Included Forensic Tools

Linux comes with a number of simple utilities that make imaging and basic analysis of suspect disks and drives comparatively easy. These tools include:

  • dd - command used to copy from an input file or device to an output file or device. Simple bitstream imaging.

  • sfdisk and fdisk - used to determine the disk structure.

  • grep - search files (or multiple files) for instances of an expression or pattern.

  • The loop device - allows you to mount an image without having to rewrite the image to a disk.

  • md5sum and sha1sum - create and store an MD5 or SHA hash of a file or list of files (including devices).

  • file - reads a file's header information in an attempt to ascertain its type, regardless of name or extension.

  • xxd - command line hexdump tool. For viewing a file in hex mode.

  • ghex and khexedit - the Gnome and KDE (X Window interfaces) hex editors. Both have primitive search and byte selection capabilities.

Following is a very simple series of steps to allow you to perform an easy practice analysis using the simple Linux tools mentioned above. All of the commands can be further explored with "man command". For simplicity we are going to use a floppy from a DOS machine. Again, this is just an introduction to the basic commands. These steps can be far more powerful with some command line tweaking.
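As an added example (not part of the original page), the acquisition half of these steps in POSIX sh: a constructed 1440 KiB stand-in file replaces the real /dev/fd0, dd makes the bitstream image, sha1sum records the hash of source and image so they can be compared, and a later re-hash confirms the image is unchanged. The read-only loop mount is shown as a function only, since it needs root; all paths and names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: acquire and verify a bitstream image with dd and sha1sum.

# Constructed stand-in for a 1.44 MB floppy (1440 KiB of zeros plus a marker),
# so the example runs without a real /dev/fd0.
make_sample_device() {
    dev="$1"
    dd if=/dev/zero of="$dev" bs=1024 count=1440 2>/dev/null
    printf 'EVIDENCE' | dd of="$dev" bs=1 seek=512 conv=notrunc 2>/dev/null
}

# Bitstream-copy SRC to IMG (noerror,sync keeps going past bad sectors and pads
# them), record SHA-1 of source and image, return 0 only if the two hashes match.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    sha1sum "$src" | awk '{print $1}' > "$img.src.sha1"
    sha1sum "$img" | awk '{print $1}' > "$img.sha1"
    [ "$(cat "$img.src.sha1")" = "$(cat "$img.sha1")" ]
}

# Re-hash an image later (e.g. after analysis) and compare with the stored hash.
verify_image() {
    img="$1"
    [ "$(sha1sum "$img" | awk '{print $1}')" = "$(cat "$img.sha1")" ]
}

# Mount the image read-only through the loop device and run `file` over its
# contents. Requires root, so it is defined here but not executed below.
mount_image_ro() {
    img="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nodev "$img" "$mnt" || return 1
    find "$mnt" -type f -exec file {} +
}

# Stand-alone demonstration on the constructed stand-in device.
DEMO=$(mktemp -d)
make_sample_device "$DEMO/fd0"
if acquire_image "$DEMO/fd0" "$DEMO/floppy.img"; then
    echo "image verified, sha1 $(cat "$DEMO/floppy.img.sha1")"
fi
```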
