Difference between pages "DEFT Linux 1" and "File Vault"

From Forensics Wiki
{{Infobox_Software |
  name = DEFT v1 Linux |
  maintainer = [[Stefano Fratepietro]] |
  os = {{Linux}} |
  genre = {{Live CD}} |
  license = {{GPL}}, others |
  website = [http://www.stevelab.net/deft] |
}}

'''DEFT v1''' is a Live CD built on top of Kubuntu 6.10 that bundles tools for computer forensics and incident response.

== Tools included ==

'''DEFT computer and network forensic packages list:'''

: - sleuthkit, collection of UNIX-based command line tools that allow you to investigate a computer
: - autopsy, graphical interface to the command line digital investigation tools in The Sleuth Kit
: - afflib, library and tools for the Advanced Forensic Format (AFF) disk image format
: - gpart, tool which tries to guess the primary partition table of a PC-type hard disk
: - dd_rescue, copies data from one file or block device to another, continuing past read errors
: - foremost, console program to recover files based on their headers, footers, and internal data structures
: - hexdump, combined hex and ASCII dump of any file
: - KHexEdit, a versatile and customizable hex editor
: - stegdetect, steganography detection software
: - outguess, a steganography tool
: - ophcrack, Windows password recovery using rainbow tables
: - wireshark, network sniffer
: - ettercap, network sniffer
: - nessus, vulnerability and security scanner
: - nmap, network scanner
: - airsnort, wireless LAN (WLAN) tool which recovers WEP encryption keys
: - kismet, sniffer and intrusion detection system that works with any wireless card
: - dmraid, discovers software RAID devices
: - testdisk, tool to recover damaged partitions
: - qtparted, a Partition Magic clone written in C++ using the Qt toolkit
: - vinetto, tool to examine Thumbs.db files
: - trID, tool to identify file types from their binary signatures
: - readpst, a tool to read MS Outlook .pst files
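As an added illustration of what foremost and trID do on a raw image (this is example code written for this page, not DEFT's packages and not either tool's source), the Python below scans a constructed disk image for file signatures, identifies each hit by its magic bytes and carves the bytes up to the matching footer, truncating at a size limit when the footer has been overwritten. The signature table, the size limits and the image contents are all assumptions made for the example; real tools carry far larger tables.

```python
"""Signature-based file identification and carving over a raw image.

Added example for this page, not DEFT's own code and not the source of
foremost or trID: it models the technique those two tools apply.  The
signature table, the size limits and the disk image are all constructed
for the example.
"""

# (type, header, footer, max_size): a small table chosen to illustrate the
# method; real tools carry hundreds of entries and per-type size limits.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 64 * 1024),
    ("gif", b"GIF89a", b"\x00;", 64 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 64 * 1024),
]


def identify(data: bytes) -> str:
    """trID-style identification: match the leading bytes against the table
    instead of trusting a file name or extension."""
    for name, header, _footer, _max_size in SIGNATURES:
        if data.startswith(header):
            return name
    return "unknown"


def carve(image: bytes) -> list:
    """foremost-style carving: locate every header, then cut at the first
    matching footer within max_size bytes.  A header whose footer is missing
    (file partially overwritten) is truncated at max_size rather than dropped,
    so a fragment is still recovered.  Returns (type, offset, bytes) tuples
    sorted by offset."""
    found = []
    for name, header, footer, max_size in SIGNATURES:
        start = image.find(header)
        while start != -1:
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            body = window if end == -1 else window[:end + len(footer)]
            found.append((name, start, body))
            start = image.find(header, start + len(header))
    found.sort(key=lambda entry: entry[1])
    return found


def build_sample_image() -> bytes:
    """Constructed raw image (no real filesystem): zeroed unallocated space,
    metadata-like junk, one intact JPEG, one intact PNG and a PDF whose tail
    was overwritten so its %%EOF footer is gone."""
    filler = b"\x00" * 512
    junk = b"\xaa\x55" * 128
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"B" * 60 + b"IEND\xaeB`\x82"
    pdf_fragment = b"%PDF-1.4\n1 0 obj\n" + b"C" * 40
    return filler + jpeg + junk + png + filler + pdf_fragment + junk


if __name__ == "__main__":
    image = build_sample_image()
    for kind, offset, body in carve(image):
        print(f"{kind:4s} at offset {offset:6d}: {len(body)} bytes, identify() -> {identify(body)}")
```

The carver ignores the filesystem entirely, which is the point of the technique: it recovers files from unallocated space or a damaged partition table that sleuthkit cannot walk. The max_size cap is what keeps a headerless or footerless hit from swallowing the rest of the image; tune it per type, since a JPEG and a PDF have very different plausible sizes.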

'''DEFT utility package list:'''

: - Linux kernel 2.6.17
: - KDE 3.5.5
: - k3b
: - Samba client
: - OpenSSH client and server

and much more...

== External Links ==

* [http://www.stevelab.net/deft Official Website]

Revision as of 23:17, 10 June 2007

File Vault is the home-directory encryption feature developed by Apple and introduced with Mac OS X 10.3.

File Vault works by storing each user's home directory in an encrypted ".sparseimage" disk image. The image is mounted automatically when the user logs in and unmounted when the user logs out, and all of the user's files and preferences live inside it. The key that encrypts the image is stored in the .sparseimage file itself, but that key is in turn encrypted with a key derived from the user's login password.

There are no known attacks against File Vault other than a brute force (dictionary) attack on the user's password. Because the wrapped key sits inside the image, an examiner who holds a copy of the .sparseimage can run that attack offline with no lockout to worry about, so the protection an image actually gets is bounded by the strength of the login password (or of the master password that Apple provides as a recovery path) and by the cost of the key derivation.

You can find a good discussion of File Vault's usability shortcomings in [http://www.simson.net/thesis Simson Garfinkel's PhD Thesis].
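The key hierarchy described above, and the offline password attack it reduces to, as an added example written for this page (it is not Apple's code and does not reproduce Apple's on-disk format; the header layout, the wrapping construction, the iteration count and the sample wordlist are all assumptions made for the example). A random volume key is generated, wrapped under a key derived from the login password with PBKDF2, and stored beside a MAC; unwrapping is what login does, and the brute-force routine shows that a correct guess is confirmed by the MAC alone, one key derivation per candidate, without ever touching the encrypted home directory.

```python
"""Model of a File Vault style key hierarchy and the password-guessing
attack it reduces to.

Added example for this page, not Apple's code or on-disk format: the
header layout, the wrap construction, the iteration count and the
wordlist below are assumptions made for the example.  What it preserves
from the description is the structure: a random volume key stored in the
image, protected only by a key derived from the login password.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000      # assumed value; the count sets the per-guess cost
HEADER_MAGIC = b"FVEX"        # hypothetical tag for this example's header


def _derive(password: str, salt: bytes) -> tuple:
    """Password -> (wrapping key, MAC key) via PBKDF2-HMAC-SHA256."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, 64)
    return km[:32], km[32:]


def create_image_header(password: str) -> tuple:
    """Generate a random 256-bit volume key, wrap it under the password and
    return (header_bytes, volume_key).  The volume key is what actually
    encrypts the home directory; the password only ever protects this key."""
    volume_key = os.urandom(32)
    salt, nonce = os.urandom(16), os.urandom(16)
    wrap_key, mac_key = _derive(password, salt)
    # Wrap = XOR with a one-block keystream from the wrap key.  A real design
    # uses a proper key-wrap cipher; this stands in for it to stay stdlib-only.
    stream = hmac.new(wrap_key, b"wrap" + nonce, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
    return HEADER_MAGIC + salt + nonce + wrapped + tag, volume_key


def unwrap_volume_key(header: bytes, password: str):
    """What login does: re-derive from the password, check the MAC, unwrap.
    Returns the volume key, or None if the password is wrong."""
    if not header.startswith(HEADER_MAGIC) or len(header) != 4 + 16 + 16 + 32 + 32:
        raise ValueError("not a header produced by create_image_header")
    salt, nonce = header[4:20], header[20:36]
    wrapped, tag = header[36:68], header[68:100]
    wrap_key, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hmac.new(wrap_key, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, stream))


def brute_force(header: bytes, wordlist) -> tuple:
    """The examiner's only generic attack: each guess costs one PBKDF2 run and
    is confirmed by the MAC check, so nothing in the image body is needed.
    Returns (password, volume_key, guesses) or (None, None, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        key = unwrap_volume_key(header, candidate)
        if key is not None:
            return candidate, key, guesses
    return None, None, guesses


# Constructed sample wordlist, a tiny stand-in for a real dictionary.
SAMPLE_WORDLIST = ["password", "letmein", "123456", "macintosh", "qwerty"]

if __name__ == "__main__":
    header, real_key = create_image_header("macintosh")
    password, key, tried = brute_force(header, SAMPLE_WORDLIST)
    print(f"recovered {password!r} after {tried} guesses, key matches: {key == real_key}")
```

Two things the model makes concrete. First, the attacker needs only the 100-byte header, not the whole image, so copying it off a seized disk is trivial and the search runs on any hardware. Second, the work per guess is exactly KDF_ITERATIONS HMAC operations, which is why a low iteration count or a dictionary-word password collapses the scheme even though the volume key itself is 256 bits of randomness.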