Forensics: Difference between revisions
Old revision (edit summary): Created page with "= Forensics = == Linux == Tools to extract entire system RAM to a file * [https://github.com/504ensicslabs/lime LiME] (Linux Memory Extractor)<br>A Loadable Kernel Module (L..."
New revision: No edit summary

Line 1:
  = Forensics =
+ == Disk ==
+ Tools to recover disk images from disks with errors:
+ * [http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue] (GNU GPL 2 or 3)<br>Like dd, dd_rescue does copy data from one file or block device to another. You can specify file positions (called seek and Skip in dd).
+ * [https://www.gnu.org/software/ddrescue/ ddrescue] (GPL 2 or later)<br>GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying to rescue the good parts first in case of read errors.
+ * [https://www.grc.com/sr/spinrite.htm SpinRite] (Commercial)<br>SpinRite is a computer software program for scanning magnetic data storage devices such as hard disks, recovering data from them and refreshing their surfaces.
+ Tools to recover files from a disk image:
+ * [http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]<br>PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.
  == Linux ==
+ === Memory ===
  Tools to extract entire system RAM to a file
  * [https://github.com/504ensicslabs/lime LiME] (Linux Memory Extractor)<br>A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
  ** Works as a kernel module
  ** Compiles on Linux and Android
Revision as of 21:58, 12 September 2015

Forensics

Disk

Tools to recover disk images from disks with errors:
- dd_rescue (GNU GPL 2 or 3)
  Like dd, dd_rescue does copy data from one file or block device to another. You can specify file positions (called seek and Skip in dd).
- ddrescue (GPL 2 or later)
  GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying to rescue the good parts first in case of read errors.
- SpinRite (Commercial)
  SpinRite is a computer software program for scanning magnetic data storage devices such as hard disks, recovering data from them and refreshing their surfaces.

Tools to recover files from a disk image:
- PhotoRec
  PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

Linux

Memory

Tools to extract entire system RAM to a file
- LiME (Linux Memory Extractor)
  A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
  - Works as a kernel module
  - Compiles on Linux and Android