
The BitCurator environment uses open source and public domain digital forensics, data triage, and metadata reprocessing tools. Software developed by the BitCurator team is licensed under the GNU General Public License Version 3. Other software included in the BitCurator environment may be covered by other open source licenses and attribution terms.

If you can't find the information about the BitCurator software you need on this page, check our FAQ or join the BitCurator Users listserv.

Current Release: 1.7.62 (October 25th, 2016)

The default username ("bcadmin") and password ("bcadmin") are the same for both the Virtual Machine and the Live CD.

Virtual Machine

BitCurator Virtual Machine (Release 1.7.40) (Torrent)

This file is approximately 2.8GB. You can find directions on how to install the BitCurator virtual machine using Oracle's virtualization software VirtualBox here. If you wish to create your own virtual machine, or create a VM for another virtualization platform, please use the ISO installation media below.

Installation ISO CD/DVD Image

BitCurator ISO (Release 1.7.40) (Torrent)

The BitCurator ISO image is a customized version of Ubuntu Linux 16.04.1 LTS (64-bit). The ISO can be run as a live CD, or used to install BitCurator on a dedicated machine. You can also create your own BitCurator virtual machine using the ISO image (for example, if you wish to use VMWare rather than VirtualBox).

To install BitCurator as a stand-alone operating system, visit this page.

Want to put BitCurator on a bootable USB stick? Download our ISO image and use Pendrive Linux's Universal USB Installer.

Technical Requirements

The BitCurator environment may be run as either a dedicated operating system or as a virtual machine using virtualization tools such as VirtualBox or VMware. The instructions on this page will assist you in installing, configuring, and using the BitCurator environment for both cases.

The BitCurator environment requires a 64-bit processor (Intel Core i5, Core i7, or AMD equivalent). When run as a virtual machine, a native 64-bit OS is also required.

Using BitCurator in a production environment? Digital forensics tools are computationally intensive. We recommend running BitCurator on a machine with - at minimum - a Core i7 processor, 16GB RAM, and a solid-state hard drive.

The BitCurator VirtualBox image is distributed with a configuration file set to two processing cores and 2GB of RAM. Although it is not recommended, you may be able to reduce the amount of RAM and number of processor cores to run the environment on older hardware.

For large disk images, data-intensive tasks, and simplified access to a range of hardware write-blockers, the environment should be installed on the host machine as a dedicated operating system.

Tools in the BitCurator Environment

The BitCurator virtual machine includes a unique interface to execute open source forensics tools. The BitCurator interface produces human-readable reports using the output of tools such as fiwalk and bulk_extractor. BitCurator also includes 3rd-party tools for disk imaging, data triage, private and individually identifying information (PII) discovery, filesystem analytics and reporting, and metadata export. The BitCurator environment is configured with scripts that automate actions that can be run against live filesystems, connected devices, and disk images for file analysis prior to (or in lieu of) imaging.

BitCurator currently includes the following tools:

Software produced by the BitCurator team:

  • BitCurator Reporting Tool: A GUI-driven (and optionally command-line) tool for running forensics tools in sequence to produce human- and machine-readable reports.
  • BitCurator Disk Image Access Tool: A GUI interface to browse raw and forensically-packaged disk images, export files and deleted items, and view disk image metadata.
  • BitCurator Mounter: A Qt GUI application to list currently attached devices along with technical details. Allows users to mount fixed and removable media according to the current mount policy.
  • BitCurator Read-Only AppIndicator: An Ubuntu AppIndicator allowing users to switch the system mount policy between "Read Only" and "Read/Write" for any attached media prior to mounting.

Disk imaging

  • Guymager: Multi-threaded open-source forensic disk imaging tool.
  • dcfldd: A forensics-focused rewrite of dd.
  • cdrdao: A CD imaging tool.

Forensic analysis and metadata generation

  • bulk_extractor: A stream-based tool for disk image analysis.
  • bulk_extractor Viewer (BEViewer): The GUI front-end for bulk_extractor.
  • DFXML tools: A set of C and Python programs to process Digital Forensics XML.
  • fiwalk: File system analysis and DFXML export.
  • The Sleuth Kit: A suite of forensics tools, utilities, and APIs.
  • libewf: Open-source support for the Expert Witness format.
  • AFFLIB: Open-source library for the Advanced Forensic Format.
  • pyExifToolGUI: A GUI front-end for Exiftool. Allows editing of image metadata.

