Revision as of 10:28, 5 January 2010

Tools and Libraries that are used by The Sleuth Kit

(in alphabetical order)

• AFFLib (AFF image format support)
• file (detects file type)
• libewf (EnCase / Expert Witness image format support)

General Digital Investigation Sites

(in alphabetical order)

• Computer Forensics, Cybercrime and Steganography Resources
• E-Evidence Info
• Forensics Wiki
• Linux-Forensics
• Open Source Forensics

Forensic Tool Testing

(in alphabetical order)

• CFTT Yahoo Groups List
• Digital Forensic Tool Testing Images
• NIST Computer Forensic Tool Testing (and CFReDS)

Bootable CDs (without The Sleuth Kit)

(in alphabetical order)

• Knoppix
• PLAC

UNIX-based File System Analysis Tools

• fatback: Analyze and recover deleted FAT files from Linux
• foremost: Carves out files based on header and footer values
• md5deep: Recursive md5sum with database lookups.
• The Coroner's Toolkit (TCT): The original UNIX-based forensic toolkit
• SMART for Linux: Not open source, but it is Linux-based.
• Carving tools for DFRWS 2006 Carving Challenge

File Hash Databases

(in alphabetical order)

• CyberAbuse Rootk(it)ID project
• Hash Keeper
• KnownGoods
• NIST NSRL SW Fingerprint Database
• RPM Use on Linux systems with '-V -a' to identify binaries that are different than the local database says
• Solaris Fingerprint Database

Volume System Documents

(in alphabetical order)

• Minimal Parition Table Specification (Andries Brouwer)
• Partition Types (Andries Brouwer)

Disk Acquisition Tools

(in alphabetical order)

• Automated Image and Restore (AIR): (Linux X GUI for 'dd')
• DCFL dd: 'dd' for Unix with MD5s
• George Garner's Acquisition Tools: 'dd' for Windows
• GNU File Utils: 'dd' for Unix
• netcat: Network transport
• UnxUtils: 'dd' for Windows