Difference between pages "Chaosreader" and "Snorkel"

From Forensics Wiki
(Created page with '{{Infobox_Software | name = Chaosreader | maintainer = Brendan Gregg | os = {{Linux}}, {{Windows}}, {{Solaris}} | genre = Network forensics | license = {{GPL}} | webs…')
 
(Created page with '{{Infobox_Software | name = Snorkel | maintainer = NFI | os = Java | genre = {{Analysis}} | license = proprietary | website = [http://www.holmes.nl/NFIlabs/Snorkel h…')
 
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = Chaosreader |
+
   name = Snorkel |
   maintainer = Brendan Gregg |
+
   maintainer = NFI |
   os = {{Linux}}, {{Windows}}, {{Solaris}} |
+
   os = Java |
   genre = Network forensics |
+
   genre = {{Analysis}}  |
   license = {{GPL}} |
+
   license = proprietary |
   website = [http://chaosreader.sourceforge.net/ chaosreader.sourceforge.net] |
+
   website = [http://www.holmes.nl/NFIlabs/Snorkel http://www.holmes.nl/NFIlabs/Snorkel] |
 
}}
 
}}
  
== Overview ==
+
'''Snorkel''' is a Java software library that is used by developers of forensic software. Snorkel is not a standalone forensic application, but it is an important piece of infrastructure that can be used by many forensic applications: Snorkel gives access to digital evidence files, file systems, files, slack space, unallocated clusters, etc. This type of access is a key enabler in the development of forensic software systems, ranging from single-purpose stand-alone tools to integrated forensic processing systems.
  
'''Chaosreader''' A freeware tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs. A html index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports. Chaosreader can also run in standalone mode - where it invokes tcpdump or snoop (if they are available) to create the log files and then processes them.
+
Snorkel is developed by the Netherlands Forensic Institute
  
== External Links  ==
+
=Features=
  
* [http://www.brendangregg.com/chaosreader.html Chaosreader author's website]
+
Snorkel recognizes and gives access to numerous storage formats for digital evidence, disk partitioning schemes, volume managers, file systems, and structured files. The formats supported are summarized below.
  
[[Category:Network Forensics]]
+
==Image File Formats Understood==
 +
 
 +
{|
 +
|Image file formats
 +
|[[Encase_image_file_format|EnCase]]
 +
|-
 +
|
 +
|RAW ([[Dd|dd]])
 +
|-
 +
|
 +
|VMWare ([[vmdk]])
 +
|}
 +
 
 +
==File Systems Understood==
 +
 
 +
{|
 +
|Volume managers
 +
|Windows (LDM)
 +
|-
 +
|Partitioning schemes
 +
|PC/MBR
 +
|-
 +
|
 +
|Apple
 +
|-
 +
|
 +
|GPT
 +
|-
 +
|
 +
|BSD
 +
|-
 +
|File systems
 +
|Windows ([[FAT]], [[NTFS]])
 +
|-
 +
|
 +
|Apple ([[MFS]], [[HFS]], [[HFS+]])
 +
|-
 +
|
 +
|Linux ([[Ext3|EXT]], [[Reiserfs|Reiser]])
 +
|-
 +
|
 +
|Solaris, BSD ([[UFS]])
 +
|-
 +
|
 +
|CD ([[ISO9660]], Joliet)
 +
|-
 +
|File Formats
 +
|Windows registry (Win 9x, NT)
 +
|-
 +
|
 +
|Microsoft Office (OLE2)
 +
|}
 +
 
 +
<!-- ==File Search Facilities== -->
 +
<!-- ==Historical Reconstruction== -->
 +
<!-- Can it build timelines and search by creation date? -->
 +
<!-- ==Searching Abilities== -->
 +
<!-- Can it search? Does it build an index? Can it focus on file types or particular kinds of metadata? -->
 +
<!-- ==Hash Databases== -->
 +
<!-- Can it create hashes of files and/or blocks? Can it compare these hash values to any databases? -->
 +
<!-- What sort of hash functions does it use? -->
 +
<!-- ==Evidence Collection Features== -->
 +
<!-- Can it sign files? Does it keep an audit log? -->
 +
<!-- =History= -->
 +
 
 +
==License Notes==
 +
 
 +
Snorkel is has a proprietary license.
 +
An evaluation version is available from the website.
 +
 
 +
= External Links =
 +
 
 +
* [http://www.forensischinstituut.nl/ the Netherlands Forensic Institute]
 +
* [http://www.holmes.nl/NFIlabs/Snorkel Snorkel website]
 +
 
 +
<!-- ==External Reviews== -->
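Review bot: the License Notes line on the Snorkel side reads "Snorkel is has a proprietary license"; drop the stray "is". The Overview sentence "Snorkel is developed by the Netherlands Forensic Institute" is missing its final period. In both format tables the first-column label is given only on the first row of each group and left empty ("|") on the continuation rows, so rows lose their category when the table is sorted or extracted; repeating the label or using a rowspan on the label cell would keep each row self-describing.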

Revision as of 08:00, 18 August 2009

Snorkel
Maintainer: NFI
OS: Java
Genre: Analysis
License: proprietary
Website: http://www.holmes.nl/NFIlabs/Snorkel

Snorkel is a Java software library used by developers of forensic software. Snorkel is not a standalone forensic application, but it is an important piece of infrastructure that many forensic applications can build on: Snorkel gives access to digital evidence files, file systems, files, slack space, unallocated clusters, etc. This type of access is a key enabler in the development of forensic software systems, ranging from single-purpose standalone tools to integrated forensic processing systems.

Snorkel is developed by the Netherlands Forensic Institute.


Features

Snorkel recognizes and gives access to numerous storage formats for digital evidence, disk partitioning schemes, volume managers, file systems, and structured files. The formats supported are summarized below.

Image File Formats Understood

Image file formats:
  EnCase
  RAW (dd)
  VMWare (vmdk)

File Systems Understood

Volume managers:
  Windows (LDM)
Partitioning schemes:
  PC/MBR
  Apple
  GPT
  BSD
File systems:
  Windows (FAT, NTFS)
  Apple (MFS, HFS, HFS+)
  Linux (EXT, Reiser)
  Solaris, BSD (UFS)
  CD (ISO9660, Joliet)
File formats:
  Windows registry (Win 9x, NT)
  Microsoft Office (OLE2)
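The kind of access a library like this exposes can be illustrated with a small reader for one of the listed partitioning schemes, the PC/MBR partition table. This is an added example written for this page; it is not Snorkel code and does not use Snorkel's API. The 64-sector dd-style image, its two partition entries and the byte marker inside the first partition are all constructed here for the demonstration.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512                # classic MBR addressing assumes 512-byte sectors
MBR_SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511 of sector 0
TABLE_OFFSET = 446               # the four 16-byte partition entries start here
ENTRY_SIZE = 16


@dataclass(frozen=True)
class Partition:
    index: int          # slot 0..3 in the table
    bootable: bool      # status byte is 0x80
    type_id: int        # partition type id (e.g. 0x07 NTFS, 0x83 Linux, 0xEE GPT protective)
    lba_start: int      # first sector, in LBA units
    sector_count: int   # length in sectors

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR_SIZE

    @property
    def byte_length(self) -> int:
        return self.sector_count * SECTOR_SIZE


def parse_mbr(image: bytes) -> list[Partition]:
    """Return the used entries of the MBR partition table in sector 0 of a raw image."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("image is shorter than one sector")
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not a PC/MBR disk (GPT and Apple schemes differ)")
    parts = []
    for slot in range(4):
        offset = TABLE_OFFSET + slot * ENTRY_SIZE
        # entry layout, little-endian: status(1) CHS start(3, ignored) type(1)
        # CHS end(3, ignored) LBA start(4) sector count(4)
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", image, offset)
        if type_id == 0 and count == 0:
            continue  # unused slot
        parts.append(Partition(slot, status == 0x80, type_id, lba_start, count))
    return parts


def partition_bytes(image: bytes, part: Partition) -> bytes:
    """Slice one partition out of the image, refusing entries that point past the acquired data."""
    end = part.byte_offset + part.byte_length
    if end > len(image):
        raise ValueError(f"partition {part.index} extends beyond the image (truncated acquisition?)")
    return image[part.byte_offset:end]


def unallocated_ranges(total_sectors: int, parts: list[Partition]) -> list[tuple[int, int]]:
    """Sector ranges [start, end) claimed by no partition; sector 0 (the MBR itself) is excluded."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p.lba_start):
        if p.lba_start > cursor:
            gaps.append((cursor, p.lba_start))
        cursor = max(cursor, p.lba_start + p.sector_count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def build_sample_image() -> bytes:
    """Constructed 64-sector image with two partitions; not real evidence."""
    img = bytearray(64 * SECTOR_SIZE)
    entries = [
        (0x80, 0x07, 8, 24),    # bootable "NTFS" partition: sectors 8..31
        (0x00, 0x83, 32, 32),   # "Linux" partition: sectors 32..63
    ]
    for slot, (status, type_id, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", img, TABLE_OFFSET + slot * ENTRY_SIZE,
                         status, type_id, lba, count)
    img[510:512] = MBR_SIGNATURE
    img[8 * SECTOR_SIZE:8 * SECTOR_SIZE + 4] = b"NTFS"   # marker in the first partition's first sector
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    parts = parse_mbr(image)
    for p in parts:
        print(f"slot {p.index}: type 0x{p.type_id:02x} bootable={p.bootable} "
              f"offset={p.byte_offset} length={p.byte_length} "
              f"head={partition_bytes(image, p)[:4]!r}")
    print("unallocated sector ranges:", unallocated_ranges(len(image) // SECTOR_SIZE, parts))
```

The two places where the reader refuses rather than guesses, the signature check and the bounds check in `partition_bytes`, are the ones an evidence-access layer must get right: a missing 0x55AA means the disk uses another scheme (a GPT disk carries a protective MBR whose single entry has type 0xEE), and an entry that runs past the end of the image usually signals a truncated acquisition rather than a partition worth slicing. The gaps reported by `unallocated_ranges` are the disk-level counterpart of the unallocated space the Overview mentions, and are where an examiner looks for data that no partition accounts for.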


License Notes

Snorkel has a proprietary license. An evaluation version is available from the website.

External Links