full name.

#REDIRECT [[Digital Forensic Research Workshop]]

Recovering deleted data

2006-05-16T00:03:47Z

Uwe Hermann:

{{Wikify}}

When the user requests to delete a file, most modern [[operating system]]s generally do not erase the actual data. For example, when a file in a [[FAT]] [[file system]] is deleted, the Root Directory entry and FATs are updated, but the data residing in the Data Area remains intact.

== Recovery Programs ==

There are many programs that can recover these deleted files. Some of these software packages are specifically designed for forensics purposes. For example, [[Scalpel]] and its predecessor, [[foremost]], were developed to facilitate forensics investigations.

== Recovery challenges and test images ==

[http://www.dfrws.org/2006/challenge/]
File Carving Challenge - [[DFRWS]] 2006

[http://dftt.sourceforge.net/test6/index.html]
FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6)

[http://dftt.sourceforge.net/test7/index.html]
NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7)

[http://dftt.sourceforge.net/test11/index.html]
Basic Data Carving Test - fat32 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #11)

[http://dftt.sourceforge.net/test12/index.html]
Basic Data Carving Test - ext2 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #12)

Main Page

2006-05-16T00:01:16Z

Uwe Hermann:

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">

This is the '''Forensics Wiki''', a [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons]-licensed [http://en.wikipedia.org/wiki/Wiki wiki] devoted to information about [[digital forensics]]. We currently list a total of [[Special:Allpages|{{NUMBEROFARTICLES}}]] pages.

Much of [[computer forensics]] is focused on the [[tools]] and [[techniques]] used by [[investigator]]s, but there are also a number of important [[papers]], [[people]], and [[organizations]] involved. Many of those organizations sponsor [[conferences]] throughout the year and around the world. You may also wish to examine the popular [[journals]] and some special [[reports]].

'''Please note: by adding or modifying any content in this wiki, you agree to license your contributions under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license!'''
</div>

{| width="100%"
|-
| width="60%" style="vertical-align:top" |

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#eeeeff; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ccccff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Topics</h2>

* '''[[File Analysis]]''':
** '''[[File Formats]]''': [[PDF]], [[DOC]], [[JPEG]], [[GIF]], [[BMP]], [[LNK]], [[MP3]], [[AAC]], [[Thumbs.db]], ...
** '''[[Forensic file formats]]''': [[AFF]], [[gfzip]], [[sgzip]], ...
* '''[[File Systems]]''': [[FAT]], [[NTFS]], [[ext2]]/[[ext3]], [[ufs]], [[ffs]], [[reiserfs]], ...
** '''[[File Systems#Cryptographic_File_Systems|Cryptographic File Systems]]''': [[File Vault]], [[CFS]], [[NCryptfs]], [[TCFS]], [[SFS]], ...
* '''[[Hardware]]''':
** '''[[Bus]]ses''': [[IDE]], [[SCSI]], [[Firewire]], [[USB]], ...
** '''[[Data storage media|Media]]''': [[RAM]], [[Hard Drive]]s, [[Memory Card]]s, [[SmartCard]]s, [[RFID]] Tags...
** '''[[Personal Digital Devices]]''': [[PDAs]], [[Cellphones]], [[SmartPhones]], [[Audio Devices]], ...
** '''[[Other Devices]]''': [[Printers]], [[Scanners]], ...
** '''[[Write Blockers]]''': ...
* '''Recovering data''': [[Recovering bad data|bad data]], [[Recovering deleted data|deleted data]], [[Recovering Overwritten Data|overwritten data]], [[Sanitization Standards]]
* [[Network forensics]]
* [[Encryption]]
* [[Steganography]], [[Steganalysis]]
* [[GPS]]
* '''[[Metadata]]:''' [[MAC times]], [[ACLs]], [[Email Headers]], [[Exif]], [[ID3]], [[OLE-2]], ...
* '''Further information:''' [[Books]], [[Papers]], [[Reports]], [[Journals]], [[Websites]], [[Blogs]], [[Mailing lists]], [[Organizations]], [[Vendors]], [[Conferences]]
</div>

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#e0ffe0; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ccffcc; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Tools</h2>

