PaulDotCom mailing list archives
Digital Forensic Software
From: pj_mcgarvey at hotmail.com (PJ McGarvey)
Date: Thu, 10 Dec 2009 15:55:42 -0500
I'll second FTK Imager Lite as a free, portable tool that can do drive imaging, deleted files analysis and extraction, file hashing, and the latest version also does memory acquisition. I keep it on a USB key and use it pretty frequently. Does anyone know something similar (portable, GUI-fied) that runs on Linux?

PJ
Date: Thu, 10 Dec 2009 11:14:50 -0500
From: gbugbear at gmail.com
To: pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] Digital Forensic Software

All great advice. I just did some demos for the sysadmins at work on several forensic image packages available. Here are some notes that might help and save you some time.

Helix Pro 3 - must purchase
Easy to use
Can be used as a Live or Bootable CD
Includes hashing capabilities.
Includes a "Receiver" server for receiving multiple images on a network.
Supported on Windows, Mac, and Linux
Support via forums and email
Includes auto-generated Chain of Custody forms
Bootable CD - marks all mounted drives as read only by default
Live CD - run from within OS, touches OS but they have this well documented
Some notes on using the Bootable option (if you have issues): enable Safe Mode Video (F4) and acpi=off "Advanced Configuration and Power Interface" (F6) on the boot menu.
Note: you must manually mount the destination disk as read/write via the interface

Raptor - free at http://www.raptorforensics.com
Bootable CD raw image utility based on Ubuntu; interface a bit more clumsy compared to Helix, but it works and it is free

Dcfldd - free at http://dcfldd.sourceforge.net/
Live CD raw image utility - Windows or Linux - command line only

Live View 0.7b - free (can convert image files into a VM) at http://liveview.sourceforge.net/
Provides an easy-to-use interface that can create a read-only .vmdk from a raw image or physical disk.
Will disable networking within VMware auto
Can run a cryptographic checksum on the image before and after booting to verify the integrity of the evidence
Support for all versions of Windows and some Linux
Supports VMware Workstation 5.5+ or Server 1.X (does not support Server 2.X yet)
Can be used with a single image file or split images

Also FTK rocks for mounting read only and carving out what you want. It also has a "lite" version that will run off a USB device.

Hope this helps.

Tim
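The "cryptographic checksum before and after" check Tim's notes credit to Live View, together with the hashing the imaging tools offer, as a small worked example added here (this is not code from the thread or from any of the tools named in it): acquire a raw image, record the source hash beside it, and re-verify the image later so that any change to the evidence copy is caught. The script uses plain dd and sha256sum (or BSD shasum) so it runs on any Linux or BSD box; dcfldd can compute the same hash in one pass with its hash=sha256 and hashlog= options, but it is not needed to run this. The 8 KiB "evidence" it images is constructed in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example: image a source with dd, record the SHA-256 of source and
# image, and re-verify the image later (checksum before and after).
# Not part of the thread or of any tool it names. dcfldd could hash in the
# same pass (hash=sha256 hashlog=...); plain dd + sha256sum used here so the
# script runs anywhere.

set -u

# Portable SHA-256 of one file (GNU sha256sum or BSD shasum); prints the digest only.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire SRC DEST: copy SRC to DEST block by block, continuing past read
# errors (conv=noerror, no sync padding so the copy is byte-for-byte), then
# write DEST.sha256 holding the hash taken from the source.
# Returns 0 only if the image hash equals the source hash.
acquire() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=4096 conv=noerror 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dest")
    printf '%s\n' "$src_hash" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify IMAGE: recompute the hash and compare it with the recorded one.
# Returns 0 if unchanged, 1 if the image no longer matches (corrupt or altered).
verify() {
    img=$1
    recorded=$(cat "$img.sha256")
    now=$(hash_file "$img")
    [ "$recorded" = "$now" ]
}

# Demo on a constructed "disk": 8 KiB of random bytes in a temp dir.
# Acquires, verifies, then flips one byte in the image and expects verify to fail.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=4096 count=2 2>/dev/null
    acquire "$work/evidence.bin" "$work/evidence.dd" || { echo "acquire failed"; return 1; }
    verify "$work/evidence.dd" || { echo "verify failed"; return 1; }
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify "$work/evidence.dd"; then echo "tamper not detected"; return 1; fi
    rm -rf "$work"
    echo "ok: image verified, later change detected"
}

# Run the demo when executed directly:  sh imagecheck.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The recorded hash is what goes on the chain-of-custody form; verify can be re-run at any point (after a Live View boot, after copying the image to another box) and a mismatch means the copy is no longer the one that was acquired. In practice the hash of the original disk is taken with the write blocker still in place, and the source hash is never recomputed from the image.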