REM **************************************************************************** REM Project: GUYMAGER REM **************************************************************************** REM Programmer: Guy Voncken REM Police Grand-Ducale REM Service de Police Judiciaire REM Section Nouvelles Technologies REM **************************************************************************** REM Main configuration file REM **************************************************************************** REM Copyright 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 REM Guy Voncken REM REM This file is part of Guymager. REM REM Guymager is free software: you can redistribute it and/or modify REM it under the terms of the GNU General Public License as published by REM the Free Software Foundation, either version 2 of the License, or REM (at your option) any later version. REM REM Guymager is distributed in the hope that it will be useful, REM but WITHOUT ANY WARRANTY; without even the implied warranty of REM MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the REM GNU General Public License for more details. REM REM You should have received a copy of the GNU General Public License REM along with Guymager. If not, see . REM ATTENTION REM --------- REM Do not edit this file; put all your changes into /etc/guymager/local.cfg instead! REM See the notes at the end of this file. SECTION GUYMAGER REM How this configuration file works REM --------------------------------- REM Guymager user interface REM ----------------------- REM REM The parameter Language contains the language code (for example 'de', 'fr', 'en'). If Guymager doesn't REM find the corresponding language file it switches to english instead. Contact the author of Guymager if REM your language is missing. The language files are named guymager_xx.qm, where xx is the language code. REM If you installed a Debian package, they can be found in directory /usr/share/guymager. REM Set the parameter Language to AUTO in order to detect the language in use on your system automatically. REM REM CheckRootRights decides whether or not Guymager shows the user a warning dialog when starting it without REM root rights. REM REM The StartupXxx parameters configure the position and size of the main guymager window at startup. REM StartupSize can be set to one of the following: REM STANDARD Let the X-Window manager choose what it thinks is best REM MAXIMISED or MAXIMIZED Maximum size REM FULLSCREEN Maximum size and take away the title bar REM MANUAL Use the values specified for StartupSizeManualX, StartupSizeManualY, REM StartupSizeManualDx and StartupSizeManualDy. REM The final result always slightly depends on the X-Window manager in use. For instance, there might be REM window managers that can't distinguish MAXIMISED and FULLSCREEN. REM REM The dialog that appears when chooosing the image destination path can be adjusted in a similar way by REM of the parameters FileDialogSize, FileDialogSizeManualDx, FileDialogSizeManualDy. Unfortunately, this REM only works when using the alternative file dialog, not the Qt file dialog (see UseFileDialogFromQt REM below). REM REM NumberStyle influences the way how numbers are displayed in guymager. There 3 possible values: REM Locale Use the value of the system LOCALE to determine the format (set the LANG environment REM correctly). REM DecimalComma The format would look like 78.234,56 (normal format) REM DecimalPoint The format would look like 78,234.56 (unusual american format) REM Remark: Using Locale, more differences are possible. Thus, with the environment variable LANG set to REM fr_FR, the number would be displayed as 78 234,56 (space as thousands separator). Setting NumberStyle REM to something else than Locale is not recommended (you may use it if you are too lazy to set up your REM LANG variable correctly). REM REM ScreenRefreshInterval [ms] Some screen fields (speed, remaining time, ...) are refreshed regularly. REM ScreenRefreshInterval specifies how often this should occur. REM REM UseFileDialogFromQt When set to Yes, guymager uses the standard Qt file/directory selection dialogs. REM There once was a Qt version with a bug in its dialog and an alternative dialog REM was quickly added to guymager. The bug should have gone by now and this REM configuration parameter should be set to Yes (the Qt dialogs are better then REM the alternative programmed by the author of guymager). REM Adjusting the dialog size (see configuration parameters FileDialogSize, REM FileDialogSizeManualDx and FileDialogSizeManualDy) only works with the REM alternative dialog. REM REM WarnAboutImageSize Check if image would fit uncompressed to the destination at the moment where REM the acquisition is started. If not, show a warning. REM REM WarnAboutSegmentFileCount Check if the number of segment files would exceed 14972 if the data was stored REM uncompressed in EWF format. If yes, show a warning. Remark: The 14972th segment REM would have the file extension ZZZ and thus, more than 14972 segments may lead to REM problems as there is no clear standard for EWF file names. REM REM DeleteAbortedImageFiles In case an acquisition/verification is aborted, Guymager opens a confirmation dialog REM containing a checkbox for knowing what to do with the already created image files. REM This configuration parameter allows to set the checkbox default: REM Yes - The checkbox is ticked (image files will be removed). REM No - The checkbox is not ticked (image files will be kept). REM Auto - Guymager sets the tick if the acquisition was aborted while still running REM (i.e. the image was incomplete) and doesn't if aborted during verification. REM REM AutoExit This parameter controls the default setting of the menu point "Misc/Exit" after REM all acquisitions have completed. REM REM AutoExitCountdown = 60 If the autoexit feature becomes active (i.e. the menu flag is set and the acquisitions REM end), a popup appears with a countdown. AutoExitCountdown allows to set start value REM of the countdown (in seconds). Language='auto' CheckRootRights=yes StartupSize = MANUAL StartupSizeManualX = 130 StartupSizeManualY = 250 StartupSizeManualDx = 1000 StartupSizeManualDy = 500 FileDialogSize = MANUAL FileDialogSizeManualDx = 800 FileDialogSizeManualDy = 500 NumberStyle=Locale ScreenRefreshInterval = 1500 UseFileDialogFromQt = Yes WarnAboutImageSize = Yes WarnAboutSegmentFileCount = Yes