Category: Auditing » Forensics

AIDE (Advanced Intrusion Detection Environment)
Added 2002-02-11
by Rami Lehti and Pablo Virolainen
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.

PMDump
Added 2002-02-05
by Arne Vidstrom
PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process. This can be useful in a forensic investigation.

macMatch
Added 2002-02-05
by Arne Vidstrom
macMatch lets you search for files by their last write, last access or creation time without changing any of these times. A tool like this can be useful in a forensic investigation.

LNS
Added 2002-02-05
by Arne Vidstrom
LNS is a tool that searches for NTFS streams (aka alternate data streams or multiple data streams). This can be useful in a forensic investigation.

The Coroner's Toolkit (TCT)
Added 2001-12-18
by Dan Farmer and Wietse Venema
TCT is a collection of programs that can be used for a post-mortem analysis of a UNIX system after a break-in. The software was first presented during a free Computer Forensics Analysis class that we gave one year ago (almost to the day). Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the keyfind tool that recovers cryptographic keys from a running process or from files.

pdd
Added 2001-12-06
by jgrand@atstake.com
The first tool of its kind for forensic analysis of Palm OS platform devices. pdd (Palm dd) is a Windows-based tool for Palm OS memory imaging and forensic acquisition. The Palm OS Console Mode is used to acquire memory card information and to create a bit-for-bit image of the selected memory region. No data is modified on the target device and the data retrieval is not detectable by the user of the PDA. Source code is available for research and legal verification purposes.

Modular Syslog
Added 2001-12-05
by Alejo
The modular syslog allows for an easy implementation of input and output modules. The modules that maintain compatibility with its precursor are included in the standard distribution along with four modules: om_peo (an implementation of PEO-1 and L-PEO, two algorithmic protocols for integrity checking), om_mysql and om_pgsql (modules that send output to a MySQL and PostgreSQL database, respectively) and om_regex (a module that allows output redirection using regular expressions).

hasher.pl
Added 2001-11-22
by H. Carvey
Hasher.pl is a script that creates a Tk GUI to implement a hashing utility for NT/2K. I wrote this at the request of a friend, and he specifically wanted a GUI. The script was successfully compiled using Perl2Exe, and the resulting standalone .exe file was successfully tested on NT SP6a and 2K SP2.

Streak
Added 2001-10-31
by Christo Butcher
The binary streak is the core tool in this distribution; it will perform the actual reading, processing, hashing, writing, etc. of the data. This binary has been compiled and tested on OpenBSD 2.9, so that is the recommended platform for its use. The floppy contains a miniature OpenBSD 2.9 installation that can run streak. See below for more information on the floppy version. An overview and short explanation of the supported options can be obtained by running the streak binary without any command-line flags, or by supplying the -h flag. If the given options aren't complete, the help overview will be given, followed by a reasonably descriptive error message.

TCTUTILs
Added 2001-10-22
by Brian Carrier
TCTUTILs is a collection of utilities that adds additional functionality to The Coroner's Toolkit (TCT). Features:
- List directory inode contents to view file, device, and directory names. This also allows deleted file names to be viewed, and on some platforms an entire file that was recently deleted can be easily recovered.
- Get Modified, Accessed, and Created time data on deleted files (not possible on all systems) and merge the data into the mactimes output from TCT.
- Find the names of files and directories that are using a given inode. On some systems, deleted file names will also be given.
- Find the inode that is using a given block. On some systems, the inode may not even be allocated.
- Display the contents of a given block in several formats.
- Display the details of an inode (including all block numbers).

Copyright 2009, SecurityFocus