From ForensicsWiki
Revision as of 14:33, 16 November 2008 by .FUF (Talk | contribs) (Category:Operating systems)

Jump to: navigation, search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

The wide variety of useful Linux utilities exist for desktop computers can also be used on Linux-based PDAs. These utilities can often be used as a part of the forensics investigation process.



dd, or duplicate disk, is a Unix and Linux utility that allows the user to create a bitstream image of a disk or device. Once the Linux-based PDA is connected to another device and the dd utility is run, the mirror image can be uploaded onto memory cards or even an external desktop workstation connected via a network. Images created by dd are readable by forensics software tools such as EnCase and Forensic Toolkit. Since the device uses a Linux filesystem, the image may also be mounted and examined on a Linux workstation.


foremost is a Linux based program data for recovering deleted files and served as the basis for the more modern Scalpel. The program uses a configuration file to specify headers and footers to search for. Intended to be run on disk images, foremost can search through most any kind of data without worrying about the format.