dfis

Digital Forensic Investigative Scripts

Simply a collection of the more generally useful scripts I've created for use during my forensic investigations. They're mostly Perl and generally I use them from a Linux investigative platform. Many of the scripts have dependencies on external tools like the Sleuthkit.

Documentation is sadly lacking. I have plans for a series of blog posts that discuss the finer points of using these tools. But I figured it was better to get the code out there than wait for documentation. The scripts do at least have command-line help built in and internal commentary in some cases.

The original version of the frib/fib tools are documented here:

https://www.mandiant.com/blog/ext3-file-recovery-indirect-blocks/

http://www.deer-run.com/~hal/EXT3FileRecovery.pdf

http://www.livestream.com/sansinstitute/video?clipId=pla_813f3343-b170-4671-ac73-fd186e7b400e&utm_source=lslibrary&utm_medium=ui-thumb

There have been some updates to frib/fib since these presentations, adding some new functionality. But the tools basically work the same.

If you have questions about any of these tools, please feel free to contact me via email.

Hal Pomeranz hal@deer-run.com