Reference Documents
From SleuthKitWiki
Tools and Libraries that are used by The Sleuth Kit
(in alphabetical order)
- AFFLib (AFF image format support)
- file (detects file type)
- libewf (EnCase / Expert Witness image format support)
General Digital Investigation Sites
(in alphabetical order)
- Computer Forensics, Cybercrime and Steganography Resources
- E-Evidence Info
- Forensics Wiki
- Linux-Forensics
- Open Source Forensics
Forensic Tool Testing
(in alphabetical order)
- CFTT Yahoo Groups List
- Digital Forensic Tool Testing Images
- NIST Computer Forensic Tool Testing (and CFReDS)
Bootable CDs (without The Sleuth Kit)
(in alphabetical order)
UNIX-based File System Analysis Tools
- fatback: Analyze and recover deleted FAT files from Linux
- foremost: Carves out files based on header and footer values
- md5deep: Recursive md5sum with database lookups.
- The Coroner's Toolkit (TCT): The original UNIX-based forensic toolkit
- SMART for Linux: Not open source, but it is Linux-based.
- Carving tools for DFRWS 2006 Carving Challenge
File Hash Databases
(in alphabetical order)
- CyberAbuse Rootk(it)ID project
- Hash Keeper
- KnownGoods
- NIST NSRL SW Fingerprint Database
- RPM: on Linux systems, run 'rpm -V -a' to verify every installed package and report files that differ from what the local RPM database records (the database lives on the suspect system, so it is not an independent hash set)
- Solaris Fingerprint Database
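The databases above are used the same way whatever their source: hash every file on the suspect system and look each digest up in a known-good set (NSRL, KnownGoods, the Solaris fingerprints) and a known-bad set (rootkit hashes). The script below is an added example written for this page, not code from The Sleuth Kit, md5deep or any of the listed projects. It builds a constructed three-file tree under a temporary directory and two constructed hash sets, then classifies each file; because lookup is by content, the renamed pristine binary is still recognised. MD5 is used because the listed databases are keyed on it (NSRL also publishes SHA-1); the technique is unchanged for a longer digest.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20


def file_md5(path):
    """Stream a file through MD5, the digest the listed hash databases are keyed on."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_tree(root, known_good, known_bad):
    """Hash every regular file under root and bucket it by hash-set membership.

    known_bad is checked first so a file present in both sets (a vendor binary
    later flagged as malicious) is never silently cleared. Symlinks are skipped:
    the target is hashed on its own, and a dangling link would raise on open."""
    buckets = {"known_good": [], "known_bad": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = file_md5(path)
            rel = os.path.relpath(path, root)
            if digest in known_bad:
                buckets["known_bad"].append(rel)
            elif digest in known_good:
                buckets["known_good"].append(rel)
            else:
                buckets["unknown"].append(rel)
    return buckets


# Constructed sample contents: stand-ins for a mounted image and for exports
# from a known-good database and a rootkit hash list. Not real binaries.
PRISTINE_LS = b"\x7fELF pristine ls from the distribution\n"
TROJAN_LS = b"\x7fELF ls with a hidden-process filter\n"
HOME_NOTE = b"meeting notes\n"


def build_sample_tree():
    """Create a temporary tree with a replaced /bin/ls, the stashed original, and user data."""
    root = tempfile.mkdtemp(prefix="triage-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "usr", "local", "bin"))
    os.makedirs(os.path.join(root, "home", "alice"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(TROJAN_LS)            # the shipped ls has been replaced
    with open(os.path.join(root, "usr", "local", "bin", ".ls.orig"), "wb") as f:
        f.write(PRISTINE_LS)          # the original, stashed under another name
    with open(os.path.join(root, "home", "alice", "notes.txt"), "wb") as f:
        f.write(HOME_NOTE)
    known_good = {hashlib.md5(PRISTINE_LS).hexdigest()}   # hypothetical NSRL-style export
    known_bad = {hashlib.md5(TROJAN_LS).hexdigest()}      # hypothetical rootkit hash list
    return root, known_good, known_bad


def demo():
    root, good, bad = build_sample_tree()
    return classify_tree(root, good, bad)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

On a real case the two sets come from the database exports and the tree is the read-only mount of the image; the "unknown" bucket is the list to examine by hand, and it is normally far larger than the other two.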
File System Documents
NTFS
ISO 9660 (CD-ROMs)
- ECMA-119: the ECMA version of the ISO 9660 standard, available free of charge. It is a formal specification and not the easiest text to read as an "Intro to ISO 9660".
- IEEE P1281, System Use Sharing Protocol: defines how the System Use area of an ISO 9660 directory record is shared between extensions. The System Use area is where the Rock Ridge extensions store their data.
- IEEE P1282, Rock Ridge Interchange Protocol: defines how the System Use area is used to store long file names, POSIX attributes, symbolic links and similar data.
- Joliet Specification: defines how Joliet stores longer file names and Unicode (UCS-2) names in a Supplementary Volume Descriptor, identified by an escape sequence in that descriptor.
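To show what the descriptors these documents define actually look like on disk, the script below is an added example written for this page; it is not code from The Sleuth Kit or from any of the listed specifications' authors. It constructs a minimal 19-sector image (system area, a Primary Volume Descriptor, a Joliet Supplementary Volume Descriptor and a set terminator) and then walks the descriptor set from sector 16 the way a file system parser does: checking the "CD001" identifier, detecting Joliet from the escape sequence in the SVD, decoding the Joliet volume identifier as UCS-2, and refusing any "both byte orders" field whose little- and big-endian copies disagree, which is a cheap corruption and tampering check on real images. Field offsets are taken from ECMA-119; the volume identifier "EVIDENCE" and all other values are constructed.

```python
import struct

SECTOR = 2048
VD_START = 16  # the volume descriptor set starts at logical sector 16 (ECMA-119 6.2.1)
PRIMARY, SUPPLEMENTARY, TERMINATOR = 1, 2, 255
# Escape sequences Joliet writes into SVD bytes 88..119 to announce UCS-2 level 1/2/3.
JOLIET_ESCAPES = {b"%/@": 1, b"%/C": 2, b"%/E": 3}


def both_endian(buf, off, width):
    """Read a 'both byte orders' field (ECMA-119 7.2.3 / 7.3.3): a little-endian copy
    followed by a big-endian copy. A disagreement means the descriptor is corrupt or
    was hand-edited, so it is reported rather than silently resolved."""
    fmt = {2: "H", 4: "I"}[width]
    le = struct.unpack_from("<" + fmt, buf, off)[0]
    be = struct.unpack_from(">" + fmt, buf, off + width)[0]
    if le != be:
        raise ValueError("both-endian mismatch at offset %d: LE=%d BE=%d" % (off, le, be))
    return le


def parse_volume_descriptors(image):
    """Walk the descriptor set from sector 16 to the terminator and return one dict per
    descriptor. Joliet is detected from the SVD escape bytes, and a Joliet volume
    identifier is decoded as UCS-2BE instead of ISO 9660 d-characters."""
    descriptors = []
    sector = VD_START
    while True:
        off = sector * SECTOR
        vd = image[off:off + SECTOR]
        if len(vd) < SECTOR:
            raise ValueError("image ends before a set terminator (sector %d)" % sector)
        if vd[1:6] != b"CD001":
            raise ValueError("missing CD001 identifier in sector %d" % sector)
        vtype = vd[0]
        if vtype == TERMINATOR:
            return descriptors
        d = {"sector": sector, "type": vtype, "version": vd[6], "joliet_level": 0}
        if vtype in (PRIMARY, SUPPLEMENTARY):
            if vtype == SUPPLEMENTARY:
                d["joliet_level"] = JOLIET_ESCAPES.get(bytes(vd[88:91]), 0)
            raw_id = bytes(vd[40:72])
            d["volume_id"] = (raw_id.decode("utf-16-be") if d["joliet_level"]
                              else raw_id.decode("ascii")).rstrip(" \x00")
            d["volume_space_size"] = both_endian(vd, 80, 4)    # in logical blocks
            d["logical_block_size"] = both_endian(vd, 128, 2)
            # Root directory record occupies 156..189; its extent LBA is at record offset 2.
            d["root_dir_extent"] = both_endian(vd, 158, 4)
        descriptors.append(d)
        sector += 1


def _both(value, width):
    fmt = {2: "H", 4: "I"}[width]
    return struct.pack("<" + fmt, value) + struct.pack(">" + fmt, value)


def _descriptor(vtype, volume_id, escapes=b""):
    """Build one constructed 2048-byte descriptor with just the fields parsed above."""
    vd = bytearray(SECTOR)
    vd[0] = vtype
    vd[1:6] = b"CD001"
    vd[6] = 1
    if vtype == TERMINATOR:
        return bytes(vd)
    vd[8:40] = b"LINUX".ljust(32)            # system identifier
    vd[40:72] = volume_id                    # 32 bytes: a-chars or UCS-2BE
    vd[80:88] = _both(1200, 4)               # volume space size
    vd[88:120] = escapes.ljust(32, b"\x00")  # unused in PVD, escape sequences in SVD
    vd[120:124] = _both(1, 2)                # volume set size
    vd[124:128] = _both(1, 2)                # volume sequence number
    vd[128:132] = _both(SECTOR, 2)           # logical block size
    vd[132:140] = _both(10, 4)               # path table size
    vd[140:144] = struct.pack("<I", 18)      # L path table location
    vd[148:152] = struct.pack(">I", 19)      # M path table location
    vd[156] = 34                             # root directory record: length
    vd[158:166] = _both(20, 4)               #   extent location
    vd[166:174] = _both(SECTOR, 4)           #   data length
    vd[188] = 1                              #   identifier length (identifier 0x00 = root)
    return bytes(vd)


def build_sample_image():
    """Constructed image: 16-sector system area, PVD, Joliet (level 3) SVD, terminator."""
    pvd = _descriptor(PRIMARY, b"EVIDENCE".ljust(32))
    svd = _descriptor(SUPPLEMENTARY, "EVIDENCE".ljust(16).encode("utf-16-be"), b"%/E")
    return bytes(SECTOR * VD_START) + pvd + svd + _descriptor(TERMINATOR, b"")


if __name__ == "__main__":
    for d in parse_volume_descriptors(build_sample_image()):
        print(d)
```

Running this against a real image means reading it with `open(path, "rb").read()` (or an mmap for large images) instead of calling `build_sample_image()`; the parser only ever touches the descriptor sectors, so size is not a concern. Rock Ridge data is not in the descriptors at all: it sits in the System Use area of each directory record, which is why the P1281/P1282 documents above are needed once you move from the volume descriptors to the directory tree.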
Volume System Documents
(in alphabetical order)
- Minimal Partition Table Specification (Andries Brouwer)
- Partition Types (Andries Brouwer)
Disk Acquisition Tools
(in alphabetical order)
- Automated Image and Restore (AIR): Linux X11 GUI front end for 'dd'
- DCFL dd (dcfldd): 'dd' for Unix that computes MD5 hashes of the data while imaging
- George Garner's Acquisition Tools: 'dd' for Windows
- GNU File Utils: 'dd' for Unix
- netcat: Network transport
- UnxUtils: 'dd' for Windows