Difference between pages "SIM Cards" and "Helix3"

From ForensicsWiki

{{Infobox_Software |
  name = Helix |
  maintainer = [[e-fense]] |
  os = {{Linux}}, {{Windows}}, {{Solaris}} |
  genre = {{Live CD}} |
  license = {{GPL}}, others |
  website = [http://www.e-fense.com/helix/ e-fense.com/helix/] |
}}

[[Image:Simpic.jpg|thumb|A typical SIM card.]]
  
'''Helix''' is a [[Live CD]] built on top of [[Knoppix]]. It focuses on [[Incident Response|incident response]] and [[computer forensics]].

== Tools included ==

=== Bootable Side ===

'''2hash''' (v. 0.2) [http://trog.qgl.org/show.html?id=2477783]

A simple GPL tool to calculate the MD5 and SHA-1 hashes of a file in a single read. If you regularly check or calculate hashes of large files, this will save you a lot of disk I/O.

'''Adepto''' with AFF support (v. 2.0) [http://www.e-fense.com/helix/]

e-fense imaging program utilizing dcfldd.

'''[[AFF]]''' (aimage) (v. 1.6.31) [http://www.afflib.org/]

The Advanced Forensic Format (AFF) is an extensible open format for the storage of disk images. It provides built-in features such as compression, hash code verification and metadata management. AFFLib provides AFF-specific tools such as:
* aimage: creation of AFF images
* afcat: generate a DD image from an AFF one
* afcompare: verify an AFF image against its derived DD image
* afinfo: validation of an AFF image's hash codes (MD5, SHA-1)
AFFLib is developed by Dr. [[Simson Garfinkel]].

'''[[AIR]]''' (v. 1.2.8) [http://air-imager.sourceforge.net/]

AIR (Automated Image & Restore) is a GUI front-end to [[dd]] and [[dcfldd]] designed for easily creating forensic bit images. Supports verification via MD5/SHA1, SCSI tape drives, imaging over a TCP/IP network, splitting images, and detailed session logging.

'''[[Autopsy]]''' (v. 2.08) [http://www.sleuthkit.org/index.php]

The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer.

'''chkrootkit''' (v. 0.46) [http://www.chkrootkit.org/]

Shell script that checks system binaries for rootkit modification.

'''chntpw''' (v. 0.99.2 040105) [http://home.eunet.no/pnordahl/ntpasswd/]

chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the encrypted password in the registry's SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shut down your computer and boot off a Linux floppy disk). The bootdisk includes tools to access NTFS partitions and scripts to glue the whole thing together. This utility works with SYSKEY and includes the option to turn it off. A bootdisk image is provided.

'''Clamav''' (v. 0.88.4) [http://www.clamav.net/stable.php]

Anti-virus program.

== SIM-Subscriber Identity Module ==

The UICC (Universal Integrated Circuit Card) is a smart card which contains account information and memory that is used to enable GSM cellular telephones. One of the applications running on the smart card is the SIM, or Subscriber Identity Module. In common parlance the term "UICC" is not used and the phrase "SIM" is used to describe the smart card itself.

Because the SIM is just one of several applications running on the smart card, a given card could, in theory, contain multiple SIMs. This would allow multiple phone numbers or accounts to be accessed by a single UICC. This is seldom seen, though there is at least one "12-in-1" SIM card being advertised at present.

Early versions of the UICC used full-size smart cards (85mm x 54mm). The card has since been shrunk to the standard size of 25mm x 15mm.

Although UICC cards traditionally held just 16 to 64KB of memory, the recent trend has been to produce SIM cards with larger storage capacities, ranging from 512MB up to [http://www.m-systems.com/site/en-US/ M-Systems'] 1GB SIM Card slated for release in late 2006.

== SIM Security ==

Information inside the UICC can be protected with a PIN and a PUK.

The PIN (Personal Identification Number) is a code that locks access to the SIM. Not all SIMs have PINs; if a SIM has a PIN, the PIN must be entered to unlock the SIM.

PUK (Personal Unlocking Code) codes are provided by the network provider to unlock the SIM.
  
[[dcfldd]] (v. 1.3.4) [http://dcfldd.sourceforge.net/]

dcfldd is an enhanced version of GNU dd with features useful for forensics and security.

'''endeavour2''' File Manager (v. 2.7.1) [http://wolfpack.twu.net/Endeavour2/]

Endeavour Mark II is a complete file management suite with a file manager, image browser, archiver, recycled objects system, and a set of file and disk management utility programs. It supports disk drive mounting, a fully customizable window appearance, a MIME Types system, and interapplication drag & drop support for KDE and GNOME compatibility (although KDE and GNOME are not required).

'''Ethereal''' (v. 0.10.13) [http://www.ethereal.com/]

Ethereal is used by professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

'''e2recover''' (v. 1.0) [http://www.tucows.com/preview/8192]

These are tools to assist in recovering deleted files from ext2 file systems.

'''[[e2undel]]''' (v. 0.82) [http://e2undel.sourceforge.net/]

This is an interactive console tool that recovers the data of deleted files on an ext2 file system under Linux.

'''[[fatback]]''' (v. 1.3) [http://sourceforge.net/project/showfiles.php?group_id=46038]

A program used to recover deleted files from a FAT file system.

[[Mozilla Firefox|Firefox]] (v. 1.5.0.1) [http://www.mozilla.com/en-US/firefox/all.html]

Graphical Internet browser.

== SIM Forensics ==

The data that a SIM card can provide the forensics examiner can be invaluable to an investigation. Acquiring a SIM card allows a large amount of information that the suspect has dealt with over the phone to be investigated.

In general, some of this data can help an investigator determine:

* Phone numbers of calls made/received
* Contacts
* [[SMS]] details (time/date, recipient, etc.)
* SMS text (the message itself)

There are many software solutions that can help the examiner to acquire the information from the SIM card. Several products include 3GForensics SIMIS [http://www.3gforensics.co.uk/products.htm], Inside Out's [http://simcon.no/ SIMCon], or SIM Content Controller, and Paraben Forensics' [http://www.paraben-forensics.com/catalog/product_info.php?products_id=289 SIM Card Seizure].

=== Data Acquisition ===

These software titles can extract such technical data from the SIM card as:

* '''International Mobile Subscriber Identity (IMSI)''': A unique identifying number that identifies the phone/subscription to the [[GSM]] network
* '''Mobile Country Code (MCC)''': A three-digit code that represents the SIM card's country of origin
* '''Mobile Network Code (MNC)''': A two-digit code that represents the SIM card's home network
* '''Mobile Subscriber Identification Number (MSIN)''': A unique ten-digit identifying number that identifies the specific subscriber to the GSM network
* '''Mobile Subscriber International ISDN Number (MSISDN)''': A number that identifies the phone number used by the handset
* '''Abbreviated Dialing Numbers (ADN)''': Telephone numbers stored in the SIM's memory
* '''Last Dialed Numbers (LDN)'''
* '''Short Message Service (SMS)''': Text messages
* '''Public Land Mobile Network (PLMN) selector'''
* '''Forbidden PLMNs, Location Information (LOCI)'''
* '''General Packet Radio Service (GPRS) location'''
* '''Integrated Circuit Card Identifier (ICCID)'''
* '''Service Provider Name (SPN)'''
* '''Phase Identification'''
* '''SIM Service Table (SST)'''
* '''Language Preference (LP)'''
* '''Card Holder Verification (CHV1) and (CHV2)'''
* '''Broadcast Control Channels (BCCH)'''
* '''Ciphering Key (Kc)'''
* '''Ciphering Key Sequence Number'''
* '''Emergency Call Code'''
* '''Fixed Dialing Numbers (FDN)'''
* '''Forbidden PLMNs'''
* '''Local Area Identity (LAI)'''
* '''Own Dialing Number'''
* '''Temporary Mobile Subscriber Identity (TMSI)'''
* '''Routing Area Identifier (RAI) network code'''
* '''Service Dialing Numbers (SDNs)'''
* '''Service Provider Name'''
* '''Depersonalization Keys'''

This information can be used to contact the service provider to obtain even more information than is stored on the SIM card.
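Several of the identifiers in the list above (IMSI, ICCID, ADN entries) sit on the card as swapped-nibble BCD, which an acquisition tool has to unpack before the values become readable. The following decoder for EF_IMSI, EF_ICCID and one EF_ADN record is an added example, not code from the page or from any of the products named; its sample bytes are constructed (test PLMN 001/01), and it splits the MNC as two digits, as the list states.

```python
"""Decoder for the swapped-nibble BCD fields a SIM extraction tool reads:
EF_IMSI, EF_ICCID and one EF_ADN (Abbreviated Dialling Number) record.
Added example; sample bytes are constructed (test PLMN 001/01), not read
from a real card.  The MNC is split as two digits; cards with a three-digit
MNC record the MNC length in EF_AD, which this example does not read."""
from dataclasses import dataclass
from typing import Optional

# Dialling-number nibbles above 9 ('*', '#', DTMF pause) per TS 51.011
_SPECIAL = {0xA: "*", 0xB: "#", 0xC: "p"}


def bcd_digits(data: bytes) -> str:
    """Unpack swapped-nibble BCD: every byte holds two digits, low nibble
    first.  A 0xF nibble is padding and ends the string."""
    out = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0xF:
                return "".join(out)
            if nibble <= 9:
                out.append(str(nibble))
            elif nibble in _SPECIAL:
                out.append(_SPECIAL[nibble])
            else:
                raise ValueError(f"unexpected nibble {nibble:#x}")
    return "".join(out)


@dataclass
class Imsi:
    imsi: str
    mcc: str    # Mobile Country Code, three digits
    mnc: str    # Mobile Network Code, two digits assumed here
    msin: str   # Mobile Subscriber Identification Number


def decode_imsi(ef_imsi: bytes, mnc_len: int = 2) -> Imsi:
    """EF_IMSI: byte 0 is the length of the identity that follows.  In the
    first identity byte the low nibble holds the identity type (001 = IMSI)
    and a parity bit (set = odd digit count); the first digit is in the high
    nibble and the remaining digits follow as swapped BCD."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if length > 8 or len(body) != length:
        raise ValueError("bad EF_IMSI length byte")
    if body[0] & 0x07 != 0x01:
        raise ValueError("identity type is not IMSI")
    first = body[0] >> 4
    if first > 9:
        raise ValueError("first IMSI digit is not decimal")
    digits = str(first) + bcd_digits(body[1:])
    if bool(body[0] & 0x08) != (len(digits) % 2 == 1):
        raise ValueError("parity bit disagrees with digit count")
    if not digits.isdigit() or not 6 <= len(digits) <= 15:   # sanity bound
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    return Imsi(digits, digits[:3], digits[3:3 + mnc_len], digits[3 + mnc_len:])


def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID: 10 bytes of swapped-nibble BCD, up to 20 digits, F-padded."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID is exactly 10 bytes")
    return bcd_digits(ef_iccid)


@dataclass
class AdnRecord:
    alpha_tag: bytes   # name field, 0xFF padding stripped (7-bit or UCS-2 text, left raw here)
    number: str        # dialling string, '+'-prefixed when the type of number is international


def decode_adn(record: bytes) -> Optional[AdnRecord]:
    """EF_ADN record: X-byte alpha identifier, 1 byte 'length of BCD number'
    (which counts the TON/NPI byte), 1 byte TON/NPI, 10 bytes dialling
    number, 1 byte CCP id, 1 byte EXT1 id.  An unused record is all 0xFF."""
    if len(record) < 14:
        raise ValueError("ADN record shorter than its 14 fixed bytes")
    if all(b == 0xFF for b in record):
        return None
    alpha_len = len(record) - 14
    alpha = record[:alpha_len].rstrip(b"\xff")
    bcd_len = record[alpha_len]
    ton_npi = record[alpha_len + 1]
    if not 2 <= bcd_len <= 11:          # name-only entry (length byte 0xFF)
        return AdnRecord(alpha, "")
    number = bcd_digits(record[alpha_len + 2:alpha_len + 1 + bcd_len])
    if (ton_npi & 0x70) == 0x10:        # TON 001 = international number
        number = "+" + number
    return AdnRecord(alpha, number)


# Constructed sample values for this example (not real subscriber data)
SAMPLE_EF_IMSI = bytes.fromhex("08 09 10 10 10 32 54 76 98")      # IMSI 001010123456789
SAMPLE_EF_ICCID = bytes.fromhex("98 10 32 54 76 98 10 32 54 F6")  # 19-digit ICCID
SAMPLE_ADN_RECORD = (b"Alice" + b"\xff" * 5                        # 10-byte alpha tag
                     + bytes([0x07, 0x91])                         # BCD length, TON/NPI international
                     + bytes.fromhex("51 55 21 43 65 F7") + b"\xff" * 4
                     + b"\xff\xff")                                # CCP and EXT1 unused

if __name__ == "__main__":
    imsi = decode_imsi(SAMPLE_EF_IMSI)
    print(f"IMSI {imsi.imsi}: MCC {imsi.mcc}, MNC {imsi.mnc}, MSIN {imsi.msin}")
    print("ICCID", decode_iccid(SAMPLE_EF_ICCID))
    adn = decode_adn(SAMPLE_ADN_RECORD)
    print("ADN", adn.alpha_tag.decode("ascii"), adn.number)
```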
'''foomatic-gui''' (v. 0.7.4.17) [http://freshmeat.net/projects/foomatic-gui/]

Foomatic is a database-driven system for integrating free software printer drivers with common spoolers under Unix. It supports CUPS, LPRng, LPD, GNUlpr, Solaris LP, PPR, PDQ, CPS, and direct printing with every free software printer driver known to us and every printer known to work with these drivers.
  
[[foremost]] (v. 1.3) [http://foremost.sourceforge.net/]

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file, or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery.

'''ftimes''' (v. 3.4.0) [http://ftimes.sourceforge.net/FTimes/]

FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

'''galleta''' (v. 1.0) [http://www.foundstone.com/resources/proddesc/galleta.htm]

Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

'''Gcombust''' - Graphical CD Burner (v. 0.1.55-2) [http://www.abo.fi/~jmunsin/gcombust/]

gcombust is a GTK+ frontend for mkisofs, mkhybrid, cdrecord, and cdlabelgen. It has primitive support for controlling the directory (root) structure and size of an image without copying files/symlinking or writing 10 lines of arguments. It can also maximize disk usage by hinting at which directories/files to use.

== Service Provider Data ==

Some additional information the service provider might store:

* A customer database
* [[Call Detail Record]]s (CDR)
* [[Home Location Register]] (HLR)

== SIM Card Text Encoding ==

Originally the middle-European [[GSM]] network used only a 7-bit code derived from the basic [[ASCII]] code. However, as GSM spread worldwide it was concluded that more characters, such as the major characters of all living languages, should be able to be represented on GSM phones. Thus, there was a movement towards a 16-bit code known as [[UCS-2]], which is now the standard in GSM text encoding. This change in encoding can make it more difficult to accurately obtain data from [[SIM cards]] of the older generation which use the 7-bit encoding. This encoding is used to compress the hexadecimal size of certain elements of the SIM's data, particularly in [[SMS]] and [[Abbreviated Dialing Numbers]].
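The 7-bit packing described above, as an added example that is not part of the original page: GSM default alphabet septet packing and unpacking for SMS text (which is why 160 characters fit in 140 bytes and why the septet count must be known to decode), plus decoding of a phonebook alpha identifier stored either as unpacked 7-bit bytes or as UCS-2 with the 0x80 prefix. The sample strings are constructed.

```python
"""GSM 7-bit default alphabet (3GPP TS 23.038) septet packing and unpacking
as used for SMS text stored on the SIM, plus decoding of a phonebook alpha
identifier stored as unpacked 7-bit bytes or as UCS-2 (0x80 prefix; the
0x81/0x82 compressed UCS-2 schemes are not handled).  Added example, not
from the original page; the sample strings are constructed."""
from typing import List, Tuple

GSM7_BASIC = ("@£$¥èéùìòÇ\nØø\rÅå"
              "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
              " !\"#¤%&'()*+,-./"
              "0123456789:;<=>?"
              "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
              "¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7_BASIC) == 128
ESC = 0x1B   # escape: the next septet is looked up in the extension table
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}
_BASIC_INDEX = {ch: i for i, ch in enumerate(GSM7_BASIC)}
_EXT_INDEX = {ch: i for i, ch in GSM7_EXT.items()}


def to_septets(text: str) -> List[int]:
    """Map text to 7-bit codes; an extension character costs two septets."""
    out: List[int] = []
    for ch in text:
        if ch in _BASIC_INDEX:
            out.append(_BASIC_INDEX[ch])
        elif ch in _EXT_INDEX:
            out += [ESC, _EXT_INDEX[ch]]
        else:
            raise ValueError(f"{ch!r} is not in the GSM default alphabet")
    return out


def from_septets(septets) -> str:
    """Inverse of to_septets; ESC followed by an unknown code shows as a space."""
    out, escaped = [], False
    for s in septets:
        if s > 0x7F:
            raise ValueError(f"{s:#x} is not a 7-bit code")
        if escaped:
            out.append(GSM7_EXT.get(s, " "))
            escaped = False
        elif s == ESC:
            escaped = True
        else:
            out.append(GSM7_BASIC[s])
    return "".join(out)


def pack_septets(septets) -> bytes:
    """Pack 7-bit values into octets, least significant bit first, so that
    160 septets occupy exactly 140 bytes."""
    out, acc, nbits = bytearray(), 0, 0
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)      # leftover bits, zero padded
    return bytes(out)


def unpack_septets(data: bytes, count: int) -> List[int]:
    """Inverse of pack_septets.  The septet count (TP-UDL in an SMS TPDU) is
    needed: up to seven zero padding bits follow the last septet and would
    otherwise decode as an extra '@' (code 0)."""
    out, acc, nbits = [], 0, 0
    for byte in data:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return out


def encode_sms_text(text: str) -> Tuple[bytes, int]:
    """Return (packed user data, septet count) for a default-alphabet SMS."""
    septets = to_septets(text)
    return pack_septets(septets), len(septets)


def decode_sms_text(user_data: bytes, septet_count: int) -> str:
    return from_septets(unpack_septets(user_data, septet_count))


def decode_alpha_tag(raw: bytes) -> str:
    """Phonebook alpha identifier, 0xFF padded: one 7-bit code per byte, or,
    when the first byte is 0x80, big-endian UCS-2 terminated by 0xFFFF."""
    if raw[:1] == b"\x80":
        body, chars = raw[1:], []
        for i in range(0, len(body) - 1, 2):
            code = (body[i] << 8) | body[i + 1]
            if code == 0xFFFF:
                break
            chars.append(chr(code))
        return "".join(chars)
    return from_septets(raw.rstrip(b"\xff"))


if __name__ == "__main__":
    data, udl = encode_sms_text("Tarif €5 [ok]")      # constructed sample text
    print(udl, "septets packed into", len(data), "bytes:", data.hex())
    print(decode_sms_text(data, udl))
    print(decode_alpha_tag(bytes.fromhex("80 0418 0432 0430 043D FFFF")))
```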
== References ==

* [http://www.simcon.no/ SIMCon]
* [http://www.sectorforensics.co.uk/sim-examination.shtml Sector Forensics]
* [http://www.utica.edu/academic/institutes/ecii/ijde/articles.cfm?action=issue&id=5 IJDE Spring 2003 Volume 2, Issue 1]: [http://www.utica.edu/academic/institutes/ecii/publications/articles/A0658858-BFF6-C537-7CF86A78D6DE746D.pdf Forensics and the GSM Mobile Telephone System] (PDF)

'''GHex''' (v. 2.8.1) [http://directory.fsf.org/ghex.html]

GHex is a simple binary editor. It lets users view and edit a binary file in both hex and ASCII with a multiple level undo/redo mechanism. Features include find and replace functions, conversion between binary, octal, decimal and hexadecimal values, and use of an alternative, user-configurable MDI concept that lets users edit multiple documents with multiple views of each.

'''GQView''' (v. 2.0.1) [http://gqview.sourceforge.net/]

An image browser that features single click access to view images and move around the directory tree.

'''Graveman''' - Graphical CD Burner (v. 0.3.12-4-2.1) [http://graveman.tuxfamily.org/]

GRAVEMAN is a GUI frontend for CD-R tools (cdrecord, readcd, and mkisofs), cdrdao, DVD+RW tools (growisofs and dvd+rw-format), and sox. It allows you to burn audio CDs (from WAV, Ogg, MP3, or FLAC files) and data CDs or DVDs, and allows you to duplicate CDs.
'''grepmail''' (v. 5.3032) [http://grepmail.sourceforge.net/]

grepmail searches a normal or compressed mailbox (gzip, bzip2, or tzip) for a given regular expression and returns those emails that match the query. It also supports searches constrained by date and size.

'''[[LinEn]]''' (v. 5.05f) [https://www.guidancesoftware.com/]

EnCase has also developed a method of acquisition with Linux machines, "LinEn" (EnCase for Linux); the interface is similar to that of EnCase for DOS, but the process is completely different from EnCase for DOS.

'''[[md5deep]]''' Suite (v. 1.12) [http://md5deep.sourceforge.net/]

md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. The programs run on Windows, Linux, Cygwin, *BSD, OS X, Solaris, and should run on most other platforms. md5deep is similar to the md5sum program found in the GNU Coreutils package.

'''mac_grab''' (v. 1.0) [http://www.e-fense.com/helix/]

e-fense-created program to grab all of the MAC times from a system.

'''Magicrescue''' (v. 1.1.4) [http://jbj.rapanden.dk/magicrescue/]

Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it. It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience (this program was not written for fun) shows, however, that chunks of 30-50MB are not uncommon.

'''NTFS-3G''' (v. 2006-08-22-BETA) [http://www.ntfs-3g.org/]

Finally Linux has full read-write open source NTFS support! Preliminary benchmarks show that the still unoptimized driver is already sometimes twice as fast as ext3 and 20-50 times faster than the commercial Paragon NTFS. Interestingly, Captive NTFS, which uses the native Windows NTFS driver, fails all benchmarks with file loss.

'''Outguess''' (v. 0.2) [http://www.outguess.org/]

Improved version of stegdetect released. Stegdetect now supports linear discriminant analysis to detect any JPEG based stego system. It also features improved detection of F5.

'''pasco''' (v. 1.0) [http://www.foundstone.com/resources/proddesc/pasco.htm]

Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

'''PyFlag''' (v. 0.80.1) [http://pyflag.sourceforge.net/]

FLAG (Forensic and Log Analysis GUI) was designed to simplify the process of log file analysis and forensic investigations. Often, when investigating a large case, a great deal of data needs to be analyzed and correlated. PyFlag uses a database as a backend to assist in managing the large volumes of data. This allows PyFlag to remain responsive and expedite data manipulation operations.
'''qtparted''' (v. 0.4.5-cvs) [http://qtparted.sourceforge.net/]

QTParted is a Partition Magic clone written in C++ using the Qt toolkit.

'''Retriever''' (v. 2.0) [http://www.e-fense.com/helix/]

e-fense-created program to give a quick look at a "live" system and identify graphic images, Word documents and other file types.

'''rkhunter''' (v. 1.2.7) [http://rkhunter.sourceforge.net/]

Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone.

'''regviewer''' (v. 0.1) [http://sourceforge.net/projects/regviewer/]

RegViewer is a GTK 2.2-based GUI Windows registry file navigator. It is platform independent, allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.

'''rifiuti''' (v. 1.0) [http://www.foundstone.com/resources/proddesc/rifiuti.htm]

Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

'''[[Scalpel]]''' (v. 1.54) [http://www.digitalforensicssolutions.com/Scalpel/]

A digital forensics tool used for carving data from image files based upon the configuration file requirements. This program replaces foremost.

'''[[Sleuthkit]]''' (v. 2.06) [http://www.sleuthkit.org/index.php]

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems, and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.

'''[[ssdeep]]''' (v. 1.1) [http://ssdeep.sourceforge.net/]

Computes a checksum based on context triggered piecewise hashes for each input file. If requested, the program matches those checksums against a file of known checksums and reports any possible matches. Output is written to standard out and errors to standard error. Input from standard input is not supported.

'''stegdetect''' (v. 0.6) [http://www.outguess.org/detection.php]

An automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images. Currently, the detectable schemes are: jsteg, jphide (unix and windows), invisible secrets, outguess 01.3b, F5 (header analysis), appendX and camouflage. Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.

'''Totem''' (v. 1.2.1-3) [http://www.gnome.org/projects/totem/]

A simple video media player for the Gnome desktop.
'''Xfprot''' (v. 1.13) [http://web.tiscali.it/sharp/xfprot/]

XFPROT is a graphical front end to the F-Prot Antivirus(TM) for Linux Small Business Edition from version 3.12b up to version 4.6.x. F-Prot Antivirus(TM) for Linux is copyrighted by Frisk Software International and is free of charge for personal use and downloadable at www.f-prot.com.

'''xhfs''' (v. 3.2.6) [http://www.mars.org/home/rob/proj/hfs/]

xhfs presents a graphical front-end for browsing and copying files on HFS-formatted volumes. This is a Macintosh HFS file browser.

'''Xine-ui''' (v. 0.99.3) [http://xinehq.de/]

xine is a free multimedia player. It plays back CDs, DVDs, and VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3 from local disk drives, and displays multimedia streamed over the Internet. It interprets many of the most common multimedia formats available - and some of the most uncommon formats, too.

'''Xmms''' (v. 1.2.10) [http://freshmeat.net/projects/xmms/]

XMMS is a multimedia player based on the look of WinAmp. XMMS plays MPEG layer 1/2/3, Ogg Vorbis, WAV, all formats supported by libmikmod, and CD audio. XMMS has a plugin system for Input / Output / Effects / Visualization, and through plugins it can play a lot more sound and video formats.

'''xpdf''' (v. 3.01) [http://www.foolabs.com/xpdf/]

Xpdf is a viewer for Portable Document Format (PDF) files. (These are also sometimes called 'Acrobat' files, from the name of Adobe's PDF software.) The Xpdf project also includes a PDF text extractor, PDF-to-PostScript converter, and various other utilities. It runs under the X Window System on UNIX, VMS, and OS/2.

=== Live Windows Side ===

'''Access PassView''' (v. 1.12) [http://www.nirsoft.net/utils/accesspv.html]

This utility reveals the database password of every password-protected mdb file that was created with Microsoft Access 95/97/2000/XP or with Jet Database Engine 3.0/4.0. It can be very useful if you forgot your Access database password and you want to recover it.

'''Asterisk Logger''' (v. 1.02) [http://www.nirsoft.net/utils/astlog.html]

Many applications, like CuteFTP, CoffeeCup Free FTP, VNC, IncrediMail, Outlook Express, and others, allow you to type a password for use in the application. The typed password is not displayed on the screen; instead of the real password, you see a sequence of asterisk ('****') characters. This utility can reveal the passwords stored behind the asterisks in standard password text-boxes.

'''Drive Manager''' (v. 3.23) [http://www.alexnolan.net/software/driveman.htm]

Drive Manager has been written to help you easily identify drives which are of the same type. As well as displaying the volume label, it also displays vendor information so that multiple CD/DVD drives and removable drives such as USB thumb drives can be differentiated by their manufacturer's name, version and revision date. The serial number can also be seen as a unique ID for each drive.

'''FAU''' (v. 1035) [http://users.erols.com/gmgarner/forensics/]

Incident response tool that can be used to image a system's memory as well as any attached devices.

'''Forensic Server Project''' (v. 1.0) [http://www.windows-ir.com/fsp.html]

The Forensic Server Project (FSP) is a proof of concept tool for retrieving volatile (and some non-volatile) data from potentially compromised systems. The FSP consists of several Perl scripts and third-party utilities. The server component of the FSP is run on an investigator or administrator's system, and handles all data storage and activity logging. The client components (i.e., FRU.pl and supporting Perl scripts and tools) of the FSP are burned to a CD, and run from the CD drive of the potentially compromised system. Data is copied to the server component via TCP/IP.
'''FTK Imager''' (v. 2.5.1) [http://www.accessdata.com/support/downloads/]

FTK Imager allows you to acquire physical device images and logically view data from FAT, NTFS, EXT 2 and 3 as well as HFS and HFS+ file systems. Additionally, FTK Imager allows you to truly multi-task by creating multiple images from a single source and/or multiple images simultaneously. FTK Imager generates DD, SMART and Encase® images and reads several other industry standard formats. With Isobuster technology built in, FTK Imager provides ready access to CDFS and DVD file systems, including multi- and open-session CDs.

'''galleta''' (v. 1.0) [http://www.foundstone.com/resources/proddesc/galleta.htm]

Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

'''HoverSnap''' (v. 0.8) [http://www.hoverdesk.net/freeware.htm]

HoverSnap is a free handy snapshot tool with jpg, png, bmp and gif support. HoverSnap can take snapshots of the full screen, active window or a selected area. It can even capture layered windows (alphablended ones under 2K / XP). You can even FTP upload your screenshots! You can set up the capture folder / filename and format. You can reduce the capture size. The auto-generate filename option will add the time stamp (date/time) to your filename in order to be able to take several captures without having to change the filename. Optional sound when capture is done.

'''IECookiesView''' (v. 1.70) [http://www.nirsoft.net/utils/iecookies.html]

IECookiesView is a small and handy utility that displays the details of all cookies that IE stores on your computer. In addition, it allows you to sort the cookies, delete selected ones, view detailed information about each one and even save the cookies to a readable text file. If you are connected to a network, you can watch the cookies of other computers, as long as you have read permission on the cookies folder, and under Windows 2000 you can view the cookies of other users (admin rights). IECookiesView also allows you to view references to deleted cookies that are still stored in the index.dat file.

'''IEHistoryView''' (v. 1.32) [http://www.nirsoft.net/utils/iehv.html]

IEHistoryView allows you to view and modify the history of visited websites in Internet Explorer. In addition, you can also export all or selected items to HTML reports, view detailed properties for selected entries, sort them and more. The program allows you to access the history of other user accounts or network computers as well, provided that you have the proper access rights.

'''IRCR''' (v. 2.3) [http://tools.phantombyte.com/]

The Incident Response Collection Report is a script to call a collection of tools that gathers and/or analyzes data on a Microsoft Windows system. You can think of this as a snapshot of the system in the past. Most of the tools are oriented towards data collection rather than analysis.

'''Mail PassView''' (v. 1.36) [http://www.nirsoft.net/utils/mailpv.html]

Mail PassView is a small password-recovery tool that reveals the passwords and other account details for the following email clients: Outlook Express, Microsoft Outlook 2000 (POP3 and SMTP accounts only), Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP and SMTP accounts), IncrediMail, Eudora, Netscape 6.x/7.x, Mozilla Thunderbird, Group Mail Free, Yahoo! Mail (if the password is saved in the Yahoo! Messenger application), Hotmail/MSN mail (if the password is saved in the MSN Messenger application) and Gmail (if the password is saved by the Gmail Notifier application).

'''memdump''' (v. 2.0) [http://www.tssc.de/index.htm]

The MEMDump utility is designed to dump or copy any part of the 4GB linear memory address space under MS-DOS and Windows 9x DOS to a console, text or binary file.

'''MessenPass''' (v. 1.08) [http://www.nirsoft.net/utils/mspass.html]

MessenPass allows you to recover your password(s) from a wide variety of popular Instant Messenger programs, including MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ Lite 4.x/2003, AOL Instant Messenger, AOL Instant Messenger/Netscape 7, Trillian, Miranda and GAIM. Just run the program and it will present you with a list of all accounts found on your PC, including the username and passwords. The list can be exported to HTML or saved as a text file. MessenPass can only be used to recover the passwords for the current logged-on user on your local computer. You cannot use it for grabbing the passwords of other users.

'''Mozilla Cookie View''' (v. 1.11) [http://www.nirsoft.net/utils/mzcv.html]

MozillaCookiesView is an alternative to the standard 'Cookie Manager' provided by Netscape and Mozilla browsers. It displays the details of all cookies stored inside the cookies file (cookies.txt) in one table, and allows you to save the cookies list into a text, HTML or XML file, delete unwanted cookies, and backup/restore the cookies file.

'''Network Password Recovery''' (v. 1.03) [http://www.nirsoft.net/utils/network_password_recovery.html]

Network Password Recovery can retrieve all network passwords stored on your system for the current logged-on user. In addition, it can also recover any .NET Passport accounts that are stored locally.

'''pasco''' (v. 1.0) [http://www.foundstone.com/resources/proddesc/pasco.htm]

Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
'''PC Inspector File Recovery''' (v. 4.0) [http://www.pcinspector.de/]

PC Inspector File Recovery is a data recovery program that supports the FAT 12/16/32 and NTFS file systems. Finds partitions automatically, even if the boot sector or FAT has been erased or damaged (does not work with the NTFS file system). Recovers files with the original time and date stamp. Supports saving of recovered files to network drives.

'''PC On/Off Time''' (v. 2.0) [http://www.snapfiles.com/get/pconoff.html]

This free time tracking tool shows the times your computer has been active during the last 3 weeks, with no previous setup required. The software doesn't need to run in the background, because the Windows OS tracks login and logoff times (working hours) by default, and the program analyses them.

'''Process Explorer''' (v. 10.2) [http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx]

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

'''Protected Storage PassView''' (v. 1.63) [http://www.nirsoft.net/utils/pspv.html]

Protected Storage PassView is a small utility that reveals the passwords stored on your computer by Internet Explorer and Outlook Express. The passwords are revealed by reading the information from the Protected Storage. These include all email and web site passwords where you chose "remember password" (not cookie passwords) as well as auto-complete passwords. This utility can only show the passwords of the current logged-on user; it cannot reveal the passwords of other users.

'''PsTools Suite''' (v. 2.34) [http://www.microsoft.com/technet/sysinternals/utilities/pstools.mspx]

What sets these tools apart is that they all allow you to manage remote systems as well as the local one. The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing. The "Ps" prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named "ps", so I've adopted this prefix for all the tools in order to tie them together into a suite of tools named PsTools. The tools included in the PsTools suite, which are downloadable individually or as a package, are:

* PsExec - execute processes remotely
* PsFile - shows files opened remotely
* PsGetSid - display the SID of a computer or a user
* PsKill - kill processes by name or process ID
* PsInfo - list information about a system
* PsList - list detailed information about processes
* PsLoggedOn - see who's logged on locally and via resource sharing
* PsLogList - dump event log records
* PsPasswd - changes account passwords
* PsService - view and control services
* PsShutdown - shuts down and optionally reboots a computer
* PsSuspend - suspends processes

All of the utilities in the PsTools suite work on Windows NT, Windows 2000 and Windows XP.

'''Pst Password Viewer''' (v. 1.00) [http://www.nirsoft.net/utils/pst_password.html]

The password encryption in the PST file is very weak, and for each password-protected PST file, there are many passwords that can open it. PstPassword provides 3 different passwords for each password-protected PST file. It's possible that one of them will be the original password that you typed, and it's also possible that none of these passwords will be identical to the original one. However, all 3 passwords provided by PstPassword will open the PST file without problems.

'''ptfinder''' (v. 2.0) [http://computer.forensikblog.de/en/2006/03/ptfinder_0_2_00.html]

PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. Some functional checks are also applied.

'''PuTTY SSH Client''' (v. 0.58) [http://www.chiark.greenend.org.uk/~sgtatham/putty/]

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator.

'''reg''' (v. ) [http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/reg.mspx?mfr=true]

Adds, changes, and displays registry subkey information and values in registry entries, for the local user.

'''RegScanner''' (v. 1.30) [http://www.nirsoft.net/utils/regscanner.html]
 +
RegScanner is a small utility that allows you to scan the Registry, find the desired Registry values that match to the specified search criteria, and display them in one list.  After finding the Registry values, you can easily jump to the right value in RegEdit, simply by double-clicking the desired Registry item.  You can also export the found Registry values into a .reg file that can be used in RegEdit. 
 +
 
 +
'''ReSysInfo'''  (v. 2.1 )  [http://www.dominik-reichl.de/freeware.shtml] 
 +
ReSysInfo is a system information viewer for Windows.  The tool has 25 total information modules: BIOS information, CMOS, desktop, DirectX, drives, environment, fonts, keyboard, locale, machine & APM, mainboard, MCI, memory, mouse, multimedia, network, OpenGL, passwords, ports, printers & fax, processes, processor, video system, general information about Windows and a summary.  ReSysInfo has a Report Wizard which can export the information to 3 different formats: plain text, HTML and XML. 
 +
 
 +
'''rifiuti'''  (v. 1.0 )  [http://www.foundstone.com/resources/proddesc/rifiuti.htm]
 +
Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms. 
 +
 
 +
'''Rootkit Revealer'''  (v. 1.7 )  [http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx]
 +
Rootkit Revealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.  Rootkit Revealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: Rootkit Revealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys).  If you use it to identify the presence of a rootkit please let us know!
 +
 
 +
'''Secreport'''  (v. 3.27.07 )  [http://members.verizon.net/~vze3vkmg/index.htm]
It is a small suite of two command-line tools for collecting security-related information from a Windows-based system (SecReport) and comparing any two reports, either from two systems or from the same system after some time (Delta).  I use these tools to quickly assess the level of securing of a Windows system and to compare results to a baseline.  The tools are useful both in daily security administration and during incident response, for fast collection of information.  The tools do not need to be installed on the system and can be run directly from a hard disk, CD-R or network drive (mapped or UNC).  Reports are in XML format and can be viewed with the IE 6.0 browser.  An MD5 hash file for the report is created automatically.
'''WFT'''  (v. 2.0 )  [http://www.foolmoon.net/security/wft/]
The Windows Forensic Toolchest (WFT) was written to provide an automated incident response [or even an audit] on a Windows system and collect security-relevant information from the system.  It is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound manner.  A knowledgeable security person can use it to help look for signs of an incident (when used in conjunction with the appropriate tools).  WFT is designed to produce output that is useful to the user, but is also appropriate for use in court proceedings.  It provides extensive logging of all its actions along with computing the MD5 checksums along the way to ensure that its output is verifiable.  The primary benefit of using WFT to perform incident responses is that it provides a simplified way of scripting such responses using a sound methodology for data collection.

'''Winaudit'''  (v. 2.15 )  [http://www.pxserver.com/WinAudit.htm]
WinAudit is easy to use; no special knowledge is required to use the program.  It is a self-contained single file that needs no installation or configuration.  It can be run from a floppy disk or USB stick.  Simply download the program and double click on it.  User interface translations have been kindly contributed by several people; if possible WinAudit will automatically start in your language.  The program reports on virtually every aspect of computer inventory and configuration.  Results are displayed in web-page format, categorized for ease of viewing and text searching.  Whether your interest is in software compliance, hardware inventory, technical support, security or just plain curiosity, WinAudit has it all.  The program has advanced features such as service tag detection, hard-drive failure diagnosis, network port to process mapping, network connection speed, system availability statistics as well as Windows® update and firewall settings.

'''Cygwin Tools'''

== External Links ==

* [http://www.e-fense.com/helix/faq.php Helix FAQ]
* [http://www.e-fense.com/helix/downloads.php Helix CD image download]

Revision as of 12:47, 8 April 2007

Helix
Maintainer: e-fense
OS: Linux, Windows, Solaris
Genre: Live CD
License: GPL, others
Website: e-fense.com/helix/

Helix is a Live CD built on top of Knoppix. It focuses on incident response and computer forensics.

Tools included

Bootable Side:

2hash (v. 0.2 ) [1] A simple GPL tool to calculate the md5 and sha1 hashes of a file in a single read. If you're regularly checking/calculating hashes of large files this'll save you a lot of disk IO.

Adepto With AFF Support (v. 2.0 ) [2] e-fense Imaging program utilizing dcfldd.

AFF (aimage) (v. 1.6.31 ) [3] The Advanced Forensic Format (AFF) is an extensible open format for the storage of disk images. It provides built-in features such as compression, hash-code verification and metadata management. AFFLib provides AFF-specific tools such as: aimage (creation of AFF images), afcat (generate a dd image from an AFF one), afcompare (verify an AFF image against its derived dd image) and afinfo (validation of an AFF image's hash codes, md5 and sha1). AFFLib is developed by Dr. Simson Garfinkel.

AIR (v. 1.2.8 ) [4] AIR (Automated Image & Restore) is a GUI front-end to dd and dcfldd designed for easily creating forensic bit images. Supports verification via MD5/SHA1, SCSI tape drives, imaging over a TCP/IP network, splitting images, and detailed session logging.

Autopsy (v. 2.08 ) [5] The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer.

chkrootkit (v. 0.46 ) [6] Shell script that checks system binaries for rootkit modification.

chntpw (v. 0.99.2 040105 ) [7] chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your WinNT or Win2000 system, by modifying the crypted password in the registry's SAM file. You do not need to know the old password to set a new one. It works offline (i.e., you have to shutdown your computer and boot off a linux floppy disk). The bootdisk includes stuff to access NTFS partitions and scripts to glue the whole thing together. This utility works with SYSKEY and includes the option to turn it off. A bootdisk image is provided.

Clamav (v. 0.88.4 ) [8] Anti-Virus program.

dcfldd (v. 1.3.4 ) [9] dcfldd is an enhanced version of GNU dd with features useful for forensics and security.

endeavour2 File Manager (v. 2.7.1 ) [10] Endeavour Mark II is a complete file management suite with a file manager, image browser, archiver, recycled objects system, and a set of file and disk management utility programs. It supports disk drive mounting, a fully customizable window appearance, a MIME Types system, and interapplication drag & drop support for KDE and GNOME compatibility (although KDE and GNOME are not required).

Ethereal (v. 0.10.13) [11] Ethereal is used by professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

e2recover (v. 1.0 ) [12] These are tools to assist in recovering deleted files from ext2 file systems.

e2undel (v. 0.82 ) [13] This is an interactive console tool that recovers the data of deleted files on an ext2 file system under Linux.

fatback (v. 1.3 ) [14] A program used to recover deleted files from a FAT file system.

Firefox (v. 1.5.0.1 ) [15] Graphical Internet browser.

foomatic-gui (v. 0.7.4.17 ) [16] Foomatic is a database-driven system for integrating free software printer drivers with common spoolers under Unix. It supports CUPS, LPRng, LPD, GNUlpr, Solaris LP, PPR, PDQ, CPS, and direct printing with every free software printer driver known to us and every printer known to work with these drivers.

foremost (v. 1.3 ) [17] Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

ftimes (v. 3.4.0 ) [18] FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

galleta ( v. 1.0 ) [19] Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Gcombust - Graphical CD Burner (v. 0.1.55-2 ) [20] gcombust is a GTK+ frontend for mkisofs, mkhybrid, cdrecord, and cdlabelgen. It has primitive support for controlling the directory (root) structure and size of an image without copying files/symlinking or writing 10 lines of arguments. It can also maximize disk usage by hinting at which directories/files to use.

GHex (v. 2.8.1 ) [21] GHex is a simple binary editor. It lets users view and edit a binary file in both hex and ascii with a multiple level undo/redo mechanism. Features include find and replace functions, conversion between binary, octal, decimal and hexadecimal values, and use of an alternative, user-configurable MDI concept that lets users edit multiple documents with multiple views of each.

GQView (v. 2.0.1 ) [22] An image browser that features single click access to view images and move around the directory tree.

Graveman - Graphical CD Burner (v. 0.3.12-4-2.1 ) [23] GRAVEMAN is a GUI frontend for CD-R tools (cdrecord, readcd, and mkisofs), cdrdao, DVD+RW tools (growisofs and dvd+rw-format), and sox. It allows you to burn audio CDs (from WAV, Ogg, MP3, or FLAC files) and data CDs or DVDs, and allows you to duplicate CDs.

grepmail (v. 5.3032 ) [24] grepmail searches a normal or compressed mailbox (gzip, bzip2, or tzip) for a given regular expression and returns those emails that match the query. It also supports searches constrained by date and size.

LinEn (v. 5.05f ) [25] EnCase has also developed a method of acquisition on Linux machines, "LinEn" (EnCase for Linux). The interface is similar to that of EnCase for DOS, but the underlying process is completely different from EnCase for DOS.

md5deep Suite (v. 1.12) [26] md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. The programs run on Windows, Linux, Cygwin, *BSD, OS X, Solaris, and should run on most other platforms. md5deep is similar to the md5sum program found in the GNU Coreutils package.
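The 2hash and md5deep entries above describe two related operations: computing several digests of a file in a single read, and matching the results against a list of known hashes. The following is an added example, not code from the Helix CD, 2hash or md5deep: it reads a file once and feeds every buffer to both an MD5 and a SHA-1 digest (the single-read approach 2hash describes), then matches the digests against a constructed known-hash table, the way md5deep's matching mode does, and verifies them against an expected value recorded earlier. The sample file contents, the KNOWN_HASHES table and every function name here are constructed for this example.

```python
import hashlib
import os
import tempfile

# Constructed known-hash list (hexdigest -> label), standing in for the
# hash set an examiner would load from a trusted source. The values are
# the standard MD5 and SHA-1 test vectors for the bytes b"abc".
KNOWN_HASHES = {
    "900150983cd24fb0d6963f7d28e17f72": "md5 of 'abc' (test vector)",
    "a9993e364706816aba3e25717850c26c9cd0d89d": "sha1 of 'abc' (test vector)",
}


def multihash(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash a file with several algorithms in one sequential read.

    Each buffer read from disk is fed to every digest, so a large image is
    read once instead of once per algorithm. Returns {algorithm: hexdigest}.
    """
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            for digest in digests.values():
                digest.update(buf)  # same buffer, every algorithm
    return {name: d.hexdigest() for name, d in digests.items()}


def match_known(path, known=KNOWN_HASHES, **kwargs):
    """Return [(algorithm, label)] for each digest of path found in known."""
    return [(algo, known[hexd])
            for algo, hexd in multihash(path, **kwargs).items()
            if hexd in known]


def verify(path, expected, **kwargs):
    """Compare the file's digests with an expected {algorithm: hexdigest}.

    Returns (ok, mismatches); a mismatch on any algorithm means the file no
    longer matches what was recorded at acquisition time.
    """
    actual = multihash(path, algorithms=tuple(expected), **kwargs)
    mismatches = [a for a in expected
                  if actual[a].lower() != expected[a].lower()]
    return (not mismatches, mismatches)


def demo(data=b"abc", chunk_size=1):
    """Write constructed sample bytes to a temp file and run all three checks.

    chunk_size=1 forces one read per byte, exercising the chunked update
    path that a multi-gigabyte image would take with the default 1 MiB.
    Returns (digests, known-hash hits, verification ok).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        digests = multihash(path, chunk_size=chunk_size)
        hits = match_known(path, chunk_size=chunk_size)
        ok, _ = verify(path, {"md5": digests["md5"]}, chunk_size=chunk_size)
    return digests, hits, ok


if __name__ == "__main__":
    digests, hits, ok = demo()
    for algo, hexd in digests.items():
        print(f"{algo}: {hexd}")
    print("known-hash hits:", hits)
    print("verification ok:", ok)
```

The verify function is the forensic use of the single-pass digests: record both hashes when an image is acquired, then recompute them later with one read of the image and compare; the known-hash matching is the triage use, where a digest hit against a curated list identifies a file without opening it.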

mac_grab (v. 1.0 ) [27] e-fense created program to grab all of the MAC times from a system.

Magicrescue (v. 1.1.4 ) [28] Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it. It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience (this program was not written for fun) shows, however, that chunks of 30-50MB are not uncommon.

NTFS-3G (v. 2006-08-22-BETA ) [29] Finally Linux has full read-write open source NTFS support! Preliminary benchmarks show that the still unoptimized driver is already sometimes twice as fast as ext3 and 20-50 faster than the commercial Paragon NTFS. Interestingly, Captive NTFS, which uses the native Windows NTFS driver, fails all benchmarks with file loss.

Outguess (v. 0.2 ) [30] Improved version of stegdetect released. Stegdetect now supports linear discriminant analysis to detect any JPEG based stego system. It also features improved detection of F5.

pasco (v. 1.0 ) [31] Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

PyFlag (v. 0.80.1 ) [32] FLAG (Forensic and Log Analysis GUI) was designed to simplify the process of log file analysis and forensic investigations. Often, when investigating a large case, a great deal of data needs to be analyzed and correlated. PyFlag uses a database as a backend to assist in managing the large volumes of data. This allows PyFlag to remain responsive and expedite data manipulation operations.

qtparted (v. 0.4.5-cvs ) [33] QTParted is a Partition Magic clone written in C++ using the Qt toolkit.

Retriever (v. 2.0 ) [34] e-fense created program to give a quick look at a “live” system and identify graphic images, word documents and other file types.

rkhunter (v. 1.2.7 ) [35] Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone.

regviewer (v. 0.1 ) [36] RegViewer is a GTK 2.2-based GUI navigator for Windows registry files. It is platform independent, allowing examination of Windows registry files from any platform, and is particularly useful when conducting forensics of Windows files from *nix systems.

rifiuti (v. 1.0 ) [37] Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Scalpel (v. 1.54 ) [38] A digital forensics tool used for carving data from image files based upon the configuration file requirements. This program replaces foremost.

Sleuthkit (v. 2.06 ) [39] The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.

ssdeep (v. 1.1 ) [40] Computes a checksum based on context triggered piecewise hashes for each input file. If requested, the program matches those checksums against a file of known checksums and reports any possible matches. Output is written to standard out and errors to standard error. Input from standard input is not supported.

stegdetect (v. 0.6 ) [41] An automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images. Currently, the detectable schemes are: jsteg, jphide (unix and windows), invisible secrets, outguess 01.3b, F5 (header analysis), appendX and camouflage. Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.

Totem (v. 1.2.1-3 ) [42] A simple video media player for the Gnome desktop.

Xfprot (v. 1.13 ) [43] XFPROT is a graphical front end to the F-Prot Antivirus(TM) for Linux Small Business Edition from version 3.12b up to version 4.6.x. F-Prot Antivirus(TM) for Linux is Copyrighted by Frisk Software International and is free of charge for personal use and downloadable at www.f-prot.com.

xhfs (v. 3.2.6 ) [44] xhfs presents a graphical front-end for browsing and copying files on HFS-formatted volumes. This is a Macintosh HFS File Browser.

Xine-ui (v. 0.99.3 ) [45] xine is a free multimedia player. It plays back CDs, DVDs, and VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3 from local disk drives, and displays multimedia streamed over the Internet. It interprets many of the most common multimedia formats available - and some of the most uncommon formats, too.

Xmms (v. 1.2.10 ) [46] XMMS is a multimedia player based on the look of WinAmp. XMMS plays MPEG layer 1/2/3, Ogg Vorbis, WAV, all formats supported by libmikmod, and CD audio. XMMS has a plugin system for Input / Output / Effects / Visualization, and through plugins it can play a lot more sound and video formats.

xpdf (v. 3.01 ) [47] Xpdf is a viewer for Portable Document Format (PDF) files. (These are also sometimes called 'Acrobat' files, from the name of Adobe's PDF software.) The Xpdf project also includes a PDF text extractor, PDF-to-PostScript converter, and various other utilities. It runs under the X Window System on UNIX, VMS, and OS/2.

Live Windows Side:

Access PassView (v. 1.12 ) [48] This utility reveals the database password of every password-protected mdb file that was created with Microsoft Access 95/97/2000/XP or with Jet Database Engine 3.0/4.0. It can be very useful if you forgot your Access Database password and you want to recover it.

Astrick Logger (v. 1.02 ) [49] Many applications, like CuteFTP, CoffeeCup Free FTP, VNC, IncrediMail, Outlook Express, and others, allow you to type a password for use in the application. The typed password is not displayed on the screen; instead of the real password, you see a sequence of asterisk ('****') characters. This utility can reveal the passwords stored behind the asterisks in standard password text-boxes.

Drive Manager (v. 3.23 ) [50] Drive Manager has been written to help you easily identify drives which are of the same type. As well as displaying the volume label it also displays vendor information, so that multiple CD/DVD drives and removable drives such as USB thumb drives can be differentiated by their manufacturer's name, version and revision date. The serial number can also be seen as a unique ID for each drive.

FAU (v. 1035 ) [51] Incident Response tool that can be used to image a system’s memory as well as any attached devices.

Forensic Server Project (v. 1.0 ) [52] The Forensic Server Project (FSP) is a proof of concept tool for retrieving volatile (and some non-volatile) data from potentially compromised systems. The FSP consists of several Perl scripts and third-party utilities. The server component of the FSP is run on an investigator or administrator's system, and handles all data storage and activity logging. The client components (i.e., FRU.pl and supporting Perl scripts and tools) of the FSP are burned to a CD, and run from the CD drive of the potentially compromised system. Data is copied to the server component via TCP/IP.

FTK Imager (v. 2.5.1 ) [53] FTK Imager allows you to acquire physical device images and logically view data from FAT, NTFS, EXT 2 and 3 as well as HFS and HFS+ file systems. Additionally, FTK Imager allows you to truly multi-task by creating multiple images from a single source and / or multiple images simultaneously. FTK Imager generates DD, SMART and Encase® images and reads several other industry standard formats. With Isobuster technology built in, FTK Imager provides ready access to CDFS and DVD file systems - to include multi and open session CDs.

galleta ( v. 1.0 ) [54] Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

HoverSnap (v. 0.8 ) [55] HoverSnap is a free handy snapshot tool with jpg, png, bmp and gif support. HoverSnap can take snapshots of the full screen, active window or a selected area. It can even capture layered windows (alphablended ones under 2K / XP). You can even FTP upload your screenshots! You can set up the capture folder / filename and format. You can reduce the capture size. Auto-generate filename option will add the time stamp (date/time) to your filename in order to be able to take several captures without having to change the filename. Optional sound when capture is done.

IECookiesView (v. 1.70 ) [56] IECookiesView is a small and handy utility that displays the details of all cookies that IE stores on your computer. In addition, it allows you to sort the cookies, delete selected ones, and view detailed information about each one and even save the cookies to a readable text file. If you are connected to a network, you can watch the cookies of other computers, as long as you have a read permission on the cookies folder and under Windows 2000, you can view the cookies of other users (admin rights). IECookiesView also allows you to view references to deleted cookies that are still stored in the index.dat file.

IEHistoryView (v. 1.32 ) [57] IEHistoryView allows you to view and modify the history of visited websites in Internet Explorer. In addition, you can also export all or selected items to HTML reports, view detailed properties for selected entries, sort them and more. The program allows you to access the history of other user accounts or network computers as well, provided that you have the proper access rights.

IRCR (v. 2.3 ) [58] The Incident Response Collection Report is a script to call a collection of tools that gathers and/or analyzes data on a Microsoft Windows system. You can think of this as a snapshot of the system in the past. Most of the tools are oriented towards data collection rather than analysis.

Mail PassView (v. 1.36 ) [59] Mail PassView is a small password-recovery tool that reveals the passwords and other account details for the following email clients: Outlook Express, Microsoft Outlook 2000 (POP3 and SMTP Accounts only), Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP and SMTP Accounts), IncrediMail, Eudora, Netscape 6.x/7.x, Mozilla Thunderbird, Group Mail Free, Yahoo! Mail - If the password is saved in Yahoo! Messenger application, Hotmail/MSN mail - If the password is saved in MSN Messenger application and Gmail - If the password is saved by Gmail Notifier application.

memdump (v. 2.0 ) [60] The MEMDump utility is designed to dump or copy any part of 4GB linear memory address space under MS-DOS and Windows 9x DOS to a console, text or binary file.

MessenPass (v. 1.08 ) [61] MessenPass allows you to recover your password(s) from a wide variety of popular Instant Messenger programs, including MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ Lite 4.x/2003, AOL Instant Messenger, AOL Instant Messenger/Netscape 7, Trillian, Miranda and GAIM. Just run the program and it will present you with a list of all accounts found on your PC, including the username and passwords. The list can be exported to HTML or saved as text file. MessenPass can only be used to recover the passwords for the current logged-on user on your local computer. You cannot use it for grabbing the passwords of other users.

Mozilla Cookie View (v. 1.11 ) [62] MozillaCookiesView is an alternative to the standard 'Cookie Manager' provided by Netscape and Mozilla browsers. It displays the details of all cookies stored inside the cookies file (cookies.txt) in one table, and allows you to save the cookies list into text, HTML or XML file, delete unwanted cookies, and backup/restore the cookies file.

Network Password Recovery (v. 1.03 ) [63] Network Password Recovery can retrieve all network passwords stored on your system for the current logged-on user. In addition, it can also recover any .NET Passport accounts that are stored locally.

pasco (v. 1.0 ) [64] Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

PC Inspector File Recovery (v. 4.0 ) [65] PC Inspector File Recovery is a data recovery program that supports the FAT 12/16/32 and NTFS file systems. Finds partitions automatically, even if the boot sector or FAT has been erased or damaged (does not work with the NTFS file system). Recovers files with the original time and date stamp. Supports saving of recovered files to network drives.

PC On/Off Time (v. 2.0) [66] This free time tracking tool shows the times your computer has been active during the last 3 weeks, with no previous setup required. The software doesn't need to run in the background, because Windows OS tracks login and logoff times (working hours) by default, and the program analyses it.

Process Explorer (v. 10.2 ) [67] The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

Protected Storage PassView (v. 1.63 ) [68] Protected Storage PassView is a small utility that reveals the passwords stored on your computer by Internet Explorer and Outlook Express. The passwords are revealed by reading the information from the Protected Storage. These include all email and web site passwords where you chose "remember password" (not cookie passwords) as well as auto-complete passwords. This utility can only show the passwords of the current logged-on user, it cannot reveal the passwords of other users.

PsTools Suite (v. 2.34 ) [69] What sets these tools apart is that they all allow you to manage remote systems as well as the local one. The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing. The "Ps" prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named "ps", so I've adopted this prefix for all the tools in order to tie them together into a suite of tools named PsTools. The tools included in the PsTools suite, which are downloadable individually or as a package, are:
PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsKill - kill processes by name or process ID
PsInfo - list information about a system
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes
All of the utilities in the PsTools suite work on Windows NT, Windows 2000 and Windows XP.

Pst Password Viewer (v. 1.00 ) [70] The password encryption in the PST file is very weak, and for each password-protected PST file, there are many passwords that can open it. PstPassword provides 3 different passwords for each password-protected PST file. It's possible that one of them will be the original password that you typed, and it's also possible that none of these passwords will be identical to the original one. However, all 3 passwords provided by PstPassword will open the PST file without problems.

ptfinder (v. 2.0 ) [71] PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. Some functional checks are also applied.

PuTTY SSH Client (v. 0.58 ) [72] PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator.

reg (v. ) [73] Adds, changes, and displays registry subkey information and values in registry entries, for the Local User.

RegScanner (v. 1.30 ) [74] RegScanner is a small utility that allows you to scan the Registry, find the desired Registry values that match to the specified search criteria, and display them in one list. After finding the Registry values, you can easily jump to the right value in RegEdit, simply by double-clicking the desired Registry item. You can also export the found Registry values into a .reg file that can be used in RegEdit.

ReSysInfo (v. 2.1 ) [75] ReSysInfo is a system information viewer for Windows. The tool has 25 total information modules: BIOS information, CMOS, desktop, DirectX, drives, environment, fonts, keyboard, locale, machine & APM, mainboard, MCI, memory, mouse, multimedia, network, OpenGL, passwords, ports, printers & fax, processes, processor, video system, general information about Windows and a summary. ReSysInfo has a Report Wizard which can export the information to 3 different formats: plain text, HTML and XML.

rifiuti (v. 1.0 ) [76] Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Rootkit Revealer (v. 1.7 ) [77] Rootkit Revealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. Rootkit Revealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: Rootkit Revealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!

Secreport (v. 3.27.07 ) [78] It is a small suite of two command-line tools for collecting security-related information from a Windows-based system (SecReport) and comparing any two reports, either from two different systems or from the same system at two points in time (Delta). I use these tools to quickly assess the security level of a Windows system and to compare the results to a baseline. The tools are useful both in daily security administration and during incident response, for fast collection of information. The tools do not need to be installed on the system and can be run directly from a hard disk, a CD-R or a network drive (mapped or UNC). Reports are in XML format and can be viewed with the IE 6.0 browser. An MD5 hash file for each report is created automatically.

WFT (v. 2.0 ) [79] The Windows Forensic Toolchest (WFT) was written to provide an automated incident response [or even an audit] on a Windows system and collect security-relevant information from the system. It is essentially a forensically enhanced batch-processing shell capable of running other security tools and producing HTML-based reports in a forensically sound manner. A knowledgeable security person can use it to help look for signs of an incident (when used in conjunction with the appropriate tools). WFT is designed to produce output that is useful to the user but is also appropriate for use in court proceedings. It provides extensive logging of all its actions and computes MD5 checksums along the way to ensure that its output is verifiable. The primary benefit of using WFT to perform incident responses is that it provides a simplified way of scripting such responses using a sound methodology for data collection.


Winaudit (v. 2.15 ) [80] WinAudit is easy to use; no special knowledge is required to use the program. It is a self-contained single file that needs no installation or configuration. It can be run from a floppy disk or USB stick. Simply download the program and double click on it. User interface translations have been kindly contributed by several people; if possible WinAudit will automatically start in your language. The program reports on virtually every aspect of computer inventory and configuration. Results are displayed in web-page format, categorized for ease of viewing and text searching. Whether your interest is in software compliance, hardware inventory, technical support, security or just plain curiosity, WinAudit has it all. The program has advanced features such as service tag detection, hard-drive failure diagnosis, network port to process mapping, network connection speed, system availability statistics as well as Windows® update and firewall settings.


Cygwin Tools

External Links