Difference between pages "DEFT Linux 1" and "Xplico"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m
 
m
 
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = DEFT v1 Linux |
+
   name = Xplico |
   maintainer = [[Stefano Fratepietro]] |
+
   maintainer = [[Gianluca Costa & Andrea de Franceschi]] |
 
   os = {{Linux}} |
 
   os = {{Linux}} |
   genre = {{Live CD}} |
+
   genre = {{Analysis}} |
   license = {{GPL}}, others |
+
   license = {{GPL}} |
   website = [http://www.stevelab.net/deft] |
+
   website = [http://www.xplico.org www.xplico.org] |
 
}}
 
}}
  
'''DEFT v1''' is a [[Live CD]] built on top of Kubuntu 6.10 with the best tools for Computer Forensic and incident response.
+
The '''Xplico''' is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract all application data content from a network capture (pcap file or real-time acquisition). For example, Xplico is able to extract all e-mails carried by the POP and SMTP protocols, and all content carried by HTTP protocol from a pcap file.
 
+
<h2>Features</h2>
== Tools included ==
+
            <ul>
 
+
              <li>Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...];</li>
'''Deft computer and network forensic packages list:'''
+
              <li>Port Independent Protocol Identification (PIPI) for each application protocol;</li>
 
+
              <li>Multithreading;</li>
: - sleuthkit, collection of UNIX-based command line tools that allow you to investigate a computer
+
              <li>Output data and information in SQLite database or MySQL database and/or files;</li>
: - autopsy, graphical interface to the command line digital investigation tools in The Sleuth Kit
+
              <li>At each data reassembled by Xplico is associated a [[XML]] file that uniquely identifies the flows and the pcap containing the data reassembled;</li>
: - aff lib, advanced forensic format
+
              <li>Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer ---RAM, CPU, HD access time, ...--- );</li>
: - gpart, tool which tries to guess the primary partition table of a PC-type hard disk
+
              <li>TCP reassembly with ACK verification for any packet or soft ACK verification;</li>
: - dd rescue, copy data from one file or block device to another
+
              <li>Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;</li>
: - foremost, console program to recover files based on their headers, footers, and internal data structures
+
              <li>No size limit on data entry or the number of files entrance (the only limit is HD size).</li>
: - hex dump, combined hex and ascii dump of any file
+
            </ul>
: - khex edit, a versatile and customizable hex editor
+
: - steg detect, a steganography detection software
+
: - outguess, a stegano tool
+
: - ophcrack, Windows password recovery
+
: - wireshark, network sniffer
+
: - ettercap, network sniffer
+
: - nessus, vulnerability and security scanner
+
: - nmap, the best network scanner
+
: - airsnort, wireless LAN (WLAN) tool which recovers encryption keys
+
: - kismet, sniffer and intrusion detection system that work with any wireless card
+
: - dmraid, discover software RAID devices
+
: - testdisk, tool to recover damaged partitions
+
: - qtparted, a Partition Magic clone written in C++ using the Qt toolkit
+
: - vinetto, tool to examine Thumbs.db files
+
: - trID, tool to identify file types from their binary signatures
+
: - readpst, a tools to read ms-Outlook pst files
+
 
+
'''Deft utility package list:'''
+
 
+
: - linux Kernel 2.6.17
+
: - lkDE 3.5.5
+
: - k3b
+
: - samba client
+
: - open SSH client & server
+
 
+
 
+
and mutch more...
+
 
+
== External Links ==
+
 
+
* [http://www.stevelab.net/deft Official Website]
+

Revision as of 10:51, 8 October 2008

Xplico
Maintainer: Gianluca Costa & Andrea de Franceschi
OS: Linux
Genre: Analysis
License: GPL
Website: www.xplico.org

The Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract all application data content from a network capture (pcap file or real-time acquisition). For example, Xplico is able to extract all e-mails carried by the POP and SMTP protocols, and all content carried by HTTP protocol from a pcap file.

Features

  • Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...;
  • Port Independent Protocol Identification (PIPI) for each application protocol;
  • Multithreading;
  • Output data and information in SQLite database or MySQL database and/or files;
  • At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
  • Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer ---RAM, CPU, HD access time, ...--- );
  • TCP reassembly with ACK verification for any packet or soft ACK verification;
  • Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
  • No size limit on data entry or the number of files entrance (the only limit is HD size).
Retrieved from "http://www.forensicswiki.org/w/index.php?title=DEFT_Linux_1&oldid=8027"