DOCSLIB.ORG

DSCRETE: Automatic Rendering of Forensic Information from Memory Images Via Application Logic Reuse

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

DSCRETE: Automatic Rendering of Forensic Information from Memory Images via Application Logic Reuse Brendan Saltaformaggio, Zhongshu Gu, Xiangyu Zhang, Dongyan Xu Department of Computer Science and CERIAS Purdue University, West Lafayette, IN 47907 fbsaltafo, gu16, xyzhang, [email protected] Abstract involves powering down a workstation, preserving im- ages of any storage devices (e.g., hard disks, thumb drive, State-of-the-art memory forensics involves signature- etc.), and later analyzing those images to recover eviden- based scanning of memory images to uncover data struc- tiary files. However, this procedure results in a signifi- ture instances of interest to investigators. A largely unad- cant loss of live evidence stored in the system’s RAM — dressed challenge is that investigators may not be able to executing processes, open network connections, volatile interpret the content of data structure fields, even with a IPC data, and OS and application data structures. deep understanding of the data structure’s syntax and se- Increasingly, forensic investigators are looking to ac- mantics. This is very common for data structures with cess the wealth of actionable evidence stored in a sys- application-specific encoding, such as those represent- tem’s memory. Typically, this requires that an investiga- ing images, figures, passwords, and formatted file con- tor have access to a suspected machine, prior to it being tents. For example, an investigator may know that a powered down, to capture an image of its volatile mem- buffer field is holding a photo image, but still can- ory. Further, memory acquisition (both hardware [6] and not display (and hence understand) the image. We call software [25] based) must be as minimally invasive as this the data structure content reverse engineering chal- possible since they operate directly on the machine under lenge. In this paper, we present DSCRETE, a system investigation. The resulting memory image is then ana- that enables automatic interpretation and rendering of in- lyzed offline using memory analysis tools. Therefore, the memory data structure contents. DSCRETE is based on goal of memory analysis tools (like the work presented in the observation that the application in which a data struc- this paper) is to recreate, in the forensics lab, the system’s ture is defined usually contains interpretation and render- previously observable state based on the memory image. ing logic to generate human-understandable output for that data structure. Hence DSCRETE aims to identify Uncovering evidence from memory images is now and reuse such logic in the program’s binary and create an essential capability in modern computer forensics. a “scanner+renderer” tool for scanning and rendering in- Most state-of-the-art solutions locate data structure in- stances of the data structure in a memory image. Differ- stances in a memory image via signature-based scan- ent from signature-based approaches, DSCRETE avoids ning. Currently these signatures are either value- reverse engineering data structure signatures. Our evalu- invariant based [2, 3, 9, 21, 23, 26], where data struc- ation with a wide range of real-world application binaries ture fields are expected to have known value patterns, shows that DSCRETE is able to recover a variety of ap- or structural-invariant based [5, 16, 17, 24], which rely plication data — e.g., images, figures, screenshots, user on points-to invariants between data structures. In both accounts, and formatted files and messages — with high cases, data structure signatures will first be derived by accuracy. The raw contents of such data would otherwise analyzing the corresponding programs. Then the signa- be unfathomable to human investigators. tures will be used to scan memory images and identify instances of the data structures. Contents of the identi- fied instances will be presented to forensic investigators 1 Introduction as potential evidence. A significant challenge, not addressed in existing Traditionally, digital investigations have aimed to re- memory forensics techniques, is that investigators may cover evidence of a cyber-crime or perform incident re- not be able to interpret the content of data structure sponse via analysis of non-volatile storage. This routine fields, even with the data structure’s syntax and seman- XRefWriter @ 0xf5e7c0 { ... std::string pdfVersion { ObjectStorage @ 0xfd51c0 { ObjectStorage @ 0xfcf710 { int length = 3 const ::Ref K { const ::Ref K { char* s = 0xcfc660 "1.4" int num = 8 int num = 5 } int gen = 0 int gen = 0 uint* streamEnds = 0x0 } } int streamEndsLen = 0 ObjectEntry* V = 0xfbf4b0 ObjectEntry* V = 0xfcb840 ObjectStream* objStr = 0x0 } } bool useEncrypt = 0 bool encrypted = 0 ... ChangedStorage { ObjectEntry @ 0xfbf4b0 { ObjectEntry @ 0xfcb840 { std::map<K, V> Mapping Object* object = 0xd403a0 Object* object = 0xfccfb0 } } } ... } Object @ 0xd403a0 { Object @ 0xfccfb0 { ObjType = objStream ObjType = objDict union { union { ... ... Stream* stream = 0xfce3a8 Dict* dict = 0xfcdd40 ... ... } } } } Stream @ 0xfce3a8 { Dict @ 0xfcdd40 = { void* _vptr = 0x7f3140 XRef* xref = 0xf56e50 int ref = 1 DictEntry* entries =0xfceff0 } int size = 8 int length = 7 int ref = 1 } (a) Signature-based scanner output. (b) DSCRETE-based scanner output. Figure 1: Illustration of content reverse engineering challenge. (a) Raw content of an in-memory data structure instance representing a PDF file. (b) The same data structure after applying DSCRETE’s scanner based on content reverse engineering. tics. This is very common for data structures with verse engineering, we present a concrete example (from application-specific encoding, such as those represent- Section 4). Figure 1a shows the raw content of an in- ing images, passwords, messages, or formatted file con- memory data structure graph representing a PDF file. tents (e.g., PDF), all of which are potential evidence in This is the output produced by existing signature-based a forensic investigation. For example, an investigator scanners. For comparison, Figure 1b shows the same may know that a buffer field is holding a photo image data structure content after applying DSCRETE’s scan- (through existing data structure reverse engineering and ner with content reverse engineering capability. It is scanning techniques [9, 15–17, 24, 26]), but still cannot quite obvious that the reverse-engineered content would display (and hence understand) the image. Similarly, a be far more helpful to investigators than the raw data message_body field may hold an instant message, but structure content. the message is encoded, and hence it cannot be readily We have performed extensive experimentation with interpreted. We call this the data structure content re- DSCRETE using a wide range of real-world commodity verse engineering challenge. application binaries. Our results show that DSCRETE is To enable automatic data structure content reverse en- able to recover a variety of application data — e.g., im- gineering, we present DSCRETE1, a system that auto- ages, figures, screenshots, user accounts, and formatted matically interprets and renders contents of in-memory files and messages — with very high accuracy. The raw data structures. DSCRETE is based on the following contents of such data would otherwise be unfathomable observation: The application, in which a data structure to human investigators. is defined, usually contains interpretation and rendering The remainder of this paper is organized as follows: logic to generate human-understandable output for that Section 2 presents an overview of DSCRETE. Section 3 data structure. Hence the key idea behind DSCRETE details the design of DSCRETE. Section 4 presents our is to identify and reuse such interpretation and render- evaluation results. Section 5 discusses some observations ing logic in a binary program — without source code — from our evaluation, current limitations, and future direc- to create a “scanner+renderer” tool. This tool can then tions for this research. Section 6 discusses related works identify instances of the data structure in a memory im- and Section 7 concludes the paper. age and, most importantly, render them in the applica- tion’s original output format to facilitate human percep- 2 System Overview tion and avoid the overhead of reverse engineering data structure signatures required by signature-based memory 2.1 Key Idea: Executable Code Reuse image scanners. To illustrate the challenge of data structure content re- DSCRETE is based on reusing the existing data struc- ture interpretation and rendering logic in the original 1DSCRETE stands for “Data Structure Content Reverse Engineer- application binary. As a simple example, consider the ing via execuTable rEuse,” pronounced as “discrete.” Linux gnome-paint application. At the high-level, gnome-paint works as follows: An input image file tion” (Section 3.2), a graph closure algorithm is used to is processed into various internal application data struc- formulate a list of possible candidates for P. Each can- tures. The user then performs edits to and saves the im- didate is tested, by the “tester” component (Section 3.3), age. To save the image, gnome-paint will reconstruct with a ground truth data structure instance to determine a formatted image from its internal data structures and if it can serve as a viable memory scanner. write this image to the output file. Once the specific application logic (P) is identified, Later, if a forensic investigator wanted to recover the DSCRETE packages this logic as a context-free memory edited
Recommended publications
  • Ubuntu Kung Fu