* '''[[Tools|All Tools]]''':
** '''[[Tools#Disk_Imaging_Tools|Disk Imaging]]''': [[dd]], [[dcfldd]], [[dd_rescue]], [[sdd]], [[aimage]], [[Blackbag]], ...
** '''[[Tools#Data_Recovery_Tools|Data Recovery]]''': ...
** '''[[Tools#Disk_Analysis_Tools|Disk Analysis]]''': [[EnCase]], [[SMART]], [[Sleuthkit]], [[foremost]], [[Scalpel]], ...
** '''[[Tools#Forensics_Live_CDs|Live CDs]]''': [[FCCU Gnu/Linux Boot CD]], [[Helix]], [[Knoppix STD]], ...
** '''[[Tools#Metadata_Extraction_Tools|Metadata Extraction]]''': [[wvWare]], [[jhead]], ...
** '''[[Tools#File_Analysis_Tools|File Analysis]]''': [[file]], [[ldd]], [[ltrace]], [[strace]], [[strings]], ...
** '''[[Tools#Network_Forensics_Tools|Network Forensics]]''': [[Snort]], ...
** '''[[Tools#Anti-forensics_Tools|Anti-Forensics]]''': [[Slacker]], [[wipe]], [[shred]], ...
** '''[[Tools#Other_Tools|Other Tools]]''': [[biew]], [[hexdump]], ...
</div>

| width="40%" style="vertical-align:top" |

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffdddd; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ffbbbb; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">License Transition</h2>

We're currently in the middle of a [[License transition status|license transition]]. The goal is to license all contents of this wiki under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license. If you have contributed to this wiki '''before March 19th, 2006''', please consider (re-)licensing your contributions under this license. You can do that by adding [[License_transition_status#HOWTO|this small paragraph]] to your user page. Thanks in advance! Contributions '''after''' March 19th, 2006 are automatically CC-licensed, there's no need to add such a paragraph.
</div>

<div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffff99; align:center; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Wiki News</h2>

* '''2006-04-28''': I've modified the wiki configuration so that articles are now off a '/wiki/foobar' URL, rather than 'index.php?title=foobar' URL. Please let me know if there are any errors. --[[User:Simsong]].

</div>

<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#c0ffff; align:right; border:1px solid #ddccff;">

<h2 style="margin:0; background-color:#99ffff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[:Category:Top-Level|Categories]]</h2>

The contents of this wiki are organized into various [[:Category:Top-Level|categories]]:

* [[:Category:Tools|Tools]]
* [[:Category:Disk file systems|Disk file systems]]
* [[:Category:File Formats|File Formats]]
* [[:Category:Howtos|Howtos]]
* [[:Category:Licenses|Licenses]]
* [[:Category:Operating systems|Operating systems]]
* [[:Category:People|People]]
* ...

</div>

|}

__NOTOC__
__NOEDITSECTION__

How to analyse partitions

2006-05-16T00:00:47Z

Uwe Hermann: Category.

A How-to for dealing with partitions.

[http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12] suggests using the ''mmls'' program to display the contents of partitions.

For example:

# mmls -t dos disk.dd
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0002056319 0002056257 Win95 FAT32 (0x0B)
03: 00:01 0002056320 0008209214 0006152895 OpenBSD (0xA6)
04: 00:02 0008209215 0019999727 0011790513 FreeBSD (0xA5)

You can use mmls to examine the OpenBSD and FreeBSD partitions that are inside the DOS partition:

# mmls -t bsd -o 2056321 disk.dd
Length Description
00: 02 0000000000 0019999727 0019999728 Unused (0x00)
01: 08 0000000063 0002056319 0002056257 MSDOS (0x08)
02: 00 0002056320 0002260943 0000204624 4.2BSD (0x07)
03: 01 0002260944 0002875823 0000614880 Swap (0x01)
04: 03 0002875824 0003080447 0000204624 4.2BSD (0x07)
05: 04 0003080448 0003233663 0000153216 4.2BSD (0x07)
06: 07 0003233664 0004257791 0001024128 4.2BSD (0x07)
07: 06 0004257792 0008209214 0003951423 4.2BSD (0x07)
08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)

(Examples from [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12])

== External Links ==

* [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12: Using mmls from The Sleuth Kit]

[[Category:Howtos]]

How to analyse partitions

2006-05-15T23:58:41Z

Uwe Hermann: Howto:Partitions moved to How to analyse partitions: Move to HOWTO name.

Category:Howtos

2006-05-15T23:57:51Z

Uwe Hermann:

[[Category:Top-Level]]

How to recover deleted files

2006-05-15T23:57:38Z

Uwe Hermann: Wikified + category.

...