Other utilities

  • ClamAV / ClamTK: Virus scanning.
  • FSlint: Duplicate file identification and deletion.
  • sdhash: File similarity tool using similarity digests.
  • HFS Utilities: Utilities providing access to legacy HFS file systems, such as HFS Explorer.
  • FITS: The File Information Tool Set.
  • readpst: A utility for reading and exporting the contents of PST files.
  • recoll: An indexing tool.
  • GTK Hash: A cryptographic hashing tool.
  • Bless Hex Editor: A hex editor with power-user features
  • GHex: A simple hex viewer/editor
  • Nautilus scripts: Support for various interactions with files and file systems.
  • Safe Mount: Software write-blocking for digital media.

Licenses and Rights

Software produced for the BitCurator project is licensed under the GNU General Public License, Version 3. Documentation and other materials generated by the BitCurator team (including this wiki) are licensed under Creative Commons Attribution 4.0 Generic (CC By 4.0). All other software included in the BitCurator environment is distributed in accordance with the original distribution terms.

Source Code

GitHub repository: Our GitHub repository includes BitCurator-specific reporting tools, 3rd party open source tools, and technical documentation. Post-0.2.0 releases are marked with tags.

Release History

Past releases of the virtual machine and installation ISO are listed here. Please contact our team if you require a specific previous release. Source code associated with all major releases is tagged with the release number on our GitHub repository.

Ubuntu 16.04LTS (Xenial) based releases:

Ubuntu 16.04LTS (Xenial) based testing/pre-releases:

  • 1.7.16 VM and ISO (July 5th, 2016)
  • 1.7.14 VM and ISO (June 23rd, 2016)
  • 1.7.10 VM and ISO (June 22nd, 2016)
  • 1.7.6 VM and ISO (June 12th, 2016)
  • 1.7.4-Beta VM and ISO (June 9th, 2016)
  • 1.7.2-Beta VM and ISO (April 11th, 2016)
  • 1.7.0-Beta VM and ISO (April 5th, 2016)

Ubuntu 14.04LTS (Trusty) based releases:

  • 1.6.22 VM (torrent) (mirror) and 1.6.22 ISO (torrent) (mirror) (July 5th, 2016)
  • 1.6.18 VM and ISO (June 23rd, 2016)
  • 1.6.12 VM and ISO (June 12th, 2016)
  • 1.6.10 VM and ISO (April 30th, 2016)
  • 1.6.8 VM and ISO (April 20th, 2016)
  • 1.6.6 VM and ISO (April 14th, 2016)
  • 1.6.4 VM and ISO (April 11th, 2016)
  • 1.6.2 VM and ISO (April 5th, 2016)
  • 1.6.0 VM and ISO (January 23rd, 2016)
  • 1.5.18 VM and ISO (December 24th, 2015)
  • 1.5.16 VM and ISO (December 12th, 2015)
  • 1.5.14 VM and ISO (November 23rd, 2015)
  • 1.5.12 VM and ISO (October 26th, 2015)
  • 1.5.11 VM and ISO (October 17th, 2015)
  • 1.5.9 VM and ISO (September 9th, 2015)
  • 1.5.8 VM and ISO (August 25th, 2015)
  • 1.5.7 VM and ISO (August 14th, 2015)
  • 1.5.5 VM and ISO (August 7th, 2015)
  • 1.5.1 VM and ISO (July 21, 2015)
  • 1.3.7 VM and ISO (May 31, 2015)
  • 1.3.5 VM and ISO (May 17, 2015)
  • 1.3.3 VM and ISO (April 1, 2015)
  • 1.3.1 VM and ISO (March 24, 2015)
  • 1.2.1 VM and ISO (December 31, 2014)
  • 1.2.0 VM and ISO (December 28, 2014)
  • 1.1.0 VM and ISO (October 30, 2014)
  • 1.0.0 VM and ISO (September 23, 2014)
  • 0.9.22 VM and ISO (September 20, 2014)
  • 0.9.21 VM and ISO (September 16, 2014)
  • 0.9.20 VM and ISO (September 5, 2014)
  • 0.9.19 VM and ISO (August 28, 2014)
  • 0.9.18 VM and ISO (August 24, 2014)
  • 0.9.16 VM and ISO (August 3, 2014)
  • 0.9.13 VM and ISO (June 30, 2014)
  • 0.9.12 VM and ISO (June 11, 2014)
  • 0.9.9 VM and ISO (May 28, 2014)
  • 0.9.8 VM and ISO (May 21, 2014)
  • 0.9.7 VM and ISO (May 20, 2014)
  • 0.9.6 VM and ISO (May 17, 2014)
  • 0.9.4 VM and ISO (May 15, 2014)

