
A post-mortem analysis tool for raw disk images

Project description

Fossil


A post-mortem analysis tool for raw disk/partition images


Introduction

Fossil is a Linux command-line collector driven by pre-configured or customizable collection profiles.

It uses sleuthkit tools under the hood.

It can be used to perform various forensic tasks during the post-mortem examination of raw disk or partition images, such as computing image content digests or creating collections based on generaptor collection targets.


Tip: If your disk image is not a raw disk image, you can use tools such as affuse from afflib-tools to create a mountpoint exposing a read-only raw disk image.

Getting Started

Fossil releases are available on GitHub and PyPI. Using a Python virtual environment is recommended.

# Setup sleuthkit toolkit
sudo apt install sleuthkit
# Setup fossil
python3 -m pip install edf-fossil
# Setup generaptor configuration files w/o fetching velociraptor binaries
generaptor update --do-no-fetch
# List partitions
fossil windows disk.img partitions
# List file system entries (see options to include deleted files and directories)
fossil windows disk.img fs_entries
# List file system entries in a raw partition instead
fossil --image-is-partition windows part.img fs_entries
# Perform default data collection on disk.img raw disk image
fossil windows disk.img collect
# Perform custom collection based on a collection profile
echo '{"targets":["WebServer/IIS"]}' > iis_server.json
fossil windows disk.img collect --custom-profile iis_server.json
# Hash all existing (non-deleted) files on the disk
fossil windows disk.img digest > result.csv
# Include deleted files (warning, sleuthkit is prone to errors when extracting deleted data)
fossil windows disk.img digest --deleted > result.csv
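Added example, not part of Fossil or its documentation: a small POSIX sh helper that reads a few signature bytes from an image to decide whether the plain `fossil windows ...` form or the `--image-is-partition` form applies, and that stops early on an E01 (Expert Witness) container, which is not raw and must first be exposed through affuse as the tip above describes. The signature checks, the labels ewf/disk/partition/unknown and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Classify an image before handing it to fossil. Only a handful of bytes are
# read with dd; the image is never written to.

# Print LENGTH bytes of FILE starting at OFFSET as lowercase hex (no spaces).
hex_at() {  # hex_at FILE OFFSET LENGTH
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Print one of:
#   ewf        EWF/E01 container (magic "EVF\t\r\n\xff\x00"): not raw, use affuse first
#   disk       GPT header "EFI PART" at offset 512, or an MBR boot signature 0x55AA
#   partition  NTFS volume boot sector (OEM ID "NTFS    " at offset 3)
#   unknown    none of the signatures matched (empty, truncated or other format)
# Caveat (assumption of this example): only NTFS volumes are recognised as
# partitions; a bare FAT volume also ends in 0x55AA and would be reported as disk.
image_kind() {  # image_kind FILE
    case "$(hex_at "$1" 0 8)" in
        455646090d0aff00) echo ewf; return 0 ;;
    esac
    [ "$(hex_at "$1" 512 8)" = 4546492050415254 ] && { echo disk; return 0; }
    [ "$(hex_at "$1" 3 8)"   = 4e54465320202020 ] && { echo partition; return 0; }
    [ "$(hex_at "$1" 510 2)" = 55aa ]             && { echo disk; return 0; }
    echo unknown
}

# Print the fossil command line matching the image kind, or fail with a hint.
fossil_cmdline() {  # fossil_cmdline FILE SUBCOMMAND
    case "$(image_kind "$1")" in
        disk)      echo "fossil windows $1 $2" ;;
        partition) echo "fossil --image-is-partition windows $1 $2" ;;
        ewf)       echo "$1: EWF container, expose a raw view with affuse first" >&2; return 1 ;;
        *)         echo "$1: unrecognised image format" >&2; return 1 ;;
    esac
}

# Direct use: ./image_kind.sh disk.img collect   (prints the command to run)
if [ "$#" -eq 2 ]; then
    cmd=$(fossil_cmdline "$1" "$2") && echo "$cmd"
fi
```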

Configuration

Fossil does not need a configuration file of its own; it relies on the Generaptor configuration files instead.


License

Distributed under the MIT License.


Contributing

Contributions are welcome. See CONTRIBUTING.md.


Security

To report a (suspected) security issue, see SECURITY.md.


Built Distribution

edf_fossil-1.0.0-py3-none-any.whl (14.7 kB)

File details

Details for the file edf_fossil-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: edf_fossil-1.0.0-py3-none-any.whl
  • Size: 14.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for edf_fossil-1.0.0-py3-none-any.whl

Algorithm    Hash digest
SHA256       6d2e51b5a4a6f7f478883ba44417c68c42a54561322de09ecb6a5e4ed125601a
MD5          e07f79f975cc87c7528012ca4e86b494
BLAKE2b-256  12fc2a0875201c6c4c0c5a6a81ef04d4b5341c3f0e8e6edabac773d38154b8cd