DeleteAbortedImageFiles = Auto AutoExit = Off AutoExitCountdown = 60 REM Table Fonts REM The font configuration table allows choosing own fonts for different GUI elements of Guymager. The left REM most column of the table below specifies the object. It may be one of the following: REM Menu The main Guymager menus, its submenus as well as the table popup menu. REM Toolbar The toolbar just below the menu bar. REM Table The main Guymager table and the table shown in the clone dialog. REM InfoField The information field in the lower part of the Guymager window. REM AcquisitionDialogs The dialogs for normally acquiting and cloning devices. REM MessageDialogs Other message dialogs. REM DialogData Dialogs with data areas (such as the device info dialog) use this font for REM their data area. A monospaced font should be used, for example 'Courier' or REM 'Ubuntu Mono'. All other parts of the dialog are using the font specified REM under MessageDialogs. REM The remaining table columns specify the font to use (Family, Size, Weight and Italic). Column 'Italic' REM may contain YES or NO. Weight is a number between 0 and 100. The following weights are copied from REM the Qt documentation: REM Light 25 REM Normal 50 REM DemiBold 63 REM Bold 75 REM Black 87 REM In order to use the default system font comment out the correspdong line or indicate an empty REM family name. TABLE Fonts None REM Object Family Size Weight Italic REM --------------- -------------------------------------------- REM Menu 'Arial' 8 75 no REM Toolbar 'Arial' 8 75 no REM Table 'Arial' 8 75 no REM InfoField 'Arial' 8 75 no REM AcquisitionDialogs 'Arial' 8 75 no REM MessageDialogs 'Arial' 8 75 no REM DialogData 'Courier' 8 50 no ENDTABLE REM Table Columns REM This table controls the columns that are to be shown in the main Guymager table as well as in the clone REM dialog. The table reflects the column order, i.e. the top most column in the configuration table is shown REM as the first one left in the GUI. Columns may also be repeated in order to have them displayed more REM than once. REM ColumnName The column name reference. This may be one of the following: SerialNr, LinuxDevice, REM Model, NativePath, ByPath, Interface, State, AdditionalStateInfo, Size, HiddenAreas, REM BadSectors, Progress, AverageSpeed, TimeRemaining, FifoUsage, SectorSizeLog, SectorSizePhys, REM CurrentSpeed, Examiner and UserField. See below for further details on column UserField. REM Alignment Alignment inside the table cell: LEFT, RIGHT or CENTER. REM MinWidth On startup, Guymager gives every column the size it needs for showing its contents. But REM certain columns change their content length while Guymager is running. As it might be REM annoying to enlarge the corresponding column manually everytime its text gets longer, REM this parameter allows for setting a bigger intial width than the one used normally. REM Set to 0 for default width. REM ShowInMainTable Decides whether the column should be shown in the main table; set to ON or OFF. REM ShowInCloneTable Decides whether the column should be shown in the clone dialog table; set to ON or OFF. REM Eventhough each one of the columns might be set to ON, there's no sense in switching on REM columns like CurrentSpeed, for example, as the clone dialog is not updated dynamically. REM REM The purpose of the special column UserField is to provide the user with a field for its own remarks. For REM example, some people use Guymager in machines connected to disk racks. They take UserField for entering the REM disk slot number in order to have a better overview. The column name may be configured to any string: REM REM UserFieldName Specify the name that should be displayed for the UserField column. If the string is left REM empty, the column's name simply is 'UserField'. REM REM AdditionalStateInfoName Similar to UserFieldName, this parameter allows for changing the name of the REM column AdditionalStateInfo. Leave it empty for the default name. REM REM Two parameters allow for setting the initial sort order REM TableSortColumn Column number, starting at 1. REM TableSortOrder Accepted values are Ascending and Descending. TABLE Columns None REM ColumnName Alignment MinWidth ShowIn ShowIn REM MainTable CloneTable REM ------------------------------------------------------------------------------ 'SerialNr' LEFT 0 YES YES 'LinuxDevice' LEFT 0 YES YES 'Model' LEFT 0 YES YES 'NativePath' LEFT 0 NO NO 'ByPath' LEFT 0 NO NO 'Interface' LEFT 0 NO NO 'State' LEFT 200 YES NO 'AdditionalStateInfo' LEFT 0 NO NO 'Size' RIGHT 0 YES YES 'HiddenAreas' RIGHT 0 YES NO 'BadSectors' RIGHT 0 YES NO 'Progress' LEFT 0 YES NO 'AverageSpeed' RIGHT 0 YES NO 'TimeRemaining' CENTER 0 YES NO 'FifoUsage' LEFT 0 YES NO 'SectorSizeLog' LEFT 0 NO NO 'SectorSizePhys' LEFT 0 NO NO 'CurrentSpeed' LEFT 0 NO NO 'UserField' LEFT 0 NO NO 'Examiner' LEFT 0 NO NO ENDTABLE UserFieldName = '' AdditionalStateInfoName = '' TableSortColumn = 1 TableSortOrder = Ascending REM Table Colors REM The table contains color settings for different items on the screen: REM LocalDevices Color to be used for marking local devices (i.e. devices with serial numbers found in REM configuration table LocalDevices, see above) in the user interface. The whole row gets REM this color. REM AdditionalStateX (where X is a number) Devices maybe marked by this color depending on the values in REM the additional state info. See description of configuration parameter REM CommandGetAddStateInfo for more information. REM REM All other entries refer to the colored dot of the acquisition state field for reflecting the current state: REM StateIdle Nothing has been done with this device yet. REM StateAcquire Acquisition running REM StateAcquirePaused Acquisition interrupted (device cannot be accessed any longer) REM StateVerify Verfication running REM StateVerifyPaused Verfication interrupted (device cannot be accessed any longer) REM StateCleanup Acquisition has been aborted by user and Guymager is removing partial files REM StateFinished Finished successfully REM StateFinishedBadVerify Finished, but the MD5 check while re-reading the source after acquisition failed. REM This state only can occur if MD5 verification was switched on in the acquisition dialog. REM StateAbortedUser Acquisition or verification aborted by user. Not an error, as it is the user's wish. REM StateAbortedOther Acquisition or verification aborted