Home > Computer forensics > Says the command line, “I’m not dead yet!”

Says the command line, “I’m not dead yet!”

Dan Mares has been writing command line utilities for computer forensics, ediscovery, and other purposes for years. The quality and capability of each utility demonstrates how long he’s been doing this, and how well he knows these fields. Unfortunately, his site now has a warning that reads “All Maresware is command line driven, and as such has gone out of style so it is being discontinued.” I’m here to say that the command line is a long way from going out of style for a significant number of us.

First off, I went through college earning most of my CS degree on Linux. The command line is an old friend, and stringing processes together with utilities is second nature. But even if you’re fresh out of college and have never seen Linux you will quickly find that the GUI driven tools just don’t cover all of your needs, and probably never will. This is particularly true if you’re working with a client on a small budget or a client who lacks in house litigation support. Why? You can’t deliver your work via load files or an expensive review platform. Instead, you need to send over zip files and massage the contents so they can be reviewed with commonly available applications. But even in large ediscovery and forensics projects, the GUI driven tools don’t give you 100% coverage.

Case in point. Using dtSearch I had identified 700 files spanning four volumes mounted using FTK Imager. The list of files was in a single text file. I needed to pack all of these files up in multiple zip containers due to bandwidth issues for delivery to a client without modifying their MAC times. And, by the way, the filenames weren’t unique so I couldn’t just zip them up, and I couldn’t copy them to one location and then zip up that location. I also couldn’t put them in a traditional evidence container using FTK Imager because the client didn’t have FTK Imager or MIP.

I eventually wrote my own utility that drove xxcopy ’cause robocopy is designed for directories, not files and xcopy doesn’t preserve MAC times and neither of them will take a list of files to work on as a command line option. It got the job done, but I spent a lot of time thrashing around before I stumbled on this.

Enter Dan Mares and the upcopy utility. It has an incredible number of useful options, but for my purposes, three really stood out:

  1. It preserves MAC times
  2. The –flatten option will take a tree structure and copy all the files to a single directory
  3. The –nodupe option will detect duplicate files that would result in name collisions and add a unique suffix to each duplicate file
Using a combination of these features, I was able to copy 700 files from three different volumes into a single destination directory while preserving duplicates.
I spent some time looking through some of Dan’s other tools and was truly impressed. He’s created utilities that solve a lot of problems that confront us on a daily basis and is offering them for free. If you’re at all willing to step away from your GUI, you should check out Dan’s site:

http://www.dmares.com/index.htm (follow the various links in the direct links section.)

Please note that, despite the disclaimer, Dan is still actively supporting his tools and is still very active in the community.

Categories: Computer forensics
  1. May 23, 2011 at 1:29 am

    I concur – command line is not dead! It has many superior features, and in my experience is faster to get a given job done. Case in point, there are many GUI utilities that will copy live files and preserve metadata, but none (again, in my experience) are as fast (as upcopy). Too much overhead. And possibly, choice of programming language.

    I’m glad Dan is still actually supporting his tools. That’s good to know.


  2. May 23, 2011 at 7:44 am

    Great post David, and a good reminder of the power of the CLI. I’ll definitely be checking out Dan Mares’ site.

    One little question though, the client you mention who didn’t have FTK Imager; wasn’t it appropriate in the circumstances to give them the download link and a little tutorial?

    • May 23, 2011 at 11:08 am

      You raise a good point. We explored the possibility of educating the client on FTK Imager but the client didn’t feel comfortable with the additional complexity.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: