| Line 1: |
| − | '''Selective File Dumper''' (SFDumper) is an [[open source]] [[Free software|free]] [[computer forensics]] useful tool written in [[Bash]] Script, by Nanni Bassetti and Denis Frati, for [[Linux]] systems. | + | '''Multihashing''' is the process of using two or more [[hashing]] algorithms together. The process is used in [[hash]] by Mares, [[fsum]], [[hashdeep]], and [[fciv]]. |
| − | | + | |
| − | The script is fast and selective and it can retrieve all the files of the file type chosen (eg. .doc or .jpg)., active, deleted and unallocated, in interactive way. | + | |
| − | | + | |
| − | The [[Bash]] script '''SFDUMPER.SH''', can recover active, deleted and unallocated files automatically and then it can delete the carved files duplicates of the deleted and active files retrieved by the [[Sleuthkit]], thanks to the comparison of the [[SHA256]] [[hash]] codes of the carved files and the active and deleted files.
| + | |
| − | | + | |
| − | It's possible to recognize the renamed files by the data carving and it's possible to expand the [[Foremost]] configuration file inside the script, for adding new extensions.
| + | |
| − | | + | |
| − | Finally, it is possible to do a [[keywords]] search on the set of files extracted by the [[Sleuthkit]] and [[Foremost]].
| + | |
| − | | + | |
| − | The script can work on the partition chosen from an image file or directly from the device (eg. /dev/sdb).
| + | |
| − | | + | |
| − | | + | |
| − | == Actions ==
| + | |
| − | | + | |
| − | <blockquote>
| + | |
| − | 1) Choosing the partition to analyze from an image file or a device;<br />
| + | |
| − | 2) Choosing the file type by the extension you need to have;<br />
| + | |
| − | 3) Extracting all referenced files by their extension;<br />
| + | |
| − | 4) Extracting all the deleted files by their extension;<br />
| + | |
| − | 5) Carving all the partitions chosen and, automatically, the script will<br />
| + | |
| − | delete the duplicate files leaving only the carved files whose are not<br />
| + | |
| − | into the referenced or delete set of files;<br />
| + | |
| − | 6) Executing a keyword search on all the retrieved files;<br />
| + | |
| − | 7) Reporting all with the investigator name, date and time.<br />
| + | |
| − | </blockquote>
| + | |
| − | | + | |
| − | | + | |
| − | == Requirements ==
| + | |
| − | | + | |
| − | <blockquote>
| + | |
| − | [[Linux OS]]<br /> | + | |
| − | [[Sleuthkit]]<br />
| + | |
| − | [[Foremost]] <br />
| + | |
| − | [[Sha256deep]]<br />
| + | |
| − | [[grep]]<br />
| + | |
| − | [[awk]]<br />
| + | |
| − | [[sed]]<br />
| + | |
| − | [[dd]]<br />
| + | |
| − | </blockquote>
| + | |
| − | | + | |
| − | == Requirements for the GUI version ==
| + | |
| − | | + | |
| − | [[Zenity]]
| + | |
| − | | + | |
| − | | + | |
| − | == Usage ==
| + | |
| − | | + | |
| − | sudo sh sfdumper.sh<br />
| + | |
| − | or<br />
| + | |
| − | chmod +x sfdumper.sh<br />
| + | |
| − | ./sfdumper.sh <br />
| + | |
| − | | + | |
| − | | + | |
| − | == Official web site ==
| + | |
| − | | + | |
| − | http://sfdumper.sourceforge.net
| + | |
| − | | + | |
| − | | + | |
| − | == External links ==
| + | |
| − | | + | |
| − | http://freshmeat.net/projects/zenity
| + | |
| − | | + | |
| − | [[Category:Computer forensics]]
| + | |
| − | [[Category:Free security software]]
| + | |
| − | [[Category:Unix software]]
| + | |
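Review bot: the whole SFDumper article is overwritten by a one-sentence Multihashing stub rather than being moved, so every removed section in this hunk (the intro, Actions, Requirements, Requirements for the GUI version, Usage, Official web site, External links) and the three category tags at the end are dropped with nothing relocated, and the new text carries no categories, links or references of its own, so the page falls out of the Computer forensics, Free security software and Unix software indexes. If the intent is a new Multihashing article, create it on its own page and leave this one intact; if SFDumper is meant to be retired, redirect instead of overwriting so the Sleuthkit/Foremost/sha256deep workflow description stays reachable. The stub should at least keep `[[Category:Computer forensics]]` and cite the tools it names (hash by Mares, fsum, hashdeep, fciv) rather than bare wikilinks.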