Difference between pages "TestDisk" and "Plaso"

From ForensicsWiki

= TestDisk =

{{Infobox Software
| logo = [[Image:TestDisk-logo.gif]]
| name = TestDisk
| developer = Christophe Grenier
| maintainer = Christophe Grenier
| latest_release_version = 6.8
| latest_release_date = August 13, 2007
| os = {{Linux}}, {{Windows}}, {{Mac OS X}}, DOS, BSD
| interface = Command line interface
| genre = Data recovery
| license = GPLv2+
| website = [http://www.cgsecurity.org/wiki/TestDisk TestDisk Wiki]
}}

'''TestDisk''' is a free software data recovery utility licensed under the terms of the GNU General Public License (GPL). It was primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table).

[http://www.cgsecurity.org/wiki/TestDisk_%26_PhotoRec_in_various_digital_forensics_testcase Forensics usage of TestDisk and PhotoRec] is described on the web site.

==Summary==
TestDisk queries the BIOS or the operating system in order to find the hard disks and their characteristics (LBA size and Cylinder-head-sector geometry). TestDisk does a quick check of your disk's structure and compares it with your Partition Table for entry errors. If the Partition Table has entry errors, TestDisk can repair them.

However, it's up to the user to look over the list of possible partitions found by TestDisk and to select the one(s) which were being used just before the drive failed to boot or the partition(s) were lost. In some cases, especially after initiating a detailed search for lost partitions, TestDisk may show partition data which is simply from the remnants of a partition that had been deleted and overwritten long ago.

TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery.

==Supported operating systems==
* [[DOS]] (either real or in a Windows 9x DOS box);
* [[Microsoft]] [[Windows]] (NT4, 2000, XP, 2003, Vista);
* [[Linux]];
* [[FreeBSD]], [[NetBSD]], [[OpenBSD]];
* SunOS and
* [[Mac OS X]]

==File systems==
TestDisk can find lost partitions of the following file systems:
* Be File System (BeOS)
* BSD disklabel ([[FreeBSD]]/[[OpenBSD]]/[[NetBSD]])
* [[Cramfs]], Compressed File System
* DOS/Windows [[FAT]] 12, 16, and 32
* [[HFS]], [[HFS+]] and [[HFS+|HFSX]], Hierarchical File System
* IBM Journaled File System 2 (JFS2), IBM's Journaled File System
* [[Linux]] [[ext2]] and [[ext3]]
* [[Linux]] RAID
** RAID 1: mirroring
** RAID 4: striped array with parity device
** RAID 5: striped array with distributed parity information
** RAID 6: striped array with distributed dual redundancy information
* Linux Swap (versions 1 and 2)
* [[Linux Logical Volume Manager (LVM)|LVM]] and [[Linux Logical Volume Manager (LVM)|LVM2]], [[Linux Logical Volume Manager (LVM)|Linux Logical Volume Manager]]
* Mac partition map
* Novell Storage Services (NSS)
* [[NTFS]] ([[Windows]] NT/2000/XP/2003/Vista/2008)
* [[Reiserfs | ReiserFS]] 3.5, 3.6 and 4
* Sun Solaris i386 disklabel
* Unix File System: [[Unix File System|UFS]] and [[Unix File System|UFS2]] (Sun/BSD/...)
* XFS, SGI's Journaled File System

== See also ==
* [[PhotoRec]]

==External links==
* [http://www.cgsecurity.org/wiki/TestDisk TestDisk Wiki]

= Plaso =

{{Infobox_Software |
  name = plaso |
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{APL}} |
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
}}

Plaso (from the Icelandic "plaso langar að safna öllu", "plaso wants to collect everything") is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].

The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].

== Supported Formats ==

=== Storage Media Image File Formats ===
Storage Media Image File Format support is provided by [[dfvfs]].

=== Volume System Formats ===
Volume System Format support is provided by [[dfvfs]].

=== File System Formats ===
File System Format support is provided by [[dfvfs]].

=== File formats ===
<b>TODO expand this list</b>
* Apple System Log (ASL)
* Basic Security Module (BSM)
* Bencode files
* [[Google Chrome|Chrome cache files]]
* [[Extensible Storage Engine (ESE) Database File (EDB) format]] using [[libesedb]]
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
* [[OLE Compound File]] using [[libolecf]]
* [[Property list (plist)|Property list (plist) format]] using [[binplist]]
* SQLite databases
* Syslog
* [[Windows Event Log (EVT)]] using [[libevt]]
* [[Windows NT Registry File (REGF)]] using [[libregf]]
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]

=== Bencode file formats ===
* Transmission
* uTorrent

=== ESE database file formats ===
* Internet Explorer WebCache format

=== OLE Compound File formats ===
* Document summary information
* Summary information (top-level only)

=== Property list (plist) formats ===
<b>TODO expand this list</b>

=== SQLite database file formats ===
* Android call logs
* Android SMS
* Chrome cookies
* Chrome browsing and downloads history
* Firefox browsing and downloads history
* Google Drive
* Launch services quarantine events
* MacKeeper
* Mac OS X document versions
* Skype
* Zeitgeist activity

=== Windows Registry formats ===
<b>TODO expand this list</b>

== History ==
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]] and other projects.

== See Also ==
* [[dfvfs]]
* [[log2timeline]]

== External Links ==
* [https://code.google.com/p/plaso/ Project site]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://blog.kiddaland.net/ Project blog]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]
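The correlated "super timeline" described in the Plaso introduction depends on normalising every artifact's native timestamp to one clock before sorting. The following is an added illustration, not plaso's own code: it takes three artifact types from the supported-formats list above (syslog, Chrome browsing history, a Windows Registry last-write time), converts each epoch to UTC and merges them into one ordered timeline. All sample inputs are constructed; the assumption that the syslog host clock runs in UTC and the year value are analyst-supplied.

```python
"""Added example (not plaso code): merge syslog lines, a Chrome History
row (WebKit timestamp) and a Windows FILETIME into one UTC timeline.
All inputs below are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

# Chrome/WebKit and Windows FILETIME both count from 1601-01-01 UTC:
# WebKit in microseconds, FILETIME in 100-nanosecond ticks.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    return EPOCH_1601 + timedelta(microseconds=value)

def filetime_to_utc(value):
    return EPOCH_1601 + timedelta(microseconds=value // 10)

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_syslog(line, year):
    """Syslog carries no year or zone; the analyst supplies the year and
    the host clock is assumed (here) to be UTC. Returns None on no match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host, msg = m.groups()
    ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                  tzinfo=timezone.utc)
    return (ts, "syslog", host, msg)

def build_timeline(syslog_lines, chrome_rows, filetimes, year=2014):
    """Return (timestamp, source, host, description) tuples sorted by time."""
    events = [e for e in (parse_syslog(l, year) for l in syslog_lines) if e]
    events += [(webkit_to_utc(t), "chrome:history", "browser", url)
               for url, t in chrome_rows]
    events += [(filetime_to_utc(t), "windows:registry", "hive", key)
               for key, t in filetimes]
    return sorted(events)

# Constructed sample artifacts (hypothetical host, URL and key).
SYSLOG = ["Jun  3 03:31:07 ws01 sshd[2010]: Accepted publickey for alice",
          "Jun  3 03:33:00 ws01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash"]
CHROME = [("http://example.test/login", 13046239920000000)]   # WebKit us
REGISTRY = [("HKCU\\Software\\Example LastWrite", 130462400400000000)]

if __name__ == "__main__":
    for ts, source, host, desc in build_timeline(SYSLOG, CHROME, REGISTRY):
        print(ts.isoformat(), source, host, desc, sep="\t")
```

Interleaving the browser visit and the registry write between the two syslog entries is the point: no single artifact shows that order on its own.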

Revision as of 03:33, 3 June 2014
