Computer Forensics and Data Analysis
Software Training Services  
Maresware FAQs and Technical Tips

Below are some FAQs about how to use specific Maresware programs, plus some other technical tips. For quick access use the alphabetical index links immediately below. Or just scroll and browse.

Alternate Data Streams are copied by Copy_ads program
Alternate Data Streams are overwritten when their host file is removed
Bates_no program assigns Bates numbers 2 ways
Bates numbers can now be removed from files
Boot disk--modify OS boot disk so it won't write to hard drive
Branding hard drives with ownership information
Calculating CRC/MD5 or SHA1 of physical drive
Cataloging files on a drive
Compare current hash values with reference set (suspect values)
Compare system hash values with reference set of system files
Copy files while maintaining tree structure at the destination
Copy large number of files (from a list) to a new destination
Declasfy on a bootable CD--uses for
"DIR"ectory listing program for forensic use
Disabling a keyboard; creating an "evidence disk"
Diskette images--making forensic quality
Hash/SHA1 of 'X' sectors (or a file) of 'A' character--simulating
Hash output records--reprocessing
Hashes: successive hashes of a file don't match
Hash values (MD5, SHA1 or 2) of a file system--calculating
Why use hash to validate data?
How many hashes on the HASH_CD?
Linux versions of Maresware
PGP encrypted files--identifying
Search a large data file for "keys" in a field (column)
String search files or drives
Upcopy can maintain original dates of directories created
Wipe files of free or slack space
Wipe files using a text file with filenames
Wiping a hard drive: considerations in choosing a program
Wiping a drive under NT
Q. Can I copy Alternate Data Stream files out to normal files for analysis?

A. Yes. Copy_ads can identify and copy Alternate Data Stream files. When it copies the files, it isolates the Alternate Data Streams and copies them to "normal" files for easy analysis.

Q. Is there a program that will overwrite Alternate Data Streams when they are removed?

A. Yes. The RMD program has been redesigned to overwrite alternate data streams attached to files it removes on NTFS file systems.

Q. I have identified a few hundred files which need to be prepared and printed for legal discovery. How do I assign Bates numbers for our attorneys to use?

A. Maresware's Bates_no program is designed to number files with Bates numbers for legal use. The identified files need to be moved to a specific directory first. Bates_no can then be used to assign numbers to either the filenames or the filename extensions. Also see chapter 2 of The Handbook of Computer Crime Investigation, by Eoghan Casey (ISBN 0-12-163103-6).

Q. I inadvertently used the Bates_no program on files that weren't supposed to be renamed. Is there a way to reverse the Bates number naming process?

A. The Bates_no program has a -U option that will remove the Bates numbers from file names.

Q. I made a WIN9x boot disk. I know that there have to be changes to some of the files to make it a forensically sound boot disk. What do I do?

A. The files that generally need to be altered to begin the forensic process are the IO.sys, MSDOS.sys and COMMAND.com. You also need to make certain that any compressed drives aren't mounted during the boot process. The Maresware Mod_com program will make the necessary modifications.

Q. A lot of companies in my jurisdiction are reporting stolen computers. It's not that easy to identify proper owners when our theft unit recovers what appears to be stolen items. Is there an easier way?

A. It's very easy. Those companies can use our Maresware Brandit program to quickly "brand" all their hard drives with ownership information. Then when you recover a branded unit, you can readily identify its owner. Just download the reader portion of Brandit, for free, at our site. It only takes about 10 seconds to read the ownership information on a branded drive.

Q. I want to perform a CRC/HASH of a physical drive. Which Maresware program do I use?

A. The Disk_crc program performs a CRC, MD5 hash or SHA1 hash of physical drives, or of specific sectors.

Q. I want to generate a catalog or listing of all files on the drive. Which Maresware program do I use?

A. Any of the following will generate a catalog of all files on a drive: Crckit, Diskcat, Hash or MD5. Each one has different capabilities and can be tailored to specific needs. Check the documentation to see which is most suitable for your task.

Q. If I already have the hashes (produced by hash.exe) of my operating system, how difficult is it to compare the current hashes of the same files to make certain none have been altered?

A. It is a simple three-line batch file using hash.exe and compare.exe. It should take approximately 10 minutes to complete.

Q. Once I have the hashes of files on two systems, (i.e., the suspect drive, and the restored drive), how can I determine if anything has changed?

A. The Maresware Compare program is a generic program designed to compare data files for common or mismatched records. However, the Hashcmp program is specifically written to compare the output of the hash.exe program, and is lightning fast. The Hash_dup program can list duplicate hash values in the hash output files.

Q. Can Upcopy work with a text list of source files to copy to a destination?

A. Yes, you can provide Upcopy with a text list containing the paths/filenames of all the source files that you want copied to the specific destination. This is especially useful if the source file list comes from a database.

Q. I often have situations where I want to copy all of a certain type of file or all of certain tree structures to a work drive. I must maintain tree structure while doing this. Which Maresware program do I use?

A. The Upcopy program will copy any files or directories to any specified location and maintain tree integrity.

Q. Can Declasfy be run from a bootable CD?

A. Declasfy can be provided to you on a bootable CD running an open source DOS operating system. Since that version is a non-restrictive version, different pricing applies.

Q. Is there a forensic substitute for the DIR program?

A. Yes, the Maresware Mdir program was designed specifically for forensic use. It shows much more information by default than DIR, and can almost be "programmed" to the user's needs.

Q. I have a seized computer, and I want to keep prying hands from turning it on and corrupting evidence. What can I do?

A. Other than disconnecting the hard drive, you might try creating a DOS 5.0 boot disk and putting the Maresware Disable program into the autoexec.bat file. Disable will prevent the keyboard from being used. We suggest using DOS 5.0 as the operating system, because it was the last version that did not allow the function keys (F6, F8) to interrupt the boot-up process.

Q. How do I make forensic copies of diskettes?

A. Maresware's Diskimag program is designed to make forensic copies of diskettes, and it can handle Linux ext2 and Mac diskettes. It is frequently used to make a number of copies of disks, for training purposes, for instance.

Q. I have wiped the drive with all 0's, and I have X number of sectors on the drive. I have a third party program that is saying the MD5 hash is ABCD...etc. Is there a way of determining what the true MD5 value of X sectors of hex 0's should be?

A. Yes, Maresware's Sha_verify will simulate in memory any number of sectors or bytes containing a single value. It will also perform SHA1 and SHA2 on files.
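The in-memory simulation described in this answer, written out as an added example (this is not Sha_verify's code or any Maresware code; the 512-byte sector size, the 1 GB run in `__main__`, and the reported-digest check are assumptions):

```python
import hashlib

SECTOR_SIZE = 512  # assumed sector size; change if your tool reports otherwise

def digest_of_filled_sectors(sectors, fill=0x00, algo="md5"):
    """Hash `sectors` sectors that all hold the byte `fill`, entirely in memory,
    as the FAQ describes Sha_verify doing: one reusable buffer is streamed
    through the hash object, so nothing touches disk and RAM use stays flat
    regardless of how large the wiped region was."""
    if sectors < 0 or not 0 <= fill <= 255:
        raise ValueError("sectors must be >= 0 and fill must be a byte value")
    h = hashlib.new(algo)
    chunk = 2048                                  # 2048 sectors = 1 MiB per update
    buf = bytes([fill]) * (SECTOR_SIZE * chunk)
    while sectors > 0:
        n = min(sectors, chunk)
        h.update(buf[:SECTOR_SIZE * n])
        sectors -= n
    return h.hexdigest()

def reference_digest(sectors, fill=0x00, algo="md5"):
    """Direct, non-streaming computation; only sensible for small sector counts,
    used here to cross-check the streaming routine."""
    return hashlib.new(algo, bytes([fill]) * (SECTOR_SIZE * sectors)).hexdigest()

def wipe_hash_matches(claimed, sectors, fill=0x00, algo="md5"):
    """True if a third-party tool's reported digest equals the expected value for
    `sectors` sectors of `fill`. A mismatch means the region is not uniformly
    that byte, or the sector count / algorithm assumed for the claim is wrong."""
    return claimed.strip().lower() == digest_of_filled_sectors(sectors, fill, algo)

if __name__ == "__main__":
    # Expected MD5 and SHA1 of a 1 GB region wiped to hex 0's (constructed case).
    one_gb_sectors = 1024 * 1024 * 1024 // SECTOR_SIZE
    print("md5 ", digest_of_filled_sectors(one_gb_sectors))
    print("sha1", digest_of_filled_sectors(one_gb_sectors, algo="sha1"))
```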

Q. If I use Crckit, Diskcat, Hash, or MD5 to create a catalog of the drive, can I get the output in the format I need for further processing?

A. These programs output their information in what is called a fixed-length record, so almost any database or spreadsheet program can easily import their output. If a fixed-length record is not sufficient, these programs also allow you to add delimiters between fields (columns) so that the data can be imported into database and spreadsheet programs that have this input requirement. [All Maresware programs that produce the kind of output you might want to further analyze or process give you that output in fixed-length records.]
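Reprocessing fixed-length hash records the way the hash-comparison FAQs above describe (a Hashcmp-style comparison against a reference set and a Hash_dup-style duplicate listing), as an added example that is not Maresware code; the column layout, file names and contents are constructed assumptions, not the real hash.exe record format:

```python
import hashlib
# Assumed fixed-length layout, constructed for this example (not the real
# hash.exe layout): path 40 chars, size 10 right-aligned, MD5 hex 32.
LAYOUT = (("path", 40), ("size", 10), ("md5", 32))

def format_record(path, size, md5):
    """Emit one fixed-length record; column position, not a delimiter, separates fields."""
    return f"{path:<40.40}{size:>10}{md5:<32}"

def parse_catalog(text):
    """Slice each record at the layout's column offsets -> {path: (size, md5)}."""
    catalog = {}
    for line in filter(str.strip, text.splitlines()):
        rec, pos = {}, 0
        for name, width in LAYOUT:
            rec[name] = line[pos:pos + width].strip()
            pos += width
        catalog[rec["path"]] = (int(rec["size"]), rec["md5"].lower())
    return catalog

def compare_catalogs(reference, current):
    """Hashcmp-style result: digests that changed, paths gone, paths new."""
    both = reference.keys() & current.keys()
    return {"modified": sorted(p for p in both if reference[p][1] != current[p][1]),
            "missing": sorted(reference.keys() - current.keys()),
            "added": sorted(current.keys() - reference.keys())}

def duplicate_hashes(catalog):
    """Hash_dup-style listing: each digest shared by more than one path."""
    groups = {}
    for path, (_, md5) in catalog.items():
        groups.setdefault(md5, []).append(path)
    return {d: sorted(ps) for d, ps in groups.items() if len(ps) > 1}

def build_catalog(files):
    """Constructed catalog text from (path, content) pairs (size = len(content))."""
    return "\n".join(format_record(p, len(c), hashlib.md5(c).hexdigest())
                     for p, c in files)

# Constructed sample: a baseline catalog of a system tree and a later run of it.
BASELINE = build_catalog([("WINNT/SYSTEM32/NTOSKRNL.EXE", b"original kernel"),
                          ("WINNT/NOTEPAD.EXE", b"notepad"),
                          ("WINNT/SYSTEM32/NOTEPAD.EXE", b"notepad")])
CURRENT = build_catalog([("WINNT/SYSTEM32/NTOSKRNL.EXE", b"patched kernel!"),
                         ("WINNT/SYSTEM32/NOTEPAD.EXE", b"notepad"),
                         ("WINNT/SYSTEM32/EVIL.DLL", b"evil")])

def demo():
    ref, cur = parse_catalog(BASELINE), parse_catalog(CURRENT)
    return compare_catalogs(ref, cur), duplicate_hashes(ref)
```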

Q. I ran Hash on the same file a number of times, and each time I get a different value. The file is very large, over 600 meg. What can be the problem?

A. This happens occasionally, particularly with very large files. The cause is an improper transfer of data somewhere between the hard drive, the OS, and the program. This is usually caused by one or more of the following:

  1. You have the drive in a removable tray, and the speed of the tray is not matched to the bus speed. (Try using DMA 100 trays.)
  2. There is a memory leak problem. This is the most common cause. It is sporadic, hard to duplicate, and very hard to find. (Try replacing your memory sticks.)
  3. The OS is improperly buffering the disk reads. (This is more prevalent with Win9X. Try running Hash under a different OS; Windows 2000 appears to be more stable in this operation.)
  4. Some other very obscure hardware/data transfer problem. (Try another computer.)

Our suggestion is to remove the drive from the tray and hook it directly to the IDE cable on another machine. This usually fixes the hash errors, but doesn't solve your underlying hardware problem. Remember, if you are experiencing a data transfer problem running Hash, it is quite likely that the problem is corrupting your data in other programs without your knowledge, so you might want to check them too.

Q. I want to perform a CRC/HASH of an entire file system(logical file structure). Which Maresware program do I use?

A. The Diskcat program will perform a 32-bit CRC of files. But the one most often used is Hash (the program used to create the HashKeeper hashes). Another alternative, with different output capability, is the MD5 program. Refer to its documentation for details about the output options.

Q. Why should I consider using hash to validate software and data?

A. The MD5 and SHA algorithms in the Hash program are the generally accepted standard for validating evidence files and data files. See the Hash FAQs.

Q. How many unique hashes are on the Maresware Hash cd?

A. As of March 2003, there were over 6 million known file hashes on the Maresware Hash_cd.

Q. I suspect that there are PGP encrypted files on a seized computer. How can I determine that?

A. Maresware's Ispgp program will answer that question. It has been thoroughly tested and is extremely reliable in detecting PGP encrypted files and keyrings.

Q. I have a data file extracted from a mainframe data base with well over 10 million records in it. I want to search a field for the occurrence of over 100 keys (these are phone numbers). Which Maresware program do I use?

A. The Search program can sequentially search a typical data file of 10 million records in under a minute on a 2 GHz computer with a 7200 rpm hard drive.
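The technique behind a fast sequential field search, as an added example that is not the Search program's code: one pass over the records with a single set lookup per record, so the run time does not grow with the number of keys. The record layout, the sample extract and the key list are constructed assumptions.

```python
import re

# Assumed record layout for a constructed fixed-length extract (not the Search
# program's own format): account id 10 chars, name 30 chars, phone 20 chars.
ID_FIELD, PHONE_FIELD = slice(0, 10), slice(40, 60)

def digits_only(text):
    """Normalize a phone key so 404-555-0100, (404)555-0100 and 4045550100 agree."""
    return re.sub(r"\D", "", text)

def search_field(records, keys, field=PHONE_FIELD):
    """One sequential pass over the records with a single set lookup per record,
    so the cost is O(records) no matter how many keys are on the list."""
    wanted = {digits_only(k) for k in keys if digits_only(k)}
    hits = []
    for recno, rec in enumerate(records, start=1):
        value = digits_only(rec[field])
        if value in wanted:
            hits.append((recno, rec[ID_FIELD].strip(), value))
    return hits

def make_record(acct, name, phone):
    """Constructed fixed-length record: every field padded to its column width."""
    return f"{acct:<10.10}{name:<30.30}{phone:<20.20}"

# Constructed sample extract and key list; a real job would stream the
# 10-million-record file line by line instead of holding a list in memory.
SAMPLE_RECORDS = [
    make_record("A000000001", "SMITH, JOHN", "404-555-0100"),
    make_record("A000000002", "DOE, JANE", "(770) 555-0199"),
    make_record("A000000003", "ROE, RICHARD", "4045550100"),
    make_record("A000000004", "POE, EDGAR", ""),
]
SAMPLE_KEYS = ["404.555.0100", "212-555-0123"]

def demo():
    return search_field(SAMPLE_RECORDS, SAMPLE_KEYS)
```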

Q. I need to perform string searches. Which Maresware program should I use?

A. The Ss program will perform string searches on a physical disk. Its output is fixed length, and identifies the sector where the item was located. The Strsrch program will perform string searches on the logical file system. It is an extremely fast and efficient program. Its output is also fixed length. (Fixed length outputs lend themselves very nicely to reprocessing.) Both programs provide surrounding text.

Q. When copying files to destination directories, the directory trees created always seem to have today's date. Is there a way to have Upcopy maintain the original date on the directories it creates?

A. The option -M will cause Upcopy to 'M'aintain the source dates of any of the original directories it creates during the copy process. For reference purposes, this option also causes any empty source directories to be created.

Q. Which Maresware program would I use to overwrite individual files, slack, or free space on a drive?

A. The Rm and Rmd programs both remove files, but only Rmd wipes: it can overwrite a file or files, file slack or disk free space, and under NTFS it can also wipe alternate data streams and clean the MFT. The Rm program merely deletes files and doesn't overwrite them.

Q. Can Rm and Rmd work with a text list of source files to remove?

A. Yes, you can provide Rm with a text list containing the paths/filenames of all the source files that you want to remove. This is especially useful if the source file list comes from a database of some sort. It is also useful if you have a list of contraband files which need to be removed from a computer.

Q. How do I choose a program to wipe a hard disk?

A. If you are going to reuse the disk for forensic purposes, or going to release it outside your organization, we suggest using the Maresware Declasfy program. It complies with Department of Defense specs, and is on their Assessed Products list. One of the DOD requirements is that a wiping program overwrite every bit of data at least five times. In addition, Declasfy leaves no residual information on the drive, such as evidence of the wiping operation itself.

Declasfy has the advantage of working from a boot disk, and is not encumbered by Windows operating system restrictions or shortcomings. (One problem is that Windows often doesn't allow access to hardware in a manner required to perform a complete wipe. Another problem is that when working through the Windows operating system, you aren't certain about the level of control of the system resources required to perform the wipe.)

When you want to save some time, and don't need to meet DOD standards, there are quicker wiping procedures. These may be adequate for, perhaps, personal reuse or for reusing a disk within an organization. This is a simple three-step procedure used by the National White Collar Crime Center: (1) Quick format the hard drive (format d: /q), which takes about 15 seconds; (2) Run Maresware Rmd on the drive (rmd d:); and (3) Quick format the hard drive again. The drive is clean enough for reuse, and no data is left on it.

Q. Is there a way to wipe a drive running under the NT operating system? And will it wipe to DOD standards?

A. Yes; the only one we know of is the Maresware Ntwipe program. It's easy; it's extremely fast; it meets DOD wiping standards; and if you have SCSI drives, you can wipe them simultaneously. (We know of one federal agency that uses this program routinely to wipe 4-5 SCSI drives at a time.)

Q. Are the Linux versions of Maresware compatible with the DOS versions, as far as operation and output?

A. Yes, where possible. With programs like Hash and Strsrch, both the Linux and DOS versions provide a similar output record format, similar command line structures and options, and similar speed. This allows the user to mix or combine the outputs of the two runs.

copyright © 1998-2008 by Mares and Company, LLC