Difference between revisions of "Selective file dumper"

From ForensicsWiki
(New page: '''Selective File Dumper''' (SFDumper) is an open source free computer forensics useful tool written in Bash Script, by Nanni Bassetti and Denis Frati, for [[...)
 
 
Line 1: Line 1:
'''Selective File Dumper''' (SFDumper) is an [[open source]] [[Free software|free]] [[computer forensics]] useful tool written in [[Bash]] Script, by Nanni Bassetti and Denis Frati, for [[Linux]] systems.
+
{{Infobox_Software |
 +
  name = SFDumper |
 +
  maintainer = Nanni Bassetti, Denis Frati |
 +
  os = {{Linux}} |
 +
  genre = {{Analysis}} |
 +
  license = Artistic License, {{GPL}}, {{Public Domain}} |
 +
  website = [http://sfdumper.sourceforge.net/ sfdumper.sourceforge.net] |
 +
}}
  
The script is fast and selective and it can retrieve all the files of the file type chosen (eg. .doc or .jpg)., active, deleted and unallocated, in interactive way.
+
'''Selective File Dumper''' (SFDumper) is a tool written in [[Bash]] Script for [[Linux]] systems.
  
The [[Bash]] script '''SFDUMPER.SH''', can recover active, deleted and unallocated files automatically and then it can delete the carved files duplicates of the deleted and active files retrieved by the [[Sleuthkit]], thanks to the comparison of the [[SHA256]] [[hash]] codes of the carved files and the active and deleted files.
+
It's fast and selective, it can retrieve all the files of the file type you choose with only one tool referenced, deleted and unallocated in very fast way.
 +
 
 +
The [[Bash]] script '''SFDUMPER.SH''' can recover active, deleted and unallocated files automatically and then it can delete the carved duplicate files of the deleted and active files retrieved by the [[Sleuthkit]], thanks to the comparison of the [[SHA256]] [[hash]] codes.
  
 
It's possible to recognize the renamed files by the data carving and it's possible to expand the [[Foremost]] configuration file inside the script, for adding new extensions.
 
It's possible to recognize the renamed files by the data carving and it's possible to expand the [[Foremost]] configuration file inside the script, for adding new extensions.
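Review bot: the added lead sentence "It's fast and selective, it can retrieve all the files of the file type you choose with only one tool referenced, deleted and unallocated in very fast way" says "fast" twice and drops the noun after "with only one tool"; suggest "With a single tool it retrieves all referenced, deleted and unallocated files of the chosen type." The new infobox also lists three licences (Artistic License, GPL, Public Domain) without saying how they relate; one sentence on which licence covers the script would help readers.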
Line 10: Line 19:
  
 
The script can work on the partition chosen from an image file or directly from the device (eg. /dev/sdb).
 
The script can work on the partition chosen from an image file or directly from the device (eg. /dev/sdb).
 
  
 
== Actions ==
 
== Actions ==
Line 25: Line 33:
 
7) Reporting all with the investigator name, date and time.<br />
 
7) Reporting all with the investigator name, date and time.<br />
 
</blockquote>
 
</blockquote>
 
  
 
== Requirements ==
 
== Requirements ==
  
<blockquote>
+
* [[Linux]]
[[Linux OS]]<br />
+
* [[Sleuthkit]]
[[Sleuthkit]]<br />
+
* [[Foremost]]
[[Foremost]] <br />
+
* [[md5deep]] (sha256deep)
[[Sha256deep]]<br />
+
* [[grep]]
[[grep]]<br />
+
* [[awk]]
[[awk]]<br />
+
* [[sed]]
[[sed]]<br />
+
* [[dd]]
[[dd]]<br />
+
</blockquote>
+
  
 
== Requirements for the GUI version ==
 
== Requirements for the GUI version ==
  
[[Zenity]]  
+
* [[Zenity]]  
 
+
  
 
== Usage ==
 
== Usage ==
  
sudo sh sfdumper.sh<br />
+
''sudo sh sfdumper.sh''
or<br />
+
chmod +x sfdumper.sh<br />
+
./sfdumper.sh <br />
+
  
 +
or
  
== Official web site ==
+
''chmod +x sfdumper.sh''
  
http://sfdumper.sourceforge.net
+
''./sfdumper.sh''
 +
 
 +
== Official web site ==
  
 +
* http://sfdumper.sourceforge.net
  
 
== External links ==
 
== External links ==
  
http://freshmeat.net/projects/zenity
+
* http://freshmeat.net/projects/zenity
  
[[Category:Computer forensics]]
+
[[Category:Linux]]
[[Category:Free security software]]
+
[[Category:Unix software]]
+
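Review bot: the Usage lines kept as `sudo sh sfdumper.sh` run the script through /bin/sh although the page describes SFDUMPER.SH as a Bash script; on distributions where /bin/sh is dash, Bash-only syntax will fail, so suggest `sudo bash sfdumper.sh` or the `chmod +x` / `./sfdumper.sh` form, which runs the script under whatever interpreter its first line names. The requirements change from `[[Sha256deep]]` to `[[md5deep]] (sha256deep)` reads correctly, since sha256deep is distributed as part of the md5deep suite, and the `*` bullet list is clearer than the `<br />` lines it replaces.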

Latest revision as of 04:15, 21 September 2008

SFDumper
Maintainer: Nanni Bassetti, Denis Frati
OS: Linux
Genre: Analysis
License: Artistic License, GPL, Public Domain
Website: sfdumper.sourceforge.net

Selective File Dumper (SFDumper) is a tool written in Bash Script for Linux systems.

It is fast and selective: with a single tool it retrieves all files of the chosen type, whether referenced (active), deleted or in unallocated space.

The Bash script SFDUMPER.SH recovers active, deleted and unallocated files automatically and then removes the carved files that duplicate the active and deleted files recovered by the Sleuthkit, by comparing their SHA256 hash codes.

Because data carving identifies files by content rather than by name, renamed files are recognized as well, and the Foremost configuration file embedded in the script can be expanded to add new extensions.

Finally, a keyword search can be run on the set of files extracted by the Sleuthkit and Foremost.

The script can work on a chosen partition either from an image file or directly from the device (e.g. /dev/sdb).

Actions

1) Choosing the partition to analyze, from an image file or a device;
2) Choosing the file type by the extension you need;
3) Extracting all referenced files with that extension;
4) Extracting all deleted files with that extension;
5) Carving the chosen partition and automatically deleting the duplicate files, leaving only the carved files that are not in the referenced or deleted set;
6) Executing a keyword search on all the retrieved files;
7) Reporting everything with the investigator name, date and time.
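Steps 5 and 6 are the part of the workflow worth seeing in code: carving finds the same bytes that Sleuthkit already recovered, so the carved set must be reduced to files whose SHA256 matches nothing in the referenced or deleted sets before a keyword search is run. The script below is an added example written for this page, not SFDumper's own code. It assumes sha256sum from GNU coreutils in place of sha256deep, and the directory names referenced/, deleted/ and carved/, the sample file names and their contents are all constructed here.

```bash
#!/usr/bin/env bash
# Added example (not SFDumper's code): hash-based de-duplication of carved
# files (step 5) followed by a keyword search (step 6), on constructed data.
# Assumption: sha256sum (GNU coreutils) stands in for sha256deep; the
# directory layout referenced/, deleted/, carved/ is invented for the example.
set -eu

# Create a constructed workspace. referenced/ and deleted/ stand in for files
# Sleuthkit recovered by extension; carved/ stands in for Foremost's output.
setup_workspace() {
  local ws=$1
  mkdir -p "$ws/referenced" "$ws/deleted" "$ws/carved"
  printf 'quarterly report\n'    > "$ws/referenced/report.doc"
  printf 'holiday photo bytes\n' > "$ws/deleted/f0001234.jpg"
  # The carver finds both recovered files again under generated names.
  printf 'quarterly report\n'    > "$ws/carved/00000001.doc"
  printf 'holiday photo bytes\n' > "$ws/carved/00000002.jpg"
  # This file exists only in unallocated space and must survive de-duplication.
  printf 'orphaned draft text\n' > "$ws/carved/00000003.doc"
}

# Hash every referenced and deleted file once; one SHA-256 per output line.
known_hashes() {
  find "$1/referenced" "$1/deleted" -type f -exec sha256sum {} + \
    | awk '{print $1}' | sort -u
}

# Delete carved files whose SHA-256 matches a known hash; print the count removed.
dedupe_carved() {
  local ws=$1 removed=0 known h f
  known=$(known_hashes "$ws")
  for f in "$ws"/carved/*; do
    [ -f "$f" ] || continue
    h=$(sha256sum "$f" | awk '{print $1}')
    if printf '%s\n' "$known" | grep -qx "$h"; then
      rm -f "$f"
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# Number of carved files left after de-duplication.
count_carved() {
  find "$1/carved" -type f | wc -l | tr -d ' '
}

# Keyword search over everything that was kept (step 6); prints matching paths.
keyword_search() {
  grep -rl -- "$2" "$1/referenced" "$1/deleted" "$1/carved" | sort
}

# Stand-alone run: build the workspace, de-duplicate, search, clean up.
demo_ws=$(mktemp -d)
setup_workspace "$demo_ws"
echo "carved duplicates removed: $(dedupe_carved "$demo_ws")"   # 2
echo "carved files kept: $(count_carved "$demo_ws")"             # 1
echo "files mentioning 'draft':"
keyword_search "$demo_ws" draft
rm -rf "$demo_ws"
```

The comparison is done on content hashes only, so a carved copy is dropped even when Foremost gave it a generated name; that is the same reason carving recognizes renamed files in the first place. On a real case the hash list would be written to the report rather than kept in a shell variable.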

Requirements

Linux
Sleuthkit
Foremost
md5deep (sha256deep)
grep
awk
sed
dd

Requirements for the GUI version

Zenity

Usage

sudo sh sfdumper.sh

or

chmod +x sfdumper.sh

./sfdumper.sh

Official web site

http://sfdumper.sourceforge.net

External links

http://freshmeat.net/projects/zenity