The BitCurator environment uses open source and public domain digital forensics, data triage, and metadata reprocessing tools. Software developed by the BitCurator team is licensed under the GNU General Public License Version 3. Other software included in the BitCurator environment may be covered by other open source licenses and attribution terms.
Current Release: 1.3.3 (April 1, 2015)
The default username ("bcadmin") and password ("bcadmin") are the same for both the Virtual Machine and the Live CD.
Virtual MachineBitCurator Virtual Machine (Release 1.3.3)
This file is approximately 3.1GB. You can find directions on how to install the BitCurator virtual machine using Oracle's virtualization software VirtualBox here. If you wish to create your own virtual machine, or create a VM for another virtualization platform, please use the ISO installation media below.
Installation ISO CD/DVD ImageBitCurator ISO (Release 1.3.3)
The BitCurator ISO image is a customized version of Ubuntu Linux 14.04 LTS (64-bit). The ISO can be run as a live CD, or used to install BitCurator on a dedicated machine. You can also create your own BitCurator virtual machine using the ISO image (for example, if you wish to use VMWare rather than VirtualBox).
To install BitCurator as as stand-alone operating system, visit this page.
Want to put BitCurator on a bootable USB stick? Download our ISO image and using Pendrive Linux's Universal USB installer.
The BitCurator environment may be run as either a dedicated operating system or as a virtual machine using virtualization tools such as VirtualBox or VMware. The instructions on this page will assist you in installing, configuring, and using the BitCurator environment for both cases.
The BitCurator environment runs best on a host with a 64-bit processor and a native 64-bit OS. BitCurator is distributed with a configuration file that requires only one processing core and 1.5GB of RAM when running in VirtualBox in order to accommodate a wide range of hardware. We recommend that you reconfigure to provide the VM with at least 2 processor cores and 4GB of memory. For large disk images, data-intensive tasks, and simplified access to a range of hardware write-blockers, the environment should be installed on the host machine as a dedicated operating system.
Tools in the BitCurator Environment
The BitCurator virtual machine includes a unique interface to execute open source forensics tools. The BitCurator interface produces human-readable reports using the output of tools such as fiwalk and bulk_extractor. BitCurator also includes 3rd-party tools for disk imaging, data triage, private and individually identifying information (PII) discovery, filesystem analytics and reporting, and metadata export. The BitCurator environment is configured with scripts that automate actions that can be run against live filesystems, connected devices, and disk images for file analysis prior to (or in lieu of) imaging.
BitCurator currently includes the following tools:
Software produced by the BitCurator team:
- BitCurator Reporting Tool: A GUI-driven (and optionally command-line) tool for running forensics tools in sequence to produce human- and machine-readable reports.
- BitCurator Disk Image Access Tool: A GUI interface to browse raw and forensically-packaged disk images, export files and deleted items, and view disk image metadata.
- BitCurator Mounter: A Qt GUI application to list currently attached devices along with technical details. Allows users to mount fixed and removable media according to the current mount policy.
- BitCurator Read-Only AppIndicator: A Ubuntu AppIndicator allowing users to switch the system mount policy between "Read Only" and "Read/Write" for any attached media prior to mounting.
- Guymager: Multi-threaded open-source forensic disk imaging tool.
- dcfldd: A forensics-focused rewrite of dd.
- cdrdao: A CD imaging tool.
Forensic analysis and metadata generation
- bulk_extractor: A stream-based tool for disk image analysis.
- bulk_extractor Viewer (BEViewer): The GUI front-end for bulk-extractor
- DFXML tools: A set of C and Python programs to process Digital Forensics XML.
- fiwalk: File system analysis and DFXML export.
- The Sleuth Kit: A suite of forensics tools, utilities, and APIs.
- libewf: Open-source support for the Expert Witness format.
- AFFLIB: Open-source library for the Advanced Forensic Format.
- pyExifToolGUI: A GUI front-end for Exiftool. Allows editing of image metadata.
- ClamAV / ClamTK: Virus scanning.
- FSlint: Duplicate file identification and deletion.
- sdhash: File similarity tool using similarity digests.
- HFS Utilities: Utilities providing access to legacy HFS file systems, such as HFS Explorer.
- FITS: The File Information Tool Set.
- readpst: A utility for reading and exporting the contents of PST files.
- recoll: An indexing tool.
- GTK Hash: A cryptographic hashing tool.
- GHex: A hex viewer/editor
- Nautilus scripts: Support for various interactions with files and file systems.
- Safe Mount: Software write-blocking for digital media.
