Computer Forensics and Data Analysis
Software Training Services  

Maresware Programs L through O

 

Lfn_Crc
Find the long filename Checksum of the corresponding 8.3 DOS name

Be sure to check the help file for additional information about this program.

When long filenames are deleted in Windows, there remain remnants of the 8.3 filename in the directory. When undeleting the long filename it must match the original exactly; otherwise, an internal checksum won't match and the file won't be displayed.

To confirm that the 8.3 filename and the internal checksum stored for the long filename are correct, use Lfn_crc to calculate what the checksum should be.


Mak_html
Make an html index.htm file listing of folders

This program will take a path/tree/folder as a starting location and create an output html file (usually index.htm) with links to all the files it locates within the specified folder.

The output file is generally supplied to someone with a browser, who uses it as a starting point to browse and view the files identified.


Makedir
Make directories

Be sure to check the help file for additional information about this program.

Makedir is a very efficient alternative to the MD program. It will make multiple subdirectories based on command line input. It will make any and all subdirectories up to and including the final subdirectory listed on the command line.

It can also make multiple subdirectories in different locations based on just one command line input.


Md5
Calculate the 128 bit MD5 hash of a file

Be sure to check the help file for additional information about this program.

Md5 is designed to quickly calculate the MD5 hash value of a file. The advantage of Maresware's Md5 is that it adds formatting capability to the standard output produced by MD5sum. It can also calculate a 32 bit CRC or 160 bit SHA value.

A special time limited version (currently expires 5/2006) is available that will allow the user to perform hashes on only a section of a file. This is becoming more and more popular with those verifying video and other multimedia files. If this capability proves useful, it will be incorporated into the full version.

Historically, the MD5 algorithm has been used to "fingerprint" files. No two files will ever produce the same fingerprint unless they are identical. According to R. Rivest in his 1992 article:

The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. [Find Rivest's article on the Internet by searching the World Wide Web for MD5.]

CERT at Carnegie Mellon University uses an MD5 signature to validate sensitive data sent out over the Internet. When information is distributed with the MD5 signature value, the MD5 program can be used to validate the integrity of the data.

NOTE: The MD5 algorithm is also used in Maresware's Hash program. It provides more information and is more flexible, allowing customized output.


Md5_verify
Calculate the 128 bit MD5 of a "set" of dd output files

This program is similar to the Windows version named sha_verify. It can take a set of files with a sequential extension (.000, .001, .002, etc.) and perform MD5 or SHA1 on the files as if they were a single file. In effect it "merges" the content of the files when performing the calculation.

This is important when trying to confirm that the outputs from a dd, dcfldd, or ntimage program have produced the correct outputs.


Mdir
An "intelligent" alternative to DIR

Be sure to check the help file for additional information about this program.

Mdir gives the user the look and feel of the DOS DIR program but it is designed to facilitate forensic work. It provides more information and greater flexibility in programming the types of files displayed on the screen.

The 32 bit version can also display the 3 file time types generated by WIN95 and WINNT file systems. Under NTFS it can show instances of Multiple Data Streams.


Mktemp

(This is a free program.) Mktemp can be used to create sample test (temporary) files. The files it creates are of known size and content. This is useful when testing software operation on known entities.

The program is capable of creating a number of subdirectories in a tree structure also.

An html help file is not available.

Mod_com
Modify operating system files

Be sure to check the help file for additional information about this program.

(This is a free program.) When booting a computer from a floppy disk with DOS 6.22 or later there is a risk of altering the hard drive if compression programs like DRVSPACE or DBLSPACE are present on the hard disk. Such an alteration is unacceptable in forensic processing.

In order to keep DRVSPACE or DBLSPACE from altering the hard disk the user must change the boot files (IO.SYS, IBMBIO.COM, etc.) so that the operating system doesn’t call the compression software or alter the DRVSPACE.BIN or DBLSPACE.BIN files.

To do this manually you use a hex editor program and remove from the operating system files all references to DRVSPACE or DBLSPACE.BIN. This is time consuming, and creates an opportunity for errors.

Mod_com makes this tedious task simple. It automatically alters all .COM, .SYS, and COMMAND.COM files it finds on the floppy disk A: to eliminate all references to the .BIN files.


Modify
Change a file's attributes

Be sure to check the help file for additional information about this program.

Modify/change file attributes (takes the place of the DOS attrib command.)

The program can change the attributes of files with a simpler command structure than the DOS attrib command. It allows you to change the following: hidden; read/write; archive; and system attributes.