== External Links ==

* [http://www.sleuthkit.org/informer/sleuthkit-informer-14.html The Sleuth Kit Informer #14: FAT file recovery in The Sleuth Kit]

[[Category:Howtos]]

How to recover deleted files

2006-05-15T23:55:42Z

Uwe Hermann: HowTo:Sleuth Kit moved to How to recover deleted files: Moved title to name of the HOWTO. I'll create a "Howtos" category now, where we can put all the HOWTOs...

Using the [[Sleuth Kit]] to:

* [http://www.sleuthkit.org/informer/sleuthkit-informer-14.html Recover deleted files]

Autopsy Forensic Browser

2006-05-15T23:51:47Z

Uwe Hermann: Autopsy moved to Autopsy Forensic Browser: Move to full name.

{{Infobox_Software |
name = Autopsy |
maintainer = [[Brian Carrier]] |
os = {{Web-based}} |
genre = {{Analysis}} |
license = {{GPL}} |
website = [http://sleuthkit.org/autopsy/ sleuthkit.org/autopsy/] |
}}

The '''Autopsy Forensic Browser''' ('''Autopsy''') is a graphical interface to the command line digital investigation analysis tools in [[The Sleuth Kit]]. Together, they can analyze [[Windows]] and [[UNIX]] disks and [[file systems]] ([[NTFS]], [[FAT]], [[UFS1]]/[[UFS2]], [[Ext2]]/[[Ext3]]).

The [[Sleuthkit]] and Autopsy are both Open Source and run on UNIX platforms. As Autopsy is [[HTML]]-based, you can connect to the Autopsy server from any platform using a web browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.

Autopsy

2006-05-15T23:51:47Z

Uwe Hermann: Autopsy moved to Autopsy Forensic Browser: Move to full name.

#REDIRECT [[Autopsy Forensic Browser]]

Brian Carrier

2006-05-15T23:51:32Z

Uwe Hermann:

'''Brian Carrier''' is the author of [[The Sleuth Kit]] and the [[Autopsy Forensic Browser]].

[[Category:People]]

The Sleuth Kit

2006-05-15T23:50:14Z

Uwe Hermann: Sleuthkit moved to The Sleuth Kit: Move to full name.

{{Infobox_Software |
name = The Sleuth Kit |
maintainer = [[Brian Carrier]] |
os = {{Linux}}, {{FreeBSD}}, {{OpenBSD}}, {{Mac OS X}}, {{SunOS}} |
genre = {{Disk file systems}} |
license = {{IBM Open Source License}}, {{Common Public License}}, {{GPL}} |
website = [http://www.sleuthkit.org/ sleuthkit.org] |
}}

'''The Sleuth Kit''' ('''TSK''') is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports [[FAT]], [[Ext2]]/[[Ext3|3]], [[NTFS]], [[UFS1]], and [[UFS2]] [[file system]]s.

[[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.

=Features=

The Sleuth Kit is arranged in layers. There is a ''data layer'' which is concerned with how information is stored on a disk and a ''metadata layer'' which is considered with information such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'', which the commands that deal with the metadata layer are prefixed with the letter ''i''.

Some of the commands in Sleuth Kit are:

; dcat
: Views the contents of a [[block]].

; dls
: Lists [[unallocated block]]s. Makes keyword searches more efficient. Gets a list of unallocated blocks.

; dcalc
: Tells you where an unallocated blocks are.

; dstat
: Details about a given block.

; icat
: View contents of a file given its inode value or [[cluster number]]. Doesn't list directories, lists the contents.

; ils
: Lists the files extents on a disk.

; istat
: Information about an inode number.

==File Systems Understood==

* [[NTFS]]
* [[FAT]]
* [[EXT2]], [[EXT3]]
* [[UFS1]], [[UFS2]]

==File Search Facilities==

* Lists allocated and unallocated files.
* Lists and sorts by file type.
* Shows a time time of creation and change.

==Historical Reconstruction==

==Searching Abilities==

* Searches for keywords.
* Builds an index.

==Hash Databases==

* Uses [[MD5]] or [[SHA1]].
* Interfaces with [[NIST NSRL]], [[Hashkeeper]] and customer databases.

==Evidence Collection Features==

* Tracks forensic activity.

=History=

==License Notes==

Is it commercial or open source? Are there other licensing options?

