Forensic Tools (資安鑑定)
ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
Platform: Windows/Linux/BSD/Mac OS;License: GNU General Public License
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer. They can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
Platform: Windows/Linux/BSD;License: GNU General Public License v2
DWIP is short for Disk Wiping and Imaging Tool. This tool is being built for Mississippi State Universities National Forensics Training Center for use on a live cd to give out to it's students. The main features are: (1) Wipe media using a zero pattern, a 1 pattern, a user entered hex string, a random hex string, and using a pseudo DOD style wipe. The DOD wipe is 7 passes 3 passes each time 1's the first time 0's the second time and random the third time. (2) Imaging media in DD, E01, and AFF format. Copy one image to another location.
Platform: Linux/BSD;License: GNU General Public License
This project is the home of tools associated with the book "Windows Forensic Analysis", as well as other subsequent tools I've written and offer to the IR/CF community. These tools include RegRipper, etc. The project is licensed under GNU General Public License (GPL).
Platform: Windows;License: GNU General Public License
ff3hr is a forensic tool to recover deleted history records from Firefox 3. This browser uses various SQLite databases to store the history, and this tool can search and recover records from four different tables in an whole disk image. The project is licensed under GNU General Public License (GPL).
Platform: Firefox 3;License: GNU General Public License
WebJob downloads a program or script from a remote WebJob server and executes it in one unified operation. Any output produced by the program/script is packaged up and sent to a remote, possibly different, WebJob server. WebJob is useful because it provides a mechanism for running known good programs on damaged or potentially compromised systems. This makes it ideal for remote diagnostics, incident response, and evidence collection. WebJob also provides a framework that is conducive to centralized management. Therefore, it can support and help automate a large number of common administrative tasks and host-based monitoring scenarios such as periodic system checks, file updates, integrity monitoring, patch/package management, and so on.
Platform: Windows/Linux/BSD/AIX/Solaris;License: BSD License
Netcat is a featured networking utility which reads and writees data across network connections, using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
Platform: Linux/BSD;License: GNU General Public License v3
'sdd' is a replacement for a program called 'dd'. sdd is much faster than dd in cases where input block size (ibs) is not equal to the output block size (obs). Statistics are more easily understoon than those from 'dd'. Timing available, -time option will print transfer speed Timing & Statistics available at any time with SIGQUIT (^\) Can seek on input and output Fast null input Fast null output. Support for the RMT (Remote Tape Server) protocol makes remote I/O fast and easy.
Platform: Windows/Linux/BSD/Mac OS;License: GNU Lesser General Public License
"Deeptoad" is a (python) library and a tool to clusterize similar files using fuzzy hashing techniques. A cryptographic function tries to identify unequivocally one given input (i.e., tries to identify only one file). Extracted from the wikipedia, an ideal cryptographic hash function have 4 properties: 1. it is easy to compute the hash value for any given message, 2. it is infeasible to find a message that has a given hash, 3. it is infeasible to modify a message without changing its hash, 4. it is infeasible to find two different messages with the same hash. This project is inspired by the well known tool ssdeep and license under GNU Lesser General Public License.
Platform: Windows/Linux/BSD/Mac OS;License: GNU Lesser General Public License
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Platform: Windows/Linux/BSD/Mac OS;License: GNU General Public License v2
LibForensics is a library for developing digital forensics applications. Currently it is developed in pure Python. After a majority of the code has been developed and stabilized, the bottlenecks will likely be converted into C-based modules. LibForensics requires Python version 3.1. You can get the latest version of Python from https://www.python.org. This program is license under GNU Lesser General Public License.
Platform: Windows;License: GNU Lesser General Public License v2.1
fastDDF is a cross platform, distributed tool to perform ASCII searches across large disk images. It was produced as part of a requirement for an award within the modular scheme at the University of Gloucestershire. The scope is: A three computer system with one co-ordinator and two workers. The co-ordinator should be able to distribute a hard disk image between workers, issue user commands to the workers and receive, store and display results from the worker nodes. The nodes should be able to receive commands and disk image portions from a co-ordinator, perform the commands and return any results to the co-ordinator.
Platform: Windows/Linux/BSD/Mac OS;License: GNU General Public License v3
atv-forensics means "Forensics patchstick for the Apple TV". The project focus on Apple TV, and its purpose is Apple TV forensics patchstick. The first released at the DoD Cyber Crime Conference 2010. All source code is just a shell script, means easy to learn, easy to hack. This program is license under GNU General Public License v2 (GPLv2).
Platform: Mac OS;License: GNU General Public License v3
DEFT (acronym of 'Digital Evidence & Forensic Toolkit) is a customized distribution of the Kubuntu live Linux CD. It is a very easy to use system that includes an excellent hardware detection and the best open source applications dedicated to incident response and computer forensics. Deft is meant to be used by: (1) police; (2) investigators; (3) system administrator; (4) individuals. And all the people who need to use forensic tool but don't know the open source operative systems and the Forensic techniques.
Platform: Linux;License: GNU General Public License v2
viaForensics has developed many techniques for forensically acquiring data from Android devices. One strategy is to develop an open source framework for the logical extraction of data from Android devices. For various reasons, the project decided to remove the source code for this project however they distribuite it for free to active law enforcement and government employees responsible for digital forensics.
Platform: Android;License: GNU General Public License v3
Fenris is a suite of tools suitable for code analysis, debugging, protocol analysis, reverse engineering, forensics, diagnostics, security audits, vulnerability research and many other purposes. A high-level tracer, a tool that detects the logic used in C programs to find and classify functions, logic program structure, calls, buffers, interaction with system and libraries, I/O and many other structures. Fenris is mostly a "what's inside" tracer, as opposed to ltrace or strace, tracers intended to inspect external "symptoms" of the internal program structure. Fenris does not depend on libbfd for accessing ELF structures, and thus is much more robust when dealing with "anti-debugging" code.
BIEW is multiplatform portable viewer of binary files with built-in editor with binary, hexadecimal, and disassembler modes. It uses native Intel syntax for disassembly and offers many useful features such as highlighting for AVR/Java/x86-AMD64/ARM-XScale/PPC-64 code, Russian codepage converter, full preview of formats MZ, NE, PE, NLM, COFF32, ELF (and partially a.out, LE, LX, PharLap), code navigator, and much more.
secUbuntu is means "Ubuntu based Linux distribution focused on security testing". secUbuntu aims to bundle the most common tools used for security testing and analysis as well as data recovery in one easy to install package. Documentation for performing specific tasks will also be included.
Wbf means "Web Browser Forensics: a tool for UNIX forensics". Computer crime is evolving and more tools are needed to perform investigations. This is a tool to perform forensics operations on firefox, opera and konqueror when they are executed on UNIX operating systems. This project is licensed under GNU General Public License v3 (GPLv3).