for some other reason (for instance, if writing to REM the destination fails). This is an error. TABLE Colors None REM Color R G B REM ---------------------------------------- LocalDevices 255 197 189 AdditionalState1 186 255 174 AdditionalState2 255 254 137 AdditionalState3 255 213 66 AdditionalState4 255 126 126 StateIdle 255 255 255 StateQueued 186 206 253 StateAcquire 15 73 205 StateAcquirePaused 255 150 0 StateVerify 78 132 255 StateVerifyPaused 255 150 0 StateCleanup 228 0 255 StateFinished 54 255 0 StateFinishedBadVerify 255 30 0 StateFinishedDuplicateFailed 255 234 0 StateAbortedUser 255 255 255 StateAbortedOther 255 30 0 ENDTABLE REM Image creation REM -------------- REM REM EwfCompression The compression level for EWF images. Possible values are: REM None No compression at all, images become very big. Not recommended. REM Empty With this setting, Guymager does no compression, except if a block contains REM zero bytes only. Such blocks are replaced by their compressed equivalent. REM Optimal settings for slow systems. REM Fast Fast Z compression. Optimal setting for most imagers. REM Best Best Z compression. Images normally become slightly smaller than REM with setting "Fast", but CPU load grows heavily. Not recommended. REM REM EwfCompressionThreshold This threshold indicates a minimal compression ratio that must be achieved or else the REM data is stored uncompressed. The default value is 0.999 which means, that a chunk will REM be stored compressed if the compressed data is less than 99.9% in size of the original REM data. This parameter has been added to avoid mmessages about "inefficiency" in XWF. REM REM EwfNaming EWF images are subdivided into segments, starting with extension E01 for the first REM segment. Subsequent segments get the filename extension E02-E99, then EAA-EZZ, then REM FAA-ZZZ. After that, it is unclear how to continue (there is no clear standard for the REM EWF file naming). REM Guymager supports two ways for naming segments beyond ZZZ: REM Old Continue with ZZZxxx, where xxx represents characters from 000 to ZZZ in base36 REM notation (i.e. 0-9 and A-Z). After that, it would continue with ZZZxxxx and so on. REM Guymager version <= 0.6.9 used this naming scheme. REM FTK After ZZZ follows E14972, E14973 and so on. This naming system is the default for REM Guymager version 0.6.10 and later. REM Attention: This parameter only has effect if EwfFormat is set to Guymager. REM REM AffEnabled Simson Garfinkel, the inventor of the AFF format, recommends not to use AFF any longer. REM Therefore, this switch has been introduced and it is 'false' by default. You might use EWF REM instead. REM Switch AffEnabled on in case you need to generate AFF images. REM REM AffCompression The compression level for AFF images. Valid range: 1 - 9. A value of 1 results in a REM fast, minimal compression and 9 in a slow, high compression. REM See aff documentation for more information. REM REM AffMarkBadSectors Aff supports a possibility for marking bad sectors. If this parameter is enabled and REM a bad sector is encountered, then the bad sector is written with a special content to REM the image ("BAD SECTOR\0" followed by 501 random bytes). If this parameter is disabled, REM then bad sectors are replaced by 512 zero bytes. REM This parameter only influences images in AFF format. REM REM SpecialFilenameChars By default, guymager only allows the characters a-z, A-Z, 0-9 and _ to figure REM in the image filenames. If you wannt to allow special chars and you are sure REM that your destination file system can handle them, you might add them to REM the parameter SpecialFilenameChars. Example: SpecialFilenameChars = '.- ' REM would allow you to use the characters . and - as well as spaces. REM REM CalcImageFileMD5 Switch the parameter on in order to have Guymager calculate the MD5 hashes of the image REM file(s). The calculation is done over the whole file(s), not just the contents. REM NOTE: The MD5 hashes are calculated during image verification and therefore, it only REM is done if the checkbox for image verification is set in the acquisition dialog window. REM Switching this parameter on is interesting for checking the individual files of an image. REM REM The Guymager info file can be passed directly to md5sum for image file verfication. In case REM you want to do so, please observe one detail: The info file uses CR/LF for beginning a new REM line (the reason is that many Windows applications fail badly when using the LF standard). REM Therefore, do not use md5sum -c myimage.info but one of the following commands: REM cat myimage.info | tr -d '\r' | md5sum -c REM or REM cat myimage.info | dos2unix | md5sum -c REM Both do the same: Eliminate the DOS-CR and pass the rest to the md5sum command. You REM may ignore md5sum's warnings about improperly formatted lines (these are simply the all REM the other text lines found in the info file). REM REM DuplicateImage Enable Guymager to produce duplicate images, i.e. generate two identical images during REM an acquisition. When switched on, the acquisition dialog has an additional button named REM "Duplicate image...". REM Switch this parameter off if you always want to do single images. REM REM DirectoryFieldEditing The destination directory for images and info files normally is selected by mouse by means REM of a dialog and the directory field is not directy editable. This is the safest way as it REM ensures that you never a select a non-existent directory. REM Switch this parameter on if you like to be able to directly type the directory path into REM the corresponding field. This might be a faster solution for people who know their REM directories by heart. At the same time it's less safe in case of typos. REM If ever you enter a non-existent directory then Guymager by default asks if you would like REM to create it (see parameter ConfirmDirectoryCreation). REM REM AllowPathInFilename The parameter is switched off by default and entering parts of the path in the filename field REM is forbidden. In case you think in relative paths it might be interesting to switch this REM parameter on and thus allow entering parts of the path together with the filename. REM Example: You set the directory field to "/mycases/case_0815/images" and enter the filename REM "JohnDoe/Laptop". The image/info files would then be stored under REM "/mycases/case_0815/images/JohnDoe/Laptop.xxx". REM