libforensic1394 About libforensic1394 libforensic1394 is a library for performing memory forensics over the IEEE 1394 (“FireWire”) interface. Unlike existing libraries libforensic1394 supports the new ‘Juju’ stack introduced in Linux 2.6.22 as well as recent versions of Mac OS X through IOKit. In addition to a C API Python bindings (using ctypes) are also provided. Further information on libforensic1394 can be found at: https://freddie.witherden.org/tools/libforensic1394/ Contact information can be found in the `AUTHORS` file. Runtime Requirements GNU/Linux A recent version of Linux running a 2.6.22 kernel (or later) with the ‘Juju’ stack compiled either into the kernel or as a loadable module. Presence of the new stack can be determined by analysing the output of: $ ls /dev | grep fw If the new stack is loaded and the system has at least one FireWire port then `fw0` should be printed. Additional ports/devices will take the form fw<n>. If no devices are listed then it is likely that the new stack is not loaded. Instructions for loading the new stack can be found on the Linux IEEE 1394 FireWire wiki: https://ieee1394.wiki.kernel.org/index.php/Juju_Migration In addition the page also contains instructions for making FireWire devices accessible to regular (non-root) users. For libforensic1394 to work correctly access to all nodes is required. In the relatively common case where both the old and new stacks are compiled as loadable modules the new stack can be loaded as follows: $ sudo modprobe -r ohci1394 sbp2 eth1394 dv1394 raw1394 video1394 $ sudo modprobe firewire-ohci The first command removes the old stack (if loaded) while the second loads the new stack. Mac OS X Mac OS X 10.5 (“Leopard”) or newer running on a FireWire equipped Macintosh. Windows & BSD There is currently no support for using libforensic1394 on Windows or BSD operating systems. It is likely that support for FreeBSD will be added in the near future. A platform layer for Windows is less likely on account of there being no standard userspace API for accessing FireWire devices. Building libforensic1394 In order to build libforensic1394 a recent version of CMake (2.8 or later) is required. After extracting the archive libforensic1394 can be built by issuing the following commands: $ mkdir build $ cd build $ cmake -G"Unix Makefiles" ../ $ make (Alternatively it is also possible to use CMake to generate build files for other development environments such as XCode and Eclipse/CDT. Please consult the CMake documentation for further information.) Installing directly Once built libforensic1394 can be installed by executing: $ sudo make install Users on operating systems which use `su` as opposed to `sudo` should issue the above command as root. On some GNU/Linux systems it may be necessary to execute `ldconfig` afterwards to regenerate the shared library cache. Installing through a package manager An alternative to installing libforensic1394 directly is to use a binary package produced by CPack, which is a component of CMake. Supported package formats include .tae.gz, .deb and .rpm. Using one of these packages in combination with a package manager is the recommended way to install libforensic1394. Building a package is as simple issuing: $ make package After building the project. This will produce the binary packages relevant to the system (.tar.gz on all systems, .deb if `dpkg` is available and .rpm if `rpmbuild` is available). The appropriate package can then be installed using the systems package manager. Python Bindings Python language bindings are provided in the python/ directory and are compatible with all versions of Python since 2.5 (including Python 3). The bindings themselves are written entirely in Python and interface with libforensic1394 using the ctypes package. The bindings can be installed, either locally or system wide, using the `setup.py` file in the python/ directory. As the setup script is merely a frontend to the Python Distributions Utilities (`distutils`) module it is worth consulting its documentation for further information. Known Bugs & Limitations A list of known bugs & limitations can be found in the BUGS file. Special Thanks I am greatly indebted to Stefan Richter for the assistance he has provided to me (and others!) on the Linux 1394 user list.
FreddieWitherden/libforensic1394
A library for performing memory forensics over the IEEE 1394 interface.
CLGPL-3.0