BASH SCRIPTS AND TOOLS
KS v. 2.1 (new! file types added) - This is a keyword searching tool. Run it with: sudo bash ks.sh. It mounts a DD image file, extracts all deleted files and slack space, carves data from the free space only, and indexes everything with RECOLL. You need:
The Sleuthkit (last release)
Photorec
MD5Deep
RECOLL
It stores the index DB and the recoll.conf in the chosen output directory.
(MD5: 2dd75047c1ccaf63da963a4778134d28)
FileInfo v. 0.2 - A GUI forensic tool for Ubuntu Linux designed to extract information from files, PE32 headers, thumbnails from JPEG and EXIF data. This tool is tested on Ubuntu 10.10 and Kubuntu 10.04. It uses zenity, libimage-exiftool-perl, and many other tools shipped with the main Linux distributions.
(MD5: f13f620d84a11b1bac291686d1647291)
NBTempo v. 1.1 (new!) - This is a GUI (Graphical User Interface) Bash script for building file timelines and reporting them in CSV (spreadsheet) format. It needs TSK 3.2.1 and YAD (Yet Another Dialog). (TSK based)
(MD5: 15967f40e4de7a326949f561aeea034b)
XMount-GUI 1.01 (new!) - Bash script using YAD - xmount allows you to convert on the fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format or VMware's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files, which is redirected to a cache file. This makes it possible to boot acquired hard disk images using QEMU, KVM, VirtualBox, VMware or the like. This is a graphical user interface by John Lehr.
(MD5: C0DF7EA60E410BE4061A31F76375DF92)
Raw2FS 1.2 - Bash script - It can resolve the original file name starting from the carved file name generated by the Foremost tool, save it, and generate an HTML report. It can also resolve the file name starting from the offset of a "grep" keyword search. The tool automatically detects when the partition changes and, if the keyword lies in slack space, records the sector/cluster/block where it is found (remember: FAT -> sector, NTFS -> cluster, ext2/3 -> block). (TSK based)
MD5: 72EF33F7AD0F2F429BAECA282DC9B496 (updated 29/04/2009!)
MultiFS 1.1 - Bash script - this tool can detect and extract hidden file systems. (TSK based)
MD5: 70A2DB818E1A045249EB26DA8D45427A
SFDumper 2.2 - Bash script - this is a selective file retriever that works on active, deleted and carved files. It can run a keyword search over the retrieved files. (TSK based)
MD5: 1037A96DFE56F0E53D90672884996DDD
FUNDL 2.0 - Bash script - this is a selective deleted-file retriever with HTML reporting. (TSK based)
MD5: CFFACDE9290D96CBF20D332910139F27
FKLook - Bash script - with this script you can search for a keyword across many files; it copies only the files that match the keyword into a separate directory of your choosing.
MD5: 6748FAB3CE858BE4DC0A999436E39440
Offset_Brute_Force - Bash script - This is a quick and dirty Bash script written to brute-force the partition offset, looking for a hidden partition and trying to mount it. Example: $ ./force.sh pen-drive.dd 0 4194304
MD5: 006060382f66661707907b03fcbc0320
fod v. 0.2 - Bash script - "fod" stands for "Foremost output divide". This is a simple script for splitting the contents of the Foremost output directory into subdirectories holding a defined number of files for each file format.
MD5: ff150dccf6774d55a7409d740132a10a
PXS Installer 1.5.1 - Bash script - this is the easiest way to install PTK on an Ubuntu workstation, using XAMPP as the web server. This script installs PTK, Stk, libewf, afflib, XAMPP and all required packages.
MD5: CA14F76AB3098E1A36A45B18CE2D8233
If you want to give us feedback or would like to upload one of your digital forensics scripts/tools, please use the CONTACT link.