Difference between pages "Xplico" and "Selective file dumper"

From Forensics Wiki
{{Infobox_Software |
  name = Xplico |
  maintainer = [[Gianluca Costa & Andrea de Franceschi]] |
  os = {{Linux}} |
  genre = {{Analysis}} |
  license = {{GPL}} |
  website = [http://www.xplico.org www.xplico.org] |
}}

'''Xplico''' is a Network Forensic Analysis Tool (NFAT). Its main purpose is to extract all application-level data content from a network capture (a pcap file or a real-time acquisition). For example, Xplico can extract all e-mails carried by the POP and SMTP protocols, and all content carried by the HTTP protocol, from a pcap file.

<h2>Features</h2>
<ul>
  <li>Protocols supported: [http://www.xplico.org/status HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...];</li>
  <li>VoIP audio codecs supported: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA (x-msrta:Real Time Audio);</li>
  <li>Port Independent Protocol Identification (PIPI) for each application protocol;</li>
  <li>Multithreading;</li>
  <li>Output of data and information to an SQLite or MySQL database and/or to files;</li>
  <li>Each piece of data reassembled by Xplico is associated with an [[XML]] file that uniquely identifies the flows and the pcap containing the reassembled data;</li>
  <li>Real-time processing (depending on the number of flows, the protocol types and the performance of the computer: RAM, CPU, HD access time, ...);</li>
  <li>TCP reassembly with ACK verification for every packet, or soft ACK verification;</li>
  <li>Reverse DNS lookup from the DNS packets contained in the input files (pcap), not from an external DNS server;</li>
  <li>No size limit on the input data or on the number of input files (the only limit is HD size).</li>
</ul>

<h2>Demo and Cloud computing</h2>
<ul>
  <li>Demo with full features: [http://demo.xplico.org Demo]</li>
  <li>VoIP decoding, from pcap to wav file: [http://pcap2wav.xplico.org pcap2wav]</li>
</ul>

Selective file dumper, revision as of 14:35, 14 March 2008

Selective File Dumper (SFDumper) is a free, open source computer forensics tool written as a Bash script by Nanni Bassetti and Denis Frati for Linux systems.

The script is fast and selective: it can retrieve all files of a chosen type (e.g. .doc or .jpg), whether active, deleted or in unallocated space, and it works interactively.

The Bash script SFDUMPER.SH recovers active, deleted and unallocated files automatically, and then removes the carved files that duplicate the active and deleted files retrieved by the Sleuthkit, by comparing the SHA256 hashes of the carved files with those of the active and deleted files.

Renamed files can be recognized through data carving, and the Foremost configuration file embedded in the script can be extended to add new extensions.

Finally, a keyword search can be run on the set of files extracted by the Sleuthkit and Foremost.

The script can work on a partition chosen from an image file or directly from a device (e.g. /dev/sdb).


Actions

1) Choosing the partition to analyze, from an image file or a device;
2) Choosing the file type by the extension you need;
3) Extracting all referenced files with that extension;
4) Extracting all deleted files with that extension;
5) Carving the chosen partitions; the script then automatically deletes the
duplicate files, leaving only the carved files that are not in the
referenced or deleted set of files;
6) Running a keyword search on all the retrieved files;
7) Reporting everything, with the investigator name, date and time.
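The following POSIX shell sketch is an added example, not SFDumper's own code, showing steps 5 to 7 of the list above in working form: the SHA256 comparison that drops carved files already present in the recovered set, the keyword search over what remains, and a report header with investigator name and timestamp. It assumes coreutils (find, sha256sum, sort, grep, date) with sha256sum standing in for the sha256deep the page lists, and it assumes that the Sleuthkit export and the Foremost carving have already been run into two directories; the demo tree it builds is constructed sample data, not real image files.

```shell
#!/bin/sh
# Added example (not SFDumper's own code): dedup, keyword search and report
# steps from the Actions list. Assumes POSIX sh + coreutils; sha256sum is
# used instead of sha256deep. RECOVERED_DIR holds files already exported from
# the file system (active + deleted), CARVED_DIR holds carver output.

# hash_dir DIR: print "<sha256>  <path>" for every regular file below DIR.
hash_dir() {
    find "$1" -type f -exec sha256sum {} + 2>/dev/null | sort
}

# dedup_carved RECOVERED_DIR CARVED_DIR
# Delete every file in CARVED_DIR whose SHA-256 matches a file in
# RECOVERED_DIR, so only carved files not in the referenced/deleted set
# remain. Prints the number of carved files removed.
dedup_carved() {
    recovered_dir=$1
    carved_dir=$2
    known_hashes=$(mktemp)
    carved_list=$(mktemp)
    hash_dir "$recovered_dir" | awk '{ print $1 }' | sort -u > "$known_hashes"
    hash_dir "$carved_dir" > "$carved_list"
    removed=0
    # A redirect (not a pipe) feeds the loop so $removed survives it in any sh.
    while read -r digest path; do
        if grep -qx -- "$digest" "$known_hashes"; then
            rm -f -- "$path"
            removed=$((removed + 1))
        fi
    done < "$carved_list"
    rm -f -- "$known_hashes" "$carved_list"
    echo "$removed"
}

# keyword_search DIR KEYWORD: list files below DIR containing KEYWORD
# (case-insensitive), one path per line, sorted.
keyword_search() {
    grep -rli -- "$2" "$1" | sort
}

# make_report INVESTIGATOR DIR: report header (investigator, UTC time)
# followed by the SHA-256 of every file kept under DIR.
make_report() {
    printf 'Investigator: %s\nDate: %s\n' "$1" "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
    hash_dir "$2"
}

# make_demo_tree DIR: constructed sample layout (no real images): two files
# "recovered" from the file system and three "carved" files, two of which
# are byte-identical copies of recovered files.
make_demo_tree() {
    mkdir -p "$1/recovered" "$1/carved"
    printf 'JFIF-A sample' > "$1/recovered/a.jpg"
    printf 'JFIF-B sample' > "$1/recovered/b.jpg"
    printf 'JFIF-A sample' > "$1/carved/00000001.jpg"           # duplicate of a.jpg
    printf 'JFIF-C unallocated only' > "$1/carved/00000002.jpg" # genuinely new
    printf 'JFIF-B sample' > "$1/carved/00000003.jpg"           # duplicate of b.jpg
}

# Stand-alone run: build the tree, dedup, search, report, clean up.
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
echo "removed $(dedup_carved "$demo_dir/recovered" "$demo_dir/carved") duplicate carved file(s)"
echo "files mentioning 'unallocated':"
keyword_search "$demo_dir" unallocated
make_report "Jane Doe (constructed name)" "$demo_dir"
rm -rf -- "$demo_dir"
```

On the demo tree the dedup step removes the two carved copies and keeps only the carved file whose content never appeared among the recovered files, which is exactly what makes the remaining carved set worth a closer look: it is the data that the file system metadata no longer references.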


Requirements

Linux OS
Sleuthkit
Foremost
Sha256deep
grep
awk
sed
dd

Requirements for the GUI version

Zenity


Usage

sudo sh sfdumper.sh
or
chmod +x sfdumper.sh
./sfdumper.sh


Official web site

http://sfdumper.sourceforge.net


External links

http://freshmeat.net/projects/zenity