Digital Forensic Software

[joel.folkerts at gmail.com (Joel Folkerts)]

You might consider Automated Image & Restore (AIR) -- basically a GUI
front-end for dd/dfcldd: http://air-imager.sourceforge.net/

-Joel


"The path to hell is paved with good intentions."


On Thu, Dec 10, 2009 at 2:55 PM, PJ McGarvey <pj_mcgarvey at hotmail.com>wrote:

>  I'll second FTK Imager Lite as a free, portable tool, that can do drive
> imaging, deleted files analysis and extraction, file hashing and the latest
> version also does memory acquisition.  I keep it on a USB key and use it
> pretty frequently.
>
> Does anyone know something similiar (portable, gui-fied) that runs on
> Linux?
>
> PJ
>
> > Date: Thu, 10 Dec 2009 11:14:50 -0500
> > From: gbugbear at gmail.com
>
> > To: pauldotcom at mail.pauldotcom.com
> > Subject: Re: [Pauldotcom] Digital Forensic Software
>
> > All great advice. I just did some demos for the sysadmins at work on
> > several Forensic Image packages available. Here's some notes that
> > might help and save you some time.
> >
> > Helix Pro 3 - must purchase
> >
> > Easy to use
> > Can be used as a Live or Bootable CD
> > Includes hashing capabilities.
> > Includes a ?Receiver? server for receiving multiple images on a network.
> > Supported on Windows, Mac, and Linux
> > Support via Forums and Email
> > Includes auto generated Chain of Custody Forms
> >
> > Bootable CD - Marks all mounted drives as read only by default
> > Live CD - Run from within OS, touchess OS but they have this well
> documented
> > Some notes on using Bootable Option (if you have issues)
> >
> > Enable Safe Mode Video (F4) and acpi=off ?advanced Configuration and
> > Power Interface? (F6) on the boot menu.
> > Note: You Must manually mount destination disk as read/write via
> interface
> > Raptor - free at http://www.raptorforensics.com
> >
> > Bootable CD raw image utility based on Ubuntu, interface a bit more
> > clumsy compared to Helix but it works and it is free
> >
> > Dcfldd - free at http://dcfldd.sourceforge.net/
> >
> > Live CD raw image utility - windows or linux -cmd line only
> >
> >
> > Live View 0.7b - free (can convert Image files into a VM) at
> > http://liveview.sourceforge.net/
> >
> > provides an easy to use interface that can create read only .vmdk from
> > a raw image or physical disk.
> > Will disable networking within VMWare auto
> > Can run a cryptographic checksum on the image before and after booting
> > to verify the integrity of the evidence
> > Support for all versions of Windows and some Linux
> > Supports VMWare Workstation 5.5+ or Server 1.X (does not support Server
> 2.X yet)
> > Can be used with a single image file or split images
> >
> >
> > Also FTK rocks for mounting read only and carving out what you want.
> > It also has a "lite" version that will run off a USB device
> >
> > Hope this helps.
> >
> > Tim
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091210/cea56c12/attachment.htm