Windows

analyzeMFT

Author: 
David Kovar

analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in a format that allows further analysis with other tools.

Clam AntiVirus

Author: 
Tomasz Kojm

Clam AntiVirus is a GPL anti-virus toolkit for UNIX with a port for Windows. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software.

Computer Forensic Reference Data Sets (CFReDS)

Author: 
NIST

The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. The National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.

Cuckoo Sandbox

Author: 
Claudio "nex" Guarnieri

In three words, Cuckoo Sandbox is a malware analysis system.

Its goal is to provide you with a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.

It's mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.

But it can do much more...
It's up to you to discover what and how.

Some of the results that Cuckoo generates are:

DD - GUI Wizard [Perl Frontend]

Author: 
Thamir Alshammari & Michael Boncoddo

[Purpose]
This tool provides the user with a GUI frontend (written in Perl) for the popular program dd. The frontend has been designed to allow for the same functionality as using dd via the command line or a terminal.

[Features]
-Local/Remote imaging.
-Netcat/Cryptcat ready.
-MD5, SHA1, and other hash methods are provided.
-GUI based directories.
-DD command line argument options.
-Summary Reports.
-Imaging completion status display.

[OS Support]
-Windows XP to 7
-Variants of Linux
-OSX versions with dd.

DOWNLOAD LOCATION: http://ddgui.myftp.org/ddgui.zip

DeepToad

Author: 
Joxean Koret

"DeepToad" is a Python library and tool to cluster similar files using fuzzy hashing techniques. This project is inspired by the well-known tool ssdeep.

DEFT Linux Boot CD

Author: 
Stefano Fratepietro

DEFT Linux v5 is an Italian project that is based on kernel 2.6.31 and uses the LXDE desktop environment and the Thunar file manager in conjunction with the best free and open source applications dedicated to incident response and computer forensics. In addition, DEFT Extra 2.0 (Computer Forensic GUI) comes with the best freeware Windows computer forensic tools.

DEFT is meant to be used by:

* police
* investigators
* system administrators
* individuals who need to use forensic tools to recover data

dff

Author: 
Frederic Baguelin, Solal Jacob, Christophe Malinge, Jeremey Mounier, and Francois Percot

DFF is a simple but powerful open source tool with a flexible module system written in C++ and Python. The aim is to provide an extensible framework by which additional features may be added to analyze and recover any kind of digital artifact.

Latest developments and contributions available from http://tracker.digital-forensic.org
Documentation available from http://wiki.digital-forensic.org

Digital Corpora

Author: 
Simson Garfinkel

DigitalCorpora.org is a website of digital corpora for use in computer forensics research. Some of the corpora on this website are freely available, while others are only available to researchers under special arrangement.

Images include

* Cell Phone Dumps
* Disk Images
* Files
* Scenarios

Digital Forensics Tool Testing (DFTT)

Author: 
Brian Carrier

A collection of file system and disk images that test the functionality of analysis tools.

Website: 

http://www.dftt.org

eCryptfs Parser

Author: 
Ted Smith

eCryptfs Parser is a GUI for Linux and Windows that recursively parses the headers of every eCryptfs file found in a given directory. It will tell you what encryption algorithm was used, the original file size of the file before it was encrypted, the private signature used, etc.

Event Log Parser

Author: 
Jamie French

A PHP script to parse Windows event logs.

Explore2fs

Author: 
John Newbigin

Explore2fs allows you to view the contents of an Ext2FS partition from within Windows.

file

Author: 
Christos Zoulas

Guesses file type based on magic header and footer values.

Forensic Acquisition Utilities

Author: 
George Garner

A collection of Windows tools such as 'dd.exe', 'md5sum.exe', 'wipe.exe', and 'nc.exe'. The version of 'dd' in this package can also image memory contents in addition to disks.

FTimes

Author: 
Klayton Monroe

FTimes is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.

Galleta

Author: 
Keith Jones

Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Gatekeeping Out Of The Box: Open Source Software As A Mechanism To Assess Reliability For Digital Evidence

Author: 
Erin Kenneally

This article examines digital evidence reliability by first identifying and differentiating the two competing categories of software from which this evidence is derived: proprietary and Open Source. The next section explores the standards for software reliability in both the industrial marketplace and the legal arena. Specifically, the current standards are addressed in light of their value to industry and the law, as well as their respective historical origins. This sets the stage for a reconciliation of standards for reliability as between industry and the courtroom.

How to do full packet capture on a Cisco Firewall, in 4 steps.

Author: 
Amar Yousif

Step by step instructions on how to start a full payload packet capture on a Cisco ASA.

I Have The Power

Author: 
Ted Smith

A Windows\Linux GUI for demonstrating the numerical enormity of large hash algorithms like MD5 (128 bits), SHA1 (160 bits), SHA256 (256 bits) and SHA512 (512 bits). It is designed for the delivery of demonstrations about hashing to non-technical audiences such as jury panels, lawyers, students, case officers and so on by converting the scientific notation of the algorithm to "The chance of two different files having the same X hash value is 1 in XX billion\trillion....".

