| Line 1: |
Line 1: |
| − | <div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#dddddd; align:center;">
| + | == Guidelines == |
| − | '''Note:''' We're trying to use the same [[tool template]] for all devices. Please use this if possible.
| + | |
| − | </div>
| + | |
| | | | |
| − | '''TODO: Not all of the following are tools, most are simply company names. The tools should have their own articles...'''
| + | # If on, leave on. If off, leave off. |
| | + | # Collect and preserve other surrounding and related devices. |
| | + | # Retain [[search warrant]] (if necessary - [[LE]]). |
| | + | # Return device to forensic lab if able. |
| | + | # Use [[forensically sound]] tools for processing. |
| | | | |
| − | = Hardware imagers = | + | == Notes == |
| − | ; [[DeepSpar Disk Imager]]
| + | |
| − | : Handles Data Recovery Imaging issues, drive instability, and bad sectors. http://www.deepspar.com/products-ds-disk-imager.html - Data Sheet and Whitepaper available for download from product web page.
| + | |
| − | ; [[ICS Solo3]]
| + | |
| − | : Supports USB, Firewire and SCSI drives. http://www.icsforensic.com/
| + | |
| − | ; [[Logicube Talon]]
| + | |
| − | : Supports USB
| + | |
| − | ; [[PSIClone]]
| + | |
| − | : Built-in PATA, SATA, USB and write blocker. http://www.thepsiclone.com/
| + | |
| − | : Enhanced Error Handling and Logging
| + | |
| − | ; [[Voom HardCopy III]]
| + | |
| − | : Allows destination drive to be formatted in NTFS.
| + | |
| | | | |
| − | = Unix-based imagers=
| + | Expand on 5 as to what to collect: |
| | | | |
| − | ; '''ewfacquire''' and '''ewfacquirestream'''
| + | * [[ESN]], |
| − | : Part of the [[libewf]] library package, '''ewfacquire''' and '''ewfacquiresteam''' can create evidence files in the [[EnCase]] and [[FTK Imager]] .E0* (EWF-E01) and [[SMART]] .s0* (EWF-S01) formats. '''ewfacquire''' and '''ewfacquirestream''' calculate an [[MD5]] and/or [[SHA1]] hash while the data is being acquired. Because of compatibility with [[EnCase]] '''ewfacquire''' and '''ewfacquirestream''' only store the [[SHA1]] digest hash in the Extended EWF (EWF-X) format.
| + | * [[IMEI]], |
| − | '''ewfacquire''' and '''ewfacquirestream''' provides support for byte swapping of media bytes. This is useful for dealing with big endian media on and little endian architectures and vice versa.
| + | * [[Carrier]], |
| − | It also has intelligent error recovery.
| + | * Model Number, |
| − | : https://libewf.sourceforge.net/
| + | * Color, and |
| | + | * Other information related to [[Cell Phone]] and [[SIM Card]]. |
| | | | |
| − | ; [[Adepto]]
| + | Process: |
| − | : http://www.e-fense.com/helix/ | + | |
| | | | |
| − | ; [[aimage]]
| + | # Research the [[Cell Phone]]. Visit PhoneScoop.com for more information |
| − | : Part of the [[AFF]] system, [[aimage]] can create files is raw, AFF, AFD, or AFM formats. AFF and AFD formats can be compressed or uncompressed. [[aimage]] can optionally compress and calculate [[MD5]] or [[SHA-1]] hash residues while the data is being copied. It has intelligent error recovery, similar to what is in [[ddrescue]].
| + | # |
| − | | + | # |
| − | ; [[AIR]]
| + | # |
| − | : AIR (Automated Image and Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.
| + | |
| − | : http://air-imager.sourceforge.net/
| + | |
| − | | + | |
| − | ; [[dcfldd]]
| + | |
| − | : A version of [[dd]] created by the [[Digital Computer Forensics Laboratory]]. [[dcfldd]] is an enhanced version of [[GNU]] dd with features useful for forensics and security, such as calculating [[MD5]] or [[SHA-1]] [[hash]]es on the fly and faster disk wiping.
| + | |
| − | | + | |
| − | ; [[dd]]
| + | |
| − | : A program that converts and copies files, is one of the oldest [[Unix]] programs. I can copy data from any Unix "file" (including a [[raw partition]]) to any other Unix "file" (including a disk file or a raw partition). This is one of the oldest of the imaging tools, and produces [[raw image files]]. Extended into [[dcfldd]].
| + | |
| − | | + | |
| − | ; EnCase [[LinEn]]
| + | |
| − | : Linux-based version of EnCase's forensic imaging tool.
| + | |
| − | | + | |
| − | ; GNU [[ddrescue]]
| + | |
| − | : http://www.gnu.org/software/ddrescue/ddrescue.html
| + | |
| − | | + | |
| − | ; [[dd_rescue]]
| + | |
| − | : http://www.garloff.de/kurt/linux/ddrescue/
| + | |
| − | : A tool similar to [[dd]], but unlike dd it will continue reading the next sector, if it stumbles over bad sectors it cannot read.
| + | |
| − | | + | |
| − | ; iLook [[IXimager]]
| + | |
| − | : The primary imaging tool for [[iLook]]. It is [[Linux]] based and produces compressed authenticatable [[image file]]s that may only be read in the iLook analysis tool.
| + | |
| − | | + | |
| − | ; [[MacQuisition Boot CD]]
| + | |
| − | : Provides software to safely image [[Macintosh]] drives.
| + | |
| − | | + | |
| − | ; [[rdd]]
| + | |
| − | : http://sourceforge.net/projects/rdd
| + | |
| − | : Rdd is robust with respect to read errors and incorporates several other functions: MD5 and SHA-1 hashing, block hashing, entropy computation, checksumming, network transfer, and output splitting.
| + | |
| − | | + | |
| − | ; [[sdd]]
| + | |
| − | : Another [[dd]]-like tool. It is supposed to be faster in certain situations.
| + | |
| − | | + | |
| − | = Windows-based imagers =
| + | |
| − | | + | |
| − | ; [[AccessData]]
| + | |
| − | : Their ultimate tool lets you "READ, ACQUIRE, DECRYPT, ANALYZE and REPORT (R.A.D.A.R.)."
| + | |
| − | | + | |
| − | ; [[ASR]]
| + | |
| − | : A tool for [[imaging]] and analyzing disks.
| + | |
| − | | + | |
| − | ; [[DIBS]]
| + | |
| − | : Can image and convert many file formats. Also builds mobile toolkit.
| + | |
| − | | + | |
| − | ; [[EnCase]]
| + | |
| − | : Can image with out dongle plugged in. Only images to E0* file.
| + | |
| − | | + | |
| − | ; [[FTK Imager]] by [[AccessData]]
| + | |
| − | : Can image and convert many image formats. Including [[E0*]] (EWF-E01), s0* (EWF-S01) and [[dd]]. Also a free tool.
| + | |
| − | | + | |
| − | ; [[Ghost]]
| + | |
| − | : FTK can read forensic, uncompressed [[Ghost image]]s.
| + | |
| − | | + | |
| − | ; [[iLook]]
| + | |
| − | : The [[IRS]]'s set of forensic tools and utilities. iLook V8 can image in Windows.
| + | |
| − | | + | |
| − | ; [[Paraben]]
| + | |
| − | : A complete set of tools for [[Windows]] (and [[handheld]]) products.
| + | |
| − | | + | |
| − | ; [[ProDiscovery]]
| + | |
| − | : Images and searches [[FAT12]], [[FAT16]], [[FAT32]] and all [[NTFS]] files.
| + | |
| − | | + | |
| − | ; [[X-Ways Forensics]]
| + | |
| − | : Has some limited imaging capabilities. The output is [[raw format]].
| + | |
| − | | + | |
| − | ; [[X-Ways Replica]]
| + | |
| − | : Performs [[hard disk]] [[cloning]] and imaging. The output is [[raw format]].
| + | |
| − | | + | |
| − | | + | |
| − | [[Category:Tools]]
| + | |
| − | | + | |
| − | [[Category:Tools]]
| + | |
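Review bot: the "Expand on 5 as to what to collect" note lists device identifiers (ESN, IMEI, Carrier, Model Number, Color, SIM card details), which belong with step 2 ("Collect and preserve other surrounding and related devices") rather than step 5 ("Use forensically sound tools for processing"); either point the note at step 2 or reword step 2 so it covers recording these identifiers. The Process list still carries three empty "#" items and the == Notes == section is empty, so the revision reads as an unfinished draft; fill them in or drop them before saving. The change also deletes the entire hardware, Unix and Windows imager catalogue (DeepSpar, ewfacquire, aimage, dcfldd, dd, ddrescue, FTK Imager, X-Ways and the rest) together with both [[Category:Tools]] tags, so that content no longer exists anywhere and the page drops out of the Tools category; move the tool list to its own article (the removed text's own TODO already asked for that), which also gives step 5's "forensically sound tools" something to link to, and add a category for the new guideline page.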