guymager
Guymager is a Qt-based forensic imaging tool that produces images in EWF, AFF, and dd formats. It features a user-friendly interface, high imaging speed, and parallel compression for multi-processor systems.
Description
Guymager is designed for forensic acquisition of disk images, supporting multiple image formats including EWF, AFF, and dd. Its primary strengths include an easy-to-use graphical interface, exceptional imaging speed through multi-threaded operations, and comprehensive acquisition metadata logging. The tool is optimized for forensic investigators needing reliable, fast disk cloning in legal and incident response contexts.
Use cases include creating verifiable forensic copies of hard drives, USB devices, and other storage media during digital investigations. It ensures chain-of-custody through detailed logging and hash verification (MD5 and SHA1). Guymager requires root privileges to access physical devices and is particularly effective on modern multi-core systems due to its parallelized engine.
The tool integrates well with other forensic workflows, providing extended acquisition info files that document the imaging process. Configuration is flexible via command-line options or config files, allowing customization for different environments.
How It Works
Guymager employs a multi-threaded architecture separating reading from source devices, hash calculation (MD5 and SHA1), writing to image files, and parallelized compression. This design maximizes performance on multi-processor and hyper-threading systems. It supports EWF, AFF, and dd output formats, with logging to track acquisition details and verify integrity.
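The reader/hasher separation described above can be reused to re-verify a dd (raw) image independently after acquisition. The following is an added example, not Guymager's own code: it reads the image once, computes MD5 and SHA1 in separate threads, and compares them with the values recorded at acquisition time. The function names, chunk size and sample image are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import queue
import tempfile
import threading

CHUNK = 1 << 20  # 1 MiB read size: an assumption for this sketch, not a Guymager setting

def _hash_worker(algo, blocks, results):
    """Consume blocks from one queue until the None sentinel, then store the digest."""
    h = hashlib.new(algo)
    while (block := blocks.get()) is not None:
        h.update(block)
    results[algo] = h.hexdigest()

def hash_image(path, algos=("md5", "sha1")):
    """Read the image once; each digest runs in its own thread on the same blocks."""
    queues = {a: queue.Queue(maxsize=8) for a in algos}  # bounded: reader cannot outrun hashers
    results = {}
    workers = [threading.Thread(target=_hash_worker, args=(a, queues[a], results)) for a in algos]
    for w in workers:
        w.start()
    try:
        with open(path, "rb") as src:
            while block := src.read(CHUNK):
                for q in queues.values():
                    q.put(block)
    finally:
        for q in queues.values():
            q.put(None)  # always release the workers, even if the read failed
        for w in workers:
            w.join()
    return results

def verify_image(path, recorded):
    """Return {algo: bool}: does the recomputed digest match the recorded one?"""
    actual = hash_image(path, tuple(recorded))
    return {a: hmac.compare_digest(actual[a], recorded[a].strip().lower()) for a in recorded}

if __name__ == "__main__":
    data = os.urandom(3 * CHUNK + 123)  # constructed stand-in for a small dd image
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(data)
    recorded = {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}
    print("intact :", verify_image(img.name, recorded))
    with open(img.name, "r+b") as f:  # simulate a single altered byte in the image
        f.seek(CHUNK)
        f.write(bytes([data[CHUNK] ^ 0xFF]))
    print("altered:", verify_image(img.name, recorded))
    os.remove(img.name)
```

This applies only to dd images, where the file content is the raw device data; EWF and AFF containers need a format-aware reader before hashing.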
Installation
sudo apt install guymager
Flags
Examples
guymager log=my.log
guymager cfg=template.cfg
guymager cfg=my.cfg CompressionThreads=4
guymager
guymager log=/custom/path/guymager.log cfg=/custom/path/guymager.cfg
sudo guymager