Forensics Softwares
Saturday, July 18, 2009
mobiusft-0.4.6
Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.
pdfresurrect-v0_5
PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. It can also "scrub" or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.
mp3nema-v0_4
MP3nema is a tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data. This utility also supports adding data between frames and capturing streaming audio.
Interrogate 0.0.3
Interrogate is a proof-of-concept tool for identification of cryptographic keys in binary material. First and foremost for memory dump analysis and forensics usage. Able to identify AES, Serpent, Twofish and RSA keys as of version 0.1.
cadfile 11.26
Orablock allows a forensic investigator the ability to dump data from a "cold" Oracle data file.There is no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence.Orablock can also be used to locate "stale" data - data that has been deleted or updated.
xplico-0.1_deft4
Xplico is an open source Network Forensic Analysis Tool (NFAT) that allows for data extraction from traffic captures. It supports extraction of mail from POP, IMAP, and SMTP, can extract VoIP streams, etc.
msnshadow-0.3-beta
MSN Shadow is a forensics tool to analyze the MSN protocol. It has features such as: text sniffing, video sniffing, spoofing messages, hijacking sessions, shutdown users, save text sniffed in HTML format, save video sniffed in AVI format.
xplico_phpgui-0.1_deft3x.tgz
PHP GUI for the Xplico open source network forensic analysis tool.
Windows IR/CF Tools
This project is the home of tools associated with the book "Windows Forensic Analysis", as well as other subsequent tools I have written and offer to the IR/CF community. These tools include RegRipper, etc.
metagoofil-1.4.tar.gz
Metagoofil is an information gathering tool designed for extracting the Meta-Data of public documents (pdf,doc,xls,ppt,etc) available on target/victim websites. It will generate a html page with the results of the Meta-Data extracted, plus a list of potential usernames.
PExtractor_v0.18b_binary_and_src.rar
PExtractor is a forensics tool that can extract all files from an executable file created by a joiner or similar.
Vision v1.0
Vision, a host based Forensic Utility is the GUI successor to the well-known freeware tool, Fport. This innovative new product from Foundstone shows all of the open TCP and UDP ports on a machine, displays the service that is active on each port, and maps the ports to their respective applications. Vision allows users to access a large amount of supplementary information that is useful for determining host status by displaying detailed system information, applications running, as well as processes and ports in use.
Key Features
Interrogate ports and identify potential "Trojan" services by using the "Port Probe" command in the port mapper. Using "Port Probe", Vision will enable you to send a customized string of information to the port. Based on the response from the port, a determination can be made to either kill the port, using the "Kill" command, or leave it as is.
View system events by sorting by application, process, service, port, remote IP, and device drivers in ascending or descending order.
Identify and review detailed information about Services and Devices to determine if they are Running or Stopped.
dumpAutoComplete v0.7
This application will search for the default Firefox profile of the user who runs the tool and dump the AutoComplete cache in XML format to standard output. Alternatively, autocomplete files can be passed to the application and they will be parsed as well. This application understands mork based autocomplete files (Firefox 1.x) as well as SQLite based formhistory and webappsstore files (Firefox 2.x).
The download package contains a standalone windows application. The MSVCR71.dll maybe needed on systems that do not already have this file. The full Python source code is also included and can be run on Windows, Mac OS X, Linux, or any other system with Python installed (the additional "pysqlite2" modulal is required for SQLite based file parsing).
LaBrea Honeypot 2.5
LaBrea takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers connection attempts in such a way that the machine at the other end gets "stuck", sometimes for a very long time.
Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.
pdfresurrect-v0_5
PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. It can also "scrub" or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.
mp3nema-v0_4
MP3nema is a tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data. This utility also supports adding data between frames and capturing streaming audio.
Interrogate 0.0.3
Interrogate is a proof-of-concept tool for identification of cryptographic keys in binary material. First and foremost for memory dump analysis and forensics usage. Able to identify AES, Serpent, Twofish and RSA keys as of version 0.1.
cadfile 11.26
Orablock allows a forensic investigator the ability to dump data from a "cold" Oracle data file.There is no need to load up the data file in the database which would cause the data file to be modified, so using orablock preserves the evidence.Orablock can also be used to locate "stale" data - data that has been deleted or updated.
xplico-0.1_deft4
Xplico is an open source Network Forensic Analysis Tool (NFAT) that allows for data extraction from traffic captures. It supports extraction of mail from POP, IMAP, and SMTP, can extract VoIP streams, etc.
msnshadow-0.3-beta
MSN Shadow is a forensics tool to analyze the MSN protocol. It has features such as: text sniffing, video sniffing, spoofing messages, hijacking sessions, shutdown users, save text sniffed in HTML format, save video sniffed in AVI format.
xplico_phpgui-0.1_deft3x.tgz
PHP GUI for the Xplico open source network forensic analysis tool.
Windows IR/CF Tools
This project is the home of tools associated with the book "Windows Forensic Analysis", as well as other subsequent tools I have written and offer to the IR/CF community. These tools include RegRipper, etc.
metagoofil-1.4.tar.gz
Metagoofil is an information gathering tool designed for extracting the Meta-Data of public documents (pdf,doc,xls,ppt,etc) available on target/victim websites. It will generate a html page with the results of the Meta-Data extracted, plus a list of potential usernames.
PExtractor_v0.18b_binary_and_src.rar
PExtractor is a forensics tool that can extract all files from an executable file created by a joiner or similar.
Vision v1.0
Vision, a host based Forensic Utility is the GUI successor to the well-known freeware tool, Fport. This innovative new product from Foundstone shows all of the open TCP and UDP ports on a machine, displays the service that is active on each port, and maps the ports to their respective applications. Vision allows users to access a large amount of supplementary information that is useful for determining host status by displaying detailed system information, applications running, as well as processes and ports in use.
Key Features
Interrogate ports and identify potential "Trojan" services by using the "Port Probe" command in the port mapper. Using "Port Probe", Vision will enable you to send a customized string of information to the port. Based on the response from the port, a determination can be made to either kill the port, using the "Kill" command, or leave it as is.
View system events by sorting by application, process, service, port, remote IP, and device drivers in ascending or descending order.
Identify and review detailed information about Services and Devices to determine if they are Running or Stopped.
dumpAutoComplete v0.7
This application will search for the default Firefox profile of the user who runs the tool and dump the AutoComplete cache in XML format to standard output. Alternatively, autocomplete files can be passed to the application and they will be parsed as well. This application understands mork based autocomplete files (Firefox 1.x) as well as SQLite based formhistory and webappsstore files (Firefox 2.x).
The download package contains a standalone windows application. The MSVCR71.dll maybe needed on systems that do not already have this file. The full Python source code is also included and can be run on Windows, Mac OS X, Linux, or any other system with Python installed (the additional "pysqlite2" modulal is required for SQLite based file parsing).
LaBrea Honeypot 2.5
LaBrea takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet. The program answers connection attempts in such a way that the machine at the other end gets "stuck", sometimes for a very long time.
Post a Comment