Hi, Guy, I use Ubuntu 22.04, but I also checked the issue in Kali and, as far as I can remember, Caine and Mint, and there was no change. I didn't try to compile guymager myself.
Hello Yossi, I'm astonished to read this. In my understanding, a touch screen principally should behave like a mouse. I never made any tests on a touch screen system for the simple reason that I don't have one readily available. Maybe I could try to lend one for a test. Which Linux distro and version are you using? Did you try to compile Guymager yourself on your system to see if it behaves differently then?
guymager stuck on touch screen
Building error - undefined reference to `pCompileInfoTimestampChangelog'
GuyMager portable
Dear Subham, sorry for the late reply - the entire "Guymager Support Team" (me) was on holiday. Sorry to disappoint you: A CLI version has been asked several times, but still is not available due to lack of time. Best wishes Guy
Inquiry about Guymager CLI Interface Availability and Usage
Dots in Filename and description
Ticket moved from /p/guymager/feature-requests/18/
Hello "John Doe", English version -> see below. When someone talks about "Festplatten", I think I can answer in German ;-) Yes, additional characters in filenames are easily possible. It's just that I chose the default configuration so that, as far as possible, no problems arise when copying later on. Please have a look at the parameter SpecialFilenameChars in /etc/guymager/guymager.cfg (by the way, in that file you'll also find the complete configuration documentation, there you can...
Thanks for the kind words! You are also welcome to contact me directly at develop@faert.net.
Thanks for the kind words! Could you please contact me briefly and directly at develop@faert.net?
Hello Guy, many thanks for the quick reply. That helps me, or rather us, a lot. My real name is Bernhard Wolff and I am a computer and mobile phone forensic examiner with the police of North Rhine-Westphalia (Polizei NRW). We use your program for imaging the seized hard disks from PC exhibits and are very satisfied with it. Really excellent work! Many thanks for that! Warm regards to Luxembourg, Bernhard
Hello "John Doe", when someone talks about "Festplatten", I think I can answer in German ;-) Yes, additional characters in filenames are easily possible. It's just that I chose the default configuration so that, as far as possible, no problems arise when copying later on. Please have a look at the parameter SpecialFilenameChars in /etc/guymager/guymager.cfg (by the way, in that file you'll also find the complete configuration documentation; quite a lot can be done there). Possible...
Dots in Filename and description
Guymager version 0.8.13
Great, thanks! Once past the device selection, most forensic personnel should be able to make their way with just the keyboard. For now I'm comfortable with the xdotool exercise; it was already included in my boot disk ISO image for more general purposes. I've put the tip itself into a wrapper script that fires up guymager and displays it.
I added keyboard support in my trunk. You'll be able to get the context menu by pressing Space or Enter. The complete sequence for starting an acquisition without pointing device would be: 1. Select device with arrow up/down keys 2. Press Space or Enter 3. Select the desired entry in the context menu ("Acquire image") by using the arrow up/down keys, then press Enter 4. Navigate through the acquisition dialog by using TAB / SHIFT TAB for switching to next/prev element Arrow keys for changing the...
Many thanks for your kind words. I just tried it myself and indeed - as stupid as it sounds - you can't acquire a device without a mouse! You're completely right, this must be fixed! I found a solution that might work as a very last possibility. You need internet connection for it (I know, that's not allowed in many cases): 1. CTRL-ALT-T for getting a shell 2. sudo apt install xdotool 3. Move the mouse to correct position over the Guymager device line. Do it with xdotool mousemove 500 500 (you'll...
Menu item to select Acquire image
Dear Guy, I'm just wondering whether Guymager can be booted from a USB flash memory stick or CD-ROM? In other words, can Guymager support on-line forensics to collect digital evidence, pick up data and make an image while the source computer is in its running state? Thanks
Building Guymager 0.8.12 on Debian 10 Buster
invalid dates and Target date error
Closed - not a Guymager bug
Those metadata fields (Timestamps, Case number, Examiner, Notes, Evidence number etc.) are simply glued together with TABs. Together with some more texts they form one big string. So, the format is simplistic and I have no idea what's going wrong in Encase. You would have to ask the developers. To me, it looks like an Encase bug, because I never had such feedback for other software. I always recommend to check with libewf (by Joachim Metz) in case of problems. I cannot exclude that the occurrence...
