Difference between pages "Document Metadata Extraction" and "Second Look"

From ForensicsWiki

Document Metadata Extraction

Here are tools that will extract metadata from document files.

=Office Files=

; [[antiword]]
: http://www.winfield.demon.nl/

; [[catdoc]]
: http://www.45.free.net/~vitus/software/catdoc/

; [[laola]]
: http://user.cs.tu-berlin.de/~schwartz/pmh/index.html

; [[word2x]]
: http://word2x.sourceforge.net/

; [[wvWare]]
: http://wvware.sourceforge.net/
: Extracts metadata from various [[Microsoft]] Word files ([[doc]]). Can also convert doc files to other formats such as HTML or plain text.

; [[Outside In]]
: http://www.oracle.com/technology/products/content-management/oit/oit_all.html
: Originally developed by Stellant, supports hundreds of file types.

; [[FI Tools]]
: http://forensicinnovations.com/
: More than 100 file types.

=StickyNotes=

; StickyNotes Parser
: Windows 7 StickyNotes follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx MS Compound Document binary format]; the StickyNotes Parser extracts metadata (time stamps) from the OLE format, including the text content (not the RTF contents) of the notes themselves. Sn.exe also extracts the modified time of the Root Entry of the Compound Document; all times are displayed in UTC.
: http://code.google.com/p/winforensicaanalysis/downloads/list

=PDF Files=

; [[xpdf]]
: http://www.foolabs.com/xpdf/
: [[pdfinfo]] (part of the [[xpdf]] package) displays some metadata of [[PDF]] files.

(See [[PDF]])

=Images=

; [[Exiftool]]
: http://www.sno.phy.queensu.ca/~phil/exiftool/
: Free, cross-platform tool to extract metadata from many different file formats. Also supports writing metadata.

; [[jhead]]
: http://www.sentex.net/~mwandel/jhead/
: Displays or modifies [[Exif]] data in [[JPEG]] files.

; [[vinetto]]
: http://vinetto.sourceforge.net/
: Examines [[Thumbs.db]] files.

; [[libexif]]
: http://sourceforge.net/projects/libexif
: EXIF tag parsing library.

; [[Adroit Photo Forensics]]
: http://digital-assembly.com/products/adroit-photo-forensics/
: Displays metadata and uses date and camera metadata for grouping, timelines, etc.

; Exif Viewer
: http://araskin.webs.com/exif/exif.html
: Add-on for Firefox and Thunderbird that displays various [[JPEG]]/JPG metadata in local and remote images.

; exiftags
: http://johnst.org/sw/exiftags/
: Open source utility to parse and edit [[exif]] data in [[JPEG]] images. Found in many Debian-based distributions.

; exifprobe
: http://www.virtual-cafe.com/~dhh/tools.d/exifprobe.d/exifprobe.html
: Open source utility that reads [[exif]] data in [[JPEG]] and some "RAW" image formats. Found in many Debian-based distributions.

; Exiv2
: http://www.exiv2.org
: Open source C++ library and command line tool for reading and writing metadata in various image formats. Found in almost every GNU/Linux distribution.

; pngtools
: http://www.stillhq.com/pngtools/
: Open source suite of commands (pnginfo, pngchunks, pngchunksdesc) that reads metadata found in [[PNG]] files. Found in many Debian-based distributions.

; pngmeta
: http://sourceforge.net/projects/pmt/files/
: Open source command line tool that extracts metadata from [[PNG]] images. Found in many Debian-based distributions.

=General=

These general-purpose programs frequently work when the special-purpose programs fail, but they generally provide less detailed information.

; [[Metadata Extraction Tool]]
: "Developed by the National Library of New Zealand to programmatically extract preservation metadata from a range of file formats like PDF documents, image files, sound files, Microsoft Office documents, and many others."
: http://meta-extractor.sourceforge.net/

; [[Metadata Assistant]]
: http://www.payneconsulting.com/products/metadataent/

; [[hachoir|hachoir-metadata]]
: Extraction tool, part of the '''[[Hachoir]]''' project.

; [[file]]
: The UNIX '''file''' program can extract some metadata.

; [[GNU libextractor]]
: http://gnunet.org/libextractor/
: The libextractor library is a pluggable system for extracting metadata.

; [[Directory Lister Pro]]
: Directory Lister Pro is a Windows tool which creates listings of files from selected directories on hard disks, CD-ROMs, DVD-ROMs, floppies, USB storage devices and network shares. Listings can be in HTML, text or CSV format (for easy import into Excel). A listing can contain standard file information such as file name, extension, type, owner and creation date, but for forensic analysis it can also extract file metadata from various formats: 1) executable file information (EXE, DLL, OCX) such as file version, description, company and product name; 2) multimedia properties (MP3, AVI, WAV, JPG, GIF, BMP, MKV, MKA, MPEG) such as track, title, artist, album, genre, video format, bits per pixel, frames per second, audio format and bits per channel; 3) Microsoft Office files (DOC, DOCX, XLS, XLSX, PPT, PPTX) such as document title, author, keywords and word count. For each file and folder it is also possible to obtain its CRC32, MD5, SHA-1 and Whirlpool hash sum. An extensive set of options allows the visual look of the output to be completely customized. Filters on file name, date, size or attributes can be applied to limit the files listed.
: http://www.krksoft.com

[[Category:Tools]]

Second Look

[[File:second_look_logo.png]]

The Incident Response edition of '''Second Look®: Linux Memory Forensics''' is designed for use by investigators who need quick, easy, and effective Linux memory acquisition and analysis capabilities.

== Memory Acquisition ==

Second Look® preserves the volatile system state, capturing evidence and information that does not exist on disk and may otherwise be lost as an investigation proceeds. A command-line script allows for acquisition of memory from running systems without introducing any additional software. A memory access driver is provided for use on systems without a native interface to physical memory.

== Memory Analysis ==

Second Look® interprets live system memory or captured memory images, detecting and reverse engineering malware, including stealthy kernel rootkits and backdoors. A kernel integrity verification approach is utilized to compare the Linux kernel in memory with a reference kernel. Pikewerks provides thousands of reference kernels derived from original distribution kernel packages, and a script for creating reference kernels for other systems, such as those running custom kernels.

Second Look® also applies an integrity verification approach for the analysis of each process in memory. This enables it to detect unauthorized applications as well as stealthy user-level malware.

== Supported Systems ==

Second Look® is regularly updated to support analysis of the latest kernels and the most commonly used Linux distributions. The following are its capabilities as of April 2012:

* Supported target kernels: 2.6.x, 3.x up to 3.2
* Supported target architectures: x86 32- and 64-bit
* Supported target distributions: Debian 4-6, RHEL/CentOS 4-6, Ubuntu 4.10-12.04, and more!

== External Links ==

Second Look® is a product of [[Raytheon Pikewerks Corporation]]:

* http://secondlookforensics.com

Revision as of 10:53, 17 April 2012