    Ubuntu Kung Fu

    Prepared exclusively for Alison Tyler Download at Boykma.Com What readers are saying about Ubuntu Kung Fu Ubuntu Kung Fu is excellent. The tips are fun and the hope of discov- ering hidden gems makes it a worthwhile task. John Southern Former editor of Linux Magazine I enjoyed Ubuntu Kung Fu and learned some new things. I would rec- ommend this book—nice tips and a lot of fun to be had. Carthik Sharma Creator of the Ubuntu Blog (http://ubuntu.wordpress.com) Wow! There are some great tips here! I have used Ubuntu since April 2005, starting with version 5.04. I found much in this book to inspire me and to teach me, and it answered lingering questions I didn’t know I had. The book is a good resource that I will gladly recommend to both newcomers and veteran users. Matthew Helmke Administrator, Ubuntu Forums Ubuntu Kung Fu is a fantastic compendium of useful, uncommon Ubuntu knowledge. Eric Hewitt Consultant, LiveLogic, LLC Prepared exclusively for Alison Tyler Download at Boykma.Com Ubuntu Kung Fu Tips, Tricks, Hints, and Hacks Keir Thomas The Pragmatic Bookshelf Raleigh, North Carolina Dallas, Texas Prepared exclusively for Alison Tyler Download at Boykma.Com Many of the designations used by manufacturers and sellers to distinguish their prod- ucts are claimed as trademarks. Where those designations appear in this book, and The Pragmatic Programmers, LLC was aware of a trademark claim, the designations have been printed in initial capital letters or in all capitals. The Pragmatic Starter Kit, The Pragmatic Programmer, Pragmatic Programming, Pragmatic Bookshelf and the linking g device are trademarks of The Pragmatic Programmers, LLC.
  • How to Get Kubuntu Desktop on Ubuntu Server?

    How to Get Kubuntu Desktop on Ubuntu Server?

    [ How to get kubuntu desktop on ubuntu server ] User rating: May 16, · Use the arrow key to scroll down the list and find Ubuntu desktop. Use the Space key to select it, press Tab to select OK at the bottom, then press Enter. The system will install the software and reboot, giving you a graphical login screen generated by . How to Install Desktop on Ubuntu Server. One main difference between Ubuntu Server and Desktop is that Ubuntu Server Edition does not install a graphical user interface by default. We don’t need a desktop to work with Ubuntu server, because the Linux command line interface is very powerful, more efficient and very easy to use. If you find yourself wanting a desktop environment after you have installed Ubuntu server you can easily add it. Pick your favorite desktop environment from the list below and run the associated command. Remember that installation software requires root privileges so use “sudo” or switch to the root user before you begin the installation. Nov 13, · Ubuntu Install Kde Desktop Lockscreen Select The default GNOME Desktop will be available in the “Ubuntu” session. If you want to use the Wayland Display Server, you can select the appropriate option for that. After logging in, you will be at the KDE Desktop Home. Download Ubuntu desktop, Ubuntu Server, Ubuntu for Raspberry Pi and IoT devices, Ubuntu Core and all the Ubuntu flavours. Ubuntu is an open-source software platform that runs everywhere from the PC to the server and the cloud. sudo apt-get install tasksel sudo tasksel remove ubuntu-desktop sudo tasksel install server sudo apt-get update sudo apt-get install linux-server linux-image-server sudo apt-get purge lightdm These commands can help you to competly convert an Ubuntu Desktop to Ubuntu Server.
  • Multi Software Product Lines in the Wild