REM ConfirmDirectoryCreation If ever the entered destination directory does not exist, Guymager tries to create it. If REM this parameter is switched on then Guymager only does so after asking the user. When set to REM 'off' it automatically creates the directories without asking. REM Attention: Setting this parameters to 'off' might lead to uncontrolled directory creation in REM case of typing errors. REM Normally, this parameter only has an effect if DirectoryFieldEditing or AllowPathInFilename REM are switched on. Otherwise, the destination directory should always exist as it has been selected REM by the file selection dialog and thus doesn't need to be created (except in the unlikely case REM where the directory had been deleted in the meantime). REM REM AvoidEncaseProblems Encase produces strange error messages if the EWF internal fields "Imager Version" and REM "OS Version" contain more than 11 or 23 characters, respectively. Leave this flag OFF REM if you don't work with Encase (default setting). Set it to ON if ever you work with REM Encase and want to avoid the Encase problems. REM REM AvoidCifsProblems Some NAS systems have problems for closing files (function fclose) when running under heavy REM load (i.e., running several acquisitions in parallel, for example). This may result in REM acquisitions aborting with errors. The problem only has been observed on systems attached via REM Cifs/Samba so far. NFS systems seem to run fine. When switching parameter AvoidCifsProblems REM on, Guymager flushes and synchronizes buffers before closing image files, thus avoiding the REM error. The downside is a performance loss, which can be reduced by choosing a large image REM file segment size. EwfCompression = FAST EwfCompressionThreshold = 0.999 EwfNaming = FTK AffEnabled = false AffCompression = 1 AffMarkBadSectors = TRUE SpecialFilenameChars = '' CalcImageFileMD5 = off DuplicateImage = on DirectoryFieldEditing = off AllowPathInFilename = off ConfirmDirectoryCreation = on AvoidEncaseProblems = off AvoidCifsProblems = off REM Acquisition dialog REM ------------------ REM DefaultFormat This parameter decides, which forensic format should be chosen by default for the REM first acquisition after starting Guymager. For subsequent acquisitions, the format REM of the previous acquisition will be selected by default. REM Possible values are Raw (same as DD), AFF and EWF. DefaultFormat = EWF REM InfoFieldsForRaw The raw format has no possibility for storing meta information about an image. Hence, the REM fields examiner, notes, etc. usually are greyed out in the acquisition dialog when selecting REM raw format. By switching on this parameter, those entry fields become available for raw images REM also. The strings entered will then be written to the info file. InfoFieldsForRaw = disabled REM The parameters below all refer to the acquisition dialog entry fields. Let us explain the different REM fields first. There are 2 fields related to image file fragmentation: REM SplitFileSwitch Decides whether the image file fragmentation is on or off. For EWF images, it REM is always on and for AFF images always off. For raw images, the user may choose REM himself. REM SplitFileSize The max. size of the fragments (sometimes called segments) in MiB. The maximum REM value for EWF images is 2047. REM 2047 is a good choice. For EWF images, the number of files will be reduced to REM the minimum. For raw images, the fragments stay below the FAT limitation (2GiB). REM There are 5 fields defined by the EWF file format, their names are self-explaining: REM EwfCaseNumber REM EwfEvidenceNumber REM EwfExaminer REM EwfDescription REM EwfNotes REM Guymager uses these fields when choosing the EWF or the AFF format. When choosing the raw format, they REM are of no use except if parameter InfoFieldsForRaw is switched on. REM REM There are 4 other important entry fields in the acquisition dialog: REM DestImageDirectory The directory that will be used for storing the image files REM DestInfoDirectory The directory that will be used for storing the info file REM DestImageFilename The filename of the image files (without the extension) REM DestInfoFilename The filename of the info file (without the extension) REM REM Finally, there are some checkboxes in the acquisition dialog that are controlled by the following REM entry fields: REM HashCalcMD5 The checkbox for MD5 hash REM HashCalcSHA1 The checkbox for SHA-1 hash REM HashCalcSHA256 The checkbox for SHA-256 hash REM HashVerifySrc The checkbox for the source verification (re-read source and chek if it REM returns the same data than during acquisition) REM HashVerifyDst The checkbox for the imager verification (read and check the image after REM the acquisition has been done) REM REM For each one of these fields, there is an entry in configuration table DlgAcquireField. It has the REM following structure: REM FieldName The name of the field, as indicated above REM REM EntryMode Determine the bevahiour of each field; the following entry modes are available: REM Hide The corresponding field is not shown in the acquisition dialog. REM Nevertheless, it exists and it is always set to its default value REM (see below). This mode useful if a certain EWF field always should REM be filled in with the same standard value. REM REM ShowDefault The field is visible in the acquisiton dialog and it is automatically REM filled in with the default value. REM REM ShowLast The field is shown in the acquisiton dialog. When the acquisition REM dialog is opened for the first time after guymager startup, the field REM is filled in with the default value. On subsequent acquisition dialog REM appearances, the field contains the value entered previously (which REM may still be the default value, if it was not edited). REM REM DefaultValue The default value for the field. It may contain any text you like (for the checkboxes: See REM below). Guymager knows several special sequences, that will be replaced automatically. REM See "Special Tokens" below. REM REM Checkboxes: Simply put '1' if you want to have the checkbox enabled or '0' for having it REM disabled. Attention: Putting other values may lead to unpredictable results. REM REM Note that each and every field must be contained exactely once in the configuration table DlgAcquireField. REM REM *** Example A *** REM TABLE DlgAcquireField NoName REM REM Field Entry Default