Forensic Tools (資安鑑定)
The ext3 or third extended filesystem is a journaled file system that is commonly used by the Linux kernel. It is the default file system for many popular Linux distributions. Stephen Tweedie first revealed that he was working on extending ext2 in Journaling the Linux ext2fs Filesystem in a 1998 paper and later in a February 1999 kernel mailing list posting, and the filesystem was merged with the mainline Linux kernel in November 2001 from 2.4.15 onward. This project is mainly to read EXT2/3 information. The extension is currently in alpha phase but will be released soon (eta within 2/3 weeks)
This tool is programmed in Python so you'll need a Python interpreter which is pretty usual on Linux boxes but not in Windows. Be aware that TSpoofer nowadays only deals with atime a mtime so it's rather vulnerable to be detected by tools that use ctime to find anomalies like (mtime!=ctime). I'm working on a TSpoofer version capable of changing ctime too but I'll have to deal with low-level stuff so it wont be easy. TSpoofer usage is quite simple. When you want to modify a folder use this tool to store its timestamps (it uses a recursive algorithm so you'll only have to use it against top level folder). After modifying any file inside stored folder you can use TSpoofer to set every file timestamps to its previous value. Last step wold be erasing temp files created by TSpoofer.
A qt4 app that visualizes on disk registry hives. It provides a gui, and basic statistics. Annotates some binary fields in SAM hives to allow them to be interpreted more easiliy. Decrypts SAM hashes and lsa secrets (PolEncryptionKey & PolEKlist). The project developed on linux, tested for windows. Also, is licensed under GNU General Public License v2 (GPLv2).
Trisul is a flexible network traffic monitor. It meters bandwidth usage, counts sessions, and stores raw packets for future analysis. All traffic data is stored in a SQLITE3 database. It communicates with the outside world via the Trisul Remote Protocol (TRP) and via a Ruby-on-rails application called Web-Trisul. The applications: 1. Remote probe for network analyzers; 2. Source of statistical and flow data; 3. Standalone web based traffic monitor.
Script to extract information from windows prefetch folder (forensics use). Version 1.1 - Added MD5/SHA1 hash function. Version 1.2 - Added function to list top x accessed executables and more websites to perform lookup on executable names. Version 1.4 - Added speed optimization and multicores support (reduced from 3.8mb to 2.2mb for executable). Tis project is licensed under GNU General Public License v3 (GPLv3).
Revealer Web Access (RWA) is a frontend web application designed to use and manage the Revealer Toolkit (RVT) computer forensics software. The aim of this project is to provide a visual, easy and intuitive management of RVT, extending its functionality. RWA is designed to implement the following features: (1) Investigator authentification. (2) Case/device/disk management using context menus. (3) Case/device/disk navigation. (4) Select and automate RVT scripts execution based on queues. (5) Provide plugins for the visualization of script results (such as image browsing, timeline viewing...) (6) Bookmarks system that allows investigators to anotate and organize relevant results. (7) Cross-Plataform to allow its use on Internet Explorer, Firefox, Opera or Safari web browsers.
dbcGrabber is a thin JDBC wrapper similar to the defunct P6Spy wrapper. With it, you can wrap a vendor's JDBC wrapper in order to capture diagnostic information about what kind of SQL is being executed by your application. The wrapper's pluggable architecture allows you to develop any kind of "sink" you like to process statements. Its original intention was to reverse engineer legacy applications inside corporations where documentation is scarce and the original developers are gone.
This project is an implementation of a Google Wave Robot designed to perform very basic file forensic analysis. The ultimate purpose of its creation is to evaluate Wave's potential to accomplish more sophisticated tasks in digital forensics analysis. To use Forensie, add 'email@example.com' to your Wave contacts, then simply add Forensie to the wave and input the data to be processed.
Vol2html takes output files created by Volatility and creates an html report for correlation and easier browsing. The script is zipped in order to preserve its integrity, you can use 7zip to extract it. This project is license under GNU General Public License v3 (GPLv3).
