chkrootkit is a tool to locally check for signs of a rootkit.

In three words, Cuckoo Sandbox is a malware analysis system.

Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.

It's mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.

But it can do much more...
It's up to you to discover what and how.

Some of the results that Cuckoo generates are:

DFF is a simple but powerfull open source tool with a flexible module system written in C++ and Python. The aim is to provide an extensible framework by which additional features may be added to analyze and recover any kind of digital artifact

Latest developments and contributions available from http://tracker.digital-forensic.org
Documentation available from http://wiki.digital-forensic.org

eCryptfs Parser is a GUI for Linux and Windows that recursively parses the headers of every eCryptfs file found in a given directory. It will tell you what encryption algorithm was used, the original filesize of the file before it was encrypted, the private signature used etc.

Guesses file type based on magic header and footer values.

File Ripper is a file extractor based on header recognition. It can be used to recover files from unfragmented disk images where filesystem information has been lost or otherwise corrupted, or the files have been inadvertently deleted. It detects and extracts PNG, HTML, GIF, ZIP, LBM, PBM, ANM, BAT, BAS, RTF, HLP, WAV, WRI, JPG, ARJ, DOS EXE, ANS, ZZT, FRM, text BAS, BMP, MZB, FLI, MSP, DOC, MZX, GDM, IT, S3M, SAV, BRD, LZH/LHA, MOD, XM, VOC, SVX, ABM, Quetzal, and certain obscure bulletin board system formats.

Foremost is a Linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.

Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

GrokEVT is a collection of scripts built for reading Windows NT/2K/XP/2K3 event log files.

A Windows\Linux GUI for demonstrating the numerical enormity of large hash algorithms like MD5 (128 bits), SHA1 (160 bits), SHA256 (256 bits) and SHA512 (512 bits). It is designed for the delivery of demonstrations about hashing to non-technical audiences such as jury panels, lawyers, students, case officers and so on by converting the scientific notation of the algorithm to "The chance of two different files having the same X hash value is 1 in XX billion\trillion....".

KS - This is a keywords searching tool. sudo bash ks.sh for running it. It mounts a DD image file; It extracts all deleted files; slackspace; It makes a data carving on the freespace only; It indexes all by RECOLL. You need:
The Sleuthkit (last release)
Photorec
MD5Deep
RECOLL
It stores the index DB and the recoll.conf in the chosen output directory.
NEW file formats added and README.txt for the HowTo expand the search range.
Website:
http://scripts4cf.sourceforge.net/tools.html

Library and tooling to access the Windows Event Log (EVT) format.

Library and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.

The libpff package contains a shared library and tools to analyze Microsoft Outlook Personal Folder Files (PFF). PFF files such as PAB, PST and OST files, are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides: pffexport to export PFF items, pffinfo to provide basic information about PFF files and pffexport -m recover to recover and export PFF items

Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.

It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience shows that chunks of 30-50MB are not uncommon.

md5sum computes a 128-bit checksum (or fingerprint or message-digest) for each specified file.
Documentation: http://www.gnu.org/software/coreutils/manual/coreutils.html#md5sum-invoc...

sha1sum computes a 160-bit checksum for each specified file. The usage and options of this command are precisely the same as for md5sum.
Documentation: http://www.gnu.org/software/coreutils/manual/coreutils.html#sha1sum-invo...

NBTempo - This is a GUI (Graphical User Interface) Bash script for making files timelines and reporting them in CSV (electronic sheet) format. It needs TSK 3.2.1 and YAD (Yet Another Dialog).(TSK based)

The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency [KLPD/Dutch]. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.

Pasco, the latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

PlainSight is a versatile computer forensics tool that allows both experienced and inexperienced forensic practitioners perform common tasks using powerful open source tools.

The tool is an acronym for "Forensic and Log Analysis GUI", written for analysis of various log file types and network traffic analysis but can also be used for forensic analysis of disk images includes support for the Volatility framework http://www2.opensourceforensics.org/node/15 and supports file carving to recover known file types.

It's possible to resolve the file name starting from the carved file name generated by the Foremost tool and save it, it generates an HTML report. It's possible to resolve the file name starting from the offset of a "grep" keywords search. The tool identifies automatically the change of the partition and, if the keyword is contained into the slack space, saves the sector/cluster/block where it is. (TSK based)

The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.

Harlan Carvey has written a number of extremely useful tools, and his blog is an extremely useful resource. e.g.
http://windowsir.blogspot.com/2008/04/updated-regripper.html

It is also worth noting that regripper has its own dedicated forum. Additionally regripper can be harnessed together with Moyix's tool to parse registry information from Volatility.

RegViewer is GTK 2.2 based GUI Windows registry file navigator. It is platform independent allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.

RFIDIOt is an open source python library for exploring RFID devices!

As its name indicates, rifiuti2 is a rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. Analysis of Windows Recycle Bin is usually carried out during Windows computer forensics. Quoting from original Foundstone page:

Parses the Safari XML Downloads.plist file and prints the results in TAB delimited format.

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.

A program for computing 'fuzzy hashes'. These can be used to identify files which are similar but not identical. The hashes are signatures, like MD5 hashes, but match non-identical files.

Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files.

Volatility is an extensible memory forensics tool using python. Volatility comes with a number of standard plugins. The plugins use various techniques to extract artifacts from volatile memory (RAM) samples, these include:
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
Volatility also has support for extracting artificats from Windows Hibernation files and Windows crash dump files.

To view further documentation and follow latest developments visit http://code.google.com/p/volatility/

xmount allows you to convert on-the-fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file.