fiwalk - find and extract files of a given type

License: GPL
Vendor: cert.org
Description:
fiwalk is a program that processes a disk image using the SleuthKit
library and outputs its results in Digital Forensics XML, the Attribute
Relationship File Format (ARFF) format used by the Weka Datamining
Toolkit, or an easy-to-read textual format.

The fiwalk source code comes with fiwalk.py, a Python module that makes
it easy to create digital forensics programs. Also included are several
demonstration programs that use fiwalk.py:
	* iblkfind.py - Given a disk block in a disk image, this program
	  tells you which file(s) map to that sector.
	* icarvingtruth.py - Given two or more images of the same disk
	  at different points in time, this program finds files that are
	  present in the earlier images but can only be recovered from the
	  later images using file carving techniques.
	* idifference.py - Given two or more images of the same disk at
	  different points in time, this program tells you what changes
	  took place between each one.
	* iextract.py - Allows the extraction of files that match a
	  particular pattern.
	* igrep.py - Searches every file in a disk image for a particular
	  string. For each match, it prints the file and the offset within
	  the file at which the string was found.
	* ihistogram.py - Prints a histogram of file types found in the disk image.
	* imap.py - Displays a “map” of where files are present in
	  the disk image.
	* imicrosoft_redact.py - Modifies a disk image of a bootable
	  Microsoft operating system so that the image can no longer be
	  booted and so that no Microsoft-copyrighted file in the \Windows
	  directory can be executed. This allows the disk image of a
	  Microsoft operating system to be distributed without implicitly
	  violating Microsoft's copyright.
	* iredact.py - An experimental disk redaction program which
	  allows the removal of specific files matching specific criteria.
	* iverify.py - Given a disk image and a previously created
	  DFXML file, verifies that each file in the DFXML file is still
	  present in the disk image.
	* sanitize_xml.py - Given a DFXML file, sanitize file names so
	  that no personally identifiable information is leaked if the
	  DFXML file is distributed.

Packages

fiwalk-0.6.16-2.el6.i686 [144 KiB] Changelog by Lawrence R. Rogers (2012-11-26):
* Release 0.6.16-2
	Rebuilt with the sleuthkit 4.0.1
fiwalk-0.6.16-1.el6.i386 [147 KiB] Changelog by Simson Garfinkel (2011-12-02):
* Release 0.6.16-1
	* xml.cpp: moved library versions from xml.h to xml.cpp
	  (xml::add_DFXML_build_environment): now includes exiv2 version in dfxml output
	* xml.cpp (printf): added #ifdef GNUC_HAS_DIAGNOSTIC_PRAGMA to allow compiling with older GCC
	* python/ireport.py: renamed from istats and changed to work with dfxml
	* python/Makefile.am (EXTRA_DIST): Changed istats to ireport.
	* python/dfxml.py (fileobjects_iter): replaced iteritems() with items() to allow for migration to Python 3.
	  Replaced unicode() with "" for migration to Python 3.

Listing created by Repoview-0.6.6-4.el7