The GNU Binutils are a collection of binary tools. For forensics, these are used for binary analysis, including 'strings'.
On Ubuntu this includes the following utils:-
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a project of Digital Forensics
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
* an interoperable environment that supports the digital investigator during the four phases of the digital investigation
* a user friendly graphical interface
Cdrecord, now known as cdrtools, supports DVD-R and DVD-RW with all known DVD-writers on all UNIX-like OS and on Win32. Other optical media types are supported, as is multisession, and recently support for BluRay has been implemented (version 2.10). DVD writing support has been available in cdrecord since march 1998. Cdrecord writes DVD media similar to CD media. The readcd tool can be used to read the contents of a CD.
Clam AntiVirus is a GPL anti-virus toolkit for UNIX with a port for Windows. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software.
The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.
In three words, Cuckoo Sandbox is a malware analysis system.
Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.
It's mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.
But it can do much more...
It's up to you to discover what and how.
Some of the results that Cuckoo generates are:
This tool provides the user with a gui frontend (designed in perl) for the popular program, dd. The frontend has been designed to allow for the same functionality as using dd via command line or terminal.
-MD5, SHA1, and other hash methods are provided.
-GUI based directories.
-DD command line argument options.
-Imaging completion status display.
-Windows XP to 7
-Variants of Linux
-OSX versions with dd.
DOWNLOAD LOCATION: http://ddgui.myftp.org/ddgui.zip
Description: GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. [Ed: This tool is similar to, but not the same as dd_rescue]
Like dd, dd_rescue does copy data from one file or block device to another. You can specify file positions (called seek and Skip in dd). There are several differences. dd_rescue does not provide character conversions. dd_rescue does not abort on errors on the input file, unless you specify a maximum error number. Then dd_rescue will abort when this number is reached. dd_rescue does not truncate the output file, unless asked to. You can tell dd_rescue to start from the end of a file and move backwards. It uses two block sizes, a large (soft) block size and a small (hard) block size.
DEFT Linux v5 is an Italian project that is based on Kernel 2.6.31 and uses the LXDE desktop environment and thunar file manager in conjunction with best free and open source applications dedicated to incident response and computer forensics. In addition, DEFT Extra 2.0 (Computer Forensic GUI) comes with the best freeware Windows Computer Forensic tools.
DEFT is meant to be used by:
* system administrator
* individuals who need to use forensic tools to recover data
DFF is a simple but powerfull open source tool with a flexible module system written in C++ and Python. The aim is to provide an extensible framework by which additional features may be added to analyze and recover any kind of digital artifact
The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more details about the file system or partition table)
e2salvage is a utility which tries to do in-place data recovery a from damaged ext2 file systems. Unlike e2fsck, it does not look for the data at particular places and it don't tend to believe the data it finds; thus it can handle much more damaged file system.
eCryptfs Parser is a GUI for Linux and Windows that recursively parses the headers of every eCryptfs file found in a given directory. It will tell you what encryption algorithm was used, the original filesize of the file before it was encrypted, the private signature used etc.
The enhanced loopback driver modifies the native loopback driver of the Linux kernel and adds functionality that can make the driver emulate a disk drive in some ways. Most important to us is providing automatic interpretation and mapping of partitions contained within an image file of a hard drive.
A PHP script to parse Windows event logs.
The FCCU GNU/Linux Forensic boot CD-Rom was created by the Belgian Federal Computer Crime Unit (FCCU) to assist in the forensic analysis of computers. It is based on version 4.02 of the KNOPPIX Live CD and contains open source forensic utilities.
faust is a perl script that helps to analyze files found after an intrusion or the compromising of a honeypot. Its goal is not to make the analysis, but to extract the pieces of information that _you_ will use afterward in your analysis.
File Ripper is a file extractor based on header recognition. It can be used to recover files from unfragmented disk images where filesystem information has been lost or otherwise corrupted, or the files have been inadvertently deleted. It detects and extracts PNG, HTML, GIF, ZIP, LBM, PBM, ANM, BAT, BAS, RTF, HLP, WAV, WRI, JPG, ARJ, DOS EXE, ANS, ZZT, FRM, text BAS, BMP, MZB, FLI, MSP, DOC, MZX, GDM, IT, S3M, SAV, BRD, LZH/LHA, MOD, XM, VOC, SVX, ABM, Quetzal, and certain obscure bulletin board system formats.
FileSystem Investigator is a platform independent file system viewer and data extraction tool. It allows the user to: View the contents of the target file system in a forensically safe manner, bypassing the normal operating system mechanisms. Extract files and whole directory trees of files from the source filesystem.
Foremost is a Linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
The Forensic Hash Database is a project to combine the various hashsum sources like Dan Farmer's FUCK baseline collection, The NIST National Software Reference Library (NSRL), Known Goods Database, and Hashkeeper into a single meta RDBMS (relational database management system).
Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Gatekeeping Out Of The Box: Open Source Software As A Mechanism To Assess Reliability For Digital Evidence
This article examines digital evidence reliability by first identifying and differentiating the two competing categories of software from which this evidence is derived: proprietary and Open Source. The next section explores the standards for software reliability in both the industrial marketplace and the legal arena. Specifically, the current standards are addressed in light of their value to industry and the law, as well as their respective historical origins This sets the stage for a reconciliation of standards for reliability as between industry and the courtroom.
Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
Appears to be no longer developed, however is still available for most Linux distrubutions e.g. Ubuntu, installs version 0.1h-11, n.b. Beta version.
gTableauParm is similar to the Tableau Disk Monitor for Windows. It is a GTK front-end for tableau-parm, written in C++/Gtkmm. It shows Tableau-Bridges and attached Devices in a TreeView and shows the different information's about write-protection, DCO/HPA Status etc.
guymager is a forensic imager for media acquisition. Its main features are:
* Easy user interface in different languages
* Runs under Linux
* Really fast, due to multi-threaded design, multi-threaded data compression
* Makes full usage of multi-processor machines
* Generates flat (dd), EWF (E01) and AFF images
hachoir-parser is a package of most common file format parsers written using hachoir-core.
HashLibrarian is a Linux/Unix utility that is capable of hashing a single file or a directory recursively through multiple hashing algorithms. The fun doesn't stop there, HashLibrarian also places these hashes into a database, which it then encrypts with a user's GPG key and protects through hashing. Along with this functionality, HashLibrarian can also load these protected databases back into memory, verify their integrity, and then scan a directory, locating all matches. These matches can then be placed into an HTML formatted report with just a simple command-line option.
Step by step instructions on how to start a full payload packet capture on a Cisco ASA.
A Windows\Linux GUI for demonstrating the numerical enormity of large hash algorithms like MD5 (128 bits), SHA1 (160 bits), SHA256 (256 bits) and SHA512 (512 bits). It is designed for the delivery of demonstrations about hashing to non-technical audiences such as jury panels, lawyers, students, case officers and so on by converting the scientific notation of the algorithm to "The chance of two different files having the same X hash value is 1 in XX billion\trillion....".
KS - This is a keywords searching tool. sudo bash ks.sh for running it. It mounts a DD image file; It extracts all deleted files; slackspace; It makes a data carving on the freespace only; It indexes all by RECOLL. You need:
The Sleuthkit (last release)
It stores the index DB and the recoll.conf in the chosen output directory.
NEW file formats added and README.txt for the HowTo expand the search range.
Libewf is a library for support of the Expert Witness Compression Format (EWF), it support both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
The libpff package contains a shared library and tools to analyze Microsoft Outlook Personal Folder Files (PFF). PFF files such as PAB, PST and OST files, are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides: pffexport to export PFF items, pffinfo to provide basic information about PFF files and pffexport -m recover to recover and export PFF items
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.
log2timeline is a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analyzed by forensic investigators/analysts
Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.
It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience shows that chunks of 30-50MB are not uncommon.
md5sum computes a 128-bit checksum (or fingerprint or message-digest) for each specified file.
sha1sum computes a 160-bit checksum for each specified file. The usage and options of this command are precisely the same as for md5sum.
Description: Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It can be used on a trusted server to save data from a suspect system and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk.
nxlog is a modular, multi-threaded, high-performance log management solution with multi-platform support. In concept, it is similar to syslog-ng or rsyslog, but is not limited to Unix/syslog only. It can collect logs from files in various formats, receive logs from the network remotely over UDP, TCP, or TLS/SSL on all supported platforms. It supports platform-specific sources such as the Windows Eventlog, Linux kernel logs, Android device logs, local syslog, etc. Writing and reading logs to/from databases is also supported for many database servers.
The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency [KLPD/Dutch]. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
This paper addresses open source digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, it must be reliable and relevant. The reliability is tested by applying Daubert guidelines. This paper examines the guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools would.
Pasco, the latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files.
EDRM – the Electronic Discovery Reference Model – was created in 2005 by George Socha and Tom Gelbmann. Since 2005, over 300 e-discovery experts, vendors and end-users from more than 125 organizations have worked together to address the lack of standards and guidelines in the electronic discovery (e-discovery) market.
The EDRM reference model provides a common, flexible and extensible framework for the development, selection, evaluation and use of electronic discovery products and services. The completed model was placed in the public domain in May 2006.
PTK forensics is an alternative advanced framework for the TSK suite (The SleuthKit). Born as a free interface in order to improve the features already present in "Autopsy Forensic Browser" (the former TSK interface). PTK Forensics, now, is much more. In addition to providing the functions already present in Autopsy Forensic Browser it now implements numerous new essential forensic features.
