Difference between pages "Plaso" and "Libsmraw"

From ForensicsWiki

This is a MediaWiki comparison of two unrelated pages. The "Plaso" side is reproduced here as wiki source; the "Libsmraw" side is the revision rendered below.

Plaso

{{Infobox_Software |
  name = plaso |
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{APL}} |
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
}}

Plaso (plaso langar að safna öllu, Icelandic for "plaso wants to collect everything") is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].

The Plaso project site also provides [[4n6time]], formerly "l2t_Review", a cross-platform forensic tool for timeline creation and review by [[David Nides]].

== Supported Formats ==

=== Storage Media Image File Formats ===
Storage media image file format support is provided by [[dfvfs]].

=== Volume System Formats ===
Volume system format support will be moved to [[dfvfs]].
* [[Windows Shadow Volumes]] using [[libvshadow]]

=== File System Formats ===
File system format support will be moved to [[dfvfs]].
* uses [[sleuthkit]] and [[pytsk]]

=== File Formats ===
* [[Property list (plist)|Binary property list (plist) format]] using [[binplist]]
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
* [[Windows Event Log (EVT)]] using [[libevt]]
* [[Windows NT Registry File (REGF)]] using [[libregf]]
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
* Syslog

== History ==
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]] and other projects.

== See Also ==
* [[dfvfs]]
* [[log2timeline]]

== External Links ==
* [https://code.google.com/p/plaso/ Project site]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://blog.kiddaland.net/ Project blog]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]

Libsmraw

Revision as of 08:46, 21 June 2014

libsmraw
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libsmraw/

The libsmraw package contains a library and applications to read and write (split) RAW storage media bitstream copies. Libsmraw supports multiple (split) RAW naming schemes.

History

Libsmraw was created by Joachim Metz in 2010, while working for Hoffmann Investigations. Libsmraw is a rewrite of earlier work for the proof-of-concept multi-threaded imager: GNOME Forensic Imager.

Tools

The libsmraw package contains the following tools:

  • smrawmount, which FUSE mounts (split) RAW image files.

The libsmraw package also contains the following bindings:

  • pysmraw, bindings for Python (libsmraw 20140621 or later).

Examples

FUSE mounting a split RAW image (libsmraw 20110916 or later)

smrawmount image.raw.000 mount_point

Or:

smrawmount image.raw.??? mount_point
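The two smrawmount invocations above rely on libsmraw doing two things for a split RAW image: picking up the sibling segment files from the first segment's name (or from a glob such as image.raw.???) and presenting them as one contiguous bitstream. The following is an added example, not libsmraw's or pysmraw's code: a pure-Python reader that does the same for the decimal (image.raw.000), two-letter (image.raw.aa) and unsplit naming forms, reads across segment boundaries, and hashes the reassembled media, which is the check an examiner makes against the acquisition hash after mounting. The regexes in `_SCHEMES`, the `SplitRawImage` class and `demo` are this example's own; libsmraw's real scheme handling is not reproduced, and all image data is constructed in a temporary directory.

```python
import bisect
import glob
import hashlib
import os
import re
import tempfile

# Segment counter styles recognised in the file suffix: (regex, sort key).
_SCHEMES = [
    (re.compile(r"^(?P<stem>.+)\.(?P<counter>\d+)$"), int),      # image.raw.000
    (re.compile(r"^(?P<stem>.+)\.(?P<counter>[a-z]{2})$"), str),  # image.raw.aa
]

def segment_files(first_segment_or_pattern):
    """Return the ordered absolute segment paths for one RAW image.
    A glob (the page's image.raw.??? form) is expanded and sorted; otherwise
    the first segment's name fixes the scheme and every sibling with the same
    stem and counter style is collected in counter order; a name without a
    counter is one unsplit file. Caveat: a two-letter extension (image.dd)
    looks like an alphabetic counter, so review the list before trusting it.
    """
    if any(c in first_segment_or_pattern for c in "*?["):
        return sorted(os.path.abspath(p) for p in glob.glob(first_segment_or_pattern))
    directory, name = os.path.split(os.path.abspath(first_segment_or_pattern))
    for pattern, key in _SCHEMES:
        match = pattern.match(name)
        if not match:
            continue
        found = []
        for candidate in os.listdir(directory):
            m = pattern.match(candidate)
            if m and m.group("stem") == match.group("stem"):
                found.append((key(m.group("counter")), candidate))
        return [os.path.join(directory, c) for _, c in sorted(found)]
    return [os.path.abspath(first_segment_or_pattern)]

class SplitRawImage:
    """Read-only, seekable view of the segments as one contiguous bitstream."""

    def __init__(self, segments):
        self.segments = list(segments)
        self.sizes = [os.path.getsize(p) for p in self.segments]
        # Media offset at which each segment begins; bisect maps offset -> segment.
        self.starts = [sum(self.sizes[:i]) for i in range(len(self.sizes))]
        self.media_size = sum(self.sizes)
        self.offset = 0

    def seek(self, offset):
        if not 0 <= offset <= self.media_size:
            raise ValueError("seek outside the media")
        self.offset = offset

    def read(self, size):
        """Read up to size bytes, crossing segment boundaries transparently."""
        out = bytearray()
        while size > 0 and self.offset < self.media_size:
            idx = bisect.bisect_right(self.starts, self.offset) - 1
            within = self.offset - self.starts[idx]
            chunk = min(size, self.sizes[idx] - within)
            with open(self.segments[idx], "rb") as fh:
                fh.seek(within)
                data = fh.read(chunk)
            if len(data) != chunk:  # segment shorter than when sized: damaged copy
                raise IOError("short read in %s" % self.segments[idx])
            out += data
            self.offset += len(data)
            size -= len(data)
        return bytes(out)

    def sha256(self, block_size=1 << 16):
        """Hash the whole media: the value to compare with the acquisition hash."""
        self.seek(0)
        digest = hashlib.sha256()
        for block in iter(lambda: self.read(block_size), b""):
            digest.update(block)
        return digest.hexdigest()

def demo(scheme="decimal", segment_size=1024, total=2500):
    """Write a constructed image as split segments; return (count, size, checks_ok)."""
    media = bytes((i * 7 + 3) % 256 for i in range(total))  # constructed bitstream
    with tempfile.TemporaryDirectory() as directory:
        first = None
        for n, start in enumerate(range(0, total, segment_size)):
            if scheme == "decimal":
                name = "image.raw.%03d" % n
            elif scheme == "alpha":
                name = "image.raw.%s%s" % (chr(97 + n // 26), chr(97 + n % 26))
            else:  # "single": one unsplit file, valid only when total <= segment_size
                name = "image.raw"
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(media[start:start + segment_size])
            first = first or fh.name
        image = SplitRawImage(segment_files(first))
        ok = image.sha256() == hashlib.sha256(media).hexdigest()
        # The glob form from the page must yield the same segment list.
        ok = ok and segment_files(os.path.join(directory, "image.raw*")) == image.segments
        edge = min(segment_size, total) - 10  # a read straddling the first boundary
        image.seek(edge)
        ok = ok and image.read(20) == media[edge:edge + 20]
        return len(image.segments), image.media_size, ok
```

`demo("decimal")` writes image.raw.000, image.raw.001 and image.raw.002, reassembles them from the first name alone and from the glob, and confirms the SHA-256 of the reassembled stream equals that of the original media. After a real `smrawmount image.raw.000 mount_point`, the equivalent check is to hash the single file exposed under mount_point and compare it with the hash recorded at acquisition; a mismatch usually means a missing, misordered or truncated segment, which is exactly what the read-across-boundary logic and the short-read error above are there to surface.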

Also See

RAW Image format

External Links

  • Project site: https://code.google.com/p/libsmraw/