Ubuntu 12.04LTS based releases:

  • 0.8.4 VM and ISO (April 17, 2014)
  • 0.8.0 VM and ISO (March 19, 2014)
  • 0.7.6 VM and ISO (February 21, 2014)
  • 0.7.4 VM and ISO (February 15, 2014)
  • 0.7.0 VM and ISO (February 2, 2014)
  • 0.6.4 VM and ISO (January 24, 2014)
  • 0.6.2 VM and ISO (January 18, 2014)
  • 0.5.8 VM and ISO (December 20, 2013)
  • 0.5.6 VM and ISO (December 13, 2013)
  • 0.5.0 VM and ISO (December 6, 2013)
  • 0.4.4 VM and ISO (October 25, 2013)
  • 0.4.2 VM and ISO (October 18, 2013)
  • 0.4.0 VM and ISO (October 11, 2013)
  • 0.3.5 VM and ISO (September 10, 2013)
  • 0.3.4 VM and ISO (September 9, 2013)
  • 0.3.0 VM and ISO (July 23, 2013)
  • 0.3.0 VM and ISO Prerelease (July 19, 2013)
  • 0.2.7 VM and ISO (June 22, 2013)
  • 0.2.4 VM and ISO (May 10, 2013)
  • 0.2.3 VM and ISO (March 22, 2013)
  • 0.2.2 VM and ISO (March 19, 2013)

(Pre-0.2.2 releases not shown)

BitCurator Design Requirements Document

Additional Design Documents

Release Notes

Abbreviated release notes for past releases. Full release notes for specific releases may be found in the bitcurator-users group archive.

