Gfzip

From Forensics Wiki
Revision as of 06:35, 1 March 2006 by Capibara (Talk | contribs)

Generic Forensic Zip is a set of tools and libraries for creating and accessing randomly accessible forensic zip files of disk images. These files use an open format (gfzip) defined by this project, which allows a dd disk image to be stored in compressed form and yet remain randomly accessible through the libgfz library. A second library, libgfzcreate, is made available by this project to allow the creation of gfz files from programs used to acquire disk image data. Finally, the project includes a set of basic command-line tools for the creation and verification of gfzip files and for restoring dd images from the gfz files.

In addition to compression, the gfzip files are made 'safe' for forensic use through X.509 certificates and multi-level digests (SHA-256). The X.509 certificate that is used to sign the gfz file is embedded into the file, so the file itself carries all relevant information about the person who acquired the image.

One further feature that gfzip allows is the embedding of (signed) environment data and command-line attributes that may be useful as metadata in the further processing of the image files. This metadata may include, for example, information about the source of the data and the time it was acquired. Future versions of gfzip will also include bad-block information; this feature is defined in the file format but not implemented in the first release of gfzip.
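The following Python sketch is an added illustration, not gfzip code and not the gfzip on-disk format: it shows how block-wise compression combined with two digest levels lets a reader fetch and verify an arbitrary byte range without decompressing the whole image. The block size, the dictionary layout, all function names and the reading of "multi-level" as two levels are assumptions, and the X.509 signing step is left out.

```python
import hashlib
import zlib

BLOCK_SIZE = 4096  # assumed block size for this sketch
SAMPLE_IMAGE = bytes(range(256)) * 64  # constructed 16 KiB stand-in for a dd image


def build_container(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Compress the image block by block and record two digest levels."""
    blocks, digests = [], []
    for off in range(0, len(image), block_size):
        raw = image[off:off + block_size]
        blocks.append(zlib.compress(raw))
        digests.append(hashlib.sha256(raw).digest())      # level 1: one per block
    top = hashlib.sha256(b"".join(digests)).hexdigest()   # level 2: over level 1
    return {"block_size": block_size, "size": len(image),
            "blocks": blocks, "digests": digests, "top": top}


def verify_index(c: dict) -> bool:
    """Check that the per-block digest list still matches the top-level digest."""
    return hashlib.sha256(b"".join(c["digests"])).hexdigest() == c["top"]


def read_at(c: dict, offset: int, length: int) -> bytes:
    """Random-access read: decompress and verify only the blocks touched."""
    if offset < 0 or length < 0 or offset + length > c["size"]:
        raise ValueError("read outside image")
    if not verify_index(c):
        raise ValueError("digest index does not match top-level digest")
    if length == 0:
        return b""
    bs = c["block_size"]
    out = bytearray()
    for i in range(offset // bs, (offset + length - 1) // bs + 1):
        raw = zlib.decompress(c["blocks"][i])
        if hashlib.sha256(raw).digest() != c["digests"][i]:
            raise ValueError(f"block {i} failed digest check")
        out += raw
    start = offset % bs
    return bytes(out[start:start + length])


if __name__ == "__main__":
    container = build_container(SAMPLE_IMAGE)
    print(len(container["blocks"]), "blocks, top digest", container["top"])
    print(read_at(container, 4000, 200) == SAMPLE_IMAGE[4000:4200])
```

In this layout, damage to one compressed block is detected only by reads that touch that block, while the rest of the image stays readable and verifiable.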