SELECTIVE FILE DUMPER
By Nanni Bassetti - nannib@libero.it and Denis Frati - denis.frati@cybercrimes.it
SFDUMPER 2.2
MD5: EEE04460C684333E056817170011B781
SFDUMPER is on the book "Open Source Software for Digital Forensics" by Springer
Changelog:
Ver. 2.2 - Fixed the "ambiguous redirect bug" and the progress counter.
Ver. 2.1 - the software now works on devices and on RAW / EWF / AFF and split image files.
The output is more orderly and clean.
There are no more errors caused by the output of orphan files.
It can be run from the command line or in interactive mode (the old way of
SFDumper).
It can work better on images/devices with the HFS/HFS+ file system, using
the snapshot feature made available by the Sleuthkit.
Numbers indicating the progress of the work are shown while the software is
running.
These important innovations have eliminated the problems in recovering some
files and made the tool much more flexible and powerful.
**** OLD Releases are HERE ****
Introduction
SFDumper and FUNDL are present on the new Linux Live Distro CAINE, developed by the Modena University (Italy).
This is an Open Source free computer forensics useful tool written in Bash Script for Linux systems.
It's fast and selective: with only one tool it can retrieve all the files of the file type you choose, whether referenced,
deleted or unallocated, in a very fast way.
We developed this tool to make it easy to search for files by their extension (e.g. .doc or .jpg).
In fact, finding and recovering all files of a certain type, and then saving them,
becomes quite complicated using many Linux and Sleuthkit commands.
BEFORE SFDUMPER:
Thanks to the power of the SLEUTHKIT it's possible to find and recover all the active and deleted files by their extension from the file system; then, by carving with FOREMOST, it's possible to extract all the unallocated files, with the resulting duplication between the carved files and the files extracted before (active and deleted).
Finally, it is possible to do a keyword search on the set of files extracted by the Sleuthkit and Foremost.
All these operations take a great deal of time and have to be
done manually, writing tons of commands and pipes "|".
NOW:
Here is the bash script
SFDUMPER.SH, which does all the operations above automatically and then deletes the carved files that are duplicates of
the deleted and active files retrieved by the Sleuthkit.
Renamed files can be recognized thanks to the data carving, and the Foremost configuration file embedded inside the script can be expanded to add new extensions.
The script is interactive and works on the partition chosen from an image file or directly from
the device.
With this tool it is possible to:
1) Choose the partition to analyze from an image file or a device;
2) Choose the file type by the extension you need;
3) Extract all referenced files with that extension;
4) Extract all deleted files with that extension;
5) Carve the chosen partition; the script will automatically
delete the duplicate files, leaving only the carved files that are not
in the referenced or deleted set of files;
6) Execute a keyword search on all the retrieved files;
7) Report everything with the investigator name, date and time.
It's fast and selective: you can have all the files of the file type you choose with only one tool.
Example:
you have a bit-stream image file disk.dd with 3 partitions; you can choose to get all the *.doc files, referenced, deleted and unallocated, all in a very fast way.
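As an added illustration of steps 5 and 6 (this is not SFDumper's own code), the POSIX shell functions below de-duplicate a directory of carved files against the files already recovered through the Sleuthkit by SHA-256 match, then run a keyword search over what remains. They assume coreutils sha256sum instead of sha256deep and work on constructed sample files rather than on an image.

```shell
#!/bin/sh
# Added example, not part of SFDumper. Assumes POSIX sh plus coreutils
# sha256sum/mktemp/find. No disk image is touched: the input is constructed.

# Build constructed input: files "recovered" by the Sleuthkit (active and
# deleted) and files "carved" by Foremost, some being byte-identical copies.
setup_sample() {
    work=$1
    mkdir -p "$work/recovered" "$work/carved"
    printf 'contract draft, confidential\n' > "$work/recovered/a.doc"
    printf 'meeting notes\n'                > "$work/recovered/b.doc"
    printf 'contract draft, confidential\n' > "$work/carved/00000001.doc"  # dup of a.doc
    printf 'meeting notes\n'                > "$work/carved/00000002.doc"  # dup of b.doc
    printf 'unreferenced text, confidential\n' > "$work/carved/00000003.doc"  # unique
}

# Step 5: delete every carved file whose SHA-256 matches a recovered file,
# so only carved files absent from the referenced/deleted set survive.
# Prints the number of carved files kept.
dedupe_carved() {
    recovered=$1; carved=$2
    known=$(mktemp)
    # one hash per line for the recovered set
    for f in "$recovered"/*; do
        [ -f "$f" ] && sha256sum "$f" | cut -d' ' -f1
    done | sort -u > "$known"
    for f in "$carved"/*; do
        [ -f "$f" ] || continue
        h=$(sha256sum "$f" | cut -d' ' -f1)
        if grep -qx "$h" "$known"; then
            rm -f "$f"          # duplicate of an already recovered file
        fi
    done
    rm -f "$known"
    find "$carved" -type f | wc -l | tr -d ' '
}

# Step 6: keyword search over a directory of retrieved files.
# Prints the number of files containing the keyword (case-insensitive).
keyword_hits() {
    dir=$1; kw=$2
    grep -li -- "$kw" "$dir"/* 2>/dev/null | wc -l | tr -d ' '
}
```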
Requirements:
Linux OS
Sleuthkit (http://www.sleuthkit.org)
Foremost (http://foremost.sourceforge.net)
Sha256deep
grep
awk
sed
dd
AFFlib
libewf
For the GUI version (present from release 1.3.5):
Zenity - http://freshmeat.net/projects/zenity
Usage:
sudo sh sfdumper.sh
or
chmod +x sfdumper.sh
./sfdumper.sh
Download
SFDUMPER 2.2 - MD5: EEE04460C684333E056817170011B781
Contacts:
Nanni Bassetti - nannib@libero.it - http://www.nannibassetti.com
Denis Frati - denis.frati@cybercrimes.it - http://www.denisfrati.it