-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhelp.txt
73 lines (45 loc) · 5.11 KB
/
help.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
FALLBACKIMAGER
This is a modular utility for forensic work as a complement or fallback to the commercial and/or established tools. The modules write log files into given output directories, calculate hashes and/or lists of copied files etc. Multiple jobs can be generated and executed sequentially.
The tool is currently developed for Linux based OS and Windows (>=10). It is work in progress.
Tabs
Each module is represented by a tab in the upper part of the application window.
Most modules have a button and field “Source” to select the source for the operation (e.g. directory or logical drive). Fields can be edited directly. In most cases the buttons let you choose a folder or file.
The modules need a “Destination” (or “Logging”) to be set. “Filename” sets the name base part for generated files. The related button gives a default proposal in most modules (sometimes dependent on the source).
Add job
When the usage of a module is defined in the tab above, a command can be added to the task list (“Jobs”). It is possible to edit the command directly or to write one completely from scratch. A command has to end with a semicolon. The last entry can be removed withe button “Remove last” on the right.
Start jobs
The execution job after job is started with the button “Start jobs” on the left above the info field. The jobs will show infos and progress.
Modules
EwfImager
This is a conveniant interface for ewfacquire from libewf. This module is not available on Windows.
EwfChecker
The module simply uses ewfinfo. ewfexport and ewfewfverify to check an EWF/E01 image file. It is used by EwfImager. This is not available on Windows.
OscdImager
The module uses oscdimg.exe (from the Windows ADK Package) to generate an ISO file (UDF file system). Obviously this module is only available on Windows.
DismImager
This module is only availible on Windows with Admin privileges. It generates an image in the WIM format using DISM/dism.exe. The CLI tool is built into Windows. You can either generate and verify a WIM image or just verify an existing. When “Copy WimMount.exe to destination directory” is selected the little GUI tool WimMount.exe is copied from bin to the destination. WimMount.exe needs to be run as Admin and can mount and dismount WIM image files.
ZipImager
Using the Python library zipfile this module generates an ZIP archive from a source file structure. The process is robust to unreadable paths and a TSV path list is generated.
HashedCopy
Copies files and verifies by md5 and sha256. Paths and hashes are stored as TSV.
Sqlite
The Sqlite module uses the Python library sqlite3. It can show the structure of a .db file (“Dump schema”) or dump the content as CSV/TSV (“Dump content”). In addition SQL code can be executed (“Execute SQL”) by the library. An alternative method is implemented (“Alternative”) that is designed to generate a .db file from a MySQL dump file in case sqlite3 fails.
Reporter
The tool parses a template and replaces "%jinsert{}{}" or "\jinsert{}{}" by values from a JSON file.
Example: reporter-example-template.txt
AxChecker
As Magnet’s AXIOM has proven to be unreliable in the past, this module compares the files in an AXIOM Case.mfdb to a file list (CSV/TSV e.g. created with X-Ways) or a local file structure. Only one partition or subtree of the case file can be compared at a time.
Hits are files, that are represented in the artifacts. This tool might help to find missing files. Be aware that you will (nearly) never have full accordance.
WipeR/WipeW
This is a wipe tool designed for SSDs and HDDs. There is also the possibility to overwrite files but without erasing file system metadata.
By default only unwiped blocks (or SSD pages) are overwritten though it is possible to force the overwriting of every block or even use a two pass wipe (1st pass writes random values). Instead of zeros you can choose to overwrite with any other Byte given in hex (0 - ff).
Whe the target is a physical drive, you can create a partition where (after a successful wipe) the log is copied into. A custom head for this log can be defined in a text file (“Head of log file”, log_head.txt by default).
Be aware that this module is extremely dangerous as it is designed to erase data! There will be no “Are you really really sure questions” as Windows users might be used to.
Settings
The Linux version has an additional settings tab. The sudo password can be set for operations needing root previliges. Make sure your user account is configured for sudo. A GUI for blockdev --setro/--setrw is provided and a software writeblocker can be enabled ord disabled. Be aware that setting blockdevices to read-only is not 100% safe. Make sure you do not mount devices you want to keep untouched. Disable all auto-mounting as provided e.g. by graphical file managers. Best idea might be to use a pure window manager instead of full desktop environments for forensic work.
Legal Notice
License
Respect GPL-3: https://www.gnu.org/licenses/gpl-3.0.en.html
Disclaimer
Use the software on your own risk.
This is not a commercial product with an army of developers and a department for quality control behind it.