Software

The BitCurator environment uses open source and public domain digital forensics, data triage, and metadata reprocessing tools. Software developed by the BitCurator team is licensed under the GNU General Public License Version 3. Other software included in the BitCurator environment may be covered by other open source licenses and attribution terms.

If you can't find the information about the BitCurator software you need on this page, check our FAQ or join the BitCurator Users listserv.

Current Release: 1.0.0 (September 23, 2014)

The default username ("bcadmin") and password ("bcadmin") are the same for both the Virtual Machine and the Live CD.

Virtual Machine

BitCurator Virtual Machine (Release 1.0.0)

This file is approximately 2.5GB. You can find directions on how to install the BitCurator virtual machine using Oracle's virtualization software VirtualBox here. If you wish to create your own virtual machine, or create a VM for another virtualization platform, please use the ISO installation media below.

Installation ISO CD/DVD Image

BitCurator ISO (Release 1.0.0)

The BitCurator ISO image is a customized version of Ubuntu Linux 14.04 LTS (64-bit). The ISO can be run as a live CD, or used to install BitCurator on a dedicated machine. You can also create your own BitCurator virtual machine using the ISO image (for example, if you wish to use VMware rather than VirtualBox).

To install BitCurator as a stand-alone operating system, visit this page.

Want to put BitCurator on a bootable USB stick? Download our ISO image and use Pendrive Linux's Universal USB Installer.

Technical Requirements

The BitCurator environment may be run as either a dedicated operating system or as a virtual machine using virtualization tools such as VirtualBox or VMware. The instructions on this page will assist you in installing, configuring, and using the BitCurator environment for both cases.

The BitCurator environment runs best on a host with a 64-bit processor and a native 64-bit OS. BitCurator is distributed with a configuration file that requires only one processing core and 1.5GB of RAM when running in VirtualBox in order to accommodate a wide range of hardware. We recommend that you reconfigure to provide the VM with at least 2 processor cores and 4GB of memory. For large disk images, data-intensive tasks, and simplified access to a range of hardware write-blockers, the environment should be installed on the host machine as a dedicated operating system.

Tools in the BitCurator Environment

The BitCurator virtual machine includes a unique interface to execute open source forensics tools. The BitCurator interface produces human-readable reports using the output of tools such as fiwalk and bulk_extractor. BitCurator also includes 3rd-party tools for disk imaging, data triage, private and individually identifying information (PII) discovery, filesystem analytics and reporting, and metadata export. The BitCurator environment is configured with scripts that automate actions that can be run against live filesystems, connected devices, and disk images for file analysis prior to (or in lieu of) imaging.

BitCurator currently includes the following tools:

Software produced by the BitCurator team:

  • BitCurator Reporting Tool: A GUI-driven (and optionally command-line) tool for running forensics tools in sequence to produce human- and machine-readable reports.
  • BitCurator Disk Image Access Tool: A GUI interface to browse raw and forensically-packaged disk images, export files and deleted items, and view disk image metadata.
  • BitCurator Mounter: A Qt GUI application to list currently attached devices along with technical details. Allows users to mount fixed and removable media according to the current mount policy.
  • BitCurator Read-Only AppIndicator: An Ubuntu AppIndicator allowing users to switch the system mount policy between "Read Only" and "Read/Write" for any attached media prior to mounting.

Disk imaging

  • Guymager: Multi-threaded open-source forensic disk imaging tool.
  • dcfldd: A forensics-focused rewrite of dd.
  • cdrdao: A CD imaging tool.

Forensic analysis and metadata generation

  • bulk_extractor: A stream-based tool for disk image analysis.
  • bulk_extractor Viewer (BEViewer): The GUI front-end for bulk_extractor.
  • DFXML tools: A set of C and Python programs to process Digital Forensics XML.
  • fiwalk: File system analysis and DFXML export.
  • The Sleuth Kit: A suite of forensics tools, utilities, and APIs.
  • libewf: Open-source support for the Expert Witness format.
  • AFFLIB: Open-source library for the Advanced Forensic Format.
  • pyExifToolGUI: A GUI front-end for Exiftool. Allows editing of image metadata.

Other utilities

  • ClamAV / ClamTK: Virus scanning.
  • FSlint: Duplicate file identification and deletion.
  • sdhash: File similarity tool using similarity digests.
  • HFS Utilities: Utilities providing access to legacy HFS file systems, such as HFS Explorer.
  • FITS: The File Information Tool Set.
  • readpst: A utility for reading and exporting the contents of PST files.
  • recoll: An indexing tool.
  • GTK Hash: A cryptographic hashing tool.
  • GHex: A hex viewer/editor.
  • Nautilus scripts: Support for various interactions with files and file systems.
  • Safe Mount: Software write-blocking for digital media.

Licenses and Rights

Software produced for the BitCurator project is licensed under the GNU General Public License, Version 3. Documentation and other materials generated by the BitCurator team (including this wiki) are licensed under Creative Commons Attribution 2.0 Generic (CC BY 2.0). All other software included in the BitCurator environment is distributed in accordance with the original distribution terms.

Source Code

GitHub repository: Our GitHub repository includes BitCurator-specific reporting tools, 3rd-party open source tools, and technical documentation. Post-0.2.0 releases are marked with tags.

Release Archive

Past releases of the virtual machine and installation ISO are listed here. Please contact our team if you require a specific previous release. Source code associated with all major releases is tagged with the release number on our GitHub repository.

