REM ****************************************************************************
REM Project: GUYMAGER
REM ****************************************************************************
REM Programmer: Guy Voncken
REM Police Grand-Ducale
REM Service de Police Judiciaire
REM Section Nouvelles Technologies
REM ****************************************************************************
REM Main configuration file
REM ****************************************************************************
REM ATTENTION
REM ---------
REM Do not edit this file; put all your changes into /etc/guymager/local.cfg instead!
REM See the notes at the end of this file.
SECTION GUYMAGER
REM How this configuration file works
REM ---------------------------------
REM guymager user interface
REM -----------------------
REM
REM The parameter Language contains the language code (for example 'de', 'fr', 'en'). If Guymager doesn't
REM find the corresponding language file it switches to English instead. Contact the author of Guymager if
REM your language is missing. The language files are named guymager_xx.qm, where xx is the language code.
REM If you installed a Debian package, they can be found in directory /usr/share/guymager.
REM
REM The StartupXxx parameters configure the position and size of the main guymager window at startup.
REM StartupSize can be set to one of the following:
REM STANDARD Let the X-Window manager choose what it thinks is best
REM MAXIMISED or MAXIMIZED Maximum size
REM FULLSCREEN Maximum size and take away the title bar
REM MANUAL Use the values specified for StartupSizeManualX, StartupSizeManualY,
REM StartupSizeManualDx and StartupSizeManualDy.
REM The final result always slightly depends on the X-Window manager in use. For instance, there might be
REM window managers that can't distinguish MAXIMISED and FULLSCREEN.
REM
REM The dialog that appears when choosing the image destination path can be adjusted in a similar way by
REM means of the parameters FileDialogSize, FileDialogSizeManualDx, FileDialogSizeManualDy. Unfortunately, this
REM only works when using the alternative file dialog, not the Qt file dialog (see UseFileDialogFromQt
REM below).
REM
REM NumberStyle influences the way numbers are displayed in guymager. There are 3 possible values:
REM Locale Use the value of the system LOCALE to determine the format (set the LANG environment
REM correctly).
REM DecimalComma The format would look like 78.234,56 (normal format)
REM DecimalPoint The format would look like 78,234.56 (unusual American format)
REM Remark: Using Locale, more differences are possible. Thus, with the environment variable LANG set to
REM fr_FR, the number would be displayed as 78 234,56 (space as thousands separator). Setting NumberStyle
REM to something other than Locale is not recommended (you may use it if you are too lazy to set up your
REM LANG variable correctly).
REM
REM ScreenRefreshInterval [ms] Some screen fields (speed, remaining time, ...) are refreshed regularly.
REM ScreenRefreshInterval specifies how often this should occur.
REM
REM UseFileDialogFromQt When set to Yes, guymager uses the standard Qt file/directory selection dialogs.
REM There once was a Qt version with a bug in its dialog and an alternative dialog
REM was quickly added to guymager. The bug should have gone by now and this
REM configuration parameter should be set to Yes (the Qt dialogs are better than
REM the alternative programmed by the author of guymager).
REM Adjusting the dialog size (see configuration parameters FileDialogSize,
REM FileDialogSizeManualDx and FileDialogSizeManualDy) only works with the
REM alternative dialog.
Language='auto'
StartupSize = MANUAL
StartupSizeManualX = 130
StartupSizeManualY = 250
StartupSizeManualDx = 1000
StartupSizeManualDy = 500
FileDialogSize = MANUAL
FileDialogSizeManualDx = 800
FileDialogSizeManualDy = 500
NumberStyle=Locale
ScreenRefreshInterval = 1500
UseFileDialogFromQt = Yes
REM Table Fonts
REM Not in use yet. Will be used later on for adjusting the fonts used by guymager.
TABLE Fonts <TableName>
REM Object Family Size Weight Italic
REM ------------------------------------------------------------------------------------------
Menu 'Arial' 10 75 no
DialogDefault 'Arial' 10 75 no
ENDTABLE
REM Table Colors
REM The table contains color settings for different items on the screen:
REM LocalDevices Color to be used for marking local devices (i.e. devices with serial numbers found in
REM configuration table LocalDevices, see below) in the user interface. The whole row gets
REM this color.
REM All other entries refer to the colored dot of the acquisition state field for reflecting the current state:
REM StateIdle Nothing has been done with this device yet.
REM StateAcquire Acquisition running
REM StateAcquirePaused Acquisition interrupted (device cannot be accessed any longer)
REM StateVerify Verification running
REM StateVerifyPaused Verification interrupted (device cannot be accessed any longer)
REM StateCleanup Acquisition has been aborted by user and Guymager is removing partial files
REM StateFinished Finished successfully
REM StateFinishedBadVerify Finished, but the MD5 check while re-reading the source after acquisition failed.
REM This state can only occur if MD5 verification was switched on in the acquisition dialog.
REM StateAbortedUser Acquisition or verification aborted by user. Not an error, as it is the user's wish.
REM StateAbortedOther Acquisition or verification aborted for some other reason (for instance, if writing to
REM the destination fails). This is an error.
TABLE Colors None
REM Color R G B
REM -----------------------------------
LocalDevices 255 197 189
StateIdle 255 255 255
StateAcquire 78 132 255
StateAcquirePaused 255 174 0
StateVerify 78 132 255
StateVerifyPaused 255 174 0
StateCleanup 228 0 255
StateFinished 54 255 0
StateFinishedBadVerify 255 30 0
StateAbortedUser 255 255 255
StateAbortedOther 255 30 0
ENDTABLE
REM Image creation
REM --------------
REM
REM EwfFormat The EWF format (alias E01 format) differs depending on which software created
REM it. With this parameter, you can control which style guymager should follow.
REM Possible values are: Encase1, Encase2, Encase3, Encase4, Encase5, Encase6, Smart,
REM FTK, Linen5, Linen6 and LVF. See libewf for more information.
REM
REM EwfCompression The compression level for EWF images. Possible values are: None, Fast, Best.
REM See ewflib for more information.
REM
REM AffCompression The compression level for AFF images. Valid range: 1 - 9. A value of 1 results in a
REM fast, minimal compression and 9 in a slow, high compression.
REM See aff documentation for more information.
REM
REM AffMarkBadSectors Aff supports a possibility for marking bad sectors. If this parameter is enabled and
REM a bad sector is encountered, then the bad sector is written with a special content to
REM the image ("BAD SECTOR\0" followed by 501 random bytes). If this parameter is disabled,
REM then bad sectors are replaced by 512 zero bytes.
REM This parameter only influences images in AFF format.
REM
REM EwfSegmentSize The max. size of the segments in MB. 640MB is a good choice, as the segments
REM fit well on CDs as well as on DVDs. See ewflib for more information. The maximum
REM value is 2047.
REM
REM SpecialFilenameChars By default, guymager only allows the characters a-z, A-Z, 0-9 and _ to appear
REM in the image filenames. If you want to allow special chars and you are sure
REM that your destination file system can handle them, you might add them to
REM the parameter SpecialFilenameChars. Example: SpecialFilenameChars = '.- '
REM would allow you to use the characters . and - as well as spaces.
EwfFormat = Encase5
EwfCompression = FAST
AffCompression = 1
AffMarkBadSectors = TRUE
EwfSegmentSize = 640
SpecialFilenameChars = ''
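REM Added example (Python, not Guymager's own code): a whitelist check for image filenames as described
REM under SpecialFilenameChars, plus the two bad-sector replacements described under AffMarkBadSectors
REM together with a scan that locates marked sectors. The image content is constructed sample data, and
REM the scan assumes a plain stream of 512-byte sectors (the decoded payload, not the AFF container).

```python
import os
import string

BASE_ALLOWED = set(string.ascii_letters + string.digits + "_")
SECTOR_SIZE = 512
BAD_SECTOR_TAG = b"BAD SECTOR\0"   # 11 bytes; Guymager follows it with 501 random bytes


def filename_allowed(name, special_chars=""):
    """Check an image filename against the default set a-z, A-Z, 0-9 and _,
    extended by the characters listed in SpecialFilenameChars (whitelist only)."""
    allowed = BASE_ALLOWED | set(special_chars)
    return bool(name) and all(c in allowed for c in name)


def bad_sector_fill(mark_bad_sectors):
    """Data written to the image in place of an unreadable sector, per AffMarkBadSectors."""
    if mark_bad_sectors:
        return BAD_SECTOR_TAG + os.urandom(SECTOR_SIZE - len(BAD_SECTOR_TAG))
    return bytes(SECTOR_SIZE)          # 512 zero bytes when marking is disabled


def find_marked_sectors(data):
    """Sector numbers whose content starts with the bad-sector tag.
    Assumption: `data` is the decoded 512-byte sector stream of the image."""
    hits = []
    for n in range(len(data) // SECTOR_SIZE):
        if data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE].startswith(BAD_SECTOR_TAG):
            hits.append(n)
    return hits


def build_sample_image(bad_sectors, mark_bad_sectors, nsectors=8):
    """Constructed sector stream in which the listed sectors are replaced as Guymager would."""
    out = bytearray()
    for n in range(nsectors):
        if n in bad_sectors:
            out += bad_sector_fill(mark_bad_sectors)
        else:
            out += bytes([n + 1]) * SECTOR_SIZE   # constructed readable content
    return bytes(out)


if __name__ == "__main__":
    print(filename_allowed("case42_disk1"), filename_allowed("case 42.disk1"))
    print(filename_allowed("case 42.disk1", special_chars=".- "))
    image = build_sample_image({2, 5}, mark_bad_sectors=True)
    print("marked sectors:", find_marked_sectors(image))
```

REM Because the check is a whitelist, a path separator can only appear in a filename if you add '/' to
REM SpecialFilenameChars yourself. With AffMarkBadSectors disabled, a bad sector cannot be told apart
REM from a sector that genuinely contains zeros, which is what the marker is for; a readable sector that
REM happens to begin with the tag would also be reported, so the scan gives a hint, not proof.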
REM Acquisition dialog
REM ------------------
REM DefaultFormat This parameter decides which forensic format should be chosen by default for the
REM first acquisition after starting Guymager. For subsequent acquisitions, the format
REM of the previous acquisition will be selected by default.
REM Possible values are DD, AFF and EWF.
DefaultFormat = EWF
REM The parameters below all refer to the acquisition dialog entry fields. Let us explain the different
REM fields first. There are 5 fields defined by the EWF file format, their names are self-explanatory:
REM EwfCaseNumber
REM EwfEvidenceNumber
REM EwfExaminer
REM EwfDescription
REM EwfNotes
REM Guymager uses these fields when choosing the EWF or the AFF format. When choosing the dd format, they
REM are of no use and deactivated.
REM
REM There are 4 other important entry fields in the acquisition dialog:
REM DestImageDirectory The directory that will be used for storing the image files
REM DestInfoDirectory The directory that will be used for storing the info file
REM DestImageFilename The filename of the image files (without the extension)
REM DestInfoFilename The filename of the info file (without the extension)
REM
REM For each one of these fields, there is an entry in configuration table DlgAcquireField. It has the
REM following structure:
REM FieldName The name of the field, as indicated above
REM
REM EntryMode Determines the behaviour of each field; the following entry modes are available:
REM Hide The corresponding field is not shown in the acquisition dialog.
REM Nevertheless, it exists and it is always set to its default value
REM (see below). This mode is useful if a certain EWF field should always
REM be filled in with the same standard value.
REM
REM ShowDefault The field is visible in the acquisition dialog and it is automatically
REM filled in with the default value.
REM
REM ShowLast The field is shown in the acquisition dialog. When the acquisition
REM dialog is opened for the first time after guymager startup, the field
REM is filled in with the default value. On subsequent acquisition dialog
REM appearances, the field contains the value entered previously (which
REM may still be the default value, if it was not edited).
REM
REM DefaultValue The default value for the field. It may contain any text you like. Guymager knows
REM several special sequences that will be replaced automatically:
REM %d% the day as number without a leading zero (1 to 31)
REM %dd% the day as number with a leading zero (01 to 31)
REM %ddd% the abbreviated localized day name (e.g. 'Mon' to 'Sun')
REM %dddd% the long localized day name (e.g. 'Monday' to 'Sunday')
REM %M% the month as number without a leading zero (1-12)
REM %MM% the month as number with a leading zero (01-12)
REM %MMM% the abbreviated localized month name (e.g. 'Jan' to 'Dec')
REM %MMMM% the long localized month name (e.g. 'January' to 'December')
REM %yy% the year as two digit number (00-99)
REM %yyyy% the year as four digit number
REM
REM %h% the hour without a leading zero (0 to 23 or 1 to 12 if AM/PM display)
REM %hh% the hour with a leading zero (00 to 23 or 01 to 12 if AM/PM display)
REM %m% the minute without a leading zero (0 to 59)
REM %mm% the minute with a leading zero (00 to 59)
REM %s% the second without a leading zero (0 to 59)
REM %ss% the second with a leading zero (00 to 59)
REM %z% the milliseconds without leading zeroes (0 to 999)
REM %zzz% the milliseconds with leading zeroes (000 to 999)
REM %AP% use AM/PM display. %AP% will be replaced by either "AM" or "PM".
REM %ap% use am/pm display. %ap% will be replaced by either "am" or "pm".
REM
REM %serial% the serial number of the device
REM %model% the model name of the device
REM %size% the device's size in human readable format (e.g. '247G', '32M')
REM %version% guymager software version
REM Remark: The date/time sequences have been copied from Trolltech's Qt documentation.
REM
REM Note that all 8 fields must be contained exactly once in the configuration table DlgAcquireField.
REM *** EXAMPLE A ***
REM TABLE DlgAcquireField NoName
REM REM Field Entry Default
REM REM name mode value
REM REM -------------------------------------------------------------------------
REM ...
REM 'EwfNotes' Hide 'Acquisition done by guymager %version%'
REM ...
REM ENDTABLE
REM The field EwfNotes would not be shown in the acquisition dialog. As it has a default value, it would always
REM be initialised with that string. The special sequence %version% would be replaced and the string written to
REM the EWF image files would be something like 'Acquisition done by guymager 0.3.1'
REM
REM *** EXAMPLE B ***
REM TABLE DlgAcquireField NoName
REM REM Field Entry Default
REM REM name mode value
REM REM -------------------------------------------------------------------------
REM ...
REM 'EwfExaminer' ShowDefault 'Marc Murrsky acquired it on %d%. %MMMM% %yyyy%'
REM ...
REM ENDTABLE
REM With this setting, the acquisition dialog would open up with the examiner field preset to
REM something similar to 'Marc Murrsky acquired it on 5. December 2007'
TABLE DlgAcquireField NoName
REM Field Entry Default
REM name mode value
REM -------------------------------------------------------------------------
'EwfCaseNumber' ShowLast ''
'EwfEvidenceNumber' ShowDefault ''
'EwfExaminer' ShowLast ''
'EwfDescription' ShowDefault ''
'EwfNotes' ShowDefault '%serial%'
'DestImageDirectory' ShowLast ''
'DestInfoDirectory' Hide ''
'DestImageFilename' ShowDefault ''
'DestInfoFilename' ShowDefault ''
ENDTABLE
REM There is another configuration table, DlgAcquireRule, which allows copying the contents of some
REM fields automatically to others while typing. The entries in this table are processed one after the
REM other every time you hit a key in any of the 8 fields.
REM
REM TriggerFieldName The trigger field is the field where the action happens (i.e. which has the focus
REM while you are typing). If the trigger field name doesn't match, the line
REM is ignored. If it matches, we have a trigger and Guymager does what the rest
REM of the line says.
REM
REM DestinationFieldName On trigger, this field will be filled in with the value indicated in column
REM Value.
REM
REM Value The string to be written to the field DestinationFieldName if there's a trigger.
REM The value may contain the same special sequences as the ones described
REM above. Additionally, there are special sequences for referring to other fields.
REM These are constructed by putting the field name between two percent signs (for
REM example '%EwfNotes%')
REM
REM *** Example A ***
REM The info filename should always be the same as the image filename, i.e. when typing in the field
REM for the image filename, the contents should automatically be copied to the field for the info
REM filename:
REM TABLE DlgAcquireRule NoName
REM REM Trigger Destination Value
REM REM field name field name
REM REM ----------------------------------------------------------------------
REM 'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
REM ENDTABLE
REM Read the entry like this: Every time a key in DestImageFilename is hit, refresh DestInfoFilename with the
REM value %DestImageFilename%, which would be interpreted as a special sequence and corresponds to the
REM contents of DestImageFilename.
REM It would still be possible to edit the info filename separately and thus end up with different image
REM and info filenames.
REM
REM *** Example B ***
REM Like example A, but do the same when editing the info filename; when typing in it, the image filename
REM should be changed to the new name typed for the info file:
REM TABLE DlgAcquireRule NoName
REM REM Trigger Destination Value
REM REM field name field name
REM REM ---------------------------------------------------------------------
REM 'DestInfoFilename' 'DestImageFilename' '%DestInfoFilename%'
REM ENDTABLE
REM
REM *** Example C ***
REM Set the info field to the examiner name, the case name plus the date:
REM TABLE DlgAcquireRule NoName
REM REM Trigger Destination Value
REM REM field name field name
REM REM ----------------------------------------------------------------------------------------------
REM 'EwfExaminer' 'EwfNotes' 'Acquired by %EwfExaminer% for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
REM 'EwfCaseNumber' 'EwfNotes' 'Acquired by %EwfExaminer% for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
REM ENDTABLE
REM Note that we have to enter the same value twice here, as we have 2 triggers.
TABLE DlgAcquireRule NoName
REM Trigger Destination Value
REM field name field name
REM ----------------------------------------------------------------------
'DestImageDirectory' 'DestInfoDirectory' '%DestImageDirectory%'
'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
ENDTABLE
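REM Added example (Python, not Guymager's own code): a re-implementation of the substitution rules
REM described above for the special sequences of DefaultValue and for the %FieldName% references of
REM DlgAcquireRule Value strings, together with the processing of the rule table after a keystroke in a
REM trigger field. Assumptions: day and month names are fixed English strings instead of Qt's localized
REM ones, %size% is rounded to binary units, and the device, timestamp and typed field contents are
REM constructed sample data.

```python
import re
from datetime import datetime

# Fixed English names so the output does not depend on the system locale
# (assumption: Guymager itself takes the localized names from Qt).
DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MONTH_NAMES = ["January", "February", "March", "April", "May", "June", "July",
               "August", "September", "October", "November", "December"]

# Constructed sample device (size in bytes) and timestamp; not real evidence data.
DEVICE = {"serial": "S042J10XC57542", "model": "Sample disk", "size": 250059350016}
SAMPLE_TIME = datetime(2007, 12, 5, 14, 7, 9)

# Default DlgAcquireRule table of this file: (trigger field, destination field, value).
DEFAULT_RULES = [
    ("DestImageDirectory", "DestInfoDirectory", "%DestImageDirectory%"),
    ("DestImageFilename", "DestInfoFilename", "%DestImageFilename%"),
]


def human_size(nbytes):
    """Render a byte count the way %size% is described ('247G', '32M'); binary units assumed."""
    units = ["", "K", "M", "G", "T"]
    value, idx = float(nbytes), 0
    while value >= 1024 and idx < len(units) - 1:
        value /= 1024
        idx += 1
    return f"{value:.0f}{units[idx]}"


def expand(template, now, device, fields=None, version="0.3.1"):
    """Replace the %...% sequences of a DefaultValue or DlgAcquireRule Value string."""
    fields = fields or {}
    ampm = "%AP%" in template or "%ap%" in template
    hour = (now.hour % 12 or 12) if ampm else now.hour
    ms = now.microsecond // 1000
    seq = {
        "d": str(now.day), "dd": f"{now.day:02d}",
        "ddd": DAY_NAMES[now.weekday()][:3], "dddd": DAY_NAMES[now.weekday()],
        "M": str(now.month), "MM": f"{now.month:02d}",
        "MMM": MONTH_NAMES[now.month - 1][:3], "MMMM": MONTH_NAMES[now.month - 1],
        "yy": f"{now.year % 100:02d}", "yyyy": f"{now.year:04d}",
        "h": str(hour), "hh": f"{hour:02d}",
        "m": str(now.minute), "mm": f"{now.minute:02d}",
        "s": str(now.second), "ss": f"{now.second:02d}",
        "z": str(ms), "zzz": f"{ms:03d}",
        "AP": "AM" if now.hour < 12 else "PM", "ap": "am" if now.hour < 12 else "pm",
        "serial": device["serial"], "model": device["model"],
        "size": human_size(device["size"]), "version": version,
    }
    # Field references such as %EwfCaseNumber% resolve to the current dialog contents.
    seq.update(fields)

    def replace(match):
        # Unknown sequences are left in place rather than silently dropped.
        return seq.get(match.group(1), match.group(0))

    return re.sub(r"%([A-Za-z]+)%", replace, template)


def apply_rules(rules, fields, trigger, now, device):
    """Process the DlgAcquireRule rows after a keystroke in `trigger`; returns a new field dict."""
    updated = dict(fields)
    for trig, dest, value in rules:
        if trig == trigger:
            updated[dest] = expand(value, now, device, updated)
    return updated


if __name__ == "__main__":
    print(expand("Marc Murrsky acquired it on %d%. %MMMM% %yyyy%", SAMPLE_TIME, DEVICE))
    typed = {"DestImageDirectory": "/media/evidence", "DestImageFilename": "case42_disk1"}
    print(apply_rules(DEFAULT_RULES, typed, "DestImageFilename", SAMPLE_TIME, DEVICE))
```

REM Unknown sequences are left untouched on purpose: a reference with a missing closing percent sign
REM then stays visible in the resulting note instead of disappearing silently from the image metadata.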
REM guymager internals
REM ==================
REM
REM Device list scanning
REM --------------------
REM Guymager knows 2 methods for getting the list of the available storage devices: the old one, that uses libparted,
REM and the new one that uses DBUS/HAL. Select the method you want with the configuration parameter ScanUsingDbusHal:
REM
REM ScanUsingDbusHal = 1 Use the new method (recommended).
REM
REM ScanUsingDbusHal = 0 Use the old method. It was observed that the internal scan function hung while an acquisition
REM was running. This leads to the problem that the devices shown in guymager possibly cannot be
REM updated while an acquisition is running. When using this method, the command specified in
REM configuration parameter CommandGetSerialNumber (see below) is used for finding the serial
REM number of each device (not really elegant). Again, ScanUsingDbusHal = 1 is the recommended way.
REM
REM CommandGetSerialNumber is used to extract the serial number from a device when setting ScanUsingDbusHal to 0 (not
REM recommended). The placeholder %dev in the command string will be replaced by the device
REM (/dev/hda or /dev/sdc for instance). Examples:
REM CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
REM CommandGetSerialNumber = 'bash -c "hdparm -I %dev | grep -i ''Serial Number'' | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
REM
REM ScanInterval [s] Specifies how often an automatic device scan (for detecting newly connected devices)
REM should be launched. Keep in mind that the device scan can be launched manually as well.
REM
ScanUsingDbusHal = 1
CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
ScanInterval = 6000
REM Other settings
REM --------------
REM Block sizes: Guymager works internally with threads for doing the different jobs (read, hash calculation, compression,
REM write) and forwards the data in blocks through fifos from one thread to another. The block size may be adjusted individually
REM for the different forensic formats. There's only one exception: When using EWF with multi-threaded compression the block size
REM is 32768 bytes (32KB).
REM It is recommended to use a multiple of kilobytes or megabytes for the block sizes, because the block size corresponds to the size
REM of the data read at once from the source drive and most drives' caches perform best with such "round" numbers. So, if you want to work
REM with a block size of 10 kilobytes, specify 10240 (instead of 10000).
REM
REM FifoBlockSizeDD The block size for dd images (in bytes). Recommended value: 262144 (256K).
REM
REM FifoBlockSizeEWF The block size for EWF images (in bytes). Recommended value: 32768 (32K).
REM
REM FifoBlockSizeAFF The block size for AFF images (in bytes). Recommended value: 10485760 (10MB).
REM
REM
REM FifoMaxMem and FifoMaxEntries Both parameters control the amount of memory used for the internal fifo queues, in different
REM ways. FifoMaxMem sets an upper limit per acquisition in MB. FifoMaxEntries indicates how many data
REM blocks may be waiting in a queue; this number, multiplied by the block size and the number of queues
REM leads to a memory size. Guymager finally uses the smallest of both memory sizes.
REM The fifo memory should be big enough to buffer temporary throughput variations of the different threads.
REM Too large fifos only consume memory and are of no help.
REM Be aware that using wrong parameters may lead to memory overflows and stopping Guymager in the middle
REM of an acquisition.
REM It is recommended to set both values to 0 for automatic memory usage calculation.
REM
REM UseSeparatehashThread The hash calculation can be done in a separate thread or in the read thread (i.e. the thread reading
REM the data from the source). Using a separate thread led to a slight performance advantage on the
REM developer's machine.
REM
REM CompressionThreads The number of threads for parallel compression. The recommended value is the number of processors.
REM This parameter has a significant performance influence when working with compressed file format
REM (EWF format). It has no impact on other formats (dd).
REM Setting it to AUTO uses the number of CPUs installed in the system (recommended).
REM Set to 0 to disable multi-threaded compression and build the EWF file the conventional way.
REM
FifoBlockSizeDD = 262144
FifoBlockSizeEWF = 32768
FifoBlockSizeAFF = 10485760
FifoMaxMem = 0
FifoMaxEntries = 0
UseSeparatehashThread = Yes
CompressionThreads = AUTO
REM Debug settings
REM --------------
REM SignalHandling For debug purpose only. Switch off SignalHandling only when working with debuggers (gdb).
REM Recommended value: Enabled.
REM
REM WriteToDevNull For debug purpose only. Writes image to /dev/null instead of the indicated file. This switch can
REM be used for performance tests. Only used when creating dd images.
REM
REM UseMemWatch For debug purpose only. Uses the memwatch malloc/free functions for finding dynamic memory problems.
REM Creates a file named memwatch.log when enabled in the directory where guymager is started. MemWatch
REM may slow down guymager significantly.
REM
REM VerboseLibewf For debug purpose only. Have libewf output internal messages to stderr.
REM
REM CheckEwfData For debug purpose only. When using the EWF format and working with separate compression thread(s),
REM Guymager does a special check on the data if this parameter is set. The check is done just before
REM passing the data to the EWF library function that writes it to the image. It checks if the data can
REM be uncompressed correctly, if the lengths match and if the CRC is ok.
SignalHandling = Enabled
WriteToDevNull = false
UseMemWatch = false
VerboseLibewf = false
CheckEwfData = false
REM Device info commands
REM --------------------
REM In order to get a complete set of information for each acquired drive, guymager executes several standard Linux
REM commands. These commands are contained in the list named DeviceInfoCommands, see below. They are executed when
REM - selecting the "Info" menu point for a device (results are shown in a dialog window)
REM - starting an acquisition (results are written to the .info file)
REM They are executed in the order they appear. The string %dev will be replaced by the corresponding device path
REM (i.e. /dev/hdb for instance). Examples for interesting commands:
REM 'bash -c "smartctl -s on %dev ; smartctl -a %dev"' -- for switching SMART interface on and showing SMART info
REM 'bash -c "hdparm -I %dev"' -- for showing other identification info
TABLE DeviceInfoCommands NoName
REM Command
REM -------------------------------------------
'bash -c "search="`basename %dev`: H..t P.......d A..a de.....d" && dmesg | grep -A3 "$search" || echo "No kernel HPA messages for %dev""'
'bash -c "smartctl -s on %dev ; smartctl -a %dev"'
'bash -c "hdparm -I %dev"'
REM 'bash -c disk_stat %dev'
ENDTABLE
REM Table LocalDevices
REM The local devices may be entered here. Guymager will not allow acquiring these devices. The table allows for
REM entering the Linux device path as well as the serial number. Examples:
REM '/dev/hda'
REM 'S042J10XC57542'
TABLE LocalDevices NoName
REM Device
REM -------------------------------------------
ENDTABLE
REM At the end of this configuration file, we include a local configuration file. All entries in the local
REM configuration file will override the ones above.
REM If ever you want to change the settings above, don't do it directly here, as all your changes would be
REM gone when installing a new version of guymager.
REM Edit /etc/guymager/local.cfg instead.
INCLUDE_OPTIONAL /etc/guymager/local.cfg
INCLUDE_OPTIONAL ./local.cfg
ENDSECTION
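REM Added example (Python), not Guymager's own parser: a reader for the configuration format used in
REM this file, written from how the file reads (REM comments, SECTION/ENDSECTION, key = value lines,
REM TABLE ... ENDTABLE blocks, INCLUDE_OPTIONAL, single-quoted strings with '' for a literal quote) and
REM with the override semantics described above: an included file that exists replaces earlier values,
REM and the parser records which file set each parameter or table, so that overrides arriving via
REM ./local.cfg in the current directory can be reviewed. The two files are constructed samples held in
REM a dictionary; nothing is read from disk.

```python
# Constructed stand-in for the filesystem (file name -> contents).
FILES = {
    "/etc/guymager/guymager.cfg": """\
SECTION GUYMAGER
EwfFormat = Encase5
EwfCompression = FAST
CommandGetSerialNumber = 'bash -c "smartctl -i %dev | awk ''{print $3}'' "'
TABLE DeviceInfoCommands NoName
REM Command
'bash -c "hdparm -I %dev"'
ENDTABLE
INCLUDE_OPTIONAL /etc/guymager/local.cfg
INCLUDE_OPTIONAL ./local.cfg
ENDSECTION
""",
    "./local.cfg": """\
EwfCompression = BEST
TABLE DeviceInfoCommands NoName
'bash -c "smartctl -a %dev"'
ENDTABLE
""",
}


def tokenize(line):
    """Whitespace-separated tokens; '=' stands alone; single-quoted strings may
    contain spaces and use '' for a literal quote."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == "'":
            i, buf = i + 1, []
            while i < n:
                if line[i] == "'":
                    if i + 1 < n and line[i + 1] == "'":   # '' inside quotes is one quote
                        buf.append("'")
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(line[i])
                i += 1
            tokens.append("".join(buf))
        elif line[i] == "=":
            tokens.append("=")
            i += 1
        else:
            j = i
            while j < n and not line[j].isspace() and line[j] not in "='":
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def is_comment(line):
    stripped = line.strip()
    return not stripped or stripped.split()[0].upper() == "REM"


def parse_into(state, name, files, depth=0):
    """Parse one file into `state`; later assignments override earlier ones and
    `origin` records which file set each entry. Recurses into existing includes."""
    if depth > 8:
        raise ValueError("include nesting too deep")
    lines, i = files[name].splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if is_comment(line):
            continue
        tokens = tokenize(line)
        head = tokens[0].upper()
        if head in ("SECTION", "ENDSECTION"):
            continue
        if head == "INCLUDE_OPTIONAL":
            if tokens[1] in files:            # a missing optional file is simply skipped
                parse_into(state, tokens[1], files, depth + 1)
            continue
        if head == "TABLE":
            rows = []
            while i < len(lines) and lines[i].strip().upper() != "ENDTABLE":
                if not is_comment(lines[i]):
                    rows.append(tokenize(lines[i]))
                i += 1
            i += 1                            # skip the ENDTABLE line
            state["tables"][tokens[1]], state["origin"][tokens[1]] = rows, name
            continue
        if len(tokens) >= 3 and tokens[1] == "=":
            state["params"][tokens[0]], state["origin"][tokens[0]] = " ".join(tokens[2:]), name
            continue
        raise ValueError(f"{name}: cannot parse line {line!r}")
    return state


def load_config(main_file, files=FILES):
    return parse_into({"params": {}, "tables": {}, "origin": {}}, main_file, files)


def overridden_by_includes(state, main_file):
    """Entries whose final value came from an included file; worth reviewing before trusting
    settings such as DeviceInfoCommands, whose rows are executed as shell commands."""
    return sorted(key for key, origin in state["origin"].items() if origin != main_file)


if __name__ == "__main__":
    cfg = load_config("/etc/guymager/guymager.cfg")
    print(cfg["params"], cfg["tables"]["DeviceInfoCommands"])
    print("set by includes:", overridden_by_includes(cfg, "/etc/guymager/guymager.cfg"))
```

REM In the sample, ./local.cfg replaces both EwfCompression and the whole DeviceInfoCommands table, and
REM the origin map reports exactly those two names; a parse error on an unrecognised line is raised
REM rather than ignored, so a damaged local file does not silently fall back to the main settings.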