    Multi Software Product Lines in the Wild

    AperTO - Archivio Istituzionale Open Access dell'Università di Torino Multi software product lines in the wild This is the author's manuscript Original Citation: Availability: This version is available http://hdl.handle.net/2318/1667454 since 2020-07-06T10:51:50Z Publisher: Association for Computing Machinery Published version: DOI:10.1145/3168365.3170425 Terms of use: Open Access Anyone can freely access the full text of works made available as "Open Access". Works made available under a Creative Commons license can be used according to the terms and conditions of said license. Use of all other works requires consent of the right holder (author or publisher) if not exempted from copyright protection by the applicable law. (Article begins on next page) 27 September 2021 Multi Software Product Lines in the Wild Michael Lienhardt Ferruccio Damiani [email protected] [email protected] Università di Torino Università di Torino Italy Italy Simone Donetti Luca Paolini [email protected] [email protected] Università di Torino Università di Torino Italy Italy ABSTRACT 1 INTRODUCTION Modern software systems are often built from customizable and A Software Product Line (SPL) is a set of similar programs, called inter-dependent components. Such customizations usually define variants, with a common code base and well documented variabil- which features are offered by the components, and may depend ity [1, 6, 19]. Modern software systems are often built as complex on backend components being configured in a specific way. As assemblages of customizable components that out-grow the expres- such system become very large, with a huge number of possible siveness of SPLs.
  • Recommended Software and How to Install It

    Recommended Software and How to Install It

    Recommended Software and how to install it. Date Created 15th March 2020 Reviewed V3 Description: These notes can be used on the Raspberry Pi 4 Workstation and the Raspbian for PC/Mac operating system www.giakonda.org.uk [email protected] Recommended Software and how to install it. Table of Contents Open-Source Software..........................................................................................................................2 General Interest Tasks......................................................................................................................3 Internet applications....................................................................................................................3 For MultiMedia work..................................................................................................................3 Taking Screen Shots.........................................................................................................................5 Gnome Screen Shot.....................................................................................................................5 Doing techie stuff.............................................................................................................................6 Storage managers........................................................................................................................6 Remote Working.........................................................................................................................6
  • Oracle® Solaris 11.3 Desktop User's Guide

    Oracle® Solaris 11.3 Desktop User's Guide

    ® Oracle Solaris 11.3 Desktop User's Guide Part No: E54809 April 2020 Oracle Solaris 11.3 Desktop User's Guide Part No: E54809 Copyright © 2011, 2020, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
  • Beginning Ubuntu for Windows and Mac Users

    Beginning Ubuntu for Windows and Mac Users

    Beginning Ubuntu for Windows and Mac Users Nathan Haines Beginning Ubuntu for Windows and Mac Users Copyright © 2015 by Nathan Haines This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher's location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law. ISBN-13 (pbk): 978-1-4842-0609-6 ISBN-13 (electronic): 978-1-4842-0608-9 Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
  • DVD: Suse Linux 10.0

    DVD: Suse Linux 10.0

    LINUX MAGA On this DVD: Suse Linux 10.0 Linux kernel 2.6.13 ZINE X.org 6.8.2 KDE 3.4.2 Gnome 2.12 OpenOffice 2.0 pre-release KOffice 1.4 GIMP 2.2.8 ISSUE Inkscape 0.42 Evolution 2.4 Firefox 1.0.6 Xen 3 preview 62 GCC 4.0 RealPlayer 10.0.1 SUSE LINUX Banshee 0.9.7 Kaffeine 0.7.1 MySQL 4.1.9 In August 2005, Novell announced a dramatic new direction for Suse Linux. Suse, they said, was now a community project, with volunteer developers participating in reviewing, testing, and development. They announced that the fi rst release of this new 10.0 community-based Suse would be Suse Linux 10.0. Now Suse Linux has fi nally arrived, and we are proud to include it as this month's Linux DVD is Linux Kernel 2.6.11, along with for the desktop user. Included is a pre- Magazine DVD. Suse Linux 10.0 combines KDE 3.4.2 and GNOME 2.12. Updated release version of the OpenOffi ce.org Suse's long Linux tradition with the technical components include GCC 4.0, glibc 2.0 productivity suite. muscle of Novell and the agility of the 2.3.5, and the Xen 3 technical preview. The Kontact personal information mana- community framework. On this DVD, you'll ger, and the alternative Evolution suite, fi nd the great tools that have made Suse Some of the new tools in Suse 10.0 in- contain tools for managing your email, Linux one of the world's great Linux clude the AppArmor intrusion detection calendar, and address book.
  • MX-19.2 Users Manual

    MX-19.2 Users Manual

    MX-19.2 Users Manual v. 20200801 manual AT mxlinux DOT org Ctrl-F = Search this Manual Ctrl+Home = Return to top Table of Contents 1 Introduction...................................................................................................................................4 1.1 About MX Linux................................................................................................................4 1.2 About this Manual..............................................................................................................4 1.3 System requirements..........................................................................................................5 1.4 Support and EOL................................................................................................................6 1.5 Bugs, issues and requests...................................................................................................6 1.6 Migration............................................................................................................................7 1.7 Our positions......................................................................................................................8 1.8 Notes for Translators.............................................................................................................8 2 Installation...................................................................................................................................10 2.1 Introduction......................................................................................................................10
  • Operating Systems II

    Operating Systems II

    Operating Systems II Vimalkumar Velayudhan April 11, 2007 Vimalkumar Velayudhan Operating Systems II Linux distribution A Linux distribution is = The Linux kernel(OS) + Application software Popular ones are Company/Organization Commercial Version Open Source Version Redhat Redhat Enterprise Linux Fedora Core Novell SuSE Linux Enterprise openSuSE Debian - Debian GNU/Linux Mandriva Mandriva Corporate Desktop/Server Mandriva Linux Vimalkumar Velayudhan Operating Systems II Which One to Choose? If one requires technical support, the commercial versions are the best option Open Source versions are freely available for download and are often distributed with IT magazines like Linux For You1 and Digit2 For a new Linux user my recommendations are openSuSE or Ubuntu Linux 1http://www.linuxforu.com 2http://www.thinkdigit.com Vimalkumar Velayudhan Operating Systems II Installation Basic requirements Intel pentium systems I, II, III or IV (can even run on older ones) Minimum 256 MB RAM for a Graphic User Interface (KDE or GNOME) A hard disk - 5 - 10GB hard disk space Notes Linux can be installed along with Windows systems (Multiboot) Requires partitioning of the hard disk and formatting to ext2 or ext3 lesystems Linux can also read and write data on the windows partitions Vimalkumar Velayudhan Operating Systems II Live Linux Distributions Also known as Live CD's3 Does not require any installation onto hard disk Can run directly from the CD Can be used for learning and to try out new distributions Atleast 256 - 512MB RAM is required Some examples include Ubuntu, Knoppix and Slax Live CD's with Bioinformatics software pre-installed are also available. Examples include VLinux4, BioKnoppix, Vigyaan CD.
  • Showing JPG Comments in an Image Browser John C

    Showing JPG Comments in an Image Browser John C

    Showing JPG comments in an image browser John C. Nash 2017-06-04 The Conclusions (up front!) The JPEG image standard allows several ways to save caption information INSIDE an individual JPG file. This is important, as captions stored separately can be “lost” if filenames are changed. However, which choice of mechanism to use leads to confusion. Here I recommend the “Comment” field be used. This is available via rdjpgcom and wrjpgcom tools in Linux. On Windows, or under WINE in Linux, Irfanview is quite capable (Image/Info/Comment), but mapivi which is cross platform is sometimes better for adding comments. For Linux I found feh allowed a simple script to display images with comments for a quick verification of the caption. Irfanview offers a full-screen option that is similar. Having got into “production” mode, I discovered that it was, or at least feels, more efficient to work mostly in Irfanview. The background to this is outlined in the section “Production workflow”. Motivations My wife and I have a lot of photos. We don’t look at them very often, but they do represent memories and serve to remind us of events in our past. There are also some that should be passed to other family and friends. The many albums take up space, and are not terribly well stored. For this reason we have been scanning them. Images on their own are not particularly useful. Therefore we have been adding captions, using the “Comment” capability of JPG files. This is in the IPTC tags of the JPEG standard (https://en.wikipedia.org/wiki/JPEG).
  • Var/Www/Apps/Conversion/Tmp

