Scalpel (Data Carving / Forensics) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <img alt="Scalpel File Carving" border="0" height="401" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3VpA7fvHWtvtTu1En4hyKfrQQ-P789lCCdh2-IYD099ppsXp5Vhruf9DLfp_3pcxvEU9irpL6sjH0wpQQua8wSJVqplQItpzc4tlOPDG__ydIAUTBDybUKBMBHnVX60mxAi3pbZ0zZSJD/s1600/Scalpel+Forensics.jpg" title="Scalpel File Carving" width="640" /></div> <br /> <b>Scalpel</b> is a <b>file carving and indexing application</b> that runs on <a href="http://www.toolwar.com/search/label/Linux" target="_blank">Linux</a> and <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a>.  The first version of <b>Scalpel</b>, released in 2005, was based on <a href="http://www.toolwar.com/2013/11/foremost-tools.html" target="_blank">Foremost</a> 0.69. There have been a number of internal releases since the last public release, 1.60, primarily to support our own research.  The newest public release v2.0, has a number of additional features, including:<br /> <ul> <li>Minimum carve sizes.</li> <li>Multithreading for quicker execution on multicore CPUs.</li> <li>Asynchronous I/O that allows disk operations to overlap with pattern matching--this results in a substantial performance improvement.</li> <li>Regular expression support for headers/footers.</li> <li>Embedded header/footer matching for better processing of structured file types that may contain embedded files.</li> <li>For advanced users, support for massively-threaded execution on Graphics Processing Units (GPUs).  This feature is available only on Linux and requires installation of the NVIDIA CUDA SDK, modification of scalpel.h to enable the GPU threading mode, and compilation with the CUDA toolchain.  Our implementation also requires an NVIDIA GPU with compute capability >= 1.2, so older CUDA-capable cards probably won't work.  The NVIDIA GTX 260 is relatively inexpensive and powerful and has the appropriate compute capability.  The GPU-enhanced version of Scalpel is able to do preview carving at rates that exceed the disk bandwidth of most file servers, so for big jobs, it may be worth the extra effort required to use this feature.  Note that regular expression-based headers and footers are NOT currently supported when GPU acceleration is in use!  We might address this in a future release.</li> </ul> <br /> <b>Scalpel</b> performs <a href="http://www.toolwar.com/search/label/Carving" target="_blank">file carving</a> operations based on patterns that describe particular file or data fragment "types".  These patterns may be based on either fixed binary strings or regular expressions. A number of default patterns are included in the configuration file included in the distribution, <b>"scalpel.conf"</b>.  The comments in the configuration file explain the format of the file carving patterns supported by <b>Scalpel</b>.<br /> <br /> Important note: The default configuration file, "scalpel.conf", has all supported file patterns commented out--you must edit this file before running Scalpel to activate some patterns.  Resist the urge to simply uncomment all file carving patterns; this wastes time and will generate a huge number of false positives.  Instead, uncomment only the patterns for the file types you need.<br /> <br /> <b>Scalpel </b>options are described in the <b>Scalpel</b> man page, "scalpel.1". You may also execute Scalpel w/o any <a href="http://www.toolwar.com/search/label/CLI" target="_blank">command line</a> arguments to see a list of options.<br /> <br /> NOTE: Compilation is necessary on Unix platforms and on <a href="http://www.toolwar.com/search/label/Mac" target="_blank">Mac OS X</a>.  For Windows platforms, a precompiled scalpel.exe is provided.  If you do wish to recompile <b>Scalpel</b> on Windows, you'll need a mingw (gcc) setup. Scalpel will not compile using Visual Studio C compilers.  Note that our compilation environment for <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> is currently 32-bit; we haven't tested on the 64-bit version of mingw, but will address this int the future.<br /> <br /> <b>Other Supportive Platforms :: </b></div> <div style="text-align: justify;"> <br /> We are not currently supporting <b>Scalpel</b> on <a href="http://www.toolwar.com/search/label/Unix" target="_blank">Unix</a> variants other than Linux. Go ahead and try a ./configure and make and see what happens, but be sure to do thorough testing before using <b>Scalpel</b> in production work.  If you are interested in supporting a version of <b>Scalpel </b>on an alternate platforms, please contact us.  If you are interested in supporting a GPU-enhanced version of Scalpel on Windows, we are also interesting in hearing from you.<br /> <br /> <b>Limitations ::</b> <br /> <br /> Carving Windows physical and logical device files (e.g., \\.\physicaldrive0 or \\.\c:) isn't currently supported because it requires us to rewrite some portions of <b>Scalpel </b>to use Windows file I/O functions rather than standard Unix calls.  This may be supported in a future release.<br /> <br /> Block map features are currently disabled, as we are rewriting this subsystem to enhance interoperability with the <a href="http://www.toolwar.com/2014/01/the-sleuth-kit-tsk-forensics-framework.html" target="_blank">Sleuthkit</a>.  An improved version of the block map features will return in a subsequent release. The -s command line option ("skip") has been removed and will be replaced with a more robust facility in the next major release.<br /> <br /> <br /> <b>Dependencies ::</b><br /> <br /> Scalpel uses the POSIX threads library.  On Win32, Scalpel is distributed with the Pthreads-win32 - POSIX Threads Library for Win32, which is Copyright(C) 1998 John E. Bossom and Copyright(C) 1999,2005 by Pthreads-win32 contributors.  This library is licensed under the LGPL.<br /> <br /> Scalpel for Win32 uses the tre regular expression library and is distributed with tre-0.7.5, which is licensed under the LGPL.</div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> <h3> Tutorials :: </h3> <b>COMPILE INSTRUCTIONS ON SUPPORTED PLATFORMS :: </b><br /> <b>Linux/Mac OS X ::</b> <br /> <div style="text-align: justify;"> <span style="font-family: "Courier New",Courier,monospace;">./configure and then make</span><br /> <br /> <b>Windows :: </b> </div> cd to src directory and then:<br /> <span style="font-family: "Courier New",Courier,monospace;">mingw32-make -f Makefile.win</span><br /> <br /> and enjoy.  If you want to install the binary and man page in a more permanent place, just copy "scalpel" (or "scalpel.exe") and "scalpel.1" to appropriate locations, e.g., on Linux, "/usr/local/bin" and "/usr/local/man/man1", respectively.  On Windows, you'll also need to copy the pthreads and tre regular expression library dlls into the same directory as "scalpel.exe".<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/5Z9JsBazOdw?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3> Download ::</h3> </div> <div style="text-align: justify;"> <b>Linux | Windows | Mac :: </b><a href="https://github.com/sleuthkit/scalpel/archive/master.zip" target="_blank">Scalpel</a> (.zip)<b> </b></div> <div style="text-align: justify;"> <b>Official Website :: </b> <a href="https://github.com/sleuthkit/scalpel">https://github.com/sleuthkit/scalpel</a></div>

