Difference between pages "Libewf" and "GRR"

From ForensicsWiki
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = libewf |
+
   name = Rekall |
   maintainer = [[Joachim Metz]], [[David Loveall]] |
+
   maintainer = [[Darren Bilby]] and others |
   os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
+
   os = {{Cross-platform}} |
   genre = {{Disk imaging}} |
+
   genre = {{Incident response}} |
   license = {{LGPL}} |
+
   license = {{APL}} |
   website = [http://libewf.sourceforge.net libewf.sourceforge.net] |
+
   website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
 
}}
 
}}
  
The '''libewf''' package contains [[Linux]] based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.
+
GRR is an Incident Response Framework focused on Remote Live Forensics.
  
It has been ported to other platforms like [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], and [[Windows]] as well.
+
The disk and file system analysis capabilities of GRR are provided by the [[sleuthkit]] and [[pytsk]] projects.
  
== History ==
+
The memory analysis and acquisition capabilities of GRR are provided by the [[rekall]] project.
  
Libewf was created by [[Joachim Metz]] in 2006, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].
+
= See also =
 +
* [[rekall]]
  
Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]] part of [[PyFlag]] and the [http://www.asrdata.com/SMART/whitepaper.html Expert Witness Compression Format Specification] by [[Andrew Rosen]]. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.
+
= External Links =
 +
* [https://code.google.com/p/grr/ Project site]
 +
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
 +
* [http://grr.googlecode.com/git/docs/index.html Documentation]
  
libewf also has read support for the EnCase L01 format.
+
== Publications ==
 +
* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
 +
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]], Digital Investigation, 2013.
  
In 2007 [[David Loveall]] contributed mount_ewf.py to the libewf project. This application allows a [[fuse]] based mount of the storage media data in the EWF files to be mounted.
+
== Presentations ==
 +
* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]
  
== Tools ==  
+
== Workshops ==
The '''libewf''' package contains the following tools:
+
* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]
* '''ewfacquire''', which writes storage media data from devices and files to EWF files.
+
* '''ewfacquirestream''', which writes data from stdin to EWF files.
+
* '''ewfexport''', which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
+
* '''ewfinfo''', which shows the metadata in EWF files.
+
* '''ewfverify''', which verifies the storage media data in EWF files.
+
 
+
Provided as separate tools on the libewf project site:
+
* '''mount_ewf.py''', which allows the storage media data in a EWF files to be mounted, contributed by [[David Loveall]] in 2007.
+
* '''libewf-java''', Java (JNA) bindings were contributed by [[Bradley Schatz]] in 2009.
+
* '''delphi imdisk proxy''', Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by [[Brendan Berney]] in 2010.
+
* '''jlibewf''', native Java EWF reader contributed by [[Bruce Allen]] in 2010.
+
 
+
A menu based interface for ewfacquirestream called pyEWF, contributed by [[Dennis Schreiber]], was originally also available on the project site. However this is currently no longer maintained. Instead the name pyewf was reused for the libewf Python bindings created by [[David Collett]] which is now included in the libewf package.
+
 
+
== Examples ==
+
 
+
Imaging a device on a Unix-based system:
+
<pre>
+
ewfacquire /dev/sda
+
</pre>
+
 
+
Imaging a device on a Windows system:
+
<pre>
+
ewfacquire \\.\PhysicalDrive0
+
</pre>
+
 
+
Converting a split RAW into an EWF image
+
<pre>
+
ewfacquire split.raw.???
+
</pre>
+
 
+
or
+
 
+
<pre>
+
cat split.raw.??? | ewfacquirestream
+
</pre>
+
 
+
Converting an EWF into another EWF format or a (split) RAW image
+
<pre>
+
ewfexport image.E01
+
</pre>
+
 
+
Exporting files from a logical image (L01)
+
<pre>
+
ewfexport image.L01
+
</pre>
+
 
+
== External Links ==
+
 
+
* [http://libewf.sourceforge.net libewf project site]
+
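Review bot: the GRR-side infobox names the wrong project: the line `name = Rekall |` sits on a page whose body text describes GRR (Rekall is only the project GRR relies on for memory analysis, per the sentence further down), so the infobox should read `name = GRR |`; as it stands the rendered page title block shows "Rekall". A second, stylistic point on the same side: `= See also =` and `= External Links =` are level-one headings while `== Publications ==`, `== Presentations ==` and `== Workshops ==` are level two, so the first two should be changed to `==` to keep one heading level across the page (the libewf side uses `==` throughout).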

Revision as of 15:36, 12 January 2014

Rekall
Maintainer: Darren Bilby and others
OS: Cross-platform
Genre: Incident Response
License: APL
Website: code.google.com/p/grr/

GRR is an Incident Response Framework focused on Remote Live Forensics.

The disk and file system analysis capabilities of GRR are provided by the sleuthkit and pytsk projects.

The memory analysis and acquisition capabilities of GRR are provided by the rekall project.
