Monday, 17 February 2014

Basic Computer Forensic Commands

Tools for working with forensic data

1. dd
resource : http://www.forensicswiki.org/wiki/Dd

A forensic tool for creating raw bit-for-bit images of data; it copies the data without altering it, so properties such as timestamps are preserved.

Usage: dd [OPERAND]...
  or:  dd OPTION

The basic dd syntax is as follows:
# dd if=  of=   bs=
("if" being "input file" and "of" meaning "output file").

To clone a drive onto another, wiped and formatted drive:
# dd if=/dev/ of=/dev/ bs=512 conv=noerror,sync
You can also write the output to an image file:
# dd if=/dev/ of=/home/user/linux_image.dd bs=512 conv=noerror,sync
For example, imaging a floppy disk:
root@bt:~/evid# dd if=/dev/fd0 of=image.disk1 bs=512
In Linux, the block size value can have a multiplicative suffix:
c =1
w =2
b =512
kB =1000,           K =1024
MB =1000*1000,      M =1024*1024
GB =1000*1000*1000, G =1024*1024*1024
and so on for T, P, E, Z, Y. 
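As an added example (not from the original post), the script below images a constructed 1000-byte sample file with the dd options shown above and then verifies the copy by SHA-256. It also shows the check a practitioner needs to know about: conv=sync pads the last partial block up to bs, so the image hash equals the source hash only when the source size is a multiple of the block size.

```shell
#!/bin/sh
# Added example (not from the original post): image a constructed sample
# file with the dd options shown above, then verify the copy by hash.
set -eu

# Constructed sample of 1000 bytes (deliberately not a multiple of 512)
# standing in for a source device.
make_sample() {
    head -c 1000 /dev/urandom > "$1"
}

# Image source $1 into $2 with the page's options; dd's report goes to $3.
image_dd() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2> "$3"
}

# SHA-256 of a file, using whichever tool the system provides.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "match" if two files hash identically, otherwise "differ".
compare_hash() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ] && echo match || echo differ
}

# Size of a file in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

demo() {
    d=$(mktemp -d)
    make_sample "$d/src.bin"
    image_dd "$d/src.bin" "$d/image.dd" "$d/dd.log"
    # conv=sync pads the final partial block up to bs, so the image is
    # 1024 bytes and its hash no longer equals the source hash.
    echo "source $(file_size "$d/src.bin") bytes, image $(file_size "$d/image.dd") bytes"
    compare_hash "$d/src.bin" "$d/image.dd"
    # Comparing only the first 1000 bytes shows the data itself is intact.
    head -c 1000 "$d/image.dd" > "$d/trunc.bin"
    compare_hash "$d/src.bin" "$d/trunc.bin"
    rm -rf "$d"
}

demo
```

When the source is a whole block device its size is already block-aligned, so the padding does not occur; the mismatch appears with files or truncated reads, which is why the dd report in dd.log should be kept alongside the hashes.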

2. libewf
resource : http://code.google.com/p/libewf/wiki/Mounting

libewf is a library to access the Expert Witness Compression Format (EWF).

- Create a mount point:
mkdir /mnt/ewfimage
- Mount the image:
ewfmount image.E01 /mnt/ewfimage/
This will create the following device file:
/mnt/ewfimage/ewf1
- Unmount:
umount /mnt/ewfimage/
Or with fusermount:
fusermount -u /mnt/ewfimage/

3. sleuthkit
resource : http://www.sleuthkit.org/ 
A library, framework, and set of command line tools to analyze disk images. 


- Its command line forensic tools can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types. For a graphical interface, use Autopsy.

root@bt:~# icat -h
Missing image name and/or address
usage: icat [-hrRsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inum[-typ[-id]]
        -h: Do not display holes in sparse files
        -r: Recover deleted file
        -R: Recover deleted file and suppress recovery errors
        -s: Display slack space at end of file
        -i imgtype: The format of the image file (use '-i list' for supported types)
        -b dev_sector_size: The size (in bytes) of the device sectors
        -f fstype: File system type (use '-f list' for supported types)
        -o imgoffset: The offset of the file system in the image (in sectors)
        -v: verbose to stderr
        -V: Print version
http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview
http://wiki.sleuthkit.org/index.php?title=FS_Analysis



4. Autopsy
A graphical interface to the Sleuth Kit and other digital forensics tools.


