Difference between revisions of "Reference Documents"

From SleuthKitWiki
Line 25: Line 25:
 
=Bootable CDs (without The Sleuth Kit)=
 
=Bootable CDs (without The Sleuth Kit)=
 
(in alphabetical order)
 
(in alphabetical order)
* Knoppix
+
* [http://www.knopper.net/knoppix/index-en.html Knoppix]
* PLAC
+
* [http://sourceforge.net/projects/plac/ PLAC]
  
  
 
=UNIX-based File System Analysis Tools=
 
=UNIX-based File System Analysis Tools=
* fatback: Analyze and recover deleted FAT files from Linux
+
* [http://sourceforge.net/projects/biatchux/ fatback]: Analyze and recover deleted FAT files from Linux
* foremost: Carves out files based on header and footer values
+
* [http://foremost.sourceforge.net/ foremost]: Carves out files based on header and footer values
* md5deep: Recursive md5sum with database lookups.
+
* [http://md5deep.sourceforge.net/ md5deep]: Recursive md5sum with database lookups.
* The Coroner's Toolkit (TCT): The original UNIX-based forensic toolkit
+
* [http://www.porcupine.org/forensics/tct.html The Coroner's Toolkit (TCT)]: The original UNIX-based forensic toolkit
* SMART for Linux: Not open source, but it is Linux-based.
+
* [http://www.asrdata.com/SMART/ SMART for Linux]: Not open source, but it is Linux-based.
* Carving tools for DFRWS 2006 Carving Challenge
+
* [http://www.dfrws.org/2006/challenge/submissions/index.html Carving tools] for DFRWS 2006 Carving Challenge
  
 
=File Hash Databases=
 
=File Hash Databases=
 
(in alphabetical order)
 
(in alphabetical order)
* CyberAbuse Rootk(it)ID project
+
* [http://rk.cyberabuse.org/?page=credits CyberAbuse Rootk(it)ID project]
* Hash Keeper
+
* [http://www.hashkeeper.org/ Hash Keeper]
* KnownGoods
+
* [http://www.knowngoods.org/ KnownGoods]
* NIST NSRL SW Fingerprint Database
+
* [http://www.nsrl.nist.gov/ NIST NSRL SW Fingerprint Database]
* RPM Use on Linux systems with '-V -a' to identify binaries that are different than the local database says
+
* [http://www.rpm.org/ RPM] Use on Linux systems with '-V -a' to identify binaries that are different than the local database says
* Solaris Fingerprint Database
+
* [http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl Solaris Fingerprint Database]
  
 
=File System Documents=
 
=File System Documents=
 +
[http://www.digital-evidence.org/fsfa/ File System Forensic Analysis]
 
==NTFS==
 
==NTFS==
* Linux NTFS Documentation
+
* [http://linux-ntfs.sourceforge.net/ntfs/index.html Linux NTFS Documentation]
 
==FAT==
 
==FAT==
* FAT32 File System Specifcation 1.03 (MS)
+
* [http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx FAT32 File System Specification] 1.03 (MS)
 
==EXT2FS==
 
==EXT2FS==
* Design and Implementation of the Second Extended File System (Card, Ts'o, and Tweedie)
+
* [http://web.mit.edu/tytso/www/linux/ext2intro.html Design and Implementation of the Second Extended File System] (Card, Ts'o, and Tweedie)
* Linux EXT2FS Undeletion mini-HOWTO (Aaron Crane)
+
* [http://en.tldp.org/HOWTO/mini/Ext2fs-Undeletion.html Linux EXT2FS Undeletion mini-HOWTO] (Aaron Crane)
 
==EXT3FS==
 
==EXT3FS==
* EXT3, Journaling Filesystem (Tweedie)
+
* [http://olstrans.sourceforge.net/release/OLS2000-ext3/ EXT3], Journaling Filesystem (Tweedie)
  
 
=Volume System Documents=
 
=Volume System Documents=
 
(in alphabetical order)
 
(in alphabetical order)
* Minimal Parition Table Specification (Andries Brouwer)
+
* [http://www.win.tue.nl/~aeb/partitions/partition_tables.html Minimal Parition Table Specification] (Andries Brouwer)
* Partition Types (Andries Brouwer)
+
* [http://www.win.tue.nl/~aeb/partitions/partition_types.html Partition Types] (Andries Brouwer)
  
 
=Disk Acquisition Tools=
 
=Disk Acquisition Tools=
 
(in alphabetical order)
 
(in alphabetical order)
* Automated Image and Restore (AIR): (Linux X GUI for 'dd')
+
* [http://air-imager.sourceforge.net/ Automated Image and Restore (AIR)]: (Linux X GUI for 'dd')
* DCFL dd: 'dd' for Unix with MD5s
+
* [http://sourceforge.net/projects/biatchux/ DCFL dd]: 'dd' for Unix with MD5s
* George Garner's Acquisition Tools: 'dd' for Windows
+
* [http://users.erols.com/gmgarner/forensics/ George Garner's Acquisition Tools]: 'dd' for Windows
* GNU File Utils: 'dd' for Unix
+
* [http://www.gnu.org/software/fileutils/fileutils.html GNU File Utils]: 'dd' for Unix
* netcat: Network transport
+
* [http://www.securityfocus.com/tools/137 netcat]: Network transport
* UnxUtils: 'dd' for Windows
+
* [http://unxutils.sourceforge.net/ UnxUtils]: 'dd' for Windows
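Review bot: the Volume System Documents entry "Minimal Parition Table Specification" keeps a typo in both the old and the new line; since this revision already corrects "Specifcation" to "Specification" in the FAT entry, the link text should likewise read "Minimal Partition Table Specification". Also worth a check: "fatback" (UNIX-based File System Analysis Tools) and "DCFL dd" (Disk Acquisition Tools) are both linked to the same SourceForge project page, http://sourceforge.net/projects/biatchux/; confirm that both tools are really distributed from that project rather than one of the links being a copy-paste of the other.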

Revision as of 20:04, 4 June 2007

Tools and Libraries that are used by The Sleuth Kit

(in alphabetical order)

  • AFFLib (AFF image format support)
  • file (detects file type)
  • libewf (EnCase / Expert Witness image format support)