Python script to parse NTFS transaction log entries from the UsnJrnl alternate data stream. The $USNJRNL logs changes to the NTFS file system. It will record that changes occurred to file data or metadata, but will not record the content of the changes. It is enabled by default in Vista and is optional in XP. All Windows version after XP have the capability to log changes. On systems where the $USNJRNL is enabled, it can be found at the root of the NTFS partition in the $EXTEND folder. The file consists of two data streams, $USNJRNL $MAX and $USNJRNL $J. The $J data stream actually contains the transaction log entries that this tool is intended to parse. This tool is intended to assist in computer forensics examinations of Windows systems. It will provide a description of the change, the filename, and the timestamp for each log entry.
Poorcase is a perl script that takes all the dirty work of virtually reconstructing a "dd 4g" split disk image back into something more friendly under a Linux operating system. It supports both read-write and read-only mode, and does not require you to concatenate the split disk image together yourself -- this is all done using Device Mapper, partx, and loopback devices. The author use this to decrypt "whole disk encryption" through a virtual machine booted from a "universal boot cd" with the encryption software pre-packaged, along with the recovery key.
dd is a common Unix program whose primary purpose is the low-level copying and conversion of raw data. dd is an application that will "convert and copy a file". dd is used to copy a specified number of bytes or blocks, performing on-the-fly byte order conversions, it can also be used to copy regions of raw device files.
Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. It can also list communications open by each process. Open files in the system include disk files, pipes, network sockets and devices opened by all processes. One use for this command is when a disk cannot be unmounted because (unspecified) files are in use. The listing of open files can be consulted (suitably filtered if necessary) to identify the process that is using the files.
Fatback is a forensic tool for undeleting files from FAT file systems. Fatback is different from other undelete tools in that it does the following: (1) Runs under UNIX environments; (2) Can undelete files automatically; (3) Supports Long File Names; (4) Supports FAT12, FAT16, and FAT32; (5) Powerful interactive mode; (6) Recursively undeletes deleted directories; (7) Recovers lost cluster chains; (8) Works with single partitions or whole disks.
This PSmisc package is a set of some small useful utilities that use the proc filesystem. We're not about changing the world, but providing the system administrator with some help in common tasks. There is options for using SELinux if you need it and fuser understands IPv6. It also speaks various languages using the gettext facilities. The package contains the following programs: fuser, killall, pstree, peekfd.
aw2vmdk is an OS independent Java utility that allows you to mount raw disk images, like images created by "dd", using VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format. The main features are: (1) Very simple command line interface; (2) No waiting for the raw image to be converted, just run and mount. (3) OS independent.
Libewf is a library for support of the Expert Witness Compression Format (EWF), it support both the SMART format (EWF-S01) and the EnCase format (EWF-E01). Libewf allows you to read and write media information within the EWF files. Its main features are: (1) Read or write access for E01 and s01; (2) Read and write access using delta files for E01 and s01; (3) Resume write for E01 and s01; (4) Read access for L01 (logical evidence file).
A simple GTK+ frontend for tableau-parm to view attached Tableau bridges and devices. gTableauParm is similar to the Tableau Disk Monitor for Windows. It is a GTK front-end for tableau-parm, written in C++/Gtkmm. It shows Tableau-Bridges and attached Devices in a TreeView and shows the different information's about write-protection, DCO/HPA Status etc.
guymager is a forensic imager for media acquisition. Its main features are: (1) Easy user interface in different languages; (2) Runs under Linux; (3) Really fast, due to multi-threaded, pipelined design, multi-threaded data compression; (4) Makes full usage of multi-processor machines; (5) Generates flat (dd), EWF (E01) and AFF images. Guymager is contained in the standard repositories of several distributions, for example Debian (Squeeze or later) and Ubuntu (10.04 or later). In Ubuntu, the universe repository must be activated. You may select the Ubuntu menu System / Administration / Software Sources for doing so.