firebird1
Aug 10, 2013

Set of forensic tools for ReadyNas Duo / Sparc V1

Dear All,

I've spent some time getting most of the valuable forensic tools working on ReadyNas Duo (RND2120; sparc V1).
The tools are compiled using gcc-3.4 and g++-3.4 from the Debian Sarge and Readynas 4.1.10 repositories.

Backup_NAS-173:~# cat /etc/apt/sources.list 
deb http://www.readynas.com/packages 4.1.10/
deb http://archive.debian.org/debian sarge main contrib non-free
Backup_NAS-173:~#


All packages are directly extracted from the source and repacked into tar.gz after the make.
These packages are not Debian packages, but are ready to use. In case any libraries are missing, use the above repositories to install them.

Built packages:
  • extundelete 0.2.4
  • scalpel 2.0
  • foremost 1.5.7
  • testdisk/photorec 6.14


The sources were not patched or modified.

Backup_NAS-173:/usr/src# uname -a
Linux Backup_NAS-173 2.6.17.14ReadyNAS #1 Wed Jun 20 20:08:20 PDT 2012 padre GNU/Linux
Backup_NAS-173:/usr/src# file extundelete-0.2.4/src/extundelete
extundelete-0.2.4/src/extundelete: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped
Backup_NAS-173:/usr/src# extundelete-0.2.4/src/extundelete --help
Usage: extundelete-0.2.4/src/extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/'
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--restore-directory 'path'
Will restore directory 'path'. 'path' is relative to the
root directory of the file system. The restored
directory is created in the output directory as 'path'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
--log 0 Make the program silent.
--log filename Logs all messages to filename.
--log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
--log info,error error. Omission of the '=name' results in messages
--log warn=0 with the specified level to be logged to the console.
--log error=filename If the parameter is '=0', logging for the specified
level will be turned off. If the parameter is
'=filename', messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named 'RECOVERED_FILES/' by default.
Backup_NAS-173:/usr/src#


Backup_NAS-173:/usr/src# file foremost-1.5.7/foremost
foremost-1.5.7/foremost: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped
Backup_NAS-173:/usr/src# ./foremost-1.5.7/foremost -h
foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus.
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>]
[-b <size>] [-c <file>] [-o <dir>] [-i <file]

-V - display copyright information and exit
-t - specify file type. (-t jpeg,pdf ...)
-d - turn on indirect block detection (for UNIX file-systems)
-i - specify input file (default is stdin)
-a - Write all headers, perform no error detection (corrupted files)
-w - Only write the audit file, do not write any detected files to the disk
-o - set output directory (defaults to output)
-c - set configuration file to use (defaults to foremost.conf)
-q - enables quick mode. Search are performed on 512 byte boundaries.
-Q - enables quiet mode. Suppress output messages.
-v - verbose mode. Logs all messages to screen
Backup_NAS-173:/usr/src#


Backup_NAS-173:/usr/src# file Scalpel-2.0-master/src/scalpel
Scalpel-2.0-master/src/scalpel: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped
Backup_NAS-173:/usr/src# Scalpel-2.0-master/src/scalpel -h
Scalpel version 2.0
Written by Golden G. Richard III and Lodovico Marziale.
Scalpel carves files or data fragments from a disk image based on a set of
file carving patterns, which include headers, footers, and other information.

Usage: scalpel [-b] [-c <config file>] [-d] [-e] [-h] [-i <file>]
[-n] [-o <outputdir>] [-O] [-p] [-q <clustersize>] [-r]
[-v] [-V] <imgfile> [<imgfile>] ...

Options:
-b Carve files even if defined footers aren't discovered within
maximum carve size for file type [foremost 0.69 compat mode].
-c Choose configuration file.
-d Generate header/footer database; will bypass certain optimizations
and discover all footers, so performance suffers. Doesn't affect
the set of files carved. **EXPERIMENTAL**
-e Do nested header/footer matching, to deal with structured files that may
contain embedded files of the same type. Applicable only to
FORWARD / NEXT patterns.
-h Print this help message and exit.
-i Read names of disk images from specified file. Note that minimal parsing of
the pathnames is performed and they should be formatted to be compliant C
strings; e.g., under Windows, backslashes must be properly quoted, etc.
-n Don't add extensions to extracted files.
-o Set output directory for carved files.
-O Don't organize carved files by type. Default is to organize carved files
into subdirectories.
-p Perform image file preview; audit log indicates which files
would have been carved, but no files are actually carved. Useful for
indexing file or data fragment locations or supporting in-place file
carving.
-q Carve only when header is cluster-aligned.
-r Find only first of overlapping headers/footers [foremost 0.69 compat mode].
-V Print copyright information and exit.
-v Verbose mode.
Backup_NAS-173:/usr/src#


Backup_NAS-173:/usr/src# file testdisk-6.14/src/testdisk
testdisk-6.14/src/testdisk: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped
Backup_NAS-173:/usr/src# testdisk-6.14/src/testdisk -h
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Usage: testdisk [/log] [/debug] [file.dd|file.e01|device]
testdisk /list [/log] [file.dd|file.e01|device]
testdisk /version

/log : create a testdisk.log file
/debug : add debug information
/list : display current partitions

TestDisk checks and recovers lost partitions
It works with :
- BeFS (BeOS) - BSD disklabel (Free/Open/Net BSD)
- CramFS, Compressed File System - DOS/Windows FAT12, FAT16 and FAT32
- XBox FATX - Windows exFAT
- HFS, HFS+, Hierarchical File System - JFS, IBM's Journaled File System
- Linux btrfs - Linux ext2, ext3 and ext4
- Linux GFS2 - Linux LUKS
- Linux Raid - Linux Swap
- LVM, LVM2, Logical Volume Manager - Netware NSS
- Windows NTFS - ReiserFS 3.5, 3.6 and 4
- Sun Solaris i386 disklabel - UFS and UFS2 (Sun/BSD/...)
- XFS, SGI's Journaled File System - Wii WBFS
- Sun ZFS

If you have problems with TestDisk or bug reports, please contact me.
Backup_NAS-173:/usr/src#


Backup_NAS-173:/usr/src# file testdisk-6.14/src/photorec
testdisk-6.14/src/photorec: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped
Backup_NAS-173:/usr/src# testdisk-6.14/src/photorec -h
PhotoRec 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Usage: photorec [/log] [/debug] [/d recup_dir] [file.dd|file.e01|device]
photorec /version

/log : create a photorec.log file
/debug : add debug information

PhotoRec searches various file formats (JPEG, Office...), it stores them
in recup_dir directory.

If you have problems with PhotoRec or bug reports, please contact me.
Backup_NAS-173:/usr/src#


The toolset can be downloaded from the following sources:
http://www.cloudxeon.com/975076d2a4d
http://www.filesplat.com/~shared-download?id=4X67B2HLRFTCIF5U94BDMCKY5QPKWE7E
https://copy.com/980prQjVQy43

Backup_NAS-173:/usr/src# md5sum forensic_tools_sparc-v1.tar.gz 
73dd982e59798dfc309ff90db14f7b88 forensic_tools_sparc-v1.tar.gz
Backup_NAS-173:/usr/src# sha1sum forensic_tools_sparc-v1.tar.gz
2c723e2044ba4bc2df56331a7a0048e8571c0cab forensic_tools_sparc-v1.tar.gz
Backup_NAS-173:/usr/src#


I would be happy if some Admin/Mod would upload it directly to the forum.

Kind regards,
Fire Bird
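
Added example, not part of the original post: a shell helper that checks a downloaded forensic_tools_sparc-v1.tar.gz against the MD5 and SHA-1 values quoted above and refuses to unpack it if any member path is absolute or contains "..". The function names and the destination directory in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the archive from the post before unpacking it.
# Digests are the ones quoted in the post; everything else is illustrative.
ARCHIVE="forensic_tools_sparc-v1.tar.gz"
WANT_MD5="73dd982e59798dfc309ff90db14f7b88"
WANT_SHA1="2c723e2044ba4bc2df56331a7a0048e8571c0cab"

# digest_of TOOL FILE -> prints only the hex digest
digest_of() {
    "$1" "$2" | awk '{print $1}'
}

# verify_digests FILE MD5 SHA1 -> 0 only if both digests match
verify_digests() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    got_md5=$(digest_of md5sum "$1")
    got_sha1=$(digest_of sha1sum "$1")
    [ "$got_md5" = "$2" ] || { echo "MD5 mismatch: $got_md5" >&2; return 1; }
    [ "$got_sha1" = "$3" ] || { echo "SHA1 mismatch: $got_sha1" >&2; return 1; }
    return 0
}

# unsafe_members: reads member names on stdin and prints those that are
# absolute or contain a ".." component (they would land outside the target)
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# archive_is_clean FILE -> 0 if the listing succeeds and no name escapes
archive_is_clean() {
    names=$(tar -tzf "$1") || return 1
    bad=$(printf '%s\n' "$names" | unsafe_members)
    [ -z "$bad" ] || { echo "unsafe members:" >&2; echo "$bad" >&2; return 1; }
}

# check_and_unpack FILE MD5 SHA1 DESTDIR -> unpack only after both checks
check_and_unpack() {
    verify_digests "$1" "$2" "$3" || return 1
    archive_is_clean "$1" || return 1
    mkdir -p "$4" && tar -xzf "$1" -C "$4"
}

# Usage on the NAS, from the directory holding the download
# (destination directory is an assumption):
#   check_and_unpack "$ARCHIVE" "$WANT_MD5" "$WANT_SHA1" /usr/src/forensic_tools
```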