Difference between pages "File Carving Bibliography" and "Executable"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
 
Line 1: Line 1:
'''In chronological order, oldest to most recent'''
+
{{expand}}
===Basic Techniques===
+
  
[http://handle.dtic.mil/100.2/ADA432468 An analysis of disc carving techniques], Mikus, Nicholas A. " Master's Thesis, Naval Postgraduate School. March 2005.
+
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
  
[http://www.dfrws.org/2005/proceedings/richard_scalpel.pdf Scalpel: A Frugal, High Performance File Carver], Golden G. Richard and Vassil Roussev, DFRWS 2005
+
There are multiple families of executable files:
 +
* Scripts; e.g. shell scripts, batch scripts (.bat)
 +
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 +
* ELF
 +
* Mach-O
  
[http://www.dfrws.org/2007/proceedings/p73-marziale.pdf Massive threading: Using GPUs to increase the
+
== External Links ==
performance of digital forensics tools], Lodovico Marziale, Golden G. Richard III*, Vassil Roussev, DFRWS 2007.
+
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
  
===Fragment Recovery Carving===
+
=== ELF ===
 +
* [http://robinhoksbergen.com/papers/howto_elf.html Manually Creating an ELF Executable], by Robin Hoksbergen
  
<bibtex>
+
=== MZ, PE/COFF ===
@INPROCEEDINGS{Shanmugasundaram02automaticreassembly,
+
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
    author = {Kulesh Shanmugasundaram},
+
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
    title = {Automatic Reassembly of Document Fragments via Data Compression},
+
* [http://msdn.microsoft.com/en-us/magazine/ms809762.aspx Peering Inside the PE: A Tour of the Win32 Portable Executable File Format], by Matt Pietrek, March 1994
    booktitle = {Presented at the 2nd Digital Forensics Research Workshop},
+
* [http://www.microsoft.com/msj/0797/hood0797.aspx Under the Hood], by Matt Pietrek, July 1997
    year = {2002},
+
* [http://msdn.microsoft.com/en-us/magazine/cc301805.aspx An In-Depth Look into the Win32 Portable Executable File Format], by Matt Pietrek, February 2002
    pages = {152--159}
+
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
}
+
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
</bibtex>
+
  
[http://isis.poly.edu/kulesh/research/pubs/icassp-2003.pdf Automated Reassembly of Fragmented Images], Anandabrata Pal, Kulesh Shanmugasundaram, Nasir Memon, Proceedings of the IEEE International Conference on Acoustics, Speech, and Signal Processing, 2003.
+
=== DBG, PDB ===
 +
* [http://en.wikipedia.org/wiki/Program_database Wikipedia: Program database]
 +
* [http://www.debuginfo.com/articles/debuginfomatch.html Matching Debug Information], by debuginfo.com
 +
* [http://support.microsoft.com/kb/121366 Description of the .PDB files and of the .DBG files], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/ff553493(v=vs.85).aspx Public and Private Symbols], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms679293(v=vs.85).aspx DbgHelp Structures], by [[Microsoft]]
 +
* [http://web.archive.org/web/20070915060650/http://www.x86.org/ftp/manuals/tools/sym.pdf Internet Archive: Microsoft Symbol and Type Information], by [[Microsoft]]
 +
* [http://pierrelib.pagesperso-orange.fr/exec_formats/MS_Symbol_Type_v1.0.pdf Microsoft Symbol and Type Information]
 +
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
 +
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h]
 +
* [http://sourceforge.net/p/mingw-w64/code/HEAD/tree/experimental/tools/libmsdebug/ libmsdebug], by the [[MinGW|MinGW project]]
 +
* [http://moyix.blogspot.ch/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
  
[http://www.simson.net/clips/academic/2007.DFRWS.pdf "Carving Contiguous and Fragmented Files with Fast Object Validation"], Garfinkel, S.,, Digital Forensics Workshop (DFRWS 2007), Pittsburgh, PA, August 2007.
+
=== Mach-O ===
 +
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
  
===Sector Discrimination===
+
== Tools ==
  
<bibtex>
+
=== MZ, PE/COFF ===
@article{
+
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
  journal="Journal of Digital Forensic Practice", 
+
  publisher="Taylor & Francis",
+
  author="Yoginder Singh Dandass and Nathan Joseph Necaise and Sherry Reede Thomas",
+
  title="An Empirical Analysis of Disk Sector Hashes for Data Carving",
+
  year=2008,
+
  volume=2,
+
  issue=2,
+
  pages="95--106",
+
  abstract="Discovering known illicit material on digital storage devices is an important component of a digital forensic investigation. Using existing data carving techniques and tools, it is typically difficult to recover remaining fragments of deleted illicit files whose file system metadata and file headers have been overwritten by newer files. In such cases, a sector-based scan can be used to locate those sectors whose content matches those of sectors from known illicit files. However, brute-force sector-by-sector comparison is prohibitive in terms of time required. Techniques that compute and compare hash-based signatures of sectors in order to filter out those sectors that do not produce the same signatures as sectors from known illicit files are required for accelerating the process.
+
  
This article reports the results of a case study in which the hashes for over 528 million sectors extracted from over 433,000 files of different types were analyzed. The hashes were computed using SHA1, MD5, CRC64, and CRC32 algorithms and hash collisions of sectors from JPEG and WAV files to other sectors were recorded. The analysis of the results shows that although MD5 and SHA1 produce no false-positive indications, the occurrence of false positives is relatively low for CRC32 and especially CRC64. Furthermore, the CRC-based algorithms produce considerably smaller hashes than SHA1 and MD5, thereby requiring smaller storage capacities. CRC64 provides a good compromise between number of collisions and storage capacity required for practical implementations of sector-scanning forensic tools.",
+
=== PDB ===
  url="http://www.informaworld.com/10.1080/15567280802050436"
+
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
}
+
</bibtex>
+
 
+
[[Category:Bibliographies]]
+

Revision as of 06:56, 29 January 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple families of executable files:

  • Scripts; e.g. shell scripts, batch scripts (.bat)
  • DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
  • ELF
  • Mach-O

External Links

ELF

MZ, PE/COFF

DBG, PDB

Mach-O

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

PDB

  • pdbparse, Open-source parser for Microsoft debug symbols (PDB files)