Merge pull request #84 from StefanMolls/gh-pages

Added forensic section
This commit is contained in:
Will Pennell 2014-04-24 12:43:32 -04:00
commit 47e1b05413
79 changed files with 3901 additions and 2 deletions


@ -1,3 +1,142 @@
# Placeholder
# Forensics
This is just a placeholder. Feel free to contribute :)
Anti-Virus Forensics Tools
------------
* [chkrootkit](../tools/chkrootkit.md)
Digital Anti-Forensics
------------
* [chkrootkit](../tools/chkrootkit.md)
Digital Forensics
------------
* [autopsy](../tools/autopsy.md)
* [binwalk](../tools/binwalk.md)
* [bulk_extractor](../tools/bulk_extractor.md)
* [chkrootkit](../tools/chkrootkit.md)
* [dc3dd](../tools/dc3dd.md)
* [dcfldd](../tools/dcfldd.md)
* [extundelete](../tools/extundelete.md)
* [foremost](../tools/foremost.md)
* [fsstat](../tools/fsstat.md)
* [galleta](../tools/galleta.md)
* [tsk_comparedir](../tools/tsk_comparedir.md)
* [tsk_loaddb](../tools/tsk_loaddb.md)
Forensic Analysis Tools
------------
* [affcompare](../tools/affcompare.md)
* [affcopy](../tools/affcopy.md)
* [affcrypto](../tools/affcrypto.md)
* [affdiskprint](../tools/affdiskprint.md)
* [affinfo](../tools/affinfo.md)
* [affsign](../tools/affsign.md)
* [affstats](../tools/affstats.md)
* [affuse](../tools/affuse.md)
* [affverify](../tools/affverify.md)
* [affxml](../tools/affxml.md)
* [autopsy](../tools/autopsy.md)
* [binwalk](../tools/binwalk.md)
* [blkcalc](../tools/blkcalc.md)
* [blkcat](../tools/blkcat.md)
* [blkstat](../tools/blkstat.md)
* [bulk_extractor](../tools/bulk_extractor.md)
* [ffind](../tools/ffind.md)
* [fls](../tools/fls.md)
* [foremost](../tools/foremost.md)
* [galleta](../tools/galleta.md)
* [hfind](../tools/hfind.md)
* [icat-sleuthkit](../tools/icat-sleuthkit.md)
* [istat](../tools/istat.md)
* [jcat](../tools/jcat.md)
* [mactime-sleuthkit](../tools/mactime-sleuthkit.md)
* [missidentify](../tools/missidentify.md)
* [mmcat](../tools/mmcat.md)
* [pdgmail](../tools/pdgmail.md)
* [readpst](../tools/readpst.md)
* [reglookup](../tools/reglookup.md)
* [regripper](../tools/regripper.md)
* [sigfind](../tools/sigfind.md)
* [sorter](../tools/sorter.md)
* [srch_strings](../tools/srch_strings.md)
* [tsk_recover](../tools/tsk_recover.md)
* [vinetto](../tools/vinetto.md)
Forensic Carving Tools
------------
* [binwalk](../tools/binwalk.md)
* [bulk_extractor](../tools/bulk_extractor.md)
* [foremost](../tools/foremost.md)
* [jls](../tools/jls.md)
* [magicrescue](../tools/magicrescue.md)
* [pasco](../tools/pasco.md)
* [pev](../tools/pev.md)
* [recoverjpeg](../tools/recoverjpeg.md)
* [rifiuti](../tools/rifiuti.md)
* [rifiuti2](../tools/rifiuti2.md)
* [safecopy](../tools/safecopy.md)
* [scalpel](../tools/scalpel.md)
* [scrounge-ntfs](../tools/scrounge-ntfs.md)
Forensic Hashing Tools
------------
* [md5deep](../tools/md5deep.md)
* [rahash2](../tools/rahash2.md)
Forensic Imaging Tools
------------
* [affcat](../tools/affcat.md)
* [affconvert](../tools/affconvert.md)
* [blkls](../tools/blkls.md)
* [dc3dd](../tools/dc3dd.md)
* [dcfldd](../tools/dcfldd.md)
* [ddrescue](../tools/ddrescue.md)
* [ewfacquire](../tools/ewfacquire.md)
* [ewfacquirestream](../tools/ewfacquirestream.md)
* [ewfexport](../tools/ewfexport.md)
* [ewfinfo](../tools/ewfinfo.md)
* [ewfverify](../tools/ewfverify.md)
* [fsstat](../tools/fsstat.md)
* [guymager](../tools/guymager.md)
* [img_cat](../tools/img_cat.md)
* [img_stat](../tools/img_stat.md)
* [mmls](../tools/mmls.md)
* [mmstat](../tools/mmstat.md)
* [tsk_gettimes](../tools/tsk_gettimes.md)
Forensic Suites
------------
* [autopsy](../tools/autopsy.md)
* [dff](../tools/dff.md)
* [dff-gui](../tools/dff-gui.md)
Network Forensics
------------
* [p0f](../tools/p0f.md)
Password Forensics Tools
------------
* [chntpw](../tools/chntpw.md)
PDF Forensics Tools
------------
* [pdf-parser](../tools/pdf-parser.md)
* [peepdf](../tools/peepdf.md)
RAM Forensics Tools
------------
* [volafox](../tools/volafox.md)
* [volatility](../tools/volatility.md)
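Review bot: The old '# Placeholder' heading and the 'This is just a placeholder. Feel free to contribute :)' line at the top of the hunk sit next to the new '# Forensics' heading; if they survive in the new file, drop them so the page has a single H1 and opens on the category lists. Each '------------' underline is followed immediately by the first bullet with no blank line, which some markdown renderers need to terminate the setext heading cleanly. Minor: chkrootkit is the sole entry under both 'Anti-Virus Forensics Tools' and 'Digital Anti-Forensics'; since its own page describes it as checking system binaries for rootkit modification, say in a sentence that these headings mirror an upstream categorisation, or reconsider the anti-forensics placement.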

34
tools/affcat.md Normal file

@ -0,0 +1,34 @@
# affcat
Notes
-------
affcat outputs the contents of an image file to stdout. Image files that are not raw but are recognized by AFF will be output in raw format. Missing pages will not be padded, but the fact that they are missing will be noted on STDERR.
Help Text
-------
```
afcat version 3.7.1
usage: afcat [options] infile [... more infiles]
options:
-s name --- Just output segment name
-p ### --- just output data page number ###
-S ### --- Just output data sector ### (assumes 512-byte sectors). Sector #0 is first
-q --- quiet; don't print to STDERR if a page is skipped
-n --- noisy; tell when pages are skipped.
-l --- List all of the segment names
-L --- List segment names, lengths, and args
-d --- debug. Print the page numbers to stderr as data goes to stdout
-b --- Output BADFALG for bad blocks (default is NULLs)
-v --- Just print the version number and exit.
-r offset:count --- seek to offset and output count characters in each file; may be repeated
```
Example Usage
-------
Links
-------
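Review bot: The filename, heading and help text disagree on the command name: the page says affcat but the pasted help reports 'afcat version 3.7.1' and 'usage: afcat [options] infile'; state in Notes which name is installed, or that afcat in the help output is the same binary. Example Usage and Links are empty headings; either fill them (for instance 'affcat -S 0 image.aff' to emit the first 512-byte sector, per the '-S' option) or leave the headings out until there is content.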

60
tools/affcompare.md Normal file

@ -0,0 +1,60 @@
# affcompare
Notes
-------
affcompare - compares two disk images
Help Text
-------
```
affcompare version 3.7.1
usage: affcompare [options] file1 file2
compares file1 with file2
or affcompare [options] -r dir1 dir2
comparses similarly-named files in dir1 and dir2
or affcompare [options] -s file1 file2...
Reports if file was successfully copied to Amazon S3
checking only for existence, not reading back the bytes.
(Because all writes to S3 are validated by the MD5 of the object
fast options:
(These compare segments but not their contents.)
-p --- report about the results of preening
-e --- Just report about existence (use with -r)
-s --- Just see if all of the segments are present, but don't
validate the contents. (Primarily for use with Amazon S3)
other options:
-V --- just print the version number and exit
-v --- Verbose; each file as it is compared.
-q --- Quiet. No output except for errors
-a --- print what's the same (all)
-b --- print the numbers of differing sectors
-c --- print the contents of differing sectors
-m --- Just report about the data (ignore metadata)
-P ### --- Just examine the differences on page ###
-q --- Quiet; no output except for errors.
Options documented above:
-r dir1 dir2 --- recursively compare what's in dir1 with dir2, and
report what's in dir1 that's not in dir2
-s --- Check to see if named files are on Amazon S3
affcompare file1.aff file2.aff --- compare file1.aff and file2.aff
affcompare f1.aff f2.aff dir1/ --- compare f1.aff with dir1/f1.aff and f2.aff with dir2/f2.aff
note: dir1/ must end with a slash.
affcompare -b img file.aff --- compare file.aff and file.img
affcompare -b img file1.aff file2.aff... --- compare file1.aff, file1.img, etc.
affcompare -re dir1 dir2 --- report AFF files in dir1 but not in dir2
affcompare -rse dir1 s3:/// --- report AFF files in dir1 but not on S3 (low bandwidth)
affcompare -rs dir1 s3:/// --- report AFF files in dir1 but incomplete on on S3 (more bandwidth)
```
Example Usage
-------
Links
-------
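Review bot: Example Usage is empty even though the help text already carries worked invocations ('affcompare file1.aff file2.aff', 'affcompare -b img file.aff', 'affcompare -re dir1 dir2'); copy them under Example Usage with a sentence each so readers do not have to mine the help block for them. Links is also empty; affconvert.md in this same PR cites forensicswiki, so the matching affcompare entry there would fit the house style.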

60
tools/affconvert.md Normal file

@ -0,0 +1,60 @@
# affconvert
Notes
-------
affconvert is part of the AFF toolset. This program can interconvert between all of the different file formats that AFF supports. It can also be used to restore AFF files on raw disk partitions. [1]
Help Text
-------
```
affconvert version 3.7.1
usage: affconvert [options] file1 [... files]
examples:
affconvert file1.iso --- convert file1.iso to file1.aff
affconvert file1.iso file2.iso file3.iso... --- batch convert files
affconvert -r -e iso image.aff --- convert image.aff to image.iso
affconvert -M4g -o/media/dvd.afd bigfile.aff --- split an AFF file into 4GB chunks for archiving to DVD
General options:
-q -- Quiet mode. Don't ask questions, don't print status.
AFF output options:
-a ext -- use 'ext' for aff files (default is aff)
(use .afd for AFD files)
-Mn[kgm] -- set maximum size of output file. Suffix with g, m or k.
-sn -- set the image_pagesize (default 16777216)
-x -- don't compress AFF file.
-O dir -- use 'dir' as the output directory
-o file -- output to 'file' (can only convert one at a time)
File is AFF is file ends .aff; otherwise assumes raw.
-Xn -- Set compression to n; default is 7
-L -- Use the LZMA compression algorithm (better but slower)
Raw output options:
-r -- force raw output.
-e ext -- use 'ext' for the raw files (default raw)
(implies -r)
Dangerous input options:
-z -- zap; delete the output file if it already exists.
-Z -- Do not automatically probe for gzip/bzip2 compression.
-y -- Always answer yes/no questions 'yes.'
-V = Just print the version number and exit.
```
Example Usage
-------
```
affconvert file1.iso --- convert file1.iso to file1.aff
affconvert file1.iso file2.iso file3.iso... --- batch convert files
affconvert -r -e iso image.aff --- convert image.aff to image.iso
```
Links
-------
[1] http://www.forensicswiki.org/wiki/Afconvert
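Review bot: The Example Usage block repeats the first three example lines of the help text verbatim, so it adds nothing; replace it with a case not already shown, such as the DVD split ('affconvert -M4g -o/media/dvd.afd bigfile.aff') or 'affconvert -r -e raw image.aff' followed by a hash validation of the source with affinfo -m. Notes mentions restoring AFF files onto raw disk partitions and the help lists '-z -- zap; delete the output file if it already exists' under 'Dangerous input options'; one sentence saying these write paths belong on working copies, never on evidence media, would suit a forensics page.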

55
tools/affcopy.md Normal file

@ -0,0 +1,55 @@
# affcopy
Notes
-------
affcopy - segment-by-segment copying and verification (optional encryption)
Help Text
-------
```
usage: afcopy [options] file1 file
Copies file1 to file2
afcopy [options] file1 file2 file3 ... dir
Copies file1.. into dir
afcopy [options] file1 file2 file3 ... dir1 dir2...
Copies file1.. into dirs1, dir2, ...
By default, all page MACs are verified on read and all segments
are verified after write.
Options:
-v = verbose: print each file as it is copied
-vv = very verbose: print each segment as it is copied
-d = print debugging information as well
-x = don't verify hashes on reads
-y = don't verify writes
-Xn = recompress pages (preen) with zlib level n
-L = recompress pages (preen) with LZMA (smaller but slower)
-h = help; print this message.
-V = print the program version and exit.
-z = zap; copy even if the destination exists.
-m = just copy the missing segments
Signature Options:
-k filename.key = specify private key for signing
-c filename.cer = specify a X.509 certificate that matches the private key
(by default, the file is assumed to be the same one
provided with the -k option.) -n = read notes to accompany the copy from standard in.
Encryption Options: Specify passphrase encryption for filename.aff with:
file://:passphrase@/filename.aff
Examples:
afcopy file.aff file://:mypassword@/file-encrypted.aff - encrypt file.aff
afcopy -vy -X9 *.aff s3:/// Copy all files in current
directory to S3 default bucket with X9 compression
```
Example Usage
-------
Links
-------
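Review bot: In the pasted help text the '-n' option has been fused onto the end of the '-c' description ('provided with the -k option.) -n = read notes to accompany the copy from standard in.'); split it onto its own line so the option list scans correctly. The 'file://:passphrase@/filename.aff' encryption syntax in the examples embeds the passphrase in the command line, where it ends up in shell history and process listings; that deserves a sentence in Notes, which is otherwise a one-liner, and Example Usage and Links are empty.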

54
tools/affcrypto.md Normal file

@ -0,0 +1,54 @@
# affcrypto
Notes
-------
affcrypto — encrypt or decrypt a disk image in place
Help Text
-------
```
afcrypto version 3.7.1
usage: afcrypto [options] filename.aff [filename2.aff ... ]
prints if each file is encrypted or not.
options:
-x --- output in XML
-j --- Just print the number of encrypted segments
-J --- Just print the number of unencrypted segments
Data conversion options:
-e --- encrypt the unencrypted non-signature segments
-d --- decrypt the encrypted non-signature segments
-r --- change passphrase (take old and new from stdin)
-O old --- specify old passphrase
-N new --- specify new passphrase
-K mykey.key -- specifies a private keyfile for unsealing (may not be repeated)
-C mycert.crt -- specifies a certificate file for sealing (may be repeated)
-S --- add symmetric encryptiong (passphrase) to AFFILE encrypted with public key
(requires a private key and a specified passphrase).
-A --- add asymmetric encryption to a AFFILE encrypted with a passphrase
(requires a certificate file spcified with the -C option
Password Cracking Options:
-p passphrase --- checks to see if passphrase is the passphrase of the file
exit code is 0 if it is, -1 if it is not
-k --- attempt to crack passwords by reading a list of passwords from ~/.affpassphrase
-f file --- Crack passwords but read them from file.
Debugging:
-V --- Just print the version number and exit.
-D --- debug; print out each key as it is tried
-l --- List the installed hash and encryption algorithms
Note: This program ignores the environment variables:
AFFLIB_PASSPHRASE
AFFLIB_PASSPHRASE_FILE
AFFLIB_PASSPHRASE_FD
AFFLIB_DECRYPTING_PRIVATE_KEYFILE
```
Example Usage
-------
Links
-------
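Review bot: Notes should say more than the one-liner, because the help text shows two things a reader will trip over: '-p', '-O' and '-N' take the passphrase on the command line (visible in process listings and shell history), and the program explicitly ignores the AFFLIB_PASSPHRASE* environment variables that other AFF tools honour, so the only non-command-line route shown is '-r', which reads old and new passphrases from stdin. The Notes dash style also differs from neighbouring pages (an em dash here, a plain hyphen in affcompare, affcopy and affverify); pick one across the PR.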

23
tools/affdiskprint.md Normal file

@ -0,0 +1,23 @@
# affdiskprint
Notes
-------
affdiskprint — generates an XML-based "diskprint" for fast image comparison
Help Text
-------
```
afdiskprint version 3.7.1
usage: afdiskprint [options] infile
-x XML = Verify the diskprint
-V = Just print the version number and exit.
-h = Print this help.
```
Example Usage
-------
Links
-------
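Review bot: Example Usage and Links are empty, and the help text alone does not tell a reader how to produce a diskprint versus check one; Notes says the tool 'generates' the XML and the only functional option is '-x XML = Verify the diskprint', so spell out the two-step use (generate from the image, later verify with -x against the saved XML) under Example Usage.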

49
tools/affinfo.md Normal file

@ -0,0 +1,49 @@
# affinfo
Notes
-------
affinfo — prints details about the segments
Help Text
-------
```
afinfo version 3.7.1
usage: afinfo [options] infile
-a = print ALL segments (normally data segments are suppressed)
-b = print how many bad blocks in each segment (implies -a)
-i = identify the files, don't do info on them.
-w = wide output; print more than 1 line if necessary.
-s segment = Just print information about 'segment'.
(may be repeated)
-m = validate MD5 hash of entire image
-S = validate SHA1 hash of entire image
-v = validate the hash of each page (if present)
-y = don't print segments of lengths 16 and 20 as hex)
-p<passphrase> = Specify <passphrase> to decrypt file
-l = Just print the segment names and exit
-V = Just print the version number and exit.
Preview Options:
-X = no data preview; just print the segment names
-x = print binary values in hex (default is ASCII)
Misc:
-d = debug
-A = if infile is a device, print the number of sectors
and sector size to stdout in XML. Otherwise error
Compilation:
LZMA compression: Enabled
QEMU enabled
FUSE enabled
Amazon S3 enabled
HAVE_LIBEXPAT
```
Example Usage
-------
Links
-------
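Review bot: The 'Compilation:' block at the end of the help text (LZMA, QEMU, FUSE, Amazon S3, HAVE_LIBEXPAT) reflects how the author's package was built rather than the tool's options; either trim it or say in Notes that these lines vary by build. Example Usage is empty although '-m' and '-S' (validate the MD5/SHA1 of the entire image) are the main verification use of affinfo and deserve a shown invocation. As with affcrypto, '-p<passphrase>' puts the passphrase on the command line; worth a sentence.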

32
tools/affsign.md Normal file

@ -0,0 +1,32 @@
# affsign
Notes
-------
Help Text
-------
```
afsign version 3.7.1
usage: afsign [options] filename.aff
This program will:
* Sign each segment if there are no segment signatures.
* Write signed chain-of-custody Bill of Materials segment.
Signature Options:
-k filename.key = specify private key for signing
-c filename.cer = specify a X.509 certificate that matches the private key
(by default, the file is assumed to be the same one
provided with the -k option.)
-Z = ZAP (remove) all signature segments.
options:
-n --- ask for a chain-of-custody note.
-v --- Just print the version number and exit.
```
Example Usage
-------
Links
-------
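Review bot: Notes is an empty heading while the help text supplies the description ('Sign each segment if there are no segment signatures' and 'Write signed chain-of-custody Bill of Materials segment'); lift that into Notes. Flag '-Z = ZAP (remove) all signature segments' as destructive: it strips exactly what affverify checks, so it must not be run on a copy whose chain of custody matters. Example Usage and Links are empty.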

22
tools/affstats.md Normal file

@ -0,0 +1,22 @@
# affstats
Notes
-------
Help Text
-------
```
afstats version 3.7.1
usage: afstats [options] infile(s)
-m = print all output in megabytes
-v = Just print the version number and exit.
```
Example Usage
-------
Links
-------
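Review bot: Notes is empty and the help text is two lines, so the page says nothing about what affstats reports; a one-line description, ideally with a pasted sample of its output (the '-m = print all output in megabytes' option implies size statistics), is needed before the page is useful.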

80
tools/affuse.md Normal file

@ -0,0 +1,80 @@
# affuse
Notes
-------
affuse — allows AFF images to be "mounted" as raw files on Linux
Help Text
-------
```
affuse version 3.7.1
Usage: affuse [<FUSE library options>] af_image mount_point
FUSE options:
-d -o debug enable debug output (implies -f)
-f foreground operation
-s disable multi-threaded operation
-o allow_other allow access to other users
-o allow_root allow access to root
-o auto_unmount auto unmount on process termination
-o nonempty allow mounts over non-empty file/dir
-o default_permissions enable permission checking by kernel
-o fsname=NAME set filesystem name
-o subtype=NAME set filesystem type
-o large_read issue large read requests (2.4 only)
-o max_read=N set maximum size of read requests
-o hard_remove immediate removal (don't hide files)
-o use_ino let filesystem set inode numbers
-o readdir_ino try to fill in d_ino in readdir
-o direct_io use direct I/O
-o kernel_cache cache files in kernel
-o [no]auto_cache enable caching based on modification times (off)
-o umask=M set file permissions (octal)
-o uid=N set file owner
-o gid=N set file group
-o entry_timeout=T cache timeout for names (1.0s)
-o negative_timeout=T cache timeout for deleted names (0.0s)
-o attr_timeout=T cache timeout for attributes (1.0s)
-o ac_attr_timeout=T auto cache timeout for attributes (attr_timeout)
-o noforget never forget cached inodes
-o remember=T remember cached inodes for T seconds (0s)
-o intr allow requests to be interrupted
-o intr_signal=NUM signal to send on interrupt (10)
-o modules=M1[:M2...] names of modules to push onto filesystem stack
-o max_write=N set maximum size of write requests
-o max_readahead=N set maximum readahead
-o max_background=N set number of maximum background requests
-o congestion_threshold=N set kernel's congestion threshold
-o async_read perform reads asynchronously (default)
-o sync_read perform reads synchronously
-o atomic_o_trunc enable atomic open+truncate support
-o big_writes enable larger than 4kB writes
-o no_remote_lock disable remote file locking
-o no_remote_flock disable remote file locking (BSD)
-o no_remote_posix_lock disable remove file locking (POSIX)
-o [no_]splice_write use splice to write to the fuse device
-o [no_]splice_move move data while splicing to the fuse device
-o [no_]splice_read use splice to read from the fuse device
Module options:
[iconv]
-o from_code=CHARSET original encoding of file names (default: UTF-8)
-o to_code=CHARSET new encoding of the file names (default: UTF-8)
[subdir]
-o subdir=DIR prepend this directory to all paths (mandatory)
-o [no]rellinks transform absolute symlinks to relative
Use fusermount -u mount_point, to unmount
```
Example Usage
-------
Links
-------
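Review bot: Almost the whole help block is the generic FUSE option list; the affuse-specific content is the Usage line ('affuse [<FUSE library options>] af_image mount_point') and the closing 'Use fusermount -u mount_point, to unmount'. Consider trimming to those plus a short Example Usage showing the mount and unmount pair, and note in Notes that '-o allow_other' and '-o allow_root' widen who on the analysis box can read the mounted evidence.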

26
tools/affverify.md Normal file

@ -0,0 +1,26 @@
# affverify
Notes
-------
affverify - verifies the digital signatures on a file
Help Text
-------
```
afverify version 3.7.1
usage: afverify [options] filename.aff
Verifies the digital signatures on a file
options:
-a --- print all segments
-V --- Just print the version number and exit.
-v --- verbose
SHA256 is operational
```
Example Usage
-------
Links
-------
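Review bot: Notes repeats the help text's own summary ('Verifies the digital signatures on a file') word for word; say instead that affverify checks the per-segment signatures and chain-of-custody segment written by affsign with '-k'/'-c', and show that pairing under the empty Example Usage. 'SHA256 is operational' is a runtime status line rather than an option; either drop it from the help block or explain it.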

25
tools/affxml.md Normal file

@ -0,0 +1,25 @@
# affxml
Notes
-------
affxml converts an AFF image into XML.
Help Text
-------
```
afxml version 3.7.1
usage: afxml [options] infile...
-V = Just print the version number and exit
-x = Don't include the infile filename in output.
-j segname = Just print information about segname
(may be repeated)
-s = output 'stats' for the file data (may a long time)
```
Example Usage
-------
Links
-------
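Review bot: Example Usage and Links are empty; '-j segname' and '-s' are the non-obvious options here, so one invocation each would make the page worth more than the raw help text.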

46
tools/autopsy.md Normal file

@ -0,0 +1,46 @@
# autopsy
Notes
-------
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
Help Text
-------
```
usage: /usr/bin/autopsy [-c] [-C] [-d evid_locker] [-i device filesystem mnt] [-p port] [remoteaddr]
-c: force a cookie in the URL
-C: force NO cookie in the URL
-d dir: specify the evidence locker directory
-i device filesystem mnt: Specify info for live analysis
-p port: specify the server port (default: 9999)
remoteaddr: specify the host with the browser (default: localhost)
```
Example Usage
-------
```
root@kali:~/kaliwiki/tools# autopsy
============================================================================
Autopsy Forensic Browser
http://www.sleuthkit.org/autopsy/
ver 2.24
============================================================================
Evidence Locker: /var/lib/autopsy
Start Time: Tue Apr 22 15:06:35 2014
Remote Host: localhost
Local Port: 9999
Open an HTML browser on the remote host and paste this URL in it:
http://localhost:9999/autopsy
Keep this process running and use <ctrl-c> to exit
```
Links
-------
[1] http://www.sleuthkit.org/autopsy/
[2] http://wiki.sleuthkit.org/index.php?title=Autopsy_User%27s_Guide
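Review bot: The Example Usage transcript carries the author's working directory in the prompt ('root@kali:~/kaliwiki/tools# autopsy'); trim to the bare command as the other pages do. Notes should also explain '[remoteaddr]' and '-c'/'-C': the transcript shows the default 'Remote Host: localhost', and pointing remoteaddr at another machine exposes the evidence-locker web UI over the network, so '-C: force NO cookie in the URL' deserves a caution in that configuration.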

85
tools/binwalk.md Normal file

@ -0,0 +1,85 @@
# binwalk
Notes
-------
Binwalk is a firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images and other binary blobs.
Help Text
-------
```
Binwalk v1.2.2-1
Craig Heffner, http://www.devttys0.com
Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Signature Analysis:
-B, --binwalk Perform a file signature scan (default)
-R, --raw-bytes=<string> Search for a custom signature
-A, --opcodes Scan for executable code signatures
-C, --cast Cast file contents as various data types
-m, --magic=<file> Specify an alternate magic file to use
-x, --exclude=<filter> Exclude matches that have <filter> in their description
-y, --include=<filter> Only search for matches that have <filter> in their description
-I, --show-invalid Show results marked as invalid
-T, --ignore-time-skew Do not show results that have timestamps more than 1 year in the future
-k, --keep-going Show all matching results at a given offset, not just the first one
-b, --dumb Disable smart signature keywords
Strings Analysis:
-S, --strings Scan for ASCII strings (may be combined with -B, -R, -A, or -E)
-s, --strlen=<n> Set the minimum string length to search for (default: 3)
Entropy Analysis:
-E, --entropy Plot file entropy (may be combined with -B, -R, -A, or -S)
-H, --heuristic Identify unknown compression/encryption based on entropy heuristics (implies -E)
-K, --block=<int> Set the block size for entropy analysis (default: 1024)
-a, --gzip Use gzip compression ratios to measure entropy
-N, --no-plot Do not generate an entropy plot graph
-F, --marker=<offset:name> Add a marker to the entropy plot graph
-Q, --no-legend Omit the legend from the entropy plot graph
-J, --save-plot Save plot as an SVG (implied if multiple files are specified)
Binary Diffing:
-W, --diff Hexdump / diff the specified files
-K, --block=<int> Number of bytes to display per line (default: 16)
-G, --green Only show hex dump lines that contain bytes which were the same in all files
-i, --red Only show hex dump lines that contain bytes which were different in all files
-U, --blue Only show hex dump lines that contain bytes which were different in some files
-w, --terse Diff all files, but only display a hex dump of the first file
Extraction Options:
-D, --dd=<type:ext[:cmd]> Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-e, --extract=[file] Automatically extract known file types; load rules from file, if specified
-M, --matryoshka Recursively scan extracted files, up to 8 levels deep
-r, --rm Cleanup extracted files and zero-size files
-d, --delay Delay file extraction for files with known footers
Plugin Options:
-X, --disable-plugin=<name> Disable a plugin by name
-Y, --enable-plugin=<name> Enable a plugin by name
-p, --disable-plugins Do not load any binwalk plugins
-L, --list-plugins List all user and system plugins by name
General Options:
-o, --offset=<int> Start scan at this file offset
-l, --length=<int> Number of bytes to scan
-g, --grep=<text> Grep results for the specified text
-f, --file=<file> Log results to file
-c, --csv Log results to file in csv format
-O, --skip-unopened Ignore file open errors and process only the files that can be opened
-t, --term Format output to fit the terminal window
-q, --quiet Supress output to stdout
-v, --verbose Be verbose (specify twice for very verbose)
-u, --update Update magic signature files
-?, --examples Show example usage
-h, --help Show help output
```
Example Usage
-------
Links
-------
[1] https://github.com/devttys0/binwalk
[2] http://binwalk.org/
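Review bot: Example Usage is empty even though binwalk ships its own examples ('-?, --examples'); paste a couple. Notes should also point out that extraction is not passive: '-D <type:ext[:cmd]>' executes <cmd> on every matching file and '-M' recurses into extracted files up to 8 levels deep, so scanning untrusted firmware with extraction enabled is best done in a throwaway VM. Minor: state that the help text is from v1.2.2-1 so readers know which version the option list describes.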

31
tools/blkcalc.md Normal file

@ -0,0 +1,31 @@
# blkcalc
Notes
-------
blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
Help Text
-------
```
usage: blkcalc [-dsu unit_addr] [-vV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images]
Slowly calculates the opposite block number
One of the following must be given:
-d: The given address is from a 'dd' image
-s: The given address is from a 'blkls -s' (slack) image
-u: The given address is from a 'blkls' (unallocated) image
-f fstype: The file system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: Print version
```
Example Usage
-------
blkcalc -u 64 images/wd0e
Links
-------
[1] http://www.sleuthkit.org/sleuthkit/man/blkcalc.html
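Review bot: The Example Usage line 'blkcalc -u 64 images/wd0e' is bare text while every other page fences its commands; put it in a code fence and add one sentence saying what it does (per '-u', it maps block 64 of a 'blkls' unallocated-space image back to the block's address in the original image).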

40
tools/blkcat.md Normal file

@ -0,0 +1,40 @@
# blkcat
Notes
-------
blkcat displays num data units (default is one) starting at the unit address unit_addr from image to stdout in different formats (default is raw). blkcat was called dcat in TSK versions prior to 3.0.0.
Help Text
-------
```
usage: blkcat [-ahsvVw] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-u usize] image [images] unit_addr [num]
-a: displays in all ASCII
-h: displays in hexdump-like fashion
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-f fstype: File system type (use '-f list' for supported types)
-s: display basic block stats such as unit size, fragments, etc.
-v: verbose output to stderr
-V: display version
-w: displays in web-like (html) fashion
-u usize: size of each data unit in image (for raw, blkls, swap)
[num] is the number of data units to display (default is 1)
```
Example Usage
-------
```
# blkcat -hw image 264 4
```
or
```
# blkcat -hw image 264
```
Links
-------
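Review bot: The two Example Usage commands are shown as '# blkcat -hw image 264 4' with an 'or' between them and no explanation; say what they do (dump 4 data units, then the default 1, starting at unit 264 in hexdump and HTML form per '-h' and '-w') and drop the '#' prompt, which reads as a comment inside a fence. Links is empty while blkcalc and blkstat cite the sleuthkit man pages; add the matching blkcat man page for consistency.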

32
tools/blkls.md Normal file

@ -0,0 +1,32 @@
# blkls
Notes
-------
blkls opens the named image(s) and copies file system data units (blocks). By default, blkls copies the contents of unallocated data blocks. blkls was called dls in TSK versions prior to 3.0.0. blkls was called unrm in TCT.
Help Text
-------
```
usage: blkls [-aAelvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] [start-stop]
-e: every block (including file system metadata blocks)
-l: print details in time machine list format
-a: Display allocated blocks
-A: Display unallocated blocks
-f fstype: File system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-s: print slack space only (other flags are ignored
-v: verbose to stderr
-V: print version
```
Example Usage
-------
Links
-------
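Review bot: Example Usage and Links are empty; the natural example is the one blkcalc already assumes ('-u: The given address is from a blkls (unallocated) image'): run blkls to write the unallocated blocks to a file, then use blkcalc -u to map any hit back to its original address. A sleuthkit man page link would match blkcalc.md and blkstat.md.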

25
tools/blkstat.md Normal file

@ -0,0 +1,25 @@
# blkstat
Notes
-------
blkstat - Display details of a file system data unit (i.e. block or sector)
Help Text
-------
```
usage: blkstat [-vV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] addr
-f fstype: File system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-v: Verbose output to stderr
-V: Print version
```
Example Usage
-------
Links
-------
[1] http://www.sleuthkit.org/sleuthkit/man/blkstat.html

100
tools/bulk_extractor.md Normal file

@ -0,0 +1,100 @@
# bulk_extractor
Notes
-------
bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
Help Text
-------
`bulk_extractor version 1.3 $Rev: 10606 $
Usage: bulk_extractor [options] imagefile
runs bulk extractor and outputs to stdout a summary of what was found where
Required parameters:
imagefile - the file to extract
or -R filedir - recurse through a directory of files
SUPPORT FOR E01 FILES COMPILED IN
SUPPORT FOR AFF FILES COMPILED IN
-o outdir - specifies output directory. Must not exist.
bulk_extractor creates this directory.
Options:
-b banner.txt- Add banner.txt contents to the top of every output file.
-r alert_list.txt - a file containing the alert list of features to alert
(can be a feature file or a list of globs)
(can be repeated.)
-w stop_list.txt - a file containing the stop list of features (white list
(can be a feature file or a list of globs)s
(can be repeated.)
-F <rfile> - Read a list of regular expressions from <rfile> to find
-f <regex> - find occurrences of <regex>; may be repeated.
results go into find.txt
-q nn - Quiet Rate; only print every nn status reports. Default 0; -1 for no status at all
Tuning parameters:
-C NN - specifies the size of the context window (default 16)
-G NN - specify the page size (default 16777216)
-g NN - specify margin (default 4194304)
-W n1:n2 - Specifies minimum and maximum word size
(default is -w6:14)
-B NN - Specify the blocksize for bulk data analysis (default 512)
-j NN - Number of analysis threads to run (default 4)
-M nn - sets max recursion depth (default 5)
Path Processing Mode:
-p <path>/f - print the value of <path> with a given format.
formats: r = raw; h = hex.
Specify -p - for interactive mode.
Specify -p -http for HTTP mode.
Parallelizing:
-Y <o1> - Start processing at o1 (o1 may be 1, 1K, 1M or 1G)
-Y <o1>-<o2> - Process o1-o2
-A <off> - Add <off> to all reported feature offsets
Debugging:
-h - print this message
-H - print detailed info on the scanners
-V - print version number
-z nn - start on page nn
-dN - debug mode (see source code
-Z - zap (erase) output directory
Control of Scanners:
-P <dir> - Specifies a plugin directory
-E scanner - turn off all scanners except scanner
-m <max> - maximum number of minutes to wait for memory starvation
default is 60
-s name=value - sets a bulk extractor option name to be value
-e bulk - enable scanner bulk
-e wordlist - enable scanner wordlist
-x accts - disable scanner accts
-x aes - disable scanner aes
-x base16 - disable scanner base16
-x base64 - disable scanner base64
-x elf - disable scanner elf
-x email - disable scanner email
-x exif - disable scanner exif
-x gps - disable scanner gps
-x gzip - disable scanner gzip
-x hiber - disable scanner hiber
-x json - disable scanner json
-x kml - disable scanner kml
-x net - disable scanner net
-x pdf - disable scanner pdf
-x vcard - disable scanner vcard
-x windirs - disable scanner windirs
-x winpe - disable scanner winpe
-x winprefetch - disable scanner winprefetch
-x zip - disable scanner zip
``
```
Example Usage
-------
Links
-------
[1] http://www.forensicswiki.org/wiki/Bulk_extractor
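Review bot: The Help Text fence is broken: the opener is a single backtick fused to the first line ('`bulk_extractor version 1.3 $Rev: 10606 $') and the close is a stray '``' followed by '```', so the block will not render as code. Put a '```' line of its own before 'bulk_extractor version 1.3' and delete the '``' line. Example Usage is empty; the minimal 'bulk_extractor -o outdir imagefile' form from the required-parameters section belongs there, with the note from the help that the '-o' directory must not already exist.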

41
tools/chkrootkit.md Normal file

@ -0,0 +1,41 @@
# chkrootkit
Notes
-------
```
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
* chkrootkit: a shell script that checks system binaries for rootkit modification.
* ifpromisc.c: checks if the network interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.
```
Help Text
-------
```
Usage: /usr/sbin/chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-e exclude known false positive files/dirs, quoted,
space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
```
Example Usage
-------
Links
-------
Homepage: http://www.chkrootkit.org/
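Review bot: The Notes section is wrapped in a code fence although it is prose plus a bullet list ('chkrootkit is a tool to locally check for signs of a rootkit. It contains: ...'); unfence it so it renders like the other pages. Links uses 'Homepage: http://www.chkrootkit.org/' where every other page in the PR uses a numbered '[1]' reference; match the house style. Example Usage is empty.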

58
tools/chntpw.md Normal file

@ -0,0 +1,58 @@
# chntpw
Notes
-------
This manual page documents briefly the chntpw command. This manual page was written for the Debian distribution because the original program does not have a manual page.
chntpw is a utility to view some information and change user passwords in a Windows NT/2000 SAM userdatabase file, usually located at \WINDOWS\system32\config\SAM on the Windows file system. It is not necessary to
know the old passwords to reset them. In addition it contains a simple registry editor (same size data writes) and hex-editor with which the information contained in a registry file can be browsed and modified.
Help Text
-------
```
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
chntpw: change password of a user in a NT/2k/XP/2k3/Vista SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u <user> Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!
```
Example Usage
-------
Mount the Windows file system and enters the directory \WINDOWS\system32\config where Windows stores the SAM database.
```
ntfs-3g /dev/sda1 /media/win ; cd /media/win/WINDOWS/system32/config/
```
Opens registry hives SAM and system and change administrator account. This will work even if the name
has been changed or it has been localized (since different language versions of NT use different
administrator names).
```
chntpw SAM system
```
Lists the users defined in the SAM registry file.
```
chntpw -l SAM
```
Prompts for password for jabbathehutt and changes it in the SAM registry file, if found (otherwise do nothing).
```
chntpw -u jabbathehutt SAM
```
Links
-------
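Review bot: in the Example Usage text, `Mount the Windows file system and enters the directory` and `Opens registry hives SAM and system and change administrator account` mix verb forms; use `Mount ... and enter` and `Open ... and change`. The first example chains with `;` (`ntfs-3g /dev/sda1 /media/win ; cd /media/win/WINDOWS/system32/config/`), so the `cd` runs even if the mount fails; `&&` is safer. The Notes paragraph opens with two sentences about the Debian man page that describe the man page, not the tool, and can be cut. Since `chntpw SAM system` and `-u` write to the hive (the help text's `-L` exists to record which files were changed), the page should say that on an evidence image only the read-only `-l` listing is appropriate and password changes belong on a working copy. Links is empty.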

199
tools/dc3dd.md Normal file

@ -0,0 +1,199 @@
# dc3dd
Notes
-------
dc3dd is a patched version of GNU dd with added features for computer forensics. It was developed at the DoD Cyber Crime Center by Jesse Kornblum. The first release, corresponding to Coreutils version 6.9.91, was published on 1 Feb 2008.[1]
Help Text
-------
```
------
usage:
------
dc3dd [OPTION 1] [OPTION 2] ... [OPTION N]
*or*
dc3dd [HELP OPTION]
where each OPTION is selected from the basic or advanced
options listed below, or HELP OPTION is selected from the
help options listed below.
--------------
basic options:
--------------
if=DEVICE or FILE Read input from a device or a file (see note #1
below for how to read from standard input). This
option can only be used once and cannot be
combined with ifs=, pat=, or tpat=.
ifs=BASE.FMT Read input from a set of files with base name
BASE and sequential file name extensions
conforming to the format specifier FMT (see note
#4 below for how to specify FMT). This option
can only be used once and cannot be combined with
if=, pat=, or tpat=.
of=FILE or DEVICE Write output to a file or device (see note #2
below for how to write to standard output). This
option can be used more than once (see note #3
below for how to generate multiple outputs).
hof=FILE or DEVICE Write output to a file or device, hash the
output file or device, and verify by comparing
the output hash(es) to the input hash(es). This
option can be used more than once (see note #3
below for how to generate multiple outputs).
ofs=BASE.FMT Write output to a set of files with base name BASE
and sequential file name extensions generated from
the format specifier FMT (see note #4 below for
how to specify FMT). This option can be used more
than once (see note #3 below for how to generate
multiple outputs). Specify the maximum size of
each file in the set using ofsz=.
hofs=BASE.FMT Write output to a set of files with base name BASE
and sequential file name extensions generated from
the format specifier FMT (see note #4 below for
how to specify FMT). Hash the output files and
verify by comparing the output hash(es) to the
input hash(es). This option can be used more than
once (see note #3 below for how to generate
multiple outputs). Specify the maximum size of
each file in the set using ofsz=.
ofsz=BYTES Set the maximum size of each file in the sets of
files specified using ofs= or hofs= to
BYTES (see note #5 below). A default value for
this option may be set at compile time using
-DDEFAULT_OUTPUT_FILE_SIZE followed by the desired
value in BYTES.
hash=ALGORITHM Compute an ALGORITHM hash of the input and also
of any outputs specified using hof=, hofs=, phod=,
or fhod=, where ALGORITHM is one of md5, sha1,
sha256, or sha512. This option may be used once
for each supported ALGORITHM. Alternatively,
hashing can be activated at compile time using one
or more of -DDEFAULT_HASH_MD5,-DDEFAULT_HASH_SHA1,
-DDEFAULT_HASH_SHA256, and -DDEFAULT_HASH_SHA512.
log=FILE Log I/O statistcs, diagnostics, and total hashes
of input and output to FILE. If hlog= is not
specified, piecewise hashes of multiple file
input and output are also logged to FILE. This
option can be used more than once to generate
multiple logs.
hlog=FILE Log total hashes and piecewise hashes to FILE.
This option can be used more than once to generate
multiple logs.
-----------------
advanced options:
-----------------
phod=DEVICE The same as hof=DEVICE, except only the bytes
written to DEVICE by dc3dd are verified. This
option can be used more than once (see note
#3 below for how to generate multiple outputs).
fhod=DEVICE The same as phod=DEVICE, with additional
hashing of the entire output DEVICE. This option
can be used more than once (see note #3 below
for how to generate multiple outputs).
rec=off By default, zeros are written to the output(s) in
place of bad sectors when the input is a device.
Use this option to cause the program to instead
exit when a bad sector is encountered.
wipe=DEVICE Wipe DEVICE by writing zeros (default) or a
pattern specified by pat= or tpat=.
hwipe=DEVICE Wipe DEVICE by writing zeros (default) or a
pattern specified by pat= or tpat=. Verify
DEVICE after writing it by hashing it and
comparing the hash(es) to the input hash(es).
pat=HEX Use pattern as input, writing HEX to every byte
of the output. This option can only be used once
and cannot be combined with if=, ifs=, or
tpat=.
tpat=TEXT Use text pattern as input, writing the string TEXT
repeatedly to the output. This option can only be
used once and cannot be combined with if=, ifs=,
or pat=.
cnt=SECTORS Read only SECTORS input sectors. Must be used
with pat= or tpat= if not using the pattern with
wipe= or hwipe= to wipe a device.
iskip=SECTORS Skip SECTORS sectors at start of the input device
or file.
oskip=SECTORS Skip SECTORS sectors at start of the output
file. Specifying oskip= automatically
sets app=on.
app=on Do not overwrite an output file specified with
of= if it already exists, appending output instead.
ssz=BYTES Unconditionally use BYTES (see note #5 below) bytes
for sector size. If ssz= is not specified,
sector size is determined by probing the device;
if the probe fails or the target is not a device,
a sector size of 512 bytes is assumed.
bufsz=BYTES Set the size of the internal byte buffers to BYTES
(see note #5 below). This effectively sets the
maximum number of bytes that may be read at a time
from the input. BYTES must be a multiple of sector
size. Use this option to fine-tune performance.
verb=on Activate verbose reporting, where sectors in/out
are reported for each file in sets of files
specified using ifs=, ofs=, or hofs=.
Alternatively, verbose reporting may be activated
at compile time using -DDEFAULT_VERBOSE_REPORTING.
nwspc=on Activate compact reporting, where the use
of white space to divide log output into
logical sections is suppressed. Alternatively,
compact reporting may be activated at compile
time using -DDEFAULT_COMPACT_REPORTING.
b10=on Activate base 10 bytes reporting, where the
progress display reports 1000 bytes instead
of 1024 bytes as 1 KB. Alternatively, base 10
bytes reporting may be activated at compile
time using -DDEFAULT_BASE_TEN_BYTES_REPORTING.
corruptoutput=on For verification testing and demonstration
purposes, corrupt the output file(s) with extra
bytes so a hash mismatch is guaranteed.
-------------
help options:
-------------
--help display this help and exit
--version output version information and exit
--flags display compile-time flags and exit
------
notes:
------
1. To read from stdin, do not specify if=, ifs=, pat=, or tpat=.
2. To write to stdout, do not specify of=, hof=, ofs=, hofs=, phod=,
fhod=, wipe=, or hwipe=.
3. To write to multiple outputs specify more than one of of=, hof=, ofs=,
hofs=, phod=, or fhod=, in any combination.
4. FMT is a pattern for a sequence of file extensions that can be numerical
starting at zero, numerical starting at one, or alphabetical. Specify FMT
by using a series of zeros, ones, or a's, respectively. The number of
characters used indicates the desired length of the extensions.
For example, a FMT specifier of 1111 indicates four character
numerical extensions starting with 0000.
5. BYTES may be followed by the following multiplicative suffixes:
c (1), w (2), b (512), kB (1000), K (1024), MB (1000*1000),
M (1024*1024), GB (1000*1000*1000), G (1024*1024*1024), and
so on for T, P, E, Z, and Y.
6. Consider using cnt=, iskip= and oskip= to work around
unreadable sectors if error recovery fails.
7. Sending an interrupt (e.g., CTRL+C) to dc3dd will cause
the program to report the work completed at the time
the interrupt is received and then exit.
Report bugs to <dc3dd@dc3.mil>.
dc3dd completed at 2014-04-22 14:11:52 -0500
```
Example Usage
-------
Links
-------
[1] http://www.forensicswiki.org/wiki/Dc3dd
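Review bot: the last line of the Help Text block, `dc3dd completed at 2014-04-22 14:11:52 -0500`, is a run timestamp captured along with the help output rather than part of the usage text and should be trimmed. Example Usage is empty even though the help text already documents the pieces an imaging example needs: `if=` for the source device, `hof=` for a hashed and verified output, `hash=sha256` (or md5, sha1, sha512) and `log=` for the audit record; one such invocation would show the verification the tool exists for. The `rec=off` entry also deserves a sentence next to that example, because by default bad sectors are zero-filled in the output, which affects what the image contains.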

126
tools/dcfldd.md Normal file

@ -0,0 +1,126 @@
# dcfldd
Notes
-------
dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab.[1]
Help Text
-------
```
Usage: dcfldd [OPTION]...
Copy a file, converting and formatting according to the options.
bs=BYTES force ibs=BYTES and obs=BYTES
cbs=BYTES convert BYTES bytes at a time
conv=KEYWORDS convert the file as per the comma separated keyword list
count=BLOCKS copy only BLOCKS input blocks
ibs=BYTES read BYTES bytes at a time
if=FILE read from FILE instead of stdin
obs=BYTES write BYTES bytes at a time
of=FILE write to FILE instead of stdout
NOTE: of=FILE may be used several times to write
output to multiple files simultaneously
of:=COMMAND exec and write output to process COMMAND
seek=BLOCKS skip BLOCKS obs-sized blocks at start of output
skip=BLOCKS skip BLOCKS ibs-sized blocks at start of input
pattern=HEX use the specified binary pattern as input
textpattern=TEXT use repeating TEXT as input
errlog=FILE send error messages to FILE as well as stderr
hashwindow=BYTES perform a hash on every BYTES amount of data
hash=NAME either md5, sha1, sha256, sha384 or sha512
default algorithm is md5. To select multiple
algorithms to run simultaneously enter the names
in a comma separated list
hashlog=FILE send MD5 hash output to FILE instead of stderr
if you are using multiple hash algorithms you
can send each to a separate file using the
convention ALGORITHMlog=FILE, for example
md5log=FILE1, sha1log=FILE2, etc.
hashlog:=COMMAND exec and write hashlog to process COMMAND
ALGORITHMlog:=COMMAND also works in the same fashion
hashconv=[before|after] perform the hashing before or after the conversions
hashformat=FORMAT display each hashwindow according to FORMAT
the hash format mini-language is described below
totalhashformat=FORMAT display the total hash value according to FORMAT
status=[on|off] display a continual status message on stderr
default state is "on"
statusinterval=N update the status message every N blocks
default value is 256
sizeprobe=[if|of] determine the size of the input or output file
for use with status messages. (this option
gives you a percentage indicator)
WARNING: do not use this option against a
tape device.
split=BYTES write every BYTES amount of data to a new file
This operation applies to any of=FILE that follows
splitformat=TEXT the file extension format for split operation.
you may use any number of 'a' or 'n' in any combo
the default format is "nnn"
NOTE: The split and splitformat options take effect
only for output files specified AFTER these
options appear in the command line. Likewise,
you may specify these several times for
for different output files within the same
command line. you may use as many digits in
any combination you would like.
(e.g. "anaannnaana" would be valid, but
quite insane)
vf=FILE verify that FILE matches the specified input
verifylog=FILE send verify results to FILE instead of stderr
verifylog:=COMMAND exec and write verify results to process COMMAND
--help display this help and exit
--version output version information and exit
The structure of of FORMAT may contain any valid text and special variables.
The built-in variables are used the following format: #variable_name#
To pass FORMAT strings to the program from a command line, it may be
necessary to surround your FORMAT strings with "quotes."
The built-in variables are listed below:
window_start The beginning byte offset of the hashwindow
window_end The ending byte offset of the hashwindow
block_start The beginning block (by input blocksize) of the window
block_end The ending block (by input blocksize) of the hash window
hash The hash value
algorithm The name of the hash algorithm
For example, the default FORMAT for hashformat and totalhashformat are:
hashformat="#window_start# - #window_end#: #hash#"
totalhashformat="Total (#algorithm#): #hash#"
The FORMAT structure accepts the following escape codes:
\n Newline
\t Tab
\r Carriage return
\\ Insert the '\' character
## Insert the '#' character as text, not a variable
BLOCKS and BYTES may be followed by the following multiplicative suffixes:
xM M, c 1, w 2, b 512, kD 1000, k 1024, MD 1,000,000, M 1,048,576,
GD 1,000,000,000, G 1,073,741,824, and so on for T, P, E, Z, Y.
Each KEYWORD may be:
ascii from EBCDIC to ASCII
ebcdic from ASCII to EBCDIC
ibm from ASCII to alternated EBCDIC
block pad newline-terminated records with spaces to cbs-size
unblock replace trailing spaces in cbs-size records with newline
lcase change upper case to lower case
notrunc do not truncate the output file
ucase change lower case to upper case
swab swap every pair of input bytes
noerror continue after read errors
sync pad every input block with NULs to ibs-size; when used
with block or unblock, pad with spaces rather than NULs
Report bugs to <nicholasharbour@yahoo.com>.
```
Example Usage
-------
Links
-------
[1] http://www.forensicswiki.org/wiki/Dcfldd
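Review bot: Example Usage is empty; the help text documents `hash=`, `hashlog=`, `hashwindow=`, `vf=` and `conv=noerror,sync`, which together cover the typical forensic copy (image the device, log piecewise hashes, verify the copy against the source with `vf=`), so one invocation built from those would make the page self-contained. If `sizeprobe=` is shown in that example, repeat the help text's WARNING about tape devices beside it.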

51
tools/ddrescue.md Normal file

@ -0,0 +1,51 @@
# ddrescue
Notes
-------
dd_rescue copies data from one file (or block device) to another.
Help Text
-------
```
dd_rescue Version 1.28, garloff@suse.de, GNU GPL
($Id: dd_rescue.c,v 1.130 2012/05/19 20:46:14 garloff Exp $)
(compiled Dec 15 2012 12:04:22 by gcc (Debian 4.7.2-4) 4.7.2)
(features: O_DIRECT splice )
dd_rescue copies data from one file (or block device) to another.
USAGE: dd_rescue [options] infile outfile
Options: -s ipos start position in input file (default=0),
-S opos start position in output file (def=ipos),
-b softbs block size for copy operation (def=65536, 1048576 for -d),
-B hardbs fallback block size in case of errs (def=4096, 512 for -d),
-e maxerr exit after maxerr errors (def=0=infinite),
-m maxxfer maximum amount of data to be transfered (def=0=inf),
-y syncfrq frequency of fsync calls on outfile (def=512*softbs),
-l logfile name of a file to log errors and summary to (def=""),
-o bbfile name of a file to log bad blocks numbers (def=""),
-r reverse direction copy (def=forward),
-t truncate output file (def=no),
-d/D use O_DIRECT for input/output (def=no),
-k use efficient in-kernel zerocopy splice
-w abort on Write errors (def=no),
-a spArse file writing (def=no),
-A Always write blocks, zeroed if err (def=no),
-i interactive: ask before overwriting data (def=no),
-f force: skip some sanity checks (def=no),
-p preserve: preserve ownership / perms (def=no),
-q quiet operation,
-v verbose operation,
-V display version and exit,
-h display this help and exit.
Sizes may be given in units b(=512), k(=1024), M(=1024^2) or G(1024^3) bytes
This program is useful to rescue data in case of I/O errors, because
it does not necessarily abort or truncate the output.
```
Example Usage
-------
Links
-------
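Review bot: the file is named `tools/ddrescue.md` and titled `# ddrescue`, but the captured help text (`dd_rescue Version 1.28, garloff@suse.de, GNU GPL`) belongs to Kurt Garloff's `dd_rescue`, a different program from GNU ddrescue; rename the page or state in Notes which tool it covers so readers do not run the wrong binary. Example Usage and Links are empty; the `-l logfile` and `-o bbfile` options in the help text are the ones a forensics user wants (summary log and bad-block list), so a single `dd_rescue -l ... -o ... infile outfile` example would help. The Notes line only repeats the first sentence of the help text.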

18
tools/dff-gui.md Normal file

@ -0,0 +1,18 @@
# dff-gui
Notes
-------
Help Text
-------
```
GUI for the Digital Forensics Framework.
```
Example Usage
-------
Just execute "dff-gui" to open the GUI environment
Links
-------
[1] http://www.digital-forensic.org/
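Review bot: the Help Text block holds a one-line description (`GUI for the Digital Forensics Framework.`) rather than captured help output, while Notes is empty; move that sentence to Notes and either capture the real help output or drop the block. The Example Usage sentence is missing its final period.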

31
tools/dff.md Normal file

@ -0,0 +1,31 @@
# dff
Notes
-------
Digital Forensics Framework dff is a simple but powerful open source tool with a flexible module system which will help you in your digital forensics works, including files recovery due to error or crash, evidence research and analysis, etc. The source code is written in C++ and Python, allowing performances and great extensibility.
Help Text
-------
```
DFF
Digital Forensic Framework
Usage: /usr/bin/dff [options]
Options:
-v --version display current version
-g --graphical launch graphical interface
-b --batch=FILENAME executes batch contained in FILENAME
-l --language=LANG use LANG as interface language
-h --help display this help message
-d --debug redirect IO to system console
--verbosity=LEVEL set verbosity level when debugging [0-3]
-c --config=FILEPATH use config file from FILEPATH
```
Example Usage
-------
Links
-------
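Review bot: Links is empty although the companion `tools/dff-gui.md` in this commit lists `[1] http://www.digital-forensic.org/`; the same reference applies here. In Notes, `allowing performances and great extensibility` reads as a translation artefact; `allowing good performance and extensibility` is clearer, and `files recovery due to error or crash` should be `file recovery`. Example Usage is empty; the help text's `-b --batch=FILENAME` and `-c --config=FILEPATH` are the options worth one non-GUI example.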

92
tools/ewfacquire.md Normal file

@ -0,0 +1,92 @@
# ewfacquire
Notes
-------
ewfacquire is a utility to acquire media data from a source and store it in EWF format (Expert Witness Compression Format). ewfacquire acquires media data in a format equivalent to EnCase and FTK imager, including meta data. Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS-X/Darwin ewfacquire supports reading directly from device files. On other platforms ewfacquire can convert a raw (dd) image into the EWF format.
ewfacquire is part of the libewf package. libewf is a library to access the Expert Witness Compression Format (EWF).
Help Text
-------
```
ewfacquire 20130416
Use ewfacquire to acquire data from a file or device and store it in the EWF
format (Expert Witness Compression Format).
Usage: ewfacquire [ -A codepage ] [ -b number_of_sectors ]
[ -B number_of_bytes ] [ -c compression_values ]
[ -C case_number ] [ -d digest_type ] [ -D description ]
[ -e examiner_name ] [ -E evidence_number ] [ -f format ]
[ -g number_of_sectors ] [ -l log_filename ]
[ -m media_type ] [ -M media_flags ] [ -N notes ]
[ -o offset ] [ -p process_buffer_size ]
[ -P bytes_per_sector ] [ -r read_error_retries ]
[ -S segment_file_size ] [ -t target ] [ -T toc_file ]
[ -2 secondary_target ] [ -hqRsuvVw ] source
source: the source file(s) or device
-A: codepage of header section, options: ascii (default),
windows-874, windows-932, windows-936, windows-949,
windows-950, windows-1250, windows-1251, windows-1252,
windows-1253, windows-1254, windows-1255, windows-1256,
windows-1257 or windows-1258
-b: specify the number of sectors to read at once (per chunk),
options: 16, 32, 64 (default), 128, 256, 512, 1024, 2048, 4096,
8192, 16384 or 32768
-B: specify the number of bytes to acquire (default is all bytes)
-c: specify the compression values as: level or method:level
compression method options: deflate (default), bzip2
(bzip2 is only supported by EWF2 formats)
compression level options: none (default), empty-block,
fast or best
-C: specify the case number (default is case_number).
-d: calculate additional digest (hash) types besides md5, options:
sha1, sha256
-D: specify the description (default is description).
-e: specify the examiner name (default is examiner_name).
-E: specify the evidence number (default is evidence_number).
-f: specify the EWF file format to write to, options: ewf, smart,
ftk, encase2, encase3, encase4, encase5, encase6 (default),
encase7, encase7-v2, linen5, linen6, linen7, ewfx
-g specify the number of sectors to be used as error granularity
-h: shows this help
-l: logs acquiry errors and the digest (hash) to the log_filename
-m: specify the media type, options: fixed (default), removable,
optical, memory
-M: specify the media flags, options: logical, physical (default)
-N: specify the notes (default is notes).
-o: specify the offset to start to acquire (default is 0)
-p: specify the process buffer size (default is the chunk size)
-P: specify the number of bytes per sector (default is 512)
(use this to override the automatic bytes per sector detection)
-q: quiet shows minimal status information
-r: specify the number of retries when a read error occurs (default
is 2)
-R: resume acquiry at a safe point
-s: swap byte pairs of the media data (from AB to BA)
(use this for big to little endian conversion and vice versa)
-S: specify the segment file size in bytes (default is 1.4 GiB)
(minimum is 1.0 MiB, maximum is 7.9 EiB for encase6
and encase7 format and 1.9 GiB for other formats)
-t: specify the target file (without extension) to write to
-T: specify the file containing the table of contents (TOC) of
an optical disc. The TOC file must be in the CUE format.
-u: unattended mode (disables user interaction)
-v: verbose output to stderr
-V: print version
-w: zero sectors on read error (mimic EnCase like behavior)
-2: specify the secondary target file (without extension) to write
to
```
Example Usage
-------
Links
-------
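Review bot: Example Usage is empty; the help text already lists the case metadata options (`-C`, `-E`, `-e`, `-D`, `-N`), `-d sha256` for an extra digest beside the always-computed md5, `-l` for the acquiry log and `-t` for the target base name, so one unattended (`-u`) acquisition of a device with those set would document the intended workflow. State next to it that `-w` zero-fills sectors on read error, because that changes what the resulting image contains. Links is empty; the libewf project page would fit the `[1]` style used elsewhere.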

84
tools/ewfacquirestream.md Normal file

@ -0,0 +1,84 @@
# ewfacquirestream
Notes
-------
ewfacquirestream is a utility to acquire media data from stdin and store it in EWF format (Expert Witness Format). ewfacquirestream acquires media data in a format equivalent to EnCase and FTK imager, including meta data.Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS-X/Darwin
ewfacquirestream is part of the libewf package. libewf is a library to access the Expert Witness Compression Format (EWF).
Help Text
-------
```
ewfacquirestream 20130416
Use ewfacquirestream to acquire data from a pipe and store it in the EWF format
(Expert Witness Compression Format).
Usage: ewfacquirestream [ -A codepage ] [ -b number_of_sectors ]
[ -B number_of_bytes ] [ -c compression_values ]
[ -C case_number ] [ -d digest_type ]
[ -D description ] [ -e examiner_name ]
[ -E evidence_number ] [ -f format ]
[ -l log_filename ] [ -m media_type ]
[ -M media_flags ] [ -N notes ]
[ -o offset ] [ -p process_buffer_size ]
[ -P bytes_per_sector ] [ -S segment_file_size ]
[ -t target ] [ -2 secondary_target ]
[ -hqsvV ]
Reads data from stdin
-A: codepage of header section, options: ascii (default),
windows-874, windows-932, windows-936, windows-949,
windows-950, windows-1250, windows-1251, windows-1252,
windows-1253, windows-1254, windows-1255, windows-1256,
windows-1257 or windows-1258
-b: specify the number of sectors to read at once (per chunk), options:
16, 32, 64 (default), 128, 256, 512, 1024, 2048, 4096, 8192, 16384
or 32768
-B: specify the number of bytes to acquire (default is all bytes)
-c: specify the compression values as: level or method:level
compression method options: deflate (default), bzip2
(bzip2 is only supported by EWF2 formats)
compression level options: none (default), empty-block,
fast or best
-C: specify the case number (default is case_number).
-d: calculate additional digest (hash) types besides md5, options:
sha1, sha256
-D: specify the description (default is description).
-e: specify the examiner name (default is examiner_name).
-E: specify the evidence number (default is evidence_number).
-f: specify the EWF file format to write to, options: ftk, encase2,
encase3, encase4, encase5, encase6 (default), encase7, linen5,
linen6, linen7, ewfx
-h: shows this help
-l: logs acquiry errors and the digest (hash) to the log_filename
-m: specify the media type, options: fixed (default), removable,
optical, memory
-M: specify the media flags, options: logical, physical (default)
-N: specify the notes (default is notes).
-o: specify the offset to start to acquire (default is 0)
-p: specify the process buffer size (default is the chunk size)
-P: specify the number of bytes per sector (default is 512)
-q: quiet shows minimal status information
-s: swap byte pairs of the media data (from AB to BA)
(use this for big to little endian conversion and vice versa)
-S: specify the segment file size in bytes (default is 1.4 GiB)
(minimum is 1.0 MiB, maximum is 7.9 EiB for encase6 and
encase7 format and 1.9 GiB for other formats)
-t: specify the target file (without extension) to write to (default
is image)
-v: verbose output to stderr
-V: print version
-2: specify the secondary target file (without extension) to write to
```
Example Usage
-------
Links
-------
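Review bot: the Notes paragraph is cut off: `including meta data.Under Linux, FreeBSD, NetBSD, OpenBSD, MacOS-X/Darwin` is missing a space after the period and the sentence after the OS list never completes (compare the same paragraph in `tools/ewfacquire.md`). The usage line has no source argument and the help text says `Reads data from stdin`, so the device-file sentence from ewfacquire does not apply here; drop the fragment. Example Usage is empty; one pipeline feeding the tool on stdin with `-t`, `-C` and `-E` set would show how it differs from ewfacquire.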

74
tools/ewfexport.md Normal file

@ -0,0 +1,74 @@
# ewfexport
Notes
-------
ewfexport is a utility to export media data stored in EWF files.
ewfexport is part of the libewf package. libewf is a library to access the Expert Witness Compression Format (EWF).
Help Text
-------
```
ewfexport 20130416
Use ewfexport to export data from the EWF format (Expert Witness Compression
Format) to raw data or another EWF format.
Usage: ewfexport [ -A codepage ] [ -b number_of_sectors ]
[ -B number_of_bytes ] [ -c compression_values ]
[ -d digest_type ] [ -f format ] [ -l log_filename ]
[ -o offset ] [ -p process_buffer_size ]
[ -S segment_file_size ] [ -t target ] [ -hqsuvVw ] ewf_files
ewf_files: the first or the entire set of EWF segment files
-A: codepage of header section, options: ascii (default),
windows-874, windows-932, windows-936, windows-949,
windows-950, windows-1250, windows-1251, windows-1252,
windows-1253, windows-1254, windows-1255, windows-1256,
windows-1257 or windows-1258
-b: specify the number of sectors to read at once (per chunk),
options: 16, 32, 64 (default), 128, 256, 512, 1024, 2048,
4096, 8192, 16384 or 32768 (not used for raw and files
formats)
-B: specify the number of bytes to export (default is all bytes)
-c: specify the compression values as: level or method:level
compression method options: deflate (default), bzip2
(bzip2 is only supported by EWF2 formats)
compression level options: none (default), empty-block,
fast or best
-d: calculate additional digest (hash) types besides md5,
options: sha1, sha256 (not used for raw and files format)
-f: specify the output format to write to, options:
raw (default), files (restricted to logical volume files), ewf,
smart, encase1, encase2, encase3, encase4, encase5, encase6,
encase7, encase7-v2, linen5, linen6, linen7, ewfx
-h: shows this help
-l: logs export errors and the digest (hash) to the log_filename
-o: specify the offset to start the export (default is 0)
-p: specify the process buffer size (default is the chunk size)
-q: quiet shows minimal status information
-s: swap byte pairs of the media data (from AB to BA)
(use this for big to little endian conversion and vice
versa)
-S: specify the segment file size in bytes (default is 1.4 GiB)
(minimum is 1.0 MiB, maximum is 7.9 EiB for raw, encase6
and encase7 format and 1.9 GiB for other formats)
(not used for files format)
-t: specify the target file to export to, use - for stdout
(default is export) stdout is only supported for the raw
format
-u: unattended mode (disables user interaction)
-v: verbose output to stderr
-V: print version
-w: zero sectors on checksum error (mimic EnCase like behavior)
```
Example Usage
-------
Links
-------
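Review bot: Example Usage and Links are empty; the help text's `-f raw` (the default) with `-t -` for stdout is the combination that lets an EWF image be fed to tools that only read raw data, and `-d sha256` with `-l` records the digest of the exported data, so one example covering those would be useful. The help text also notes that `-w` zero-fills sectors on checksum error, which is worth stating beside the example since it silently changes the exported data.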

46
tools/ewfinfo.md Normal file

@ -0,0 +1,46 @@
# ewfinfo
Notes
-------
ewfinfo is a utility to show meta data stored in EWF files.
ewfinfo is part of the libewf package. libewf is a library to access the Expert Witness Compression Format (EWF).
Help Text
-------
```
ewfinfo 20130416
Use ewfinfo to determine information about the EWF format (Expert Witness
Compression Format).
Usage: ewfinfo [ -A codepage ] [ -d date_format ] [ -f format ]
[ -ehimvVx ] ewf_files
ewf_files: the first or the entire set of EWF segment files
-A: codepage of header section, options: ascii (default),
windows-874, windows-932, windows-936, windows-949,
windows-950, windows-1250, windows-1251, windows-1252,
windows-1253, windows-1254, windows-1255, windows-1256,
windows-1257 or windows-1258
-d: specify the date format, options: ctime (default),
dm (day/month), md (month/day), iso8601
-e: only show EWF read error information
-f: specify the output format, options: text (default),
dfxml
-h: shows this help
-i: only show EWF acquiry information
-m: only show EWF media information
-v: verbose output to stderr
-V: print version
```
Example Usage
-------
Links
-------
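Review bot: Example Usage and Links are empty; ewfinfo is the tool that confirms the acquisition metadata recorded by ewfacquire, so a one-liner with `-f dfxml` (machine-readable output) or `-i` (acquiry information only) from the help text would be enough, with `-d iso8601` if dates are going into a report.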

49
tools/ewfverify.md Normal file

@ -0,0 +1,49 @@
# ewfverify
Notes
-------
ewfverify is a utility to verify media data stored in EWF files.
ewfverify is part of the libewf package. libewf is a library to access the Expert Witness Compression Format (EWF).
Help Text
-------
```
ewfverify 20130416
Use ewfverify to verify data stored in the EWF format (Expert Witness
Compression Format).
Usage: ewfverify [ -A codepage ] [ -d digest_type ] [ -f format ]
[ -l log_filename ] [ -p process_buffer_size ]
[ -hqvVw ] ewf_files
ewf_files: the first or the entire set of EWF segment files
-A: codepage of header section, options: ascii (default),
windows-874, windows-932, windows-936, windows-949,
windows-950, windows-1250, windows-1251, windows-1252,
windows-1253, windows-1254, windows-1255, windows-1256,
windows-1257 or windows-1258
-d: calculate additional digest (hash) types besides md5,
options: sha1, sha256
-f: specify the input format, options: raw (default),
files (restricted to logical volume files)
-h: shows this help
-l: logs verification errors and the digest (hash) to the
log_filename
-p: specify the process buffer size (default is the chunk size)
-q: quiet shows minimal status information
-v: verbose output to stderr
-V: print version
-w: zero sectors on checksum error (mimic EnCase like behavior)
```
Example Usage
-------
Links
-------
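Review bot: Example Usage and Links are empty; since this is the verification step of the acquisition workflow covered by the other ewf* files, an example with `-d sha256 -l verify.log` (both in the help text) so that the computed digests are logged beside the acquisition log is worth adding. If `-w` is shown, say that it zero-fills sectors on checksum error, as the help text does.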

54
tools/extundelete.md Normal file

@ -0,0 +1,54 @@
# extundelete
Notes
-------
extundelete is a utility that can recover deleted files from an ext3 or ext4 partition.
Help Text
-------
```
Usage: extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RESTORED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/' (it
must be one of the paths returned by --dump-names).
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--output-dir 'path' Restore files in the output dir 'path'.
By default the restored files are created under current directory 'RECOVERED_FILES'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
```
Example Usage
-------
extundelete is designed to undelete files from an unmounted partition to a separate (mounted) partition. extundelete will restore any files it finds to a subdirectory of the current directory named “RECOVERED_FILES”. To run the program, type “extundelete --help” to see various options available to you.
Typical usage to restore all deleted files from a partition looks like this:
$ extundelete /dev/sda4 --restore-all
Links
-------
http://extundelete.sourceforge.net/
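Review bot: the example command "$ extundelete /dev/sda4 --restore-all" is not fenced, unlike the examples on the jls and mmls pages in this commit; put it in a ``` block like the Help Text. Two documentation points: the Notes say recovered files land in RECOVERED_FILES while the --restore-inode help text says ./RESTORED_FILES, so state which directory the packaged version actually uses; and the "unmounted partition" requirement deserves its own sentence, since recovering from a mounted partition, or restoring onto the same partition, overwrites the very blocks being recovered. The curly quotes around “RECOVERED_FILES” and “extundelete --help” should be straight quotes, and the "type extundelete --help" sentence repeats the Help Text section above it.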

27
tools/ffind.md Normal file

@ -0,0 +1,27 @@
# ffind
Notes
-------
Help Text
-------
```
usage: ffind [-aduvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inode
-a: Find all occurrences
-d: Find deleted entries ONLY
-u: Find undeleted entries ONLY
-f fstype: Image file system type (use '-f list' for supported types)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: The offset of the file system in the image (in sectors)
-v: Verbose output to stderr
-V: Print version
```
Example Usage
-------
Links
-------
[1] http://www.forensicswiki.org/wiki/The_Sleuth_Kit_How-To
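Review bot: the Notes section under "# ffind" is empty, and link [1] is never cited in the text. One line saying that ffind finds the file name(s) that refer to a given inode (the reverse of fls and istat, which go from a name or inode to its metadata) would make the page usable without the man page, and an example such as "ffind -a image.dd 1234" (-a to list every name pointing at the inode, as the help text describes) would fill the empty Example Usage.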

38
tools/fls.md Normal file

@ -0,0 +1,38 @@
# fls
Notes
-------
Create a file listing of an image
Help Text
-------
```
usage: fls [-adDFlpruvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-m dir/] [-o imgoffset] [-z ZONE] [-s seconds] image [images] [inode]
If [inode] is not given, the root directory is used
-a: Display "." and ".." entries
-d: Display deleted entries only
-D: Display only directories
-F: Display only files
-l: Display long version (like ls -l)
-i imgtype: Format of image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-m: Display output in mactime input format with
dir/ as the actual mount point of the image
-o imgoffset: Offset into image file (in sectors)
-p: Display full path for each file
-r: Recurse on directory entries
-u: Display undeleted entries only
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)
```
Example Usage
-------
Links
-------
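Review bot: Example Usage and Links are empty on a page whose -m option produces the input the mactime-sleuthkit page in this same commit requires ("fls -m"). Add the body-file example here, e.g. "fls -r -m / image.dd > body.txt", and a recursive listing such as "fls -r -p image.dd" (-p for full paths, -r to recurse, both from the help text), so the two pages point at each other. The Notes line "Create a file listing of an image" needs a full stop.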

36
tools/foremost.md Normal file

@ -0,0 +1,36 @@
# foremost
Notes
-------
foremost is a forensics application to recover files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.[1]
Help Text
-------
```
foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus.
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>]
[-b <size>] [-c <file>] [-o <dir>] [-i <file]
-V - display copyright information and exit
-t - specify file type. (-t jpeg,pdf ...)
-d - turn on indirect block detection (for UNIX file-systems)
-i - specify input file (default is stdin)
-a - Write all headers, perform no error detection (corrupted files)
-w - Only write the audit file, do not write any detected files to the disk
-o - set output directory (defaults to output)
-c - set configuration file to use (defaults to foremost.conf)
-q - enables quick mode. Search are performed on 512 byte boundaries.
-Q - enables quiet mode. Suppress output messages.
-v - verbose mode. Logs all messages to screen
```
Example Usage
-------
foremost -t jpeg -i /dev/sda1
Will search /dev/sda1 for deleted .jpeg files. Output is restored to <current_dir>/output/ . Within this output folder you will find an audit.txt logfile and a subfolder with restored files.
Links
-------
[1] http://www.howtoforge.com/recover-deleted-files-with-foremost
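Review bot: "Will search /dev/sda1 for deleted .jpeg files" overstates what the example does: foremost carves any data on the device that matches the JPEG header and footer, allocated or not, so the output directory will contain live files as well as deleted ones. Reword to "carve JPEG files" and fence the command "foremost -t jpeg -i /dev/sda1" like the other examples in this commit. Since the Notes say -i also takes dd images, show the image-file form so the example does not suggest carving from a live disk; the "Output is restored to <current_dir>/output/" sentence matches the "-o ... (defaults to output)" help line and is fine.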

64
tools/fsstat.md Normal file

@ -0,0 +1,64 @@
# fsstat
Notes
-------
fsstat - Display general details of a file system image
Help Text
-------
```
usage: fsstat [-tvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image
-t: display type only
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: Print version
```
Example Usage
-------
Example from wiki.sleuthkit.org [2]
```
# fsstat images/hda1.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: EXT3FS
<...>
Group: 0:
Inode Range: 1 - 15392
Block Range: 0 - 32767
Super Block: 0 - 0
Group Descriptor Table: 1 - 1
Data bitmap: 2 - 2
Inode bitmap: 3 - 3
Inode Table: 4 - 484
Data Blocks: 485 - 32767
Group: 1:
Inode Range: 15393 - 30784
Block Range: 32768 - 65535
Super Block: 32768 - 32768
Group Descriptor Table: 32769 - 32769
Data bitmap: 32770 - 32770
Inode bitmap: 32771 - 32771
Inode Table: 32772 - 33252
Data Blocks: 33253 - 65535
Group: 2:
Inode Range: 30785 - 46176
Block Range: 65536 - 98303
Data bitmap: 65536 - 65536
Inode bitmap: 65537 - 65537
Inode Table: 65540 - 66020
Data Blocks: 65538 - 65539, 66021 - 98303
<...>
```
Links
-------
[1] http://www.sleuthkit.org/sleuthkit/man/fsstat.html
[2] http://wiki.sleuthkit.org/index.php?title=FS_Analysis
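Review bot: in the quoted output, "Group: 2:" has no Super Block or Group Descriptor Table lines while groups 0 and 1 do; that is correct output, not a copy error, because ext3 with the sparse_super feature keeps superblock backups only in groups 0, 1 and powers of 3, 5 and 7. A short sentence saying so would stop a later editor from "fixing" it. Link [1] (the man page) is never cited in the text, and the example prompt is "#" although reading an image file needs no root privileges.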

20
tools/galleta.md Normal file

@ -0,0 +1,20 @@
# galleta
Notes
-------
A Internet Explorer Cookie Forensic Analysis Tool.
Help Text
-------
```
Usage:
galleta [options] <filename>
-t Field Delimiter (TAB by default)
```
Example Usage
-------
Links
-------
[1] http://www.mcafee.com/us/downloads/free-tools/galleta.aspx
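Review bot: typo in the Notes: "A Internet Explorer Cookie Forensic Analysis Tool" should read "An Internet Explorer ...". Example Usage is empty; since the help text takes a single <filename>, an example such as "galleta cookiefile.txt > cookies.tsv" (with -t to change the delimiter) would show that output goes to stdout and has to be redirected.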

19
tools/guymager.md Normal file

@ -0,0 +1,19 @@
# guymager
Notes
-------
GUYMAGER is a Linux-based GUI forensic imaging tool
Help Text
-------
```
A GUI based forensic imaging tool.
```
Example Usage
-------
Executing "guymager" will open up the GUI
Links
-------
[1] http://guymager.sourceforge.net/
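Review bot: the Help Text fence contains the sentence "A GUI based forensic imaging tool." rather than any program output; either say plainly that guymager has no command-line help or drop the fence. The Notes could carry the facts an examiner needs instead: Guymager writes raw (dd), EWF (E01) and AFF images and can verify the image hash after acquisition. "GUYMAGER" in the Notes should match the lowercase spelling used in the heading and in the Example line.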

62
tools/hfind.md Normal file

@ -0,0 +1,62 @@
# hfind.md
Notes
-------
hfind - Lookup a hash value in a hash database
Help Text
-------
```
usage: hfind [-eqV] [-f lookup_file] [-i db_type] db_file [hashes]
-e: Extended mode - where values other than just the name are printed
-q: Quick mode - where a 1 is printed if it is found, else 0
-V: Print version to STDOUT
-f lookup_file: File with one hash per line to lookup
-i db_type: Create index file for a given hash database type
db_file: The location of the original hash database
[hashes]: hashes to lookup (STDIN is used otherwise)
Supported types: nsrl-md5, nsrl-sha1, md5sum, hk
```
Example Usage
-------
```
To create an MD5 index file for NIST NSRL:
* hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
To lookup a value in the NSRL:
* hfind /usr/local/hash/nsrl/NSRLFile.txt 76b1f4de1522c20b67acc132937cf82e
76b1f4de1522c20b67acc132937cf82e Hash Not Found
You can even do both SHA-1 and MD5 if you want:
* hfind -i nsrl-sha1 /usr/local/hash/nsrl/NSRLFile.txt
* hfind /usr/local/hash/nsrl/NSRLFile.txt
76b1f4de1522c20b67acc132937cf82e
80001A80B3F1B80076B297CEE8805AAA04E1B5BA
76b1f4de1522c20b67acc132937cf82e Hash Not Found
80001A80B3F1B80076B297CEE8805AAA04E1B5BA thrdcore.cpp
To make a database of critical binaries of a trusted system, use md5sum:
* md5sum /bin/* /sbin/* /usr/bin/* /usr/bin/* /usr/local/bin/* /usr/local/sbin/* > system.md5
* hfind -i md5sum system.md5
To look entries up, the following will work:
* hfind system.md5 76b1f4de1522c20b67acc132937cf82e
76b1f4de1522c20b67acc132937cf82e Hash Not Found
or
* md5sum -q /bin/* | hfind system.md5
928682269cd3edb1acdf9a7f7e606ff2 /bin/bash
<...>
or
* md5sum -q /bin/* > bin.md5
* hfind -f bin.md5 system.md5
928682269cd3edb1acdf9a7f7e606ff2 /bin/bash
<...>
```
Links
-------
[1] http://www.sleuthkit.org/sleuthkit/man/hfind.html
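Review bot: the heading "# hfind.md" carries the file extension, unlike every other page in this commit; change it to "# hfind". In the md5sum line "/bin/* /sbin/* /usr/bin/* /usr/bin/* /usr/local/bin/* ...", /usr/bin/* appears twice and /usr/sbin/* is missing. The lines "md5sum -q /bin/* | hfind system.md5" and "md5sum -q /bin/* > bin.md5" will fail on GNU coreutils, where md5sum has no -q option (that is the BSD md5 flag); on Linux use "md5sum /bin/* | cut -d' ' -f1 | hfind system.md5". The Example Usage block also mixes prose and "*" bullets inside one code fence, so the bullets render as literal asterisks.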

29
tools/icat-sleuthkit.md Normal file

@ -0,0 +1,29 @@
# icat-sleuthkit
Notes
-------
icat-sleuthkit - Output the contents of a file based on its inode number.
Help Text
-------
```
usage: icat-sleuthkit [-hHsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inum[-typ[-id]]
-h: Do not display holes in sparse files
-r: Recover deleted file
-R: Recover deleted file and suppress recovery errors
-s: Display slack space at end of file
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose to stderr
-V: Print version
```
Example Usage
-------
Links
-------
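Review bot: the usage line "usage: icat-sleuthkit [-hHsvV] ..." does not agree with the option list under it: -H is in the flags but never described, while -r and -R are described but absent from the flags; check against the installed binary's output. Example Usage and Links are empty; an example like "icat-sleuthkit -r -f ext3 image.dd 12345 > recovered.bin" (inode from fls, -r to recover a deleted file as described above) and the Sleuth Kit man-page link used on the fsstat and hfind pages would complete the page.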

26
tools/img_cat.md Normal file

@ -0,0 +1,26 @@
# img_cat
Notes
-------
img_cat outputs the contents of an image file. Image files that are not raw will have embedded data and metadata. img_cat will output only the data. This allows you to convert an embedded format to raw or to calculate the MD5 hash of the data by piping the output to the appropriate tool.
Help Text
-------
```
usage: img_cat [-vV] [-i imgtype] [-b dev_sector_size] [-s start_sector] [-e stop_sector] image
-i imgtype: The format of the image file (use 'i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-s start_sector: The sector number to start at
-e stop_sector: The sector number to stop at
-v: verbose output to stderr
-V: Print version
```
Example Usage
-------
Links
-------
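Review bot: the Notes already describe the main use (piping the raw data to a hash tool), but Example Usage and Links are empty. Add the pipeline the Notes describe, e.g. "img_cat image.E01 | md5sum", and one sentence that comparing that digest with the hash stored in the container is how the image's integrity is checked. The help text's "(use 'i list' ...)" is missing the dash before i; if that is the tool's own output leave it, otherwise correct it to "-i list".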

25
tools/img_stat.md Normal file

@ -0,0 +1,25 @@
# img_stat
Notes
-------
img_stat displays the details associated with an image file. The output of this command is image format specific. At a minimum, the size will be given and the byte range of each file will be given for split image formats.
Help Text
-------
```
usage: img_stat [-tvV] [-i imgtype] [-b dev_sector_size] image
-t: display type only
-i imgtype: The format of the image file (use '-i list' for list of supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-v: verbose output to stderr
-V: Print version
```
Example Usage
-------
Links
-------
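Review bot: Example Usage and Links are empty. A single example such as "img_stat image.E01" would show the format-specific output the Notes mention, and it pairs naturally with the img_cat page in this commit (img_stat to read the stored size and hash, img_cat to recompute the hash).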

28
tools/istat.md Normal file

@ -0,0 +1,28 @@
# istat
Notes
-------
istat - Information about an inode number
Help Text
-------
```
usage: istat [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-vV] image inum
-B num: force the display of NUM address of block pointers
-z zone: time zone of original machine (i.e. EST5EDT or GMT)
-s seconds: Time skew of original machine (in seconds)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: print version
```
Example Usage
-------
Links
-------
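Review bot: Example Usage and Links are empty. Suggest "istat -f ext3 -o 63 image.dd 12345" to show the pairing of -o (partition start in sectors, taken from mmls output) with an inode number from fls, plus a sentence that -z and -s, which the help text lists, are what make the displayed timestamps comparable with the examiner's own clock and timezone.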

28
tools/jcat.md Normal file

@ -0,0 +1,28 @@
# jcat
Notes
-------
jcat - Show the contents of a block in the file system journal.
Help Text
-------
```
usage: jcat [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] image [images] [inode] blk
blk: The journal block to view
inode: The file system inode where the journal is located
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: print version
```
Example Usage
-------
jcat -f linux-ext3 img.dd 34 | xxd
Links
-------
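Review bot: the example "jcat -f linux-ext3 img.dd 34 | xxd" is not fenced, while the jls page fences the same style of command; make the two consistent. Also confirm that "linux-ext3" is a value the installed version accepts ("-f list" per the help text), and say where the block number 34 comes from (a journal block number printed by jls), since the two pages are meant to be used together.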

30
tools/jls.md Normal file

@ -0,0 +1,30 @@
# jls
Notes
-------
jls lists the records and entries in a file system journal. If inode is given, then it will look there for a journal. Otherwise, it will use the default location. The output lists the journal block number and a description.
Help Text
-------
```
usage: jls [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] image [inode]
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: File system type (use '-f list' for supported types)
-o imgoffset: The offset of the file system in the image (in sectors)
-v: verbose output to stderr
-V: print version
```
Example Usage
-------
```
jls -f linux-ext3 img.dd
```
Links
-------
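Review bot: Links is empty; the Sleuth Kit man-page location used on the fsstat and hfind pages would fit here. The Notes could add one sentence that the journal block numbers jls prints are the "blk" argument jcat takes, which is the reason to run the two together.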

33
tools/list.txt Normal file

@ -0,0 +1,33 @@
affdiskprint
affinfo
affsign
affstats
affuse
affverify
affxml
autopsy
binwalk
blkcalc
blkcat
blkstat
bulk_extractor
ffind
fls
foremost
galleta
hfind
icat-sleuthkit
istat
jcat
mactime-sleuthkit
missidentify
mmcat
pdgmail
readpst
reglookup
regripper
sigfind
sorter
srch_strings
tsk_recover
vinetto
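Review bot: list.txt is incomplete relative to the files in this commit: extundelete, fsstat, guymager, img_cat, img_stat, jls, magicrescue, md5deep, mmls, mmstat, pasco, pdf-parser, peepdf, pev, rahash2, recoverjpeg, rifiuti and rifiuti2 all get a tools/*.md page here but are absent from the list, and the file has no header saying what it is for. If it is an index, generate it from the directory listing rather than maintaining it by hand.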

tools/mactime-sleuthkit.md Normal file

@ -0,0 +1,62 @@
# mactime-sleuthkit
Notes
-------
mactime - Create an ASCII time line of file activity
Help Text
-------
```
SYNOPSIS
mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]
DESCRIPTION
mactime creates an ASCII time line of file activity based on the body file specified by '-b' or from STDIN. The time line is written to STDOUT. The body file must be in the time machine format
that is created by 'ils -m', 'fls -m', or the mac-robber tool.
ARGUMENTS
-b body
Specify the location of a body file. This file must be generated by a tool such as 'fls -m'
or 'ils -m'.
The 'mac-robber' and 'grave-robber' tools can also be used to generate the file.
-g group file
Specify the location of the group file. mactime will display the group name instead
of the GID if this is given.
-p password file
Specify the location of the passwd file. mactime will display the user name instead
of the UID of this is given.
-i day|hour index file
Specify the location of an index file to write to. The first argument specifies the
granularity, either an hourly summary or daily. If the ´-d´ flag is given, then the summary
will be separated by a ',' to import into a spread sheet.
-d Display timeline and index files in comma delimited format. This is used to
import the data into a spread sheet for presentations or graphs.
-h Display header info about the session including time range, input source,
and passwd or group files.
-V Display version to STDOUT.
-m The month is given as a number instead of name.
-y The date range is given with the year first.
-z TIME_ZONE
The timezone from where the data was collected. The name of this argument is system
dependent (examples include EST5EDT, GMT+1).
DATE_RANGE
The range of dates to make the time line for. The standard format is yyyy-mm-dd
for a starting date and no ending date. For an ending date, use yyyy-mm-dd..yyyy-mm-dd.
```
Example Usage
-------
Links
-------
[1] http://wiki.sleuthkit.org/index.php?title=Mactime
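Review bot: Example Usage is empty although the Notes, the Help Text and the fls page all describe the pipeline; add "fls -r -m / image.dd > body.txt" followed by "mactime-sleuthkit -b body.txt -z UTC -d > timeline.csv" (-b, -z and -d as documented above). The copied man text has a typo in the -p description, "instead of the UID of this is given" should be "if this is given", and the "´-d´" quotes should be straight quotes. The heading says mactime-sleuthkit but the SYNOPSIS says mactime; a note that the package renames the binary (as with icat-sleuthkit) would avoid confusion.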

31
tools/magicrescue.md Normal file

@ -0,0 +1,31 @@
# magicrescue
Notes
-------
Magic Rescue opens devices for reading, scans them for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. These chunks are sometimes as big as 50MB, however.
To invoke magicrescue, you must specify at least one device and the -d and -r options. See the "USAGE" section in this manual for getting started.
Help Text
-------
```
Usage: magicrescue [-I FILE] [-M MODE] [-O [+-=][0x]OFFSET] [-b BLOCKSIZE]
-d OUTPUT_DIR -r RECIPE1 [-r RECIPE2 [...]] DEVICE1 [DEVICE2 [...]]
-b Only consider files starting at a multiple of BLOCKSIZE.
-d Mandatory. Output directory for found files.
-r Mandatory. Recipe name, file or directory.
-I Read input file names from this file ("-" for stdin)
-M Produce machine-readable output to stdout.
-O Resume from specified offset (hex or decimal) in the first device.
```
Example Usage
-------
Links
-------
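Review bot: the Notes end with 'See the "USAGE" section in this manual for getting started', which refers to the man page, not to this page, which has no USAGE section; either reword or add the example it promises. Both -d and -r are marked Mandatory in the help text, so the empty Example Usage should show them, e.g. "magicrescue -r jpeg-jfif -d out/ image.dd", with a note that recipe names are the files shipped in the tool's recipes directory.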

42
tools/md5deep.md Normal file

@ -0,0 +1,42 @@
# md5deep
Notes
-------
Computes the hashes, or message digest, for any number of files while optionally recursively digging through the directory structure. Can also take a list of known hashes and display the filenames of input files whose hashes either do or do not match any of the known hashes. Errors are reported to standard error. If no FILES are specified, reads from standard input.
Help Text
-------
```
md5deep version 4.2 by Jesse Kornblum and Simson Garfinkel.
$ md5deep [OPTION]... [FILES]...
See the man page or README.txt file or use -hh for the full list of options
-p <size> - piecewise mode. Files are broken into blocks for hashing
-r - recursive mode. All subdirectories are traversed
-e - show estimated time remaining for each file
-s - silent mode. Suppress all error messages
-z - display file size before hash
-m <file> - enables matching mode. See README/man page
-x <file> - enables negative matching mode. See README/man page
-M and -X are the same as -m and -x but also print hashes of each file
-w - displays which known file generated a match
-n - displays known hashes that did not match any input files
-a and -A add a single hash to the positive or negative matching set
-b - prints only the bare name of files; all path information is omitted
-l - print relative paths for filenames
-t - print GMT timestamp (ctime)
-i/I <size> - only process files smaller/larger than SIZE
-v - display version number and exit
-d - output in DFXML; -u - Escape Unicode; -W FILE - write to FILE.
-j <num> - use num threads (default 4)
-Z - triage mode; -h - help; -hh - full help
```
Example Usage
-------
Links
-------
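Review bot: Example Usage and Links are empty on a page whose help text describes matching modes; show the forensic use: "md5deep -r /mnt/evidence > hashes.txt" to hash a tree, "md5deep -r -m known-good.txt /mnt/evidence" to report files matching a known set, and "-x" to list the files that do not match (the negative matching mode described above). Worth one sentence that the same package ships sha1deep, sha256deep and hashdeep with the same options, since collision attacks on MD5 are practical and a second digest is worth recording alongside it.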

55
tools/missidentify.md Normal file

@ -0,0 +1,55 @@
# missidentify
Notes
-------
Miss Identify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). The program can also be run to display all executables encountered, regardless of the extension. This is handy when looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively.[1]
Help Text
-------
```
missidentify version 1.0 by Jesse Kornblum
Usage: missidentify [-Vh] [-rablv] [-s|-S len] [FILES]
-r Recursive mode. All subdirectories are traversed
-q Silent mode. No error messages are displayed
-a Display all executable files regardless of extension
-b Bare filename. No path information displayed
-l Relative paths in filenames
-v Verbose mode. Displays the filename for every 10th file processed
-s|-S Display strings
-V Display version number and exit
-h Display this help message
```
Example Usage
-------
Taken from forensicswiki[1]
The program can be used to search for mislabeled executables:
```
C:\> missidentify *
C:\missidentify-1.0\sample.jpg
```
To enumerate all executables:
```
C:\> missidentify -a *
C:\missidentify-1.0\sample.jpg
C:\missidentify-1.0\missidentify.exe
```
To search for all executables in an unusual place:
```
C:\> missidentify -ar c:\windows\system32
...
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\System32\ntoskrnl.exe
C:\WINDOWS\System32\NEVER-GONNA-CATCH-ME.EXE
C:\WINDOWS\System32\ntver.dll
...
```
Links
-------
[1] http://www.forensicswiki.org/wiki/Miss_Identify
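Review bot: the usage line "Usage: missidentify [-Vh] [-rablv] [-s|-S len] [FILES]" does not list -q, although "-q Silent mode" appears in the option list; check against the installed binary. The examples are copied from forensicswiki [1] with Windows prompts ("C:\>") and the joke filename NEVER-GONNA-CATCH-ME.EXE; for this Linux tool collection add an invocation like "missidentify -r /mnt/evidence" and keep the quoted examples clearly marked as quoted.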

25
tools/mmcat.md Normal file

@ -0,0 +1,25 @@
# mmcat
Notes
-------
mmcat outputs the contents of a specific volume to stdout. This allows you to extract the contents of a partition to a separate file.
Help Text
-------
```
mmcat [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] [-t vstype] image [images] part_num
-t vstype: The type of partition system (use '-t list' for list of supported types)
-i imgtype: The format of the image file (use '-i list' for list of supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)
-v: verbose output
-V: print the version
```
Example Usage
-------
Links
-------
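Review bot: Example Usage and Links are empty. The natural example pairs this page with mmls in the same commit: "mmls image.dd" to get the partition numbers, then "mmcat image.dd 2 > part2.dd" to extract one partition to a file as the Notes describe, with a note that part_num is the entry number in the first column of the mmls output.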

42
tools/mmls.md Normal file

@ -0,0 +1,42 @@
# mmls
Notes
-------
mmls displays the layout of the partitions in a volume system, which include partition tables and disk labels.
Help Text
-------
```
mmls [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-BrvV] [-aAmM] [-t vstype] image [images]
-t vstype: The type of volume system (use '-t list' for list of supported types)
-i imgtype: The format of the image file (use '-i list' for list supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)
-B: print the rounded length in bytes
-r: recurse and look for other partition tables in partitions (DOS Only)
-v: verbose output
-V: print the version
Unless any of these are specified, all volume types are shown
-a: Show allocated volumes
-A: Show unallocated volumes
-m: Show metadata volumes
-M: Hide metadata volumes
```
Example Usage
-------
To list the partition table of a Windows system using autodetect:
```
# mmls disk_image.dd
```
To list the contents of a BSD system that starts in sector 12345 of a split image:
```
# mmls -t bsd -o 12345 -i split disk-1.dd disk-2.dd
```
Links
-------
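Review bot: Links is empty. One sentence tying the output to the rest of the commit would help: the Start column mmls prints is the sector offset passed as -o imgoffset to fsstat, fls, icat-sleuthkit and istat, all of which document -o "in sectors". The "#" prompt in both examples suggests root is needed; reading an image file is not privileged, so "$" would be more accurate.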

26
tools/mmstat.md Normal file

@ -0,0 +1,26 @@
# mmstat
Notes
-------
mmstat displays the general details of a volume system, which includes partition tables and disk labels. Mainly, the type is given.
Help Text
-------
```
mmstat [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] [-t vstype] image [images]
-t vstype: The volume system type (use '-t list' for list of supported types)
-i imgtype: The format of the image file (use '-i list' for list of supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)
-v: verbose output
-V: print the version
```
Example Usage
-------
Links
-------
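Review bot: Example Usage and Links are empty; "mmstat image.dd" with one line saying it reports the volume system type (the value mmls and mmcat accept as -t vstype) would be enough.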

21
tools/pasco.md Normal file

@ -0,0 +1,21 @@
# pasco
Notes
-------
pasco is a tool to extract valuable informations (from a forensics investigator point of view) from MS IE cache files (index.dat).
Help Text
-------
```
Usage: pasco [options] <filename>
-d Undelete Activity Records
-t Field Delimiter (TAB by default)
```
Example Usage
-------
Links
-------
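Review bot: "valuable informations" in the Notes should be "valuable information". Example Usage is empty; given the help text takes a single filename and the Notes name index.dat, show "pasco index.dat > history.tsv" and mention -d to include deleted activity records, which is the option an examiner cares about.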

54
tools/pdf-parser.md Normal file

@ -0,0 +1,54 @@
# pdf-parser
Notes
-------
Help Text
-------
```
Usage: pdf-parser [options] pdf-file|zip-file|url
pdf-parser, use it to parse a PDF document
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s SEARCH, --search=SEARCH
string to search in indirect objects (except streams)
-f, --filter pass stream object through filters (FlateDecode,
ASCIIHexDecode, ASCII85Decode, LZWDecode and
RunLengthDecode only)
-o OBJECT, --object=OBJECT
id of indirect object to select (version independent)
-r REFERENCE, --reference=REFERENCE
id of indirect object being referenced (version
independent)
-e ELEMENTS, --elements=ELEMENTS
type of elements to select (cxtsi)
-w, --raw raw output for data and filters
-a, --stats display stats for pdf document
-t TYPE, --type=TYPE type of indirect object to select
-v, --verbose display malformed PDF elements
-x EXTRACT, --extract=EXTRACT
filename to extract malformed content to
-H, --hash display hash of objects
-n, --nocanonicalizedoutput
do not canonicalize the output
-d DUMP, --dump=DUMP filename to dump stream content to
-D, --debug display debug info
-c, --content display the content for objects without streams or
with streams without filters
--searchstream=SEARCHSTREAM
string to search in streams
--unfiltered search in unfiltered streams
--casesensitive case sensitive search in streams
--regex use regex to search in streams
```
Example Usage
-------
Links
-------
[1] http://blog.didierstevens.com/programs/pdf-tools/
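Review bot: both Notes and Example Usage are empty, so the page is a help dump with a link. One line of Notes (pdf-parser walks the objects of a PDF without rendering it, so a suspicious file can be inspected without opening it in a viewer) and two examples drawn from the options above, "-a" for object statistics and "-s JavaScript" to find indirect objects containing that string, would make it usable; "-f" combined with "-d" to dump a decoded stream is the third common step.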

32
tools/pdgmail.md Normal file

@ -0,0 +1,32 @@
# pdgmail
Notes
-------
Gather gmail artifacts from a pd process memory dump
Help Text
-------
```
Usage: /usr/bin/pdgmail [OPTIONS]
Options:
-f, --file the file to use (stdin if no file given)
-b, --bodies don't look for message bodies (helpful if you're getting too many false positives on the mb regex)
-h, --help prints this
-v,--verbose be verbose (prints filename, other junk)
-V,--version prints just the version info and exits.
This expects to be unleashed on the result of running strings -el on a pd dump from windows process memory.
Anything other than that, your mileage will certainly vary.
```
Example Usage
-------
```
strings -el memory.dump | pdgmail | less
```
Links
-------
[1] http://digital-forensics.sans.org/blog/2008/10/20/pdgmail-new-tool-for-gmail-memory-forensics/
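Review bot: the help text line "This expects to be unleashed on the result of running strings -el on a pd dump" is the key to the example, but neither the Notes nor the example explains it: "-e l" makes strings extract 16-bit little-endian (UTF-16LE) strings, which is how Windows process memory holds them, and "pd" is the process dumper that produced memory.dump. One sentence on each would let a reader reproduce the example without guessing.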

36
tools/peepdf.md Normal file

@ -0,0 +1,36 @@
# peepdf
Notes
-------
peepdf is a tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides Javascript and shellcode analysis wrappers too. Apart of this it is able to create new PDF files, modify existent ones and obfuscate them.[1]
Help Text
-------
```
Usage: /usr/bin/peepdf [options] PDF_file
Version: peepdf 0.2 r183
Options:
-h, --help show this help message and exit
-i, --interactive Sets console mode.
-s SCRIPTFILE, --load-script=SCRIPTFILE
Loads the commands stored in the specified file and
execute them.
-f, --force-mode Sets force parsing mode to ignore errors.
-l, --loose-mode Sets loose parsing mode to catch malformed objects.
-u, --update Updates peepdf with the latest files from the
repository.
-g, --grinch-mode Avoids colorized output in the interactive console.
-v, --version Shows program's version number.
-x, --xml Shows the document information in XML format.
```
Example Usage
-------
Links
-------
[1] http://eternal-todo.com/tools/peepdf-pdf-analysis-tool
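Review bot: grammar in the Notes copied from [1]: "Apart of this" should be "Apart from this", "modify existent ones" should be "modify existing ones", and "it's possible to see all the objects ... supports the most used filters" has no subject for "supports". Example Usage is empty; "peepdf -i suspicious.pdf" for the interactive console and "peepdf -f suspicious.pdf" for force mode on a malformed file would show the two modes the help text lists.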

36
tools/pev.md Normal file

@ -0,0 +1,36 @@
# pev
Notes
-------
Make an analysis and show useful information of PE32/PE32+ file given.
Help Text
-------
```
Usage: pev [-cdhops] <file>
pev will get information about PE32 binaries and display it on standard output.
All switches are optional, but --all is used by default.
```
Example Usage
-------
To get only the Product Version of putty.exe file:
```
$ pev -p putty.exe
```
To show DOS and COFF file headers of cards.dll:
```
$ pev -dc cards.dll
```
Display all possible information about svchost.exe file:
```
$ pev svchost.exe
```
Links
-------

35
tools/rahash2.md Normal file

@ -0,0 +1,35 @@
# rahash2
Notes
-------
This program is part of the radare project.
Hasher allows you to calculate, check and show the hash values of each block of a target file. The block size is 32768 bytes by default. It's allowed to hash from stdin using '-' as a target file.
You can hash big files by hashing each block and later determine what part of it has been modified. Useful for filesystem analysis.
This command can be used to calculate hashes of a certain part of a file or a command line passed string.
Help Text
-------
```
Usage: rahash2 [-rBv] [-b bsize] [-a algo] [-s str] [-f from] [-t to] [file] ...
-a algo comma separated list of algorithms (default is 'sha1')
-b bsize specify the size of the block (instead of full file)
-B show per-block hash
-s string hash this string instead of files
-f from start hashing at given address
-t to stop hashing at given address
-r output radare commands
-v show version information
Supported algorithms: md4, md5, sha1, sha256, sha384, sha512, crc16,
crc32, xor, xorpair, parity, mod255, hamdist, entropy, pcprint
```
Example Usage
-------
Links
-------
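Review bot: Example Usage and Links are empty although the Notes describe a specific workflow (per-block hashing to find which part of a large file changed); show it: "rahash2 -a md5,sha256 image.dd" for whole-file digests and "rahash2 -B -b 4096 -a sha256 image.dd" for per-block hashes, both using flags from the help text. "Hasher allows you" in the Notes reads like a leftover from an older name; "rahash2 allows you" is clearer.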

44
tools/readpst.md Normal file

@ -0,0 +1,44 @@
# readpst
Notes
-------
readpst is a program that can read an Outlook PST (Personal Folders) file and convert it into an mbox file, a format suitable for KMail, a recursive mbox structure, or separate emails.
Help Text
-------
```
ReadPST / LibPST v0.6.54
Little Endian implementation being used.
Usage: readpst [OPTIONS] {PST FILENAME}
OPTIONS:
-V - Version. Display program version
-C charset - character set for items with unspecified character set
-D - Include deleted items in output
-M - Write emails in the MH (rfc822) format
-S - Separate. Write emails in the separate format
-b - Don't save RTF-Body attachments
-c[v|l] - Set the Contact output mode. -cv = VCard, -cl = EMail list
-d <filename> - Debug to file.
-e - As with -M, but include extensions on output files
-h - Help. This screen
-j <integer> - Number of parallel jobs to run
-k - KMail. Output in kmail format
-o <dirname> - Output directory to write files to. CWD is changed *after* opening pst file
-q - Quiet. Only print error messages
-r - Recursive. Output in a recursive format
-t[eajc] - Set the output type list. e = email, a = attachment, j = journal, c = contact
-u - Thunderbird mode. Write two extra .size and .type files
-w - Overwrite any output mbox files
Only one of -k -M -r -S should be specified
```
Example Usage
-------
See [1]
Links
-------
[1] http://www.question-defense.com/2012/11/29/readpst-backtrack-5-forensics-forensics-analysis-tools-readpst
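Review bot: "See [1]" is not an example; put a command on the page, e.g. "readpst -r -D -o out/ mailbox.pst" (-r recursive output, -D to include deleted items, -o output directory, all from the help text above), since -D is the switch an examiner will want and the help text already warns that only one of -k -M -r -S may be given.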

47
tools/recoverjpeg.md Normal file

@ -0,0 +1,47 @@
# recoverjpeg
Notes
-------
Recoverjpeg tries to identify jpeg pictures from a filesystem image. To achieve this goal, it scans the filesystem image and looks for a jpeg structure at blocks starting at 512 bytes boundaries.
Salvaged jpeg pictures are stored by default under the name imageXXXXX.jpg where XXXXX is a five digit number starting at zero. If there are more than 100,000 recovered pictures, recoverjpeg will
start using six figures numbers and more as soon as needed, but the 100,000 first ones will use a five figures number. Options -f and -i can override this behaviour.
Help Text
-------
```
Usage: recoverjpeg [options] file|device
Options:
-b blocksize Block size in bytes (default: 512)
-f format Format string in printf syntax
-h This help message
-i index Initial picture index
-m maxsize Max jpeg file size in bytes (default: 6m)
-q Be quiet
-r readsize Size of disk reads in bytes (default: 128m)
-v verbose Replace progress bar by details
```
Example Usage
-------
Recover as many pictures as possible from the memory card located in /dev/sdc:
```
recoverjpeg /dev/sdc
```
Recover as many pictures as possible from a crashed ReiserFS file system (which does not necessarily store pictures at block boundaries) in /dev/hdb1:
```
recoverjpeg -b 1 /dev/hdb1
```
Do the same thing in a memory constrained environment where no more than 16MB of RAM can be used for the operation:
```
recoverjpeg -b 1 -r 16m /dev/hdb1
```
Links
-------
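Review bot: Links is empty. The three examples are good; one sentence explaining why "-b 1" is needed for ReiserFS (the default only tries 512-byte boundaries, per the -b help line and the Notes, so -b 1 tests every byte offset and is correspondingly slower) would make the second and third examples self-explanatory.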

50
tools/reglookup.md Normal file

@ -0,0 +1,50 @@
# reglookup
Notes
-------
reglookup is designed to read windows registry elements and print them out to stdout in a CSV-like format. It has filtering options to narrow the focus of the output.
This tool is designed to work with on Windows NT-based registries.
Help Text
-------
```
Usage: reglookup [-v] [-s] [-p <PATH_FILTER>] [-t <TYPE_FILTER>] <REGISTRY_FILE>
Version: 0.12.0
Options:
-v sets verbose mode.
-h enables header row. (default)
-H disables header row.
-s enables security descriptor output.
-S disables security descriptor output. (default)
-p restrict output to elements below this path.
-t restrict results to this specific data type.
-i includes parent key modification times with child values.
```
Example Usage
-------
To read and print the contents of an entire system registry file:
```
reglookup /mnt/win/c/WINNT/system32/config/system
```
To limit the output to just those entries under the Services key:
```
reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
```
To limit the output to all registry values of type BINARY:
```
reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system
```
And to limit the output to BINARY values under the Services key:
```
reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system
```
Links
-------
[1] http://projects.sentinelchicken.org/reglookup/
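Review bot: the second and fourth examples hardcode `/ControlSet002/Services`, but the control set that was actually in use is not fixed; it is named by the `Current` value under the `Select` key of the SYSTEM hive, so the text should say to read that first (for example `reglookup -p /Select /mnt/win/c/WINNT/system32/config/system`) and substitute the matching ControlSetNNN. Smaller points: the Notes line "designed to work with on Windows NT-based registries" has a stray word, the example paths use the Windows 2000-era `WINNT` directory (XP and later use `WINDOWS`), and the usage synopsis omits the -h/-H/-i options that the option list documents.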

16
tools/regripper.md Normal file

@ -0,0 +1,16 @@
# regripper
Notes
-------
Automatic analysis of registry hives. regripper is a shell script located at /usr/bin/regripper. It will use wine to execute rr.exe
Help Text
-------
Regripper is a GUI tool. Fill in the "Hive File" to be analyzed, the "Report File" to write the output to and choose the correct plugin for analysis.
Example Usage
-------
Links
-------
[1] http://regripper.wordpress.com/
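Review bot: Example Usage is empty and Help Text describes only the GUI, so a reader cannot script this tool from the page. Suggest naming the hives that are meaningful inputs (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT, UsrClass.dat) and, if the packaged version ships the command-line front end rip.pl from the RegRipper distribution, one example with it, since driving rr.exe through wine is awkward on a headless analysis box.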

21
tools/rifiuti.md Normal file

@ -0,0 +1,21 @@
# rifiuti
Notes
-------
rifiuti is a tool to extract valuable informations (from a forensics investigator point of view) from MS recycle bins info2 files.
It will extract the deleted time, original drive number, original path ans size of the deleted files found in the recycle bin.
Help Text
-------
```
Usage: rifiuti [options] <filename>q
-d Field Delimiter (TAB by default)
```
Example Usage
-------
Links
-------
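Review bot: the usage line in Help Text reads `Usage: rifiuti [options] <filename>q` with a stray trailing q that looks like a paste error; drop it. The Notes have "informations" and "original path ans size". Example Usage and Links are both empty; one run against an INFO2 file from a per-user recycle bin directory (RECYCLER/<SID>/INFO2 on an XP volume) plus a pointer to the rifiuti2 page, which documents the successor, would round this out.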

45
tools/rifiuti2.md Normal file

@ -0,0 +1,45 @@
# rifiuti2
Notes
-------
Rifiuti2 is a rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. Analysis of Windows Recycle Bin is usually carried out during Windows computer forensics. Rifiuti2 can extract file deletion time, original path and size of deleted files and whether the deleted files have been moved out from the recycle bin since they are trashed. Rifiuti2 supports the INFO2 file format found in Windows up to Windows XP and the new file format found in Vista, and the program is fully internationalized. If you need to analyse recycle bins of Windows Vista and Windows Server 2008, you should use the rifiuti-vista command, for other Windows platforms, you should use the rifiuti command.
Quoting from original Foundstone page:
```
Many computer crime investigations require the reconstruction of a subject's Recycle Bin. Since this analysis technique is executed regularly, we researched the structure of the data found in the Recycle Bin repository files (INFO2 files). Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. ... Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms."
```
Since the original rifiuti (last updated 2004) is restricted to English version of Windows (fail to analyze any non-latin character), thus this rewrite. But it does more:
* Supports Windows in any other languages besides English
* Supports Vista and 2008 (they don't use INFO2 file any more)
* Enables localization (that is, translatable)
* More rigorous error checking
* Supports output in XML format
Help Text
-------
```
Usage:
rifiuti2 [OPTION...] FILE
Help Options:
-h, --help Show help options
--help-all Show all help options
--help-text Show plain text output options
Application Options:
-o, --output=FILE Write output to FILE
-x, --xml Output in XML format (-t, -n, -l, -8 options will have no effect)
--from-encoding=ENC The assumed file name character set when no unicode file name is present in INFO2 record (mandatory if INFO2 file is created by Win98, useless otherwise)
```
Example Usage
-------
Links
-------
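Review bot: the Notes say to use `rifiuti-vista` for Vista/2008 and `rifiuti` otherwise, but Help Text then shows `rifiuti2 [OPTION...] FILE`, so the page gives three command names without stating which ones the package actually installs; please reconcile. Example Usage and Links are empty; at minimum link the rifiuti2 project and show one run with `-o` and one with `-x`. The quoted Foundstone block also ends with a closing quotation mark that has no opening one.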

185
tools/safecopy.md Normal file

@ -0,0 +1,185 @@
# safecopy
Notes
-------
A data recovery tool.
Safecopy is a data recovery tool which tries to extract as much data as possible from a seekable, but problematic (i.e. damaged sectors) source - like floppy drives, harddisk partitions, CDs, ...,
where other tools like dd would fail doe to I/O errors.
Safecopy tries to get as much data from the source as possible without device dependent tricks. For example to get an ISO image from a copy protected or otherwise damaged CD-ROM, cdrdao and bin2iso
would possibly do a better and faster job.
Safecopy comes with preset options (named stages) to ease its use. These presets can be overridden by individual options.
Help Text
-------
```
Safecopy 1.6 by CorvusCorax
Usage: safecopy [options] <source> <target>
Options:
--stage1 : Preset to rescue most of the data fast,
using no retries and avoiding bad areas.
Presets: -f 10% -r 10% -R 1 -Z 0 -L 2 -M BaDbLoCk
-o stage1.badblocks
--stage2 : Preset to rescue more data, using no retries
but searching for exact ends of bad areas.
Presets: -f 128* -r 1* -R 1 -Z 0 -L 2
-I stage1.badblocks
-o stage2.badblocks
--stage3 : Preset to rescue everything that can be rescued
using maximum retries, head realignment tricks
and low level access.
Presets: -f 1* -r 1* -R 4 -Z 1 -L 2
-I stage2.badblocks
-o stage3.badblocks
All stage presets can be overridden by individual options.
-b <size> : Blocksize for default read operations.
Set this to the physical sectorsize of your media.
Default: 1*
Hardware block size if reported by OS, otherwise 4096
-f <size> : Blocksize when skipping over badblocks.
Higher settings put less strain on your hardware,
but you might miss good areas in between two bad ones.
Default: 16*
-r <size> : Resolution in bytes when searching for the exact
beginning or end of a bad area.
If you read data directly from a device there is no
need to set this lower than the hardware blocksize.
On mounted filesystems however, read blocks
and physical blocks could be misaligned.
Smaller values lead to very thorough attempts to read
data at the edge of damaged areas,
but increase the strain on the damaged media.
Default: 1*
-R <number> : At least that many read attempts are made on the first
bad block of a damaged area with minimum resolution.
More retries can sometimes recover a weak sector,
but at the cost of additional strain.
Default: 3
-Z <number> : On each error, force seek the read head from start to
end of the source device as often as specified.
That takes time, creates additional strain and might
not be supported by all devices or drivers.
Default: 1
-L <mode> : Use low level device calls as specified:
0 Do not use low level device calls
1 Attempt low level device calls
for error recovery only
2 Always use low level device calls
if available
Supported low level features in this version are:
SYSTEM DEVICE TYPE FEATURE
Linux cdrom/dvd bus/device reset
Linux cdrom read sector in raw mode
Linux floppy controller reset, twaddle
Default: 1
--sync : Use synchronized read calls (disable driver buffering).
Safecopy will use O_DIRECT if supported by the OS
and O_SYNC otherwise.
Default: Asynchronous read buffering by the OS is allowed
-s <blocks> : Start position where to start reading.
Will correspond to position 0 in the destination file.
Default: block 0
-l <blocks> : Maximum length of data to be read.
Default: Entire size of input file
-I <badblockfile> : Incremental mode. Assume the target file already
exists and has holes specified in the badblockfile.
It will be attempted to retrieve more data from
the listed blocks or from beyond the file size
of the target file only.
Warning: Without this option, the destination file
will be emptied prior to writing.
Use -I /dev/null if you want to continue a previous
run of safecopy without a badblock list.
Default: none
-i <bytes> : Blocksize to interpret the badblockfile given with -I.
Default: Blocksize as specified by -b
-X <badblockfile> : Exclusion mode. If used together with -I,
excluded blocks override included blocks.
Safecopy will not read or write any data from
areas covered by exclude blocks.
Default: none
-x <bytes> : Blocksize to interpret the badblockfile given with -X.
Default: Blocksize as specified by -b
-o <badblockfile> : Write a badblocks/e2fsck compatible bad block file.
Default: none
-S <seekscript> : Use external script for seeking in input file.
(Might be useful for tape devices and similar).
Seekscript must be an executable that takes the
number of blocks to be skipped as argv1 (1-64)
the blocksize in bytes as argv2
and the current position (in bytes) as argv3.
Return value needs to be the number of blocks
successfully skipped, or 0 to indicate seek failure.
The external seekscript will only be used
if lseek() fails and we need to skip over data.
Default: none
-M <string> : Mark unrecovered data with this string instead of
skipping it. This helps in later finding corrupted
files on rescued file system images.
The default is to zero unreadable data on creation
of output files, and leaving the data as it is
on any later run.
Warning: When used in combination with
incremental mode (-I) this may overwrite data
in any block that occurs in the -I file.
Blocks not in the -I file, or covered by the file
specified with -X are save from being overwritten.
Default: none
--debug <level> : Enable debug output. Level is a bit field,
add values together for more information:
program flow: 1
IO control: 2
badblock marking: 4
seeking: 8
incremental mode: 16
exclude mode: 32
or for all debug output: 255
Default: 0
-T <timingfile> : Write sector read timing information into
this file for later analysis.
Default: none
-h | --help : Show this text
Valid parameters for -f -r -b <size> options are:
<integer> Amount in bytes - i.e. 1024
<percentage>% Percentage of whole file/device size - e.g. 10%
<number>* -b only, number times blocksize reported by OS
<number>* -f and -r only, number times the value of -b
Description of output:
. : Between 1 and 1024 blocks successfully read.
_ : Read of block was incomplete. (possibly end of file)
The blocksize is now reduced to read the rest.
|/| : Seek failed, source can only be read sequentially.
> : Read failed, reducing blocksize to read partial data.
! : A low level error on read attempt of smallest allowed size
leads to a retry attempt.
[xx](+yy){ : Current block and number of bytes continuously
read successfully up to this point.
X : Read failed on a block with minimum blocksize and is skipped.
Unrecoverable error, destination file is padded with zeros.
Data is now skipped until end of the unreadable area is reached.
< : Successful read after the end of a bad area causes
backtracking with smaller blocksizes to search for the first
readable data.
}[xx](+yy) : current block and number of bytes of recent
continuous unreadable data.
Copyright 2009 CorvusCorax
This is free software. You may redistribute copies of it under
the terms of the GNU General Public License version 2 or above.
<http://www.gnu.org/licenses/gpl2.html>.
There is NO WARRANTY, to the extent permitted by law.
```
Example Usage
-------
Links
-------
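Review bot: Example Usage and Links are empty although the Notes explicitly introduce the stage presets; the minimum worth showing is the three-stage workflow the help text describes, for example `safecopy --stage1 /dev/sdb image.dd`, then `--stage2` and `--stage3` against the same target, since each stage reads the badblock file written by the previous one (`-I stage1.badblocks`, `-o stage2.badblocks`) and the -I warning explains why the target must not be recreated between runs. Also "would fail doe to I/O errors" in the Notes should be "due".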

57
tools/scalpel.md Normal file

@ -0,0 +1,57 @@
# scalpel
Notes
-------
scalpel - Recover files using a header/footer database
Help Text
-------
```
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.
Carves files from a disk image based on file headers and footers.
Usage: scalpel [-b] [-c <config file>] [-d] [-h|V] [-i <file>]
[-m blocksize] [-n] [-o <outputdir>] [-O num] [-q clustersize]
[-r] [-s num] [-t <blockmap file>] [-u] [-v]
<imgfile> [<imgfile>] ...
-b Carve files even if defined footers aren't discovered within
maximum carve size for file type [foremost 0.69 compat mode].
-c Choose configuration file.
-d Generate header/footer database; will bypass certain optimizations
and discover all footers, so performance suffers. Doesn't affect
the set of files carved. **EXPERIMENTAL**
-h Print this help message and exit.
-i Read names of disk images from specified file.
-m Generate/update carve coverage blockmap file. The first 32bit
unsigned int in the file identifies the block size. Thereafter
each 32bit unsigned int entry in the blockmap file corresponds
to one block in the image file. Each entry counts how many
carved files contain this block. Requires more memory and
disk. **EXPERIMENTAL**
-n Don't add extensions to extracted files.
-o Set output directory for carved files.
-O Don't organize carved files by type. Default is to organize carved files
into subdirectories.
-p Perform image file preview; audit log indicates which files
would have been carved, but no files are actually carved.
-q Carve only when header is cluster-aligned.
-r Find only first of overlapping headers/footers [foremost 0.69 compat mode].
-s Skip n bytes in each disk image before carving.
-t Set directory for coverage blockmap. **EXPERIMENTAL**
-u Use carve coverage blockmap when carving. Carve only sections
of the image whose entries in the blockmap are 0. These areas
are treated as contiguous regions. **EXPERIMENTAL**
-V Print copyright information and exit.
-v Verbose mode.
```
Example Usage
-------
Links
-------
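Review bot: Example Usage and Links are empty, and the page omits the one thing that trips most first-time users: scalpel carves nothing until the file-type entries in its configuration file are uncommented, because they ship commented out. Suggest an example such as `scalpel -c /etc/scalpel/scalpel.conf -o carved image.dd` with a sentence about editing that file (the path is the Debian/Kali location and should be verified for the packaged version). The option list also documents `-p` (preview, audit log only), which is a natural second example for triage before writing thousands of carved files.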

35
tools/scrounge-ntfs.md Normal file

@ -0,0 +1,35 @@
# scrounge-ntfs
Notes
-------
scrounge-ntfs is a utility that can rescue data from corrupted NTFS partitions. It writes the files retrieved to another working file system. Certain information about the partition needs to be known in advance.
The -l mode is meant to be run in advance of the data corruption, with the output stored away in a file. This allows scrounge-ntfs to recover data reliably. See the 'NOTES' section below for recover info when this isn't the case.
Help Text
-------
```
usage: scrounge -l disk
List all drive partition information.
usage: scrounge -s disk
Search drive for NTFS partitions.
usage: scrounge [-m mftoffset] [-c clustersize] [-o outdir] disk start end
Scrounge data from a partition
-m Offset to mft (in sectors)
-c Cluster size (in sectors, default of 8)
-o Directory to put scrounged files in
disk The raw disk partitios (ie: /dev/hda)
start First sector of partition
end Last sector of partition
```
Example Usage
-------
Links
-------
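Review bot: the Notes end with "See the 'NOTES' section below for recover info when this isn't the case", but no such section exists in this file; the sentence was carried over from the man page. Either drop it or replace it with the fallback the help text implies: run `scrounge -s disk` to search for NTFS partitions when no `-l` listing was saved beforehand, then pass the reported start and end sectors (and `-m`/`-c` if known) to the third usage form. Also say which name the binary actually has, since the heading says scrounge-ntfs and the usage lines say scrounge; the help text's "partitios" is an upstream typo.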

29
tools/sigfind.md Normal file

@ -0,0 +1,29 @@
# sigfind
Notes
-------
sigfind searches through a file and looks for the hex_signature at a given offset. This can be used to search for lost boot sectors, superblocks, and partition tables.
Help Text
-------
```
sigfind [-b bsize] [-o offset] [-t template] [-lV] [hex_signature] file
-b bsize: Give block size (default 512)
-o offset: Give offset into block where signature should exist (default 0)
-l: Signature will be little endian in image
-V: Version
-t template: The name of a data structure template:
dospart, ext2, ext3, fat, hfs, hfs+, ntfs, ufs1, ufs2
```
Example Usage
-------
```
sigfind -o 510 -l AA55 disk.dd
sigfind -t fat disk.dd
```
Links
-------
[1] http://www.sleuthkit.org/sleuthkit/man/sigfind.html
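Review bot: the two examples under Example Usage have no explanation. One sentence each would help: the first looks for the boot-sector signature 0x55AA at offset 510 of every 512-byte block, with `-l` meaning the value is matched in little-endian byte order as it sits on disk; the second does the same through the built-in `fat` template, which shows what `-t` saves you. It is also worth saying that a hit is reported as a block number, which is the sector offset you then pass to the Sleuth Kit tools via `-o`.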

63
tools/sorter.md Normal file

@ -0,0 +1,63 @@
# sorter
Notes
-------
sorter is a Perl script that analyzes a file system to organize the allocated and unallocated files by file type. It runs the 'file' command on each file and organizes the files according to the rules in configuration files. Extension mismatching is also done to identify 'hidden' files. One can also provide hash databases for files that are known to be good and can be ignored and files that are known to be bad and should be alerted.
By default, the program uses the configuration files in the directory where The Sleuth Kit was installed. Those can be overruled with run-time options. There is a standard configuration file for all file system types and then a specific one for a given operating system.
Help Text
-------
```
sorter [-b size] [-E] [-e] [-h] [-l] [-md5] [-s] [-sha1] [-U] [-v] [-V] [-a hash_alert] [-c config] [-C config] [-d dir] [-m mnt] [-n nsrl_db] [-x hash_exclude] [-o imgoffset] [-f fstype] [-i imgtype] image [images] [dir_meta_addr]
-b size: Minimum size. Ignore files smaller than 'size'
-E: Perform category indexing only (no extension checks - was '-i')
-e: Perform extension checks only (no category index files)
-h: HTML Format
-l: List index to STDOUT (no files are ever written)
-md5: Print the MD5 value with the index output
-s: Save files to category directories
-sha1: Print the SHA-1 value with the index output
-U: Ignore the unknown category - only save catgories in config files
-v: verbose debugging output
-V: print version information
-a hash_alert: hash database of hashes to alert on
-c config: specify a config file to use (in addition to default files)
NOTE: This config file has priority over default files
-C config: specify the ONLY config file to use
-d dir: Save category index files in the specified directory
-f fstype: file system type (Sleuth Kit types) of image
-i imgtype: Format of image file
-o imgoffset: Offset of file system in image (in sectors)
-m mnt: The mounting point of the image
-n nsrl_db: The NIST NSRL database file (NSRLFile.txt) (hashes to ignore)
-x hash_exclude: hash database of hashes to ignore
dir_meta_addr: Address of directory to start analyzing from
image: image to analyze
```
Example Usage
-------
To run sorter with no hash databases, the following can be used:
```
sorter -f ntfs -d data/sorter images/hda1.dd
sorter -d data/sorter images/hda1.dd
sorter -i raw -f ntfs -o 63 -d data/sorter images/hda.dd
```
To include the NSRL, an exclude, and an alert hash database:
```
sorter -f ntfs -d data/sorter -a /usr/hash/rootkit.db -x /usr/hash/win2k.db -n /usr/hash/nsrl/NSRLFile.txt images/hda1.dd
```
To just identify images using the supplied 'images.sort' file:
```
sorter -f ntfs -C /usr/local/sleuthkit/share/sort/images.sort -d data/sorter -h -s images/hda1.dd
```
Links
-------
[1] http://www.sleuthkit.org/sleuthkit/man/sorter.html

52
tools/srch_strings.md Normal file

@ -0,0 +1,52 @@
# srch_strings
Notes
-------
Display printable strings in [file(s)] (stdin by default)
Help Text
-------
```
Usage: srch_strings [option(s)] [file(s)]
Display printable strings in [file(s)] (stdin by default)
The options are:
-a - Scan the entire file, not just the data section
-f Print the name of the file before each string
-n number Locate & print any NUL-terminated sequence of at
-<number> least [number] characters (default 4).
-t {o,x,d} Print the location of the string in base 8, 10 or 16
-o An alias for --radix=o
-e {s,S,b,l,B,L} Select character size and endianness:
s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
-h Display this information
-v Print the program's version number
```
Example Usage
-------
```
root@kali:~/kaliwiki/tools# srch_strings -a /root/samples/nbtscan.exe
<...>
osize > 1
obuf != 0
nbtscan 1.0.35 - 2008-04-08 - http://www.unixwiz.net/tools/
targ != 0
targets.c
paddr != 0
currTarget != 0
'NBTSCAN' => {
],
%s,
'CMDLINE' => [
'DATE' => %s,
# use as 'my $ref = do filename;'
# perl hashref output
argv != 0
gen_perl.c
\x%02X
<...>
```
Links
-------
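Review bot: the example prompt `root@kali:~/kaliwiki/tools#` carries a local working directory and differs from the plain commands on the other pages; trim it to the command. More useful for forensic work, the example never shows `-t`: `srch_strings -a -t d image.dd` prints each string with its decimal byte offset, which is what lets a hit be mapped back to a block and from there to a file, rather than just listing text. Links is empty; srch_strings is the Sleuth Kit's build of strings, so the sleuthkit documentation would do.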

27
tools/tsk_comparedir.md Normal file

@ -0,0 +1,27 @@
# tsk_compredir
Notes
-------
tsk_comparedir - compare the contents of a directory with the contents of an image or local device.
Help Text
-------
```
usage: tsk_comparedir [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] [-n start_inum] [-vV] image [image] comparison_directory
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: The file system type (use '-f list' for supported types)
-o sector_offset: sector offset for file system to compare
-n start_inum: inum for directory in image file to start compare at
-v: verbose output to stderr
-V: Print version
```
Example Usage
-------
To compare the directories in image.dd to those in directory:
tsk_comparedir ./image.dd ./directory
Links
-------
[1] http://www.sleuthkit.org/sleuthkit/man/tsk_comparedir.html
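Review bot: the heading on the first line is `# tsk_compredir` while the filename and the usage line say tsk_comparedir; fix the typo. The command under Example Usage is one of the only ones on these pages not inside a code fence; wrap `tsk_comparedir ./image.dd ./directory` like the others. A sentence on what the output reports (which side each listed file is missing from) would also make clear why comparing against a known-good reference tree is the typical use.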

31
tools/tsk_gettimes.md Normal file

@ -0,0 +1,31 @@
# tsk_gettimes
Notes
-------
tsk_gettimes examines each of the file systems in a disk image and returns the data about them in the MACtime body format (the same as running 'fls -m' on each file system). The output of this can be used as input to mactime to make a timeline of file activity. The data is printed to STDOUT, which can then be redirected to a file.
Help Text
-------
```
usage: tsk_gettimes [-vV] [-i imgtype] [-b dev_sector_size] [-z zone] [-s seconds] image [image]
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-v: verbose output to stderr
-V: Print version
-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)
-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)
```
Example Usage
-------
To collect data about image image.dd:
```
# tsk_gettimes ./image.dd > body.txt
```
Links
-------
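Review bot: the last two option lines in Help Text say "(only useful with -l)" and "(only useful with -l & -m)", but tsk_gettimes has no -l or -m option in its usage line; the remarks appear to be inherited from the fls help text and will confuse readers, so a sentence that -z and -s apply to every timestamp in the body output would help. Since the Notes say the output feeds mactime, the example should continue the pipeline with `mactime -b body.txt > timeline.txt`. Links is empty; the sleuthkit man page for tsk_gettimes would do.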

26
tools/tsk_loaddb.md Normal file

@ -0,0 +1,26 @@
# tsk_loaddb
Notes
-------
tsk_loaddb - populate a SQLite database with metadata from a disk image
Help Text
-------
```
usage: tsk_loaddb [-vVk] [-i imgtype] [-b dev_sector_size] [-d output_dir] image [image]
-k: Don't create block data table
-d output_dir: The directory to store the database in (default is the same directory as the image)
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-v: verbose output to stderr
-V: Print version
```
Example Usage
-------
To load image data from image.dd to image.dd.db:
tsk_loaddb ./image.dd
Links
-------
[1] http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html
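Review bot: the command under Example Usage is not in a code fence, unlike the other pages; wrap `tsk_loaddb ./image.dd`. The lead-in says the database lands in image.dd.db, which matches the `-d` default in the option list, but it should add that this is the SQLite file named in the Notes and can be queried with sqlite3, otherwise the point of the tool is unclear. Consider also mentioning `-k`, which skips the block data table and keeps the database small for large images.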

32
tools/tsk_recover.md Normal file

@ -0,0 +1,32 @@
# tsk_recover
Notes
-------
tsk_recover recover files to the output_dir from the image. By default recovers only unallocated files. With flags, it will export all files.
Help Text
-------
```
usage: tsk_recover [-vVae] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o sector_offset] [-d dir_inum] image [image] output_dir
-i imgtype: The format of the image file (use '-i list' for supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-f fstype: The file system type (use '-f list' for supported types)
-v: verbose output to stderr
-V: Print version
-a: Recover allocated files only
-e: Recover all files (allocated and unallocated)
-o sector_offset: sector offset for a volume to recover (recovers only that volume)
-d dir_inum: Directory inum to recover from (must also specify a specific partition using -o or there must not be a volume system)
```
Example Usage
-------
To recover only unallocated files from image.dd to the recovered directory:
```
# tsk_recover ./recovered ./image.dd
```
Links
-------
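Review bot: the example `# tsk_recover ./recovered ./image.dd` has its arguments reversed: the usage line in Help Text is `tsk_recover [...] image [image] output_dir`, so the image comes first and the output directory last, i.e. `tsk_recover ./image.dd ./recovered`; as written the tool would try to open ./recovered as the image. Also the Notes need "recovers" instead of "recover files", and "With flags, it will export all files" should name the flag (`-e`). Links is empty.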

41
tools/vinetto.md Normal file

@ -0,0 +1,41 @@
# vinetto
Notes
-------
Vinetto is a tool intended for forensics examinations. It is a console program to extract thumbnail images and their metadata from those thumbs.db files generated under Windows. Used in forensic environments.
Help Text
-------
```
Usage: vinetto [OPTIONS] [-o DIR] file
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-o DIR write thumbnails to DIR
-H write html report to DIR
```
Example Usage
-------
How to display metadata contained within a Thumbs.db file
```
$ vinetto /path/to/Thumbs.db
```
How to extract the related thumbnails to a directory
```
$ vinetto -o /tmp/vinetto_output /path/to/Thumbs.db
```
How to extract the related thumbnails to a directory and produce an html report to preview these thumbnails through your favorite browser.
```
$ vinetto -Ho /tmp/vinetto_output /path/to/Thumbs.db
```
How to get a metadata report on all non deleted Thumbs.db files contained within a partition
```
$ find /mnt/hda2 -iname thumbs.db -printf "\n==\n %p \n\n" -exec vinetto {} \; 2>/tmp/vinetto_err.log >/tmp/vinetto_hda2.txt
```
Links
-------
[1] http://vinetto.sourceforge.net/

44
tools/volafox.md Normal file

@ -0,0 +1,44 @@
# volafox
Notes
-------
volafox: Mac OS X Memory Analysis Toolkit
Help Text
-------
```
volafox: Mac OS X Memory Analysis Toolkit
project: http://code.google.com/p/volafox
support: 10.6-8; 32/64-bit kernel
input: *.vmem (VMWare memory file), *.mmr (Mac Memory Reader, flattened x86, IA-32e)
usage: python /usr/bin/volafox -i IMAGE [-o COMMAND [-vp PID][-x PID][-x KEXT_ID][-x TASKID]]
Options:
-o CMD : Print kernel information for CMD (below)
-p PID : List open files for PID (where CMD is "lsof")
-v : Print all files, including unsupported types (where CMD is "lsof")
-x PID/KID/TASKID : Dump process/task/kernel extension address space for PID/KID/Task ID (where CMD is "ps"/"kextstat"/"tasks")
COMMANDS:
system_profiler : Kernel version, CPU, and memory spec, Boot/Sleep/Wakeup time
mount : Mounted filesystems
kextstat : KEXT (Kernel Extensions) listing
ps : Process listing
tasks : Task listing (& Matching Process List)
systab : Syscall table (Hooking Detection)
mtt : Mach trap table (Hooking Detection)
netstat : Network socket listing (Hash table)
lsof : Open files listing by process (research, osxmem@gmail.com)
pestate : Show Boot information (experiment)
efiinfo : EFI System Table, EFI Runtime Services(experiment)
keychaindump : Dump master key candidates for decrypting keychain(Lion, ML)
```
Example Usage
-------
Links
-------
[1] https://code.google.com/p/volafox/
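Review bot: Example Usage is empty even though the help text gives the full invocation form; add at least `python /usr/bin/volafox -i image.vmem -o system_profiler` as the first step (it reports the kernel version, which tells you whether the image falls in the 10.6-8 support range the banner states), followed by `-o ps` and `-o kextstat`. The `systab` and `mtt` commands are the hook-detection ones per the help text and deserve a sentence in Notes, since that is the main reason to run the tool on a suspect image.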

151
tools/volatility.md Normal file

@ -0,0 +1,151 @@
# volatility
Notes
-------
Volatility is a mighty tool for memory analysis. Find some tutorials in the "Links" section to get started.
Help Text
-------
```
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.
Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=/root/.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (colon separated)
--info Print information about all registered objects
--cache-directory=/root/.cache/volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the timezone for displaying timestamps
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--dtb=DTB DTB Address
--output=text Output in this format (format support is module
specific)
--output-file=OUTPUT_FILE
write output in this file
-v, --verbose Verbose information
--shift=SHIFT Mac KASLR shift address
-g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
Supported Plugin Commands:
apihooks Detect API hooks in process and kernel memory
atoms Print session and window station atom tables
atomscan Pool scanner for _RTL_ATOM_TABLE
bioskbd Reads the keyboard buffer from Real Mode memory
callbacks Print system-wide notification routines
clipboard Extract the contents of the windows clipboard
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections [Windows XP and 2003 Only]
connscan Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detection
driverscan Scan for driver objects _DRIVER_OBJECT
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
envars Display process environment variables
eventhooks Print details on windows event hooks
evtlogs Extract Windows Event Logs (XP/2003 only)
filescan Scan Physical memory for _FILE_OBJECT pool allocations
gahti Dump the USER handle type information
gditimers Print installed GDI timers and callbacks
gdt Display Global Descriptor Table
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Scan Physical memory for _CMHIVE objects (registry hives)
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
idt Display Interrupt Descriptor Table
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
mbrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
mftparser Scans for and parses potential MFT entries
moddump Dump a kernel driver to an executable file sample
modscan Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules Print list of loaded modules
mutantscan Scan for mutant objects _KMUTANT
patcher Patches memory based on page scans
printkey Print a registry key, and its subkeys and values
privs Display process privileges
procexedump Dump a process to an executable file sample
procmemdump Dump a process to an executable memory sample
pslist Print all running processes by following the EPROCESS lists
psscan Scan Physical memory for _EPROCESS pool allocations
pstree Print process list as a tree
psxview Find hidden processes with various process listings
raw2dmp Converts a physical memory sample to a windbg crash dump
screenshot Save a pseudo-screenshot based on GDI windows
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags info
shimcache Parses the Application Compatibility Shim Cache registry key
sockets Print list of open sockets
sockscan Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Scan for symbolic link objects
thrdscan Scan physical memory for _ETHREAD objects
threads Investigate _ETHREAD and _KTHREADs
timeliner Creates a timeline from various artifacts in memory
timers Print kernel timers and associated module DPCs
unloadedmodules Print list of unloaded modules
userassist Print userassist registry keys and information
userhandles Dump the USER handle tables
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
vboxinfo Dump virtualbox information
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
windows Print Desktop Windows (verbose details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for tagWINDOWSTATION (window stations)
yarascan Scan process or kernel memory with Yara signatures
```
Example Usage
-------
To execute volatility use the command "vol".
Links
-------
[1] https://code.google.com/p/volatility/
[2] http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/
[3] http://www.evild3ad.com/956/volatility-memory-forensics-basic-usage-for-malware-analysis/
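Review bot: the single sentence under Example Usage ("use the command "vol"") is not supported by the help banner, which shows no executable name; on Kali the entry point is `volatility` (vol.py upstream), so please verify and give a real first run. The option list shows `--profile=WinXPSP2x86` as the default, which is silently applied to any image, so the example should be the usual two steps: `volatility -f mem.raw imageinfo` to get the suggested profile, then `volatility -f mem.raw --profile=<suggested> pslist`. In the Notes, "mighty tool" reads oddly; "memory forensics framework" is plainer. The "Poolscaner" spelling in the deskscan line is upstream output and can stay.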