= External Links =

* [http://www.sleuthkit.org/autopsy/desc.php Autopsy website]

==External Reviews==

Sleuthkit

2006-05-15T23:50:14Z

Uwe Hermann: Sleuthkit moved to The Sleuth Kit: Move to full name.

#REDIRECT [[The Sleuth Kit]]

The Sleuth Kit

2006-05-15T23:49:56Z

Uwe Hermann:

Autopsy Forensic Browser

2006-05-15T23:47:34Z

Uwe Hermann: Infobox + wikified.

Vinetto

2006-05-15T23:40:14Z

Uwe Hermann:

{{Infobox_Software |
name = Vinetto |
maintainer = [[Michel Roukine]] |
os = {{Linux}}, {{Windows}}, {{Mac OS X}} |
genre = {{Metadata}} |
license = {{GPL}} |
website = [http://vinetto.sourceforge.net/ vinetto.sf.net] |
}}

'''Vinetto''' is a forensics tool to examine [[Thumbs.db]] files. It is a command line Python script that works on [[Linux]], [[Mac OS X]] and [[Cygwin]] (win32).

== External Links ==

* [http://vinetto.sourceforge.net/test_JF_Beckers/vinetto.html Vinetto review and test]

Tools

2006-05-15T23:34:18Z

Uwe Hermann: /* Forensics Live CDs */

This is an '''overview of available tools''' for forensic [[investigator]]s. Please click on the name of any tool for more details.

'''Note: This page has gotten too big and is being broken up. See:'''
* [[Tools:Data Recovery]]
* [[Tools:Disk Imaging]]
* [[Tools:Memory Imaging]]

= Disk Analysis Tools =

== Linux-based Tools ==

; [[SMART]], by [[ASR Data]]
: http://www.asrdata.com

== Macintosh-based Tools ==

; [[Macintosh Forensic Software]], by [[BlackBag Technologies, Inc.]]
: http://www.blackbagtech.com/software_mfs.html

== Windows-based Tools ==

; [[BringBack]] by [[Tech Assist, Inc.]]
: http://www.toolsthatwork.com/bringback.htm

; [[EnCase]], by [[Guidance Software]]
: http://www.guidancesoftware.com/

; [[Forensic Toolkit]] ([[FTK]]), by [[AccessData]]
: http://www.accessdata.com/products/ftk/

; [[ILook Investigator]], by [[Elliot Spencer]] and [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
: http://www.ilook-forensics.org/

; [[Safeback]] by [[NTI]] and [[Armor Forensics]]
: http://www.forensics-intl.com/safeback.html

; [[X-Ways Forensics]] by [[X-Ways AG]]
: http://www.x-ways.net/forensics/index-m.html

== Open Source Tools ==

; [[AFFLIB]]
: A library for working with [[disk image]]s. Currently AFFLIB supports raw, [[AFF]], [[AFD]], and [[EnCase]] file formats. Work to support segmented raw, [[iLook]], and other formats is ongoing.

; [[Autopsy]]
: http://www.sleuthkit.org/autopsy/desc.php

; [[foremost]]
: http://foremost.sf.net/

; [[FTimes]]
: http://ftimes.sourceforge.net/FTimes/index.shtml
: FTimes is a system baselining and evidence collection tool.

; [[gfzip]]
: http://www.nongnu.org/gfzip/

; [[gpart]]
: http://www.stud.uni-hannover.de/user/76201/gpart/
: Tries to ''guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted''.

; [[magicrescue]]
: http://jbj.rapanden.dk/magicrescue/

; [[pyflag]]
: http://pyflag.sourceforge.net/

; [[Scalpel]]
: http://www.digitalforensicssolutions.com/Scalpel/

; [[scrounge-ntfs]]
: http://memberwebs.com/nielsen/software/scrounge/

; [[Sleuthkit]]
: http://www.sleuthkit.org/

; [[The Coroner's Toolkit]] ([[TCT]])
: http://www.porcupine.org/forensics/tct.html

; [[Zeitline]]
: http://projects.cerias.purdue.edu/forensics/timeline.php
: http://sourceforge.net/projects/zeitline/

== [[NDA]] and [[scoped distribution]] tools ==

; The [[Open Computer Forensics Architecture]]
: mailto:ocfa@dnpa.nl

= Forensics Live CDs =

; [[FCCU Gnu/Linux Boot CD]]
: A Live CD built on top of [[Knoppix]] with a lot of tools with forensic purpose.
: It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.

