Maresware Programs L through O
Includes: Lfn_Crc / Mak_html / Makedir / Md5 / Md5_verify / Mdir / Mktemp / Modify / Nist_crc / No_html / Ntimage / Nt_ss / Ntwipe
All programs are command line programs.
Lfn_Crc
Find the long filename Checksum of the corresponding 8.3 DOS name
Be sure to check the help file for additional information about this program. When long filenames are deleted in Windows, there remain remnants of the 8.3 filename in the directory. When undeleting the long filename it must match the original exactly; otherwise, an internal checksum won't match and the file won't be displayed. To confirm that the 8.3 filename and the internal checksum stored for the long filename are correct, use Lfn_Crc to calculate what the checksum should be. View the html help file.
Mak_html
Make an html index.htm file listing of folders
This program will take a path/tree/folder as a starting location and create an output html file (usually index.htm) with links to all the files it locates within the specified folder. The output is then generally supplied to someone with a browser, who uses this file as a starting point to browse/view the files identified. The default index.htm output can also be included as a link in a report document; a user can click on it and then have links to all the files which may be associated as exhibits in the report. View the html help file.
Makedir
Make directories
Be sure to check the help file for additional information about this program. Makedir is a very efficient alternative to the MD program. It will make multiple subdirectories based on command line input. It will make any and all subdirectories up to and including the final subdirectory listed on the command line. It can also make multiple subdirectories in different locations based on just one command line input. View the html help file.
Md5
Calculate the 128 bit MD5 hash of a file
Be sure to check the help file for additional information about this program. Md5 is designed to quickly calculate the MD5 or SHA "hash" value of a file. The advantage of Maresware's Md5 is that it adds formatting capability to the standard output produced by MD5sum. It can also calculate a 32 bit CRC, a 160 bit SHA, or any of the 256, 384, 512 SHA-2 values. MD5 will allow the user to perform hashes on only a section of a file (the -D#,# option). This is used when verifying video and other multimedia files.
Historically, the MD5 and SHA algorithms have been used to "fingerprint" files. No two files will ever produce the same fingerprint unless they are identical. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. CERT at Carnegie Mellon University at one point was using the MD5 signature to validate sensitive data sent out over the Internet. When information is distributed with the MD5 signature value, the MD5 program can be used to validate the integrity of the data.
The current version of MD5 can take an input file of "hashes" and compare those against files in a file system, thus possibly identifying the signatures of known viruses. Two similar options, --AONLY and --ONLYMD5 (--ONLYMD5 is preferred), are designed to output ONLY the MD5 value. This allows you to create a single column output file that contains MD5 values to be imported into programs like AUTOPSY and used as reference MD5 values for your analysis.
NOTE: The MD5 (and all the SHA) algorithms are also used in Maresware's Hash program. It provides more information and is more flexible, allowing customized output. But the HASH program cannot compare suspect hash values (--MATCH option). View the html help file.
Md5_verify
Calculate the 128 bit MD5 of a "set" of dd output files
This program is similar to the Windows version named sha_verify. It can take a set of files with a sequential extension (.000, .001, .002 etc.) and perform MD5 or SHA1 on the files as if they were a single file. In effect it "merges" the content of the files when performing the calculation. This is important when trying to confirm that a dd, dcfldd, or ntimage program has produced the correct outputs.
View the html help file.
Mdir
An "intelligent" alternative to DIR
Be sure to check the help file for additional information about this program. Mdir gives the user the look and feel of the DOS DIR program but it is designed to facilitate forensic work. It provides more information and greater flexibility in programming the types of files displayed on the screen. The 32 bit version can also display the 3 file time types generated by WIN95 and WINNT file systems. Under NTFS it can show instances of Multiple Data Streams. View the html help file.
Mktemp
(This is a free program.) Mktemp can be used to create sample test (temporary) files. The files it creates are of known size and content. This is useful when testing software operation on known entities. The program is also capable of creating a number of subdirectories in a tree structure. html help file not available.
Modify
Change a file's attributes
Be sure to check the help file for additional information about this program. Modify changes file attributes (it takes the place of the DOS attrib command). The program can change the attributes of files with a simpler command structure than the DOS attrib command. It allows you to change the following: hidden; read/write; archive; and system attributes. View the html help file.
Mouse
Display fixed length records on the screen
Be sure to check the help file for additional information about this program. Mouse is designed to work on files which have fixed length records and do not have the traditional Carriage Return / Line Feed (CR/LF) characters. It will display the file on the screen based on the record length input by the user. It can also be used to add returns to text files and redirect output to a new file with these returns in it. Mouse was named as an alternative to the *ix cat command, which displays a file's contents to the screen. View the html help file.
Nist_crc
Nist_crc is a program compiled from (slightly modified) source code obtained from the NIST/NSRL web site. The program will compute the CRC, MD4, MD5, and SHA1 of a file. However, the Maresware program Sha_verify is a little more robust than this one.
No_html
No_html is a program designed to take an input file containing html or xml code (tags) and remove them from the file. Often during forensics or e-discovery, file data is carved or identified which contains html or xml code. Review of these files is difficult because of the embedded coding. This program takes those files and creates a new output file with a ttx extension which contains the clear text of the source file with the tags removed.
Ntimage
This program is a command line program which will perform hashes and images of hard drives in a Windows environment. You should test it thoroughly on your own systems before putting it to forensic use. Be sure to check the help file for additional information about this program. The Ntimage program is designed to be able to create forensic images (within the capabilities of the OS) while running directly under the NT, W2K, XP operating systems. One use of this program is to image a drive when the system cannot be shut down. Other capabilities are:
Drives can be restored from any of the image file formats created.
If used in a controlled situation, a hardware write blocker is obviously called for.
Nt_ss
Be sure to check the help file for additional information about this program. The Nt_ss program is designed to run under an NT type operating system (XP, W2K, NT) and do one or many simultaneous string searches on a physical drive at the sector level. Other capabilities are:
Ntwipe
This is a 16 bit program, no longer available or practical.