  • 1.0.0 VM and 1.0.0 ISO (September 23, 2014)
  • 0.9.21 VM and 0.9.22 ISO (September 20, 2014)
  • 0.9.21 VM and ISO (September 16, 2014)
  • 0.9.20 VM and ISO (September 5, 2014)
  • 0.9.19 VM and ISO (August 28, 2014)
  • 0.9.18 VM and ISO (August 24, 2014)
  • 0.9.16 VM and ISO (August 3, 2014)
  • 0.9.13 VM and ISO (June 30, 2014)
  • 0.9.12 VM and ISO (June 11, 2014)
  • 0.9.9 VM and ISO (May 28, 2014)
  • 0.9.8 VM and ISO (May 21, 2014)
  • 0.9.7 VM and ISO (May 20, 2014)
  • 0.9.6 VM and ISO (May 17, 2014)
  • 0.9.4 VM and ISO (May 15, 2014)

Pre-14.04LTS Releases:

  • 0.8.4 VM and ISO (April 17, 2014)
  • 0.8.0 VM and ISO (March 19, 2014)
  • 0.7.6 VM and ISO (February 21, 2014)
  • 0.7.4 VM and ISO (February 15, 2014)
  • 0.7.0 VM and ISO (February 2, 2014)
  • 0.6.4 VM and ISO (January 24, 2014)
  • 0.6.2 VM and ISO (January 18, 2014)
  • 0.5.8 VM and ISO (December 20, 2013)
  • 0.5.6 VM and ISO (December 13, 2013)
  • 0.5.0 VM and ISO (December 6, 2013)
  • 0.4.4 VM and ISO (October 25, 2013)
  • 0.4.2 VM and ISO (October 18, 2013)
  • 0.4.0 VM and ISO (October 11, 2013)
  • 0.3.5 VM and ISO (September 10, 2013)
  • 0.3.4 VM and ISO (September 9, 2013)
  • 0.3.0 VM and ISO (July 23, 2013)
  • 0.3.0 VM and ISO Prerelease (July 19, 2013)
  • 0.2.7 VM and ISO (June 22, 2013)
  • 0.2.4 VM and ISO (May 10, 2013)
  • 0.2.3 VM and ISO (March 22, 2013)
  • 0.2.2 VM and ISO (March 19, 2013)

(Pre-0.2.2 releases not shown)

BitCurator Design Requirements Document

Additional Design Documents

Release Notes

Abbreviated release notes for past releases. Full release notes may be found in the bitcurator-users group archive (https://groups.google.com/forum/#!forum/bitcurator-users).

  • 0.9.13 (June 30, 2014)
    • Improved version of the "File Access" tab in the BitCurator Reporting Tool
    • Export files and deleted/unallocated items directly from FAT12, FAT16, FAT32, NTFS, HFS+, ISO9660, and ext volumes stored in raw, AFF, and EWF (including split AFF and split EWF) disk images.
    • Added 4.9.0 release of the BagIt (Java) library
    • Added Antiword for export of legacy Word documents to TXT / PDF
    • Added ssdeep for fuzzy hashing
    • Added ddrescue
  • 0.9.9 (May 29, 2014)
    • Improves compatibility with current matplotlib
    • Reinstates the HFS Explorer tool
    • Ubuntu 14.04LTS package updates
    • Bugfixes for the BitCurator reporting tool
  • 0.9.8 (May 21, 2014):
    • Desktop launcher fix for BitCurator reporting tool
  • 0.9.7 (May 18, 2014):
    • Restored right-click-to-mount scripts
    • Bugfixes and performance improvements in reporting tool
    • libewf and TSK updated
  • 0.9.6 (May 18, 2014):
    • Minor udisks fix to restore floppy access
  • 0.9.4 (May 15, 2014):
    • libewf updated to 20140427 release. TSK and fiwalk now built against this version.
    • The Sleuth Kit updated from latest github sources. Improves performance and reporting on disk images.
    • SDHash updated to 3.4.
    • BitCurator PDF reports generated from bulk_extractor output now include additional provenance and performance metadata.
    • BitCurator configuration (in /etc/bitcurator/bc_report_config.txt) updated to manage additional bulk_extractor reports.
    • DFXML sources updated to latest release
  • 0.8.4 (April 17, 2014):
    • Floppy disk drive access restored.
    • Installation bug preventing installation on laptops with certain webcams fixed.
    • File system output in Excel format now includes file format ID.
    • BitCurator configuration file (in /etc/bitcurator/bc_report_config.txt)
    • VirtualBox additions updated to 4.3.10.
  • 0.8.0 (February 28, 2014):
    • BitCurator install scripts complete
    • PPA packaging updates
  • 0.7.0 (January 31, 2014):
    • Preliminary BitCurator disk image navigation tool
    • Reporting updates
    • ClamTK by default
    • TSK / BE updates
  • 0.6.0 (January 15, 2014):
    • Full PREMIS metadata update
    • Improved disk mounting scripts
    • EAD and METS exports
  • 0.5.8 (December 20, 2013):
    • Updated PREMIS event reporting
    • Maintenance: VM cleanup
  • 0.5.0 (December 6, 2013):
    • Initial PREMIS event metadata export for forensic analysis events
    • PREMIS in METS Toolbox included
    • File duplication tool included
    • Disk image mounting scripts added
  • 0.3.5 (Sept 10, 2013):
    • VirtualBox extensions updates
    • Imaging tool and launcher updates
  • 0.4.0 (Sept 30, 2013):
    • PPA packaging of forensics tools and BitCurator software via BitCurator LaunchPad site
    • Redaction scripting updates
  • 0.3.4 (Sept 9, 2013):
    • GUI updates
    • DFXML updates
    • Bulk extractor 1.4.0 and AFFLIB updates
  • 0.3.2 (Sept --, 2013):
    • [Team test - no public release this version]
  • 0.3.0 (July 30, 2013):
    • Front-end GUIs for forensic processing tools
    • Forensics tools for data indexing
    • Improved removable media support