; [[Helix]]
: A Live CD built on top of [[Knoppix]] with special tools for incident response and electronic discovey.
: Its a hybrid CD which also contains a [[Cygwin]] environment for use on a running Windows system (w/o rebooting) including the sysinternal tools.

; [[Knoppix STD]]
: A Live CD built on top of [[Knoppix]].
: http://s-t-d.org/

; [[THE FARMER'S BOOT CD]]
: A [[Linux]] [[Live CD]], designed and optimized for previewing data in a [[forensically sound]] manner. It contains a number of programs forensic practitioners can utilize to preview both [[Windows]] and [[Linux]] systems.

; [[MacQuisition Boot CD]]
: A forensic [[Live CD]] built for imaging [[Macintosh]] systems.

= Metadata Extraction Tools =

; [[antiword]]
: http://www.winfield.demon.nl/

; [[catdoc]]
: http://www.45.free.net/~vitus/software/catdoc/

; [[jhead]]
: http://www.sentex.net/~mwandel/jhead/
: Displays or modifies [[Exif]] data in [[JPEG]] files.

; [[laola]]
: http://user.cs.tu-berlin.de/~schwartz/pmh/index.html

; [[vinetto]]
: http://vinetto.sourceforge.net/
: Examines [[Thumbs.db]] files.

; [[word2x]]
: http://word2x.sourceforge.net/

; [[wvWare]]
: http://wvware.sourceforge.net/
: Extracts metadata from various [[Microsoft]] Word files ([[doc]]). Can also convert doc files to other formats such as HTML or plain text.

; [[xpdf]]
: http://www.foolabs.com/xpdf/
: [[pdfinfo]] (part of the [[xpdf]] package) displays some metadata of [[PDF]] files.

; [[Metadata Assistant]]
: http://www.payneconsulting.com/products/metadataent/

= File Analysis Tools =

== Open Source Tools ==

; [[file]]
: The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes.

; [[ldd]]
: ...

; [[ltrace]]
: ...

; [[strace]]
: ...

; [[strings]]
: Strings will print the strings of printable characters in files. It allows choosing different charactersets (ASCII, UNICODE). It is a quick way to browse through files/partitions/... in order to look for words, filenames, keywords etc.

; [[Galleta]]
: Parses cookie files. http://www.foundstone.com/resources/proddesc/galleta.htm

; [[Pasco]]
; Parses '''index.dat'' files. http://www.foundstone.com/resources/proddesc/pasco.htm

; [[Rifiuti]]
; Examines the INFO2 file in the Recycle Bin http://www.foundstone.com/resources/proddesc/rifiuti.htm

== [[NDA]] and [[scoped distribution]] tools ==

; The [[Open Computer Forensics Architecture]]
: mailto:ocfa@dnpa.nl

= Network Forensics Tools =

; [[chkrootkit]]
: ...

; [[cryptcat]]
: ...

; [[netcat]]
: ...

; [[netflow]]/[[flowtools]]
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
: http://www.splintered.net/sw/flow-tools/

;[[NetIntercept]]
: http://www.sandstorm.net/netintercept

; [[rkhunter]]
: ...

; [[Sguil]]
: http://sguil.sourceforge.net/

; [[Snort]]
: http://www.snort.org/

; [[Tcpdump]]
: http://www.tcpdump.org

; [[tcpextract]]
: http://tcpxtract.sourceforge.net/

; [[tcpflow]]
: http://www.circlemud.org/~jelson/software/tcpflow/

= Anti-forensics Tools =

; [[Ontrack Data Eraser]]
: ...

; [[Slacker]]
: A tool to hide files within the [[slack space]] of the [[NTFS]] file system.
: http://www.metasploit.com/projects/antiforensics/slacker.exe

; [[Timestomp]]
: A tool that allows one to modify all four [[NTFS]] timestamp (MACE) values.
: http://www.metasploit.com/projects/antiforensics/timestomp.exe

== Securely deleting data ==

; [[BCWipe]]
: Secure data deletion tools for [[Windows]] and [[Unix]]-like [[operating systems]].

; [[CyberScrub cyberCide]]
: This program securely erases all data from drives or partitions.
: http://www.cyberscrub.com/products/cybercide/index.php

; [[CyberScrub Privacy Suite]]
: This program securely erases selected data, wipes free space, powerful scheduling capabilities.
: http://www.cyberscrub.com/products/privacysuite/index.php

; [[Darik's Boot and Nuke]] ([[DBAN]])
: This is a bootable disk that securely wipes any hard disk it can detect.
: http://dban.sourceforge.net/

; [[Eraser]]
: Offers several patterns for wiping data including [[Peter Gutmann]]'s and the [[US DoD 5200.28-STD]] standard.
: http://www.heidi.ie/eraser

; [[shred]]
: Part of GNU coreutils.