  • 1.7.22 (July 14th, 2016)
    • First Ubuntu 16.04 LTS based release
    • Improved support for modern storage devices (including SSDs)
    • Bagger to version 2.7.1
    • Now includes "dumpfloppy" in "Imaging Tools"
    • Latest version of bagit-python (using GitHub sources) included
    • The Sleuth Kit (TSK) libraries updated to improve NTFS volume handling, among many other fixes
    • Ubuntu "hardinfo" package now linked in "Additional Tools" (appears as "System Profiler and Benchmark") to assist in responding to problems and bug reports
    • FITS updated to 0.10.2
    • FIDO updated to 1.3.4
    • Updated VirtualBox Guest Additions to most recent (5.1.0)
  • 1.6.18 (June 23rd, 2016)
    • Fixes an issue with read-only drive mounting where certain floppy and SCSI drives were not remounted properly
    • Now includes "dumpfloppy" in "Imaging Tools"
    • Latest version of bagit-python (using GitHub sources) included
    • The Sleuth Kit (TSK) libraries updated to improve NTFS volume handling, among many other fixes
    • Ubuntu "hardinfo" package now linked in "Additional Tools" (appears as "System Profiler and Benchmark") to assist in responding to problems and bug reports
    • FITS updated to 0.10.2
    • FIDO updated to 1.3.4
  • 1.2.1 (January 3, 2014)
    • USB 3.0 device access (when installed as the host OS) restored
    • Startup services cleaned up
    • bulk_extractor rebuilt to accommodate Java update
  • 1.2.0 (October 30, 2014)
    • Weekly fstrim cron job disabled to prevent unwanted changes to the contents of SSDs
    • Devices are now mounted with the loop option by default
    • VirtualBox 4.3.20 updates
    • PREMIS report generation updates (improved event support and vocab fixes) in BitCurator reporting tool
    • ssdeep updated to 2.12 (corrects bugs in signature generation code and other updates from 2.10)
    • hashdb updated to 1.1.2
    • XlsxWriter updated to 0.6.4
    • Guymager updated to latest build of 0.7.4
    • DFXML libraries updated to latest GitHub sources
    • Removed unneeded OpenCL library preventing BitCurator from booting on certain systems
    • Fixed a minor application launch issue with BEViewer
    • disktype added with patches for E01 and other disk image formats
    • Ubuntu core and kernel updates
  • 1.1.0 (October 30, 2014)
    • BitCurator Reporting Tool directory selection dialogue updated in Run All to prevent crash on first run
    • objectIdentifierType / Value entries in BitCurator PREMIS output fixed
    • VirtualBox guest additions updated to 4.3.18
    • FITS updated to 0.8.3
    • gnome-sushi included to preview various file formats (left-click on file and hit the space bar; preview pops up)
    • VLC newly included to play and examine metadata in A/V media files
    • TestDisk newly included (damaged/lost partition recovery)
    • PhotoRec newly included (damaged/lost file recovery)
    • Minor updates to Nautilus scripts (typo fixes)
  • 1.0 (September 5, 2014)
    • Improved version of the BitCurator Disk Image Access tool.
    • Many bugfixes (see user forum post)
  • 0.9.20 (September 5, 2014)
    • The 0.9.20 release eliminates a bug that prevented export of files from certain FAT16 file systems in the Disk Image Access tool, and includes various other core system updates and environment cleanup.
  • 0.9.19 (August 29, 2014)
    • Addresses various bugs and usability issues in the 0.9.16 and 0.9.18 releases
    • Updated version of the BitCurator Disk Image Access tool. Performance of this tool when loading disk images has been substantially improved, and the interface now provides a streamlined method to export *only* the deleted or *only* the allocated items (via the Edit menu). The tool also now provides realtime feedback during file export.
    • bulk_extractor updated to 1.5.3, many additional scanners and improvements
    • DFXML tools updated
  • 0.9.13 (June 30, 2014)
    • Improved version of the "File Access" tab in the BitCurator Reporting Tool
    • Export files and deleted/unallocated items directly from FAT12, FAT16, FAT32, NTFS, HFS+, ISO9660, and ext volumes stored in raw, AFF, and EWF (including split AFF and split EWF) disk images.
    • Added 4.9.0 release of the BagIt (Java) library
    • Added Antiword for export of legacy Word documents to TXT / PDF
    • Added ssdeep for fuzzy hashing
    • Added ddrescue
  • 0.9.9 (May 29, 2014)
    • Improves compatibility with current matplotlib
    • Reinstates the HFS Explorer tool
    • Ubuntu 14.04LTS package updates
    • Bugfixes for the BitCurator reporting tool
  • 0.9.8 (May 21, 2014):
    • Desktop launcher fix for BitCurator reporting tool
  • 0.9.7 (May 18, 2014):
    • Restored right-click-to-mount scripts
    • Bugfixes and performance improvements in reporting tool
    • libewf and TSK updated
  • 0.9.6 (May 18, 2014):
    • Minor udisks fix to restore floppy access
  • 0.9.4 (May 15, 2014):
    • libewf updated to 20140427 release. TSK and fiwalk now built against this version.
    • The Sleuth Kit updated from latest GitHub sources. Improves performance and reporting on disk images.
    • SDHash updated to 3.4.
    • BitCurator PDF reports generated from bulk_extractor output now include additional provenance and performance metadata.
    • BitCurator configuration (in /etc/bitcurator/bc_report_config.txt) updated to manage additional bulk_extractor reports.
    • DFXML sources updated to latest release
  • 0.8.4 (April 17, 2014):
    • Floppy disk drive access restored.
    • Installation bug preventing installation on laptops with certain webcams fixed.
    • File system output in Excel format now includes file format ID.
    • BitCurator configuration file (in /etc/bitcurator/bc_report_config.txt)
    • VirtualBox additions updated to 4.3.10.
  • 0.8.0 (February 28, 2014):
    • BitCurator install scripts complete
    • PPA packaging updates
  • 0.7.0 (January 31, 2014):
    • Preliminary BitCurator disk image navigation tool
    • Reporting updates
    • ClamTK by default
    • TSK / BE updates
  • 0.6.0 (January 15, 2014):
    • Full PREMIS metadata update
    • Improved disk mounting scripts
    • EAD and METS exports
  • 0.5.8 (December 20, 2013):
    • Updated PREMIS event reporting
    • Maintenance: VM cleanup
  • 0.5.0 (December 6, 2013):
    • Initial PREMIS event metadata export for forensic analysis events
    • PREMIS in METS Toolbox included
    • File duplication tool included
    • Disk image mounting scripts added
  • 0.3.5 (Sept 10, 2013):
    • VirtualBox extensions updates
    • Imaging tool and launcher updates
  • 0.4.0 (Sept 30, 2013):
    • PPA packaging of forensics tools and BitCurator software via BitCurator LaunchPad site
    • Redaction scripting updates
  • 0.3.4 (Sept 9, 2013):
    • GUI updates
    • DFXML updates
    • Bulk extractor 1.4.0 and AFFLIB updates
  • 0.3.2 (Sept --, 2013):
    • [Team test - no public release this version]
  • 0.3.0 (July 30, 2013):
    • Front-end GUIs for forensic processing tools
    • Forensics tools for data indexing
    • Improved removable media support