Hi Guy, I applied your suggestion and changed "AvoidEncaseProblems". Since then, from what I can see, it seems that this is not only fixing the error popups when I add the evidence to Encase, but it appears to also have fixed the Target Date problem I had. Not sure if this is a "correlation does not imply causation" situation or if the images that I have been making had something different from the previous machines I imaged. I think for now I will continue to keep on it and will raise another ticket...
Brilliant, thanks! I will definitely work this into my build, as we are using Encase primarily and I have seen these error pop ups happening when adding the evidence files. I will apply it later today and will continue with my tests with your suggestions and will give you an update afterwards whether it persists.
For now: I suppose it's an Encase bug and is related to Encase not interpreting the EWF header correctly. What you could try: Launch Guymager with option "AvoidEncaseErrors". From the documentation: AvoidEncaseProblems -- Encase produces strange error messages if the EWF internal fields "Imager Version" and "OS Version" contain more than 11 or 23 characters, respectively. Leave this flag OFF if you don't work with Encase (default setting). Set it to ON if ever you work with Encase and want to avoid...
Thank you for the quick response. I am in the process of imaging the same machine with FTK Imager, using Brett Shavers' WindowsFE. Once it has completed, I will test your suggestions also on Kali Linux and will send you an update.
Thanks, rooibost, I'm glad to hear that Guymager found its way down to ZA :-) Concerning your date problem: Could you please verify with a third, independent tool? I would suggest that you use ewfinfo. It should be contained on the Kali Linux you use. Call it like this: ewfinfo ImageName.E* You must pass all segment files to ewfinfo. Have a look at the two output lines named "Acquisition date" and "System date".
invalid dates and Target date error
Regarding sha256/512: I made a mistake and misread it. You could implement truncated sha512 (sha256/512) and that could be verified by guymager (feature request), and there would be no need to use other tools for verification. Thank you for explaining the reasons for separating hashing and verification. I understand it completely, but was just thinking creatively.
"Also, is there a technical, or other, reason why verification of the image could not start some time after image creation begins?" My reasons: It's a question of looking at the image (set of segment files) as a whole. Get one job done and do the other one next. I would not feel good when starting verification on an image that has not been completely written yet. Depending on the target device, this would lead to a lot of disk head movements. That would slow down the write AND the verification process. Yes,...
Guymager supports SHA256, but it won't get written to the resulting EWF file (as it is not supported there). It's contained in the info file only. would use sha512 and would truncate the hash to first 40 characters, the result would be the same as using sha256 I cannot confirm this... while SHA256 and SHA512 have similar algorithms, they produce completely different hashes, I think!? Could you please show me an example (C-Code, Python-Code, Linux shell, ...) that would show me how to use SHA512 for...
Hi Guy, thanks for the reply. Regarding sha256/512: if I understand it correctly, EWF officially supports only MD5 and SHA1. Guymager already supports sha256 (ewf-x supports sha256/512 per https://github.com/libyal/libewf/issues/107). If Guymager would use sha512 and would truncate the hash to the first 40 characters, the result would be the same as using sha256 but the hashing speed would be approx. 50 % faster. This would be especially useful when verification of the image is being done, where decompression is...
Please have a look at my response in ticket #16 https://sourceforge.net/p/guymager/feature-requests/16/
Hello dasd, I saw that you posted the same feature request twice, so I permitted myself to delete the previous one. Concerning the compression algorithms: For the EWF format, I cannot simply switch to a different algorithm, as no software out there would be able to read such EWF files. The same is true for hashing: No algorithm other than those supported by the standard (see Joachim Metz' outstanding documentation) will ever be supported. Yes, it's true that SHA512 is faster, however, we can't take...
Implement faster compression and hashing algorithm (sha512)
Hi, sorry, but I wrote my answer in another thread (because I wrote from mail), see below.
Hi Guy, thank you for the response! I found an implementation: https://github.com/Velocidex/c-aff4 The first binary of aff4imager (Version 1.0 -> aff4imager) is from Jan 16 2018, and it works for me with the "-V" option, and so does the last but one binary (Release 3.3 rc1 -> linpmem-v3.3.rc1) from Mar 2 2019. (The aff4imager is part of the linpmem release: "Since the pmem tools are functionally equivalent to the aff4 imager (with extra memory capabilities) we just release the pmem tools as the main user facing...
Hello bkl, I had a look at the AFF4 documentation. Unfortunately, I can't say that it's written a way that would allow me to support AFF4 easily. I then tried to compile aff4imager myself (current version, i.e. 1.0) and managed to do so in the end. However, there are some bugs. For example, I get a floating point error when trying to view the metadata from the reference image named Base-Linear.aff4 with option -V. Using the AFF4 C/C++ library from within Guymager possibly could be an option, but...
Encase verification errors E01 image, Imaged using Guymager
got no reply - therefore closed
aff4 image format
Guymager version 0.8.12
Mark, Guymager just does a complete image of the media (HDD, SDD, ...). I can't tell you what possibilities you have with Axiom or other commercial products, as I do not use those. The image done by Guymager complies to the standard formats used in forensics, i.e. EWF or RAW (dd) - and this format is independent of the OS that was installed on the HDD that you imaged. What do you mean by "facial recognition" or "pin"? Do you mean that the original computer only could be unlocked by putting the correct...
On a Windows 10 PC/laptop with standard Windows security software, using a verified physical forensic image obtained with Guymager 0.8.4 and a logical forensic image made with AccessData FTK Imager 3.1.1.8, and if the physical image was ingested into the forensic software Axiom v3.4.1.15164, is the data able to be read by another computer in a format that would be recognizable to a lay person? Do you need the facial recognition or the PIN to read such data? Thanks for your assistance
Hello Kelum, you're describing two different problems here. Let's start with the easy one: The Encase problem. There is no reason for limiting those comment strings to 64 or even only 12 characters. The EWF format (as documented by Joachim Metz) has no such limits and every software should be able to handle much longer strings. If Encase would complain only once about its inability to handle those strings, the user could still live with it. However, the annoying Encase error pops up again and again....
Ticket moved from /p/guymager/bugs/10/
Picture files of the links in above
Encase verification errors E01 image, Imaged using Guymager
Building Guymager for OpenSuse
Guymager version 0.8.11
Thanks again. Updated the guide blog post and David added a pull request to BitCurator to make this change https://github.com/BitCurator/bitcurator-distro-salt/pull/2/files. I also passed on your message on twitter.
Hehe, looks good! Nice work! If I may just add a small remark: Please do not change /etc/guymager/guymager.cfg directly. Create a new file /etc/guymager/local.cfg and put the line Language = en_CH into it. The idea behind: If an update is going to be installed, your change would be overwritten if it resides in guymager.cfg. As local.cfg is loaded later (see INCLUDE statement at the end of guymager.cfg) the settings residing there overwrite those from earlier configuration files. Another remark: It's...
One last update. I wrote up the instructions I followed here and shared them with the folks on twitter. Thank you very much Guy!
I created a version of the language file here https://yale.box.com/s/ebxgsxxjjl29zdtm0j1crdulhryqn7ei that so far folks on twitter seem happy with. Named it guymager_en-CH.qm for "Cultural Heritage".
Thanks Guy! I note your point about the EWF files. I think I've figured out what needs to be done to create the translation files and where to put them. I may write something up about it, but for now can you confirm this approach is correct (from this twitter thread): edit this XML file https://sourceforge.net/p/guymager/code/HEAD/tree/tags/guymager-0.8.8/guymager_en.ts#l26 , compile it with QT_linguist (e.g. https://wiki.qt.io/How_to_create_a_multi_language_application) then put it in /usr/share/guymager...
Hello Euan, you currently could change the names by creating a new language file. However, I must admit that this might be too complicated for the standard user. Would you like me to create one for you? You could then tell me if it fits your request. If yes, please send me your "translations" for case number, description, examiner, evidence number and notes. Remark: Please be aware of the fact that those text fields will keep the original labels inside the EWF files. This is due to the fact that the EWF...