; [[wipe]]
: http://abaababa.ouvaton.org/wipe/

== See also ==

* [[Anti-forensic techniques]]
* [[Database Encryption]].

= Personal Digital Device Tools=

== PDA Forensics ==
; [[Paraben PDA Seizure]]
; [[Paraben PDA Seizure Toolbox]]
; [[PDD]]

== Cell Phone Forensics ==
; [[BitPIM]]
; [[DataPilot Secure View]]
; [[GSM .XRY]]
; [[ForensicMobile]]
; [[LogiCube CellDEK]]
; [[MOBILedit!]]
; [[Oxygen PM II]]
; [[Paraben Cell Seizure]]
; [[Paraben Cell Seizure Toolbox]]
; [[TULP2G]]

== SIM Card Forensics ==
; [[ForensicSIM]]
; [[Paraben SIM Seizure]]
; [[SIMCon]]

== Preservation Tools ==
; [[Paraben StrongHold Bag]]
; [[Paraben StrongHold Tent]]

= Other Tools =

; [[VMware]] Player
: http://www.vmware.com/products/player/
: A free player for [[VMware]] [[virtual machine]]s that will allow them to "play" on either [[Windows]] or [[Linux]]-based systems.

; [[VMware]] Server
: http://www.vmware.com/products/server/
: The free server product, for setting up/configuring/running [[VMware]] [[virtual machine]].Important difference being that it can run 'headless', i.e. everything in background.

== Hex Editors ==

; [[biew]]
: http://biew.sourceforge.net/en/biew.html

; [[hexdump]]
: ...

; [[Hex Workshop]]
: A hex editor from [[BreakPoint Software, Inc.]]
: http://www.bpsoft.com

; [[khexedit]]
: http://docs.kde.org/stable/en/kdeutils/khexedit/index.html

; [[WinHex]]
: Computer forensics software, data recovery software, hex editor, and disk editor from [[X-Ways]].
: http://www.x-ways.net/winhex

; [[xxd]]
: ...

== Telephone Scanners/War Dialers ==

;[[PhoneSweep]]
:http://www.sandstorm.net/phonesweep

THE FARMER'S BOOT CD

2006-05-15T23:32:15Z

Uwe Hermann: Wikified.

{{Infobox_Software |
name = THE FARMER'S BOOT CD |
maintainer = [[Thomas Rude]] |
os = {{Linux}}, {{Windows}} |
genre = {{Live CD}} |
license = ??? |
website = [http://www.forensicbootcd.com/ forensicbootcd.com] |
}}

'''THE FARMER'S BOOT CD''' ('''FBCD''') is a [[Linux]] [[boot CD]] developed by [[Thomas Rude]] ('farmerdude'). Taking a different approach than other [[Live CDs]], this CD was designed and optimized for previewing systems before acquiring. It contains a number of programs forensic practitioners can utilize to preview both [[Windows]] and [[Linux]] systems in a [[forensically sound]] manner.

== Preview Capabilities ==

THE FARMER'S BOOT CD has been designed for previewing both Windows and Linux systems. On-site previews before acquisitions is an emerging trend in the U.S.A. due to legal and technological reasons.

Below is a short list of what can be accomplished in a simple GUI on this CD;

* Mount file systems read-only, including journalled file system types
* Obtain a list of deleted files for ext2, FAT12/16/32, and NTFS file system types
* Undelete deleted files from NTFS file systems
* Obtain both E-mail and URL addresses from the Windows "pagefile.sys" file
* Read the Recycle Bin INFO2 records
* Read Windows event log files (AppEvent.Evt, SecEvent.Evt, SysEvent.Evt)
* Read many log files from Linux systems (shell histories, system logs, security logs, accounting logs, etc.)
* Obtain file system metainformation (creation date, last mount and write date, version, label, UUID, etc.)
* Parse Internet cache files from IE, Mozilla, and Opera, pulling cookies and histories
* Catalog target file system, selecting files of interest by extension or header
* Convert date/time between UNIX 32bit, UNIX hex, human readable, Windows 64bit, and Windows hex
* Generate thumbnails for all graphics in fully qualified path filename
* Obtain drive information (serial number, make/model, firmware, HPA status, etc.)
* Obtain system BIOS table information (serial numbers, dates, UUIDs, etc.)
* Obtain system hardware catalog
* Double-clicking on most common file types opens them (Documents, Graphics, Presentations, Movies, Audio, etc.)