The tool is an acronym for "Forensic and Log Analysis GUI", written for analysis of various log file types and network traffic analysis but can also be used for forensic analysis of disk images includes support for the Volatility framework http://www2.opensourceforensics.org/node/15 and supports file carving to recover known file types.
pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.
The framework is shipped with about 300 tests grouped in 9 testing modules:
python-registry is a pure Python module for reading from Windows Registry files (NTUSER.DAT, userdiff, etc.). It exposes a high level interface analogous to the MSDN APIs, and a low level interface for working with the internal structure of the Registry.
A Linux & Windows GUI to enable the rapid selection and subsequent MD5, SHA1, SHA256 or SHA512 hashing of files, either individually or recursively throughout a folder structure, single text strings and, when used on Linux, physical or logical disks. The tool was designed for practitioners wanting to easily hash files in Linux but without the understanding of command line tools like sha1sum. It is also available for Windows.
It's possible to resolve the file name starting from the carved file name generated by the Foremost tool and save it, it generates an HTML report. It's possible to resolve the file name starting from the offset of a "grep" keywords search. The tool identifies automatically the change of the partition and, if the keyword is contained into the slack space, saves the sector/cluster/block where it is. (TSK based)
The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.
Harlan Carvey has written a number of extremely useful tools, and his blog is an extremely useful resource. e.g.
It is also worth noting that regripper has its own dedicated forum. Additionally regripper can be harnessed together with Moyix's tool to parse registry information from Volatility.
Regutils is a collection of programs that can assist in the installation of windows 9x software on diskless clients. The basic procedure is to take a snap shot of a system before and after a piece of software is installed and then look at what changed.
RegViewer is GTK 2.2 based GUI Windows registry file navigator. It is platform independent allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.
Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
As its name indicates, rifiuti2 is a rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. Analysis of Windows Recycle Bin is usually carried out during Windows computer forensics. Quoting from original Foundstone page:
Rootkit scanner is scanning tool to ensure you for about 99.9% you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like: MD5 hash compare, Look for default files used by rootkits, Wrong file permissions for binaries, Look for suspected strings in LKM and KLD modules, Look for hidden files, Optional scan within plaintext and binary files.
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.
Description: 'sdd' is a replacement for a program called 'dd'. sdd is much faster than dd in cases where input block size (ibs) is not equal to the output block size (obs). Statistics are more easily understood than those from 'dd'.Timing available, -time option will print transfer speed Timing & Statistics available at any time with SIGQUIT (^\) Can seek on input and output Fast null input Fast null output. Support for the RMT (Remote Tape Server) protocol makes remote I/O fast and easy.
SMTPCAT will read a pcap file and attempt to identify all smtp conversations and print info about them in the following format:
a. [INDEX] (Sender IP) --> (SMTP Server IP)
b. [INDEX] (Sender e-mail) --> (Receiver e-mail) (Date)
c. [INDEX] (SUBJECT)
d. [INDEX] (AuthSMTP Passwd) <-- this is outputted only with the –p option
This is a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.
In addition to packet capture it can be used to read back a capture file. It is able to decode layer 2 through to layer 4 protocols, and some higher layer protocols as well. Decoded packets may be displayed in raw or ASCII.
Perhaps the most powerful feature is the inclusion of an extremely powerful filtering language called the "Berkley Packet Filter" BPF.
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis
tcpreplay is a BSD-style licensed tool to replay saved tcpdump files at arbitrary speeds. It provides a variety of features for replaying traffic for both passive sniffer devices as well as inline devices such as routers, firewalls, and the new class of inline IDS's.
Tool to check and undelete partition. Works with the following partitions: FAT12 FAT16 FAT32, Linux EXT2/EXT3/EXT4, Linux SWAP (version 1 and 2), Linux Logical Volume Manager (LVM), Linux Raid, Linux LUKS, NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.
Operating System support is comprehensive, with precompiled binaries available for many popular types.
A collection of command line tools and a C library for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.
An approach to track or identify, the sender of an email through the use of social engineering and a remotely hosted image.
Volatility is an extensible memory forensics tool using python. Volatility comes with a number of standard plugins. The plugins use various techniques to extract artifacts from volatile memory (RAM) samples, these include:
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
Volatility also has support for extracting artificats from Windows Hibernation files and Windows crash dump files.
To view further documentation and follow latest developments visit http://code.google.com/p/volatility/
WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.
Wireshark® is the world's most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.
xmount allows you to convert on-the-fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file.
The Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract from a network capture (pcap file or real-time acquisition) all application data content. For example, Xplico is able to extract all emails carried by the POP and SMTP protocols and all content carried by HTTP protocols from a pcap file.
A graphical front-end that allows an investigator to manage event reconstruction. Super events may be created based on selected sub-events. Events may be moved around via drag-and-drop or directly assigned to a super event hierarchy. The event hierarchy can be displayed in a tree-like view allowing to collapse all or select branches. This way, an investigator can concentrate on events only relevant to his direct attention.