Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
The GNU Core Utilities are the basic file, shell and text manipulation utilities of the GNU operating system.
These are the core utilities which are expected to exist on every operating system.
dcfldd is an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the GNU Coreutils package, dcfldd has the following additional features:
- Hashing on-the-fly - dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
- Status output - dcfldd can update the user on its progress in terms of the amount of data transferred and how much longer the operation will take.
- Flexible disk wipes - dcfldd can be used to wipe disks quickly and with a known pattern if desired.
- Image/wipe Verify - dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
- Multiple outputs - dcfldd can output to multiple files or disks at the same time.
- Split output - dcfldd can split output to multiple files with more configurability than the split command.
- Piped output and logs - dcfldd can send all its log data and output to commands as well as files natively.
Autopsy® and The Sleuth Kit® are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.
Examiners and analysts can use the Autopsy graphical interface or The Sleuth Kit (TSK) command line tools to conduct an investigation. Join the sleuthkit-users list to ask questions and help others.
Developers can write modules to extend the functionality of both Autopsy and TSK. Refer to the Autopsy Developer's Guide or the TSK Framework Module Writer's Guide for details on how to incorporate your tools into TSK and Autopsy.
If you need a custom, automated solution, then you can build one using the TSK libraries or the framework. We have also done research on using Hadoop to analyze disk images using cloud computing infrastructures.
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.