Major features are:
- 32bit application modern, efficient and user-friendly.
- High-performance maximises the benefit of modern machines.
- Extremely fast processing times gigabytes of data can be processed in minutes (actual time dependent upon the amount of data present on the image and the options selected for processing).
- Unattended operation
Efficient and rapid investigation of an image requires initial powerful, accurate and speedy processing of the image file content.
What does GenX do?
GenX is a 32bit application which can Extract or Map an entire image file. GenX provides a translation facility for various file systems which works by using one of two methods:
- Extraction: Extraction of files is performed to enable later examination using viewers/applications of the users choice. Files and other areas contained within the image are extracted. ***
- Mapping: A comprehensive database is created containing information about every file and discrete area within the image.
GenX in extraction mode
In this mode, GenX extracts the data from all of the partitions contained within an image and converts it to a format that is compatible with Windows. The conversion in no way alters the data content but may alter file system structure/information to allow the file to be stored on a Windows file system.
The file extraction method is a very straightforward way of processing an image. However, the mapping mode' of operation described below provides the investigator with maximum flexibility and power and is the most popular method of processing.
GenX in mapping mode
In this mode of operation GenX creates a series of index files that contain the location and details of each file within an image. As with Extraction, Mapping maps all data from other discrete areas of the image. The resulting index files are used by GenText, for further optional indexing, and GenTree to enable the user to view and manage directories, files and other data areas within the image.
Mapping provides all the flexibility required for the serious investigator.
Working in a "forensically safe" environment
By using GenX mapping, the investigator is able to build up a complete picture of the data on the disk. When used in conjunction with GenTree usage patterns can be established, and the files analysed in minute detail.
Most importantly, since this operation is carried out on the image copy of the disk, the original data is never directly accessed and so can never be inadvertently or unknowingly altered in any way. This also means that the user is protected from any viruses that may be present on the image. ***
The File System Concept
Computers store information on a variety of devices. In order to locate information quickly the computer must adhere to some kind of system. This particular system, known as a 'file system' used by a computer can vary because computer systems vary in the way they are used.
Different types of use can require different priorities from a file system. The file system designer has to decide what importance to give to each feature. Some of the more common features are:
- Security: If the computer is being used to hold sensitive information then the file system must provide some means of preventing access by unauthorised users.
- Speed: If the computer is being used for time critical operations then the file system must be able to access files as quickly as possible.
- Consistency: If something goes wrong and the computer crashes then the file system may be left in a damaged state. It can take time to sort out a damaged file system and can be expensive. Some file systems are designed so that whilst the most recent transactions are lost the remaining data can be guaranteed to be in a consistent state.
- Usability: Some file systems place restrictions on the length of filenames. Others are case insensitive. Depending on where the computer is being used this can detract from the machine's usability.
GenX has the ability to:
- Understand and process different file systems.
- Process all files and other areas within the file system.
- Process all areas outside of the file system (allowing potential investigation of deleted partitions, high-level formatted drives, corrupted file systems, etc.).
- Provide a complete log of the file system.
GenX can process the following file systems:
- 12 bit FAT.
- 16 bit FAT.
- 32 bit FAT.
- HPFS High Performance File System (OS/2).
- Novell Netware 3.x.
- Novell Netware 4.x.
- NTFS New Technology File System.
- HFS Hierarchical File System (Mac).
- HFS+ (Mac).
- Archive File System.
- EXT2/3FS (Linux).
As part of our Laboratory Services, our team of software engineers, using our specialised in-house tools and utilities, can handle literally any other type of file system.
GenX will automatically and seamlessly handle standard drive compression utilities such as DoubleSpace, DriveSpace, and many variants of compressed files.
A typical processed file system will result in GenX defining several areas including:
- Files (all files, including hidden, system, swap, spool, temporary etc.).
- Free space areas of the file system not currently allocated for data storage.
- Lost chains areas of the disk allocated to data storage but currently disconnected from the file system.
- Slack space area between the end of a file and the end of the allocation block (cluster) that it occupies.
- System areas areas of a file system reserved for use by the host operating system (e.g. FATs, boot sector etc.).
- Unused areas areas of the disk not allocated to any operating system.
- Containers objects, which exist as a file but internally contain a defined structure, which may represent more files (e.g. DriveSpace, DoubleSpace).
File Undeletion
GenX can automatically undelete files and these fall into two categories:
- Undeleted: Successful retrieval of file directory information (name, size, date and time stamps, starting cluster number etc.) and file content (clusters).
- Deleted: Successful retrieval of file directory information but no file content (clusters have been reused by other newer files).
File Typing
GenX can perform very accurate file typing by using an internal library of modules. File extensions are not to be relied upon and are not used for this purpose.
Flexibility and Control
The GenX processing software gives the user access to a number of extremely powerful processing options, including:
- The ability to process multiple image files in the same run
- The ability to select specific logical drives within a disk image
- File system area selection
- Various methods of file typing
- Automatic creation of file hashes
- Comprehensive logging
The next step of the process is to optionally run GenText, the second stage of processing. This extracts textual data and creates the index files required for word searching.
When both processes have been run, the GenTree investigation software allows the investigation of images in a fraction of the time associated with conventional methods of data investigation.
*** Viruses: If the Extraction method is used, the files are extracted "live" to a local disk or network. Warnings are given regarding the need to virus scan these files, however it is the responsibility of the user to perform virus scanning.
Copyright
Vogon International. All rights reserved.
Home
Page | Investigation
Services | Laboratory Services
| Forensic Systems