Licenses and Rights
Software produced for the BitCurator project is licensed under the GNU General Public Licence, Version 3. Documentation and other materials generated by the BitCurator team (including this wiki) are licensed under Creative Commons Attribution 2.0 Generic (CC By 2.0). All other software included in the BitCurator environment is distributed in accordance with the original distribution terms.
GitHub repository Our Github repository includes BitCurator-specific reporting tools, 3rd party open source tools, and technical documentation. Post-0.2.0 releases are marked with tags.
Past releases of the virtual machine and installation ISO are listed here. Please contact our team if you require a specific previous release. Source code associated with all major releases is tagged with the release number on our Github repository.
- 1.3.3 VM (mirror) and 1.3.3 ISO (mirror) (April 1, 2015)
- 1.3.1 VM (mirror) and 1.3.1 ISO (mirror) (March 24, 2015)
- 1.2.1 VM and 1.2.1 ISO (December 31, 2014)
- 1.2.0 VM and ISO (December 28, 2014)
- 1.1.0 VM and ISO (October 30, 2014)
- 1.0.0 VM and ISO (September 23, 2014)
- 0.9.22 VM and ISO (September 20, 2014)
- 0.9.21 VM and ISO (September 16, 2014)
- 0.9.20 VM and ISO (September 5, 2014)
- 0.9.19 VM and ISO (August 28, 2014)
- 0.9.18 VM and ISO (August 24, 2014)
- 0.9.16 VM and ISO (August 3, 2014)
- 0.9.13 VM and ISO (June 30, 2014)
- 0.9.12 VM and ISO (June 11, 2014)
- 0.9.9 VM and ISO (May 28, 2014)
- 0.9.8 VM and ISO (May 21, 2014)
- 0.9.7 VM and ISO (May 20, 2014)
- 0.9.6 VM and ISO (May 17, 2014)
- 0.9.4 VM and ISO (May 15, 2014)
- 0.8.4 VM and ISO (April 17, 2014)
- 0.8.0 VM and ISO (March 19, 2014)
- 0.7.6 VM and ISO (February 21, 2014)
- 0.7.4 VM and ISO (February 15, 2014)
- 0.7.0 VM and ISO (February 2, 2014)
- 0.6.4 VM and ISO (January 24, 2014)
- 0.6.2 VM and ISO (January 18, 2014)
- 0.5.8 VM and ISO (December 20, 2013)
- 0.5.6 VM and ISO (December 13, 2013)
- 0.5.0 VM and ISO (December 6, 2013)
- 0.4.4 VM and ISO (October 25, 2013)
- 0.4.2 VM and ISO (October 18, 2013)
- 0.4.0 VM and ISO (October 11, 2013)
- 0.3.5 VM and ISO (September 10, 2013)
- 0.3.4 VM and ISO (September 9, 2013)
- 0.3.0 VM and ISO (July 23, 2013)
- 0.3.0 VM and ISO Prerelease (July 19, 2013)
- 0.2.7 VM and ISO (June 22, 2013)
- 0.2.4 VM and ISO (May 10, 2013)
- 0.2.3 VM and ISO (March 22, 2013)
- 0.2.2 VM and ISO (March 19, 2013)
(Pre-0.2.2 releases not shown)
BitCurator Design Requirements Document
Additional Design Documents
- BitCurator Imaging Requirements, Version 0.7
- BitCurator Reporting Requirements (PII), Version 0.7
- BitCurator Reporting Requirements (Other forensics tools), Version 0.7
- BitCurator Metadata Requirements, Version 0.7
Abbreviated release notes for past releases. Full release notes may be found in the bitcurator-users group archive (https://groups.google.com/forum/#!forum/bitcurator-users)
- 1.2.1 (January 3, 2014)
- USB 3.0 device access (when installed as the host OS) restored
- Startup services cleaned up
- bulk_extractor rebuilt to accommodate Java update
- 1.2.0 (October 30, 2014)
- Weekly fstrim cron job disabled to prevent unwanted changes to the contents of SSDs
- Devices are now mounted with the loop option by default
- VirtualBox 4.3.20 updates
- PREMIS report generation updates (improved event support and vocab fixes) in BitCurator reporting tool
- ssdeep updated to 2.12 (corrects bugs in signature generation code and other updates from 2.10)
- hashdb updated to 1.1.2
- XlsxWriter updated to 0.6.4
- Guymager updated to latest build of 0.7.4
- DFXML libraries updated to latest GitHub sources
- Removed unneeded OpenCL library preventing BitCurator from booting on certain systems
- fixed a minor application launch issue with BEViewer
- disktype added with patches for E01 and other disk image formats
- Ubuntu core and kernel updates
- 1.1.0 (October 30, 2014)
- BitCurator Reporting Tool directory selection dialogue updated in Run All to prevent crash on first run
- objectIdentifierType / Value entries in BitCurator PREMIS output fixed
- VirtualBox guest additions updated to 4.3.18
- FITS updated to 0.8.3
- gnome-sushi included to preview various file formats (left-click on file and hit the space bar; preview pops up)
- VLC newly included to play and examine metadata in A/V media files
- TestDisk newly included (damaged/lost partition recovery)
- PhotoRec newly included (damaged/lost file recovery)
- Minor updates to Nautilus scripts (typo fixes)
- 1.0 (September 5, 2014)
- Improved version of the BitCurator Disk Image Access tool.
