Difference between revisions of "Reference Documents"

From SleuthKitWiki
=Tools and Libraries that are used by [[The Sleuth Kit]]=

(in alphabetical order)

* [http://www.afflib.org/ AFFLib] (AFF image format support)

* [ftp://ftp.astron.com/pub/file/ file] (detects file type)

* [http://www.uitwisselplatform.nl/projects/libewf/ libewf] (EnCase / Expert Witness image format support)
 
=General Digital Investigation Sites=
 
(in alphabetical order)
 
* [http://www.forensix.org/ Computer Forensics, Cybercrime and Steganography Resources]
 
* [http://www.e-evidence.info/ E-Evidence Info]
 
* [http://www.forensicswiki.org/ Forensics Wiki]
 
* [http://www.linux-forensics.com/ Linux-Forensics]
 
* [http://www.opensourceforensics.org/ Open Source Forensics]

= Forensic Tool Testing=
 
(in alphabetical order)
 
* [http://groups.yahoo.com/group/cftt/ CFTT Yahoo Groups List]
 
* [http://dftt.sourceforge.net/ Digital Forensic Tool Testing Images]
 
* [http://www.cftt.nist.gov/ NIST Computer Forensic Tool Testing] (and [http://cfreds.nist.gov/ CFReDS])

=Bootable CDs (without The Sleuth Kit)=
 
(in alphabetical order)
 
* [http://www.knopper.net/knoppix/index-en.html Knoppix]
 
* [http://sourceforge.net/projects/plac/ PLAC]

=UNIX-based File System Analysis Tools=
 
* [http://sourceforge.net/projects/biatchux/ fatback]: Analyze and recover deleted FAT files from Linux
 
* [http://foremost.sourceforge.net/ foremost]: Carves out files based on header and footer values
 
* [http://md5deep.sourceforge.net/ md5deep]: Recursive md5sum with database lookups.
 
* [http://www.porcupine.org/forensics/tct.html The Coroner's Toolkit (TCT)]: The original UNIX-based forensic toolkit
 
* [http://www.asrdata.com/SMART/ SMART for Linux]: Not open source, but it is Linux-based.
 
* [http://www.dfrws.org/2006/challenge/submissions/index.html Carving tools] for the DFRWS 2006 Carving Challenge

=File Hash Databases=

(in alphabetical order)

* [http://www.rpm.org/ RPM]: on Linux systems, run 'rpm -V -a' to list installed files whose size, digest, mode, owner or other recorded attributes no longer match what the local RPM database says they should be

* [http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl Solaris Fingerprint Database]
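
Added example, not code from the Sleuth Kit wiki or from the RPM project: a POSIX shell and awk filter over the output of 'rpm -V -a' that separates the changes an investigator expects (edited config files, touched mtimes) from the ones that matter (binaries whose size or digest changed, files that are missing altogether). The sample verification output is constructed, and the function name suspicious_binaries is an assumption of this example.

```shell
#!/bin/sh
# Added example (not Sleuth Kit or RPM project code): triage "rpm -V -a" output.
# rpm -V prints one line per file that fails a check:
#   <flags> <attr> <path>
# flags, one column each: S size, M mode, 5 digest, D device, L symlink,
#   U user, G group, T mtime, P capabilities (older rpm omits P and prints 8);
#   '.' means the test passed, '?' means it could not be run.
# attr: 'c' config, 'd' doc, 'g' ghost, 'l' license, 'r' readme, or blank.
# A file that is absent from disk prints "missing" in the flag column.
# Paths containing spaces would break the field splitting used below.

# Constructed sample output (not captured from a real host).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ps
.......T.    /usr/share/doc/x/README
missing     /usr/sbin/ss
SM5....T.    /usr/bin/ls'

# Print files whose content changed (size or digest column) and that are not
# config files, plus files that are missing. A rewritten sshd_config is
# routine; a rewritten /usr/bin/ps is not.
suspicious_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "MISSING " $NF; next }
        {
            flags = $1
            attr  = (NF == 3) ? $2 : ""
            path  = $NF
            changed = (substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5")
            if (changed && attr != "c") print "MODIFIED " path " flags=" flags
        }'
}

suspicious_binaries "$SAMPLE"
```

Feed it real data with 'rpm -V -a 2>/dev/null' in place of the constructed sample. Keep in mind what the check is anchored to: 'rpm -V' compares files against the RPM database on the same disk, and an attacker who can replace /usr/bin/ps can usually rewrite /var/lib/rpm as well. For a reference the suspect host does not control, verify against the original package files with 'rpm -Vp package.rpm' fetched from a trusted mirror, or use an external fingerprint database like the Solaris one listed above.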
 
=File System Documents=
 
[http://www.digital-evidence.org/fsfa/ File System Forensic Analysis]
 
==NTFS==
 
* [http://linux-ntfs.sourceforge.net/ntfs/index.html Linux NTFS Documentation]
 
==FAT==
 
* [http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx FAT32 File System Specification] 1.03 (MS)
 
==EXT2FS==
 
* [http://web.mit.edu/tytso/www/linux/ext2intro.html Design and Implementation of the Second Extended File System] (Card, Ts'o, and Tweedie)
 
* [http://en.tldp.org/HOWTO/mini/Ext2fs-Undeletion.html Linux EXT2FS Undeletion mini-HOWTO] (Aaron Crane)
 
==EXT3FS==
 
* [http://olstrans.sourceforge.net/release/OLS2000-ext3/ EXT3], Journaling Filesystem (Tweedie)
 
==ISO 9660 (CD-ROMS)==
 
* [http://www.ecma-international.org/publications/standards/Ecma-119.htm ECMA-119], The ECMA version of the ISO9660 standard.  This is a formal spec that is not the easiest to read as an "Intro to ISO9660".
 
* [ftp://ftp.ymi.com/pub/rockridge/susp112.ps IEEE P1281: System Use Sharing Protocol], this defines how to use the System Use area of the ISO9660 spec.  The System Use area is used by the Rock Ridge Extensions.
 
* [ftp://ftp.ymi.com/pub/rockridge/rrip112.ps IEEE P1282: Rock Ridge Interchange Protocol], this defines how to use the System Use area to store long file names, POSIX info, sym links etc.
 
* [http://bmrc.berkeley.edu/people/chaffee/jolspec.html Joliet Specification], this defines the Joliet methods for storing longer file names and using Unicode in a "Secondary Volume Descriptor".

=Volume System Documents=
 
(in alphabetical order)
 
* [http://www.win.tue.nl/~aeb/partitions/partition_tables.html Minimal Partition Table Specification] (Andries Brouwer)
 
* [http://www.win.tue.nl/~aeb/partitions/partition_types.html Partition Types] (Andries Brouwer)

=Disk Acquisition Tools=
 
(in alphabetical order)
 
* [http://air-imager.sourceforge.net/ Automated Image and Restore (AIR)]: (Linux X GUI for 'dd')
 
* [http://sourceforge.net/projects/biatchux/ DCFL dd]: 'dd' for Unix with MD5s
 
* [http://users.erols.com/gmgarner/forensics/ George Garner's Acquisition Tools]: 'dd' for Windows
 
* [http://www.gnu.org/software/fileutils/fileutils.html GNU File Utils]: 'dd' for Unix
 
* [http://www.securityfocus.com/tools/137 netcat]: Network transport
 
* [http://unxutils.sourceforge.net/ UnxUtils]: 'dd' for Windows
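
Added example, not code from the Sleuth Kit project or from any of the tools listed above: the acquisition workflow those entries describe (a 'dd' copy plus an MD5 of source and image), done with plain GNU dd and coreutils. The source is a constructed 16 KiB file standing in for a small device; the function names acquire_and_verify and verify_image and the naming of the hash sidecar files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Sleuth Kit, dcfldd or GNU code): image a device or file
# with plain dd and verify the copy by hashing the source and the image.

# Image SRC to IMG and record hashes beside the image. Returns 0 when the
# MD5 of the image equals the MD5 of the source, 1 otherwise.
acquire_and_verify() {
    src=$1; img=$2
    # bs=4096: read whole pages; noerror: keep going past read errors;
    # sync: pad a short (failed) block with zeros so later offsets stay aligned.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    md5sum    < "$src" | cut -d' ' -f1 > "$img.src.md5"
    md5sum    < "$img" | cut -d' ' -f1 > "$img.md5"
    # MD5 is what the older tools record; keep a SHA-256 of the image as well.
    sha256sum < "$img" | cut -d' ' -f1 > "$img.sha256"
    [ "$(cat "$img.src.md5")" = "$(cat "$img.md5")" ]
}

# Re-check an image against its recorded MD5, e.g. after copying it elsewhere.
# Returns 0 when the hash still matches, 1 when the image has changed.
verify_image() {
    img=$1
    [ "$(md5sum < "$img" | cut -d' ' -f1)" = "$(cat "$img.md5")" ]
}

# Constructed source: 16 KiB of random bytes standing in for a small device.
# A real device is a multiple of its sector size, so sync padding does not
# change the total length; a regular file of odd size would come out padded.
WORK=$(mktemp -d)
SRC="$WORK/source.bin"; IMG="$WORK/source.dd"
dd if=/dev/urandom of="$SRC" bs=4096 count=4 2>/dev/null

if acquire_and_verify "$SRC" "$IMG"; then
    echo "image verified, md5 $(cat "$IMG.md5")"
else
    echo "image does NOT match source" >&2
fi
```

Two things to keep in mind when this is used for real. First, if the drive has unreadable sectors, 'conv=noerror,sync' writes zero-filled blocks in their place, so the source and image hashes will legitimately differ; in that case the hash of the image is the acquisition hash you record, together with the read errors dd reported. Second, the netcat entry above covers the case where the image cannot be written locally: run 'dd if=/dev/sda bs=4096 conv=noerror,sync | nc collector 9000' on the suspect machine and 'nc -l 9000 > disk.dd' (the listen flags vary between netcat versions) on the collector, then hash the file on the collector and the device on the suspect side and compare them.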
 

Latest revision as of 21:11, 5 June 2012