Difference between pages "Document Metadata Extraction" and "Rekall"

From ForensicsWiki

Document Metadata Extraction

Here are tools that will extract metadata from document files.

=Office Files=

; [[antiword]]
: http://www.winfield.demon.nl/

; [[Belkasoft]] Evidence Center
: http://belkasoft.com/
: Extracts metadata from various [[Microsoft]] Office files (both 97-2003 and 2007-2013 formats), as well as Open Office documents. It can also extract plain text (combining all text from all XLS/XLSX/ODS pages and PPT/PPTX/ODP slides) and embedded objects, and pictures embedded in a document can be viewed directly in its user interface.

; [[catdoc]]
: http://www.45.free.net/~vitus/software/catdoc/

; [[laola]]
: http://user.cs.tu-berlin.de/~schwartz/pmh/index.html

; [[word2x]]
: http://word2x.sourceforge.net/

; [[wvWare]]
: http://wvware.sourceforge.net/
: Extracts metadata from various [[Microsoft]] Word files ([[doc]]). Can also convert doc files to other formats such as HTML or plain text.

; [[Outside In]]
: http://www.oracle.com/technology/products/content-management/oit/oit_all.html
: Originally developed by Stellent, supports hundreds of file types.

; [[FI Tools]]
: http://forensicinnovations.com/
: More than 100 file types.

=StickyNotes=

; StickyNotes Parser
: Windows 7 StickyNotes follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx MS Compound Document binary format]; the StickyNotes Parser extracts metadata (time stamps) from the OLE format, including the text content (not the RTF contents) of the notes themselves. Sn.exe also extracts the modified time of the Root Entry of the Compound Document; all times are displayed in UTC.
: http://code.google.com/p/winforensicaanalysis/downloads/list

=PDF Files=

; [[xpdf]]
: http://www.foolabs.com/xpdf/
: [[pdfinfo]] (part of the [[xpdf]] package) displays some metadata of [[PDF]] files.

(See [[PDF]])

=Images=

; [[Exiftool]]
: http://www.sno.phy.queensu.ca/~phil/exiftool/
: Free, cross-platform tool to extract metadata from many different file formats. Also supports writing metadata.

; [[jhead]]
: http://www.sentex.net/~mwandel/jhead/
: Displays or modifies [[Exif]] data in [[JPEG]] files.

; [[vinetto]]
: http://vinetto.sourceforge.net/
: Examines [[Thumbs.db]] files.

; [[libexif]]
: http://sourceforge.net/projects/libexif
: EXIF tag parsing library.

; [[Adroit Photo Forensics]]
: http://digital-assembly.com/products/adroit-photo-forensics/
: Displays metadata and uses date and camera metadata for grouping, timelines etc.

; Exif Viewer
: http://araskin.webs.com/exif/exif.html
: Add-on for Firefox and Thunderbird that displays various [[JPEG]]/JPG metadata in local and remote images.

; exiftags
: http://johnst.org/sw/exiftags/
: Open source utility to parse and edit [[exif]] data in [[JPEG]] images. Found in many Debian based distributions.

; exifprobe
: http://www.virtual-cafe.com/~dhh/tools.d/exifprobe.d/exifprobe.html
: Open source utility that reads [[exif]] data in [[JPEG]] and some "RAW" image formats. Found in many Debian based distributions.

; Exiv2
: http://www.exiv2.org
: Open source C++ library and command line tool for reading and writing metadata in various image formats. Found in almost every GNU/Linux distribution.

; pngtools
: http://www.stillhq.com/pngtools/
: Open source suite of commands (pnginfo, pngchunks, pngchunksdesc) that reads metadata found in [[PNG]] files. Found in many Debian based distributions.

; pngmeta
: http://sourceforge.net/projects/pmt/files/
: Open source command line tool that extracts metadata from [[PNG]] images. Found in many Debian based distributions.

=General=

These general-purpose programs frequently work when the special-purpose programs fail, but they generally provide less detailed information.

; [[Metadact-e]]
: "Patented server-based metadata cleaning software that previews, cleans and converts documents in Microsoft Outlook, Web Access email, tablets and smartphones, as well as desktop-based documents."
: http://www.litera.com/Products/Metadact-e.aspx

; [[Metadata Extraction Tool]]
: "Developed by the National Library of New Zealand to programmatically extract preservation metadata from a range of file formats like PDF documents, image files, sound files, Microsoft Office documents, and many others."
: http://meta-extractor.sourceforge.net/

; [[Metadata Assistant]]
: http://www.payneconsulting.com/products/metadataent/

; [[hachoir|hachoir-metadata]]
: Extraction tool, part of the '''[[Hachoir]]''' project.

; [[file]]
: The UNIX '''file''' program can extract some metadata.

; [[GNU libextractor]]
: http://gnunet.org/libextractor/
: The libextractor library is a pluggable system for extracting metadata.

; [[Directory Lister Pro]]
: Directory Lister Pro is a Windows tool which creates listings of files from selected directories on hard disks, CD-ROMs, DVD-ROMs, floppies, USB storage and network shares. Listings can be in HTML, text or CSV format (for easy import into Excel). A listing can contain standard file information such as file name, extension, type, owner and date created, but, especially useful for forensic analysis, file metadata can be extracted from various formats: 1) executable file information (EXE, DLL, OCX) such as file version, description, company and product name; 2) multimedia properties (MP3, AVI, WAV, JPG, GIF, BMP, MKV, MKA, MPEG) such as track, title, artist, album, genre, video format, bits per pixel, frames per second, audio format and bits per channel; 3) Microsoft Office files (DOC, DOCX, XLS, XLSX, PPT, PPTX) such as document title, author, keywords and word count. For each file and folder it is also possible to obtain its CRC32, MD5, SHA-1 and Whirlpool hash. An extensive set of options allows the visual look of the output to be fully customized. Filters on file name, date, size or attributes can be applied to limit the files listed.
: http://www.krksoft.com

[[Category:Tools]]

Rekall

{{Infobox_Software |
  name = Rekall |
  maintainer = [[Michael Cohen]] |
  os = {{Cross-platform}} |
  genre = {{Memory analysis}}, {{Memory imaging}} |
  license = {{GPL}} |
  website = [https://code.google.com/p/rekall/ code.google.com/p/rekall/] |
}}

Rekall is the stand-alone continuation of the [[Volatility]] Technology Preview (TP) version, aka the scudette branch.

One of Rekall's goals is to provide better integration with [[GRR]] through improved modularity of the framework and a built-in memory acquisition capability.

== Memory acquisition drivers ==

The drivers can be found under:

<pre>
rekall/tools/linux
rekall/tools/osx
rekall/tools/windows
</pre>

=== Linux ===

To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:

<pre>
cd rekall/tools/linux/
make
</pre>

The acquisition driver is named pmem.ko.

To load the driver:

<pre>
sudo insmod pmem.ko
</pre>

To check if the driver is running:

<pre>
sudo lsmod
</pre>

The driver creates a device file named:

<pre>
/dev/pmem
</pre>

To unload the driver:

<pre>
sudo rmmod pmem
</pre>

To acquire the memory, just read from the device file, e.g.:

<pre>
dd if=/dev/pmem of=image.raw
</pre>

For more information see:

<pre>
rekall/tools/linux/README
</pre>

=== Mac OS X ===

For more information see:

<pre>
rekall/tools/osx/OSXPMem/README
</pre>

=== Windows ===

Since recent versions of Windows require a signed driver, Rekall comes with both pre-built (signed binary) and source versions of the driver.

Both the i386 and amd64 binary versions of the driver can be found in the directory:

<pre>
rekall/tools/windows/winpmem/binaries
</pre>

e.g.

<pre>
rekall/tools/winpmem/binaries/amd64/winpmem.sys
</pre>

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:

<pre>
rekall/tools/winpmem/executables/Release/
</pre>

To load the driver:

<pre>
winpmem.exe -l
</pre>

The device filename is (this cannot be changed without recompiling):

<pre>
\\.\pmem
</pre>

Note that running dd directly on this device file can crash the machine. Use the winpmem.exe tool instead because it handles protected memory regions.

To acquire the physical memory and write it to image.raw:

<pre>
winpmem.exe image.raw
</pre>

To unload the driver:

<pre>
winpmem.exe -u
</pre>

For more information see:

<pre>
rekall/tools/windows/README
</pre>

== See Also ==

* [[Volatility]]

== External Links ==

* [https://code.google.com/p/rekall/ Project site]
* [http://docs.rekall.googlecode.com/git/index.html Project documentation]

[[Category:Tools]]

Revision as of 14:23, 12 January 2014
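The Linux acquisition steps above (checking lsmod for the module, then reading /dev/pmem with dd) wrapped in the checks an examiner would want, as an added example that is not Rekall project code. The dd block size and conv options and the SHA-256 sidecar file are assumptions added here; the page only shows a bare dd command.

```shell
#!/bin/sh
# Added example, not Rekall project code: wrap the Linux pmem acquisition
# steps (lsmod check, dd from /dev/pmem) with the checks an examiner wants.

# Return 0 if the pmem module appears in lsmod-style output read from stdin
# (usage on a live system: lsmod | pmem_loaded). lsmod prints a header row
# followed by "name size used-by" rows; the module name is the first field.
pmem_loaded() {
    awk 'NR > 1 && $1 == "pmem" { found = 1 } END { exit !found }'
}

# Acquire the device $1 (/dev/pmem on a live system) into the image file $2
# and record a SHA-256 of the image in "$2.sha256" for later verification.
# Assumptions added here (the page only shows "dd if=/dev/pmem of=image.raw"):
# bs=4096 matches the usual 4 KiB page size, so an unreadable page costs
# exactly one block; conv=noerror,sync skips such pages and zero-fills them,
# which keeps physical-address offsets in the image correct instead of
# aborting the whole acquisition on the first read error.
acquire_pmem() {
    dev="$1"
    out="$2"
    [ -r "$dev" ] || { echo "acquire_pmem: cannot read $dev" >&2; return 1; }
    dd if="$dev" of="$out" bs=4096 conv=noerror,sync || return 1
    sha256sum "$out" > "$out.sha256"
}

# Verify that the image $1 still matches the hash recorded at acquisition.
verify_pmem() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}
```

On a live system run it as root (sudo sh -c '. ./acquire.sh; lsmod | pmem_loaded && acquire_pmem /dev/pmem image.raw'); the test below feeds a constructed regular file in place of /dev/pmem.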