- Many bugfixes (see user forum post)
- 0.9.20 (September 5, 2014)
- The 0.9.20 release eliminates a bug that prevented export of files from certain FAT16 file systems in the Disk Image Access tool, and includes various other core system updates and environment cleanup.
- 0.9.19 (August 29, 2014)
- Addresses various bugs and usability issues in the 0.9.16 and 0.9.18 releases U
- Updated version of the BitCurator Disk Image Access tool. Performance of this tool when loading disk images has been substantially improved, and the interface now provides a streamlined method to export *only* the deleted or *only* the allocated items (via the Edit menu). The tool also now provides realtime feedback during file export.
- bulk_extractor updated to 1.5.3, many additional scanners and improvements
- DFXML tools updated
- 0.9.13 (June 30, 2014)
- Improved version of the "File Access" tab in the BitCurator Reporting Tool
- Export files and deleted/unallocated items directly from FAT12, FAT16, FAT32, NTFS, HFS+, ISO9660, and ext volumes stored in raw, AFF, and EWF (including split AFF and split EWF) disk images.
- Added 4.9.0 release of the BagIt (Java) library
- Added Antiword for export of legacy Word documents to TXT / PDF
- Added ssdeep for fuzzy hashing
- Added ddrescue
- 0.9.9 (May 29, 2014)
- Improves compatibility with current matplotlib
- Reinstates the HFS Explorer tool
- Ubuntu 14.04LTS package updates
- Bugfixes for the BitCurator reporting tool
- 0.9.8 (May 21, 2014):
- Desktop launcher fix for BitCurator reporting tool
- 0.9.7 (May 18, 2014):
- Restored right-click-to-mount scripts
- Bugfixes and performance improvements in reporting tool
- libewf and TSK updated
- 0.9.6 (May 18, 2014):
- Minor udisks fix to restore floppy access
- 0.9.4 (May 15, 2014):
- libewf updated to 20140427 release. TSK and fiwalk now built against this version.
- The Sleuth Kit updated from latest github sources. Improves performance and reporting on disk images.
- SDHash updated to 3.4.
- BitCurator PDF reports generated from bulk_extractor output now include additional provenance and performance metadata.
- BitCurator configuration (in /etc/bitcurator/bc_report_config.txt) updated to manage additional bulk_extractor reports.
- DFXML sources updated to latest release
- 0.8.4 (April 17, 2014):
- Floppy disk drive access restored.
- Installation bug preventing installation on laptops with certain webcams fixed.
- File system output in Excel format now includes file format ID.
- BitCurator configuration file (in /etc/bitcurator/bc_report_config.txt)
- VirtualBox additions updated to 4.3.10.
- 0.8.0 (February 28, 2014):
- BitCurator install scripts complete
- PPA packaging updates
- 0.7.0 (January 31, 2014):
- Preliminary BitCurator disk image navigation tool
- Reporting updates
- ClamTK by default
- TSK / BE updates
- 0.6.0 (January 15, 2014):
- Full PREMIS metadata update
- Improved disk mounting scripts
- EAD and METS exports
- 0.5.8 (December 20, 2013):
- Updated PREMIS event reporting
- Maintenance: VM cleanup
- 0.5.0 (December 6, 2013):
- Initial PREMIS event metadata export for forensic analysis events
- PREMIS in METS Toolbox included
- File duplication tool included
- Disk image mounting scripts added
- 0.3.5 (Sept 10, 2013):
- VirtualBox extensions updates
- Imaging tool and launcher updates
- 0.4.0 (Sept 30, 2013):
- PPA packaging of forensics tools and BitCurator software via BitCurator LaunchPad site
- Redaction scripting updates
- 0.3.4 (Sept 9, 2013):
- GUI updates
- DFXML updates
- Bulk extractor 1.4.0 and AFFLIB updates
- 0.3.2 (Sept --, 2013):
- [Team test - no public release this version]
- 0.3.0 (July 30, 2013):
- Front-end GUIs for forensic processing tools
- Forensics tools for data indexing
- Improved removable media support