|
|||||
Software | Training | Services | |||
Services
About Us
Legal
Notices |
Maresware FAQs and Technical Tips
The FAQ is, Maresware is no longer publicly available. Below are some FAQs about how to use specific Maresware programs, plus some other technical tips. For quick access use the alphabetical index links immediately below. Or just scroll and browse.
Alternate Data Streams are copied by Copy_ads program
Q. Can I copy Alternate Data Stream files out to normal files for analysis? A. Yes. Copy_ads can identify and copy Aternate Data Stream files. When it copies the files, it isolates the Alternate Data Streams and copies them to "normal" files for easy analysis and review. TopQ. Is there a program that will overwrite Altnerate Data Streams when they are removed? A. Yes. The RMD program has been redesigned to overwrite alternate data streams attached to files it removes on NTFS file systems. TopQ. I have identified a few hundred files which need to be prepared and printed for legal discovery. How do I assign Bates numbers for our attorneys to use? A. Bates_no program is designed to number (rename) files with Bates numbers for legal use. The identified files need to be moved to a specific directory first. Bates_no can then be used to assign numbers to either the filenames or the filename extensions. Also see chapter 2 of The Handbook of Computer Crime Investigation, by Eoghan Casey[ ISBN: 0-12-163103-6]. TopQ. I inadvertently used the Bates_no program on files that weren't supposed to be renamed. Is there a way to reverse the Bates number naming process? A. The Bates_no program has a -U option that will remove the Bates numbers from file names. TopQ. I want to generate a catalog or listing of all files on the drive. Which Maresware program do I use? A. Any of the following will generate a catalog of all files on a drive: Crckit, Diskcat, Hash, MD5 . Each one has different capabilities and can be tailored to specific needs. Check the documentation to see which is most suitable for your task. TopQ. If I already have the hashes (produced by hash.exe) of my operating system, how difficult is it to compare the current hashes of the same files to make certain none have been altered? A. It is a simple 3 line batch file using hash.exe and compare.exe. It should take approximately 10 minutes to complete. TopQ. Once I have the hashes of files on two systems, (i.e., the suspect drive, and the restored drive), how can I determine if anything has changed? A. The Maresware Compare program is a generic program designed to compare data files for common or mismatched records. However, the Hashcmp program is specifically written to compare the output of the hash.exe program, and is lightning fast. The Hash_dup program can list duplicate hash values in the hash output files. TopQ. Can Upcopy work with a text list of source files to copy to a destination? A. Yes, you can provide Upcopy with a text list containing the paths/filenames of all the source files that you want copied to the specific destination. This is especially useful if the source file list comes from a data base. TopQ. I often have situations where I want to copy all of a certain type of file or all of certain tree structures to a work drive. I must maintain tree structure while doing this. Which Maresware program do I use? A. The Upcopy program will copy any files or directories to any specified location and maintain tree integrity. TopQ. Is there a forensic substitute for the DIR program? A. Yes, the Maresware Mdir program was designed specifically for forensic use. It shows much more information by default than DIR, and can almost be "programmed" to the user's needs. TopQ. I have wiped the drive with all 0's, and I have X number of sectors on the drive. I have a third party program that is saying the MD5 hash is ABCD...etc. Is there a way of determining what the true MD5 value of X sectors of hex 0's should be? A. Yes, Maresware's Sha_verify will simulate in memory any number of sectors or bytes containing a single value. It will also perform SHA1 and SHA2 on files. TopQ. If I use Crckit, Diskcat, Hash, or MD5 to create a catalog of the drive, can I get the output in the format I need for further processing? A. These programs output their information in what is called a fixed length record. So, almost any data base or spreadsheet program can easily import the output of these programs. And if a fixed length record is not sufficient, these programs also allow you to add delimiters between fields (columns) so that the data can be imported into any data base and spreadsheet programs which have these input requirements. [All Maresware programs which produce the kind of output that you might want to further analyze/process gives you that output in fixed-length records.] TopQ. I ran Hash on the same file a number of times, and each time I get a different value. The file is very large, over 600 meg. What can be the problem? A. This happens occasionally, particularly with very large files. The cause is an improper transfer of data somewhere between the hard drive, the OS, and the program. This is usually caused by one or all of the following:
Q. I want to perform a CRC/HASH of an entire file system(logical file structure). Which Maresware program do I use? A. The Diskcat program will perform a 32 bit CRC and MD5 hash of files. But the one that is specifically designed to calculate the hash values is Hash Another alternative, with different output capability, is the MD5 program. Refer to its documentation for details about the output options. TopQ. Why should I consider using hash to validate software and data? A. The MD5 and SHA algorithms in the Hash program are the generally accepted standard for validating evidence files and data files. See Hash faqs TopQ. I have a data file extracted from a mainframe data base with well over 100 million records in it. I want to search a field for the occurrence of over 100 keys (these are phone numbers). Which Maresware program do I use? A. The Search program can sequentially search a typical data file of 100 million records in a few minutes. However, the data file MUST be a fixed length format. Easy to create using the filbreak program. TopQ. I need to perform string searches. Which Maresware program should I use? A. The NT_Ss program will perform string searches on a physical disk. Its output is fixed length, and identifies the sector where the item was located. The Strsrch program will perform string searches on the logical file system. It is an extremely fast and efficient program. Its output is also fixed length. (Fixed length outputs lend themselves very nicely to reprocessing.) Both programs provide surrounding text. The strsrch program will only search for text. It does not open zip or containers such as docx files. TopQ. When copying files to destination directories, the directory trees created always seem to have today's date. Is there a way to have Upcopy maintain the original date on the directories it creates? A. The option -M will cause Upcopy to 'M'aintain the source dates of any of the original directories it creates during the copy process. For reference purposes, this option also causes any empty source directories to be created. TopQ. Which Maresware program would I use to overwrite individual files, slack, or free space on a drive? A. The Rm and Rmd programs can wipe/overwrite a file or files, file slack or disk free space. Under NTFS, it also can wipe alternate data streams, and clean the MFT. The Rm program merely deletes files, and doesn't overwrite them. TopQ. Can Rm and Rmd work with a text list of source files to remove? A. Yes, you can provide Rm with a text list containing the paths/filenames of all the source files that you want to remove. This is especially useful if the source file list comes from a data base of some sort. It is also useful if you have a list of contraband files which need to be removed from a computer. TopQ. Are the Linux versions of Maresware compatable with the DOS versions, as far as operation and output? A. Yes, where possible, with programs like Hash and Sstrsrch, both the Linux and DOS versions provide similar output record format, similar command line structures and options, and similar speed. This allows the user to mix or combine outputs from the two runs. Top |