    Var/Www/Apps/Conversion/Tmp

    : gettext lvresize run_init ! gettextize lvs runlevel ./ gettext.sh lvscan running-circles [ gfortran lwp-download run-parts [[ ghostscript lwp-dump runuser ]] gif2tiff lwp-mirror rvi { gij lwp-request rview } gindxbib lwp-rget rvim a2p git lz s2p ab git-receive-pack lzcat sa abrt-backtrace git-shell lzcmp sadf abrt-cli git-upload-archive lzdiff safe_finger abrtd git-upload-pack lzegrep sandbox abrt-debuginfo-install gjar lzfgrep saned abrt-handle-upload gjarsigner lzgrep sane-find-scanner ac gkeytool lzless sar accept glibc_post_upgrade.x86_64 lzma saslauthd accton glookbib lzmadec sasldblistusers2 aclocal gls-dns-forward lzmainfo saslpasswd2 aclocal-1.11 gls-email-iptables lzmore saytime aconnect gls-grade-securevnc-backend lzop scanimage acpid gls-makebridge m4 scp acpi_listen gls-munge-grub magnifier script activation-client gls-munge-rootpw mail scriptreplay addftinfo gls-resetvm Mail scrollkeeper-config addgnupghome gls-vserver-network mailq scrollkeeper-extract addpart gls-vserver-network2 mailq.postfix scrollkeeper-gen-seriesid addr2line glxgears mailq.sendmail scrollkeeper-get-cl adduser glxinfo mailstat scrollkeeper-get-content-list agetty gmake mailstats scrollkeeper-get-extended-content-list alias gneqn mailx scrollkeeper-get-index-from-docpath alsactl gnome-about make scrollkeeper-get-toc-from-docpath alsa-info gnome-about-me MAKEDEV scrollkeeper-get-toc-from-id alsa-info.sh gnome-appearance-properties makedumpfile scrollkeeper-install alsamixer gnome-at-mobility makemap scrollkeeper-preinstall alsaunmute gnome-at-properties
  • Capturar Imagens De Dados Aimage, Air, Btktool, Dc3dd

    Capturar Imagens De Dados Aimage, Air, Btktool, Dc3dd

    Capturar aimage, air, btktool, dc3dd, dc3dd GUI, dd, ddrescue, Imagens de dd_rescue, linen, rdd_copy, rddi, sdd, Guymager, dcfldd, Dados cstream, dds2tar, disktype Captura tela Gnome-Screenshot Dump de memdump memória Geração de DHash, GtkHash, md5deep, md5sum, sha1deep, Hash sha1sum, sha256deep, sha256sum, ssdeep Identificação Discover, Hardinfo, lshw, lshw-GTK, Sysinfo, scsitools, de HW lspci, lsusb, blktool, disktype, file Limpar midias Wipe, shred AFFTools Afcat, afcompare, afconvert, afinfo, afstats, afxml ewfacquire, ewfacquirestream, ewfexport, ewfinfo, EWFTools ewfverify, mount_ewf.py Antivírus clamav Arquivos Cabextract, orange, p7zip, unace, unrar, unshield, Compactados Xarchiver, zoo, lzop, arj, MScompress, msexpand, star Arquivos de Dcraw, exif, exifautotran, exifprobe, exiftags, exiv2, Imagem jhead, jpeginfo, vinetto, exifgrep, dcraw Antiword, fccu-docprop, mdb-hexdump, readpst, Arquivos MS RegLookup, regp, tnef, Rifiuti, Grokevt, dumpster- dive.pl Bcrypt, ccrypt, Gdecrypt, Outguess, TrueCrypt, cryptcat, Cripto-Stegano sshfs Editor Hexa Bless, ghex2, hexdump blkcalc, blkcat, blkls, blkstat, disk_sreset, disk_stat, Ferramentas ffind, fls, fsstat, hfind, icat, ifind, ils, img_cat, img_stat, Sleuthkit istat, jcat, jls, mactime, mmcat, mmls, mmstat, sigfind, sorter Linha do mac-robber, mactime Tempo Localizar dados glark, gnome-search-tool, Sgrep ntfscat, ntfsclone, ntfscluster, ntfsinfo, ntfslabel, ntfsls, NTFStools ntfssundelete Quebra de fcrackzip, john the Ripper, medussa, ophcrack, ophcrack- Senha cli, chntpw, samdump, bkhive,