Selective file dumper
Maintainer: Nanni Bassetti, Denis Frati
License: Artistic License, GPL, Public Domain
It is fast and selective: with a single tool it retrieves every file of the chosen type, whether referenced (allocated), deleted, or carved from unallocated space.
The Bash script SFDUMPER.SH recovers active, deleted and unallocated files automatically, then removes the carved files that duplicate the active and deleted files already recovered by The Sleuth Kit, by comparing their SHA-256 hashes.
Because data carving identifies files by their content signature, renamed files are recognised as well; the Foremost configuration file embedded in the script can be extended to add new file types.
The script can work on a partition chosen from an image file or directly from a device (e.g. /dev/sdb).
1) Choosing the partition to analyse, from an image file or a device;
2) Choosing the file type by the extension you need;
3) Extracting all referenced files with that extension;
4) Extracting all deleted files with that extension;
5) Carving all the chosen partitions; the script then automatically deletes the duplicates, leaving only the carved files that are not already in the referenced or deleted sets;
6) Executing a keyword search on all the retrieved files;
7) Reporting everything, with the investigator's name, date and time.
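The de-duplication in step 5 is the part of the procedure that is easiest to get wrong, because carved files carry offset-based names, so they can only be matched against the Sleuth Kit output by content. The script below is an added example written for this page, not SFDumper's own code: it assumes that steps 3 and 4 have already filled a referenced/ and a deleted/ directory with files recovered by The Sleuth Kit, and that a carver such as Foremost has filled carved/. It hashes the two known sets with SHA-256 and removes every carved file whose hash is already known, so only files found nowhere else survive. The three sample directories and their contents are constructed inline for the demonstration and do not come from a real image.

```shell
#!/usr/bin/env bash
# Added example (not SFDumper's own code): hash-based removal of carved
# duplicates, the step SFDumper performs after carving. Files recovered by
# The Sleuth Kit (referenced and deleted sets) are hashed with SHA-256; any
# carved file whose hash matches one of them is removed.
set -eu

# Portable SHA-256: coreutils sha256sum on Linux, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    else
        shasum -a 256 -- "$1" | cut -d' ' -f1
    fi
}

# dedupe_carved REFERENCED_DIR DELETED_DIR CARVED_DIR
# Deletes every regular file in CARVED_DIR whose SHA-256 matches a file in
# either of the first two directories. Prints the number of files removed.
dedupe_carved() {
    ref_dir=$1; del_dir=$2; carved_dir=$3
    known=$(mktemp); removed=0
    # Build the set of known hashes from the Sleuth Kit output.
    for f in "$ref_dir"/* "$del_dir"/*; do
        [ -f "$f" ] || continue
        sha256_of "$f" >>"$known"
    done
    sort -u -o "$known" "$known"
    # Walk the carver output; an exact hash match means a duplicate.
    for f in "$carved_dir"/*; do
        [ -f "$f" ] || continue
        h=$(sha256_of "$f")
        if grep -qx "$h" "$known"; then
            rm -f -- "$f"
            removed=$((removed + 1))
        fi
    done
    rm -f "$known"
    echo "$removed"
}

# build_sample_case ROOT: constructed sample data (hypothetical, not from a
# real image). Two files recovered by The Sleuth Kit, both found again by the
# carver under offset-based names, plus one file that exists only in
# unallocated space and must survive the de-duplication.
build_sample_case() {
    root=$1
    mkdir -p "$root/referenced" "$root/deleted" "$root/carved"
    printf 'JFIF sample A' > "$root/referenced/photo1.jpg"
    printf 'JFIF sample B' > "$root/deleted/photo2.jpg"
    printf 'JFIF sample A' > "$root/carved/00001234.jpg"
    printf 'JFIF sample B' > "$root/carved/00005678.jpg"
    printf 'JFIF sample C' > "$root/carved/00009999.jpg"
}

# run_demo: runs the whole step on the sample case and prints
# "<files removed> <carved files remaining>".
run_demo() {
    root=$(mktemp -d)
    build_sample_case "$root"
    removed=$(dedupe_carved "$root/referenced" "$root/deleted" "$root/carved")
    remaining=$(ls "$root/carved" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$removed $remaining"
}

run_demo
```

Matching on the hash rather than the file name is what lets the step work at all: a carver names its output by offset, and a file that was renamed on disk (say a JPEG stored as .txt) still hashes identically to its carved copy. Hashing the known sets once and comparing each carved file against that list keeps the cost linear in the number of files, which matters because the carved set is usually the largest of the three.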
Requirements for the GUI version
sudo sh sfdumper.sh
chmod +x sfdumper.sh