AIDE (Advanced Intrusion Detection Environment)
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.
PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process. This can be useful in a forensic investigation.
macMatch lets you search for files by their last write, last access or creation time without changing any of these times. A tool like this can be useful in a forensic investigation.
LNS is a tool that searches for NTFS streams (aka alternate data streams or multiple data streams). This can be useful in a forensic investigation.
The Coroner's Toolkit (TCT)
TCT is a collection of programs that can be used for a post-mortem analysis of a UNIX system after break-in. The software was presented first during a free Computer Forensics Analysis class that we gave one year ago (almost to the day). Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the keyfind tool that recovers cryptographic keys from a running process or from files.
The first tool of its kind for forensic analysis of Palm OS platform devices. pdd (Palm dd) is a Windows-based tool for Palm OS memory imaging and forensic acquisition. The Palm OS Console Mode is used to acquire memory card information and to create a bit-for-bit image of the selected memory region. No data is modified on the target device and the data retrieval is not detectable by the user of the PDA. Source code is available for research and legal verification purposes.
The modular syslog allows for an easy implementation of input and output modules. The modules that maintain compatibility with its precursor are included in the standard distribution along with four modules: om_peo (an implementation of PEO-1 and L-PEO, two algorithmic protocols for integrity checking), om_mysql and om_pgsql (modules that send output to a MySQL and PostgreSQL database, respectively) and om_regex (a module that allows output redirection using regular expressions).
Hasher.pl is a script that creates a Tk GUI to implement a hashing utility for NT/2K. I wrote this at the request of a friend, and he specifically wanted a GUI. The script was successfully compiled using Perl2Exe, and the resulting standalone .exe file was successfully tested on NT SP6a and 2K SP2.
The binary streak is the core tool in this distribution; it will perform the actual reading, processing, hashing, writing, etc. of the data. This binary has been compiled and tested on OpenBSD 2.9, so that is the recommended platform for its use. The floppy contains a miniature OpenBSD 2.9 installation that can run streak. See below for more information on the floppy version. An overview and short explanation of the supported options can be obtained by running the streak binary without any command-line flags, or by supplying the -h flag. If the given options aren't complete, the help overview will be given, followed by a reasonably descriptive error message.
CrucialADS is a GUI based Alternate Data Stream scanning tool. CrucialADS is designed to quickly and easily detect the presence of Alternate Data Streams in NTFS files and directories.