Volume System
Autopsy Forensic Browser
Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted and allocated files, perform keyword searches, and create timelines of file activity.
CDFS
CDFS is a file system for Linux that "exports" all tracks and boot images on a CD as normal files. These files can then be mounted (e.g. ISO and boot images), copied, or played (audio and VideoCD tracks).
cdrecord
Cdrecord, now known as cdrtools, supports DVD-R and DVD-RW with all known DVD writers on all UNIX-like operating systems and on Win32. Other optical media types are supported, as is multisession, and support for Blu-ray has recently been implemented (version 2.10). DVD writing support has been available in cdrecord since March 1998. Cdrecord writes DVD media in the same way as CD media. The readcd tool can be used to read the contents of a CD.
disktype
The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more detail about the file system or partition table.)
gpart
Gpart is a tool that tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
It appears to be no longer developed, but it is still packaged for most Linux distributions; on Ubuntu, for example, it installs version 0.1h-11 (note: a beta version).
KS - keywords searcher
KS is a keyword searching tool; run it with "sudo bash ks.sh". It mounts a DD image file, extracts all deleted files and slack space, carves data from the free space only, and indexes everything with RECOLL. You need:
The Sleuthkit (last release)
Photorec
MD5Deep
RECOLL
It stores the index DB and the recoll.conf in the chosen output directory.
New file formats have been added, and README.txt explains how to expand the search range.
Website:
http://scripts4cf.sourceforge.net/tools.html
libbde
Library and tools to support the BitLocker Drive Encryption (BDE) format.
libvshadow
Library and tools to support the Volume Service Snapshot (VSS) format.
PTK
PTK Forensics is an alternative advanced framework for the TSK suite (The Sleuth Kit). It was born as a free interface intended to improve on the features already present in "Autopsy Forensic Browser" (the former TSK interface), but PTK Forensics is now much more: in addition to providing the functions already present in Autopsy Forensic Browser, it implements numerous new essential forensic features.
pyflag
The name is an acronym for "Forensic and Log Analysis GUI". It was written for the analysis of various log file types and of network traffic, but it can also be used for forensic analysis of disk images. It includes support for the Volatility framework (http://www2.opensourceforensics.org/node/15) and supports file carving to recover known file types.
tableau-parm
tableau-parm is a small command line utility designed to interact with Tableau forensic write blockers. It performs functions similar to the Tableau Disk Monitor, except that it operates under Linux.
TestDisk
Tool to check and undelete partitions. Works with the following partition types: FAT12, FAT16, FAT32, Linux EXT2/EXT3/EXT4, Linux SWAP (version 1 and 2), Linux Logical Volume Manager (LVM), Linux RAID, Linux LUKS, NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.
Operating System support is comprehensive, with precompiled binaries available for many popular types.
The Sleuth Kit
A collection of command line tools and a C library for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.
xmount
xmount allows you to convert on the fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format or VMware's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount supports virtual write access to the output files, with writes redirected to a cache file so the original image is never modified.