Difference between revisions of "Reference Documents"

From SleuthKitWiki
m (Added back references.)
(removed FAT and ExtX sections.)
Line 51: Line 51:
 
==NTFS==
 
==NTFS==
 
* [http://linux-ntfs.sourceforge.net/ntfs/index.html Linux NTFS Documentation]
 
* [http://linux-ntfs.sourceforge.net/ntfs/index.html Linux NTFS Documentation]
==FAT==
 
* [http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx FAT32 File System Specification] 1.03 (MS)
 
==EXT2FS==
 
* [http://web.mit.edu/tytso/www/linux/ext2intro.html Design and Implementation of the Second Extended File System] (Card, Ts'o, and Tweedie)
 
* [http://en.tldp.org/HOWTO/mini/Ext2fs-Undeletion.html Linux EXT2FS Undeletion mini-HOWTO] (Aaron Crane)
 
==EXT3FS==
 
* [http://olstrans.sourceforge.net/release/OLS2000-ext3/ EXT3], Journaling Filesystem (Tweedie)
 
 
==ISO 9660 (CD-ROMS)==
 
==ISO 9660 (CD-ROMS)==
 
* [http://www.ecma-international.org/publications/standards/Ecma-119.htm ECMA-119], The ECMA version of the ISO9660 standard.  This is a formal spec that is not the easiest to read as an "Intro to ISO9660".
 
* [http://www.ecma-international.org/publications/standards/Ecma-119.htm ECMA-119], The ECMA version of the ISO9660 standard.  This is a formal spec that is not the easiest to read as an "Intro to ISO9660".
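
Review bot: the edit summary "(removed FAT and ExtX sections.)" gives no reason for dropping the FAT, EXT2FS and EXT3FS links between the NTFS and ISO 9660 headings, and the resulting revision lists only NTFS and ISO 9660 under File System Documents. If the links were removed because they are dead or superseded, say so in the summary; otherwise keep them or point to where the references now live.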

Revision as of 09:03, 5 January 2010

Tools and Libraries that are used by The Sleuth Kit

(in alphabetical order)

  • AFFLib (AFF image format support)
  • file (detects file type)
  • libewf (EnCase / Expert Witness image format support)


General Digital Investigation Sites

(in alphabetical order)


Forensic Tool Testing

(in alphabetical order)


Bootable CDs (without The Sleuth Kit)

(in alphabetical order)


UNIX-based File System Analysis Tools

File Hash Databases

(in alphabetical order)

File System Documents

File System Forensic Analysis

NTFS

ISO 9660 (CD-ROMS)

  • ECMA-119, The ECMA version of the ISO9660 standard. This is a formal spec that is not the easiest to read as an "Intro to ISO9660".
  • IEEE P1281: System Use Sharing Protocol. This defines how to use the System Use area of the ISO9660 spec. The System Use area is used by the Rock Ridge Extensions.
  • IEEE P1282: Rock Ridge Interchange Protocol. This defines how to use the System Use area to store long file names, POSIX info, symbolic links, etc.
  • Joliet Specification. This defines the Joliet methods for storing longer file names and using Unicode in a "Secondary Volume Descriptor".

Volume System Documents

(in alphabetical order)

Disk Acquisition Tools

(in alphabetical order)