Difference between pages "The Sleuth Kit" and "Microsoft PocketPC"

From Forensics Wiki
 
(Did some reorganizing. Added an overview section and content.)
 
Line 1: Line 1:
'''The Sleuth Kit''' (TSK) is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports [[FAT]], [[Ext2]]/[[Ext3|3]], [[NTFS]], [[UFS1]], and [[UFS2]] [[file system]]s.
+
=Overview=
 +
Microsoft PocketPC In 2001, PDAs with Palm OS installed enjoyed a market share of about 72 percent, while PocketPC held a meager 15 percent.  However, by the fourth quarter of 2004, Microsoft PocketPC and Palm OS were practically tied.  With sales of Palm OS devices down, PocketPC-based devices had a market share of 40.2 percent to Palm's 40.7 percent.  This is evidence of the growing popularity of PocketPC-based devices, and thus the increased likeliness one will encounter such a device "in the field."
  
[[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.
 
  
+
== History ==
=Features=
+
  
The Sleuth Kit is arranged in layers. There is a ''data layer'' which is concerned with how information is stored on a disk and a ''metadata layer'' which is considered with information such as [[inode]]s and [[directory|directories]]. The commands that deal with the data layer are prefixed with the letter ''d'', which the commands that deal with the metadata layer are prefixed with the letter ''i''.
+
The PocketPC operating system began as Windows CE in November of 1996. The NEC MobilePro 200 and the Casio A-10 were the first two PDA-type device available with this early version of the operating system.  From here, Windows CE continued in development through versions 2 (with such devices as the MD Elan SC400, DEC SA1100, Hitachi SuperH 3, NEC VR4101, Philips DR 31500, and the Toshiba TX3912).
  
Some of the commands in Sleuth Kit are:
 
  
; dcat
 
: Views the contents of a [[block]].
 
  
; dls
+
'''References:'''
: Lists [[unallocated block]]s. Makes keyword searches more efficient. Gets a list of unallocated blocks.
+
----
  
; dcalc
+
[http://www.hpcfactor.com/support/windowsce/ The History of Microsoft Windows CE]
: Tells you where an unallocated blocks are.
+
  
; dstat
+
[http://palmtops.about.com/cs/pdafacts/a/Palm_Pocket_PC.htm Palm vs. Pocket PC-The Great Debate]
: Details about a given block.
+
  
; icat
+
[http://www.windowsfordevices.com/news/NS8063885791.html Gartner: Windows CE ties Palm]
: View contents of a file given its inode value or [[cluster number]]. Doesn't list directories, lists the contents.
+
 
+
; ils
+
: Lists the files extents on a disk.
+
 
+
; istat
+
: Information about an inode number.
+
 
+
==File Systems Understood==
+
 
+
* [[NTFS]]
+
* [[FAT]]
+
* [[EXT2]], [[EXT3]]
+
* [[UFS1]], [[UFS2]]
+
+
==File Search Facilities==
+
 
+
* Lists allocated and unallocated files.
+
* Lists and sorts by file type.
+
* Shows a time time of creation and change.
+
+
==Historical Reconstruction==
+
+
==Searching Abilities==
+
+
* Searches for keywords.
+
* Builds an index.
+
 
+
==Hash Databases==
+
 
+
* Uses [[MD5]] or [[SHA1]].
+
* Interfaces with [[NIST NSRL]], [[Hashkeeper]] and customer databases.
+
+
==Evidence Collection Features==
+
+
* Tracks forensic activity.
+
 
+
=History=
+
 
+
==License Notes==
+
 
+
Is it commercial or open source? Are there other licensing options?
+
 
+
= External Links =
+
 
+
* [http://www.sleuthkit.org Official website]
+
* [http://www.sleuthkit.org/autopsy/desc.php Autopsy website]
+
+
==External Reviews==
+
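Review bot: The new Overview paragraph opens with the page title run into its first sentence ("Microsoft PocketPC In 2001, PDAs with Palm OS installed ..."); drop the stray title or make it a sentence of its own. In the History paragraph, "the first two PDA-type device" needs a plural, and "continued in development through versions 2 (with such devices as ...)" stops at version 2 without reaching the PocketPC name the section sets out to explain, so the section should either continue or be marked as incomplete. The market-share figures (72 and 15 percent in 2001, 40.2 versus 40.7 percent in the fourth quarter of 2004) are not tied to any of the three links under References; inline citations would let a reader check them. Per the title, this comparison is between two different pages, so the Sleuth Kit lines (dcat, dls, icat and the rest) are the other side of the comparison rather than content of this revision.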

Revision as of 10:28, 6 February 2006

Overview

In 2001, PDAs with Palm OS installed enjoyed a market share of about 72 percent, while PocketPC held a meager 15 percent. However, by the fourth quarter of 2004, Microsoft PocketPC and Palm OS were practically tied. With sales of Palm OS devices down, PocketPC-based devices had a market share of 40.2 percent to Palm's 40.7 percent. This is evidence of the growing popularity of PocketPC-based devices, and thus of the increased likelihood that one will encounter such a device "in the field."


History

The PocketPC operating system began as Windows CE in November of 1996. The NEC MobilePro 200 and the Casio A-10 were the first two PDA-type devices available with this early version of the operating system. From here, Windows CE continued in development through version 2 (with such devices as the MD Elan SC400, DEC SA1100, Hitachi SuperH 3, NEC VR4101, Philips DR 31500, and the Toshiba TX3912).


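References:

The History of Microsoft Windows CE (http://www.hpcfactor.com/support/windowsce/)

Palm vs. Pocket PC-The Great Debate (http://palmtops.about.com/cs/pdafacts/a/Palm_Pocket_PC.htm)

Gartner: Windows CE ties Palm (http://www.windowsfordevices.com/news/NS8063885791.html)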