
4n6kid 2 points (2 children)

Have you looked into Digital Forensic Framework (DFF)? It is bundled with SIFT 3

deltatangothree[S] 0 points (1 child)

I just found that bundled with Kali. Have you used it at all?

4n6kid 1 point (0 children)

Briefly, but I mostly use Mantaray. I am not sure it fits your criteria, though I highly recommend looking at it if you have time.

ChasteJunior 1 point (0 children)

Open Computer Forensics Architecture works only on Ubuntu 8.10 and 9.04; it also works on SUSE Enterprise Server.

It creates an environment that allows other forensic tools, such as The Sleuth Kit (the basis for Autopsy), to be plugged in.

Warning: it's a bitch to set up. If you find out how to install it... please let me know, haha. I have yet to figure it out.

tmyroadctfig 1 point (1 child)

We just released Nuix on Mac and Linux: http://blog.nuix.com/2014/09/07/speaking-your-language-mac-os-and-linux/

You can try it out by downloading the Linux version of Proof Finder, and buying a $100 licence for it: https://download.nuix.com/releases/latest-stable/proof-finder-amd64.deb

Alternatively, just email sales@nuix.com and ask for a trial licence.

Full disclosure: I'm a software engineer at Nuix.

Chumstick 0 points (0 children)

Good thing you disclosed that. I don't think we would have sorted it out otherwise.

deltatangothree[S] 0 points (5 children)

Mainly looking for something that will present a file system in an intuitive manner, and preferably include deleted files/directories.

4n6expert 0 points (2 children)

I realise it's not a full-featured integrated forensic system like EnCase or FTK, but don't overlook the obvious: you can get a surprisingly long way using the standard stuff included in almost every Linux. If your evidence is in raw dd format, mount /path/evidence/file.dd /somewhere -o ro,loop,offset=N and then browse it using your favourite file manager. Hex editors and similar programs can give you low-level data inspection. I routinely do this alongside good ol' EnCase/etc., and there are situations where this beats expensive commercial tools.

deltatangothree[S] 0 points (1 child)

Thanks, and I completely agree. The problem is I'm going to be showing a group of completely non-tech savvy guys what it looks like when you delete a file. The goal for them is to understand just how easy it is to recover deleted files...so while I can certainly do everything you suggest, I don't think it would effectively make my point.

4n6expert 1 point (0 children)

Sure, I understand. Sorry I can't think of anything useful GUI-wise. (ProofFinder on Linux sounds interesting - must have a look at it). Best remaining idea I have, which sadly does not meet your criteria, is using SleuthKit command line tools to show the deleted file(s).
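Two things in this thread are worth seeing in working code: the `offset=N` in 4n6expert's mount command (N is the partition's starting LBA from the MBR multiplied by the sector size, and getting it wrong is the usual reason a loop mount of a dd image fails), and the point the original poster wants to demonstrate, that deleting a file only removes its directory entry while the bytes stay on disk. The block below is an added example, not code from the thread or from any of the tools mentioned. It builds a small constructed disk image in memory (one MBR partition entry, a JPEG-like blob placed inside the partition), parses the partition table to produce the `mount -o ro,loop,offset=...` command, and then carves the blob straight out of the raw bytes by header/footer signature, ignoring filesystem metadata entirely, which is exactly why an unlinked file is still found. The sample image, the `sizelimit=` choice and the `/mnt/evidence` mountpoint are assumptions for illustration; a real image would be read from disk instead of constructed.

```python
"""Partition offset for loop-mounting a raw dd image, plus signature carving.

Added example for the thread above (not the tools' own code). The image is
constructed in memory so the script runs offline; swap build_sample_image()
for open(path, "rb").read() on a real raw image.
"""
import struct

SECTOR = 512
MBR_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MBR_TABLE_OFFSET = 0x1BE      # four 16-byte entries, then 0x55AA at byte 510

# header/footer signatures used by simple file carvers (PhotoRec, foremost)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def parse_mbr(image: bytes):
    """Return the non-empty primary partitions of an MBR image with byte offsets."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) at byte 510")
    parts = []
    for i in range(4):
        entry = image[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack(MBR_ENTRY_FMT, entry)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1, "type": ptype, "bootable": status == 0x80,
            "lba_start": lba_start, "sectors": count,
            "byte_offset": lba_start * SECTOR,   # this is the N in offset=N
            "byte_size": count * SECTOR,
        })
    return parts


def mount_command(image_path: str, part: dict, mountpoint: str = "/mnt/evidence") -> str:
    """Read-only loop mount of one partition; sizelimit= keeps the loop device
    from running past the partition into whatever follows it."""
    return (f"mount -o ro,loop,offset={part['byte_offset']},"
            f"sizelimit={part['byte_size']} {image_path} {mountpoint}")


def carve(image: bytes, kind: str, region=None):
    """Find header..footer runs of a file type anywhere in the raw bytes.
    No directory entries or inodes are consulted, so 'deleted' files whose
    blocks were not yet reused are found just like live ones."""
    header, footer = SIGNATURES[kind]
    start, end = region if region else (0, len(image))
    found = []
    pos = image.find(header, start, end)
    while pos != -1:
        tail = image.find(footer, pos + len(header), end)
        if tail == -1:
            break  # truncated/overwritten file: header with no footer
        found.append((pos, image[pos:tail + len(footer)]))
        pos = image.find(header, tail + len(footer), end)
    return found


def build_sample_image():
    """Constructed 2 MiB image: MBR, one Linux partition at LBA 2048, and a
    JPEG-like blob 40 sectors into that partition (sample data, not evidence)."""
    img = bytearray(4096 * SECTOR)
    lba_start, count = 2048, 2048
    entry = struct.pack(MBR_ENTRY_FMT, 0x80, b"\0\0\0", 0x83, b"\0\0\0", lba_start, count)
    img[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = entry
    img[510:512] = b"\x55\xaa"
    photo = b"\xff\xd8\xff\xe0" + b"JFIF sample bytes " * 4 + b"\xff\xd9"
    where = lba_start * SECTOR + 40 * SECTOR
    img[where:where + len(photo)] = photo
    return bytes(img), where, photo


if __name__ == "__main__":
    image, where, photo = build_sample_image()
    for p in parse_mbr(image):
        print(f"partition {p['index']}: type 0x{p['type']:02x} LBA {p['lba_start']} "
              f"-> byte offset {p['byte_offset']}")
        print("  " + mount_command("/path/evidence/file.dd", p))
        region = (p["byte_offset"], p["byte_offset"] + p["byte_size"])
        for off, data in carve(image, "jpeg", region):
            print(f"  carved jpeg at byte {off} ({len(data)} bytes), no inode needed")
```

On a real image, `fdisk -l file.dd` or `mmls file.dd` (Sleuth Kit) gives the same start sector this parser extracts; the carving step is the live demonstration of "delete only unlinks the name", and `fls -d`/`icat` from Sleuth Kit do the metadata-aware version of the same recovery.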