Difference between pages "Selective file dumper" and "Multihashing"

From ForensicsWiki
'''Selective File Dumper''' (SFDumper) is a [[Free software|free]], [[open source]] [[computer forensics]] tool written as a [[Bash]] script by Nanni Bassetti and Denis Frati for [[Linux]] systems.

The script is fast and selective: it interactively retrieves all files of a chosen type (e.g. .doc or .jpg), whether they are active, deleted, or lying in unallocated space.

The [[Bash]] script '''SFDUMPER.SH''' recovers active, deleted and unallocated files automatically. It then deletes the carved files that duplicate the active and deleted files already recovered by [[Sleuthkit]], by comparing the [[SHA256]] [[hash]] of each carved file with the hashes of the active and deleted files. Because the comparison is on content rather than on name, a carved copy is matched even when the original had been renamed; a carved file that is truncated or partly overwritten will not hash-match and is kept.

Data carving also recognizes renamed files (e.g. a JPEG saved with a .doc extension), since the carver keys on file signatures rather than names. The [[Foremost]] configuration file embedded in the script can be extended to add new file types.

Finally, a [[keywords|keyword]] search can be run over the set of files extracted by [[Sleuthkit]] and [[Foremost]].

The script works on a chosen partition, either from an image file or directly from a device (e.g. /dev/sdb). When reading directly from a device, attach it through a hardware write blocker so that the evidence cannot be modified.

== Actions ==

<blockquote>
1) Choosing the partition to analyze, from an image file or a device;<br />
2) Choosing the file type by the extension you need;<br />
3) Extracting all referenced (active) files with that extension;<br />
4) Extracting all deleted files with that extension;<br />
5) Carving the chosen partition; the script then automatically deletes the duplicates,<br />
    leaving only the carved files that are not in the referenced or deleted set<br />
    (matching is by SHA256 hash, so it is independent of the file name);<br />
6) Executing a keyword search on all the retrieved files;<br />
7) Reporting everything, with the investigator's name, date and time.<br />
</blockquote>
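The deduplication in step 5, as an added example that is not SFDumper's own code: it takes a directory of files recovered by name from the file system (what [[Sleuthkit]] yields for active and deleted files) and a directory of carved files (what [[Foremost]] yields), and deletes every carved file whose SHA256 matches a recovered file, so only carvings that the file-system metadata did not already account for remain. It assumes GNU coreutils sha256sum in place of [[Sha256deep]], and the sample files are constructed here, not taken from any image.

```bash
#!/bin/sh
# Added example, not SFDumper's code: hash-based removal of carved duplicates.
# Assumption: sha256sum (GNU coreutils) stands in for sha256deep.

# build_demo DIR: constructed sample data, not taken from any real image.
build_demo() {
    dir="$1"
    mkdir -p "$dir/recovered" "$dir/carved"
    printf 'quarterly report\n' > "$dir/recovered/report.doc"
    printf 'holiday photo\n'    > "$dir/recovered/photo.jpg"
    # carved copies of the two files above: same bytes, carver-assigned names
    printf 'quarterly report\n' > "$dir/carved/00000001.doc"
    printf 'holiday photo\n'    > "$dir/carved/00000002.jpg"
    # carved file with no file-system counterpart: it only exists in unallocated space
    printf 'draft never saved\n' > "$dir/carved/00000003.doc"
}

# dedupe_carved RECOVERED_DIR CARVED_DIR
# Deletes carved files whose SHA-256 matches any recovered file and prints the
# number deleted. Names are ignored; only content is compared, so a renamed
# original still matches while a truncated carving does not.
dedupe_carved() {
    recovered="$1"; carved="$2"
    known=$(mktemp)
    # one digest per recovered file, first field of "digest  path"
    find "$recovered" -type f -exec sha256sum {} + | cut -d' ' -f1 | sort -u > "$known"
    deleted=0
    for f in "$carved"/*; do
        [ -f "$f" ] || continue
        h=$(sha256sum "$f" | cut -d' ' -f1)
        # -F: digest is a literal string; -x: whole line must match
        if grep -qxF "$h" "$known"; then
            echo "duplicate of a recovered file, removing: $f" >&2
            rm -f "$f"
            deleted=$((deleted + 1))
        fi
    done
    rm -f "$known"
    echo "$deleted"
}

# demo: run the whole flow on the constructed data and list what survives.
demo() {
    d=$(mktemp -d)
    build_demo "$d"
    n=$(dedupe_carved "$d/recovered" "$d/carved")
    echo "carved duplicates removed: $n"
    echo "carved files kept:"; ls "$d/carved"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh dedupe.sh demo`: two of the three carved files are removed and only 00000003.doc, the one with no file-system counterpart, is kept. In a real run the two directories would be the Sleuthkit and Foremost output directories, and the removed names belong in the report so the investigator can see what was discarded and why.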
== Requirements ==

<blockquote>
[[Linux OS]]<br />
[[Sleuthkit]]<br />
[[Foremost]]<br />
[[Sha256deep]]<br />
[[grep]]<br />
[[awk]]<br />
[[sed]]<br />
[[dd]]<br />
</blockquote>

== Requirements for the GUI version ==

[[Zenity]]

== Usage ==

sudo sh sfdumper.sh<br />
or<br />
chmod +x sfdumper.sh<br />
./sfdumper.sh<br />

Root privileges are needed to read a raw device directly. The script is written in [[Bash]], so on systems where /bin/sh is not Bash run it as sudo bash sfdumper.sh instead of sudo sh sfdumper.sh.

== Official web site ==

http://sfdumper.sourceforge.net

== External links ==

http://freshmeat.net/projects/zenity

[[Category:Computer forensics]]
[[Category:Free security software]]
[[Category:Unix software]]

Revision as of 07:10, 17 March 2008

'''Multihashing''' is the process of using two or more [[hashing]] algorithms together. It is used by the tools [[hash]] (by Mares), [[fsum]], [[hashdeep]], and [[fciv]].
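A minimal multihash manifest, as an added example that is not code from hash, fsum, hashdeep or fciv: each file gets two independent digests (MD5 and SHA-256), and verification passes only when both still match, so a collision or a defect in one algorithm alone cannot make a changed file look intact. It assumes md5sum and sha256sum from GNU coreutils, and the evidence files are constructed here.

```bash
#!/bin/sh
# Added example, not from any of the tools named above: a two-algorithm
# manifest and its verification. Assumption: md5sum and sha256sum are on PATH.

# digest ALGO FILE: print only the hex digest of FILE under ALGO (md5 | sha256)
digest() {
    "${1}sum" "$2" | cut -d' ' -f1
}

# multihash_manifest DIR OUT: one line per file, "md5 sha256 relative-path"
multihash_manifest() {
    dir="$1"; out="$2"
    : > "$out"
    (cd "$dir" && find . -type f | sort) | while IFS= read -r rel; do
        printf '%s %s %s\n' "$(digest md5 "$dir/$rel")" "$(digest sha256 "$dir/$rel")" "$rel" >> "$out"
    done
}

# multihash_verify DIR MANIFEST: prints a MISSING or MODIFIED line for every
# file that fails either digest; exit status 0 only when all files match both.
multihash_verify() {
    dir="$1"; manifest="$2"; bad=0
    # rel absorbs the rest of the line, so paths with spaces survive
    while read -r m s rel; do
        if [ ! -f "$dir/$rel" ]; then
            echo "MISSING $rel"; bad=1; continue
        fi
        if [ "$(digest md5 "$dir/$rel")" != "$m" ] || [ "$(digest sha256 "$dir/$rel")" != "$s" ]; then
            echo "MODIFIED $rel"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# demo: constructed sample data; a clean verification, then a one-byte change
# and a deleted file are both reported.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/evidence"
    printf 'hello\n' > "$d/evidence/a.txt"
    printf 'world\n' > "$d/evidence/b.txt"
    multihash_manifest "$d/evidence" "$d/manifest.txt"
    cat "$d/manifest.txt"
    multihash_verify "$d/evidence" "$d/manifest.txt" && echo "verify: OK"
    printf 'worlD\n' > "$d/evidence/b.txt"
    rm "$d/evidence/a.txt"
    multihash_verify "$d/evidence" "$d/manifest.txt" || echo "verify: FAILED"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh multihash.sh demo`. The manifest is kept outside the directory it describes so that it never lists itself; the verifier reports a file as modified when either digest disagrees, which is the whole point of carrying more than one.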