Difference between pages "Tools:Data Recovery" and "Tsk-cp"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Carving)
 
 
Line 1: Line 1:
{{Wikify}}
+
Tsk-cp is a set of [[LibCarvPath]] aware versions of [[Sleuthkit]] tools, that are for use together with the
 +
normal versions of the other sleuthkit tools in the process of doing [[zero storage carving]].
  
= Partition Recovery =
+
The tools are:
  
; [[Partition Table Doctor]]
+
* mmls-cp : A CarvPath based version of mmls for listing a partitioned carvpath disk images as a list of partition carvpaths.
: http://www.ptdd.com/index.htm
+
* dls-cp : A CarvPath based version of dls for listing all continuous unallocated fragments of a carvpath partition holding a filesystem as a list of unallocated block carvpaths.
 +
* icat-cp : A CarvPath based version of icat that instead of copying out the data of an inode within a carvpath partition holding a filesystem as the carvpath of the file and the carvpath of the [[file slack]].
  
; [[parted]]
+
The carvpaths output by dls-cp can be used as the input of a CarvPath aware carving tool.
: The Linux partition management tool.
+
 
+
; [[Active Partition Recovery]]
+
: ...
+
 
+
; [[gpart]]
+
: http://www.stud.uni-hannover.de/user/76201/gpart/
+
 
+
; [[Testdisk]]
+
: http://www.cgsecurity.org/wiki/TestDisk
+
  
 
== See Also ==
 
== See Also ==
 
+
* [Open Computer Forensics Architecture]
* [http://support.microsoft.com/?kbid=166997 Using Norton Disk Edit to Backup Your Master Boot Record]
+
 
+
== Notes ==
+
 
+
* "fdisk /mbr" restores the boot code in the [[MBR]], but not the partition itself.
+
= Data Recovery =
+
 
+
; [[BringBack]]
+
: http://www.toolsthatwork.com/
+
: BringBack offers easy to use, inexpensive, and highly successful data recovery for Windows and Linux (ext2) operating systems and digital images stored on memory cards, etc.
+
 
+
; [[ByteBack Data Recovery Investigative Suite v4.0]]
+
: http://www.toolsthatwork.com
+
: Now with UDMA, ATA & SATA support, memory management and greater ease and control of partition and MBR manipulations, ByteBack continues to uphold it's viability as the computer forensics and recovery application of professionals.
+
 
+
; [[RAID Reconstructor]]
+
: http://www.runtime.org/raid.htm
+
: Runtime Software's RAID Reconstructor will reconstruct [[RAID Level 0]] (Striping) and [[RAID Level 5]] drives.
+
 
+
; [[Salvation Data]]
+
: http://www.salvationdata.com
+
: Claims to have a program that can read the "[[bad blocks]]" of [[Maxtor]] drives with proprietary commands.
+
 
+
=Carving=
+
; [[DataLifter DataLifter® - File Extractor Pro]]
+
: http://www.datalifter.com/products.htm
+
 
+
; [[Scalpel]]
+
: Currently the most popular open-source carving tool.
+
 
+
; [[EnCase]]
+
: EnCase comes with some eScripts that will do carving.
+
 
+
; [[CarvFs]]
+
A virtual filesystem (fuse) implementation that can provide carving tools
+
with the posibility to do recursive multi tool zero-storage carving
+
(also called in-place carving). Patches and scripts for scalpel and
+
foremost are provided. Works on raw and encase images.
+
: http://ocfa.sourceforge.net/libcarvpath/
+
 
+
; [[LibCarvPath]]
+
: http://ocfa.sourceforge.net/libcarvpath/
+
A shared library that allows carving tools to use zero-storage carving on
+
carvfs virtual files.
+

Revision as of 01:30, 11 August 2012

Tsk-cp is a set of LibCarvPath aware versions of Sleuthkit tools, that are for use together with the normal versions of the other sleuthkit tools in the process of doing zero storage carving.

The tools are:

  • mmls-cp : A CarvPath based version of mmls for listing a partitioned carvpath disk images as a list of partition carvpaths.
  • dls-cp : A CarvPath based version of dls for listing all continuous unallocated fragments of a carvpath partition holding a filesystem as a list of unallocated block carvpaths.
  • icat-cp : A CarvPath based version of icat that instead of copying out the data of an inode within a carvpath partition holding a filesystem as the carvpath of the file and the carvpath of the file slack.

The carvpaths output by dls-cp can be used as the input of a CarvPath aware carving tool.

See Also

  • [Open Computer Forensics Architecture]