Difference between pages "Windows" and "Linux Repositories"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(RECYCLER)
 
m (fedora: fix both link rot and a typo)
 
Line 1: Line 1:
{{Expand}}
 
  
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
+
There are a number of linux distributions.
  
There are 2 main branches of Windows:
+
In general they have primary repositories which are setup for every installation of the operating system and they have special purpose repositories which require specific setup.
* the DOS-branch: i.e. Windows 95, 98, ME
+
* the NT-branch: i.e. Windows NT 4, XP, Vista
+
  
== Features ==
+
=Repository Setup=
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
+
==openSUSE==
 +
For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured:
  
=== Introduced in Windows NT ===
+
*security
* [[NTFS]]
+
*devel:languages:perl
 +
*devel:languages:python
  
=== Introduced in Windows 2000 ===
+
This is most easily done from the command line via (assumes openSUSE 12.1):
  
=== Introduced in Windows XP ===
+
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/security/openSUSE_12.1</nowiki> security
* [[Prefetch]]
+
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/devel:/languages:/perl</nowiki>/openSUSE_12.1 perl
* System Restore (Restore Points); also present in Windows ME
+
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1</nowiki> python
 +
 +
zypper lr  <nowiki>          </nowiki>  # used to verify you have the repos installed
  
==== SP2 ====
+
==fedora==
* Windows Firewall
+
  
=== Introduced in Windows Server 2003 ===
+
[https://forensics.cert.org/ CERT] maintains a fedora security repository with a large number of DFIR applications.
* Volume Shadow Copies
+
  
=== Introduced in [[Windows Vista]] ===
+
==debian==
* [[BitLocker Disk Encryption | BitLocker]]
+
* [[Windows Desktop Search | Search]] integrated in operating system
+
* [[ReadyBoost]]
+
* [[SuperFetch]]
+
* [[NTFS|Transactional NTFS (TxF)]]
+
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
+
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
+
* $Recycle.Bin
+
* [[Windows XML Event Log (EVTX)]]
+
* [[User Account Control (UAC)]]
+
  
=== Introduced in Windows Server 2008 ===
+
You can search for debian packages at [http://packages.debian.org/search debian's search page]
  
=== Introduced in [[Windows 7]] ===
+
==ubuntu==
* [[BitLocker Disk Encryption | BitLocker To Go]]
+
* [[Jump Lists]]
+
* [[Sticky Notes]]
+
  
=== Introduced in [[Windows 8]] ===
+
=Computer Forensic Tools=
* [[Windows File History | File History]]
+
Below is a list of computer forensic tools.  For each tool the repository it can be found in and the version in the repository is shown.
* [[Windows Storage Spaces | Storage Spaces]]
+
* [[Search Charm History]]
+
* [[Resilient File System (ReFS)]]; Was initially available in the Windows 8 server edition.
+
  
=== Introduced in Windows Server 2012 ===
+
As an example, aimage is in the openSUSE security repository and it is version 3.2.5
* [[Resilient File System (ReFS)]]
+
  
== Forensics ==
+
==Imaging Tools==
  
=== Partition layout ===
+
{|border="1" cellpadding="2" cellspacing="0" {{repository table}}
Default partition layout, first partition starts:
+
|-
* at sector 63 in Windows 2000, XP, 2003
+
|rowspan=1| '''Tool'''
* at sector 2048 in Windows Vista, 2008, 7
+
|'''openSUSE'''
 +
|'''fedora'''
 +
|'''debian'''
 +
|'''ubuntu'''
 +
|'''comment'''
 +
|'''General Remarks'''
  
=== Filesystems ===
+
|-
* [[FAT]], [[FAT|exFAT]]
+
|rowspan=1| [http://www.e-fense.com/helix/ adepto]
* [[NTFS]]
+
|N/A <!-- opensuse -->
* [[Resilient File System (ReFS) | ReFS]]
+
|?              <!-- fedora-->
 +
|N/A              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|  <!-- comment -->
 +
|adepto is included in the helix boot cd<!-- General Remarks -->
  
=== Recycle Bin ===
+
|-
The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.
+
|rowspan=1| [[aimage]]
 +
|security/3.2.5 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|squeeze/3.2.4  <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a imaging tool to create aff format images  <!-- comment -->
 +
|aimage has been EOL'ed.  guymager or ftkimager (windows/mac) are recommended for creating aff images. <!-- General Remarks -->
  
==== RECYCLER ====
+
|-
The Recycler format is used by Windows 2000, XP.
+
|rowspan=1| [[AIR]]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|N/A              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|Automated Image and Restore  <!-- comment -->
 +
|a GUI front-end to dd and dc3dd designed for easily creating forensic bit images <!-- General Remarks -->
  
Per user Recycle Bin folder in the form:
+
|-
<pre>
+
|rowspan=1| [[dc3dd]]
C:\Recycler\%SID%\
+
|security*/7.1.614 <!-- opensuse -->
</pre>
+
|?              <!-- fedora-->
 +
|sid/7.1.614    <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|DoD Cyber Crime Center DD  <!-- comment -->
 +
|This tool was formerly known as dcfldd.  When released as dc3dd it was totally rewritten. <!-- General Remarks -->
  
Which contains:
+
|-
* INFO2 file; "Recycled" files metadata
+
|rowspan=1| [[ddrescue]]
 +
|Base/1.14 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|squeeze/1.14 sid/1.23 <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|Also known as GNU ddrescue<!-- comment -->
 +
|This tool is different than dd_rescue.
  
