RVT-userGuide.pdf

(301 KB) Pobierz

Revealer Toolkit – User Guide

Jose Navarro

November 15, 2009

Contents

1 License

1.1 License of this document

. . . . . . . . . . . . . . . . . . . . .

1.2 License of the Revealer Toolkit

. . . . . . . . . . . . . . . . .

2 Acknowledgements

3 Introduction

4 Installation

4.1 Operating system

4.2 Software

. . . . . .

4.3 Folder structure

. .

4.4 Sample image

. . .

4.5 Conﬁguration ﬁle

4.6 First test

. . . . .

4.7 Additional software

5 Folder structure

5.1 Morgues

. . . . . . . . . . . .

5.2 Cases

. . . . . . . . . . . . .

5.3 Devices, disks and partitions

5.4 Forensic results

. . . . . . . .

6 Command guide

6.1 General interaction

. . . . . .

6.2 Cheatsheets

. . . . . . . . . .

6.3 Command:

case

. . . . . . . .

6.3.1

case list

. . . . . . . .

6.4 Command:

images

. . . . . .

6.4.1

images list

. . . . . .

6.4.2

images partition info

6.4.3

images partition table

6.4.4

images scan

. . . . . .

6.4.5

images loadconﬁg

. . .

Command:

info

. . . . . . . .

6.5.1

info list

. . . . . . . .

6.5.2

info debug

. . . . . . .

6.6 Command:

losetup

. . . . . .

6.6.1

losetup assign

. . . . .

6.6.2

losetup delete

. . . . .

6.6.3

losetup list

. . . . . .

6.6.4

losetup recheck

. . . .

6.7 Command:

mount

. . . . . .

6.7.1

mount assign

. . . . .

6.7.2

mount delete

. . . . .

6.7.3

mount list

. . . . . . .

6.7.4

mount recheck

. . . .

6.8 Command:

cluster

. . . . . .

6.8.1

cluster allocationstatus

6.8.2

cluster extract

. . . .

6.8.3

cluster generateindex

6.8.4

cluster toinode

. . . .

6.9 Command:

inode

. . . . . . .

6.9.1

inode allocationstatus

6.10 Command:

script

. . . . . . .

6.11 Command:

set

. . . . . . . .

6.11.1

set level

. . . . . . . .

6.5

7 Script modules

7.1

script ﬁlelist

. . . . . . . . . . . . .

7.1.1

script ﬁlelist generate

. . .

7.2

script ﬁles

. . . . . . . . . . . . . .

7.2.1

script ﬁles allocﬁles

. . . .

7.3

script search

. . . . . . . . . . . .

7.3.1

script search clusterlist

. . .

7.3.2

script search clusters

. . . .

7.3.3

script search ﬁle

. . . . . .

7.3.4

script search launch

. . . .

7.3.5

script search quickcount

. .

7.4

script strings

. . . . . . . . . . . .

7.4.1

script strings generate

. . .

7.5

script timelines

. . . . . . . . . . .

7.5.1

script timelines generate

. .

7.6

script webmail

. . . . . . . . . . .

7.7

script software

. . . . . . . . . . .

7.8

script regripper

. . . . . . . . . . .

7.8.1

script regripper listmodules

7.8.2

script regripper execmodule

7.8.3

script regripper execallmodules

7.9

script mail

. . . . . . . . . . . . . . .

7.9.1

script mail parsepsts

. . . . . .

7.10

script evt

. . . . . . . . . . . . . . . .

7.10.1

script evt generate

. . . . . . .

7.11

script lnk

. . . . . . . . . . . . . . . .

7.11.1

script lnk generate

. . . . . . .

7.12

script report

. . . . . . . . . . . . . . .

7.12.1

script report search2pdf

. . . .

7.12.2

script report lnkstats

. . . . . .

7.12.3

script report lnk2csv

. . . . . .

8 Operational guides and tricks

8.1 RVT Shell tricks

. . . . . . .

8.1.1 command level

. . . .

8.1.2 case level

. . . . . . .

8.1.3 TAB key

. . . . . . .

8.1.4 command history

. . .

8.2 entities expansion

. . . . . . .

8.3 chaining commands

. . . . . .

8.4 Logs

. . . . . . . . . . . . . .

8.5 Searches

. . . . . . . . . . . .

8.6 F-Response compatibility

. .

8.7 Known problems

. . . . . . .

A Sample image from scratch

B Additional software

B.1 RVT tools

. . . .

B.2 libpst Utilities

. .

B.3 RegRipper

. . . .

installation

. . . . . . . . . . . . . . . . . . . . . . . . . 45

. . . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 1

License

1.1

License of this document

Permission is granted to copy, distribute and/or modify this document

under the terms of the GNU Free Documentation License, Version 1.3 or any

later version published by the Free Software Foundation; with no Invariant

Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled ”GNU Free Doc-

umentation License”.

More information at: http://www.gnu.org/licenses/fdl.html

1.2

License of the Revealer Toolkit

This program is free software; you can redistribute it and/or modify it

under the terms of the GNU General Public License as published by the Free

Software Foundation; either version 2 of the License, or any later version.

This program is distributed in the hope that it will be useful, but WITH-

OUT ANY WARRANTY; without even the implied warranty of MER-

CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

GNU General Public License for more details.

You should have received a copy of the GNU General Public License

along with this program; if not, write to the Free Software Foundation, Inc.,

51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

For more information, please visit http://www.gnu.org/licenses/old–licenses/gpl–

2.0.txt

Plik z chomika:

agentpl

Inne pliki z tego folderu:

129871656.pdf (361 KB)
allin1-0.4.tar.gz (70 KB)
Alpha2.zip (182 KB)
autopsy-3.1.3-64bit.msi (8297 KB)
Mobile SMART HUB Setup_0906_v1.0.0.4.exe (19671 KB)

RVT-userGuide.pdf

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: