CAINE LiveCD

Forensic Tools... whatis list

Post  joetekno Thu Dec 17, 2009 10:35 pm

Here is my attempt at a quick "what is" list of some of the tools available on CAINE 1.5. Let me know of any errors or missing tools and I'll add them. It is my hope to create a quick "example" guide also.

AIR
Stands for Automated Image and Restore
AIR is a GUI front-end to dd and dcfldd designed for easily creating forensic bit images.

-----------------------------------------------------------

Abiword 2.6.4
AbiWord is a free word processing program similar to Microsoft® Word. It is suitable for a wide variety of word processing tasks.

-----------------------------------------------------------

Autopsy 2.21
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
Conduct File Listing, View File Content, Compare files in user created or downloaded Hash Databases, File Type Sorting by internal signatures, Create a Timeline of File Activity, conduct Keyword Searches, File System Meta Data Analysis, Data Unit (File Content) Analysis in multiple formats, File System Image Details; Case Management of one or more host computers, Event Sequencer allows you to add time-based events from other systems (i.e. firewall/IDS logs), Notes about case, Image Integrity verification, Report Creation, Audit Logging of investigation.

-----------------------------------------------------------

Afflib
The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata. AFF is an open and extensible file format to store disk images and associated metadata. Using AFF, the user is not locked into a proprietary format that may limit how he or she may analyze it. An open standard enables investigators to quickly and efficiently use their preferred tools to solve crimes, gather intelligence, and resolve security incidents.

-----------------------------------------------------------

AtomicParsley
AtomicParsley is a lightweight command line program for reading, parsing and setting metadata into MPEG-4 files

-----------------------------------------------------------

Bkhive
bkhive is a tool to extract the Windows system key that is used to encrypt the hashes of the user passwords.

-----------------------------------------------------------

Cryptcat
Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.

-----------------------------------------------------------

Chntpw
This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista etc. system. There is also a registry editor and other registry utilities that work under Linux/Unix, and can be used for other things than password editing.

-----------------------------------------------------------

dos2unix
dos2unix - DOS/MAC to UNIX text file format converter

-----------------------------------------------------------

Ddrescue
ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.

-----------------------------------------------------------

Dcfldd
dcfldd is an enhanced version of GNU dd with features useful for forensics and security. dcfldd can hash the input data as it is being transferred, helping to ensure data integrity, verify that a target drive is a bit-for-bit match of the specified input file or pattern, output to multiple files or disks at the same time, split output to multiple files with more configurability than the split command, send all its log data and output to commands as well as files natively.

-----------------------------------------------------------

dc3dd
dc3dd is a patched version of GNU dd to include a number of features useful for computer forensics. Many of these features were inspired by dcfldd, but were rewritten for dc3dd.
dc3dd can write a single hexadecimal value or a text string to the output device for wiping purposes. Piecewise and overall hashing with multiple algorithms and variable size windows. Supports MD5, SHA-1, SHA-256, and SHA-512. Hashes can be computed before or after conversions are made. Progress meter with automatic input/output file size probing. Combined log for hashes and errors. Error grouping. Produces one error message for identical sequential errors. Verify mode. Able to repeat any transformations done to the input file and compare it to an output. Ability to split the output into chunks with numerical or alphabetic extensions.

-----------------------------------------------------------

Dvdisaster
dvdisaster stores data on CD/DVD/BD (supported media) in a way that it is fully recoverable even after some read errors have developed. This enables you to rescue the complete data to a new medium.

-----------------------------------------------------------

Exif
The Exchangeable image file format (Exif) is an image file format which adds or reveals lots of metadata to or from existing image formats, mainly JPEG.

-----------------------------------------------------------

Foremost
Foremost is a console program to recover files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.

-----------------------------------------------------------

Firefox 3.0.5
Web Browser

-----------------------------------------------------------

Fundl 2.0
This is a selective deleted file retriever with HTML reporting. It is TSK based.

-----------------------------------------------------------

FKLook
This script can be used to search for a keyword in many files and it copies only the files that have a matching keyword to a separate directory of your choosing.

-----------------------------------------------------------

Fod
FOD stands for Foremost output divide. This is a script for splitting foremost output directories contents into subdirectories with a defined number of files for each type of format file.

-----------------------------------------------------------

Fatback
A program for recovering files from FAT file systems.

-----------------------------------------------------------

GCalcTool
'gcalctool' is the desktop calculator.

-----------------------------------------------------------

Geany
Geany is a text editor.

-----------------------------------------------------------

Gparted
The GParted application is a partition editor for creating, reorganizing, and deleting disk partitions.

-----------------------------------------------------------

gtk-recordmydesktop
recordMyDesktop is a desktop session recorder that attempts to be easy to use, yet also effective at its primary task.

-----------------------------------------------------------

Galleta
Galleta is an Internet Explorer Cookie Forensic Analysis Tool. Galleta was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.

-----------------------------------------------------------

Gtkhash
A GTK+ utility for computing message digests or checksums using the mhash library. Currently supported hash functions include MD5, SHA1, SHA256, SHA512, RIPEMD, HAVAL, TIGER and WHIRLPOOL.

-----------------------------------------------------------

Guymager
guymager is a forensic imager for media acquisition.

-----------------------------------------------------------

HFSutils
HFS is the “Hierarchical File System,” the native volume format used on modern Macintosh computers. hfsutils is the name of a comprehensive software package being developed to permit manipulation of HFS volumes from UNIX and other systems.

-----------------------------------------------------------

Hex Editor (Ghex)
GHex - a hex editor for GNOME
GHex allows the user to load data from any file, view and edit it in either hex or ascii.

-----------------------------------------------------------

LRRP
LRRP is a bash script for gathering information on the devices you need to acquire for making a forensic image file.

-----------------------------------------------------------

Libewf
Libewf is a library for support of the Expert Witness Compression Format (EWF); it supports both the SMART format (EWF-S01) and the EnCase format (EWF-E01). Libewf allows you to read and write media information within the EWF files.

-----------------------------------------------------------

Lnk-parse
This is a perl script for parsing the *.lnk files

-----------------------------------------------------------

lnk.sh
Analysis of Windows LNK files

-----------------------------------------------------------

liveusb

-----------------------------------------------------------

mork.pl
This is a perl script for reading firefox history data

-----------------------------------------------------------

MD5deep
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is able to recursively examine an entire directory tree. md5deep can accept a list of known hashes and compare them to a set of input files, and more.

-----------------------------------------------------------

md5sum
md5sum - compute and check MD5 message digest

-----------------------------------------------------------

ntfs-3g
NTFS-3G is a stable read/write NTFS driver for Linux, Mac OS X, FreeBSD, NetBSD, OpenSolaris, QNX, Haiku, and other operating systems. It provides safe and fast handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008 and Windows 7 file systems.

-----------------------------------------------------------

Offset_Brute_Force
This shell script will brute force the partition offset looking for a hidden partition and try to mount it.

-----------------------------------------------------------

Ophcrack
Ophcrack is a free Windows password cracker based on rainbow tables.

-----------------------------------------------------------

Pasco
Pasco is an Internet Explorer activity forensic analysis tool. Pasco was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.

-----------------------------------------------------------

Photorec
PhotoRec recovers files from the unallocated space using file type-specific header and footer values.

-----------------------------------------------------------

Reglookup
RegLookup is a small command line utility for reading and querying Windows NT-based registries. Currently the program allows one to read an entire registry and output it in a (mostly) standardized, quoted format. It also provides features for filtering of results based on registry path and data type.

-----------------------------------------------------------

Rifiuti
Rifiuti is a Recycle Bin Forensic Analysis Tool. Rifiuti was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program.

-----------------------------------------------------------

Rifiuti2
As its name indicates, rifiuti2 is a rewrite of rifiuti. Rifiuti (last updated 2004) is restricted to English versions of Windows (it fails to analyze any non-Latin character), hence this rewrite. It also supports Windows file names in any language, supports Vista and Windows 2008 “$Recycle.Bin” (no longer uses the INFO2 file), enables localization (that is, it is translatable) by using glib, has more rigorous error checking, and supports output in XML format.

-----------------------------------------------------------

Readpst
readpst converts PST (MS Outlook Personal Folders) files to mbox and other formats.

-----------------------------------------------------------

Scalpel
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.

-----------------------------------------------------------

SFDumper 2.1
SFDumper is a selective file retriever; it works on active, deleted and carved files. It can do a keyword search among the files retrieved. It is TSK based.

-----------------------------------------------------------

Stegdetect
Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images.

-----------------------------------------------------------

Smartmontools
The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI harddisks. In many cases, these utilities will provide advanced warning of disk degradation and failure.
Smartmontools… automatically reports and highlights any anomalies; allows enabling/disabling SMART; allows enabling/disabling Automatic Offline Data Collection - a short self-check that the drive will perform automatically every four hours with no impact on performance; supports configuration of global and per-drive options for smartctl; performs SMART self-tests; displays drive identity information, capabilities, attributes, and self-test/error logs; can read in smartctl output from a saved file, interpreting it as a read-only virtual device; works on most smartctl-supported operating systems; has extensive help information.

-----------------------------------------------------------

sha256sum
sha256sum - compute and check SHA256 message digest

-----------------------------------------------------------

Steghide
Steghide is a steganography program that is able to embed or extract data in various kinds of image- and audio-files.

-----------------------------------------------------------

Shred
shred - delete a file securely, first overwriting it to hide its contents

-----------------------------------------------------------

sha512sum
sha512sum - compute and check SHA512 message digest

-----------------------------------------------------------

Testdisk
TestDisk was primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table).

-----------------------------------------------------------

TheSleuthKit 3.0.1
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.

-----------------------------------------------------------

Tigerdeep
tigerdeep - Compute Tiger message digests

-----------------------------------------------------------

Tableau-Parm
tableau-parm is a small command-line utility designed to interact with Tableau forensic write blockers. It performs functions similar to the Tableau Disk Monitor, except that it operates under select UNIX platforms.

-----------------------------------------------------------

Tkdiff
tkdiff is a graphical front end to the diff program. It provides a side-by-side view of the differences between two files, along with several innovative features such as diff bookmarks and a graphical map of differences for quick navigation.

-----------------------------------------------------------

Userassist
This is a perl script offline parser for the “UserAssist” registry key.

-----------------------------------------------------------

VLC
VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac ...) as well as DVDs, Audio CDs, VCDs, and various streaming protocols.

-----------------------------------------------------------

Wicd
Wicd is an open source wired and wireless network manager for Linux which aims to provide a simple interface to connect to networks with a wide variety of settings.

-----------------------------------------------------------

Whirlpooldeep
Compute Whirlpool message digests

-----------------------------------------------------------

Wipe
Wipe is a secure file wiping utility.

-----------------------------------------------------------

Xhfs
xhfs presents a graphical front-end for browsing and copying files on HFS-formatted volumes.

-----------------------------------------------------------

Xdeview
XDeview is a smart decoder for attachments that you have received in encoded form via electronic mail or from the usenet.

-----------------------------------------------------------

Re: Forensic Tools... whatis list

Post  denis Fri Dec 18, 2009 4:22 pm

Thanks Joe!!
I'll talk to Nanni to put this list on the Caine site!
Thanks!


Re: Forensic Tools... whatis list

Post  nannib Fri Dec 18, 2009 6:09 pm

Thanks JoeTekno, many thanks... here is your work:
http://www.caine-live.net/page11/page11.html
Thanks again, great job!
