Difference between pages "Tools:Network Forensics" and "Virtual Hard Disk (VHD)"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Network Forensics Packages and Appliances)
 
(Image types)
 
Line 1: Line 1:
=Network Forensics Packages and Appliances=
+
{{expand}}
; [[Burst]]
+
: http://www.burstmedia.com/release/advertisers/geo_faq.htm
+
: Expensive IP geo-location service.
+
  
; [[chkrootkit]]
+
== Image types ==
: http://www.chkrootkit.org
+
There are multiple types of Virtual Hard Disk (VHD) images:
 +
* Fixed-size hard disk image
 +
* Dynamic-size (or sparse) hard disk image
 +
* Differencing (or delta) hard disk image
  
; [[cryptcat]]
+
== External Links ==
: http://farm9.org/Cryptcat/
+
  
; [[Enterasys Dragon]]
+
* [http://en.wikipedia.org/wiki/VHD_(file_format) VHD (file format)], by Wikipedia
: http://www.enterasys.com/products/advanced-security-apps/index.aspx Instrusion Detection System includes session reconstruction.
+
* [http://technet.microsoft.com/en-us/library/bb676673.aspx Virtual Hard Disk Image Format Specification], by Microsoft
  
; [[MaxMind]]
 
: http://www.maxmind.com
 
: [[IP geolocation]] services and data provider for off-line geotagging.  Free GeoLite country database. Programmable APIs.
 
  
; [[netcat]]
+
[[Category:File Formats]]
: http://netcat.sourceforge.net/
+
 
+
; [[netflow]]/[[flowtools]]
+
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
+
: http://www.splintered.net/sw/flow-tools/
+
: http://silktools.sourceforge.net/
+
: http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (vmWare)
+
 
+
; NetIntercept
+
: http://www.sandstorm.net/products/netintercept
+
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
+
 
+
; [[NetworkMiner]]
+
: http://networkminer.wiki.sourceforge.net/NetworkMiner
+
: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool or to parse PCAP files for off-line analysis.
+
 
+
; [[rkhunter]]
+
: http://rkhunter.sourceforge.net/
+
 
+
; [[ngrep]]
+
: http://ngrep.sourceforge.net/
+
 
+
; [[nslookup]]
+
: http://en.wikipedia.org/wiki/Nslookup Name Server Lookup command line tool used to find IP address from domain name
+
 
+
; [[Sguil]]
+
: http://sguil.sourceforge.net/
+
 
+
; [[Snort]]
+
: http://www.snort.org/
+
 
+
; [[ssldump]]
+
: http://ssldump.sourceforge.net/
+
 
+
; [[Tcpdump]]
+
: http://www.tcpdump.org
+
 
+
; [[tcpextract]]
+
: http://tcpxtract.sourceforge.net/
+
 
+
; [[tcpflow]]
+
: http://www.circlemud.org/~jelson/software/tcpflow/
+
 
+
; [[truewitness]]
+
: http://www.nature-soft.com/forensic.html
+
: Linux/open-source. Based in India.
+
 
+
; [[etherpeek]]
+
: http://www.wildpackets.com/products/etherpeek/overview
+
 
+
; [[Whois]]
+
: http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
+
: http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
+
 
+
; [[IP Regional Registries]]
+
: http://www.arin.net/community/rirs.html
+
: http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
+
: http://www.afrinic.net/ African Network Information Center (AfriNIC)
+
: http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
+
: http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
+
: http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
+
 
+
; [[Wireshark/Ethereal]]
+
: http://www.wireshark.org/
+
: Open Source protocol analyzer previously known as ethereal.
+
 
+
; [[Xplico]]
+
: http://www.xplico.org/
+
: Open Source Network Forensic Analysis Tool (NFAT).
+
 
+
=Command-line tools=
+
 
+
[[arp]] - view the contents of your ARP cache
+
 
+
[[ifconfig]] - view your mac and IP address
+
 
+
[[ping]] - send packets to probe remote machines
+
 
+
[[tcpdump]] - capture packets
+
 
+
[[snoop]] - captures packets from the network and displays their contents - [[Solaris]]
+
 
+
[[nemesis]] - create arbitrary packets
+
 
+
[[tcpreplay]] - replay captured packets
+
 
+
[[traceroute]] - view a network path
+
 
+
[[gnetcast]] - GNU rewrite of netcat
+
 
+
[[packit]] - Packet generator
+
 
+
[[nmap]]
+
 
+
==ARP and Ethernet MAC Tools==
+
 
+
[[arping]] - transmit ARP traffic
+
 
+
[[arpdig]] - probe LAN for MAC addresses
+
 
+
[[arpwatch]] - Watch ARP changes
+
 
+
[[arp-sk]] Perform denial of service attacks
+
 
+
[[macof]] CAM table attacks
+
 
+
[[ettercap]] Performs various low-level Ethernet network attacks.
+
 
+
==CISCO Discovery Protocol Tools==
+
[[cdpd]] - Transmit and receive CDP announcements; provides forgery capabilities.
+
 
+
==ICMP Layer Tests and Attacks==
+
[[icmp-reset]]
+
 
+
[[icmp-quench]]
+
 
+
[[icmp-mtu]]
+
 
+
[[ish]] - ICMP shell (like SSH, but uses ICMP)
+
 
+
[[isnprober]]
+
 
+
 
+
 
+
==IP Layer Tests==
+
[[iperf]] - IP multicast test
+
 
+
[[fragtest]]  IP fragment reassembly test
+
 
+
==UDP Layer Tests==
+
 
+
[[udpcast]] - Includes udp-receiver and udp-sender
+
 
+
 
+
==TCP Layer==
+
 
+
[[lft]] http://pwhois.org/lft - TCP tracing
+
 
+
[[etrace]] http://www.bindshell.net/tools/etrace
+
 
+
[[firewalk]] http://www.packetfactory.net
+

Revision as of 04:01, 13 September 2012

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Image types

There are multiple types of Virtual Hard Disk (VHD) images:

  • Fixed-size hard disk image
  • Dynamic-size (or sparse) hard disk image
  • Differencing (or delta) hard disk image

External Links