REM ****************************************************************************
REM Project: GUYMAGER
REM ****************************************************************************
REM Programmer: Guy Voncken
REM Police Grand-Ducale
REM Service de Police Judiciaire
REM Section Nouvelles Technologies
REM ****************************************************************************
REM Main configuration file
REM ****************************************************************************
REM ATTENTION
REM ---------
REM Do not edit this file; put all your changes into /etc/guymager/local.cfg instead!
REM See the notes at the end of this file.
SECTION GUYMAGER
REM How this configuration file works
REM ---------------------------------
REM guymager user interface
REM -----------------------
REM
REM The parameter Language contains the language code (for example 'de', 'fr', 'en'). If Guymager doesn't
REM find the corresponding language file it switches to English instead. Contact the author of Guymager if
REM your language is missing. The language files are named guymager_xx.qm, where xx is the language code.
REM If you installed a Debian package, they can be found in directory /usr/share/guymager.
REM
REM The StartupXxx parameters configure the position and size of the main guymager window at startup.
REM StartupSize can be set to one of the following:
REM STANDARD Let the X-Window manager choose what it thinks is best
REM MAXIMISED or MAXIMIZED Maximum size
REM FULLSCREEN Maximum size and take away the title bar
REM MANUAL Use the values specified for StartupSizeManualX, StartupSizeManualY,
REM StartupSizeManualDx and StartupSizeManualDy.
REM The final result always slightly depends on the X-Window manager in use. For instance, there might be
REM window managers that can't distinguish MAXIMISED and FULLSCREEN.
REM
REM The dialog that appears when choosing the image destination path can be adjusted in a similar way by
REM means of the parameters FileDialogSize, FileDialogSizeManualDx, FileDialogSizeManualDy. Unfortunately, this
REM only works when using the alternative file dialog, not the Qt file dialog (see UseFileDialogFromQt
REM below).
REM
REM NumberStyle influences the way numbers are displayed in guymager. There are 3 possible values:
REM Locale Use the value of the system LOCALE to determine the format (set the LANG environment
REM correctly).
REM DecimalComma The format would look like 78.234,56 (normal format)
REM DecimalPoint The format would look like 78,234.56 (unusual American format)
REM Remark: Using Locale, more differences are possible. Thus, with the environment variable LANG set to
REM fr_FR, the number would be displayed as 78 234,56 (space as thousands separator). Setting NumberStyle
REM to something else than Locale is not recommended (you may use it if you are too lazy to set up your
REM LANG variable correctly).
REM
REM ScreenRefreshInterval [ms] Some screen fields (speed, remaining time, ...) are refreshed regularly.
REM ScreenRefreshInterval specifies how often this should occur.
REM
REM UseFileDialogFromQt When set to Yes, guymager uses the standard Qt file/directory selection dialogs.
REM There once was a Qt version with a bug in its dialog and an alternative dialog
REM was quickly added to guymager. The bug should have gone by now and this
REM configuration parameter should be set to Yes (the Qt dialogs are better than
REM the alternative programmed by the author of guymager).
REM Adjusting the dialog size (see configuration parameters FileDialogSize,
REM FileDialogSizeManualDx and FileDialogSizeManualDy) only works with the
REM alternative dialog.
REM
REM AutoExit This parameter controls the default setting of the menu point "Misc/Exit after
REM all acquisitions have completed".
REM
REM AutoExitCountdown = 60 If the autoexit feature becomes active (i.e. the menu flag is set and the acquisition
REM ends), a popup appears with a countdown. AutoExitCountdown sets the start value
REM of the countdown (in seconds).
Language='auto'
StartupSize = MANUAL
StartupSizeManualX = 130
StartupSizeManualY = 250
StartupSizeManualDx = 1000
StartupSizeManualDy = 500
FileDialogSize = MANUAL
FileDialogSizeManualDx = 800
FileDialogSizeManualDy = 500
NumberStyle=Locale
ScreenRefreshInterval = 1500
UseFileDialogFromQt = Yes
AutoExit = Off
AutoExitCountdown = 60
REM Table Fonts
REM Not in use yet. Will be used later on for adjusting the fonts used by guymager.
TABLE Fonts <TableName>
REM Object Family Size Weight Italic
REM ------------------------------------------------------------------------------------------
Menu 'Arial' 10 75 no
DialogDefault 'Arial' 10 75 no
ENDTABLE
REM Table Colors
REM The table contains color settings for different items on the screen:
REM LocalDevices Color to be used for marking local devices (i.e. devices with serial numbers found in
REM configuration table LocalDevices, see below) in the user interface. The whole row gets
REM this color.
REM AdditionalStateX Devices may be marked by this color depending on the values in the additional state info.
REM See description of configuration parameter CommandGetAddStateInfo for more information.
REM
REM All other entries refer to the colored dot of the acquisition state field for reflecting the current state:
REM StateIdle Nothing has been done with this device yet.
REM StateAcquire Acquisition running
REM StateAcquirePaused Acquisition interrupted (device cannot be accessed any longer)
REM StateVerify Verification running
REM StateVerifyPaused Verification interrupted (device cannot be accessed any longer)
REM StateCleanup Acquisition has been aborted by user and Guymager is removing partial files
REM StateFinished Finished successfully
REM StateFinishedBadVerify Finished, but the MD5 check while re-reading the source after acquisition failed.
REM This state can only occur if MD5 verification was switched on in the acquisition dialog.
REM StateAbortedUser Acquisition or verification aborted by user. Not an error, as it is the user's wish.
REM StateAbortedOther Acquisition or verification aborted for some other reason (for instance, if writing to
REM the destination fails). This is an error.
TABLE Colors None
REM Color R G B
REM -----------------------------------
LocalDevices 255 197 189
AdditionalState1 186 255 174
AdditionalState2 255 254 137
AdditionalState3 255 213 66
AdditionalState4 255 126 126
StateIdle 255 255 255
StateAcquire 78 132 255
StateAcquirePaused 255 174 0
StateVerify 78 132 255
StateVerifyPaused 255 174 0
StateCleanup 228 0 255
StateFinished 54 255 0
StateFinishedBadVerify 255 30 0
StateAbortedUser 255 255 255
StateAbortedOther 255 30 0
ENDTABLE
REM Image creation
REM --------------
REM
REM EwfFormat The EWF format (alias E01 format) differs depending on which software created
REM it. With this parameter, you can control which style guymager should follow.
REM Possible values are: Encase1, Encase2, Encase3, Encase4, Encase5, Encase6, Smart,
REM FTK, Linen5, Linen6 and Guymager. See libewf for more information.
REM When choosing "Guymager", the program uses its own EWF generation functions, which
REM require only very little RAM and still are as fast as libewf. With any other setting,
REM the program uses libewf in order to create the EWF images.
REM Select Guymager or Encase6 in order to be able to produce segment files bigger than 2GiB.
REM
REM EwfCompression The compression level for EWF images. Possible values are: None, Fast, Best.
REM See libewf for more information.
REM
REM AffCompression The compression level for AFF images. Valid range: 1 - 9. A value of 1 results in a
REM fast, minimal compression and 9 in a slow, high compression.
REM See aff documentation for more information.
REM
REM AffMarkBadSectors Aff supports a possibility for marking bad sectors. If this parameter is enabled and
REM a bad sector is encountered, then the bad sector is written with a special content to
REM the image ("BAD SECTOR\0" followed by 501 random bytes). If this parameter is disabled,
REM then bad sectors are replaced by 512 zero bytes.
REM This parameter only influences images in AFF format.
REM
REM SpecialFilenameChars By default, guymager only allows the characters a-z, A-Z, 0-9 and _ to figure
REM in the image filenames. If you want to allow special chars and you are sure
REM that your destination file system can handle them, you might add them to
REM the parameter SpecialFilenameChars. Example: SpecialFilenameChars = '.- '
REM would allow you to use the characters . and - as well as spaces.
REM
REM CalcImageFileMD5 Switch the parameter on in order to have Guymager calculate the MD5 hashes of the image
REM file(s). The calculation is done over the whole file(s), not just the contents.
REM NOTE: The MD5 hashes are calculated during image verification and are therefore only
REM computed if the checkbox for image verification is set in the acquisition dialog window.
REM
REM AvoidEncaseProblems Encase produces strange error messages if the EWF internal fields "Imager Version" and
REM "OS Version" contain more than 11 or 23 characters, respectively. Leave this flag off
REM if you don't work with Encase (default setting). Set it to 1 if ever you work with
REM Encase and want to avoid the Encase problems.
EwfFormat = Guymager
EwfCompression = FAST
AffCompression = 1
AffMarkBadSectors = TRUE
SpecialFilenameChars = ''
CalcImageFileMD5 = off
AvoidEncaseProblems = off
REM Acquisition dialog
REM ------------------
REM DefaultFormat This parameter decides which forensic format should be chosen by default for the
REM first acquisition after starting Guymager. For subsequent acquisitions, the format
REM of the previous acquisition will be selected by default.
REM Possible values are DD, AFF and EWF.
DefaultFormat = EWF
REM The parameters below all refer to the acquisition dialog entry fields. Let us explain the different
REM fields first. There are 2 fields related to image file fragmentation:
REM SplitFileSwitch Decides whether the image file fragmentation is on or off. For EWF images, it
REM is always on and for AFF images always off. For DD images, the user may choose
REM himself.
REM SplitFileSize The max. size of the fragments (sometimes called segments) in MiB. The maximum
REM value for EWF images is 2047.
REM 2047 is a good choice. For EWF images, the number of files will be reduced to
REM the minimum. For DD images, the fragments stay below the FAT limitation (2GiB).
REM There are 5 fields defined by the EWF file format; their names are self-explanatory:
REM EwfCaseNumber
REM EwfEvidenceNumber
REM EwfExaminer
REM EwfDescription
REM EwfNotes
REM Guymager uses these fields when choosing the EWF or the AFF format. When choosing the dd format, they
REM are of no use and deactivated.
REM
REM There are 4 other important entry fields in the acquisition dialog:
REM DestImageDirectory The directory that will be used for storing the image files
REM DestInfoDirectory The directory that will be used for storing the info file
REM DestImageFilename The filename of the image files (without the extension)
REM DestInfoFilename The filename of the info file (without the extension)
REM
REM Finally, there are some checkboxes in the acquisition dialog that are controlled by the following
REM entry fields:
REM HashCalcMD5 The checkbox for MD5 hash
REM HashCalcSHA256 The checkbox for SHA-256 hash
REM HashVerifySrc The checkbox for the source verification (re-read source and check if it
REM returns the same data as during acquisition)
REM HashVerifyDst The checkbox for the imager verification (read and check the image after
REM the acquisition has been done)
REM
REM For each one of these fields, there is an entry in configuration table DlgAcquireField. It has the
REM following structure:
REM FieldName The name of the field, as indicated above
REM
REM EntryMode Determines the behaviour of each field; the following entry modes are available:
REM Hide The corresponding field is not shown in the acquisition dialog.
REM Nevertheless, it exists and it is always set to its default value
REM (see below). This mode is useful if a certain EWF field always should
REM be filled in with the same standard value.
REM
REM ShowDefault The field is visible in the acquisition dialog and it is automatically
REM filled in with the default value.
REM
REM ShowLast The field is shown in the acquisition dialog. When the acquisition
REM dialog is opened for the first time after guymager startup, the field
REM is filled in with the default value. On subsequent acquisition dialog
REM appearances, the field contains the value entered previously (which
REM may still be the default value, if it was not edited).
REM
REM DefaultValue The default value for the field. It may contain any text you like (for the checkboxes:
REM see below). Guymager knows several special sequences that will be replaced automatically:
REM %d% the day as number without a leading zero (1 to 31)
REM %dd% the day as number with a leading zero (01 to 31)
REM %ddd% the abbreviated localized day name (e.g. 'Mon' to 'Sun')
REM %dddd% the long localized day name (e.g. 'Monday' to 'Sunday')
REM %M% the month as number without a leading zero (1-12)
REM %MM% the month as number with a leading zero (01-12)
REM %MMM% the abbreviated localized month name (e.g. 'Jan' to 'Dec')
REM %MMMM% the long localized month name (e.g. 'January' to 'December')
REM %yy% the year as two digit number (00-99)
REM %yyyy% the year as four digit number
REM
REM %h% the hour without a leading zero (0 to 23 or 1 to 12 if AM/PM display)
REM %hh% the hour with a leading zero (00 to 23 or 01 to 12 if AM/PM display)
REM %m% the minute without a leading zero (0 to 59)
REM %mm% the minute with a leading zero (00 to 59)
REM %s% the second without a leading zero (0 to 59)
REM %ss% the second with a leading zero (00 to 59)
REM %z% the milliseconds without leading zeroes (0 to 999)
REM %zzz% the milliseconds with leading zeroes (000 to 999)
REM %AP% use AM/PM display. %AP% will be replaced by either "AM" or "PM".
REM %ap% use am/pm display. %ap% will be replaced by either "am" or "pm".
REM
REM %serial% the serial number of the device
REM %model% the model name of the device
REM %size% the device's size in human readable format (e.g. '247G', '32M')
REM %version% guymager software version
REM Remark: The date/time sequences have been copied from Trolltech's Qt documentation.
REM
REM Checkboxes: Simply put '1' if you want to have the checkbox enabled or '0' for having it
REM disabled. Attention: Putting other values may lead to unpredictable results.
REM
REM Note that all the 8 fields must be contained exactly once in the configuration table DlgAcquireField.
REM *** EXAMPLE A ***
REM TABLE DlgAcquireField NoName
REM REM Field Entry Default
REM REM name mode value
REM REM -------------------------------------------------------------------------
REM ...
REM 'EwfNotes' Hide 'Acquisition done by guymager %version%'
REM ...
REM ENDTABLE
REM The field EwfNotes would not be shown in the acquisition dialog. As it has a default value, it would always
REM be initialised with that string. The special sequence %version% would be replaced and the string written to
REM the EWF image files would be something like 'Acquisition done by guymager 0.3.1'
REM
REM *** EXAMPLE B ***
REM TABLE DlgAcquireField NoName
REM REM Field Entry Default
REM REM name mode value
REM REM -------------------------------------------------------------------------
REM ...
REM 'EwfExaminer' ShowDefault 'Marc Murrsky acquired it on %d%. %MMMM% %yyyy%'
REM ...
REM ENDTABLE
REM With this setting, the acquisition dialog would open up with the examiner field preset to
REM something similar to 'Marc Murrsky acquired it on 5. December 2007'
TABLE DlgAcquireField NoName
REM Field Entry mode Entry mode Default
REM name image clone value
REM ------------------------------------------------------------------------------------
'SplitFileSwitch' ShowLast Hide '1'
'SplitFileSize' ShowLast Hide '2047'
'SplitFileUnit' ShowLast Hide 'MiB'
'EwfCaseNumber' ShowLast Hide ''
'EwfEvidenceNumber' ShowDefault Hide ''
'EwfExaminer' ShowLast Hide ''
'EwfDescription' ShowDefault Hide ''
'EwfNotes' ShowDefault Hide '%serial%'
'DestImageDirectory' ShowLast Hide ''
'DestInfoDirectory' Hide ShowLast ''
'DestImageFilename' ShowDefault Hide ''
'DestInfoFilename' ShowDefault ShowDefault ''
'HashCalcMD5' ShowLast ShowLast '1'
'HashCalcSHA256' ShowLast ShowLast '0'
'HashVerifySrc' ShowLast ShowLast '0'
'HashVerifyDst' ShowLast ShowLast '1'
ENDTABLE
REM There is another configuration table, DlgAcquireRule, which allows copying the contents of some
REM fields automatically to others while typing. The entries in this table are processed one after the
REM other every time you hit a key in any of the 8 fields.
REM
REM TriggerFieldName The trigger field is the field where the action happens (i.e. which has the focus
REM while you are typing). If the trigger field name doesn't match, the line
REM is ignored. If it matches, we have a trigger and Guymager does what the rest
REM of the line says.
REM
REM DestinationFieldName On trigger, this field will be filled in with the value indicated in column
REM Value.
REM
REM Value The string to be written to the field DestinationFieldName if there's a trigger.
REM The value may contain the same special sequences as the ones described
REM above. Additionally, there are special sequences for referring to other fields.
REM These are constructed by putting the field name between two percent signs (for
REM example '%EwfNotes%')
REM
REM *** Example A ***
REM The info filename should always be the same as the image filename, i.e. when typing in the field
REM for the image filename, the contents should automatically be copied to the field for the info
REM filename:
REM TABLE DlgAcquireRule NoName
REM REM Trigger Destination Value
REM REM field name field name
REM REM ----------------------------------------------------------------------
REM 'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
REM ENDTABLE
REM Read the entry like this: Every time a key in DestImageFilename is hit, refresh DestInfoFilename with the
REM value %DestImageFilename%, which would be interpreted as a special sequence and corresponds to the
REM contents of DestImageFilename.
REM It would still be possible to edit the info filename separately and thus end up with different image
REM and info filenames.
REM
REM *** Example B ***
REM Like example A, but do the same when editing the info filename; when typing in it, the image filename
REM should be changed to the new name typed for the info file:
REM TABLE DlgAcquireRule NoName
REM REM Trigger Destination Value
REM REM field name field name
REM REM ---------------------------------------------------------------------
REM 'DestInfoFilename' 'DestImageFilename' '%DestInfoFilename%'
REM ENDTABLE
REM
REM *** Example C ***
REM Set the info field to the examiner name, the case name plus the date:
REM TABLE DlgAcquireRule NoName
REM REM Trigger Destination Value
REM REM field name field name
REM REM ----------------------------------------------------------------------------------------------
REM 'EwfExaminer' 'EwfNotes' 'Acquired by %EwfExaminer% for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
REM 'EwfCaseNumber' 'EwfNotes' 'Acquired by %EwfExaminer% for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
REM ENDTABLE
REM Note that we have to enter the same value twice here, as we have 2 triggers.
TABLE DlgAcquireRule NoName
REM Trigger Destination Value
REM field name field name
REM ----------------------------------------------------------------------
'DestImageDirectory' 'DestInfoDirectory' '%DestImageDirectory%'
'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
ENDTABLE
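REM Added example (not Guymager's own code): a Python model of the DlgAcquireField defaults and the
REM DlgAcquireRule processing described above, including the %...% special sequences. The table excerpt,
REM the device record and the timestamp inside it are constructed for the demonstration.

```python
"""Added example, not Guymager's own code: models how DlgAcquireField defaults
and DlgAcquireRule entries behave while the acquisition dialog is being edited."""
import re
from datetime import datetime

# Constructed excerpt in guymager.cfg syntax (fields: name, image mode, clone mode,
# default value; rules: trigger field, destination field, value).
CONFIG = """
TABLE DlgAcquireField NoName
'EwfCaseNumber'     ShowLast    Hide        ''
'EwfExaminer'       ShowLast    Hide        ''
'EwfNotes'          ShowDefault Hide        '%serial%'
'DestImageFilename' ShowDefault Hide        ''
'DestInfoFilename'  ShowDefault ShowDefault ''
ENDTABLE
TABLE DlgAcquireRule NoName
'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%'
'EwfExaminer'   'EwfNotes' 'Acquired by %EwfExaminer% for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
'EwfCaseNumber' 'EwfNotes' 'Acquired by %EwfExaminer% for case %EwfCaseNumber% on %d%.%MM%.%yyyy%'
ENDTABLE
"""
# Constructed device record and fixed timestamp, so the results are reproducible.
DEVICE = {"serial": "CONSTRUCTED-SN-0001", "model": "DemoDisk", "size": "466G"}
SAMPLE_NOW = datetime(2007, 12, 5, 14, 3, 9)

# A token is a single-quoted string ('' inside it is an escaped quote) or a bare word.
TOKEN = re.compile(r"'((?:[^']|'')*)'|(\S+)")
# The date/time sequences listed in this file; case matters (M = month, m = minute).
DATE = {
    "d": lambda t: str(t.day),          "dd": lambda t: f"{t.day:02d}",
    "ddd": lambda t: t.strftime("%a"),  "dddd": lambda t: t.strftime("%A"),
    "M": lambda t: str(t.month),        "MM": lambda t: f"{t.month:02d}",
    "MMM": lambda t: t.strftime("%b"),  "MMMM": lambda t: t.strftime("%B"),
    "yy": lambda t: f"{t.year % 100:02d}", "yyyy": lambda t: str(t.year),
    "h": lambda t: str(t.hour),         "hh": lambda t: f"{t.hour:02d}",
    "m": lambda t: str(t.minute),       "mm": lambda t: f"{t.minute:02d}",
    "s": lambda t: str(t.second),       "ss": lambda t: f"{t.second:02d}",
    "z": lambda t: str(t.microsecond // 1000), "zzz": lambda t: f"{t.microsecond // 1000:03d}",
}

def parse_tables(text):
    """Return {table name: [row tokens, ...]} for every TABLE ... ENDTABLE block."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue                      # comments and blank lines are ignored
        if line.upper().startswith("TABLE "):
            current = line.split()[1]
            tables[current] = []
        elif line.upper() == "ENDTABLE":
            current = None
        elif current is not None:
            tables[current].append([
                m.group(1).replace("''", "'") if m.group(1) is not None else m.group(2)
                for m in TOKEN.finditer(line)])
    return tables

def expand(value, fields, device=DEVICE, now=SAMPLE_NOW):
    """Replace %...% sequences: field references, date/time, then device attributes."""
    def sub(m):
        key = m.group(1)
        if key in fields:
            return fields[key]
        if key in DATE:
            return DATE[key](now)
        return device.get(key, m.group(0))  # unknown sequences are left untouched
    return re.sub(r"%([A-Za-z]+)%", sub, value)

class AcquireDialog:
    """Dialog state: defaults expanded when opened, rules replayed on every keystroke."""
    def __init__(self, tables, device=DEVICE, now=SAMPLE_NOW):
        self.device, self.now = device, now
        raw = {row[0]: row[3] for row in tables["DlgAcquireField"]}
        self.fields = {k: expand(v, raw, device, now) for k, v in raw.items()}
        self.rules = tables["DlgAcquireRule"]

    def type_into(self, field, text):
        """The user has typed `text` into `field`: each rule triggered by that field
        fires in table order and overwrites its destination field."""
        if field not in self.fields:
            raise KeyError(f"unknown dialog field {field}")
        self.fields[field] = text
        for trigger, dest, value in self.rules:
            if trigger == field:
                self.fields[dest] = expand(value, self.fields, self.device, self.now)
        return dict(self.fields)

def demo():
    """A session: image filename, examiner and case number are typed in turn."""
    dlg = AcquireDialog(parse_tables(CONFIG))
    dlg.type_into("DestImageFilename", "case42_disk1")
    dlg.type_into("EwfExaminer", "Marc Murrsky")
    return dlg.type_into("EwfCaseNumber", "42")
```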
REM guymager internals
REM ==================
REM
REM Device list scanning
REM --------------------
REM DeviceScanMethod Guymager knows 3 methods for getting the list of the available storage devices: The old one,
REM that uses libparted, the new one that uses DBUS/HAL and the even newer one that uses
REM DeviceKit-Disks. Select your method by setting this parameter to:
REM
REM DBusDevKit or UDisks Use the newest method (recommended for Ubuntu >= 9.04). You need a Linux
REM supporting UDisks for this setting. In older versions, UDisks was named
REM DeviceKit (in Ubuntu 9.04 and 9.10 for instance). From guymager's point
REM of view, UDisks and DeviceKit are both the same.
REM
REM DBusHAL Use the new method (recommended for systems like Ubuntu 8.10).
REM
REM libparted Use the old method. It was observed that the internal scan function hung
REM while an acquisition was running. This leads to the problem that the devices
REM shown in guymager possibly cannot be updated while an acquisition is running.
REM When using this method, the command specified in configuration parameter
REM CommandGetSerialNumber (see below) is used for finding the serial number of
REM each device (not really elegant). Again, DBusHAL is the recommended setting.
REM When choosing an unsupported scan method, Guymager shows the user a dialog asking to fall back
REM to a supported one.
REM
REM CommandGetSerialNumber is used to extract the serial number from a device when setting DeviceScanMethod to libparted (not
REM recommended). The placeholder %dev in the command string will be replaced by the device
REM (/dev/hda or /dev/sdc for instance). Examples:
REM CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
REM CommandGetSerialNumber = 'bash -c "hdparm -I %dev | grep -i ''Serial Number'' | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
REM
REM CommandGetAddStateInfo contains the command to be executed in order to gather additional state information. By default, CommandGetAddStateInfo
REM simply is an empty string and no additional information is read or displayed. If set, the command executed
REM is expected to return its information in three separate lines (separated by \n):
REM 1st line: Information text. This text is displayed in the device specific screen area of Guymager
REM (bottom area of the main window).
REM 2nd line: A value of 0 tells Guymager that the device cannot be acquired. Guymager forbids the
REM acquisition of the device in that case. Any other value enables device acquisition.
REM If this parameter is missing, the device can be acquired.
REM 3rd line: An integer number indicating the color to be used for marking the device. The number
REM refers to the colors named AdditionalStateX in the configuration table Colors (see
REM above), where X corresponds to the color returned by the command. If this parameter
REM is missing, the default color (white) is used.
REM The command may include the two placeholders %dev and %local which will be replaced accordingly. See
REM the description of CommandGetSerialNumber above for the use of %dev. %local will be replaced by 1
REM if the %dev refers to a local device and 0 otherwise.
REM
REM If you plan to use this feature, you may do a first test with the configuration setting
REM CommandGetAddStateInfo='bash -c "/usr/share/guymager/stateinfo.sh %dev"'
REM where the file /usr/share/guymager/stateinfo.sh is executable and contains the lines
REM echo "Moie Welt! - $1"
REM echo "0"
REM echo "2"
REM
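REM Added example (not Guymager's own code): a Python helper producing the three-line CommandGetAddStateInfo
REM answer described above, written from the examiner's side: it refuses acquisition of the local system disk
REM (%local = 1) and of any device that still has a mounted file system, the usual source of accidental writes
REM to evidence media. The install path in the setting below and the /proc/mounts sample are assumptions.
REM CommandGetAddStateInfo = 'python3 /usr/share/guymager/stateinfo.py %dev %local'

```python
"""Added example, not Guymager's own code: emits the three lines Guymager reads
from CommandGetAddStateInfo (info text, acquirable flag, colour index)."""
import re
import sys

# Constructed /proc/mounts content, used by the self-checks instead of the live file.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sdb1 /mnt/evidence ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

# Colour indices refer to AdditionalState1..4 in the Colors table of this file.
COLOR_OK, COLOR_MOUNTED, COLOR_LOCAL = 1, 3, 4


def mounted_partitions(dev, mounts_text):
    """Mount entries whose source is `dev` itself or one of its partitions
    (/dev/sdb1, /dev/nvme0n1p2, ...). Returns a list of (source, mount point)."""
    pat = re.compile(r"^" + re.escape(dev) + r"(p?\d+)?$")
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and pat.match(parts[0]):
            hits.append((parts[0], parts[1]))
    return hits


def state_info(dev, local, mounts_text):
    """Return (text, acquirable, colour): the content of the three output lines."""
    if local:
        return (f"{dev}: local system device, acquisition blocked", 0, COLOR_LOCAL)
    mounted = mounted_partitions(dev, mounts_text)
    if mounted:
        where = ", ".join(f"{src} on {mp}" for src, mp in mounted)
        return (f"{dev}: mounted ({where}); unmount or use a write blocker first",
                0, COLOR_MOUNTED)
    return (f"{dev}: not mounted, ready for acquisition", 1, COLOR_OK)


def render(info):
    """Format the tuple as the three newline-separated lines Guymager expects.
    A newline inside the text would shift the flag and colour lines, so strip it."""
    text, acquirable, colour = info
    text = text.replace("\n", " ")
    return f"{text}\n{acquirable}\n{colour}\n"


def main(argv):
    # Guymager substitutes %dev and %local before running the command.
    dev = argv[1]
    local = len(argv) > 2 and argv[2] == "1"
    with open("/proc/mounts") as fh:
        mounts = fh.read()
    sys.stdout.write(render(state_info(dev, local, mounts)))


if __name__ == "__main__":
    main(sys.argv)
```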
REM ScanInterval Specifies how often an automatic device scan (for detecting newly connected devices)
REM should be launched. Unit: Seconds. Keep in mind that the device scan can also be launched manually.
REM
REM QueryDeviceMediaInfo Guymager has the possibility to gather extended media info about the connected devices. The media info
REM mainly includes HPA/DCO settings. Some non-standard devices do not expect the corresponding ATA
REM commands and may even need to be reset when trying to query media info. In such cases,
REM QueryDeviceMediaInfo may be switched off. By default, it is on.
REM
REM DirectIO Decides whether Guymager reads data in direct IO mode or not. Normally, direct mode should be a little
REM faster, but it was observed that reading from SSDs may be much slower in direct mode. The default
REM setting therefore is "off".
REM Note that direct IO can only be switched on if parameter FifoMemoryManager is also on.
DeviceScanMethod = UDisks
CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "'
CommandGetAddStateInfo = ''
ScanInterval = 6000
QueryDeviceMediaInfo = on
DirectIO = off
REM Other settings
REM --------------
REM Block sizes: Guymager works internally with threads for doing the different jobs (read, hash calculation, compression,
REM write) and forwards the data in blocks through fifos from one thread to another. The block size may be adjusted individually
REM for the different forensic formats. There's only one exception: When using EWF with multi-threaded compression the block size
REM is 32768 bytes (32KB).
REM It is recommended to use a multiple of kilobytes or megabytes for the block sizes, because the block size corresponds to the size
REM of the data read at once from the source drive and most drives' caches perform best with such "round" numbers. So, if you want to work
REM with a block size of 10 kilobytes, specify 10240 (instead of 10000).
REM
REM FifoBlockSizeDD The block size for dd images (in bytes). Recommended value: 262144 (256K).
REM
REM FifoBlockSizeEWF The block size for EWF images (in bytes). Recommended value: 32768 (32K).
REM
REM FifoBlockSizeAFF The block size for AFF images (in bytes). Recommended value: 65536 (64K).
REM
REM FifoMaxMem The amount of memory used for the internal FIFO queues of an acquisition. The value is indicated in
REM Megabytes. If you set it to 0, Guymager uses 1/8 of the available RAM, maximally 64MB per acquisition.
REM Keep in mind that the total amount of memory used by Guymager may be much higher: With a value of
REM 256 and 4 acquisitions running in parallel, a total of 1GB RAM would be used by Guymager - only for
REM the FIFOs, not counting the overhead required by Guymager and the libs it uses (Qt, libewf, ...).
REM The recommended value is 0 (automatic memory usage calculation).
REM
REM FifoMemoryManager Set to on to use the internal FIFO memory manager. If switched off, the classical C functions malloc and
REM free are used. FifoMemoryManager must be switched on in order to use direct IO (see parameter DirectIO).
REM
REM UseSeparatehashThread The hash calculation can be done in a separate thread or in the read thread (i.e. the thread reading
REM the data from the source). Using a separate thread led to a slight performance advantage on the
REM developer's machine.
REM
REM CompressionThreads The number of threads for parallel compression. The recommended value is the number of processors.
REM This parameter has a significant performance influence when working with compressed file format
REM (EWF format). It has no impact on other formats (dd).
REM Set to AUTO to use the number of CPUs installed in the system (recommended).
REM Set to 0 to disable multi-threaded compression and build the EWF file the conventional way.
REM
FifoBlockSizeDD = 262144
FifoBlockSizeEWF = 32768
FifoBlockSizeAFF = 65536
FifoMaxMem = 0
FifoMemoryManager = On
UseSeparatehashThread = Yes
CompressionThreads = AUTO
REM Debug settings
REM --------------
REM SignalHandling For debug purpose only. Switch off SignalHandling only when working with debuggers (gdb).
REM Recommended value: Enabled.
REM
REM WriteToDevNull For debug purpose only. Writes image to /dev/null instead of the indicated file. This switch can
REM be used for performance tests. Only used when creating dd images.
REM
REM UseMemWatch For debug purpose only. Uses the memwatch malloc/free functions for finding dynamic memory problems.
REM Creates a file named memwatch.log when enabled in the directory where guymager is started. MemWatch
REM may slow down guymager significantly.
REM
REM VerboseLibewf For debug purpose only. Have libewf output internal messages to stderr.
REM
REM CheckEwfData For debug purpose only. When using the EWF format and working with separate compression thread(s),
REM Guymager does a special check on the data if this parameter is set. The check is done just before
REM passing the data to the EWF library function that writes it to the image. It checks if the data can
REM be uncompressed correctly, if the lengths match and if the CRC is ok.
SignalHandling = Enabled
WriteToDevNull = false
UseMemWatch = false
VerboseLibewf = false
CheckEwfData = false
REM Device info commands
REM --------------------
REM In order to get a complete set of information for each acquired drive, guymager executes several standard Linux
REM commands. These commands are contained in the list named DeviceInfoCommands, see below. They are executed when
REM - selecting the "Info" menu point for a device (results are shown in a dialog window)
REM - starting an acquisition (results are written to the .info file)
REM They are executed in the order they appear. The string %dev will be replaced by the corresponding device path
REM (i.e. /dev/hdb for instance). Examples for interesting commands:
REM 'bash -c "smartctl -s on %dev ; smartctl -a %dev"' -- for switching SMART interface on and showing SMART info
REM 'bash -c "hdparm -I %dev"' -- for showing other identification info
TABLE DeviceInfoCommands NoName
REM Command
REM -------------------------------------------
'bash -c "search="`basename %dev`: H..t P.......d A..a de.....d" && dmesg | grep -A3 "$search" || echo "No kernel HPA messages for %dev""'
'bash -c "smartctl -s on %dev ; smartctl -a %dev"'
'bash -c "hdparm -I %dev"'
REM 'bash -c disk_stat %dev'
ENDTABLE
REM Table LocalDevices
REM The local devices may be entered here. Guymager will not allow these devices to be acquired. The table allows for
REM entering the Linux device path as well as the serial number. Examples:
REM '/dev/hda'
REM 'S042J10XC57542'
TABLE LocalDevices NoName
REM Device
REM -------------------------------------------
ENDTABLE
REM At the end of this configuration, we include a local configuration file. All entries in the local
REM configuration file will override the ones above.
REM If ever you want to change the settings above, don't do it directly here, as all your changes would be
REM gone when installing a new version of guymager.
REM Edit /etc/guymager/local.cfg instead.
INCLUDE_OPTIONAL /etc/guymager/local.cfg
INCLUDE_OPTIONAL ./local.cfg
ENDSECTION