Computer Forensics and Data Analysis
Software Training Services  
Maresware Programs D through F

Includes: Dateconv / Dater / Diskcat / EML_Process / Eventlog / Filbreak / Filsplit / Findrecl

All programs are command line programs.
MUST be run within a command window as administrator.


Be sure to check the help file for additional information about this program.

Is a simple program used to convert the long value of a date (ie 912345678) to a traditional month day year, date format.

It provides the time in GMT (UTC), and local time. It also displays a timezone, if one is set on the computer.

 |  Get the 32bit .exe file  |  View the html help file.  | 

Quickly adds a calendar program to the screen.

Be sure to check the help file for additional information about this program.

A simple program to place the date, time and calendar on the screen. It can also create the date and time in single string format to be sent to programs for use in determining current date.

Can also interpret and printout Julian dates.

Of course, the 32 bit version is more verbose than the 16 bit free version.

 |  Get the 16bit .exe file  |  Get the 32bit .exe file  |  View the html help file.  | 

Wipe drives according to DOD specifications

Be sure to check the help file for additional information about this program. and the Ntimage help file.

Drive wiping with Declasfy can serve many purposes where information security is a concern. For example: preparing drives for internal reuse; securing private information prior to retirement or donation of a drive; securing private information for compliance with HIPAA and other regulatory requirements.

The program is designed to "wipe" hard disks to meet Department of Defense standards from the Rainbow series concerning declassification (wiping) of hard disks and cleansing of floppy disks. Declasfy writes the entire disk with hex 0s, then 1s (0xff), then random characters or symbols. DOD standards currently specify a minimum of 5 overwrites; Declasfy defaults to perform 3 overwrites each time, so it should be instructed to run twice (-w option) to meet current DOD standards.

Declasfy finishes the wiping job completely, finding sectors on the drive that many other wipe programs may not report. It uses LBA addressing whenever possible to "search out" those sectors. With LBA drives, there are often extra sectors( from 1 to a few thousand) on the drive after the formatting process. These extra sectors could contain information that Declasfy finds and wipes. (Always check for extra sectors. Here's how: Format a drive to NTFS file system then use a sector editor to look after the last sector that Windows NT will access.)

The Speed of operation of Declasfy is totally dependent on a number of factors. In our tests using a 20 Gig hard drive, running at 5200 RPM on an 400 MHZ CPU, we averaged about 2 minutes per Gigabyte for a single pass. (A single pass means overwriting the drive only once, not the required 3 or 5 times for DOD specs.). We urge anyone comparing wipe times to be certain they have all the facts regarding the parameters (hardware and CPU specifications, and actual number of passes) used during the wipe process. In other tests on a top end computer using using SATA drives, Declasfy has wiped (single pass) a 240 GIG SATA drive in just over an hour.

A note of caution about certificates of wiping: Maresware's Declasfy has been proven one of the most effective wiping programs available. It was designed for and is used in many high-security environments. However, we do not provide a wiping "CERTIFICATE" stamp or banner on processed drives as many wiping programs do. Here's why: No software program can provide a meaningful certification that the drive was successfully wiped. That would require a complete, independent review of the wiped drive. In fact, the only thing any wiping program can actually "certify" is that it has been run. Therefore, we believe that to provide a certificate of successful wiping is misleading and engenders a false sense of security.

Without an examination of the processed drive there cannot be an absolute certainty that it was completely wiped. A wiping program can't certify that there were no hardware problems during processing. It can't certify that there was no interference from other software on the system. For instance: because of the tendency for Windows to assert control over a program, when any program is run in a Windows environment, the operation may not run according to specifications. Any of these factors could result in a drive that was processed, but not completely wiped. So, it is impossible to certify a drive as fully wiped without an independent examination of the processed drive. And while this level of risk is usually quite acceptable, sometimes it is not; for those occasions we suggest the solution below.

Wiping Verification: When very high security levels require an absolute level of proof of wiping, we use the following procedure: (1) run Maresware's Declasfy or Ntimage (with the wipe option) twice(which will meet or exceed Department of Defense standards); (2) examine the wiped drive, using a separate, appropriate software program. We use and recommend Maresware's Ss or Nt_ss program to independently confirm the successful operation of any wiping procedure, including our own.

Program assessments and reviews

You will find Declasfy in the DOD assessed product list which was published in January 2002. You can download the list from the right side of the screen (Guidance section).