REM REM name mode value REM REM ------------------------------------------------------------------------- REM ... REM 'EwfNotes' Hide 'Acquisition done by guymager %version%' REM ... REM ENDTABLE REM The field EwfNotes would not be shown in the acquisition dialog. As it has a default value, it would always REM be initialised with that string. The special sequence %version% would be replaced and the string written to REM the EWF image files would be sometheing like 'Acquisition done by guymager 0.3.1' REM REM *** Example B ** REM TABLE DlgAcquireField NoName REM REM Field Entry Default REM REM name mode value REM REM ------------------------------------------------------------------------- REM ... REM 'EwfExaminer' Show 'Marc Cramlowski acquired it on %d%. %MMMM% %yyyy%' REM ... REM ENDTABLE REM With this setting, the acquisition dialog would open up with the examiner field preset to REM something similar to 'Marc Cramlowski acquired it on 6. December 2020' TABLE DlgAcquireField NoName REM Field Entry mode Entry mode Default REM name image clone value REM ------------------------------------------------------------------------------------ 'SplitFileSwitch' ShowLast Hide '1' 'SplitFileSize' ShowLast Hide '2047' 'SplitFileUnit' ShowLast Hide 'MiB' 'EwfCaseNumber' ShowLast Hide '' 'EwfEvidenceNumber' ShowDefault Hide '' 'EwfExaminer' ShowLast Hide '' 'EwfDescription' ShowDefault Hide '' 'EwfNotes' ShowDefault Hide '%serial%' 'UserField' Hide Hide '' 'DestImageDirectory' ShowLast Hide '' 'DestInfoDirectory' Hide ShowLast '' 'DestImageFilename' ShowDefault Hide '' 'DestInfoFilename' ShowDefault ShowDefault '' 'HashCalcMD5' ShowLast ShowLast '1' 'HashCalcSHA1' ShowLast ShowLast '0' 'HashCalcSHA256' ShowLast ShowLast '0' 'HashVerifySrc' ShowLast ShowLast '0' 'HashVerifyDst' ShowLast ShowLast '1' ENDTABLE REM There is a another configuration table, DlgAcquireRule, which allows to copy the contents of some REM fields automatically to others while typing. The entries in this table are processed one after the REM other everytime you hit a key in any of the 8 fields. REM REM TriggerFieldName The trigger field is field where the action happens (i.e. which has the focus REM while you are typing). If the trigger field name doesn't match, the the line REM is ignored. If it matches, we have a trigger and Guymager does what the rest REM of the line says. REM REM DestinationFieldName On trigger, this field will be filled in with the value indicated in column REM Value. REM REM Value The string to be written to the field DestinationFieldName if there's a trigger. REM The value may contain the same special sequences than the ones described REM above. Additionally, there are special sequences for referring to other fields. REM These are constructed by putting the field name between two percent signs (for REM example '%EwfNotes%') REM REM *** Example A *** REM The info filename should always be the same than the image filename, i.e. when typing in the field REM for the image filename, the contents should automatically be copied to the field for the info REM filename: REM TABLE DlgAcquireRule NoName REM REM Trigger Destination Value REM REM field name field name REM REM ---------------------------------------------------------------------- REM 'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%' REM ENDTABLE REM Read the entry like this: Everytime a key in DestImageFilename is hit, refresh DestInfoFilename with the REM value %DestImageFilename%, which would be interpreted as a special sequence and corresponds to the REM contents of DestImageFilename. REM It still would be possible to edit the info filename separately and thus different image and info REM filenames. REM REM *** Example B *** REM Like example A, but do the same when editing te info filename; when typing in it, the image filename REM should be changed to the new name typed for the info file: REM TABLE DlgAcquireRule NoName REM REM Trigger Destination Value REM REM field name field name REM REM --------------------------------------------------------------------- REM 'DestInfoFilename' 'DestImageFilename' '%DestImageFilename%' REM ENDTABLE REM REM *** Example C *** REM Set the info field to the examiner name, the case name plus the date: REM TABLE DlgAcquireRule NoName REM REM Trigger Destination Value REM REM field name field name REM REM ---------------------------------------------------------------------------------------------- REM 'EwfExaminer' 'EwfNotes' 'Acquired by %EwfExaminer for case %EwfCaseNumber% on %d%.%MM%.%yyyy%' REM 'EwfCaseNumber' 'EwfNotes' 'Acquired by %EwfExaminer for case %EwfCaseNumber% on %d%.%MM%.%yyyy%' REM ENDTABLE REM Note that we have to enter the same value twice here, as we have 2 triggers. TABLE DlgAcquireRule NoName REM Trigger Destination Value REM field name field name REM ---------------------------------------------------------------------- 'DestImageDirectory' 'DestInfoDirectory' '%DestImageDirectory%' 'DestImageFilename' 'DestInfoFilename' '%DestImageFilename%' ENDTABLE REM Special tokens REM -------------- REM Guymager uses special tokens whenever text needs to replaced automatically according to the user's instructions. REM Currently, these tokens are used in the configuration tables DlgAcquireRule and DlgAcquireField, RunStats module REM and configuration parameter CommandAcquisitionEnd. REM Date and time tokens REM %d% the day as a number without a leading zero (1 to 31) REM %dd% the day as a number with a leading zero (01 to 31) REM %ddd% the abbreviated localized day name (e.g. 'Mon' to 'Sun') REM %dddd% the long localized day name (e.g. 'Monday' to 'Sunday') REM %M% the month as a number without a leading zero (1-12) REM %MM% the month as a number with a leading zero (01-12) REM %MMM% the abbreviated localized month name (e.g. 'Jan' to 'Dec') REM %MMMM% the long localized month name (e.g. 