Difference between pages "Tools" and "ALT Linux Rescue"

From ForensicsWiki

Tools

This is an '''overview of available tools''' for forensic [[investigator]]s. Please click on the name of any tool for more details.

'''Note: This page has gotten too big and is being broken up. See:'''

* [[:Category:Disk Imaging]]
* [[Tools:Data Recovery]] (including file [[carving]])
* [[Tools:File Analysis]]
* [[Tools:Document Metadata Extraction]]
* [[Tools:Memory Imaging]]
* [[Tools:Memory Analysis]]
* [[Tools:Network Forensics]]
* [[Tools:Logfile Analysis]]
* [[:Category:Anti-forensics tools]]
* [[:Category:Secure deletion]]

= Disk Analysis Tools =

== Hard Drive Firmware and Diagnostics Tools ==

; [[PC-3000]] from [[DeepSpar Data Recovery Systems]]
: http://www.deepspar.com/products-pc-3000-drive.html
: http://www.pc-3000.com/

== Linux-based Tools ==

; [[LINReS]] by [[NII Consulting Pvt. Ltd.]]
: http://www.niiconsulting.com/innovation/linres.html

; [[SMART]] by [[ASR Data]]
: http://www.asrdata.com

; [[Second Look: Linux Memory Forensics]] by [[Pikewerks Corporation]]
: http://secondlookforensics.com/

== Macintosh-based Tools ==

; [[Macintosh Forensic Software]] by [[BlackBag Technologies, Inc.]]
: http://www.blackbagtech.com/software_mfs.html

; [[MacForensicsLab]] by [[Subrosasoft]]
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicsLab (Subrosasoft)]

; [[Mac Marshal]] by [[ATC-NY]]
: http://www.macmarshal.com/

== Windows-based Tools ==

; [[Blackthorn GPS Forensics]]
: http://www.blackthorngps.com

; [[BringBack]] by [[Tech Assist, Inc.]]
: http://www.toolsthatwork.com/bringback.htm

; Belkasoft Evidence Center by [[Belkasoft]]
: http://www.belkasoft.com
: Lets an investigator search, analyze and store digital evidence found in instant messenger histories, web browser histories and Outlook mailboxes.

; [[CD/DVD Inspector]] by [[InfinaDyne]]
: http://www.infinadyne.com/cddvd_inspector.html
: A forensic-qualified tool for the examination of optical media. It has been around since 1999 and is used by law enforcement, government and data recovery companies worldwide.

; [[EMail Detective - Forensic Software Tool]] by [[Hot Pepper Technology, Inc]]
: http://www.hotpepperinc.com/emd

; [[EnCase]] by [[Guidance Software]]
: http://www.guidancesoftware.com/

; Facebook Forensic Toolkit (FFT) by [http://www.forensicswiki.org/wiki/Afentis_forensics Afentis Forensics]
: http://www.facebookforensics.com
: eDiscovery toolkit that identifies and clones full profiles (wall posts, private messages, uploaded photos and tags, group details), graphically illustrates friend links, and generates expert reports.

; [[Forensic Toolkit]] ([[FTK]]) by [[AccessData]]
: http://www.accessdata.com/products/ftk/

; [[HBGary Responder Professional]] - Windows physical memory forensic platform
: http://www.hbgary.com

; [[ILook Investigator]] by [[Elliot Spencer]] and the [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
: http://www.ilook-forensics.org/

; [[Mercury Indexer]] by [[MicroForensics, Inc.]]
: http://www.MicroForensics.com/

; [[Nuix Desktop]] by [[Nuix Pty Ltd]]
: http://www.nuix.com

; [[OnLineDFS]] by [[Cyber Security Technologies]]
: http://www.cyberstc.com/

; [[OSForensics]] by [[PassMark Software Pty Ltd]]
: http://www.osforensics.com/

; [[P2 Power Pack]] by [[Paraben]]
: https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187

; [[Prodiscover]] by [[Techpathways]]
: http://www.techpathways.com/ProDiscoverWindows.htm

; [[Proof Finder]] by [[Nuix Pty Ltd]]
: http://www.prooffinder.com/

; [[Safeback]] by [[NTI]] and [[Armor Forensics]]
: http://www.forensics-intl.com/safeback.html

; [[X-Ways Forensics]] by [[X-Ways AG]]
: http://www.x-ways.net/forensics/index-m.html

; [[DateDecoder]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/DateDecoder.zip
: A command line tool that decodes most of the encoded time/date stamps found on a Windows system and outputs them in a human-readable format.

; [[RecycleReader]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/RecycleReader.zip
: A command line tool that outputs the contents of the Recycle Bin on Windows XP, Vista and 7.

; [[Dstrings]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/Dstrings.zip
: A command line tool that extracts strings from a given file. The extracted strings can be compared against a dictionary, either to exclude the dictionary terms from the output or to output only entries that match the dictionary. It can also search for IP addresses, URLs and e-mail addresses.

; [[Unique]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/Unique.zip
: A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options.

; [[HashUtil]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/HashUtil.zip
: HashUtil.exe calculates MD5, SHA-1, SHA-256 and SHA-512 hashes. It has an option to look the hash up in the NIST/ISC MD5 hash databases.

; [http://www.windowsscope.com WindowsSCOPE Pro, Ultimate, Live]
: Windows memory forensics and cyber analysis, incident response, and education support.
: Software- and hardware-based acquisition with [http://www.windowsscope.com/index.php?option=com_virtuemart&Itemid=34 CaptureGUARD PCIe and ExpressCard].
: Hardware-based acquisition of memory on a locked computer via [http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=30&category_id=1&option=com_virtuemart&Itemid=34 CaptureGUARD Gateway].
: [http://www.windowsscope.com WindowsSCOPE] Live provides memory analysis of Windows computers on a network from Android phones and tablets.

== Open Source Tools ==

; [[AFFLIB]]
: A library for working with [[disk image]]s. AFFLIB currently supports raw, [[AFF]], [[AFD]], and [[EnCase]] file formats. Work to support segmented raw, [[iLook]], and other formats is ongoing.

; [[Autopsy]]
: http://www.sleuthkit.org/autopsy/desc.php

; [[Bulk Extractor]]
: https://github.com/simsong/bulk_extractor/wiki
: Bulk Extractor provides digital media triage by extracting features from digital media.

; [[Bulk Extractor Viewer]]
: https://github.com/simsong/bulk_extractor/wiki/BEViewer
: Bulk Extractor Viewer is a browser UI for viewing the feature data extracted by [[Bulk Extractor]].

; [[Digital Forensics Framework]] (DFF)
: http://www.digital-forensic.org
: DFF is a cross-platform, open-source and very modular framework aimed at both users and developers. The project's goal is to give the forensic community one powerful framework so that a single tool can serve the whole analysis.

; [[foremost]]
: http://foremost.sf.net/
: [[Linux]]-based file carving program.

; [[FTimes]]
: http://ftimes.sourceforge.net/FTimes/index.shtml
: FTimes is a system baselining and evidence collection tool.

; [[gfzip]]
: http://www.nongnu.org/gfzip/

; [[gpart]]
: http://www.stud.uni-hannover.de/user/76201/gpart/
: Tries to ''guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted''.

; [[Hachoir]]
: A generic framework for binary file manipulation. It supports [[FAT12]], [[FAT16]], [[FAT32]], [[ext2|ext2/ext3]], Linux swap, MS-DOS partition headers and more, recognizes file types, and can find embedded subfiles (hachoir-subfile).

; [[magicrescue]]
: http://jbj.rapanden.dk/magicrescue/

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[pyflag]]
: http://code.google.com/p/pyflag/
: Web-based, database-backed forensic and log analysis GUI written in Python.

; [[Scalpel]]
: http://www.digitalforensicssolutions.com/Scalpel/
: [[Linux]] and [[Windows]] file carving program originally based on [[foremost]].

; [[scrounge-ntfs]]
: http://memberwebs.com/nielsen/software/scrounge/

; [[Sleuthkit]]
: http://www.sleuthkit.org/

; [[The Coroner's Toolkit]] ([[TCT]])
: http://www.porcupine.org/forensics/tct.html

== [[NDA]] and [[scoped distribution]] tools ==

= Enterprise Tools (Proactive Forensics) =

; [[LiveWire Investigator 2008]] by [[WetStone Technologies]]
: http://www.wetstonetech.com/f/livewire2008.html

; [[P2 Enterprise Edition]] by [[Paraben]]
: http://www.paraben-forensics.com/enterprise_forensics.html

= Forensics Live CDs =

; [[Kali Linux]]
: http://www.kali.org/

; [[KNOPPIX]]
: http://www.knopper.net/knoppix/index-en.html

; [[BackTrack Linux]]
: http://www.backtrack-linux.org/

See: [[:Category:Live CD|Forensics Live CDs]]

= Personal Digital Device Tools =

== GPS Forensics ==

; [[Blackthorn GPS Forensics]]
; [[.XRY]]

== PDA Forensics ==

; [[Cellebrite UFED]]
; [[.XRY]]
; [[Paraben PDA Seizure]]
; [[Paraben PDA Seizure Toolbox]]
; [[PDD]]

== Cell Phone Forensics ==

; [[BitPIM]]
; [[Cellebrite UFED]]
; [[DataPilot Secure View]]
; [[.XRY]]
: http://www.msab.com/index
; [[Fernico ZRT]]
; [[ForensicMobile]]
; [[LogiCube CellDEK]]
; [[MOBILedit!]]
; [[Oxygen Forensic Suite 2010]]
: http://www.oxygen-forensic.com
; [[Paraben's Device Seizure]] and [[Paraben's Device Seizure Toolbox]]
: http://www.paraben-forensics.com/handheld_forensics.html
; [[Serial Port Monitoring]]
; [[TULP2G]]

== SIM Card Forensics ==

; [[Cellebrite UFED]]
; [[.XRY]]
; [[ForensicSIM]]
; [[Paraben's SIM Card Seizure]]
: http://www.paraben-forensics.com/handheld_forensics.html
; [[SIMCon]]

== Preservation Tools ==

; [[Paraben StrongHold Bag]]
; [[Paraben StrongHold Tent]]

= Other Tools =

; Chat Sniper
: http://www.alexbarnett.com/chatsniper.htm
: A forensic tool that simplifies on-scene acquisition and analysis of the logs and data left behind by AOL, MSN (Live) and Yahoo instant messengers.

; Computer Forensics Toolkit
: http://computer-forensics.privacyresources.org
: A collection of mostly informational resources intended to guide beginners, often procedurally.

; Live View
: http://liveview.sourceforge.net/
: Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine]] out of a dd disk image or physical disk.

; Parallels VM
: http://www.parallels.com/
: http://en.wikipedia.org/wiki/Parallels_Workstation

; Microsoft Virtual PC
: http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
: http://en.wikipedia.org/wiki/Virtual_PC

; [[VMware]] Player
: http://www.vmware.com/products/player/
: http://en.wikipedia.org/wiki/VMware#VMware_Workstation
: A free player that runs [[VMware]] [[virtual machine]]s on either [[Windows]] or [[Linux]]-based hosts.

; [[VMware]] Server
: http://www.vmware.com/products/server/
: The free server product for setting up, configuring and running [[VMware]] [[virtual machine]]s. The important difference is that it can run headless, i.e. entirely in the background.

; Webtracer
: http://www.forensictracer.com
: Software for forensic analysis of Internet resources (IP addresses, e-mail addresses, domain names, URLs, e-mail headers, log files, ...).

== Hex Editors ==

; [[biew]]
: http://biew.sourceforge.net/en/biew.html

; [[Okteta]]
: KDE's cross-platform hex editor, with features such as signature matching.
: http://utils.kde.org/projects/okteta/

; [[hexdump]]
: ...

; [[HexFiend]]
: A hex editor for Apple OS X.
: http://ridiculousfish.com/hexfiend/

; [[Hex Workshop]]
: A hex editor from [[BreakPoint Software, Inc.]]
: http://www.bpsoft.com

; [[khexedit]]
: http://docs.kde.org/stable/en/kdeutils/khexedit/index.html

; [[WinHex]]
: Computer forensics software, data recovery software, hex editor, and disk editor from [[X-Ways]].
: http://www.x-ways.net/winhex

; [[wxHexEditor]]
: An open-source, multi-platform hex and disk editor.
: http://www.wxhexeditor.org

; [[xxd]]
: ...

; [[HexReader]]
: [[Live-Forensics]] tool that reads a Windows file at a specified offset and length and writes the result to the console.
: http://www.live-forensics.com/dl/HexReader.zip

= Telephone Scanners/War Dialers =

; PhoneSweep
: http://www.sandstorm.net/products/phonesweep/
: PhoneSweep is a commercial-grade multi-line war dialer used by many security auditors to scan the telephone lines of their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.

Revision as of 05:00, 14 June 2014

ALT Linux Rescue
Maintainer: Michael Shigorin
OS: Linux
Genre: Live CD
License: GPL, others
Website: en.altlinux.org/rescue

ALT Linux Rescue is yet another sysadmin's Live CD with some forensic capabilities and features.

Intro

This weekly-updated image is intended to be a text-only toolchest for data analysis and recovery.

It will not try to use swap partitions or autodetect and automount file systems unless requested explicitly.

Forensic mode is available via a separate boot target for BIOS users and as a rescue boot option (via F2) for UEFI users. This mode also skips MDRAID/LVM activation.

Build profile suitable for ALT Linux mkimage tool is included as .disk/profile.tgz.

Tools included

Most of the usual rescue suspects should be there; biew, chntpw, dc3dd/dcfldd, foremost, john, md5deep, nmap, scalpel, sleuthkit and wipefreespace, to name a few, are available as well. The libevt, libevtx, liblnk, libpff, libregf, libuna, libvshadow and libwrc tools have been included since 20140514.

X11-based software is being considered for an extended version.

Platforms

i586 (BIOS) and x86_64 (BIOS/UEFI); Secure Boot can be left enabled in most cases.

Deliverables

Two separate 32-bit and 64-bit hybrid ISO images, suitable for writing directly onto USB flash media (or onto CD-R).

Forensic issues

Hardening against rootfs spoofing has been in place since 20140423 (the stage2 squashfs SHA256 check was contributed by Maxim Suhanov). Earlier images are vulnerable to rootfs spoofing by an attached device carrying an ISO9660 filesystem that contains a squashfs file under the predefined name with specially crafted contents.

MDRAID/LVM2/swap activation may occur with images before 20140416, or when booted via the default "Rescue" target. Booting into "Forensic mode" skips that (in both early userspace and the final environment as of 20140416) and switches the mount-system script to the ro,loop,noexec mount options (as of 20140423).

Physical device write blocking hasn't been considered so far.
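The two mitigations described above, a digest check on the squashfs before it is trusted and a read-only, no-exec loop mount, as an added shell example. This is illustrative code written for this page, not the ALT Linux Rescue mount-system script or its early-userspace code; the image and digest file names, the mount point and the exact option set are assumptions.

```shell
#!/bin/sh
# Added example (not ALT Linux Rescue's own code): refuse to mount a squashfs
# image unless its SHA256 digest matches the expected value, then mount it
# read-only via the loop device with noexec. Paths and digest source are
# assumptions for illustration.

# Print the SHA256 hex digest of file $1 with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Return 0 only if file $1 hashes to the expected digest $2.
# The digest must be exactly 64 hex characters (case-insensitive); an empty or
# malformed digest is rejected rather than treated as "accept anything", which
# is the failure mode a spoofed image would try to provoke.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || return 1
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Mount squashfs image $1 at mount point $3 only after it verifies against
# digest $2. ro,loop,noexec is the option set the page describes for Forensic
# mode; nosuid,nodev are added here as an assumption, for the same reason.
mount_verified() {
    image=$1
    digest=$2
    mountpoint=$3
    if ! verify_sha256 "$image" "$digest"; then
        echo "refusing to mount $image: SHA256 mismatch or malformed digest" >&2
        return 1
    fi
    mount -t squashfs -o ro,loop,noexec,nosuid,nodev "$image" "$mountpoint"
}

# Usage (needs root and a real image; hypothetical paths):
#   mount_verified /media/boot/stage2.squashfs \
#       "$(cut -d' ' -f1 /media/boot/stage2.sha256)" /sysroot
```

The digest the check compares against has to come from somewhere the attacker cannot write, for example embedded in the bootloader or initramfs, not from a file sitting next to the image on the same removable device. Note also that this only prevents writes through the mounted filesystem; it is not a substitute for the physical write blocking the page says has not been addressed.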

Credits

* .FUF for the Forensic Live CD issues page, sound advice and an early userspace patch

External Links

* Project site: http://en.altlinux.org/Rescue (also available in Russian: http://www.altlinux.org/Rescue)
* Part of Regular Builds (http://en.altlinux.org/Regular) based on ALT Linux Sisyphus
* The Rescue image within ALT Linux Starterkits (http://en.altlinux.org/Starterkits), based on the stable branch, has gained the same features as of 20140612