GENERAL FORENSIC

NUMEROUS LINKS TO COMMERCIAL & OPEN SOURCE FORENSIC TOOLS

http://www.forensics.nl/tools

NUMEROUS LINKS TO COMMERCIAL & OPEN SOURCE FORENSIC TOOLKITS

http://www.forensics.nl/toolkits

AIDE

http://www.cs.tut.fi/~rammer/aide.html

AIDE (ADVANCED INTRUSION DETECTION ENVIRONMENT) IS A FREE REPLACEMENT FOR TRIPWIRE. IT CREATES A DATABASE FROM THE REGULAR EXPRESSION RULES IN ITS CONFIG FILE. ONCE THIS DATABASE IS INITIALIZED IT CAN BE USED TO VERIFY THE INTEGRITY OF THE FILES. IT HAS SEVERAL MESSAGE DIGEST ALGORITHMS (MD5, SHA1, RMD160, TIGER, HAVAL, ETC.) THAT ARE USED TO CHECK THE INTEGRITY OF EACH FILE, AND MORE ALGORITHMS CAN BE ADDED WITH RELATIVE EASE. ALL OF THE USUAL FILE ATTRIBUTES CAN ALSO BE CHECKED FOR INCONSISTENCIES. IT CAN READ DATABASES FROM OLDER OR NEWER VERSIONS.
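The baseline-then-check cycle described above, as an added example written for this page (not AIDE's own code). The rule letters, the first-match rule precedence and the JSON database layout are this example's simplifications, not AIDE's real config or database format; the directory tree and the "intrusion" it detects are constructed inline.

```python
"""AIDE-style integrity baseline and check (added example, not AIDE's own code)."""
import hashlib
import json
import os
import re
import stat
import tempfile

# Rules as (regex on the root-relative path, attributes to record). The letters
# loosely follow AIDE's config (p=perms u=uid g=gid s=size m=mtime i=inode);
# digest algorithms are recorded by name. First matching rule wins, which is a
# simplification of AIDE's own precedence logic (an assumption of this example).
DEFAULT_RULES = [
    (r"^etc/", {"p", "u", "g", "s", "m", "i", "md5", "sha256"}),
    (r"^bin/", {"p", "u", "g", "s", "m", "i", "sha256"}),
    (r"^var/log/", {"p", "u", "g"}),  # logs are expected to grow: no size/hash
]
SIMPLE = {"p": "perm", "u": "uid", "g": "gid", "s": "size", "m": "mtime", "i": "inode"}


def _digests(path, algos):
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def _record(path, attrs):
    st = os.lstat(path)
    values = {"perm": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid,
              "size": st.st_size, "mtime": int(st.st_mtime), "inode": st.st_ino}
    rec = {SIMPLE[a]: values[SIMPLE[a]] for a in attrs if a in SIMPLE}
    algos = sorted(a for a in attrs if a not in SIMPLE)
    if algos and stat.S_ISREG(st.st_mode):  # never follow symlinks into other files
        rec.update(_digests(path, algos))
    return rec


def build_db(root, rules=DEFAULT_RULES):
    """Walk root and record every file a rule covers (what `aide --init` does)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for pattern, attrs in rules:
                if re.search(pattern, rel):
                    db[rel] = _record(full, attrs)
                    break
    return db


def compare(baseline, current):
    """Diff two databases (what `aide --check` reports)."""
    changed = {}
    for path in baseline.keys() & current.keys():
        diffs = sorted(k for k, v in baseline[path].items() if current[path].get(k) != v)
        if diffs:
            changed[path] = diffs
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": changed}


def save_db(db, path):
    """Write the database; return its SHA-256 so it can be pinned off-host."""
    data = json.dumps(db, sort_keys=True).encode()
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def load_db(path, expected_sha256):
    """Refuse a baseline whose digest no longer matches the off-host copy."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("baseline database tampered with or corrupted")
    return json.loads(data)


def demo():
    """Constructed tree: baseline it, tamper like an intruder would, re-check."""
    root = tempfile.mkdtemp()
    for d in ("etc", "bin", "var/log"):
        os.makedirs(os.path.join(root, d))
    files = {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
             "bin/ls": b"\x7fELF original\n", "var/log/syslog": b"boot\n"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    dbfile = os.path.join(root, "aide.db")  # matched by no rule, so not self-listed
    pinned = save_db(build_db(root), dbfile)
    # Intrusion: same-size trojaned binary, new helper, log growth, deleted file.
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b"\x7fELF trojaned\n")
    with open(os.path.join(root, "bin/.helper"), "wb") as f:
        f.write(b"#!/bin/sh\n")
    with open(os.path.join(root, "var/log/syslog"), "ab") as f:
        f.write(b"more lines\n")
    os.remove(os.path.join(root, "etc/passwd"))
    return compare(load_db(dbfile, pinned), build_db(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The trojaned binary is the same size as the original, so only the digest catches it; the log rule deliberately records no size or hash, so normal growth does not raise noise. Two caveats that apply to AIDE itself: an intruder who can rewrite files can usually rewrite the baseline database too, so pin its digest (or the whole database) off-host or on read-only media, and prefer SHA-256 or stronger over MD5/SHA1 for new baselines.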

ARGUS

http://www.qosient.com/argus/

ARGUS IS A FIXED-MODEL REAL TIME FLOW MONITOR DESIGNED TO TRACK AND REPORT ON THE STATUS AND PERFORMANCE OF ALL NETWORK TRANSACTIONS SEEN IN A DATA NETWORK TRAFFIC STREAM. IT PROVIDES A COMMON DATA FORMAT FOR REPORTING FLOW METRICS SUCH AS CONNECTIVITY, CAPACITY, DEMAND, LOSS, DELAY, AND JITTER ON A PER TRANSACTION BASIS. THE RECORD FORMAT THAT ARGUS USES IS FLEXIBLE AND EXTENSIBLE, SUPPORTING GENERIC FLOW IDENTIFIERS AND METRICS, AS WELL AS APPLICATION/PROTOCOL SPECIFIC INFORMATION.

THE CORONER'S TOOLKIT (TCT)

http://www.porcupine.org/forensics/tct.html

TCT IS A COLLECTION OF PROGRAMS BY DAN FARMER AND WIETSE VENEMA FOR A POST-MORTEM ANALYSIS OF A UNIX SYSTEM AFTER BREAK-IN.

DCFLDD

http://dcfldd.sourceforge.net/

DCFLDD IS AN ENHANCED VERSION OF GNU DD WITH FEATURES USEFUL FOR FORENSICS AND SECURITY. BASED ON THE DD PROGRAM FOUND IN THE GNU COREUTILS PACKAGE, DCFLDD HAS THE FOLLOWING ADDITIONAL FEATURES:

  • HASHING ON-THE-FLY - DCFLDD CAN HASH THE INPUT DATA AS IT IS BEING TRANSFERRED, HELPING TO ENSURE DATA INTEGRITY.
  • STATUS OUTPUT - DCFLDD CAN UPDATE THE USER ON ITS PROGRESS IN TERMS OF THE AMOUNT OF DATA TRANSFERRED AND HOW MUCH LONGER THE OPERATION WILL TAKE.
  • FLEXIBLE DISK WIPES - DCFLDD CAN BE USED TO WIPE DISKS QUICKLY AND WITH A KNOWN PATTERN IF DESIRED.
  • IMAGE/WIPE VERIFY - DCFLDD CAN VERIFY THAT A TARGET DRIVE IS A BIT-FOR-BIT MATCH OF THE SPECIFIED INPUT FILE OR PATTERN.
  • MULTIPLE OUTPUTS - DCFLDD CAN OUTPUT TO MULTIPLE FILES OR DISKS AT THE SAME TIME.
  • SPLIT OUTPUT - DCFLDD CAN SPLIT OUTPUT TO MULTIPLE FILES WITH MORE CONFIGURABILITY THAN THE SPLIT COMMAND.
  • PIPED OUTPUT AND LOGS - DCFLDD CAN SEND ALL ITS LOG DATA AND OUTPUT TO COMMANDS AS WELL AS FILES NATIVELY.
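The hashing, multiple/split output and verify features listed above, reimplemented as an added example for this page (not dcfldd's code, and not a substitute for it). The part-naming scheme, the per-window digest list and the one-byte "damage" to the mirror copy are this example's own constructions.

```python
"""dcfldd-style acquisition: stream copy with on-the-fly hashing, hash windows,
split and multiple outputs, and a bit-for-bit verify pass (added example)."""
import hashlib
import os
import tempfile


class SplitWriter:
    """Writes a stream to base.000, base.001, ... of at most `split` bytes each
    (split=None writes a single file), like dcfldd's split= option."""

    def __init__(self, base, split=None):
        self.base, self.split, self.parts, self.fh, self.used = base, split, [], None, 0

    def write(self, data):
        while data:
            if self.fh is None or (self.split and self.used >= self.split):
                if self.fh:
                    self.fh.close()
                name = f"{self.base}.{len(self.parts):03d}" if self.split else self.base
                self.fh, self.used = open(name, "wb"), 0
                self.parts.append(name)
            room = len(data) if not self.split else min(len(data), self.split - self.used)
            self.fh.write(data[:room])
            self.used += room
            data = data[room:]

    def close(self):
        if self.fh:
            self.fh.close()


def image(src, outputs, split=None, algo="sha256", hashwindow=None, bs=1 << 16):
    """Copy src to every output at once, hashing the stream as it passes.
    hashwindow=N also keeps a digest per N-byte window (dcfldd's hashwindow=),
    so a later mismatch can be localised without re-reading the source."""
    whole, window, in_window, windows, total = hashlib.new(algo), hashlib.new(algo), 0, [], 0
    writers = [SplitWriter(p, split) for p in outputs]
    with open(src, "rb") as f:
        for chunk in iter(lambda: f.read(bs), b""):
            whole.update(chunk)
            total += len(chunk)
            for w in writers:
                w.write(chunk)
            pos = 0
            while hashwindow and pos < len(chunk):
                take = min(len(chunk) - pos, hashwindow - in_window)
                window.update(chunk[pos:pos + take])
                pos, in_window = pos + take, in_window + take
                if in_window == hashwindow:
                    windows.append(window.hexdigest())
                    window, in_window = hashlib.new(algo), 0
    if in_window:
        windows.append(window.hexdigest())
    for w in writers:
        w.close()
    return {"bytes": total, algo: whole.hexdigest(), "windows": windows,
            "parts": [w.parts for w in writers]}


def verify(src, parts, bs=1 << 16):
    """Bit-for-bit comparison of src with the concatenation of parts.
    Returns (True, None) or (False, offset of the first differing byte)."""
    offset = 0
    with open(src, "rb") as f:
        for part in parts:
            with open(part, "rb") as p:
                for chunk in iter(lambda: p.read(bs), b""):
                    ref = f.read(len(chunk))
                    if ref != chunk:
                        i = next((i for i, (a, b) in enumerate(zip(ref, chunk)) if a != b),
                                 min(len(ref), len(chunk)))
                        return False, offset + i
                    offset += len(chunk)
        if f.read(1):
            return False, offset  # image is shorter than the source
    return True, None


def demo():
    """Constructed 1 MiB 'drive', imaged to two outputs; one copy then gets a bit flip."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "sdb")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 4096)
    r = image(src, [os.path.join(d, "evidence.dd"), os.path.join(d, "mirror.dd")],
              split=300_000, hashwindow=256 * 1024)
    with open(src, "rb") as f:
        r["reference"] = hashlib.sha256(f.read()).hexdigest()
    good = verify(src, r["parts"][0])
    with open(r["parts"][1][1], "r+b") as f:  # damage byte 1234 of mirror.dd.001
        f.seek(1234)
        b = f.read(1)[0]
        f.seek(1234)
        f.write(bytes([b ^ 0xFF]))
    bad = verify(src, r["parts"][1])
    return r, good, bad


if __name__ == "__main__":
    r, good, bad = demo()
    print(r["bytes"], r["sha256"], len(r["parts"][0]), "parts", good, bad)
```

With the real tool the same run is `dcfldd if=/dev/sdb hash=sha256 hashwindow=256K split=300000 of=evidence.dd` followed by `dcfldd if=/dev/sdb vf=evidence.dd`. Whatever tool is used, acquire through a write blocker and record the source digest with the image: a digest computed only over the copy proves nothing about the drive it came from.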

EEYE BINARY DIFFING SUITE (EBDS)

http://research.eeye.com/html/tools/RT20060801-1.html

THE EEYE BINARY DIFFING SUITE (EBDS) IS A FREE AND OPEN SOURCE SET OF UTILITIES FOR PERFORMING AUTOMATED BINARY DIFFERENTIAL ANALYSIS. THIS BECOMES VERY USEFUL FOR REVERSE ENGINEERING PATCHES AS WELL AS PROGRAM UPDATES.

THE FIRST TOOL IS BDS, THE BINARY DIFFING STARTER FROM ANDRE DEREK PROTAS. THIS TOOL HELPS REVERSE ENGINEERS WITH BATCH-ANALYSIS OF PATCHES BY DISPATCHING IDA WITH ITS MANY POWERFUL PLUGINS AGAINST GROUPS OF BINARIES. THIS ESPECIALLY COMES IN USEFUL FOR UPDATE ROLLUPS OR SERVICE PACKS, WHERE AUTOMATION IS NECESSARY TO BE ABLE TO REVERSE ENGINEER THE UPDATES IN A REASONABLE AMOUNT OF TIME. NOTE: .NET FRAMEWORK 2+ IS REQUIRED FOR BDS TO FUNCTION.

THE SECOND TOOL IS DARUNGRIM, A CODE-ANALYSIS TOOL TO ACTUALLY FIND THE DISTINCT CODE-CHANGES BETWEEN TWO BINARIES. IN KOREAN, DARUNGRIM TRANSLATES TO "DIFFERENCE IN PICTURE". DARUNGRIM PERFORMS MULTIPLE MATCHING TECHNIQUES AGAINST FUNCTIONS IN ORDER TO FIND FUNCTION PAIRS AND ANALYZE THE DIFFERENCES/SIMILARITIES BETWEEN THE FUNCTIONS. THIS ALLOWS REVERSE ENGINEERS TO PINPOINT CODE CHANGES BETWEEN TWO BINARIES WITH A GRAPHICAL INTERFACE, MUCH MORE RAPID THAN "SIDE-BY-SIDE" DISASSEMBLY INSTANCES. MUCH LIKE MOST POWERFUL DISASSEMBLY TOOLS, DARUNGRIM IS ALSO USING THE POWER OF IDA PRO FOR ANALYSIS.

DUMPAUTOCOMPLETE V0.7

http://www.foundstone.com/us/resources/proddesc/dumpautocomplete.htm

DUMP THE FIREFOX USER'S AUTOCOMPLETE CACHE IN XML FORMAT.

NOTE: NUMEROUS OTHER TOOLS ARE AVAILABLE ON THIS WEB SITE.

ENCASE (COMMERCIAL)

http://www.guidancesoftware.com/products/ef_index.asp

ENCASE FORENSIC IS THE INDUSTRY STANDARD IN COMPUTER FORENSIC INVESTIGATION TECHNOLOGY. WITH AN INTUITIVE GUI, SUPERIOR ANALYTICS, ENHANCED EMAIL/INTERNET SUPPORT AND A POWERFUL SCRIPTING ENGINE, ENCASE PROVIDES INVESTIGATORS WITH A SINGLE TOOL, CAPABLE OF CONDUCTING LARGE-SCALE AND COMPLEX INVESTIGATIONS FROM BEGINNING TO END. LAW ENFORCEMENT OFFICERS, GOVERNMENT/CORPORATE INVESTIGATORS AND CONSULTANTS AROUND THE WORLD BENEFIT FROM THE POWER OF ENCASE FORENSIC IN A WAY THAT FAR EXCEEDS ANY OTHER FORENSIC SOLUTION.

  • ACQUIRE DATA IN A FORENSICALLY SOUND MANNER USING SOFTWARE WITH AN UNPARALLELED RECORD IN COURTS WORLDWIDE.
  • INVESTIGATE AND ANALYZE MULTIPLE PLATFORMS — WINDOWS, LINUX, AIX, OS X, SOLARIS AND MORE — USING A SINGLE TOOL.
  • SAVE DAYS, IF NOT WEEKS, OF ANALYSIS TIME BY AUTOMATING COMPLEX AND ROUTINE TASKS WITH PREBUILT ENSCRIPT® MODULES, SUCH AS INITIALIZED CASE AND EVENT LOG ANALYSIS.
  • FIND INFORMATION DESPITE EFFORTS TO HIDE, CLOAK OR DELETE.
  • EASILY MANAGE LARGE VOLUMES OF COMPUTER EVIDENCE, VIEWING ALL RELEVANT FILES, INCLUDING "DELETED" FILES, FILE SLACK AND UNALLOCATED SPACE.
  • TRANSFER EVIDENCE FILES DIRECTLY TO LAW ENFORCEMENT OR LEGAL REPRESENTATIVES AS NECESSARY.
  • REVIEW OPTIONS ALLOW NON-INVESTIGATORS, SUCH AS ATTORNEYS, TO REVIEW EVIDENCE WITH EASE.
  • REPORTING OPTIONS ENABLE QUICK REPORT PREPARATION.

FENRIS

http://lcamtuf.coredump.cx/fenris/devel.shtml

FENRIS IS A MULTIPURPOSE TRACER, GUI DEBUGGER, STATEFUL ANALYZER AND PARTIAL DECOMPILER INTENDED TO SIMPLIFY BUG TRACKING, SECURITY AUDITS, CODE, ALGORITHM, PROTOCOL ANALYSIS AND COMPUTER FORENSICS - PROVIDING A STRUCTURAL PROGRAM TRACE, INTERACTIVE DEBUGGING CAPABILITIES, GENERAL INFORMATION ABOUT INTERNAL CONSTRUCTIONS, EXECUTION PATH, MEMORY OPERATIONS, I/O, CONDITIONAL EXPRESSIONS AND MUCH MORE. BECAUSE IT DOES NOT REQUIRE SOURCES OR ANY PARTICULAR COMPILATION METHOD, THIS MULTI-COMPONENT PROJECT CAN BE VERY HELPFUL FOR BLACK-BOX TESTS AND EVALUATIONS - BUT IT WILL ALSO BE A GREAT TOOL FOR OPEN-SOURCE PROJECT AUDITS, AS AN UNMATCHED REAL-TIME RECONNAISSANCE TOOL - ESPECIALLY WHEN SOURCES ARE TOO COMPLEX OR TOO BADLY WRITTEN TO BE ANALYZED BY HAND IN A RELIABLE WAY AND REASONABLE TIME. FENRIS DOES NOT RELY ON GNU LIBBFD FOR ANY CRITICAL TASKS, AND BECAUSE OF THAT, IT IS POSSIBLE AND FEASIBLE TO TRACE AND ANALYZE BINARIES MODIFIED TO FOOL DEBUGGERS, CRYPTED, OR OTHERWISE TWEAKED.

FOREMOST

http://sourceforge.net/projects/foremost/

FOREMOST IS A LINUX TOOL FOR CONDUCTING FORENSIC EXAMINATIONS. ALTHOUGH INTENDED FOR LAW ENFORCEMENT PURPOSES, IT MAY BE USEFUL TO OTHER MEMBERS OF THE COMMUNITY. FOREMOST READS THROUGH A FILE, SUCH AS A DD IMAGE FILE OR A DISK PARTITION AND EXTRACTS FILE

FORENSIC ACQUISITION UTILITIES

http://users.erols.com/gmgarner/forensics

THIS IS A COLLECTION OF UTILITIES AND LIBRARIES INTENDED FOR FORENSIC OR FORENSIC-RELATED INVESTIGATIVE USE IN A MODERN MICROSOFT WINDOWS ENVIRONMENT. INCLUDED IN THIS RELEASE ARE THE FOLLOWING MODULES: DD, GETOPT, MD5LIB, MD5SUM, NETCAT, VOLUME_DUMP, WIPE AND ZLIB. ALLOWS DUMPING OF MEMORY WITH THIS VERSION OF DD, AS WELL AS ON THE FLY COMPRESSION AND GENERATION OF MD5 CHECKSUMS.

FTIMES

http://ftimes.sourceforge.net/FTimes/index.shtml

FTIMES, SHORT FOR FILE TOPOGRAPHY AND INTEGRITY MONITORING ON AN ENTERPRISE SCALE, IS A SYSTEM BASELINING AND EVIDENCE COLLECTION TOOL THAT IS LIGHTWEIGHT, FLEXIBLE, AND CONDUCIVE TO INTRUSION ANALYSIS. FTIMES WAS DESIGNED TO SUPPORT THE FOLLOWING INITIATIVES: CONTENT INTEGRITY MONITORING, INCIDENT RESPONSE, INTRUSION ANALYSIS, AND COMPUTER FORENSICS.

FLAG (FORENSIC AND LOG ANALYSIS GUI)

http://pyflag.sourceforge.net/index.html

FLAG (FORENSIC AND LOG ANALYSIS GUI) WAS DESIGNED TO SIMPLIFY THE PROCESS OF LOG FILE ANALYSIS AND FORENSIC INVESTIGATIONS. OFTEN, WHEN INVESTIGATING A LARGE CASE, A GREAT DEAL OF DATA NEEDS TO BE ANALYSED AND CORRELATED. PYFLAG USES A DATABASE AS A BACKEND TO ASSIST IN MANAGING THE LARGE VOLUMES OF DATA. THIS ALLOWS PYFLAG TO REMAIN RESPONSIVE AND EXPEDITE DATA MANIPULATION OPERATIONS.

SINCE PYFLAG IS WEB BASED, IT IS ABLE TO BE DEPLOYED ON A CENTRAL SERVER AND SHARED WITH A NUMBER OF USERS AT THE SAME TIME. DATA IS LOADED INTO CASES WHICH KEEP INFORMATION SEPARATED.

GALLETA

http://www.foundstone.com/us/resources/proddesc/galleta.htm

GALLETA WILL PARSE THE INFORMATION IN A COOKIE FILE AND OUTPUT THE RESULTS IN A FIELD DELIMITED MANNER SO THAT IT MAY BE IMPORTED INTO YOUR FAVORITE SPREADSHEET PROGRAM. GALLETA IS BUILT TO WORK ON MULTIPLE PLATFORMS AND WILL EXECUTE ON WINDOWS (THROUGH CYGWIN), MAC OS X, LINUX, AND *BSD PLATFORMS.

GPART

http://www.stud.uni-hannover.de/user/76201/gpart/

GPART IS A TOOL WHICH TRIES TO GUESS THE PRIMARY PARTITION TABLE OF A PC-TYPE HARD DISK IN CASE THE PRIMARY PARTITION TABLE IN SECTOR 0 IS DAMAGED, INCORRECT OR DELETED. THE GUESSED TABLE CAN BE WRITTEN TO A FILE OR DEVICE. SUPPORTED (GUESSABLE) FILESYSTEM OR PARTITION TYPES:

  • DOS/WINDOWS FAT (FAT 12/16/32)
  • LINUX EXT2
  • LINUX SWAP PARTITIONS VERSIONS 0 AND 1 (LINUX >= V2.2.X)
  • OS/2 HPFS
  • WINDOWS NT/2000 FS
  • *BSD DISKLABELS
  • SOLARIS/X86 DISKLABELS
  • MINIX FS
  • REISER FS
  • LINUX LVM PHYSICAL VOLUME MODULE (LVM BY HEINZ MAUELSHAGEN)
  • SGI XFS ON LINUX
  • BEOS FILESYSTEM
  • QNX 4.X FILESYSTEM
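The guessing approach gpart takes (scan for file-system signatures, size each candidate from its own metadata, reject overlaps, emit a table), as an added example for this page in Python, not gpart's code. It covers only FAT, NTFS and ext2 of the types listed above; the disk image, its wiped sector 0 and the decoy signature are constructed inline, and the LBA-only CHS marker in the emitted table is an assumption.

```python
"""gpart-style partition-table guessing (added example, not gpart's code): scan
every sector for file-system signatures, size each candidate from its own
metadata, drop overlaps, and emit a DOS partition table for the survivors."""
import struct

SECTOR = 512
TYPE_CODES = {"FAT12": 0x01, "FAT16": 0x06, "FAT32": 0x0C, "NTFS": 0x07, "ext2": 0x83}


def _fat(sec):
    """FAT boot sector: 0x55AA trailer plus the type string; size from the BPB."""
    if sec[510:512] != b"\x55\xaa":
        return None
    if sec[0x52:0x5A] == b"FAT32   ":
        kind = "FAT32"
    elif sec[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
        kind = sec[0x36:0x3B].decode()
    else:
        return None
    bps = struct.unpack_from("<H", sec, 0x0B)[0]
    total = struct.unpack_from("<H", sec, 0x13)[0] or struct.unpack_from("<I", sec, 0x20)[0]
    if bps not in (512, 1024, 2048, 4096) or total == 0:
        return None
    return kind, total * bps // SECTOR


def _ntfs(sec):
    """NTFS boot sector: OEM id 'NTFS    ' at offset 3; volume sectors at 0x28."""
    if sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps = struct.unpack_from("<H", sec, 0x0B)[0]
    total = struct.unpack_from("<Q", sec, 0x28)[0]
    if bps not in (512, 1024, 2048, 4096) or total == 0:
        return None
    return "NTFS", (total + 1) * bps // SECTOR  # +1: field excludes the backup boot sector


def _ext2(data, off):
    """ext2 superblock sits 1024 bytes into the partition; magic 0xEF53 at +56."""
    sb = data[off + 1024:off + 2048]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 56)[0] != 0xEF53:
        return None
    blocks = struct.unpack_from("<I", sb, 4)[0]
    log_bs = struct.unpack_from("<I", sb, 24)[0]
    if blocks == 0 or log_bs > 6:
        return None
    return "ext2", blocks * (1024 << log_bs) // SECTOR


def guess(data):
    """Return [(start_lba, sectors, kind)] for non-overlapping, in-bounds candidates."""
    n = len(data) // SECTOR
    table, end = [], 0
    for lba in range(n):
        off = lba * SECTOR
        sec = data[off:off + SECTOR]
        hit = _fat(sec) or _ntfs(sec) or _ext2(data, off)
        if not hit or lba < end:  # lba < end: backup boot sector or stale signature
            continue              # inside a partition already accepted
        kind, size = hit
        if lba + size <= n:  # a size running past the disk is a false positive
            table.append((lba, size, kind))
            end = lba + size
    return table


def build_mbr(table):
    """DOS partition table for up to four guessed primaries. CHS fields are set
    to the LBA-only marker 0xFE 0xFF 0xFF (an assumption; modern tools accept it)."""
    mbr = bytearray(SECTOR)
    for i, (lba, size, kind) in enumerate(table[:4]):
        entry = struct.pack("<B3sB3sII", 0, b"\xfe\xff\xff", TYPE_CODES[kind],
                            b"\xfe\xff\xff", lba, size)
        mbr[446 + 16 * i:462 + 16 * i] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def demo_image():
    """Constructed 8 MiB disk with sector 0 wiped: FAT32 at LBA 2048 (8192 sectors),
    ext2 at LBA 10240 (2048 x 1 KiB blocks), decoy 0x55AA trailer at LBA 15000."""
    img = bytearray(16384 * SECTOR)
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"
    struct.pack_into("<H", bs, 0x0B, 512)
    struct.pack_into("<I", bs, 0x20, 8192)
    bs[0x52:0x5A] = b"FAT32   "
    bs[510:512] = b"\x55\xaa"
    img[2048 * SECTOR:2049 * SECTOR] = bs
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, 2048)
    struct.pack_into("<I", sb, 24, 0)
    struct.pack_into("<H", sb, 56, 0xEF53)
    img[10240 * SECTOR + 1024:10240 * SECTOR + 2048] = sb
    img[15000 * SECTOR + 510:15000 * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    for lba, size, kind in guess(demo_image()):
        print(f"{kind:6} start={lba} sectors={size}")
```

The decoy trailer is ignored because a signature alone is not a partition: each candidate must also carry a plausible size from its own boot sector or superblock, and candidates that fall inside an accepted partition (FAT and NTFS keep backup boot sectors there) or run past the end of the media are dropped. As with gpart, write the guessed table to a file and inspect it before ever writing it to the device.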

LIVE VIEW

http://liveview.sourceforge.net/

LIVE VIEW IS A JAVA-BASED GRAPHICAL FORENSICS TOOL THAT CREATES A VMWARE VIRTUAL MACHINE OUT OF A RAW (DD-STYLE) DISK IMAGE OR PHYSICAL DISK. THIS ALLOWS THE FORENSIC EXAMINER TO "BOOT UP" THE IMAGE OR DISK AND GAIN AN INTERACTIVE, USER-LEVEL PERSPECTIVE OF THE ENVIRONMENT, ALL WITHOUT MODIFYING THE UNDERLYING IMAGE OR DISK. BECAUSE ALL CHANGES MADE TO THE DISK ARE WRITTEN TO A SEPARATE FILE, THE EXAMINER CAN INSTANTLY REVERT ALL OF HIS OR HER CHANGES BACK TO THE ORIGINAL PRISTINE STATE OF THE DISK. THE END RESULT IS THAT ONE NEED NOT CREATE EXTRA "THROW AWAY" COPIES OF THE DISK OR IMAGE TO CREATE THE VIRTUAL MACHINE.

LIVE VIEW IS CAPABLE OF BOOTING:

  • FULL DISK RAW IMAGES
  • BOOTABLE PARTITION RAW IMAGES
  • PHYSICAL DISKS (ATTACHED VIA A USB OR FIREWIRE BRIDGE)

CONTAINING THE FOLLOWING OPERATING SYSTEMS:

  • WINDOWS XP, 2000, 2003, NT, ME, 98
  • LINUX (LIMITED SUPPORT)

MAGIC RESCUE

http://jbj.rapanden.dk/magicrescue/

MAGIC RESCUE SCANS A BLOCK DEVICE FOR FILE TYPES IT KNOWS HOW TO RECOVER AND CALLS AN EXTERNAL PROGRAM TO EXTRACT THEM. IT LOOKS AT "MAGIC BYTES" IN FILE CONTENTS, SO IT CAN BE USED BOTH AS AN UNDELETE UTILITY AND FOR RECOVERING A CORRUPTED DRIVE OR PARTITION. AS LONG AS THE FILE DATA IS THERE, IT WILL FIND IT. IT WORKS ON ANY FILE SYSTEM, BUT ON VERY FRAGMENTED FILE SYSTEMS IT CAN ONLY RECOVER THE FIRST CHUNK OF EACH FILE. PRACTICAL EXPERIENCE (THIS PROGRAM WAS NOT WRITTEN FOR FUN) SHOWS, HOWEVER, THAT CHUNKS OF 30-50MB ARE NOT UNCOMMON.

PASCO

http://www.foundstone.com/us/resources/proddesc/pasco.htm

PASCO WILL PARSE THE INFORMATION IN AN INDEX.DAT FILE AND OUTPUT THE RESULTS IN A FIELD DELIMITED MANNER SO THAT IT MAY BE IMPORTED INTO YOUR FAVORITE SPREADSHEET PROGRAM. PASCO IS BUILT TO WORK ON MULTIPLE PLATFORMS AND WILL EXECUTE ON WINDOWS (THROUGH CYGWIN), MAC OS X, LINUX, AND *BSD PLATFORMS.

PHOTOREC

http://www.cgsecurity.org/photorec.html

PHOTOREC IS FILE DATA RECOVERY SOFTWARE DESIGNED TO RECOVER LOST PICTURES OR LOST FILES FROM DIGITAL CAMERA MEMORY (COMPACTFLASH, MEMORY STICK, SECUREDIGITAL, SMARTMEDIA, MICRODRIVE, MMC, USB MEMORY DRIVES…) AND ALSO FROM HARD DISKS AND CD-ROMS. IT WORKS AT LEAST WITH FAT, NTFS AND EXT2/EXT3 FILESYSTEMS, EVEN IF THEY ARE SEVERELY DAMAGED. PHOTOREC IS SAFE TO USE: IT WILL NEVER ATTEMPT TO WRITE TO THE DRIVE OR MEMORY CARD YOU ARE ABOUT TO RECOVER FROM. RECOVERED FILES ARE INSTEAD WRITTEN TO THE DIRECTORY FROM WHICH YOU ARE RUNNING THE PHOTOREC PROGRAM.

RIFIUTI

http://www.foundstone.com/us/resources/proddesc/rifiuti.htm

RIFIUTI WILL PARSE THE INFORMATION IN AN INFO2 FILE AND OUTPUT THE RESULTS IN A FIELD DELIMITED MANNER SO THAT IT MAY BE IMPORTED INTO YOUR FAVORITE SPREADSHEET PROGRAM. RIFIUTI IS BUILT TO WORK ON MULTIPLE PLATFORMS AND WILL EXECUTE ON WINDOWS (THROUGH CYGWIN), MAC OS X, LINUX, AND *BSD PLATFORMS.

ROT13 CONVERSION PROGRAM

http://www.dmares.com/maresware/ps.htm#ROT13

A SIMPLE COMMAND LINE PROGRAM THAT WILL CONVERT A FILE THAT IS ROT-13 ENCODED/ENCRYPTED TO A CONVENTIONAL (READABLE) FILE. THE PROGRAM MAKES NO ASSESSMENTS, JUDGMENTS, OR ANALYSIS AS TO WHAT NEEDS TO BE CONVERTED AND WHAT DOESN'T. IT CONVERTS THE ENTIRE FILE, SO IF A SECTION IS NOT ROT-13 ENCODED, IT WILL CONVERT IT TO ROT-13, AND VICE VERSA. ON A LINE EXTRACTED FROM AN FTK REGISTRY VIEWER REPORT ON THE USERASSIST KEY, IT CONVERTED THE TOP LINE TO THE CORRECT TEXT.

SCALPEL

http://www.digitalforensicssolutions.com/Scalpel/

SCALPEL IS A FAST FILE CARVER THAT READS A DATABASE OF HEADER AND FOOTER DEFINITIONS AND EXTRACTS MATCHING FILES FROM A SET OF IMAGE FILES OR RAW DEVICE FILES. SCALPEL IS FILESYSTEM-INDEPENDENT AND WILL CARVE FILES FROM FATX, NTFS, EXT2/3, OR RAW PARTITIONS. IT IS USEFUL FOR BOTH DIGITAL FORENSICS INVESTIGATION AND FILE RECOVERY. SCALPEL RESULTED FROM A COMPLETE REWRITE OF FOREMOST 0.69, A POPULAR OPEN SOURCE FILE CARVER, TO ENHANCE PERFORMANCE AND DECREASE MEMORY USAGE.
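Header/footer carving as Foremost, Scalpel, Magic Rescue and PhotoRec all do it, in one added example written for this page (none of those tools' code). The rule tuples mirror the shape of a scalpel.conf line but the sizes, the output naming and the audit log format are this example's own choices; the "media" with two intact files and one truncated JPEG is constructed inline.

```python
"""Header/footer file carving (added example, not Foremost's, Scalpel's, Magic
Rescue's or PhotoRec's own code). Rules have the shape of a scalpel.conf line:
extension, maximum size, header, optional footer."""
import os
import re
import tempfile

RULES = [
    ("jpg", 4096, b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", 4096, b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf", 65536, b"%PDF-", b"%%EOF"),
]


def carve(data, rules=RULES):
    """Return [(ext, start, end, complete)] for every header hit, end exclusive.
    complete=False: no footer within max size (or before end of media), so the
    chunk was cut at the limit; the file is truncated or fragmented and only
    its first contiguous run is recovered, which is the Magic Rescue caveat."""
    hits = []
    for ext, max_size, header, footer in rules:
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            limit = min(len(data), start + max_size)
            end, complete = limit, False
            if footer:
                f = data.find(footer, start + len(header), limit)
                if f != -1:
                    end, complete = f + len(footer), True
            hits.append((ext, start, end, complete))
    return sorted(hits, key=lambda h: h[1])


def write_carved(data, hits, outdir):
    """Write each hit as <offset>.<ext> (Scalpel's naming) plus an audit log."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    with open(os.path.join(outdir, "audit.txt"), "w") as audit:
        for ext, start, end, complete in hits:
            path = os.path.join(outdir, f"{start:08d}.{ext}")
            with open(path, "wb") as out:
                out.write(data[start:end])
            audit.write(f"{path}\t{start}\t{end - start}\t{'ok' if complete else 'TRUNCATED'}\n")
            paths.append(path)
    return paths


def demo():
    """Constructed media: two files with footers and one JPEG whose tail is gone."""
    jpeg1 = b"\xff\xd8\xff\xe0" + b"JFIF-body-1 " * 50 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk  " * 40 + b"IEND\xaeB`\x82"
    jpeg2 = b"\xff\xd8\xff\xe1" + b"EXIF-body-2 " * 30  # no footer: truncated
    gap = b"\x00" * 512
    data = gap * 2 + jpeg1 + gap + png + gap + jpeg2 + gap * 10
    expected = [("jpg", 1024, 1024 + len(jpeg1), True),
                ("png", 1024 + len(jpeg1) + 512, 1024 + len(jpeg1) + 512 + len(png), True)]
    j2 = expected[1][2] + 512
    expected.append(("jpg", j2, j2 + 4096, False))  # cut at the rule's max size
    hits = carve(data)
    paths = write_carved(data, hits, tempfile.mkdtemp())
    return {"hits": hits, "expected": expected, "paths": paths,
            "files": {"jpeg1": jpeg1, "png": png, "jpeg2": jpeg2}}


if __name__ == "__main__":
    r = demo()
    for hit in r["hits"]:
        print(hit)
```

Carving knows nothing about the file system, which is why it works on damaged media and also why it produces false positives and duplicates: a JPEG carrying an EXIF thumbnail yields two headers, and the outer file's first footer may belong to the thumbnail, so real carvers add per-type validation on top of the header/footer match. Treat every carved file as a candidate until it opens cleanly.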

SCROUNGE NTFS

http://memberwebs.com/nielsen/software/scrounge/

DATA RECOVERY PROGRAM FOR NTFS FILE SYSTEMS. IT READS EACH BLOCK OF THE HARD DISK AND REBUILDS THE FILE SYSTEM TREE ON ANOTHER PARTITION.

THE SLEUTH KIT

http://www.sleuthkit.org/sleuthkit/desc.php

THE SLEUTH KIT (PREVIOUSLY KNOWN AS TASK) IS A COLLECTION OF UNIX-BASED COMMAND LINE FILE AND VOLUME SYSTEM FORENSIC ANALYSIS TOOLS. THE FILE SYSTEM TOOLS ALLOW YOU TO EXAMINE FILE SYSTEMS OF A SUSPECT COMPUTER IN A NON-INTRUSIVE FASHION. BECAUSE THE TOOLS DO NOT RELY ON THE OPERATING SYSTEM TO PROCESS THE FILE SYSTEMS, DELETED AND HIDDEN CONTENT IS SHOWN. THE VOLUME SYSTEM (MEDIA MANAGEMENT) TOOLS ALLOW YOU TO EXAMINE THE LAYOUT OF DISKS AND OTHER MEDIA. THE SLEUTH KIT SUPPORTS DOS PARTITIONS, BSD PARTITIONS (DISK LABELS), MAC PARTITIONS, SUN SLICES (VOLUME TABLE OF CONTENTS), AND GPT DISKS. WITH THESE TOOLS, YOU CAN IDENTIFY WHERE PARTITIONS ARE LOCATED AND EXTRACT THEM SO THAT THEY CAN BE ANALYZED WITH FILE SYSTEM ANALYSIS TOOLS.

WHEN PERFORMING A COMPLETE ANALYSIS OF A SYSTEM, WE ALL KNOW THAT COMMAND LINE TOOLS CAN BECOME TEDIOUS. THE AUTOPSY FORENSIC BROWSER IS A GRAPHICAL INTERFACE TO THE TOOLS IN THE SLEUTH KIT, WHICH ALLOWS YOU TO MORE EASILY CONDUCT AN INVESTIGATION. AUTOPSY PROVIDES CASE MANAGEMENT, IMAGE INTEGRITY, KEYWORD SEARCHING, AND OTHER AUTOMATED OPERATIONS.

  • ANALYZES RAW (I.E. DD), EXPERT WITNESS (I.E. ENCASE) AND AFF FILE SYSTEM AND DISK IMAGES. (SLEUTH KIT INFORMER #11)
  • SUPPORTS THE NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, AND ISO 9660 FILE SYSTEMS (EVEN WHEN THE HOST OPERATING SYSTEM DOES NOT OR HAS A DIFFERENT ENDIAN ORDERING).
  • TOOLS CAN BE RUN ON A LIVE UNIX SYSTEM DURING INCIDENT RESPONSE. THESE TOOLS WILL SHOW FILES THAT HAVE BEEN "HIDDEN" BY ROOTKITS AND WILL NOT MODIFY THE A-TIME OF FILES THAT ARE VIEWED. (SLEUTH KIT INFORMER #13)
  • LIST ALLOCATED AND DELETED ASCII AND UNICODE FILE NAMES. (SLEUTH KIT INFORMER #14 (FAT RECOVERY), #16 (NTFS ORPHAN FILES))
  • DISPLAY THE DETAILS AND CONTENTS OF ALL NTFS ATTRIBUTES (INCLUDING ALL ALTERNATE DATA STREAMS).
  • DISPLAY FILE SYSTEM AND META-DATA STRUCTURE DETAILS.
  • CREATE TIME LINES OF FILE ACTIVITY, WHICH CAN BE IMPORTED INTO A SPREAD SHEET TO CREATE GRAPHS AND REPORTS. (SLEUTH KIT INFORMER #5)
  • LOOKUP FILE HASHES IN A HASH DATABASE, SUCH AS THE NIST NSRL, HASH KEEPER, AND CUSTOM DATABASES THAT HAVE BEEN CREATED WITH THE 'MD5SUM' TOOL. (SLEUTH KIT INFORMER #6, SLEUTH KIT INFORMER #7)
  • ORGANIZE FILES BASED ON THEIR TYPE (FOR EXAMPLE ALL EXECUTABLES, JPEGS, AND DOCUMENTS ARE SEPARATED). PAGES OF THUMBNAILS CAN BE MADE OF GRAPHIC IMAGES FOR QUICK ANALYSIS. (SLEUTH KIT INFORMER #3, #4, #5)

THE SLEUTH KIT IS WRITTEN IN C AND PERL AND USES SOME CODE AND DESIGN FROM THE CORONER'S TOOLKIT (TCT).
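The file-activity timeline mentioned above, built from The Sleuth Kit's "body" format, as an added example for this page (not TSK's own mactime code). The body lines are constructed for the example; the column layout of the rendered output and the treatment of a zero timestamp as "not recorded" are this example's choices.

```python
"""Sleuth Kit-style activity timeline (added example, not TSK's mactime code).
Input is the 'body' format that `fls -m` and `ils -m` emit:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds)."""
import datetime

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
TIMES = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))

# Constructed body file: a deleted file under /tmp/.x written seconds before
# /usr/bin/ls was replaced, while /etc/passwd was last modified months earlier.
SAMPLE_BODY = """\
0|/etc/passwd|131073|r/rrw-r--r--|0|0|1423|1700000000|1690000000|1690000000|0
0|/usr/bin/ls|262145|r/rrwxr-xr-x|0|0|138208|1700003600|1700003600|1700003600|0
0|/tmp/.x/sshd (deleted)|393217|r/rrwxr-xr-x|0|0|4096|1700003590|1700003590|1700003650|0
0|/root/.bash_history|524289|r/rrw-------|0|0|0|1700003700|1700003700|1700003700|0
"""


def parse_body(text):
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed body line: " + line)
        rec = dict(zip(FIELDS, parts))
        for key in ("uid", "gid", "size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        recs.append(rec)
    return recs


def timeline(recs):
    """One row per (timestamp, file), oldest first, with MACB flags for the
    timestamps that coincide (mactime's layout)."""
    rows = {}
    for rec in recs:
        for flag, key in TIMES:
            if rec[key] == 0:  # 0 = not recorded by this file system (e.g. no crtime)
                continue
            rows.setdefault((rec[key], rec["name"]), [rec, set()])[1].add(flag)
    out = []
    for (t, name), (rec, flags) in sorted(rows.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        out.append((t, rec["size"], macb, rec["mode"], rec["uid"], rec["gid"], rec["inode"], name))
    return out


def between(rows, start, end):
    """Restrict to a window of epoch seconds, like mactime's date-range argument."""
    return [r for r in rows if start <= r[0] <= end]


def render(rows, tz=datetime.timezone.utc):
    lines = []
    for t, size, macb, mode, uid, gid, inode, name in rows:
        stamp = datetime.datetime.fromtimestamp(t, tz).strftime("%a %b %d %Y %H:%M:%S")
        lines.append(f"{stamp} {size:>9} {macb} {mode} {uid:<5}{gid:<5}{inode:<8} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(timeline(parse_body(SAMPLE_BODY))))
```

With the real tools the body file comes from `fls -r -m / image.dd > body.txt` (add `-o` for the partition's sector offset) and the timeline from `mactime -b body.txt`. When reading one, remember that mtime and atime can be set to anything by whoever owns the file (`touch -t`), whereas ctime is updated by the kernel on any inode change and cannot be backdated without also changing the system clock, so ctime is the column to trust when the others look too tidy.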

THE SLEUTH KIT HAS BEEN TESTED ON:

  • LINUX
  • MAC OS X
  • OPENBSD AND FREEBSD
  • SOLARIS
  • CYGWIN

TIMEMACHINE

http://www.net.t-labs.tu-berlin.de/research/tm/

THE TIMEMACHINE CAN RECORD THE ENTIRE CONTENTS OF A HIGH-VOLUME NETWORK TRAFFIC STREAM IN ORDER TO LATER "TRAVEL BACK IN TIME" AND INSPECT ACTIVITY THAT HAS ONLY BECOME INTERESTING IN RETROSPECT. TWO EXAMPLES OF USE ARE SECURITY FORENSICS (DETERMINING JUST HOW AN ATTACKER COMPROMISED A GIVEN MACHINE) AND NETWORK TROUBLE-SHOOTING, SUCH AS INSPECTING THE PRECURSORS TO A FAULT AFTER THE FAULT. THE TIMEMACHINE IS DESIGNED TO WORK IN GIGABIT ENVIRONMENTS AND TO STORE SEVERAL DAYS OF NETWORK TRAFFIC.

USBDUMPER 2.2

http://www.valgasu.org/

GRAPHICAL AND ENHANCED VERSION OF THE ORIGINAL USBDUMPER TOOL, WHICH SILENTLY COPIES THE CONTENTS OF AN INSERTED USB DEVICE.

AIMJECT

http://jon.oberheide.org/projects/aimject/

AIMJECT FACILITATES MAN-IN-THE-MIDDLE ATTACKS AGAINST AOL INSTANT MESSENGER'S OSCAR PROTOCOL VIA A SIMPLE GTK INTERFACE.

FEATURES:

  • SIGN-ON/OFF DETECTION
  • MESSAGE INTERCEPTION/DECODING
  • MESSAGE INJECTION INTO ARBITRARY CONVERSATIONS
  • SYNCHRONIZATION OF AIM SEQUENCE NUMBERS AND FNAC IDS
  • CLONING OF FONT STYLES/SCREENNAME FORMATTING TO AVOID DETECTION
  • SELECTIVE MUTING OF CONVERSATION PARTICIPANTS
  • SESSION STATISTICS
  • INTEGRATED ARP/DNS SPOOFING

YIM2TEXT

http://www.1vs0.com/code/yim2text-0.1.0.tar.bz2

INSTANT MESSAGING IS EVERYWHERE. YAHOO IM OFTEN LOGS ITS MESSAGES LOCALLY ON THE HARD DISK OF THE COMPUTER USED WHEN SENDING THE MESSAGE. THE LOG FILES ARE 'ENCRYPTED' USING A SIMPLE XOR. YIM2TEXT IS A PYTHON SCRIPT TO DECODE THESE FILES AND SHOW YOU THE CHAT LOGS.

ZEPPOO

http://www.zeppoo.net/

ZEPPOO IS A TOOL THAT ATTEMPTS TO DETECT IF A ROOTKIT IS INSTALLED ON YOUR SYSTEM. IT ALSO MAKES IT POSSIBLE TO DETECT HIDDEN TASKS, MODULES, SYSCALLS, SOME CORRUPTED SYMBOLS AND ALSO HIDDEN CONNECTIONS.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License