'January' to 'December') REM %yy% the year as two digit number (00-99) REM %yyyy% the year as four digit number REM REM %h% the hour without a leading zero (0 to 23 or 1 to 12 if AM/PM display) REM %hh% the hour with a leading zero (00 to 23 or 01 to 12 if AM/PM display) REM %m% the minute without a leading zero (0 to 59) REM %mm% the minute with a leading zero (00 to 59) REM %s% the second without a leading zero (0 to 59) REM %ss% the second with a leading zero (00 to 59) REM %z% the milliseconds without leading zeroes (0 to 999) REM %zzz% the milliseconds with leading zeroes (000 to 999) REM %AP% use AM/PM display. %AP% will be replaced by either "AM" or "PM". REM %ap% use am/pm display. %ap% will be replaced by either "am" or "pm". REM Remark: The date/time tokens have been copied from Trolltech's Qt documentation. REM REM Static tokens REM %Version% Guymager software version REM %MacAddr% MAC address of the 1st ethernet card found REM %HostName% Computer's host name REM REM Device / acquisition related tokens REM %Dev% Device, for example /dev/sdf REM %Size% Device size in bytes REM %SizeHuman% Device size in human readable format (e.g. '247G', '32M') REM %SizeHumanNoSep% Like %SizeHuman%, but wihtout thousands separator REM %State% The acquisition state REM %ExtendedState% The acquisition state as shwon in the main GUI REM %Serial% Serial number of the device REM %Model% Device model REM %LocalDevice% Device is part of the local PC, value is YES or NO (see configutaion table LocalDevices) REM %CurrentSpeed% Current speed, unit MB/s REM %AverageSpeed% Average speed, unit MB/s REM %Progress% Progress, unit % REM %TimeRemaining% Estimated time remaining to accomplish acquisition (format hh:mm:ss) REM %BadSectors% Number of bad sectors REM %HiddenAreas% The information about hidden areas as shown in the GUI REM %SplitFileSize% File size of image fragmnets REM %VerifySrc% Verify source, value is YES or NO REM %CalcMD5% MD5 calculation enabled, value is YES or NO REM %CalcSHA1% SHA1 calculation enabled, value is YES or NO REM %CalcSHA256% SHA256 calculation enabled, value is YES or NO REM %Clone% Device is cloned, MD5 value is YES or NO REM %Duplicate% A duplicate image is written, value is YES or NO REM %UserField% Contents of the user field REM %AddStateInfo% Additional state information REM The following tokens are related to the acquisition dialog input fields. They all exist a second time with a "2" REM appended, for example "%CaseNumber%" and "%CaseNumber2%". The second one only is set if %Duplicate% is YES. It's empty REM otherwise. REM %CaseNumber% Case number \ REM %Examiner% Examiner | as entered in the REM %EvidenceNumber% Evidence number | corresponding field REM %Description% Description | of the acqusition dialog REM %Notes% Notes / REM %Image% Path and file name of image REM %InfoFile% Path and file name of .info file REM %VerifyDst% Verify image, value is YES or NO REM REM Not all tokens are meaningful in every position. For example, there's no sense in specifying token %Progress% REM in configuration table DlgAcquireRule, as the acquisition is not even started yet when the acquisition dialog REM is shown. REM REM The special token %DEVICE_BLOCK% only can be used for the Runstats module. See the description of the RunStats REM module below. REM Guymager internals REM ------------------ REM REM Device list scanning REM -------------------- REM DeviceScanMethod Guymager knows 3 methods for getting the list of the available memory devices: The old one, REM that uses libparted, the new one that uses DBUS/HAL and the even newer one that uses REM DeviceKit-Disks. Select your method by setting this parameter to: REM REM libudev The newest method (recommended for Ubuntu >= 15.10). See remarks for REM UDisks below. REM REM DBusDevKit or UDisks Recommended for 9.04 <= Ubuntu <= 15.04. You need a Linux system REM supporting UDisks for this setting. In older versions, UDisks was named REM DeviceKit (in Ubuntu 9.04 and 9.10 for instance). From guymager's point REM view, UDisks and DeviceKit are both the same. Newer distributions switched REM from UDisks to UDisks2, but UDisks2 is incompatible and unusable. Guymager REM therefore should be run with libudev on those systems. REM REM DBusHAL Use the previous method (recommended for systems like Ubuntu 8.10). REM REM libparted Use the old method. It was observed that the internal scan function hung REM while an acquisition was running. This leads to the problem that the devices REM shown in guymager possibly cannot be updated while an acquisition is running. REM When using this method, the command specified in configuration parameter REM CommandGetSerialNumber (see below) is used for finding the serial number of REM each device (not really elegant). Again, DBusHAL is the recommended setting. REM When choosing an unsupported scan method, Guymager shows the user a dialog asking to fall back REM to a supported one. REM REM CommandGetSerialNumber is used to extract the serial number from a device when setting DeviceScanMethod to libparted (not REM recommended). When choosing another scan method, the command will never be called, except if parameter REM ForceCommandGetSerialNumber is set (see below). The placeholder %dev in the command string will be replaced REM by the device (/dev/hda or /dev/sdc for instance). Examples: REM CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "' REM CommandGetSerialNumber = 'bash -c "hdparm -I %dev | grep -i ''Serial Number'' | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "' REM REM ForceCommandGetSerialNumber Use CommandGetSerialNumber not only when DeviceScanMethod is libparted, but also for others. This REM can be interesting in case wrong serial numbers are displayed, which was observed to happen with REM certain USB adapter devices. REM REM CommandGetAddStateInfo contains the command to be executed in order to gather additional state information. By default, CommandGetAddStateInfo REM simply is an empty string and no additional information is read nor displayed. If set, the command executed REM is expected to return its information in three separate lines (separated by \n): REM 1st line: Information text. This text is displayed in the device specific screen area of Guymager REM (bottom area of the main window). REM 2nd line: A value of 0 tells Guymager that the device cannot be acquired. Guymager forbids the REM acquisition of the device in that case. Any other value enables device acquisition. REM If this parameter is missing, the device can be acquired. REM 3rd line: An integer number indicating the color to be used for marking the device. The number REM refers to the colors named AdditionalStateX in the configuration table Colors (see REM above), where X corresponds to the color returned by the command. If this parameter REM is missing, the default color (wite) is used. REM The command may include the two placeholders %dev and %local which will be