MARESWARE GENERAL INFORMATION
Versions of these programs authored before Dec. 1, 1998 are no longer supported by the author but may be available from IRS via a FOIA (Freedom of Information Act) request. Versions after Dec. 1, 1998 contain copyrighted material and may not be used by anyone without proper licensing agreements and authorizations from the author.

Before going any further, a word about the spelling of MARESWARE. Sometimes you will see it spelled MARESWARE and sometimes MARSWARE. The reason is that in order to fit the file names into a DOS format I use MARS. However, my name is properly spelled MARES, but pronounced like the planet MARS. When I reference a specific disk file I use MARS. When I reference the entire library I use MARES.

The documentation contained here is the complete text for all the files making up the MARESWARE SUITE of programs. Every attempt is made to maintain the individual help files with the current version of any particular program. However, sometimes I forget to upgrade the help file at the same time I modify the program operation. Therefore, I urge you to review the online help (help screens) provided in each of the programs. The online help of each program is always more up to date than the help file. The online help is generally modified when the program is modified. The ultimate test of whether an operation is still functional is to test it.

Most of the significant programs are Windows/32 bit OS compatible. This means they will run under the Windows operating systems. These programs, even though they are 32 bit software, MUST be run from within a DOS window on the platform. Many of you who may have developed WIN9X boot disks for forensic purposes will find that these 32 bit programs will not run from a boot disk. This is because WIN9x from a boot disk does not use the full 32 bit capabilities of the computer (meaning a lot of the required .dll files are missing), and is really a fancy 16 bit operating system. (Enough about that.)
When installing the software on your system, it is suggested you make a separate sub-directory for the 32 bit versions. This is because, after proper registration, the 16 and 32 bit versions carry the same name, and if you copy the 32 bit versions into the same directory as the 16 bit ones, the 32’s will overwrite the 16 bit versions, or vice versa. Also! You should adjust your path so that the 32 bit versions are found first. This way, if there is a 32 bit version, it will operate when in the 32 bit environment, and if there is not a 32 bit version, then the 16 bit directory is accessed and the 16 bit version is run.

Some cautions when attempting to run the 32 bit software (and the 16 bit versions under a 32 bit operating system). These cautions are general, and each program has a different use, so apply the caution to the program that tries to accomplish that type of task (i.e. when talking about display of disk free space, this would only apply to those programs whose operation depends on an accurate representation of such).

* If at all possible DO NOT run the 16 bit versions on a 32 bit operating system. For one, they are extremely slow because the operating system has to emulate a 16 bit environment, which takes a lot of time. For another, the 16 bit versions cannot process long file names, large file sizes or Multiple Data Stream files.
* Most of the 16 bit versions that indicate a free space value (i.e. MDIR, RMD) do not produce accurate results when running on NTFS and 32 bit FAT systems. Only the 32 bit versions produce accurate free space numbers. The 16 bit ones are close, but no cigar.
* All of the 16 bit versions will NOT work on files over 2 GIG or drives over 8 GIG. However, the 32 bit versions work fine with large files and drives. (Some programs have been tested on individual files as large as 6 gig in size.)
* Most people using forensic software know it is possible to name a file with some very unusual characters in the file name. An example is a file name containing extended ascii characters greater than 128 (usually referred to as a graphic character, perhaps like the copyright (©) symbol). Because Windows uses a different set of characters in this range, some programs written for ascii characters (i.e. the 16 bit versions, and some 32 bit software not properly designed) will not be able to properly find, identify, and open for processing these files with “weird” names. I have made every effort to make these programs responsive to this type of situation. But the user should be aware that not only Maresware, but other programs may fall into this unresponsive category. If you think you have unusually named files, run some tests. Also, file names viewed under “explorer” and “dir” will produce different graphic characters as names.
* None of the 16 bit versions can display directory and/or file names greater than the traditional DOS 8.3 convention. All of the 32 bit versions have been designed to be long filename compliant.
* Don’t forget that when dealing with long file names which contain spaces, like (C:\Program Files\etc etc\file) you can most often get the program to properly respond by quoting the entire file name. This is a little DOS trick.

LINUX/UNIX

Bates_no, Diskcat (catalog), HASH, Hashcmp, Hexdump and STRSRCH and some of the data processing programs have been converted to LINUX I386 platforms. If you get a copy of these programs, you should thoroughly familiarize yourself with their operations. These versions will only work efficiently if the user has root privileges. Also, the time values used for determining which files to process are based on the LINUX file dates of access, status ‘c’hange, and modification. I haven’t determined the true difference of change and modification yet. But when I do, I’ll add it in to the documentation. Until then, you're on your own.
UPDATES

Because I am constantly upgrading the software you should check in periodically to see if there have been any enhancements. Please keep checking the web site for updates. Also, if you find any program that is operationally challenged (my programs don’t have bugs) please let me know. I can’t fix what I don’t know is broke. Also, you may not be the only person with this problem. Often it is a simple command line error. In any case, don’t put up with it. Call me and I’ll try to fix it. Maybe there is a newer version of the program with the problem already fixed. You’ll never know unless you call. As always, if you need an enhancement to the software, or a new program, let me know. I always like a challenge.

INI Capability. Most of the software can now take an INI type file to set those options which the user routinely uses. This is a great benefit for repeating the same operation over and over.

MARESWARE INSTALLATION

You should have received an installation diskette when you purchased the Maresware suite. Use this diskette to initially register the software, or register any updates you download from the web site. Once you have registered the software, you can copy it to any computer for which you have a license to use it on. After installing the utilities, you should make certain the path statement in your autoexec.bat file includes the directory that these programs are now located in.

HINTS on how to use the software:

This section contains some general hints and standards that are used throughout the programs. In most cases the items described here are consistent throughout unless otherwise noted. The programs follow standard UNIX and “C” conventions for input and operation. If you have questions about this consult a manual on UNIX for more help. I like to think that my motto has evolved from a quote I once heard about my software, “I find something I don’t like and fix it”.
ERRORLEVEL

Most of the file processing programs will return different error level numbers to DOS upon their completion. The error level returned is dependent on the exit status of the program. The following error levels are returned when the specific condition exists.

#7 = abnormal exit condition not otherwise identified
#6 = insufficient memory for necessary buffers.
#5 = incorrect option exit condition
#4 = cannot open/access parameter file
#3 = cannot open/create/access output file
#2 = cannot open/access input file
#1 = user aborted program. (^C or ESC was entered)
#0 = NORMAL exit condition. Program finished w/o error.

These errors can be tested for and handled in a batch file similar to the one provided here. Note: in order for this to work properly, the error levels must be tested for the highest number first, because IF ERRORLEVEL n is true for any exit code equal to n OR HIGHER.

if errorlevel 7 goto seven
if errorlevel 6 goto six
if errorlevel 5 goto five
if errorlevel 4 goto four
if errorlevel 3 goto three
if errorlevel 2 goto two
if errorlevel 1 goto one
if errorlevel 0 goto end
:seven
echo handle error seven here
goto end
:six
echo handle this error here
goto end
:five
echo handle this error here
goto end
:four
echo handle error four here
goto end
:three
echo handle error three here
goto end
:two
echo handle error two here
goto end
:one
echo handle error one (user abort) here
:end
echo this is the end of the batch file
PAUSE

ENVIRONMENT

SET PAUSE=on

The programs read the system environment and when they see the PAUSE environment set, they automatically turn on the -p option, so you don’t have to. If at any time you don’t want the -p option to run, you can negate it at runtime by using a /p (slash p). The /p turns off the default PAUSE if it is on. If it is off, nothing is done. As time goes on, more and more programs will take on consistent defaults that are set using environment variables. Look for them either in the help screens, or documentation. Many people use the accounting -A option for most of the programs. This -A has also been implemented as an automatic environment option.
To turn on the -A use the set command again with this setting:

ACCOUNTING FILES

To disengage the automatic accounting option from any program that has it simply use the /A option. This turns off the -A. To determine which programs currently have the auto accounting check the help screens or the current documentation. As always, the help screens are probably more current than the printed documentation. Also, in many cases the -a accounting option defaults to a file called acct-ing in the default directory. This is an old carry over. The new option (generally a -1 filename; that's the digit one) will allow you to set a particular filename for the accounting statistics. Check the program options for a -1 or -2 option.

MARESWARE COMMAND LINES

Command lines are the commands you give at the DOS prompt to get the program to run. Just like the more complex DOS commands, my command lines take input and output file names, in addition to many options (switches). Each program needs a different command line, but the format is the same for all the programs. The general format is this:
program_name -options

CASE:

Since all of the programs were written in “C” the commands and any keyboard input you use will be case dependent. This means that upper and lower case letters are different. Most of the programs will allow you to input various options to modify the program operation. Notice that they are listed as either UPPER or lower case. In instances where both the upper and lower case of a letter are not used to support different options, either the UPPER or lower case will be accepted. This is not always true and it would be best to only use the option as it appears in the documentation.

FORMAT:

All items (usually filenames) on the command line must be separated by at least one space. The only exception to this is when you are listing options. Multiple options (except as noted) can be grouped together without spaces.

PARAMETER FILES

ALWAYS EDIT/CREATE THE PARAMETER FILE WITH A SIMPLE TEXT EDITOR. NEVER NEVER NEVER (GET THE POINT) EDIT A PARAMETER FILE WITH A WORD PROCESSOR OR PROGRAM THAT DOES NOT CREATE SIMPLE ASCII TEXT AS ITS OUTPUT.

Parameter files are the heart of most of the data file processing programs. Since the programs are designed to work with fixed length records (this means they have no carriage return to identify the end of a record), the program does not have any way of knowing where the end of a record is. The programs also cannot read your mind (although many people expect them to) about what field/fields you want the program to examine when processing each record. A way had to be designed for the program to determine certain things about the file you are accessing and what fields it should examine or process. The parameter files do this. Depending on the actual program operation (what it is designed to do) the parameter files will contain different information. Even though the information in the parameter files is different for each program, the overall idea of the contents remains the same.
So once you are familiar with parameter file contents, it should not be hard to create parameter files for those programs needing them. The parameter files usually contain a minimum of information about the file(s) you are processing, and/or about the output you are expecting. Some of the items that a parameter file contains are:

The blocksize of the input file. The blocksize normally is an exact (whole) multiple of the record length of the data files, with a maximum blocksize of 32768 characters. So if your input record was 80 characters you could use an input block of 80, 16000, 24000 or 32000, or any multiple in between. Usually a blocksize between 20-30000 characters gives optimum throughput performance depending on your computer's internal buffer setup. (If you are using a tape input, you are restricted to the blocksizes of the physical tape block. Check the documentation for this.)

The next thing you have to provide the program is the record length of the data files. It has to know this in order to process the records. The record length should be self explanatory. Remember that the unprintable carriage returns that exist in some files are considered part of the record length.

The next thing that the program needs to know is the location of the data item (field) you want to examine. Some programs require more than one field to operate on. You will need to provide all this information to the program. The location of the field is usually called the displacement of the field. Displacements in all programs except DISKSORT are counted from 0 (zero) not 1. After you have provided a displacement, you have to tell it how long the field is. This is simply a number indicating the length. If we were looking at a person's social security number, the length would normally be 9. These items talked about so far are pretty much standard for all the programs.

Next, depending on the program, you have to provide it with specific information (program dependent) about what the program is to do with these fields once it locates them. That is what a parameter file does.

ABOUT DATA FILES

All of the data file processing programs in the MARESWARE collection work on fixed length records. This means that each record in the data file MUST be of a fixed length. It does NOT require the traditional carriage return on the end of a record. If the records/file you are processing do have a carriage return on the end, it should be treated just as any other data character when considering the record length of the file.

In addition, the programs REQUIRE data files to contain only data records and no additional information. This additional information is what mainframe users call padding. MANY word processors and/or text editors add padding to files when they are edited. This padding causes the data file to now contain an incorrect last record. It will at a minimum cause the programs to provide incorrect results. The worst case is the programs will just not run. You should be extremely cautious when processing a data file that has been examined, or edited using an editor that adds “padding” to the end of a file. Maresware programs are smart but not smart enough to detect this inconsistency. You have to watch out for it yourself and take appropriate steps to eliminate this problem. The hexdump, chsize and hexdump2 programs will provide assistance in determining and eliminating this padding. Always be on the lookout for file anomalies when something doesn’t work as you expect. If you are certain you are using the programs correctly, then the data file must have errors in it. Become comfortable with using the hexdump programs. They can help detect many problems. If you have any questions about the operation or design of any of the software, don't hesitate to call. Your idea may help others also.
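As an added example (not part of the Maresware documentation or its code), the following Python applies the parameter-file quantities described above to a constructed fixed-length file: it checks the blocksize against the record length, detects editor padding after the last record before any processing, and pulls a field out of each record by 0-based displacement and length. The 20-byte sample records, the Field class and the function names are my own assumptions.

```python
import io
from dataclasses import dataclass

MAX_BLOCKSIZE = 32768  # ceiling on blocksize stated in the parameter-file description

@dataclass
class Field:
    """One field of a fixed-length record, located by displacement and length.
    Displacement is counted from 0, as in every Maresware program except DISKSORT."""
    name: str
    displacement: int
    length: int

def check_blocksize(blocksize: int, reclen: int) -> None:
    """Reject a blocksize that is not a whole multiple of the record length."""
    if not (reclen <= blocksize <= MAX_BLOCKSIZE) or blocksize % reclen:
        raise ValueError(f"blocksize {blocksize} is not a multiple of record "
                         f"length {reclen} (or exceeds {MAX_BLOCKSIZE})")

def padding_bytes(data: bytes, reclen: int) -> int:
    """Bytes left over after the last whole record. Non-zero means an editor
    appended padding, or the record length in the parameter file is wrong."""
    return len(data) % reclen

def read_records(data: bytes, reclen: int, blocksize: int) -> list:
    """Read the data a block at a time and slice each block into records,
    refusing to run on a file whose length is not a multiple of reclen."""
    check_blocksize(blocksize, reclen)
    extra = padding_bytes(data, reclen)
    if extra:
        raise ValueError(f"{extra} byte(s) of padding after the last record; "
                         "fix the file (e.g. with chsize) before processing")
    records = []
    buf = io.BytesIO(data)
    while block := buf.read(blocksize):
        records.extend(block[i:i + reclen] for i in range(0, len(block), reclen))
    return records

def extract(record: bytes, field: Field) -> bytes:
    """Pull one field out of a record by displacement and length."""
    return record[field.displacement:field.displacement + field.length]

# Constructed sample: 20-byte records holding a 10-char name and a 9-digit SSN,
# with the trailing newline counted as part of the record length.
RECLEN = 20
SAMPLE = b"SMITH     123456789\nJONES     987654321\n"
PADDED = SAMPLE + b"\x1a"  # one stray byte, as an editor might append at end of file
SSN = Field("ssn", 10, 9)  # SSN starts at displacement 10, length 9
```

Running read_records on PADDED raises, which is the check a Maresware program itself cannot make for you; on SAMPLE with a blocksize of 16000 it returns both records.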
Author: Dan Mares, info @ maresware . com