Reference Documents
From SleuthKitWiki
Tools and Libraries that are used by The Sleuth Kit
(in alphabetical order)
- AFFLib (AFF image format support)
- file (detects file type)
- libewf (EnCase / Expert Witness image format support)
General Digital Investigation Pages
(in alphabetical order)
- Computer Forensics, Cybercrime and Steganography Resources
- E-Evidence Info
- Linux-Forensics
- Open Source Forensics
Forensic Tool Testing
(in alphabetical order)
- CFTT Yahoo Groups List
- Digital Forensic Tool Testing Images
- NIST Computer Forensic Tool Testing (and CFReDS)
Bootable CDs (without The Sleuth Kit)
- Knoppix
- PLAC
UNIX-based File System Analysis Tools
- fatback: Analyze and recover deleted FAT files from Linux
- foremost: Carves out files based on header and footer values
- md5deep: Recursive md5sum with database lookups.
- The Coroner's Toolkit (TCT): The original UNIX-based forensic toolkit
- SMART for Linux: Not open source, but it is Linux-based.
- Carving tools for DFRWS 2006 Carving Challenge
File Hash Databases
- CyberAbuse Rootk(it)ID project
- Hash Keeper
- KnownGoods
- NIST NSRL SW Fingerprint Database
- RPM: use on Linux systems with '-V -a' to identify binaries that differ from what the local package database records
- Solaris Fingerprint Database
File System Documents
NTFS
- Linux NTFS Documentation
FAT
- FAT32 File System Specification 1.03 (MS)
EXT2FS
- Design and Implementation of the Second Extended File System (Card, Ts'o, and Tweedie)
- Linux EXT2FS Undeletion mini-HOWTO (Aaron Crane)
EXT3FS
- EXT3, Journaling Filesystem (Tweedie)
Volume System Documents
- Minimal Partition Table Specification (Andries Brouwer)
- Partition Types (Andries Brouwer)
Disk Acquisition Tools
- Automated Image and Restore (AIR): (Linux X GUI for 'dd')
- DCFL dd: 'dd' for Unix with MD5s
- George Garner's Acquisition Tools: 'dd' for Windows
- GNU File Utils: 'dd' for Unix
- netcat: Network transport
- UnxUtils: 'dd' for Windows