replaced accordingly. See REM the description of CommandGetSerialNumber above for the use of %dev. %local will be replaced by 1 REM if the %dev refers to a local device and 0 otherwise. REM REM If you plan to use this feature, you may do a first test with the configuration setting REM CommandGetAddStateInfo='bash -c "/usr/share/guymager/stateinfo.sh %dev"' REM where the file /usr/share/guymager/stateinfo.sh is executable and contains the lines REM echo "Moie Welt! - $1" REM echo "0" REM echo "2" REM REM CommandAcquisitionEnd The command given is called whenever an acquisition ends. Guymager knows several special tokens (chraracter sequences) REM that will be replaced automatically. See "Special tokens" above. REM The parameter is left empty by default and no script called in that case. REM REM ScanInterval Speficies how often an automatic device scan (for detecting newly connected devices) REM should launched. Unit: Seconds. Keep in mind, that the device scan can be launched as well manually. REM REM QueryDeviceMediaInfo Guymager has the possibility to gather extended media info about the connected devices. The media info REM mainly includes HPA/DCO settings. Some non-standard devices do not expect the corresponding ATA REM commands and may even need to be resetted when trying to query media info. In such cases, REM QueryDeviceMediaInfo may be switched off. By default, it is on. REM REM DirectIO Decides whether Guymager reads data in direct IO mode or not. Normally, direct mode should be a little REM faster, but it was observed that reading from SSDSs may be much slower in direct mode. The default REM setting therefore is "off". REM IMPORTANT: REM Linux does not read single sectors when DirectIO is off. While this is good for speed, it's a REM problem for disks with bad sectors ("contagious error"). Therefore, Guymager switches DirectIO REM on when it encounters bad sectors, disregarding the DirectIO configuration parameter. After REM the bad sectors area has been read, it switched back to the configured DirectIO mode. REM See also www.elsevierscitech.com/pdfs/Contagious_errors.pdf for more information about the REM contagious error problem. DeviceScanMethod = libudev CommandGetSerialNumber = 'bash -c "smartctl -i %dev | grep -i serial | awk ''{print $3 $4 $5 $6 $7 $8 $9}'' "' ForceCommandGetSerialNumber = false CommandGetAddStateInfo = '' CommandAcquisitionEnd = '' ScanInterval = 6000 QueryDeviceMediaInfo = on DirectIO = off REM The RunStats module allows to forward information about Guymager's current state to users or applications. REM Principally, Guymager takes a user provided template file, modifies its contents according to the REM instructions given in the template file and writes the result to the output file. The template and output REM are specified by the parameters RunStatsTemplateActive and RunStatsOutput. REM REM RunStatsTemplateActive contains the filename for the active template, i.e. the template used when Guymager REM is running. When Guymager ends, it modifies the output file one last time just before exiting according to REM the contents of another template file, specified by parameter RunStatsTemplateEnded. If parameter REM RunStatsTemplateEnded is empty or doesn't point to a valid file, Guymager leaves the output with the content REM it last wrote before exiting. REM REM The template file may contain special tokens which are to be replaced by Guymager. All other text is REM transferred directly to the output file. Tokens always start and end with the % character, see "Token list" REM above. REM REM The token %DEVICE_BLOCK% is specififc to the Runstats module. This token must appear twice in the RunStats REM template file. The part in between is repeated as many times as there are devices shown in Guymager's main REM device table. REM REM If you installed Guymager from a Debian package (usual way for installing programs on a Debian, Ubuntu REM or other Debian based system) you find examples of RunStats template files in /usr/share/doc/guymager/ REM or /usr/share/doc/guymager-beta/ . REM REM Parameter RunStatsInterval specifies how often the output file is to be updated (unit: seconds). Guymager REM reads the template at startup and after every 10 output file updates, thus allowing for template file changes REM to in the appear in the output file without restarting Guymager. REM REM In order to switch off the Runstats module, set RunStatsInterval to 0 ot set the active template or output REM file to an empty string. RunStatsTemplateActive = '' RunStatsTemplateEnded = '' RunStatsOutput = '' RunStatsInterval = 60 REM Other settings REM -------------- REM Block sizes: Guymager works internally with threads for doing the different jobs (read, hash calculation, compression, REM write) and forwards the data in blocks through fifos from one thread to another. The block size may be adjusted individually REM for the different forensic formats. There's only one exception: When using EWF with mult-threaded compression the block size REM is 32768 bytes (32KB). REM It is recommended to use a multiple of kilobytes or megabytes for the block sizes, because the block size corresponds to size REM of the data read at once from the source drive and most drive's caches perform best with such "round" numbers. So, if you want REM to work with a block size of 10 kilobyte, specify 10240 (instead of 10000). REM REM FifoBlockSizeRaw The block size for raw (dd) images (in bytes). Recommended value: 262144 (256K). REM REM FifoBlockSizeEWF The block size for EWF images (in bytes). Recommended value: 32768 (32K). ATTENTION: Tests have shown REM that the software "X-Ways Forensics" is not able to handle EWF images with a block size above 256K. Thus, REM the recommended maximum value for FifoBlockSizeEWF is 262144. REM REM FifoBlockSizeAFF The block size for AFF images (in bytes). Recommended value: 16777216 (16M). REM REM FifoMaxMem The amount of memory used for the internal FIFO queues of an acquisition. The value is indicated in REM Megabytes. If you set it to 0, Guymager uses 1/8 of the available RAM, maximally 64MB per acquisition. REM Keep in mind, that the total amount of memory used by Guymager may be much higher: With a value of REM 256 and 4 acquisitions running in parallel, a total of 1GB RAM would be used by Guymager - only for REM the FIFOs, not counting the overhead required by Guymager and the libs it uses. REM