/libforensic1394

A library for performing memory forensics over the IEEE 1394 interface.

Primary LanguageCGNU Lesser General Public License v3.0LGPL-3.0

                           libforensic1394

About libforensic1394

  libforensic1394 is  a library  for performing memory  forensics over
  the  IEEE 1394  (“FireWire”) interface.   Unlike  existing libraries
  libforensic1394 supports  the new  ‘Juju’ stack introduced  in Linux
  2.6.22 as  well as  recent versions  of Mac OS  X through  IOKit. In
  addition  to  a  C  API  Python bindings  (using  ctypes)  are  also
  provided.

  Further information on libforensic1394 can be found at:

    https://freddie.witherden.org/tools/libforensic1394/

  Contact information can be found in the `AUTHORS` file.

Runtime Requirements

  GNU/Linux

    A recent version of Linux  running a 2.6.22 kernel (or later) with
    the ‘Juju’ stack compiled either  into the kernel or as a loadable
    module. Presence of  the new stack can be  determined by analysing
    the output of:

      $ ls /dev | grep fw

    If  the new  stack  is loaded  and  the system  has  at least  one
    FireWire   port  then   `fw0`  should   be   printed.   Additional
    ports/devices will take the form  fw<n>.  If no devices are listed
    then it is likely that the new stack is not loaded.

    Instructions for loading  the new stack can be  found on the Linux
    IEEE 1394 FireWire wiki:

      https://ieee1394.wiki.kernel.org/index.php/Juju_Migration

    In  addition  the  page  also  contains  instructions  for  making
    FireWire  devices  accessible to  regular  (non-root) users.   For
    libforensic1394 to work correctly access to all nodes is required.

    In the  relatively common case where  both the old  and new stacks
    are compiled  as loadable modules the  new stack can  be loaded as
    follows:

      $ sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394
      $ sudo modprobe firewire-ohci

    The  first command  removes the  old stack  (if loaded)  while the
    second loads the new stack.

  Mac OS X

    Mac OS X 10.5 (“Leopard”)  or newer running on a FireWire equipped
    Macintosh.

  Windows & BSD

    There is currently no support for using libforensic1394 on Windows
    or BSD operating  systems.  It is likely that  support for FreeBSD
    will be added in the near future.  A platform layer for Windows is
    less likely  on account of  there being no standard  userspace API
    for accessing FireWire devices.

Building libforensic1394

  In order to build libforensic1394  a recent version of CMake (2.8 or
  later)  is required.  After  extracting the  archive libforensic1394
  can be built by issuing the following commands:

    $ mkdir build
    $ cd build
    $ cmake -G"Unix Makefiles" ../
    $ make

  (Alternatively it  is also possible  to use CMake to  generate build
  files  for   other  development  environments  such   as  XCode  and
  Eclipse/CDT.   Please consult  the CMake  documentation  for further
  information.)

  Installing directly

    Once built libforensic1394 can be installed by executing:

      $ sudo make install

    Users on  operating systems  which use `su`  as opposed  to `sudo`
    should issue the above command as root.  On some GNU/Linux systems
    it may be necessary to execute `ldconfig` afterwards to regenerate
    the shared library cache.

  Installing through a package manager

    An alternative to installing  libforensic1394 directly is to use a
    binary package produced  by CPack, which is a  component of CMake.
    Supported package  formats include .tae.gz, .deb  and .rpm.  Using
    one of these packages in combination with a package manager is the
    recommended way to install libforensic1394.

    Building a package  is as simple issuing:

      $ make package

    After building the project.  This will produce the binary packages
    relevant to the system (.tar.gz  on all systems, .deb if `dpkg` is
    available and  .rpm if `rpmbuild` is  available).  The appropriate
    package can then be installed using the systems package manager.

Python Bindings

  Python language  bindings are provided in the  python/ directory and
  are  compatible with  all versions  of Python  since  2.5 (including
  Python 3).   The bindings themselves are written  entirely in Python
  and interface with libforensic1394 using the ctypes package.

  The bindings can be installed,  either locally or system wide, using
  the `setup.py` file  in the python/ directory.  As  the setup script
  is  merely   a  frontend  to  the   Python  Distributions  Utilities
  (`distutils`) module  it is  worth consulting its  documentation for
  further information.

Known Bugs & Limitations

  A list of known bugs & limitations can be found in the BUGS file.

Special Thanks

  I am  greatly indebted to Stefan  Richter for the  assistance he has
  provided to me (and others!) on the Linux 1394 user list.