Difference between pages "Tools:File Analysis" and "JTAG Forensics"

From ForensicsWiki

Tools:File Analysis (left page of the comparison; edit summary: "Added eMule Reader.")

== Image Analysis ==
; [[SurfRecon LE rapid image analysis tool]] by SurfRecon, Inc.
: http://www.surfrecon.com

== Software Forensics ==
; [[CodeSuite]] by Software Analysis & Forensic Engineering
: CodeSuite comprises BitMatch, CodeCross, CodeDiff, CodeMatch, and SourceDetective for comparing and analyzing source code and object code to find copyright infringement and trade secret theft. It can be used for free on small sets of code.
: CodeSuite also includes FileCount and FileIsolate for counting file attributes and quickly copying or deleting entire file trees. Both are free utilities.
: http://www.safe-corp.biz

== Open Source Tools ==

; [[file]]
: The file command determines the file type of a given file from its contents rather than from its extension or filename. To do that, it uses a magic configuration file that identifies file types.

; [[ldd]]
: Lists the dynamic dependencies of executable files.

; [[truss]]
: Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends its output to stderr.
: http://docs.sun.com/app/docs/doc/819-2239/truss-1?l=en&a=view&q=truss

; [[PDF Miner]]
: "...suite of programs that aims to help analyzing text data from PDF documents. It includes a PDF parser, a PDF renderer (though only rendering text is supported for now), and a couple of nice tools to extract texts. Unlike other PDF-related tools, it allows one to obtain the exact location of texts in a page, as well as other layout information such as font size or font name, which could be useful for analyzing the document. It also infers text running within a page by using a clustering technique."
: http://www.unixuser.org/~euske/python/pdfminer/index.html

; [[ltrace]]
: Library call tracer.
: http://linux.die.net/man/1/ltrace

; [[strace]]
: System call tracer.
: http://sourceforge.net/projects/strace/

; [[xtrace]]
: eXtended trace utility, similar to strace, ptrace and truss, but with extended functionality and unique features such as dumping function calls (dynamically or statically linked), dumping the call stack, and more.
: http://sourceforge.net/projects/xtrace/

; [[ktrace]]
: Enables kernel process tracing on OpenBSD.
: http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

; [[Valgrind]]
: Executes a program under emulation, performing analysis according to one of its many plug-in modules. You can also write your own plug-in module.
: http://valgrind.org/

; [[DTrace]]
: Comprehensive dynamic tracing framework for Solaris (also ported to Mac OS X, where it appears as XRay, and to FreeBSD). DTrace provides a powerful infrastructure for investigating the behavior of the operating system and user programs.
: http://www.sun.com/bigadmin/content/dtrace/

; [[strings]]
: Strings prints the runs of printable characters found in files. It allows choosing different character sets (ASCII, Unicode). It is a quick way to browse through files, partitions and similar in order to look for words, filenames, keywords etc.

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[Rifiuti]] (not GPL)
: Examines the INFO2 file in the Recycle Bin.
: http://www.foundstone.com/us/resources/proddesc/rifiuti.htm

; [[Pasco]] (not GPL)
: Parses ''index.dat'' files.
: http://www.foundstone.com/us/resources/proddesc/pasco.htm

; [[Galleta]] (not GPL)
: Parses cookie files.
: http://www.foundstone.com/us/resources/proddesc/galleta.htm

; dumpster_dive.pl
: MS Windows Recycle Bin INFO2 parser.
: http://jafat.sourceforge.net/files.html

; cookie_cruncher.pl
: MS IE cookie file parser.
: http://jafat.sourceforge.net/files.html

; [[yim2text]]
: Extracts the 'encrypted' information in Yahoo Instant Messenger log files.
: http://www.1vs0.com/tools.html

; [[Hachoir]]
: Determines the file type using the file header/footer (hachoir-metadata --type), is able to list strings in Unicode (hachoir-grep), etc. Supports more than 60 file formats.

; [[Cygwin]]
: http://www.cygwin.com/
: Linux-like environment for Windows.

; [[UnxUtils]]
: http://unxutils.sourceforge.net/
: Common Unix utilities compiled for a Windows environment.

; [[GnuWin32]]
: http://gnuwin32.sourceforge.net/
: Common GNU utilities compiled for a Windows environment.

; [[SUA]]
: http://www.microsoft.com/windowsserver2003/R2/unixcomponents/webinstall.mspx
: Microsoft Subsystem for UNIX-based Applications.

== File Sharing Analysis Tools ==
; [http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/emule-reader eMule Reader]
: eMule Reader is a suite of command-line executables for parsing and printing configuration and log files associated with the eMule P2P client. eMule Reader is available free of charge.

; [[P2PMarshal|P2P Marshal]]
: Tools to discover and analyze peer-to-peer files for Windows.

== [[NDA]] and [[scoped distribution]] tools ==

JTAG Forensics (right page of the comparison; revision as of 23:23, 17 August 2013)

== Definition ==

=== From Wikipedia (http://en.wikipedia.org/wiki/Joint_Test_Action_Group): ===

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

=== Forensic Application ===

JTAG forensics is an acquisition procedure that involves connecting to the Standard Test Access Port (TAP) on a device and instructing the processor to transfer the raw data stored on the connected memory chips. JTAGging supported phones can be an extremely effective technique for extracting a full physical image from devices that cannot be acquired by other means.

== Tools and Equipment ==

* [[JTAG and Chip-Off Tools and Equipment]]

== Procedures ==

* [[JTAG HTC Wildfire S]]
* [[JTAG LG P930]]
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]