The recommended value is 0 (automatic memory usage calculation). REM REM CompressionThreads The number of threads for parallel compression. The recommended value is the number of processors. REM This parameter has a significant performance influence when working with compressed file format REM (EWF format). It has no impact on other formats (dd). REM Set to AUTO will use the number of CPUs installed in the system (recommended). REM Set to 0 for disabling multi-threaded compression and build EWF file the conventional way. REM REM BadSectorLogThreshold This parameter has been introduced in order to prevent Guymager from writing excessively big log files REM when acquiring devices with many (millions) bad sectors. As soon as the threshold has been reached, REM Guymager does not any longer log every single bad sector it encounters but only logs from time to time. REM The number of log entries after reaching BadSectorLogThreshold depends on parameter BadSectorLogModulo. REM When setting BadSectorLogModulo to 1000, then only every 1000th bad sector will be logged after reaching REM BadSectorLogThreshold. REM A value of 0 deactivates the bad sector log threshold feature. REM REM BadSectorLogModulo Only active if BadSectorLogThreshold is not zero. REM See BadSectorLogThreshold for explanations. REM REM LimitJobs Limit the number of acquisitions running in parallel to the value specified in this parameter. If REM the number of acquisitions started exceeds the value given by LimitJobs, the ones started last are REM queued and will be held until a former acquisition ends. REM The reason for this parameter is that some users observed degraded performance with heavy SATA IO load. REM They claimed, that the overall performance is better when limiting the number of parallel jobs. However, REM the author of Guymager has not been presented any performance test results up until now. REM Setting this parameter OFF results in starting acqusitions immediately. A value of AUTO corresponds REM to half the number of CPUs installed, with a maximum of value 4. REM REM JobMaxBadSectors Only active if LimitJobs is ON. REM With the introduction of the job queue, a problem arises with faulty disks. It could happen that healthy REM disks are not going to be acquired because of faulty disks blocking the job queue. JobMaxBadSectors prevents REM from this by ending acquisitions exceeding the given number of bad sectors. REM Set JobMaxBadSectors to 0 in order not to end acquisitions because of bad sectors. REM REM JobDisconnectTimeout Only active if LimitJobs is ON. REM See remarks for JobMaxBadSectors. JobDisconnectTimeout works in a similar way. It ends acquisitions REM which have been in state "disconnected" (i.e. which can no longer be accessed) for too long. REM Set JobDisconnectTimeout to 0 in order not to end acquisitions because of switching to state REM disconnected. Unit: Seconds. FifoBlockSizeRaw = 262144 FifoBlockSizeEWF = 32768 FifoBlockSizeAFF = 16777216 FifoMaxMem = 0 CompressionThreads = AUTO BadSectorLogThreshold = 0 BadSectorLogModulo = 1000 LimitJobs = OFF JobMaxBadSectors = 200 JobDisconnectTimeout = 10000 REM Debug settings REM -------------- REM SignalHandling For debug purpose only. Switch off SignalHandling only when working with debuggers (gdb). REM Recommended value: Enabled. REM REM UseMemWatch For debug purpose only. Uses the memwatch malloc/free functions for finding dynamic memory problems. REM Creates a file named memwatch.log when enabled in the directory where guymager is started. MemWatch REM may slow down guymager significantly. REM SignalHandling = Enabled UseMemWatch = false REM Device info commands REM -------------------- REM In order to get a complete set of information for each acquired drives, guymager executes several standard Linux REM commands. These commands are contained in the list named DeviceInfoCommands, see below. They are executed when REM - selecting the "Info" menu point for a device (results are shown in a dialog window) REM - starting an acquisition (results are written to the .info file) REM They are executed in the order they appear. The string %dev will be replaced by the corresponding device path REM (i.e. /dev/sdb for instance). Examples of interesting commands: REM 'bash -c "smartctl -s on %dev ; smartctl -a %dev"' -- for switching SMART interface on and showing SMART info REM 'bash -c "hdparm -I %dev"' -- for showing other identification info TABLE DeviceInfoCommands NoName REM Command REM ------------------------------------------- 'bash -c "search="`basename %dev`: H..t P.......d A..a de.....d" && dmesg | grep -A3 "$search" || echo "No kernel HPA messages for %dev""' 'bash -c "smartctl -s on %dev ; smartctl -a %dev"' 'bash -c "hdparm -I %dev"' 'bash -c "CIDFILE=/sys/block/$(basename %dev)/device/cid; echo -n "CID: " ; if [ -e $CIDFILE ] ; then cat $CIDFILE ; else echo "not available" ; fi "' REM 'bash -c disk_stat %dev' ENDTABLE REM Tables LocalDevices and HiddenDevices REM The local devices may be entered here. Guymager will mark them colored and will not allow to acquire them. The REM table allows for entering the Linux device path, serial number, model, native path or by path. Examples: REM '/dev/sda' REM 'S042J10XC57542' REM REM Table HiddenDevices works the same way, except that devices listed here won't appear at all in the Guymaer GUI. REM REM LocalHiddenDevicesUseRegExp defines whether the given strings for local and hidden devices should be interpreted REM as regular expressions or not. Example: With LocalHiddenDevicesUseRegExp switched on, the following string would REM match all loop devices in the range 10-15 (i.e. /dev/loop10 .. /dev/loop15): REM '/dev/loop1[0-5]' REM REM For both (reg. exp. on and off) the comparison is case independent. LocalHiddenDevicesUseRegExp = false TABLE LocalDevices NoName REM Device REM ------------------------------------------- ENDTABLE TABLE HiddenDevices NoName REM Device REM ------------------------------------------- ENDTABLE REM Below we include a local configuration file. All entries in the local configuration file will override the ones above. REM REM If ever you want to change some of the settings above, don't do it directly here, as all your changes would be REM gone when installing a new version of guymager. Edit /etc/guymager/local.cfg instead. INCLUDE_OPTIONAL /etc/guymager/local.cfg INCLUDE_OPTIONAL ./local.cfg ENDSECTION