Also see: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf Lesson 3 – The Recycle Bin], by Steve Hailey
+
|-
 +
|rowspan=1| [[dd_rescue]]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|N/A              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|<!-- comment -->
 +
|This tool is different than GNU ddrescue.
  
==== $RECYCLE.BIN ====
+
|-
The $Recycle.Bin is used as of Windows Vista.
+
|rowspan=1| [[libewf|ewfacquire]]
 +
|security*/20100226 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|squeeze/20100226              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a imaging tool to create ewf format images  <!-- comment -->
 +
|ewfacquire is part of ewftools in some distributions.<!-- General Remarks -->
  
Per user Recycle Bin folder in the form:
+
|-
<pre>
+
|rowspan=1| [[IXimager]]
C:\$Recycle.Bin\%SID%\
+
|N/A <!-- opensuse -->
</pre>
+
|?              <!-- fedora-->
 +
|N/A            <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|A law enforcement only imager<!-- comment -->
 +
|used in conjunction with ILook Investigator
  
Which contains:
+
|-
* $I files; "Recycled" file metadata
+
|rowspan=1| [[LinEn]]
* $R files; the original data
+
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|N/A              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a proprietary imaging tool to create ewf format images  <!-- comment -->
 +
|included on the Helix boot CD<!-- General Remarks -->
  
Also see: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by Mitchell Machor, January 22, 2008
+
|-
 +
|rowspan=1| [[guymager]]
 +
|N/A<!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|Squeeze/0.4.2 Sid/0.5.9-3              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a imaging tool to create aff format images  <!-- comment -->
 +
|Guymager is an open source forensic imager. It focuses on user friendliness and high speed.  <!-- General Remarks -->
  
=== Registry ===
+
|-
 +
|rowspan=1| [http://sourceforge.net/projects/rdd rdd]
 +
|N/A <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|2.0.7-2              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a dd-like tool, with forensic imaging features  <!-- comment -->
 +
|Rdd is robust with respect to read errors<!-- General Remarks -->
  
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
+
|-
 +
|rowspan=1| [ftp://ftp.berlios.de/pub/sdd/ sdd]
 +
|Archiving:Backup/1.52 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|lenny/1.52 deprecated              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|a dd-like tool<!-- comment -->
 +
|Designed to work well when IBS != OBS.  Working with tape is an example.<!-- General Remarks -->
  
=== Thumbs.db Files ===
+
|}
  
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
+
*package will appear in the base release with the next full distribution release.
  
See also: [[Vista thumbcache]].
+
==File Inventory Tools==
  
=== Browser Cache ===
+
{|border="1" cellpadding="2" cellspacing="0" {{repository table}}
 +
|-
 +
|rowspan=1| '''Tool'''
 +
|'''openSUSE'''
 +
|'''fedora'''
 +
|'''debian'''
 +
|'''ubuntu'''
 +
|'''comment'''
 +
|'''General Remarks'''
  
=== Browser History ===
+
|-
 +
|rowspan=1| [[exiftool]]
 +
|base/v8.65 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|squeeze/v8.15 sid/v8.60              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|  <!-- comment -->
 +
|exiftool has superior metadata reporting capability -->
  
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
+
|-
 +
|rowspan=1| [[fiwalk]]
 +
|security*/v0.6.15 <!-- opensuse -->
 +
|?              <!-- fedora-->
 +
|N/A              <!-- debian-->
 +
|?              <!-- ubuntu-->
 +
|  <!-- comment -->
 +
|fiwalk is a robust $MFT walker<!-- General Remarks -->
  
=== Search ===
 
See [[Windows Desktop Search]]
 
  
=== Setup log files (setupapi.log) ===
+
|}
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
+
  
=== Sleep/Hibernation ===
+
*package will appear in the base release with the next full distribution release.
 
