Difference between pages "ALT Linux Rescue" and "Libsmraw"

From ForensicsWiki
{{Infobox_Software |
  name = ALT Linux Rescue |
  maintainer = Michael Shigorin |
  os = {{Linux}} |
  genre = {{Live CD}} |
  license = {{GPL}}, others |
  website = [http://en.altlinux.org/Rescue en.altlinux.org/rescue] |
}}

'''ALT Linux Rescue''' is yet another sysadmin's [[Live CD]] with some forensic capabilities and features.

== Intro ==

This weekly-updated image is intended to be a text-only toolchest for data analysis and recovery.

It will not try to use swap partitions or autodetect and automount file systems unless requested explicitly.

Forensic mode is available via a separate boot target for BIOS users and a rescue boot option (via F2) for UEFI users. This will skip activating MDRAID/LVM too.

A build profile suitable for the ALT Linux <tt>mkimage</tt> tool is included as <tt>.disk/profile.tgz</tt>.

== Tools included ==

Most of the usual rescue suspects should be there: [[biew]], [[chntpw]], [[dc3dd]]/[[dcfldd]], [[foremost]], [[john]], [[md5deep]], [[nmap]], [[scalpel]], [[sleuthkit]] and [[wipefreespace]], to name a few, are available; the [[libevt]], [[libevtx]], [[liblnk]], [[libpff]], [[libregf]], [[libuna]], [[libvshadow]] and [[libwrc]] tools have been added since 20140514.

X11-based software is being considered for an extended version.

== Platforms ==

i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot can be left enabled in most cases.

== Deliverables ==

Two separate 32/64-bit hybrid ISO images suitable for direct writing onto USB flash media (or, at a pinch, CD-R).

== Forensic issues ==

Hardening against rootfs spoofing has been implemented as of 20140423 (the stage2 squashfs SHA256 check was contributed by Maxim Suhanov); previous images are vulnerable to an ISO9660 filesystem on an attached device containing a squashfs file with the predefined name and specially crafted contents, which early userspace could mistake for the real root filesystem.

MDRAID/LVM2/swap activation might occur with images before 20140416, or when booted via the default "Rescue" target; booting into "Forensic mode" skips it (for both early userspace and the final environment as of 20140416) and switches the <tt>mount-system</tt> script to the <tt>ro,loop,noexec</tt> mount options (as of 20140423).

Physical device write blocking has not been considered so far.

== Credits ==

* [[User:.FUF]] for the [[Forensic Live CD issues]] page, sound advice and an early userspace patch

== External Links ==

* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
* Part of the [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus
* The rescue image within [http://en.altlinux.org/Starterkits ALT Linux Starterkits], based on the stable branch, has gained the same features as of 20140612

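The rootfs spoofing issue described under Forensic issues above, reduced to its two lookup policies, as an added example that is not taken from ALT Linux Rescue (whose early userspace is shell, not Python): an unverified lookup takes the first filesystem in probe order that carries a file of the expected name, so an attacker's disk that enumerates before the boot medium wins; the hardened lookup only accepts a candidate whose SHA-256 matches a digest carried by the boot medium itself. The file name stage2.squashfs, the probe order and the "devices" (temporary directories) are all constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

STAGE2_NAME = "stage2.squashfs"  # hypothetical; the page only says "predefined name"


def sha256_file(path, block_size=1 << 20):
    """Stream a file through SHA-256 so a large squashfs is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def pick_stage2_by_name(mounts):
    """Unhardened lookup: the first probed filesystem carrying the expected name wins."""
    for mount in mounts:
        candidate = os.path.join(mount, STAGE2_NAME)
        if os.path.isfile(candidate):
            return candidate
    return None


def pick_stage2_verified(mounts, expected_sha256):
    """Hardened lookup: a candidate is accepted only if its SHA-256 equals the digest
    shipped on the boot medium (expected_sha256), so probe order no longer decides."""
    for mount in mounts:
        candidate = os.path.join(mount, STAGE2_NAME)
        if os.path.isfile(candidate) and hmac.compare_digest(sha256_file(candidate), expected_sha256):
            return candidate
    return None


def demo():
    """Attacker's disk is probed first; compare what each policy selects."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine_media = os.path.join(tmp, "cdrom")  # constructed stand-ins for mounted devices
        attacker_disk = os.path.join(tmp, "sda1")
        os.mkdir(genuine_media)
        os.mkdir(attacker_disk)
        genuine = os.path.join(genuine_media, STAGE2_NAME)
        spoofed = os.path.join(attacker_disk, STAGE2_NAME)
        with open(genuine, "wb") as fh:
            fh.write(b"hsqs" + b"\x00" * 1024)  # squashfs magic plus filler, constructed
        with open(spoofed, "wb") as fh:
            fh.write(b"hsqs" + b"evil" * 256)  # same name, attacker-controlled contents
        trusted = sha256_file(genuine)  # the digest the initramfs would carry
        probe_order = [attacker_disk, genuine_media]
        return {
            "by_name": os.path.basename(os.path.dirname(pick_stage2_by_name(probe_order))),
            "verified": os.path.basename(os.path.dirname(pick_stage2_verified(probe_order, trusted))),
            "tampered": pick_stage2_verified([attacker_disk], trusted),
        }
```

The verified lookup returns the genuine medium even though the spoofed file is found first, and returns nothing at all when only the tampered file is present; a real initramfs would then stop rather than fall back to the unverified path. Note that the digest has to live somewhere the attacker cannot reach, which is why it belongs in the initramfs on the boot medium rather than next to the squashfs.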
Revision as of 08:45, 21 June 2014

libsmraw
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libsmraw/

The libsmraw package contains a library and applications to read and write (split) RAW storage media bitstream copies. Libsmraw supports multiple (split) RAW naming schemes.

History

Libsmraw was created by Joachim Metz in 2010, while working for Hoffmann Investigations. Libsmraw is a rewrite of earlier work for the proof-of-concept multi-threaded imager: GNOME Forensic Imager.

Tools

The libsmraw package contains the following tools:

  • smrawmount, which FUSE mounts (split) RAW image files.

The libsmraw package also contains the following bindings:

  • pysmraw, bindings for Python.

Examples

FUSE mounting a split RAW image (libsmraw 20110916 or later), naming only the first segment and leaving it to libsmraw to locate the remaining segments of the set:

smrawmount image.raw.000 mount_point

Or, passing every segment explicitly through a shell glob:

smrawmount image.raw.??? mount_point
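What "multiple (split) RAW naming schemes" means in practice, as an added example that is not libsmraw or pysmraw code: a minimal Python reader that collects the segments of a split RAW image from the name of any one of them (the zero-padded numeric style image.raw.000 and the split(1)-style image.raw.aa are the two schemes assumed here for illustration), refuses a set with a missing segment, and serves reads that cross segment boundaries. The segment files are constructed inside a temporary directory so the example runs offline.

```python
import bisect
import os
import re
import tempfile

# Suffix styles this reader groups on (this example's own list, not a claim about which
# schemes libsmraw recognises). An extension such as .dd or .raw also fits the alphabetic
# pattern, but grouping by identical base and suffix width still reads a lone image.dd as one segment.
_NUMERIC = re.compile(r"^(?P<base>.+)\.(?P<seq>\d{2,})$")      # image.raw.000, image.raw.001, ...
_ALPHA = re.compile(r"^(?P<base>.+)\.(?P<seq>[a-z]{2,})$")     # image.raw.aa, image.raw.ab, ...


def _seq_value(seq):
    """Position of a suffix in its sequence: '007' -> 7, 'ab' -> 1 (base 26)."""
    if seq.isdigit():
        return int(seq)
    value = 0
    for ch in seq:
        value = value * 26 + ord(ch) - ord("a")
    return value


def find_segments(segment_path):
    """Return every segment of the set segment_path belongs to, in sequence order.
    A gap raises ValueError: a silently missing segment would shift every byte after it."""
    directory, name = os.path.split(os.path.abspath(segment_path))
    for pattern in (_NUMERIC, _ALPHA):
        match = pattern.match(name)
        if match:
            break
    else:
        return [os.path.abspath(segment_path)]  # no split suffix: monolithic image
    base, width = match.group("base"), len(match.group("seq"))
    members = sorted(e for e in os.listdir(directory)
                     if (m := pattern.match(e)) and m.group("base") == base
                     and len(m.group("seq")) == width)  # fixed width: string order is sequence order
    seqs = [_seq_value(pattern.match(e).group("seq")) for e in members]
    for i in range(1, len(seqs)):
        if seqs[i] != seqs[i - 1] + 1:
            raise ValueError("missing segment between %s and %s" % (members[i - 1], members[i]))
    return [os.path.join(directory, e) for e in members]


class SplitRawImage:
    """Expose an ordered set of RAW segments as one contiguous read-only byte stream."""

    def __init__(self, segment_path):
        self.segments = find_segments(segment_path)
        self.sizes = [os.path.getsize(p) for p in self.segments]
        self.starts = [sum(self.sizes[:i]) for i in range(len(self.sizes))]  # segment start offsets
        self.size = sum(self.sizes)

    def read(self, offset, length):
        """Read up to length bytes at absolute offset, crossing segment boundaries as needed."""
        if offset < 0 or length < 0:
            raise ValueError("offset and length must be non-negative")
        out = bytearray()
        idx = max(bisect.bisect_right(self.starts, offset) - 1, 0)
        while length > 0 and idx < len(self.segments):
            local = offset - self.starts[idx]
            chunk = min(length, self.sizes[idx] - local)
            if chunk > 0:  # zero for an empty segment or an offset past the end of the image
                with open(self.segments[idx], "rb") as fh:
                    fh.seek(local)
                    data = fh.read(chunk)
                if len(data) != chunk:
                    raise IOError("short read in %s" % self.segments[idx])
                out += data
                offset += chunk
                length -= chunk
            idx += 1
        return bytes(out)


def build_demo(directory, payload, segment_size, scheme="numeric"):
    """Write payload as a constructed split image and return the first segment's path."""
    paths = []
    for n, pos in enumerate(range(0, len(payload), segment_size)):
        suffix = "%03d" % n if scheme == "numeric" else chr(97 + n // 26) + chr(97 + n % 26)
        paths.append(os.path.join(directory, "image.raw." + suffix))
        with open(paths[-1], "wb") as fh:
            fh.write(payload[pos:pos + segment_size])
    return paths[0]


def demo():
    """Build a three-segment image, read across a boundary, then break the set."""
    payload = bytes(range(256)) * 40  # 10240 bytes of constructed data
    with tempfile.TemporaryDirectory() as tmp:
        img = SplitRawImage(build_demo(tmp, payload, 4096))
        r = {"segments": len(img.segments), "size": img.size,
             "whole_ok": img.read(0, img.size) == payload,
             "boundary_ok": img.read(4090, 12) == payload[4090:4102],  # spans segments 000/001
             "tail": img.read(img.size - 5, 100)}  # only the final 5 bytes exist
        os.remove(os.path.join(tmp, "image.raw.001"))  # simulate a lost segment
        try:
            SplitRawImage(os.path.join(tmp, "image.raw.000"))
            r["gap_detected"] = False
        except ValueError:
            r["gap_detected"] = True
    with tempfile.TemporaryDirectory() as tmp:
        img = SplitRawImage(build_demo(tmp, payload, 4096, scheme="alpha"))
        r["alpha_ok"] = img.read(0, img.size) == payload
    return r
```

Two design points matter for evidence handling: the reader fails hard on a gap in the sequence instead of quietly concatenating what is present, and it treats the set as read-only, so a reader bug cannot alter the segments. The smrawmount glob form above has the shell pass every segment explicitly; the first form relies on the library doing the sibling discovery this example sketches.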

Also See

RAW Image format

External Links

  • Project site: code.google.com/p/libsmraw/