Difference between revisions of "Reference Documents"

From SleuthKitWiki
Jump to: navigation, search
(removed FAT and ExtX sections.)
(removed NTFS links.)
Line 49: Line 49:
 
=File System Documents=
 
=File System Documents=
 
[http://www.digital-evidence.org/fsfa/ File System Forensic Analysis]
 
[http://www.digital-evidence.org/fsfa/ File System Forensic Analysis]
==NTFS==
+
 
* [http://linux-ntfs.sourceforge.net/ntfs/index.html Linux NTFS Documentation]
+
 
==ISO 9660 (CD-ROMS)==
 
==ISO 9660 (CD-ROMS)==
 
* [http://www.ecma-international.org/publications/standards/Ecma-119.htm ECMA-119], The ECMA version of the ISO9660 standard.  This is a formal spec that is not the easiest to read as an "Intro to ISO9660".
 
* [http://www.ecma-international.org/publications/standards/Ecma-119.htm ECMA-119], The ECMA version of the ISO9660 standard.  This is a formal spec that is not the easiest to read as an "Intro to ISO9660".

Revision as of 10:25, 5 January 2010

Tools and Libraries that are used by The Sleuth Kit

(in alphabetical order)

  • AFFLib (AFF image format support)
  • file (detects file type)
  • libewf (EnCase / Expert Witness image format support)


General Digital Investigation Sites

(in alphabetical order)


Forensic Tool Testing

(in alphabetical order)


Bootable CDs (without The Sleuth Kit)

(in alphabetical order)


UNIX-based File System Analysis Tools

File Hash Databases

(in alphabetical order)

File System Documents

File System Forensic Analysis

ISO 9660 (CD-ROMS)

  • ECMA-119, The ECMA version of the ISO9660 standard. This is a formal spec that is not the easiest to read as an "Intro to ISO9660".
  • IEEE P1281: System Use Sharing Protocol, this defines how to use the System Use area of the ISO9660 spec. The System Use area is used by the Rock Ridge Extensions.
  • IEEE P1282: Rock Ridge Interchange Protocol, this defines how to use the System Use area to store long file names, POSIX info, sym links etc.
  • Joliet Specification, this defines the Joliet methods for storing longer file names and using Unicode in a "Secondary Volume Descriptor".

Volume System Documents

(in alphabetical order)

Disk Acquisition Tools

(in alphabetical order)