Google Wave is scheduled to be completely decommissioned on April 30, 2012. Because Forensie depends on Wave to be fully functional, this project will only continue to be useful for the MBR, VBR, and hex interpretation/display functionality.
This project is an implementation of a Google Wave Robot designed to perform very basic file forensic analysis. The ultimate purpose of its creation is to evaluate Wave's potential to accomplish more sophisticated tasks in digital forensics analysis.
To use Forensie, add 'email@example.com' to your Wave contacts, then simply add Forensie to the wave and input the data to be processed. That's it!
Forensie is capable of analyzing the following inputs:
Forensie responds as you would expect: posting responses containing the interpretation of hex or binary data; changing previously posted interpretations when the original changes; not posting anything if there isn't hex or binary data.
Currently, Forensie can see past any number of header lines. In other words, if you want to have Forensie translate an MBR, but you need to have a long, detailed explanation with it that includes lots of newlines, just make sure you put the hex or binary text at the end of the blip, and Forensie will find it.
The most recent version of Forensie adds commands that specify how the hex or binary input should be processed. This feature gives the user much greater flexibility while relieving Forensie of the burden of automatically detecting all input given to it. Commands must be on a line that begins with '>> ' followed by each command word separated by a space. The currently supported commands are:
Commands are case insensitive. Each command must be entered in the following format at the beginning of a line, and must begin with the '>>' characters:
>> main-command [sub-command]
For example, the following would tell Forensie to interpret the given date and time value in little endian format:
>> datetime little-endian a3347e653c
Forensie will post the following in response:
Time & Date Value: 15:49:41.63, 5 March, 2010 Processed for little endian format
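The datetime example above, worked through in Python as an added illustration (not Forensie's own code). It assumes the five bytes follow the FAT directory-entry creation timestamp layout (one byte of 10 ms units, a 16-bit time word, a 16-bit date word), which reproduces the response shown; `handle_blip`, `decode_fat_created` and `format_reply` are hypothetical names, and only the `little-endian` sub-command from the page is handled.

```python
import re
from datetime import datetime, timedelta

# Page syntax: a line beginning with '>> ', then space-separated command words.
COMMAND_RE = re.compile(r"^>>\s+(\S+)\s+(\S+)\s+([0-9a-f]+)\s*$", re.IGNORECASE)

def decode_fat_created(raw: bytes) -> datetime:
    """Decode 5 bytes as tenths, time word, date word (assumed FAT layout)."""
    if len(raw) != 5:
        raise ValueError("expected 5 bytes: tenths, time (2), date (2)")
    tenths = raw[0]  # units of 10 ms; FAT allows 0-199
    if tenths > 199:
        raise ValueError("10 ms counter out of range")
    time_word = int.from_bytes(raw[1:3], "little")
    date_word = int.from_bytes(raw[3:5], "little")
    hour, minute = time_word >> 11, (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2  # stored at 2-second resolution
    year = 1980 + (date_word >> 9)
    month, day = (date_word >> 5) & 0x0F, date_word & 0x1F
    # datetime() raises ValueError on impossible fields (month 0, hour 25, ...),
    # so corrupt or non-timestamp input is rejected instead of misreported.
    base = datetime(year, month, day, hour, minute, second)
    return base + timedelta(milliseconds=tenths * 10)

def handle_blip(text: str):
    """Decode the last 'datetime' command in a blip; None if there is none."""
    for line in reversed(text.splitlines()):
        m = COMMAND_RE.match(line)
        if not m:
            continue
        main, sub, hexdata = (g.lower() for g in m.groups())
        if main != "datetime":
            continue
        if sub != "little-endian":
            raise ValueError(f"sub-command not covered by this example: {sub}")
        if len(hexdata) % 2:
            raise ValueError("odd number of hex digits")
        return decode_fat_created(bytes.fromhex(hexdata))
    return None

def format_reply(dt: datetime) -> str:
    """Render the value in the style of the response shown on the page."""
    return f"{dt:%H:%M:%S}.{dt.microsecond // 10000:02d}, {dt.day} {dt:%B}, {dt.year}"

if __name__ == "__main__":
    # Constructed blip: one header line followed by the page's example command.
    blip = "Creation stamp from a directory entry\n>> datetime little-endian a3347e653c"
    print(format_reply(handle_blip(blip)))
```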
Wave is still in preview, so there are things we hope will be supported in the future. In particular, the ability for Forensie to process files attached to a wave would greatly improve its utility.
If you need a hex editor to use with Forensie, try HxD. HxD provides the ability to read directly from any hard drive, partition, file, running program in RAM, or disk image, with or without read-only mode. If you aren't comfortable getting it directly from the developer's page, get it from CNET.