Selective file dumper
From Wikipedia, the free encyclopedia
| Selective File Dumper | |
|---|---|
| Design by | Nanni Bassetti and Denis Frati |
| Latest release | 1.5 / March 21, 2008 |
| Written in | Bash (shell script) |
| OS | Linux |
| Genre | Computer forensics |
| License | GNU General Public License, GNU Lesser General Public License |
| Website | http://sfdumper.sourceforge.net/ |
Selective File Dumper (SFDumper) is a free, open-source computer forensics tool for Linux systems, written as a Bash script by Nanni Bassetti and Denis Frati.
The script is interactive and selective: the user chooses a file type by extension (e.g. .doc or .jpg) and the script retrieves every file of that type, whether it is active (allocated), deleted, or lies in unallocated space.
SFDUMPER.SH recovers active and deleted files with the Sleuthkit and carves unallocated space with Foremost. It then removes the carved files that duplicate an active or deleted file already recovered by the Sleuthkit, by comparing the SHA-256 hash of each carved file against the hashes of the active and deleted files.
Because carving identifies files by their content rather than their names, files that were renamed to hide their type are still recognised. The Foremost configuration embedded in the script can be extended to add new file types.
Finally, a keyword search can be run over the set of files extracted by the Sleuthkit and Foremost.
The script works on a partition chosen from an image file or directly on a device (e.g. /dev/sdb).
It is free software licensed under the terms of the GNU General Public License (GPL) and the GNU Lesser General Public License (LGPL).
Actions
- Choosing the partition to analyze, from an image file or a device.
- Choosing the file type to recover, by extension.
- Extracting all referenced (allocated) files with that extension.
- Extracting all deleted files with that extension.
- Carving the chosen partition; the script then automatically deletes duplicates, leaving only the carved files that are not already in the referenced or deleted sets.
- Running a keyword search over all the retrieved files.
- Reporting everything with the investigator's name, date and time.
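The de-duplication and keyword-search steps above are the part of the workflow that can be shown without a disk image. The following is an added example, not SFDumper's own code: it assumes three flat directories already populated by the Sleuthkit (active and deleted files) and by Foremost (carved files), compares SHA-256 hashes to drop carved duplicates, and then counts keyword hits over what remains. The Sleuthkit and Foremost invocations themselves are not shown, and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of SFDumper. Assumes ACTIVE_DIR and DELETED_DIR
# hold files recovered by the Sleuthkit and CARVED_DIR holds flat Foremost
# output (real Foremost output is grouped in per-type subdirectories).

# Print the SHA-256 of one file; falls back to shasum on BSD-like userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit "hash path" for every regular file under the given directories.
hash_tree() {
    for dir in "$@"; do
        find "$dir" -type f | while IFS= read -r f; do
            printf '%s %s\n' "$(sha256_of "$f")" "$f"
        done
    done
}

# dedupe_carved ACTIVE_DIR DELETED_DIR CARVED_DIR
# Delete each carved file whose hash matches a file already recovered by
# name; a carved file with no match is renamed or unreferenced content.
# Prints the number of carved files kept.
dedupe_carved() {
    active=$1; deleted=$2; carved=$3
    known=$(mktemp)
    hash_tree "$active" "$deleted" | cut -d' ' -f1 | sort -u > "$known"
    kept=0
    for f in "$carved"/*; do
        [ -f "$f" ] || continue
        h=$(sha256_of "$f")
        if grep -qx "$h" "$known"; then
            rm -f "$f"                 # duplicate of a Sleuthkit-recovered file
        else
            kept=$((kept + 1))         # only reachable through carving
        fi
    done
    rm -f "$known"
    echo "$kept"
}

# keyword_hits KEYWORD DIR...  -> number of files containing KEYWORD (fixed string)
keyword_hits() {
    kw=$1; shift
    grep -rlF -- "$kw" "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed demonstration data (hypothetical; not from a real image).
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/active" "$root/deleted" "$root/carved"
    printf 'quarterly report CONFIDENTIAL\n' > "$root/active/report.doc"
    printf 'old draft\n'                     > "$root/deleted/draft.doc"
    # Two carved copies duplicate files recovered by name; the third is a
    # file no directory entry referenced (e.g. renamed, then wiped).
    cp "$root/active/report.doc"  "$root/carved/00000123.doc"
    cp "$root/deleted/draft.doc"  "$root/carved/00000456.doc"
    printf 'hidden CONFIDENTIAL memo\n'      > "$root/carved/00000789.doc"
    echo "$root"
}

# Run the pipeline on the constructed data; prints "<kept> <keyword hits>".
demo_run() {
    root=$(demo_setup)
    kept=$(dedupe_carved "$root/active" "$root/deleted" "$root/carved")
    hits=$(keyword_hits CONFIDENTIAL "$root/active" "$root/deleted" "$root/carved")
    rm -rf "$root"
    echo "$kept $hits"
}

demo_run
```

On the constructed data only the unreferenced carved file survives de-duplication, and the keyword search then reports two hits: the active report and the carved memo. Hash comparison is exact, so a carved file that Foremost truncated or padded differently from the Sleuthkit copy will not be detected as a duplicate; that is a limitation of the hash-based approach rather than of this example.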
Requirements
Requirements for the GUI version
Usage
sudo sh sfdumper.sh
or
chmod +x sfdumper.sh
./sfdumper.sh