Difference between revisions of "Reference Documents"
From SleuthKitWiki
Line 25:
=Bootable CDs (without The Sleuth Kit)=
(in alphabetical order)
− * Knoppix
+ * [http://www.knopper.net/knoppix/index-en.html Knoppix]
− * PLAC
+ * [http://sourceforge.net/projects/plac/ PLAC]
=UNIX-based File System Analysis Tools=
− * fatback: Analyze and recover deleted FAT files from Linux
+ * [http://sourceforge.net/projects/biatchux/ fatback]: Analyze and recover deleted FAT files from Linux
− * foremost: Carves out files based on header and footer values
+ * [http://foremost.sourceforge.net/ foremost]: Carves out files based on header and footer values
− * md5deep: Recursive md5sum with database lookups.
+ * [http://md5deep.sourceforge.net/ md5deep]: Recursive md5sum with database lookups.
− * The Coroner's Toolkit (TCT): The original UNIX-based forensic toolkit
+ * [http://www.porcupine.org/forensics/tct.html The Coroner's Toolkit (TCT)]: The original UNIX-based forensic toolkit
− * SMART for Linux: Not open source, but it is Linux-based.
+ * [http://www.asrdata.com/SMART/ SMART for Linux]: Not open source, but it is Linux-based.
− * Carving tools for DFRWS 2006 Carving Challenge
+ * [http://www.dfrws.org/2006/challenge/submissions/index.html Carving tools] for DFRWS 2006 Carving Challenge
=File Hash Databases=
(in alphabetical order)
− * CyberAbuse Rootk(it)ID project
+ * [http://rk.cyberabuse.org/?page=credits CyberAbuse Rootk(it)ID project]
− * Hash Keeper
+ * [http://www.hashkeeper.org/ Hash Keeper]
− * KnownGoods
+ * [http://www.knowngoods.org/ KnownGoods]
− * NIST NSRL SW Fingerprint Database
+ * [http://www.nsrl.nist.gov/ NIST NSRL SW Fingerprint Database]
− * RPM: Use on Linux systems with '-V -a' to identify binaries that are different than the local database says
+ * [http://www.rpm.org/ RPM]: Use on Linux systems with '-V -a' to identify binaries that are different than the local database says
− * Solaris Fingerprint Database
+ * [http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl Solaris Fingerprint Database]
=File System Documents=
+ [http://www.digital-evidence.org/fsfa/ File System Forensic Analysis]
==NTFS==
− * Linux NTFS Documentation
+ * [http://linux-ntfs.sourceforge.net/ntfs/index.html Linux NTFS Documentation]
==FAT==
− * FAT32 File System
+ * [http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx FAT32 File System Specification] 1.03 (MS)
==EXT2FS==
− * Design and Implementation of the Second Extended File System (Card, Ts'o, and Tweedie)
+ * [http://web.mit.edu/tytso/www/linux/ext2intro.html Design and Implementation of the Second Extended File System] (Card, Ts'o, and Tweedie)
− * Linux EXT2FS Undeletion mini-HOWTO (Aaron Crane)
+ * [http://en.tldp.org/HOWTO/mini/Ext2fs-Undeletion.html Linux EXT2FS Undeletion mini-HOWTO] (Aaron Crane)
==EXT3FS==
− * EXT3, Journaling Filesystem (Tweedie)
+ * [http://olstrans.sourceforge.net/release/OLS2000-ext3/ EXT3], Journaling Filesystem (Tweedie)
=Volume System Documents=
(in alphabetical order)
− * Minimal Partition Table Specification (Andries Brouwer)
+ * [http://www.win.tue.nl/~aeb/partitions/partition_tables.html Minimal Partition Table Specification] (Andries Brouwer)
− * Partition Types (Andries Brouwer)
+ * [http://www.win.tue.nl/~aeb/partitions/partition_types.html Partition Types] (Andries Brouwer)
=Disk Acquisition Tools=
(in alphabetical order)
− * Automated Image and Restore (AIR): (Linux X GUI for 'dd')
+ * [http://air-imager.sourceforge.net/ Automated Image and Restore (AIR)]: (Linux X GUI for 'dd')
− * DCFL dd: 'dd' for Unix with MD5s
+ * [http://sourceforge.net/projects/biatchux/ DCFL dd]: 'dd' for Unix with MD5s
− * George Garner's Acquisition Tools: 'dd' for Windows
+ * [http://users.erols.com/gmgarner/forensics/ George Garner's Acquisition Tools]: 'dd' for Windows
− * GNU File Utils: 'dd' for Unix
+ * [http://www.gnu.org/software/fileutils/fileutils.html GNU File Utils]: 'dd' for Unix
− * netcat: Network transport
+ * [http://www.securityfocus.com/tools/137 netcat]: Network transport
− * UnxUtils: 'dd' for Windows
+ * [http://unxutils.sourceforge.net/ UnxUtils]: 'dd' for Windows
Revision as of 20:04, 4 June 2007
Tools and Libraries that are used by The Sleuth Kit
(in alphabetical order)
- AFFLib (AFF image format support)
- file (detects file type)
- libewf (EnCase / Expert Witness image format support)
General Digital Investigation Pages
(in alphabetical order)
- Computer Forensics, Cybercrime and Steganography Resources
- E-Evidence Info
- Linux-Forensics
- Open Source Forensics
Forensic Tool Testing
(in alphabetical order)
- CFTT Yahoo Groups List
- Digital Forensic Tool Testing Images
- NIST Computer Forensic Tool Testing (and CFReDS)
Bootable CDs (without The Sleuth Kit)
(in alphabetical order)
UNIX-based File System Analysis Tools
- fatback: Analyze and recover deleted FAT files from Linux
- foremost: Carves out files based on header and footer values
- md5deep: Recursive md5sum with database lookups.
- The Coroner's Toolkit (TCT): The original UNIX-based forensic toolkit
- SMART for Linux: Not open source, but it is Linux-based.
- Carving tools for DFRWS 2006 Carving Challenge
File Hash Databases
(in alphabetical order)
- CyberAbuse Rootk(it)ID project
- Hash Keeper
- KnownGoods
- NIST NSRL SW Fingerprint Database
- RPM: Use on Linux systems with '-V -a' to identify binaries that are different than the local database says
- Solaris Fingerprint Database
File System Documents
NTFS
FAT
- FAT32 File System Specification 1.03 (MS)
EXT2FS
- Design and Implementation of the Second Extended File System (Card, Ts'o, and Tweedie)
- Linux EXT2FS Undeletion mini-HOWTO (Aaron Crane)
EXT3FS
- EXT3, Journaling Filesystem (Tweedie)
Volume System Documents
(in alphabetical order)
- Minimal Partition Table Specification (Andries Brouwer)
- Partition Types (Andries Brouwer)
Disk Acquisition Tools
(in alphabetical order)
- Automated Image and Restore (AIR): (Linux X GUI for 'dd')
- DCFL dd: 'dd' for Unix with MD5s
- George Garner's Acquisition Tools: 'dd' for Windows
- GNU File Utils: 'dd' for Unix
- netcat: Network transport
- UnxUtils: 'dd' for Windows