+
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
+
 
+
=== Users ===
+
Windows stores a users Security identifiers (SIDs) under the following registry key:
+
<pre>
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
+
</pre>
+
 
+
The %SID%\ProfileImagePath value should also contain the username.
+
 
+
=== Windows Error Reporting (WER) ===
+
 
+
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
+
<pre>
+
C:\ProgramData\Microsoft\Windows\WER\
+
</pre>
+
 
+
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
+
<pre>
+
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
+
</pre>
+
 
+
Corresponding registry key:
+
<pre>
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
+
</pre>
+
 
+
== Advanced Format (4KB Sector) Hard Drives ==
+
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
+
 
+
== %SystemRoot% ==
+
The actual value of %SystemRoot% is store in the following registry value:
+
<pre>
+
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
+
Value: SystemRoot
+
</pre>
+
 
+
== See Also ==
+
* [[Windows Event Log (EVT)]]
+
* [[Windows XML Event Log (EVTX)]]
+
* [[Windows Vista]]
+
* [[Windows 7]]
+
* [[Windows 8]]
+
 
+
== External Links ==
+
 
+
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
+
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
+
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
+
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
+
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html?m=1 Search history on Windows 8 and 8.1], by [[Yogesh Khatri's]], April 1, 2014
+
 
+
=== Malware/Rootkits ===
+
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
+
 
+
=== Program execution ===
+
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
+
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
+
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014
+
 
+
=== Tracking removable media ===
+
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
+
 
+
=== Under the hood ===
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
+
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
+
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
+
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
+
 
+
==== MSI ====
+
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
+
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
+
 
+
==== Side-by-side (WinSxS) ====
+
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
+
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
+
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
+
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
+
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014
+
 
+
==== Application Experience and Compatibility ====
+
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
+
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
+
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
+
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
+
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatilibity Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
+
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
+
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
+
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
+
 
+
==== System Restore (Restore Points) ====
+
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
+
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
+
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
+
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
+
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
+
 
+
==== Crash dumps ====
+
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
+
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
+
 
+
==== RPC ====
+
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
+
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008
+
 
+
==== User Account Control (UAC) ====
+
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014
+
 
+
==== Windows Event Logs ====
+
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014
+
 
+
==== Windows Scripting Host ====
+
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014
+
 
+
==== USB ====
+
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
+
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
+
 
+
==== WMI ====
+
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
+
 
+
==== Windows Error Reporting (WER) ====
+
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
+
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014
+
 
+
==== Windows Firewall ====
+
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
+
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
+
 
+
==== Windows 32-bit on Windows 64-bit (WoW64) ====
+
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
+
 
+
=== Windows XP ===
+
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
+
 
+
[[Category:Operating systems]]
+
[[Category:Windows]]
+

Revision as of 13:25, 19 April 2014

There are a number of linux distributions.

In general they have primary repositories which are setup for every installation of the operating system and they have special purpose repositories which require specific setup.

Repository Setup

openSUSE

For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured:

  • security
  • devel:languages:perl
  • devel:languages:python

This is most easily done from the command line via (assumes openSUSE 12.1):

sudo zypper ar -f http://download.opensuse.org/repositories/security/openSUSE_12.1 security
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_12.1 perl
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1 python

zypper lr               # used to verify you have the repos installed

fedora

CERT maintains a fedora security repository with a large number of DFIR applications.

debian

You can search for debian packages at debian's search page

ubuntu

Computer Forensic Tools

Below is a list of computer forensic tools. For each tool the repository it can be found in and the version in the repository is shown.

As an example, aimage is in the openSUSE security repository and it is version 3.2.5

Imaging Tools

Tool openSUSE fedora debian ubuntu comment General Remarks
adepto N/A ? N/A ? adepto is included in the helix boot cd
aimage security/3.2.5 ? squeeze/3.2.4 ? a imaging tool to create aff format images aimage has been EOL'ed. guymager or ftkimager (windows/mac) are recommended for creating aff images.
AIR N/A ? N/A ? Automated Image and Restore a GUI front-end to dd and dc3dd designed for easily creating forensic bit images
dc3dd security*/7.1.614 ? sid/7.1.614 ? DoD Cyber Crime Center DD This tool was formerly known as dcfldd. When released as dc3dd it was totally rewritten.
ddrescue Base/1.14 ? squeeze/1.14 sid/1.23 ? Also known as GNU ddrescue This tool is different than dd_rescue.
dd_rescue N/A ? N/A ? This tool is different than GNU ddrescue.
ewfacquire security*/20100226 ? squeeze/20100226 ? a imaging tool to create ewf format images ewfacquire is part of ewftools in some distributions.
IXimager N/A ? N/A ? A law enforcement only imager used in conjunction with ILook Investigator
LinEn N/A ? N/A ? a proprietary imaging tool to create ewf format images included on the Helix boot CD
guymager N/A ? Squeeze/0.4.2 Sid/0.5.9-3 ? a imaging tool to create aff format images Guymager is an open source forensic imager. It focuses on user friendliness and high speed.
rdd N/A ? 2.0.7-2 ? a dd-like tool, with forensic imaging features Rdd is robust with respect to read errors
sdd Archiving:Backup/1.52 ? lenny/1.52 deprecated ? a dd-like tool Designed to work well when IBS != OBS. Working with tape is an example.
  • package will appear in the base release with the next full distribution release.

File Inventory Tools

Tool openSUSE fedora debian ubuntu comment General Remarks
exiftool base/v8.65 ? squeeze/v8.15 sid/v8.60 ? exiftool has superior metadata reporting capability -->
fiwalk security*/v0.6.15 ? N/A ? fiwalk is a robust $MFT walker


  • package will appear in the base release with the next full distribution release.