The original "free" version 2.05.12 (circa 1992) has been evaluated by the U. S. Air Force Cryptologic Support Center, Kelly AFB, San Antonio, TX, and is listed under Project Assessment Report #92-502, 23 June 1992. It has been evaluated, tested and complies with DOD Green book standards for declassifying hard disks. This version is no longer supported by the author. (quite frankly, you wouldn't want it even if it was).

As of 4/1999 it has been replaced by the upgraded version. (which handles large drives, and HPA). The upgraded version has not been evaluated by any testing agency. (Air Force, and NSA don't do this any more). However all efforts were made to keep it in compliance with the required standards. Because of the date of the assessed products list (Jan. 2002), you will find that many of the versions listed there are no longer available and have either been eliminted or replaced by newer versions. Programs that perform the required operation of wiping disks like any other software must be constantly upgraded to keep up with technology. For this reason, the current version of declasfy that is available is not the one posted in the 2002 list. There are two current versions available: for commercial use: version 4.01.xx, and for law enforcement and site license: version 3.01.xx. They are both virtually identicle, with the exception of the internal licensing schemes.

Current Licensing Structure

As of May 2009, I have opened up the declasfy program, and the 16 bit version download should allow you to use it on any machine without registration. However, since it is 16 bit, it is extremely slow.

 |  Get the .exe file  |  View the html help file.  | 

Disable the computer keyboard on seized evidence computers

Be sure to check the help file for additional information about this program.

After a computer is seized it is critical to ensure that no one tampers with it while it is classified as evidence.

Disable is placed in either the config.sys file (a separate program is used to accomplish this), or the autoexec.bat file of a bootable floppy disk. Then when the computer attempts to boot from the floppy drive Disable disables all keyboard activity and places a message on the screen indicating that this computer is seized evidence.

Caveat: Always take these three precautions:
First, make certain the computer is set to boot from the A: drive(this is set in the BIOS).
Second, consider using a DOS 5.x or before OS on the disk. This will eliminate the ability to interrupt the boot process with the function keys.
Third, consider sanitizing the OS using Maresware's Mod_com utility to make certain the OS doesn't call any disk compression or other programs from the C: drive. This is partially to ensure no writes to the hard drive are attempted during bootup.

Note: the warning message can also be customized to tell the user who to contact.

Disable turns off all keyboard activity, thus disabling the CTRL-ALT-DEL, and CTRL-C keys to break out of the program and restart the computer.

The only way to stop the Disable program is to shut off the computer's power.

The auxiliary program Dis_labl is used to insert the "brand" into Disable. Or you can use the command line:
disable disable.exe

Check the help file for all the instructions before using this program.

 |  Get the disable.exe file  |  Get the dis_labl.exe program to brand disable  |  View the html help file.  | 


Catalogs all files on disks

Be sure to check the help file for additional information about this program.

Diskcat is short for "disk cataloguer.' It creates a listing (catalog) of all files and/or directories on a hard or floppy disk. With its many options, the operation can be customized to your needs. It is especially useful for forensic purposes and for file maintenance. Output is a fixed length record and database compatible(for further analysis/sorting.) Among its many capabilities, it can:

  • Create a MD5 of all files.
  • Check the headers of each file based on 4 logical operators(see the [+-hH] options) for match or mismatch.
  • Find files based on:
    • specific dates (date created, modified, or accessed)
    • size
    • name
    • attributes
  • Search for files meeting specific criteria(can be "programmed").
  • Execute "some" DOS command on each identified file.
    • Run pkzip -v on all zip files thus showing the contents of all zip files.
    • Run any user-designed batch file.
    • Delete specified files (based on user-specified date, size, name and or attribute.)
  • Tag each output record with a label specifying which disk contained that file.
  • Identify NTFS encrypted files.
  • Display all file attributes in the listing.
  • Use the -88 option to add the LongFileName to the end of the record.

 |  GET the 16 bit .exe FILE  |  GET the 32 bit .exe  | GET the 64 bit .exe
View the html help file.  | 

Forensic copies of diskettes

Be sure to check the help file for additional information about this program, and the Ntimage help file.

The Diskimag program has 3 components. It is designed to make a copy or copies of suspect floppy disks onto a hard drive for analysis. It can also be used to make a copy of a disk onto a hard drive which can later be restored to as many floppies as necessary.

After you have copied the contents of the disk to the hard drive, you can use Maresware's Strsrch to search for strings in the file(s) that are created(this is much faster than searching the diskette).

Diskimag is also capable of running other programs which allow you to do the following: catalog the files using Maresware's Diskcat or Hash; do a logical file copy of the directory structure to a hard disk; check for a Mirror file on the floppy.

The reverse operation can be used to restore the image to a new floppy disk(convenient for producing identical copies for distribution or evidence uses).