INDXParse

Author: 
Willi Ballenthin

INDXParse parses NTFS INDX/$I30 files to extract file entry information, such as filenames and timestamps. The tool supports recovering entries from the slack space within the INDX structures. The tool outputs results to CSV or Bodyfile formats.

libbde

Author: 
Joachim Metz

Library and tools to support the BitLocker Drive Encryption (BDE) format.

libesedb

Author: 
Joachim Metz

Library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in many different applications, such as Windows Search, Windows Mail, Exchange, Active Directory, etc.

libevt

Author: 
Joachim Metz

Library and tooling to access the Windows Event Log (EVT) format.

libewf

Author: 
Joachim Metz

Libewf is a library for support of the Expert Witness Compression Format (EWF); it supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.

LibForensics

Author: 
Michael Murr

LibForensics is a Python framework for developing computer forensics applications. LibForensics also includes a series of demo tools that use the framework to extract information from various types of evidence/artifacts.

libfvde

Author: 
Omar Choudary, Joachim Metz

Library and tools for reading FileVault2 Drive Encryption (FVDE) encrypted volumes.

liblnk

Author: 
Joachim Metz

Library and tools to access the Windows Shortcut File (LNK) Format.

libmsiecf

Author: 
Joachim Metz

Library and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.

libnk2

Author: 
Joachim Metz

Library and tooling to support the Microsoft Outlook Nickfile (NK2) format. The nickfile is used to store email address aliases.

libpff

Author: 
Joachim Metz

The libpff package contains a shared library and tools to analyze Microsoft Outlook Personal Folder Files (PFF). PFF files, such as PAB, PST and OST files, are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides pffexport to export PFF items, pffinfo to provide basic information about PFF files, and pffexport -m recover to recover and export PFF items.

libvshadow

Author: 
Joachim Metz

Library and tools to support the Volume Shadow Snapshot (VSS) format.

Live View

Author: 
CERT

Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.

md5deep

Author: 
Jesse Kornblum

md5deep is an MD5 program that can compute hashes recursively, compare hashes with a database, and estimate the time to completion.

MD5summer

Author: 
Luke Pascoe

MD5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums. Its output file is compatible with the output of the Linux GNU MD5Sum and it will also read Linux generated files.

netcat

Author: 
hobbit

Netcat has been dubbed the network Swiss Army knife. It is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol. It can be used on a trusted server to save data from a suspect system, and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk.

NetSleuth

Author: 
NetGrab Ltd

NetSleuth is an open source network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet). It also includes a live mode, silently identifying hosts and devices without needing to send any packets or put the network adapters into promiscuous mode ("silent portscanning").

As a new tool, the authors are keen to receive feedback and improve the tool for the forensic community.

Network Miner

Author: 
Erik Hjelmvik

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

nxlog

Author: 
nxlog.org

nxlog is a modular, multi-threaded, high-performance log management solution with multi-platform support. In concept, it is similar to syslog-ng or rsyslog, but is not limited to Unix/syslog only. It can collect logs from files in various formats, receive logs from the network remotely over UDP, TCP, or TLS/SSL on all supported platforms. It supports platform-specific sources such as the Windows Eventlog, Linux kernel logs, Android device logs, local syslog, etc. Writing and reading logs to/from databases is also supported for many database servers.

Website: 

http://nxlog.org

Open Source Computer Forensics Manual

Author: 
Matias Bevilacqua

An open-source manual for computer forensics covering methodology, process and delving into technical standard operating procedures.

Open Source Digital Forensics Tools: The Legal Argument

Author: 
Brian Carrier

This paper addresses open source digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, it must be reliable and relevant. The reliability is tested by applying Daubert guidelines. This paper examines the guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools would.

OpenGates

Author: 
Dan Gillen

Outport

Author: 
cheiflic

Outport provides a means of migrating information from Microsoft Outlook to Ximian Evolution and several standard data formats.

pasco

Author: 
Keith Jones

Pasco, the Latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

peepdf

Author: 
Jose Miguel Esparza

peepdf is a Python tool to explore PDF files in order to find out whether a file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks. With peepdf it is possible to see all the objects in the document, showing the suspicious elements; it supports the most commonly used filters and encodings, and it can parse different versions of a file, object streams and encrypted files.

psloggedon

Author: 
Mark Russinovich

You can determine who is using resources on your local computer with the "net" command ("net session"), however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one.

PST files from Enron Energy Corporation

Author: 
Electronic Discovery Reference Model (EDRM)

EDRM – the Electronic Discovery Reference Model – was created in 2005 by George Socha and Tom Gelbmann. Since 2005, over 300 e-discovery experts, vendors and end-users from more than 125 organizations have worked together to address the lack of standards and guidelines in the electronic discovery (e-discovery) market.

