Difference between pages "DEFT Linux 1" and "Xplico"

From ForensicsWiki
DEFT v1 Linux
Maintainer: Stefano Fratepietro
OS: Linux
Genre: Live CD
License: GPL, others
Website: www.deftlinux.net

DEFT v1 is a Live CD built on top of Kubuntu 6.10 with the best tools for computer forensics and incident response.

Tools included

DEFT computer and network forensic packages:

  • sleuthkit, a collection of UNIX-based command line tools that allow you to investigate a computer
  • autopsy, graphical interface to the command line digital investigation tools in The Sleuth Kit
  • AFF lib, Advanced Forensic Format library
  • gpart, a tool that tries to guess the primary partition table of a PC-type hard disk
  • ddrescue, copies data from one file or block device to another
  • foremost, console program to recover files based on their headers, footers, and internal data structures
  • hexdump, combined hex and ASCII dump of any file
  • khexedit, a versatile and customizable hex editor
  • stegdetect, steganography detection software
  • outguess, a steganography tool
  • ophcrack, Windows password recovery
  • wireshark, network sniffer
  • ettercap, network sniffer
  • nessus, vulnerability and security scanner
  • nmap, the best network scanner
  • airsnort, wireless LAN (WLAN) tool that recovers encryption keys
  • kismet, sniffer and intrusion detection system that works with any wireless card
  • dmraid, discovers software RAID devices
  • testdisk, tool to recover damaged partitions
  • qtparted, a Partition Magic clone written in C++ using the Qt toolkit
  • vinetto, tool to examine Thumbs.db files
  • trID, tool to identify file types from their binary signatures
  • readpst, a tool to read MS Outlook PST files

DEFT utility packages:

  • Linux Kernel 2.6.17
  • KDE 3.5.5
  • k3b
  • Samba client
  • OpenSSH client & server

and much more...

External Links

  • Official Website: http://www.deftlinux.net/

Revision as of 05:04, 24 May 2008

Xplico
Maintainer: Gianluca Costa & Andrea de Franceschi
OS: Linux
Genre: Analysis
License: GPL
Website: www.xplico.org

Xplico is a Network Forensic Analysis Tool (NFAT). Its main purpose is to extract all application-layer data content from a network capture (a pcap file or a real-time acquisition). For example, from a pcap file Xplico can extract all emails carried by the POP and SMTP protocols and all content carried over HTTP.

Features

  • Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ... (see http://www.xplico.org/status.html for the full list);
  • Port Independent Protocol Identification (PIPI) for each application protocol;
  • Multithreading;
  • Output of data and information to an SQLite or MySQL database and/or to files;
  • Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap file containing the reassembled data;
  • Real-time processing (throughput depends on the number of flows, the protocol types, and the performance of the machine: RAM, CPU, disk access time, ...);
  • TCP reassembly with ACK verification for every packet, or with soft ACK verification;
  • Reverse DNS lookup from DNS packets contained in the input files (pcap), not from an external DNS server;
  • No size limit on input data or on the number of input files (the only limit is disk size);
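The "TCP reassembly with ACK verification" feature above is the difference between reassembling whatever the sniffer saw and reassembling only what the receiver actually accepted, which matters when the capture contains segments the other endpoint never acknowledged. The following Python is an added example and not Xplico's code: it reassembles one direction of a constructed TCP exchange both ways, so that strict ACK verification drops an unacknowledged trailing segment while soft verification keeps every contiguous byte. Segment, reassemble, CLIENT, SERVER and demo are assumed names, the segments are constructed, and sequence-number wraparound is ignored.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes  # TCP payload; b"" for a pure ACK
    ack: int = 0    # acknowledgement number carried by this segment

def reassemble(data: List[Segment], reverse: List[Segment], first_seq: int,
               strict_ack: bool = True) -> Tuple[bytes, int]:
    """Reassemble one direction of a TCP connection from captured segments.
    strict_ack=True  ("ACK verification for any packet"): a byte is emitted only
                     if the receiver acknowledged it (highest ACK seen > its seq).
    strict_ack=False ("soft ACK verification"): every contiguous captured byte
                     is emitted; ACK numbers do not gate the output.
    Returns (stream, count of captured bytes the receiver never acknowledged)."""
    # Everything below the highest ACK number sent back was accepted by the receiver.
    highest_ack = max((s.ack for s in reverse), default=first_seq)
    # Absolute sequence number -> byte: out-of-order segments land in place and an
    # identical retransmission overwrites with the same value (wraparound ignored).
    by_seq: Dict[int, int] = {}
    for s in data:
        for i, b in enumerate(s.payload):
            by_seq[s.seq + i] = b
    out = bytearray()
    seq = first_seq
    while seq in by_seq:                     # stop at the first hole (lost segment)
        if strict_ack and seq >= highest_ack:
            break                            # captured, but never acknowledged
        out.append(by_seq[seq])
        seq += 1
    unacked = sum(1 for n in by_seq if n >= highest_ack)
    return bytes(out), unacked

# Constructed client->server segments: out of order, one retransmission, one never ACKed.
CLIENT = [
    Segment(1001, b"GET / HTTP/1.0\r\n"),
    Segment(1037, b"\r\n"),                    # arrives before the Host header
    Segment(1017, b"Host: example.test\r\n"),
    Segment(1017, b"Host: example.test\r\n"),  # retransmission
    Segment(1039, b"Connection: close\r\n"),   # unacknowledged by the server
]
# Constructed server->client pure ACKs (the server's own response data is omitted).
SERVER = [Segment(5001, b"", ack=a) for a in (1017, 1037, 1039)]

def demo() -> Tuple[bytes, int, bytes]:
    strict, dropped = reassemble(CLIENT, SERVER, 1001, strict_ack=True)
    soft, _ = reassemble(CLIENT, SERVER, 1001, strict_ack=False)
    return strict, dropped, soft   # 38-byte request, 19 dropped, 57-byte soft stream
```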