Difference between pages "Ddrescue" and "Plaso"

From ForensicsWiki

{{Infobox_Software |
  name = ddrescue |
  maintainer = [[Antonio Diaz Diaz]]|
  os = {{Linux}}|
  genre = {{Disk imaging}} |
  license = {{GPL}} |
  website = [http://www.gnu.org/software/ddrescue/ddrescue.html http://www.gnu.org/software/ddrescue/ddrescue.html] |
}}

'''ddrescue''' is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors." The application is developed as part of the GNU project and was written with UNIX/Linux in mind.

'''ddrescue''' and '''[[dd_rescue]]''' are completely different programs which share no development between them. The two projects are not related in any way except that they both attempt to enhance the standard [[dd]] tool and coincidentally chose similar names for their new programs.

From the [[ddrescue]] info pages:
<blockquote>
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.<br><br>

Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps.<br><br>

The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.<br><br>

If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.<br><br>

Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies.
</blockquote>

Two points matter when the image is evidence rather than a backup. The output receives nothing for blocks that could not be read (a freshly created image file is therefore zero-filled there), and the logfile is the only record of where those gaps are, so keep it next to the image and hash both. The logfile was renamed "mapfile" in later ddrescue releases; the format and the status characters (?*/-+) are the same.

== Installation ==

=== Bootable CD ===
ddrescue is available on bootable rescue CDs such as SystemRescueCd http://www.sysresccd.org/Main_Page.

=== Debian and Ubuntu ===
The package 'ddrescue' in Debian and Ubuntu is actually [[dd_rescue]], another dd-like program which does not maintain a recovery log. The correct package is gddrescue; it installs the binary as <tt>ddrescue</tt>.

Debian
<blockquote>
aptitude install gddrescue
</blockquote>
Ubuntu
<blockquote>
sudo apt-get install gddrescue
</blockquote>

=== Gentoo ===
<blockquote>
emerge ddrescue
</blockquote>

== Partition recovery ==

=== Kernel 2.6.3+ & ddrescue 1.4+ ===
'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.

First you copy as much data as possible, without retrying or splitting sectors:
<blockquote>
ddrescue --no-split /dev/hda1 imagefile logfile
</blockquote>

Now let it retry previous errors 3 times, using uncached reads:
<blockquote>
ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile
</blockquote>

If that fails you can try again but retrimmed, so it tries to reread full sectors:
<blockquote>
ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile
</blockquote>

You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) on that copy to try to fix errors caused by the bad blocks. Never run them on the only image you have: keep the original imagefile (and its logfile) untouched in case the filesystem is severely broken and recovery or carving tools such as TestDisk or PhotoRec need to be used on it.

=== Before linux kernel 2.6.3 / 2.4.x ===
In 2.6.3 the 'raw device' has been marked obsolete. On later kernels ddrescue will use O_DIRECT on the input to do uncached reads.

First you copy as much data as possible, without retrying or splitting sectors:
<blockquote>
ddrescue --no-split /dev/hda1 imagefile logfile
</blockquote>

Now change over to raw device access. Let it retry previous errors 3 times, don't read past the last block in the logfile:
<blockquote>
modprobe raw<br>
raw /dev/raw/raw1 /dev/hda1<br>
ddrescue --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
</blockquote>

If that fails you can try again (still using raw) but retrimmed, so it tries to reread full sectors:
<blockquote>
ddrescue --retrim --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
</blockquote>

You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) on that copy to try to fix errors caused by the bad blocks. Keep the original imagefile and logfile untouched in case the filesystem is severely broken and recovery or carving tools such as TestDisk or PhotoRec need to be used on it.

At the end you may want to unbind the raw device:
<blockquote>
raw /dev/raw/raw1 0 0
</blockquote>

== Examples ==

These two examples are taken directly from the [[ddrescue]] info pages.

Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2

'''Please Note:''' This will overwrite ALL data on the partition you are copying to. If you do not want to do that, rather create an image of the partition to be rescued.
<blockquote>
ddrescue -r3 /dev/hda2 /dev/hdb2 logfile<br>
e2fsck -v -f /dev/hdb2<br>
mount -t ext2 -o ro /dev/hdb2 /mnt<br>
</blockquote>

Example 2: Rescue a CD-ROM in /dev/cdrom
<blockquote>
ddrescue -b 2048 /dev/cdrom cdimage logfile
</blockquote>
write cdimage to a blank CD-ROM

This example is derived from the ddrescue manual.

Example 3: Rescue an entire hard disk /dev/sda to another disk /dev/sdb

copy the error-free areas first
<blockquote>
ddrescue -n /dev/sda /dev/sdb rescue.log
</blockquote>
attempt to recover any bad sectors
<blockquote>
ddrescue -r 1 /dev/sda /dev/sdb rescue.log
</blockquote>

== Options ==

 -h, --help
     display this help and exit
 -V, --version
     output version information and exit
 -b, --block-size=<bytes>
     hardware block size of input device [512]
 -B, --binary-prefixes
     show binary multipliers in numbers [default SI]
 -c, --cluster-size=<blocks>
     hardware blocks to copy at a time [128]
 -C, --complete-only
     do not read new data beyond logfile limits
 -d, --direct
     use direct disc access for input file
 -D, --synchronous
     use synchronous writes for output file
 -e, --max-errors=<n>
     maximum number of error areas allowed
 -F, --fill=<types>
     fill given type areas with infile data (?*/-+)
 -g, --generate-logfile
     generate approximate logfile from partial copy
 -i, --input-position=<pos>
     starting position in input file [0]
 -n, --no-split
     do not try to split or retry error areas
 -o, --output-position=<pos>
     starting position in output file [ipos]
 -q, --quiet
     quiet operation
 -r, --max-retries=<n>
     exit after given retries (-1=infinity) [0]
 -R, --retrim
     mark all error areas as non-trimmed
 -s, --max-size=<bytes>
     maximum size of data to be copied
 -S, --sparse
     use sparse writes for output file
 -t, --truncate
     truncate output file
 -v, --verbose
     verbose operation

Numbers may be followed by a multiplier: b = blocks, k = kB = 10^3 = 1000, Ki = KiB = 2^10 = 1024, M = 10^6, Mi = 2^20, G = 10^9, Gi = 2^30, etc.

== Cygwin ==

As of release 1.4-rc1, it can be compiled directly in [[Cygwin]] [http://en.wikipedia.org/wiki/Out_of_the_box out of the box]. Precompiled packages are available in the [http://cygwin.com/packages/ Cygwin distribution]. This makes it usable natively on [[Windows]] systems.

== See also ==

* [[aimage]]
* [[Blackbag]]
* [[dcfldd]]
* [[dd]]
* [[dd_rescue]]
* [[sdd]]

== Other Resources ==
* [http://pfuender.net/?p=80 Useful code snippets for ddrescue]
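== Reading the logfile ==

The logfile ddrescue keeps (renamed "mapfile" from release 1.20 on) is the record of which byte ranges were copied, which still need a retry and which are bad; the type characters listed under the -F option (?*/-+) are exactly the status codes it uses. The parser below is an added example for this page, not code from the ddrescue project. It reads such a logfile, checks that the block list is contiguous (a logfile with gaps or overlaps is one ddrescue itself reports as invalid), totals bytes per status, reports whether any block could still benefit from another pass, and lists the LBAs of bad sectors so they can later be mapped onto files. The embedded logfile is constructed for the example; the format assumed is the 1.x one (a "current_pos current_status" line followed by "pos size status" lines with hexadecimal numbers), and the parser also accepts the later three-column status line.

```python
"""Parse and summarise a GNU ddrescue logfile (mapfile in later releases).

Added example for the ForensicsWiki ddrescue page; not ddrescue code.
Assumed format (ddrescue 1.x): '#' starts a comment, the first data line is
the status line "current_pos current_status [current_pass]", every later
line is "pos size status" with hexadecimal pos/size and a one-character
status. SAMPLE_LOGFILE is constructed for this example.
"""

STATUS_NAMES = {
    "?": "non-tried",
    "*": "non-trimmed",
    "/": "non-scraped (called non-split in older releases)",
    "-": "bad-sector",
    "+": "finished",
}

SAMPLE_LOGFILE = """\
# Rescue Logfile. Created by GNU ddrescue version 1.17
# Command line: ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile
# current_pos  current_status
0x00020000     ?
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00000200  -
0x00010200  0x0000FE00  +
0x00020000  0x00010000  ?
"""


def parse_logfile(text):
    """Return (current_pos, current_status, blocks).

    blocks is a list of (pos, size, status) covering the input domain.
    Raises ValueError on a malformed or non-contiguous block list.
    """
    current = None
    blocks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if current is None:
            # Status line: current_pos current_status [current_pass]
            if len(fields) < 2 or fields[1] not in STATUS_NAMES:
                raise ValueError("bad status line: %r" % raw)
            current = (int(fields[0], 0), fields[1])
            continue
        if len(fields) != 3 or fields[2] not in STATUS_NAMES:
            raise ValueError("bad block line: %r" % raw)
        pos, size = int(fields[0], 0), int(fields[1], 0)
        if size <= 0:
            raise ValueError("zero-sized block: %r" % raw)
        if blocks:
            prev_pos, prev_size, _ = blocks[-1]
            if pos != prev_pos + prev_size:  # ddrescue requires a gapless list
                raise ValueError("gap or overlap at 0x%x" % pos)
        blocks.append((pos, size, fields[2]))
    if current is None or not blocks:
        raise ValueError("logfile has no status line or no blocks")
    return current[0], current[1], blocks


def summarise(blocks):
    """Bytes per status, total size and the fraction already rescued."""
    totals = {status: 0 for status in STATUS_NAMES}
    for _, size, status in blocks:
        totals[status] += size
    total = sum(totals.values())
    totals["total"] = total
    totals["finished_fraction"] = totals["+"] / total if total else 0.0
    return totals


def rescue_complete(blocks):
    """True once every block is either finished or a confirmed bad sector."""
    return all(status in ("+", "-") for _, _, status in blocks)


def bad_sectors(blocks, sector_size=512):
    """LBAs of every sector still marked bad, for mapping onto files later."""
    lbas = []
    for pos, size, status in blocks:
        if status == "-":
            first = pos // sector_size
            last = (pos + size + sector_size - 1) // sector_size
            lbas.extend(range(first, last))
    return lbas


if __name__ == "__main__":
    cur_pos, cur_status, blocks = parse_logfile(SAMPLE_LOGFILE)
    print("current position 0x%x (%s)" % (cur_pos, STATUS_NAMES[cur_status]))
    for key, value in summarise(blocks).items():
        print("%-20s %s" % (key, value))
    print("complete:", rescue_complete(blocks))
    print("bad sector LBAs:", bad_sectors(blocks))
```

Run it against a real logfile by replacing SAMPLE_LOGFILE with the file's contents; a non-empty list from bad_sectors() after the retrim pass is the list of sectors that should be explained in the imaging notes.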

Revision as of 01:54, 4 June 2014

{{Infobox_Software |
  name = plaso |
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{APL}} |
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
}}

Plaso (plaso langar að safna öllu, Icelandic for "plaso wants to collect everything") is the Python-based back-end engine used by tools such as [[log2timeline]] for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, and produce a single correlated timeline. This timeline can then be analysed by forensic investigators and analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].

The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].

== Supported Formats ==

The information below is based on version 1.1.0.

=== Storage Media Image File Formats ===
Storage media image file format support is provided by [[dfvfs]].

=== Volume System Formats ===
Volume system format support is provided by [[dfvfs]].

=== File System Formats ===
File system format support is provided by [[dfvfs]].

=== File formats ===
* Apple System Log (ASL)
* Basic Security Module (BSM)
* Bencode files
* [[Google Chrome|Chrome cache files]]
* CUPS IPP
* [[Extensible Storage Engine (ESE) Database File (EDB) format]] using [[libesedb]]
* Firefox Cache
* [[Java|Java IDX]]
* Mac OS X Application Firewall
* Mac OS X Keychain
* Mac OS X Securityd
* Mac OS X Wifi
* ([[SleuthKit]]) mactime logs
* McAfee Anti-Virus Logs
* Microsoft [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
* [[OLE Compound File]] using [[libolecf]]
* [[Opera|Opera Browser history]]
* OpenXML
* Pcap files
* Popularity Contest log
* [[Property list (plist)|Property list (plist) format]] using [[binplist]]
* SELinux audit logs
* SkyDrive log and error log files
* [[SQLite database format]] using [[SQLite]]
* Symantec AV Corporate Edition and Endpoint Protection log
* Syslog
* UTMP
* UTMPX
* [[Windows Event Log (EVT)]] using [[libevt]]
* Windows Firewall
* Windows Job files (also known as "at jobs")
* [[Windows Prefetch File Format|Windows Prefetch File format]]
* [[Windows#Recycle_Bin|Windows Recycle bin]] (INFO2 and $I/$R)
* [[Windows NT Registry File (REGF)]] using [[libregf]]
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
* Xchat and Xchat scrollback files

=== Bencode file formats ===
* Transmission
* uTorrent

=== ESE database file formats ===
* Internet Explorer WebCache format

=== OLE Compound File formats ===
* Document summary information
* Summary information (top-level only)

=== Property list (plist) formats ===
* Airport
* Apple Account
* Bluetooth
* Install History
* iPod/iPhone
* Mac User
* [[Apple Safari|Safari history]]
* Software Update
* Spotlight
* Spotlight Volume Information
* Time Machine

=== SQLite database file formats ===
* Android call logs
* Android SMS
* Chrome cookies
* [[Google Chrome|Chrome browsing and downloads history]]
* [[Mozilla Firefox|Firefox browsing and downloads history]]
* Google Drive
* Launch services quarantine events
* MacKeeper cache
* Mac OS X document versions
* Skype text conversations
* [[Zeitgeist|Zeitgeist activity database]]

=== [[Windows Registry]] formats ===
* [[Windows Application Compatibility|AppCompatCache]]
* CCleaner
* Less Frequently Used
* MountPoints2
* MRUList and MRUListEx (no shell item support)
* [[Internet Explorer|MSIE Zones]]
* Office MRU
* Outlook Search
* Run keys
* Services
* Terminal Server MRU
* TypedURLs
* USBStor
* UserAssist
* WinRAR
* Windows version information

== History ==

Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]], [[dfvfs]] and various other projects.

== See Also ==
* [[dfvfs]]
* [[log2timeline]]

== External Links ==
* [https://code.google.com/p/plaso/ Project site]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://blog.kiddaland.net/ Project blog]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]
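== Timeline correlation example ==

The "single correlated timeline" plaso produces is only possible because every parser first normalises its source's own notion of time to one clock. The script below is an added example for this page, not plaso code and not using plaso's APIs: it takes three of the artifact kinds listed above (syslog, Chrome browsing history from its SQLite database, Windows event records), converts each timestamp to timezone-aware UTC and merges them into one sorted timeline. Assumptions made for the example: syslog lines carry no year, so the analyst supplies SYSLOG_YEAR and the zone (UTC here); Chrome's urls.last_visit_time is WebKit time (microseconds since 1601-01-01 UTC); Windows event TimeCreated values are FILETIME (100-nanosecond ticks since the same epoch). All sample records are constructed.

```python
"""Merge timestamps from unlike forensic sources into one sorted timeline.

Added example for the ForensicsWiki plaso page; not plaso code.
Assumptions (not from the page): syslog lines have no year and are taken as
UTC, Chrome history stores WebKit time (us since 1601-01-01 UTC), Windows
event records store FILETIME (100 ns ticks since 1601-01-01 UTC).
"""
from datetime import datetime, timedelta, timezone
import re

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$")

# Constructed sample records, all around 2014-06-04 01:53-01:55 UTC.
SYSLOG_YEAR = 2014  # analyst-supplied: classic syslog omits the year
SAMPLE_SYSLOG = [
    "Jun  4 01:54:12 host1 sshd[2012]: Accepted password for root from 10.0.0.5 port 4444 ssh2",
]
SAMPLE_CHROME = [  # (urls.last_visit_time, urls.url) as read from History.sqlite
    (13046320380000000, "http://example.test/login"),
]
SAMPLE_WINEVT = [  # (TimeCreated as FILETIME, EventID, message)
    (130463205300000000, 4624, "An account was successfully logged on"),
]


def from_webkit(microseconds):
    """Chrome/WebKit timestamp -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(microseconds))


def from_filetime(ticks):
    """Windows FILETIME (100 ns units) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(ticks) // 10)


def parse_syslog(line, year, tz=timezone.utc):
    """Classic syslog line -> (datetime, host, message); year and zone are assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return stamp, m["host"], m["msg"]


def build_timeline(syslog_lines, chrome_rows, event_rows, syslog_year):
    """Return [(utc_datetime, source, description)] sorted oldest first."""
    events = []
    for line in syslog_lines:
        stamp, host, msg = parse_syslog(line, syslog_year)
        events.append((stamp, "syslog", f"{host} {msg}"))
    for visit_time, url in chrome_rows:
        events.append((from_webkit(visit_time), "chrome-history", url))
    for time_created, event_id, text in event_rows:
        events.append((from_filetime(time_created), "winevt", f"EventID {event_id} {text}"))
    events.sort(key=lambda e: e[0])  # the single clock makes this sort meaningful
    return events


def to_rows(events):
    """Render as ISO 8601 UTC lines, one per event, like a flat timeline export."""
    return [f"{ts.isoformat()},{src},{desc}" for ts, src, desc in events]


if __name__ == "__main__":
    for row in to_rows(build_timeline(SAMPLE_SYSLOG, SAMPLE_CHROME, SAMPLE_WINEVT, SYSLOG_YEAR)):
        print(row)
```

The zone assumption is the part to get right on a real case: syslog and most SQLite-backed browser histories are recorded in local time or UTC depending on the application, while FILETIME and WebKit values are always UTC, so a wrong guess shifts one source against the others by whole hours and silently reorders the timeline.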