Dissector modules
Dissector type modules can do a little more than the extractor type modules: they derive new evidence data from the evidence data that is handed to them. Basically, a dissector dissects a file into one or more files.
antiword
The antiword module is a simple wrapper around the antiword program, used
to extract the text from a Microsoft Word file.
pdftotext
The pdftotext module is a simple wrapper around pdftotext, used to
extract the text from a PDF file.
bzip
The bzip module is a simple wrapper around bunzip2 used to decompress
bzip2 compressed files.
gzip
The gzip module is a simple wrapper around gunzip used to decompress
gzip compressed files.
tar
The tar module is a simple wrapper around tar used to dissect a tar
archive into its components.
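The derivation described in the introduction, applied to the gzip, bzip and tar modules above, as an added example in pure Python (not OCFA's own code): each dissector maps one evidence item to child items that keep a link to their parent. The Evidence class, the magic-byte table and the size cap are assumptions of this example, and the sample archive is constructed inline.

```python
# Added example, not OCFA's own code: an in-process dissector chain mirroring the
# gzip, bzip and tar modules above; each child keeps a link to its parent evidence.
import bz2, gzip, io, tarfile
from dataclasses import dataclass

MAX_CHILD_BYTES = 64 * 1024 * 1024  # assumed cap; guards against decompression bombs

@dataclass(eq=False)
class Evidence:  # hypothetical stand-in for OCFA's evidence record
    name: str
    data: bytes
    parent: "Evidence | None" = None

def _child(parent, suffix, data):
    if len(data) > MAX_CHILD_BYTES:
        raise ValueError(f"{parent.name}: child exceeds {MAX_CHILD_BYTES} bytes")
    return Evidence(f"{parent.name}/{suffix}", data, parent)

def dissect_gzip(ev):
    return [_child(ev, "gunzipped", gzip.decompress(ev.data))]
def dissect_bzip(ev):
    return [_child(ev, "bunzipped", bz2.decompress(ev.data))]
def dissect_tar(ev):
    # Children stay in memory, so a '../' member name is only a label here.
    with tarfile.open(fileobj=io.BytesIO(ev.data), mode="r:") as tf:
        return [_child(ev, m.name, tf.extractfile(m).read())
                for m in tf.getmembers() if m.isfile()]  # dirs/links carry no data

# (magic bytes, offset, dissector): tar keeps its "ustar" magic at offset 257
DISSECTORS = ((b"\x1f\x8b", 0, dissect_gzip), (b"BZh", 0, dissect_bzip), (b"ustar", 257, dissect_tar))

def pick_dissector(data):
    return next((d for magic, off, d in DISSECTORS if data[off:off + len(magic)] == magic), None)

def dissect_all(ev, depth=8):
    """Dissect ev recursively; returns the derivation tree flattened, root first."""
    tree = [ev]
    dissector = pick_dissector(ev.data) if depth > 0 else None
    for child in (dissector(ev) if dissector else []):
        tree.extend(dissect_all(child, depth - 1))
    return tree

def make_sample():  # constructed input: two small text files in a tar, then gzipped
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in (("a.txt", b"alpha"), ("b.txt", b"bravo")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return gzip.compress(buf.getvalue())
```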
zip
The zip module is a simple wrapper around unzip used to dissect a zip
archive into its components.
mailwash
The mailwash module is a wrapper around a Perl script that extracts
files and metadata from e-mail files. This module also works with Unix
mbox files; however, the parent-child relationships will not work as
expected.
sleuthkit
The sleuthkit module is a wrapper around a Perl script that is itself
a wrapper around version 2.04 of The Sleuth Kit. The script
tries to unpack image files (EnCase, dd, AFF) into a directory tree.
Please note that this module is seen as a temporary quick hack to get
support for EnCase and dd images into the Open Computer Forensics
Architecture. In the near future this functionality will move to ocfalib: the storelib will then use libewf
and libaff for direct, efficient storage of EnCase and AFF
files, while the fs abstraction
library will get a loadable module for access to the different
Sleuth Kit libraries. Until these fixes become available, EnCase, dd and
AFF support will be limited to the data-only export provided by the
wrapper script.
strings
The strings module is a simple wrapper around the strings program. It
is used to try to extract text from arbitrary content.