== External Links ==

* [http://www.forensicbootcd.com/site/view.html THE FARMER'S BOOT CD screen shots] - Screen Shots for Delve Preview Program on the FBCD.
* [http://www.forensicfocus.com/farmers-boot-cd Preview Data in Under Twenty Minutes] - Paper on previewing data quickly at http://www.forensicfocus.com.

THE FARMER'S BOOT CD

2006-05-15T23:25:31Z

Uwe Hermann: Infobox.

{{Infobox_Software |
name = THE FARMER'S BOOT CD |
maintainer = [[Thomas Rude]] |
os = {{Linux}}, {{Windows}} |
genre = {{Live CD}} |
license = ??? |
website = [http://www.forensicbootcd.com/ forensicbootcd.com] |
}}

[http://www.forensicbootcd.com/ THE FARMER'S BOOT CD (FBCD)] is a unique Linux boot CD. Taking a different approach than other [[Live CDs]], this CD was designed and optimized for previewing systems before acquiring. THE FARMER'S BOOT CD contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems in a forensically sound manner. Developed by Thomas Rude ('farmerdude').

== Preview Capabilities ==

THE FARMER'S BOOT CD has been designed for previewing both Windows and Linux systems. On-site previews before acquisitions is an emerging trend in the U.S.A. due to legal and technological reasons.

Below is a short list of what can be accomplished in a simple GUI on this CD;

- Mount file systems read-only, including journalled file system types
- Obtain a list of deleted files for ext2, FAT12/16/32, and NTFS file system types
- Undelete deleted files from NTFS file systems
- Obtain both E-mail and URL addresses from the Windows "pagefile.sys" file
- Read the Recycle Bin INFO2 records
- Read Windows event log files (AppEvent.Evt, SecEvent.Evt, SysEvent.Evt)
- Read many log files from Linux systems (shell histories, system logs, security logs, accounting logs, etc.)
- Obtain file system metainformation (creation date, last mount and write date, version, label, UUID, etc.)
- Parse Internet cache files from IE, Mozilla, and Opera, pulling cookies and histories
- Catalog target file system, selecting files of interest by extension or header
- Convert date/time between UNIX 32bit, UNIX hex, human readable, Windows 64bit, and Windows hex
- Generate thumbnails for all graphics in fully qualified path filename
- Obtain drive information (serial number, make/model, firmware, HPA status, etc.)
- Obtain system BIOS table information (serial numbers, dates, UUIDs, etc.)
- Obtain system hardware catalog
- Double-clicking on most common file types opens them (Documents, Graphics, Presentations, Movies, Audio, etc.)

== Links ==

[http://www.forensicbootcd.com/ THE FARMER'S BOOT CD Page] Main Page for THE FARMER'S BOOT CD (FBCD).

[http://www.forensicbootcd.com/site/view.html THE FARMER'S BOOT CD screen shots] Screen Shots for Delve Preview Program on the FBCD.

[http://www.forensicfocus.com/farmers-boot-cd Preview Data in Under Twenty Minutes] Paper on previewing data quickly at http://www.forensicfocus.com

[[category:Forensic Utilities Linux Windows Live CD]]

Open Computer Forensics Architecture

2006-05-15T23:23:11Z

Uwe Hermann: Typo.

The '''Open Computer Forensics Architecture''' ('''OCFA''') is a modular computer forensics framework built by the [[Dutch National Police Agency]]. The main goal is to automate the digital forensic process to speed up the investigation and give tactical [[investigator]]s direct access to the seized data through an easy to use search and browse interface.

The architecture forms an environment where existing forensic [[tools]] and libraries can be easily plugged into the architecture and can thus be made part of the recursive extraction of data and [[metadata]] from digital evidence.

The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and covers hundreds of evidence items.

Currently the Open Computer Forensics Architecture is only available for [[law enforcement]]. Organizations interested can send an email to [mailto:ocfa@dnpa.nl ocfa@dnpa.nl]. Under [[NDA]] conditions it can also be made available for academic purposes. Questions about licensing can be directed at [mailto:license@dnpa.nl license@dnpa.nl].