Difference between revisions of "Reference Documents"

From SleuthKitWiki
m (Added back references.)
Line 1: Line 1:
=Tools and Libraries that are used by The Sleuth Kit=
+
=Tools and Libraries that are used by [[The Sleuth Kit]]=
 
(in alphabetical order)
 
(in alphabetical order)
 
* [http://www.afflib.org/ AFFLib] (AFF image format support)
 
* [http://www.afflib.org/ AFFLib] (AFF image format support)
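Review bot: The edit summary "Added back references." does not describe the only change visible in this hunk, which is the Line 1 heading gaining a [[The Sleuth Kit]] wikilink; the AFFLib entry appears only as unchanged context. If the restored references sit further down the page, the summary is fine. Otherwise it should mention the heading link. As a style point, consider keeping the section heading as plain text and linking The Sleuth Kit from the first line under it.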

Revision as of 14:04, 31 December 2008

Tools and Libraries that are used by The Sleuth Kit

(in alphabetical order)

  • AFFLib (AFF image format support)
  • file (detects file type)
  • libewf (EnCase / Expert Witness image format support)


General Digital Investigation Sites

(in alphabetical order)


Forensic Tool Testing

(in alphabetical order)


Bootable CDs (without The Sleuth Kit)

(in alphabetical order)


UNIX-based File System Analysis Tools

File Hash Databases

(in alphabetical order)

File System Documents

File System Forensic Analysis

NTFS

FAT

EXT2FS

EXT3FS

  • EXT3, Journaling Filesystem (Tweedie)

ISO 9660 (CD-ROMs)

  • ECMA-119, the ECMA version of the ISO9660 standard. This is a formal spec and is not the easiest to read as an "Intro to ISO9660".
  • IEEE P1281: System Use Sharing Protocol. This defines how to use the System Use area of the ISO9660 spec. The System Use area is used by the Rock Ridge Extensions.
  • IEEE P1282: Rock Ridge Interchange Protocol. This defines how to use the System Use area to store long file names, POSIX info, symlinks, etc.
  • Joliet Specification. This defines the Joliet methods for storing longer file names and using Unicode in a "Secondary Volume Descriptor".

Volume System Documents

(in alphabetical order)

Disk Acquisition Tools

(in alphabetical order)