Mouse
Display fixed length records on the screen

Be sure to check the help file for additional information about this program.

Mouse is designed to work on files which have fixed length records and do not have the traditional Carriage Return / Line Feed (CR/LF) characters. It will display the file on the screen based on the record length input by the user. It can also be used to add returns to text files and redirect output to a new file with these returns in it.

Mouse was named as an alternative to the *ix cat command, which displays a file's contents on the screen.


Mxcopy
An XCOPY for diskettes

Be sure to check the help file for additional information about this program, and the Upcopy help file.

Mxcopy has been superseded by the Maresware Upcopy program. However, Mxcopy is being retained because it can be run directly from within and by Maresware's Diskcat program; Upcopy can't.

Mxcopy is designed to do a logical file structure (tree) copy of files on a floppy disk to a subdirectory on a hard drive. It is similar to MS-DOS XCOPY but with enhancements. XCOPY copies most of the files from a floppy to the hard drive. However, it does not copy system hidden files such as MS-DOS.SYS or IBMBIO.COM, etc. For forensic work, these files need to be copied as well. The files copied to the hard disk can then be forensically analyzed.

Mxcopy copies ALL the files from the floppy to the hard drive--regardless of the file attributes. It leaves the original file date and time intact.

For copying from one hard drive directory to another, Maresware's Upcopy program should be used.


Nist_crc

Nist_crc is a program compiled from (slightly modified) source code obtained from the NIST/NSRL web site. The program will compute the CRC, MD4, MD5, and SHA1 of a file. However, the Maresware program Sha_verify is a little more robust than this one.


Ntimage

Be sure to check the help file for additional information about this program.

The Ntimage program is designed to be able to create forensic images (within the capabilities of the OS) while running directly under the NT, W2K, XP operating systems. One use of this program is to image a drive when the system cannot be shut down.

Other capabilities are:

  • Creating a disk to disk clone.
  • Creating an output image file, as a single file or in sections to write to CD.
  • Creating a compressed output file for easier storage.
  • Creating a drive clone while simultaneously creating an image file.
  • Performing CRC32, MD5, SHA1, SHA2 (256, 384, 512 bit) hashes on the drive while imaging.
  • Performing CRC32, MD5, SHA1, SHA2 (256, 384, 512 bit) hashes on the drive independent of the imaging.
  • Performing CRC32, MD5, SHA1, SHA2 hashes on specific sectors of the drive.
  • Wiping the drive.

This program supersedes Ntwipe.

Drives can be restored from any of the image file formats created.

If used in a controlled situation, a hardware write blocker is obviously called for. Mykey Technology has such a hardware write blocker available.

There is currently no working sample of this program available.
To get a demo copy of the program, call Dan Mares at 770-237-8870.

Nt_ss

Be sure to check the help file for additional information about this program.

The Nt_ss program is designed to run under an NT type operating system (XP, W2K, NT) and do one or many simultaneous string searches on a physical drive at the sector level.

Other capabilities are:

  • search for a large number of search strings with little or no performance hit.
  • confirm a drive has been wiped with a single character.
  • create an output file that is fixed in length for import into a spreadsheet.
  • search for file headers indicating possible recovery of files in freespace.

Here is a quote from Ian Henderson at Advanced Forensics:

"I just thought I would let you know I have had some stunning results using NT_SS. Of particular surprise is the speed - I'm typically scanning a 40 GB 5400 speed hard drive for 300 keywords in about 15 minutes. In fact I was sure something was wrong because this seems to exceed the data transfer speed of the drive. Our tests however have shown that NT_SS has found all of our test data.

Is NT_SS really this fast?"



Ntwipe

Be sure to check the help file for additional information about this program.

Wipe data from drives running under NT OS

Ntwipe is designed to be run strictly under the NT operating system. It is designed to wipe out (overwrite) a physical disk that is visible to the operating system.

The purpose is to cleanse and overwrite disks of any data before reusing them. This is an excellent forensic tool for wiping drives.

When operating under a SCSI controller, it will wipe Zip and Jaz disks.

Because of NT's multiprocessing capability, Ntwipe can wipe multiple drives at the same time. One user reported setting up 5 drives in SCSI bays, and wiping all 5 at the same time.

Because the NT operating system is somewhat protective of its physical devices, this program may not be able to wipe the system drive. (NT has some self preservation technology built in.) In order to confidently wipe the NT system drive, you should use Maresware's Declasfy program.

See also the wiping section of Ntimage.


copyright © 1998-2008 by Mares and Company, LLC