A new version of AIR has been released. The primary change is that it now supports the dc3dd imager and doing 2 hashing algorithms.
Thanks to Dr. Nanni Bassetti for his modifications and feedback that made this release possible.
As always, feedback and comments appreciated.
I'm trying to install v2 on Ubuntu 10.4 but for some reason it doesn't work. It successfully installs the package, but when I type air to run it, I get this error:
Can't locate Tk.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/local/bin/air line 21.
BEGIN failed-compilation aborted at /usr/local/bin/air line 21.
can you please let me know how to fix this?
you have to install:
perl-tk
sharutils
all by sudo.
Remember you must have also:
md5deep package
cryptcat
dc3dd
uudecode
Check if you have a problem downloading perl-tk automatically because of your proxy server (if you have one); try it this way:
sudo apt-get install perl-tk
"sudo apt-get install perl-tk" worked.
Just wanted to give some feedback. It looks like a slow forum. I'm surprised more people haven't found you. ;) I just turned a forensic police officer onto it, so maybe things will pick up a little. I'm in the process of testing it now. Very nice piece of work. I get sweaty palms and a headache when trying to use dd because it is so powerful and dangerous. I LOVE how you output the command you are using. It is an educational tool as well. <G>
Yes, it tends to be slow around here. Glad to hear that you are liking it so far. Let us know if you find any problems or have any suggestions and we'll do what we can to help you out.
>>you have to install: perl-tk sharutils all by sudo. Remember you must have also: md5deep package cryptcat dc3dd uudecode Check if you have problem to download the perl-tk automatically because you proxy server (if you have one) try in this way sudo apt-get install perl-tk
I just got the link to this forum.
Would it be possible that you add this information (including the cc compiler) to the readme file? This would be very helpful.
Also a comment that dc3dd has to be installed separately.
I just ran a first test yesterday - and I am still not yet sure if the tool is really helpful for me. The reason is simple: Most forensic tools run with Windows and only support .e01 and dd images. I do not prefer dd images as they always need a lot of space (whole size of the HD). If you compress them this does not really help very much, as you have to uncompress them to work with them. So .e01 or aff or other formats would be more helpful.
Is there a manual which helps me how to handle the tool? I regret, but I think it is not self-explanatory.
The first thing I noticed is that there is no progress bar, so that you have no idea how long it will need until the job is done. This is very important at customer investigations as the colleagues from the "paper front" always ask you: when are you ready?
"I don't know" is a bad answer.
The second is that there seems to be no language support - not so problematic, but it would be helpful. If you give me a list with the text to translate, I could try to translate it into German.
The third is that it seems to be able to backup a HD to a directory of the same HD which is dangerous - no warning (don't worry, even Encase and X-Ways have no warning).
As a fourth, I personally have no idea if the source / destination block size is automatically set correctly or if I have to change something. I am not sure if this setting means the sector size / cluster size / something else? And what are the effects if this value is set wrong?
As a fifth, I think tooltips which explain things like "iflag" "cryptcat" … when moving the mouse over the text would be helpful.
I just had a short talk with a colleague - and he told me that his last impression of the tool was that the GUI is confusing, this is his reason why he did not use it till now.
Networking: I have absolutely no idea what the tool does if I enter a target IP / port (I know IPs and ports) but I have no idea if it creates a file there or what it does at this IP/port / what I have to do at the target to get the image there. Absolutely no idea. Do I have to run AIR on a second machine, enter the IP as source and the filename as target? How do I have to change IP settings (I have no idea how to do this in Linux, sorry). Can I use a Windows machine on the second site?
The same with the source - and I must admit that I have no idea how to get out the source / target IPs in Linux or how to change the settings. I know, this is a stu (silliest thinkable user) answer, but if you start a new tool for the first time, you will have the same problems.
Backing up via network would be an interesting solution for me as this offers the possibility to back up netbooks, MacBooks … where it is problematic to take out the HD without a damage.
Thanks for the feedback! I will try to answer all of your points as best as I can.
I can add more information to the readme file about the additional packages and binaries that may be needed.
As for images in .E01 format, it is possible to support this through the libewf library, but we will have to make some significant changes to the code to add this support. The same goes for AFF format - it is certainly possible to add support, we would just need to find the time to implement it.
Unfortunately we have no manual and this is just because of the time involved. I will look into enabling and setting up the Wiki here on SourceForge and perhaps that can be used to create some documentation. This would also enable users to contribute.
1. As for the progress indicator, we can probably implement that, but it will require some thought. Currently the progress is handled by a simple program that receives data from STDIN, updates the count of total data seen, and then pipes the data to STDOUT which is then received by another process that writes the image file. To get an update for percent completed and estimated time to completion would require passing the size of the disk to the counter process.
2. Language support is definitely needed. This will require some re-coding, though. Right now all the strings are hard-coded in the app and they will need to be abstracted out to use external language files. Once we get to that point we'll definitely appreciate any help in getting translations for various languages.
3. As for writing to a directory on the same HDD which you are imaging… well, this shouldn't be an issue since you should never mount the target hard drive in the first place. If you are using a linux boot CD that allows the internal hard drive on the host system to be mounted automatically during the boot process then you need to find a linux boot CD designed for forensics that has the init scripts modified so as not to automatically mount ANY partitions or swap space.
4. The block size is simply the amount of data that will be read and written to the disks on each read/write operation. Standard disk sectors are 512-bytes, but most drives are designed to read significantly more than that in a single read/write operation. Different disks will perform differently, but generally I have found that using larger block sizes (32K or more) generally increases the speed. This has nothing to do with cluster sizes as clusters are a file system level abstraction. The imaging process doesn't care about the file system and only deals in disk sectors. There really is no "correct" block size, the only impact will be on the performance of reads and writes, and the only way to know that will be through experimentation and experience.
5. Tooltips would be good. We can look at implementing those (assuming Tk supports them).
The network imaging option requires AIR to run on each system (linux only). Your linux forensic workstation would have AIR running as the destination and will "listen" on a specific port. The system that will be imaging the hard drive will run AIR and specify the IP address and port of the destination system. It uses netcat or cryptcat (if installed) to transfer the image data over the network. In linux you can view/modify the IP addresses of your network interfaces by using the 'ifconfig' command in a console window.
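The counter process described in point 1, as an added illustration (written in Python rather than AIR's own Perl, and not code from the AIR project): it passes data from STDIN to STDOUT in blocks, keeps a byte count, and, when the disk size is supplied up front, reports percent completed and an estimated time remaining on STDERR so that the image stream on STDOUT stays untouched. All function names, the default block size and the clock injection are assumptions made for this example.

```python
import sys
import time


def progress(seen, total_bytes, elapsed):
    """Derive percent done and ETA (seconds) from bytes seen so far.

    Without a known total only the byte count can be reported, which is
    the situation the current AIR counter is in.
    """
    if not total_bytes:
        return {"bytes": seen, "percent": None, "eta": None}
    percent = 100.0 * seen / total_bytes
    rate = seen / elapsed if elapsed > 0 else 0.0          # bytes per second
    remaining = total_bytes - seen
    eta = remaining / rate if rate > 0 else None           # None until rate is known
    return {"bytes": seen, "percent": percent, "eta": eta}


def count_through(src, dst, total_bytes=None, block_size=32 * 1024,
                  report=None, now=time.monotonic):
    """Copy src to dst in block_size chunks and return the byte count.

    `report` (if given) is called once per block with the progress dict;
    `now` is injectable so the timing can be made deterministic in tests.
    """
    seen = 0
    start = now()
    while True:
        chunk = src.read(block_size)
        if not chunk:                                       # EOF on the pipe
            break
        dst.write(chunk)                                    # forward the image data unchanged
        seen += len(chunk)
        if report is not None:
            report(progress(seen, total_bytes, now() - start))
    dst.flush()
    return seen


if __name__ == "__main__":
    # Usage: dd if=/dev/sdX bs=32k | python counter.py <disk_size_in_bytes> > image.dd
    total = int(sys.argv[1]) if len(sys.argv) > 1 else None

    def show(p):
        # Status goes to STDERR; STDOUT carries the image bytes.
        if p["percent"] is None:
            sys.stderr.write("\r%d bytes" % p["bytes"])
        else:
            eta = "?" if p["eta"] is None else "%.0fs" % p["eta"]
            sys.stderr.write("\r%.1f%% done, ETA %s" % (p["percent"], eta))

    count_through(sys.stdin.buffer, sys.stdout.buffer, total, report=show)
```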
Thank you. This helped me a little for my further work with AIR. AFF is not such an important format for me as it is not supported by our Forensic tools, but e01 with compression would be appreciated.
I will try to run AIR via network in the next days. Let's see…
1) Basic information with the "in about" time would be a first step.
By the way, I know the programmer of Guymager (I met him some months ago). Would it be helpful to come in contact with him, as he already knows more about .e01?
Nice work. I've been working with Fedora for 2 years, but I can't install this "save-me-from-disaster" tool you have programmed so well, because my Fedora 13 64-bit lacks the "perl.h" file - I've been googling but can't find anything about it. Can you help me? Thanks.
I'm not familiar with the current Fedora or packages available… Check to see if Fedora has a Perl-Tk package that you can install prior to running the AIR install script. If AIR detects that Perl-Tk is already installed, that should prevent the installer from downloading the Perl-Tk source and compiling, which is likely where you are seeing the failure.
If you have no luck there, send me the install log (should be /tmp/air-install.log) and I'll see if I can figure out a work-around.
AIR 2.0.0 is present in Caine 2.0 http://www.caine-live.net :-)
I just started working with AIR in the Caine package, but the problem is that when I start the process of imaging even a single (.png) file it takes quite a long time (hours) to verify. I'm not sure whether the imaging is complete after the verification. I would also be glad if you could explain more about the imaging over network feature of AIR and what port number we should choose, because I use port 23, and after I click start on both ends it starts to verify, but after a few seconds it asks me to start the whole process again. I'm not sure what is actually going on?
Thanks in advance.
P.S.: I installed AIR on my laptop.