DFIR - Imaging Tools
|
This article is being considered for deletion! Reason: This is not an application page and only links to several web-pages. Whats the benefit for an openSUSE User?. Please do not blank, merge, or move this article, or remove this notice. Refer to this article's discussion page and our deletion policy for more information. |
The description of the above image
Download for openSUSE
Vendor: ApplicationVendor
Developer: ApplicationProject
License: License
Web: http://application.org
About
There are a variety of forensic imaging tools. At a high-level they provide functionality similar in concept to "dd if=/dev/sda of=image_file".
dd itself can be used by wrapping it ins scripts. This article discusses other available tools.
Features
- Used by computer forensic and incident response professionals, but also useful as a cloning tool for general users
- Multiple output formats supported including raw (dd), EnCase 4,5,6, AFF, etc.
- md5 hash verification typically available, as well as others
- Many ask for meta information such as drive manufacturer, serial number, etc.
- When used for evidence it can record relevant chain of custody information and custodian information.
Imaging Tools
| Tool | 11.4 | 12.1 | 12.2 | factory | other | comment | General Remarks |
| adepto | N/A | N/A | N/A | N/A | N/A | adepto is included in the helix boot cd | |
| aimage | N/A | N/A | N/A | N/A | security/3.2.5 | a imaging tool to create aff format images | aimage has been EOL'ed. guymager or ftkimager (windows/mac) are recommended for creating aff images. |
| AIR | N/A | N/A | N/A | N/A | N/A | Automated Image and Restore | a GUI front-end to dd and dc3dd designed for easily creating forensic bit images |
| dc3dd | N/A | N/A | v7.1.614 | v7.1.614 | security/7.1.614 | DoD Cyber Crime Center DD | This tool was formerly known as dcfldd. When released as dc3dd it was totally rewritten. |
| ddrescue / gnu_ddrescue | v1.14 | v1.14 | v1.15 | v1.16 | Base:System | Also known as GNU ddrescue | This tool is different than dd_rescue. |
| dd_rescue | v1.23 | v1.24 | v1.28 | v1.28 | Base:System | This tool is different than ddrescue. | |
| ewfacquire | N/A | N/A | v20100226 | v20120813 | security | a imaging tool to create ewf format images | ewfacquire is part of ewftools in some distributions. |
| IXimager | N/A | N/A | N/A | N/A | N/A | A law enforcement only imager | used in conjunction with ILook Investigator |
| LinEn | N/A | N/A | N/A | N/A | N/A | a proprietary imaging tool to create ewf format images | included on the Helix boot CD |
| guymager | N/A | N/A | N/A | N/A | N/A | a imaging tool to create aff format images | Guymager is an open source forensic imager. It focuses on user friendliness and high speed. |
| rdd | N/A | N/A | N/A | N/A | N/A | a dd-like tool, with forensic imaging features | Rdd is robust with respect to read errors |
| sdd | N/A | N/A | N/A | N/A | Archiving:Backup/1.52 | a dd-like tool | Designed to work well when IBS != OBS. Working with tape is an example. |
External links
For fedora and ubuntu, you can find summary information about available tools at: