
Google Wave is scheduled to be completely decommissioned on April 30, 2012. Because Forensie depends on Wave in order to run at all, after that date this project will only remain useful for its MBR, VBR, and hex interpretation/display code.

Overview

This project is an implementation of a Google Wave robot designed to perform very basic forensic analysis of on-disk structures. The ultimate purpose of its creation is to evaluate Wave's potential for more sophisticated digital forensics analysis tasks.

To use Forensie, add 'forensie@appspot.com' to your Wave contacts, then simply add Forensie to the wave and input the data to be processed. That's it!

Features

Forensie is capable of analyzing the following inputs:

  • The MBR of a hard drive
  • The boot sector of a FAT12/16/32 partition
  • FAT date, time, and combined date-and-time values
  • Raw hex or binary input, decoded and shown as a hex/ASCII dump
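The MBR analysis listed above, as an added example that is not Forensie's own code: a Python parser for the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) with the sanity checks an analyst wants before trusting the table: signature present, valid status bytes, no overlapping entries, no data hiding in an "empty" entry, and a GPT protective entry flagged rather than misread. The type-name table is a small subset of common type codes, and the sample MBR produced by `build_sample_mbr` is constructed for this example (the third entry deliberately overlaps the second).

```python
import struct

# Added example, not Forensie's own code. MBR layout: 446 bytes of boot code,
# four 16-byte partition entries at offset 446, 0x55AA signature at offset 510.
MBR_SIZE = 512
TABLE_OFFSET = 446
SIGNATURE = b'\x55\xaa'
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = '<B3xB3xII'

# Small subset of common partition type codes, enough for the sample below.
PARTITION_TYPES = {
    0x00: 'empty', 0x01: 'FAT12', 0x04: 'FAT16 (<32 MB)', 0x05: 'extended',
    0x06: 'FAT16', 0x07: 'NTFS/exFAT/HPFS', 0x0b: 'FAT32 (CHS)',
    0x0c: 'FAT32 (LBA)', 0x0e: 'FAT16 (LBA)', 0x0f: 'extended (LBA)',
    0x82: 'Linux swap', 0x83: 'Linux', 0xee: 'GPT protective',
}


def parse_mbr(data):
    """Return (partitions, warnings) for a 512-byte MBR; bad content only warns."""
    if len(data) < MBR_SIZE:
        raise ValueError('need %d bytes, got %d' % (MBR_SIZE, len(data)))
    warnings = []
    if data[510:512] != SIGNATURE:
        warnings.append('missing 0x55AA boot signature at offset 510')
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            ENTRY_FMT, data, TABLE_OFFSET + 16 * i)
        parts.append({
            'index': i, 'status': status, 'bootable': status == 0x80,
            'type': ptype,
            'type_name': PARTITION_TYPES.get(ptype, 'unknown 0x%02x' % ptype),
            'lba_start': start, 'sectors': count,
            'lba_end': start + count,            # exclusive end sector
        })
        if status not in (0x00, 0x80):
            warnings.append('entry %d has invalid status byte 0x%02x' % (i, status))
        if ptype == 0xee:
            warnings.append('entry %d is a GPT protective entry: parse the GPT '
                            'header at LBA 1 instead' % i)
        if ptype != 0 and count == 0:
            warnings.append('entry %d has a type but zero length' % i)
        if ptype == 0 and (start or count):
            warnings.append('entry %d is marked empty but has non-zero LBA fields' % i)
    used = [p for p in parts if p['type'] != 0]
    for a in used:
        for b in used:
            if (a['index'] < b['index'] and a['lba_start'] < b['lba_end']
                    and b['lba_start'] < a['lba_end']):
                warnings.append('partitions %d and %d overlap' % (a['index'], b['index']))
    return parts, warnings


def report(parts, warnings):
    """Plain-text rendering in the style of a Forensie reply."""
    lines = []
    for p in parts:
        if p['type'] == 0 and p['sectors'] == 0:
            lines.append('Partition %d: unused' % p['index'])
            continue
        lines.append('Partition %d: %s%s, LBA %d-%d (%d sectors)' % (
            p['index'], '(bootable) ' if p['bootable'] else '', p['type_name'],
            p['lba_start'], p['lba_end'] - 1, p['sectors']))
    lines.extend('Warning: ' + w for w in warnings)
    return '\n'.join(lines)


def build_sample_mbr():
    """Constructed sample (not a real disk): a bootable FAT32 partition, a
    Linux partition, and a third entry that deliberately overlaps the second."""
    mbr = bytearray(MBR_SIZE)
    entries = [(0x80, 0x0c, 2048, 204800), (0x00, 0x83, 206848, 100000),
               (0x00, 0x07, 250000, 50000), (0x00, 0x00, 0, 0)]
    for i, fields in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i, *fields)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == '__main__':
    print(report(*parse_mbr(build_sample_mbr())))
```

The overlap and "empty but non-zero" checks matter in practice: a partition table is attacker-writable data, and entries that overlap or that hide sectors behind a type of 0x00 are exactly what a quick hex glance misses.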

Forensie responds as you would expect: it posts a reply containing its interpretation of the hex or binary data, updates a previously posted interpretation when the original blip changes, and posts nothing if the blip contains no hex or binary data.

Currently, Forensie can see past any number of header lines. In other words, if you want Forensie to translate an MBR but also need a long, detailed explanation with many newlines alongside it, just put the hex or binary text at the end of the blip and Forensie will find it.

The most recent version of Forensie accepts commands that specify how the hex or binary input should be processed. This gives the user much greater flexibility and relieves Forensie of having to auto-detect the type of every input it is given. Commands must be on a line that begins with '>> ', followed by the command words separated by spaces. The currently supported commands are:

  • hex: The default interpretation mode. Presents the input in a fixed-width font with its ASCII decoding alongside. Every other command falls back to this interpretation if an error occurs.
  • mbr: Analyzes the given input as a Master Boot Record.
  • fat-vbr: Analyzes the given input as the boot sector of a FAT volume.
  • date: Analyzes the given input as a FAT date value.
  • time: Analyzes the given input as a FAT time value.
  • datetime: Analyzes the given input as FAT date and time values.
  • little-endian: A sub-command, used together with one of the main commands above. Tells Forensie to read the input's multi-byte fields as little endian.
  • big-endian: A sub-command, used together with one of the main commands above. Tells Forensie to read the input's multi-byte fields as big endian.

Commands are case insensitive. Each command must be entered at the beginning of a line, in the following format, starting with the '>>' characters:

>> main-command [sub-command]

For example, the following tells Forensie to interpret the given date and time value as little endian:

>> datetime little-endian
a3347e653c

Forensie will post the following in response:

Time & Date Value: 15:49:41.63, 5 March, 2010
Processed for little endian format
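The command handling and the date/time decoding described above, as an added example that is not Forensie's own code: a Python re-implementation of the '>> main-command [sub-command]' convention for the hex, date, time and datetime commands and the two endianness sub-commands, including the fall-back to the hex view on error and the "hex at the end of the blip" rule. It reproduces the page's example reply exactly: the five bytes a3 34 7e 65 3c decode as the 10 ms "tenths" byte (0xa3 = 163), the time word 0x7e34 (15:49:40) and the date word 0x3c65 (5 March 2010), in the order these fields appear in a FAT directory entry's creation timestamp. That field order, little endian as the default when no sub-command is given, and the rule for telling binary input from hex (only 0/1 digits, a multiple of 8 of them) are assumptions of this example, not statements from the page; the mbr and fat-vbr commands are left out.

```python
import re

# Added example, not Forensie's own code: the '>> command [sub-command]'
# convention for hex, date, time and datetime, with little-/big-endian.
COMMAND_RE = re.compile(r'^>>\s*(\S+)(?:\s+(\S+))?\s*$')
MONTHS = ['January', 'February', 'March', 'April', 'May', 'June', 'July',
          'August', 'September', 'October', 'November', 'December']


def parse_blip(text):
    """Return (command, sub_command, payload bytes) for one blip.

    The command line may sit anywhere; the data is the trailing run of hex or
    binary lines. A run of only 0/1 digits whose length is a multiple of 8 is
    read as binary (assumed rule; the page does not say how it decides).
    """
    command, sub = 'hex', None
    lines = [ln.strip() for ln in text.strip().splitlines()]
    for ln in lines:
        m = COMMAND_RE.match(ln)
        if m:
            command = m.group(1).lower()
            sub = m.group(2).lower() if m.group(2) else None
    payload = []
    for ln in reversed(lines):
        if ln and re.fullmatch(r'[0-9A-Fa-f ]+', ln):
            payload.append(ln)
        else:
            break
    digits = ''.join(reversed(payload)).replace(' ', '')
    if not digits:
        return command, sub, b''
    if set(digits) <= {'0', '1'} and len(digits) % 8 == 0:
        return command, sub, int(digits, 2).to_bytes(len(digits) // 8, 'big')
    if len(digits) % 2:
        return command, sub, b''      # odd number of hex digits: not decodable
    return command, sub, bytes.fromhex(digits)


def _word(data, offset, little_endian):
    return int.from_bytes(data[offset:offset + 2], 'little' if little_endian else 'big')


def decode_fat_time(word):
    """FAT time word: hours in bits 15-11, minutes in 10-5, seconds/2 in 4-0."""
    h, m, s = word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2
    if h > 23 or m > 59 or s > 58:
        raise ValueError('invalid FAT time 0x%04x' % word)
    return h, m, s


def decode_fat_date(word):
    """FAT date word: years since 1980 in bits 15-9, month in 8-5, day in 4-0."""
    y, mo, d = 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F
    if not (1 <= mo <= 12 and 1 <= d <= 31):
        raise ValueError('invalid FAT date 0x%04x' % word)
    return y, mo, d


def hex_dump(data, width=16):
    """Fixed-width hex with the ASCII decoding alongside: the default view."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join('%02x' % b for b in chunk).ljust(width * 3 - 1)
        ascii_part = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        rows.append('%08x  %s  %s' % (off, hexpart, ascii_part))
    return '\n'.join(rows)


def interpret(command, sub, data):
    """Apply the command; on any error fall back to the hex view, as the page says."""
    le = sub != 'big-endian'        # little endian unless told otherwise (assumed default)
    note = ('\nProcessed for %s endian format' % ('little' if le else 'big')) if sub else ''
    try:
        if command == 'time' and len(data) == 2:
            h, m, s = decode_fat_time(_word(data, 0, le))
            return 'Time Value: %02d:%02d:%02d%s' % (h, m, s, note)
        if command == 'date' and len(data) == 2:
            y, mo, d = decode_fat_date(_word(data, 0, le))
            return 'Date Value: %d %s, %d%s' % (d, MONTHS[mo - 1], y, note)
        if command == 'datetime' and len(data) in (4, 5):
            # Five bytes are read in directory-entry order: the 10 ms "tenths"
            # byte, then the time word, then the date word (assumed layout;
            # it reproduces the page's example exactly).
            tenths = data[0] if len(data) == 5 else 0
            if tenths > 199:
                raise ValueError('invalid tenths byte %d' % tenths)
            base = len(data) - 4
            h, m, s = decode_fat_time(_word(data, base, le))
            y, mo, d = decode_fat_date(_word(data, base + 2, le))
            return 'Time & Date Value: %02d:%02d:%05.2f, %d %s, %d%s' % (
                h, m, s + tenths / 100.0, d, MONTHS[mo - 1], y, note)
        if command != 'hex':
            raise ValueError('unsupported command or wrong input length')
    except ValueError:
        pass
    return hex_dump(data)


def respond(text):
    """Whole pipeline for one blip; None means Forensie would post nothing."""
    command, sub, data = parse_blip(text)
    return interpret(command, sub, data) if data else None


if __name__ == '__main__':
    print(respond('>> datetime little-endian\na3347e653c\n'))
```

The range checks in the two decoders are what make the fall-back meaningful: a FAT time word can encode 31 "hours" and a date word can encode month 15, so a decoder that silently accepts them will print a plausible-looking timestamp from bytes that are not a timestamp at all.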

Limitations

Wave is still in preview, so there are features we hope will be supported in the future. In particular, the ability for Forensie to process files attached to a wave would greatly improve its utility.

Tool Recommendation

If you need a hex editor to use with Forensie, try HxD. HxD can read directly from any hard drive, partition, file, running program's memory, or disk image, with or without read-only mode; when looking at evidence, open it read-only (or, better, work from a verified image) so the editor cannot alter what you are examining. If you aren't comfortable getting it directly from the developer's page, it is also available from CNET.
