Forensic Tools (Security Forensics)
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. GNU ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps. The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.
AIR (Automated Image & Restore) is a GUI front-end to dd/dc3dd designed for easily creating forensic disk/partition images. It supports MD5/SHAx hashes, SCSI tape drives, imaging over a TCP/IP network, splitting images, and detailed session logging. This program is licensed under the GNU General Public License v2.
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.
The Coroner's Toolkit (TCT) is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system. The software was first presented in a Computer Forensics Analysis class in August 1999 (handouts can be found on the web site). Examples of using TCT can be found in our Forensic Discovery book. Note: consider using Brian Carrier's Sleuthkit. It is the official successor, based on parts from TCT. Development of the Coroner's Toolkit was stopped years ago. It is updated only for bugfixes, which are very rare, and after Wietse discovers that the programs no longer work on a new machine.
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log the necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user. A "magic" group can be specified, allowing members of this group to run any setuid/setgid root executable.
FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.
AFF and AFF-Related Forensic Software
USB History Dump is a forensic tool used to trace evidence of USB thumb drive activity from the Windows Registry. It can be used to gather information such as the last time the thumb drive or mp3 player was connected as well as the last drive letter.
FLAG (Forensic and Log Analysis GUI) is an advanced forensic tool for the analysis of large volumes of log files and forensic investigations. PyFlag features a rich FeatureList which includes the ability to load many different log file formats and to perform forensic analysis of disks and images. PyFlag can also analyse network traffic as obtained via tcpdump quickly and efficiently.
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
This is a collection of utilities and libraries intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment. The components in this collection are intended to permit the investigator to sterilize media for forensic duplication, discover where logical volume information is located, and collect the evidence from a running computer system while at the same time ensuring data integrity (e.g. with cryptographic checksums) and minimizing distortive alterations to the subject system.