The program can create self-replicating images in the form of an exe file, and can also compress the images if necessary. Using the compression saves a lot of space when tranmitting to another location.

 |  GET the 16 bit .exe FILE  |  View the html help file.  | 

Disk Crc
Calculate the 32 bit CRC, MD5, or SHA of a physical disk

Be sure to check the help file for additional information about this program, and the Ntimage help file.

Disk_crc reads the contents of a disk, floppy or hard disk and produces a 32 bit CRC, 128 bit MD5, or 160 bit SHA representing the hash of that disk. This value can be used later as a reference to verify that the contents of the disk have/have not been changed.

Disk_crc can also create a hash of a section (specified sectors) of a disk. This is useful to calculate the values of partitions.

The program is useful for validating evidence using the following procedure: Use Disk_crc to create a reference CRC of a suspect disk drive. Then, using a backup of the physical disk, generate a second CRC from the backup copy. If the original(reference) CRC and the second CRC are identical, then the copy is an authentic copy of the original.

We always recommend independently confirming the operation of any copy or imaging program. If the imaging program has internal confirmation, and there is a flaw in the implementation, the confirmation will never fail.

Other uses of Disk_crc:

  • Check for altered data anytime: Create a reference CRC; then at any later time create another comparison CRC. Any difference would indicate altered data.
  • Verify that a copy of a floppy disk is an exact copy.
  • Detect where an alteration has occurred on a hard disk.

 |  GET the 16 bit .exe FILE  |  View the html help file.  | 


Process/filter eml files to obtain header items

This program takes eml files, and parses the header information identifying key header fields. Those fields are then used to create a record (for each eml file processed) that is delimeted so you can import the data to spreadsheets.

The output can also be sent to Verticle  to reform the fields to seperate lines.

 |  GET the .exe FILE  |  View the html help file.  | 


Clean up NT eventlog output

Be sure to check the help file for additional information about this program.

The text output from NT eventlogs is not easily manipulated or evaluated and is difficult to import into databases. Eventlog will take the output of an NT security eventlog and reformat it to single lines, so it contains pipes for importing into a database or spreadsheet.

The program also creates a "pipefix" parameter file which will give fixed length output. See the description of pipefix for how to create fixed length records.


 |  GET the 32 bit .exe FILE  |  View the html help file.  | 


Reformats the record structure of a file

Be sure to check the help file for additional information about this program.

Filbreak will allow you to select sections of an input record and put them into an output record of a different format. You select fields of the input record, rearrange them, then write them to a new output record formatted to your specifications. Filbreak can also process ebcdic, packed decimal, and signed fields which may show up in files obtained from mainframe COBOL generated data files.

You can use this program to create a data record formatted as if it were a final report. Then use a word processor, or copy the output directly to a printer. Used in conjunction with Maresware's Pagefmt you can create on-the-fly text reports easily, without the use of a data base.

(Many of the Filbreak operations are also available in Maresware's Search program.)

 |  Get the .exe  |  View the html help file.  | 

Split/break a file into pieces

Be sure to check the help file for additional information about this program.

Filsplit allows you to copy a section of records from an input file and place them to an output file. You can select: a chunk of records from within the file; a random sample of every nth record; or a specific number of characters.

The sections thus split can then be used as a sample of the original file to test your processing procedures.

Records are split according to command line options input by the user.

If needed, you can "trick" the program into using a false record size in order to copy the desired number of characters to the output. So, you do not have to use the actual record size, but can specify any number of characters as a record.

 |  Get the .exe  |  Get the 32 bit .exe  |  View the html help file.  | 

Find the record length of fixed length files

Be sure to check the help file for additional information about this program.

Anyone who works with mainframe data knows that there is usually no record delimeter (i.e., carriage return/line feed). That makes working with these files on a PC difficult. Findrecl simplifies the transition by finding the record length of fixed length data files.

This program assumes that the files do not have line/record delimiters. Also, files must not have any padding at the end of the file.

If the files are carriage return delimited, the carriage return will dictate the file size.

 |  GET the .exe  |  View the html help file.  | 


Home  |  Whats New  |  How to Order  |  Training  |  Services  |
About Us  |  FAQs  |  Articles  |  Resources  |  Legal Notices  |  Contact Us  |
Files A-C  |  Files D-F  |  Files G-K  |  Files L-O  |  Files P-S  |  Files T-Z  |
 |  SoftwareData Analysis Software  |  Forensic Processing Software  |  Linux Processing Software  |
copyright 1998-2013 by Mares and Company, LLC