The EDRM reference model provides a common, flexible and extensible framework for the development, selection, evaluation and use of electronic discovery products and services. The completed model was placed in the public domain in May 2006.

pyflag

Author: 
Michael Cohen

The tool's name is an acronym for "Forensic and Log Analysis GUI". It was written for the analysis of various log file types and of network traffic, but it can also be used for the forensic analysis of disk images; it includes support for the Volatility framework (http://www2.opensourceforensics.org/node/15) and supports file carving to recover known file types.

pytbull

Author: 
Sebastien Damaye

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 9 testing modules:

python-registry

Author: 
Willi Ballenthin

python-registry is a pure Python module for reading from Windows Registry files (NTUSER.DAT, userdiff, etc.). It exposes a high level interface analogous to the MSDN APIs, and a low level interface for working with the internal structure of the Registry.

Quick Hash

Author: 
Ted Smith

A Linux & Windows GUI to enable the rapid selection and subsequent MD5, SHA1, SHA256 or SHA512 hashing of files, either individually or recursively throughout a folder structure, of text, of single files, and (since v.2.4.0) physical disks. The tool was designed for practitioners wanting to easily hash files in Linux but without the understanding of command line tools like sha1sum. It is also available for Windows.

RegRipper

Author: 
Harlan Carvey

The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.

Harlan Carvey has written a number of extremely useful tools, and his blog is an extremely useful resource. e.g.
http://windowsir.blogspot.com/2008/04/updated-regripper.html

It is also worth noting that regripper has its own dedicated forum. Additionally regripper can be harnessed together with Moyix's tool to parse registry information from Volatility.

RFIDIOt

Author: 
Adam Laurie

RFIDIOt is an open source python library for exploring RFID devices!

Website: 

http://rfidiot.org

Rifiuti

Author: 
Keith Jones

Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

shellbags.py

Author: 
Willi Ballenthin

shellbags.py is a cross-platform Windows Registry shellbag parser written in the Python programming language. The tool processes Registry hive files and produces output in the Bodyfile format. Shellbags.py supports shellbags from Windows XP and greater operating systems.

ssdeep

Author: 
Jesse Kornblum

A program for computing 'fuzzy hashes'. These can be used to identify files which are similar but not identical. The hashes are signatures, like MD5 hashes, but match non-identical files.

tcpdump

Author: 
Several - Collaborative

tcpdump is a powerful command-line packet analyzer; libpcap is a portable C/C++ library for network traffic capture.
In addition to packet capture it can be used to read back a capture file. It is able to decode layer 2 through layer 4 protocols, and some higher layer protocols as well. Decoded packets may be displayed in raw or ASCII form.

Perhaps the most powerful feature is the inclusion of an extremely powerful filtering language called the "Berkeley Packet Filter" (BPF).

TestDisk

Author: 
Christophe Grenier

Tool to check and undelete partitions. Works with the following partition types: FAT12, FAT16, FAT32, Linux EXT2/EXT3/EXT4, Linux SWAP (version 1 and 2), Linux Logical Volume Manager (LVM), Linux RAID, Linux LUKS, NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.

Operating System support is comprehensive, with precompiled binaries available for many popular types.

The disktype File System Sampler

Author: 
Christoph Pfisterer

The disktype File System Sampler is a collection of disk images with various file systems. Its purpose is to aid in the testing and development of the disktype program.

The Sleuth Kit

Author: 
Brian Carrier

A collection of command line tools and a C library for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.

Tracking an anonymous e-mailer

Author: 
Amar Yousif

An approach to track or identify the sender of an email through the use of social engineering and a remotely hosted image.

TULP2G

Author: 
Netherlands Forensic Institute (NFI)

TULP2G is a forensic software framework developed to make it easy to extract and decode data from digital devices. Besides the framework, it is distributed along with several plug-ins to read data from digital devices (at this point, mobile phones and SIM cards).

UnDBX

Author: 
Avi Rozen

Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files.

UnxUtils

Author: 
Karl Syring

Ports of GNU tools, including 'dd', that do not need special DLLs.

volatility

Author: 
AAron Walters

Volatility is an extensible memory forensics tool written in Python. Volatility comes with a number of standard plugins. The plugins use various techniques to extract artifacts from volatile memory (RAM) samples; these include:
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
Volatility also has support for extracting artifacts from Windows hibernation files and Windows crash dump files.

To view further documentation and follow latest developments visit http://code.google.com/p/volatility/

Webjob

Author: 
Klayton Monroe

WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.

Webscavator

Author: 
Sarah Lowman

Webscavator is a visualisation suite for the analysis of internet history. It accepts CSV files from Net Analysis, Web Historian and many other browser log parsers, and produces images and graphs to display the data. Webscavator is web based, and is written in Python and JavaScript.

Wireshark

Author: 
Wireshark Team

Wireshark® is the world's most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.