Scalpel (Data Carving / Forensics) :: Tools

Scalpel is a file carving and indexing application that runs on Linux and Windows .  The first version of Scalpel , released in 2005,...

Read more »

Bulk Extractor (Computer Forensics) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="Bulk Extractor" border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSwFRjzP4nYzs-ILiilqCBkm5oZiif74oCtqJU8AR5h2mTI_uHT4qyVykTzAKntroljTwfaPMVl2vcJLfpgcd6GaTRTidtiwi8dgXrG0Sp6F0pMD2_DCiaA94q7R02Bz4t8-nz_dhg07WE/s1600/computer-forensic-analysis.jpg" title="Bulk Extractor" width="400" /></div> <div style="text-align: justify;"> <b>Bulk Extractor</b> is a <b>computer forensics tool</b> that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. <b>Bulk Extractor</b> also created a histograms of features that it finds, as features that are more common tend to be more important. The program can be used for law enforcement, defense, intelligence, and <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">cyber-investigation</a> applications. </div> <div style="text-align: justify;"> bulk_extractor is distinguished from other forensic tools by its speed and thoroughness. Because it ignores file system structure, <b>Bulk Extractor</b> can process different parts of the disk in parallel. In practice, the program splits the disk up into 16MiByte pages and processes one page on each available core. This means that 24-core machines process a disk roughly 24 times faster than a 1-core machine. <b>Bulk Extractor</b> is also thorough. That’s because <b>Bulk Extractor</b> automatically detects, decompresses, and recursively re-processes compressed data that is compressed with a variety of algorithms. Our <a href="http://www.toolwar.com/search/label/Testing" target="_blank">testing</a> has shown that there is a significant amount of compressed data in the unallocated regions of file systems that is missed by most <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensic tools</a> that are commonly in use today. </div> <div style="text-align: justify;"> Another advantage of ignoring file systems is that <b>Bulk Extractor</b> can be used to process any digital media. We have used the program to process hard drives, SSDs, optical media, camera cards, <a href="http://www.toolwar.com/search/label/Phone" target="_blank">cell phones</a>, network packet dumps, and other kinds of digital information. </div> <h3 style="text-align: justify;"> Tutorials ::</h3> <div style="text-align: justify;"> <span style="font-family: inherit;"><span style="font-size: small;"><b>Compiling for MacOS or Linux</b> :: </span></span></div> <div style="text-align: justify;"> <span style="font-family: inherit;"><span style="font-size: small;">From the downloaded source directory run bootstrap.sh, configure and make: </span></span> </div> <ul style="text-align: justify;"> <li><span style="font-family: "Courier New",Courier,monospace;">$ cd bulk_extractor </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ sh bootstrap.sh </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ sh configure </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ make </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ sudo make install </span></li> </ul> <div style="text-align: justify;"> <b>Compiling for Windows :: </b></div> <div style="text-align: justify;"> There are three ways to compile for Windows: </div> <div style="text-align: justify;"> 1. Cross-compiling from a Linux or Mac system with mingw. </div> <div style="text-align: justify;"> 2. Compiling natively on Windows using mingw. </div> <div style="text-align: justify;"> 3. Compiling natively on Windows using cygwin (untested)</div> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> <b>Cross-compiling for Windows using Debian Testing (wheezy) or Ubuntu 12.04 LTS (with mingw) :: </b></div> <div style="text-align: justify;"> You will need to install mingw-w64 and zlib-dev: </div> <ul style="text-align: justify;"> <li><span style="font-family: "Courier New",Courier,monospace;">$ sudo apt-get update </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ sudo apt-get upgrade </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ sudo apt-get -y install mingw-w64 </span></li> </ul> <div style="text-align: justify;"> Next, download zlib from zlib.net </div> <ul style="text-align: justify;"> <li><span style="font-family: "Courier New",Courier,monospace;">$ ./configure --host=i686-w64-mingw32 </span></li> </ul> <div style="text-align: justify;"> This allows the cross-compiling of the 64-bit and the 32-bit bulk_extractor.exe, although we do not recommend running the 32-bit version. </div> <div style="text-align: justify;"> Now you are ready to compile: </div> <ul style="text-align: justify;"> <li><span style="font-family: "Courier New",Courier,monospace;">$ git clone --recursive https://github.com/simsong/bulk_extractor.git </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ cd bulk_extractor </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ sh bootstrap.sh </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ mingw64-configure</span></li> </ul> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> <b>Installing on a Linux/MacOS/Mingw system :: </b></div> <ul style="text-align: justify;"> <li><span style="font-family: "Courier New",Courier,monospace;">$ ./configure </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ make </span></li> <li><span style="font-family: "Courier New",Courier,monospace;">$ sudo make install  </span></li> </ul> <div style="text-align: justify;"> <b>Usages :: </b> </div> <div style="text-align: justify;"> To get started and send an extract of image.raw to OUTPUT, use this command: </div> <ul style="text-align: justify;"> <li><span style="font-family: "Courier New",Courier,monospace;">$ /usr/local/bin/bulk_extractor -o OUTPUT image.raw </span> </li> </ul> <div style="text-align: justify;"> <b>For more & Troubleshooting :: </b><a href="https://github.com/simsong/bulk_extractor" target="_blank">Click Here</a><br /> </div> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/wTBHM9DeLq4?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <div style="text-align: justify;"> </div> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Linux | Mac | Windows :: </b><a href="https://github.com/simsong/bulk_extractor/archive/master.zip" target="_blank">Bulk Extractor</a> (tarball)<b> | </b><a href="http://digitalcorpora.org/downloads/bulk_extractor/bulk_extractor-1.4.1-windowsinstaller.exe" target="_blank">Bulk Extractor</a> (.exe)<b> | </b><a href="http://digitalcorpora.org/downloads/bulk_extractor/bulk_extractor-1.4.4.tar.gz" target="_blank">Bulk Extractor</a> (.tar.gz)<b> </b></div> <div style="text-align: justify;"> <b>Official Website :: </b><a href="https://github.com/simsong/bulk_extractor">https://github.com/simsong/bulk_extractor</a></div>

Bulk Extractor (Computer Forensics) :: Tools

Bulk Extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information ...

Read more »

FS-NyarL (Pentesting and Forensics) :: Framework

<div class="separator" style="clear: both; text-align: center;"> <img alt="FS-NyarL Logo" border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyvqhfIV1vfEKDsDPoTq-IY5y6kdJuGAIfRzvtSPL90-6xtK2hDdppU1kPwgvztn_cudPZFcOqOalRYynOeDEflS5wufjqugLOyzJNrbZhqLjb34aHNnZuPJhRLZ_SInYW0BFppZeFQqDm/s1600/FS-NyarL+Logo.jpg" title="FS-NyarL Logo" width="248" /></div> <div style="text-align: justify;"> <b>NyarL</b> it's Nyarlathotep, a mitological chaotic deity of the writer HP. Lovecraft's cosmogony.  It's represent Crawling Chaos and <b>FS-NyarL</b> it's The <b>Crawling Chaos of Cyber Security</b>. A <a href="http://www.toolwar.com/search/label/Network" target="_blank">network</a> takeover & <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensic analysis tool</a> - useful to advanced PenTest tasks & for fun and profit - but use it at your own risk! </div> <ul style="text-align: justify;"> <li>Interactive Console</li> <li>Real Time Passwords Found</li> <li>Real Time Hosts Enumeration</li> <li>Tuned Injections & Client Side Attacks</li> <li>ARP Poisoning & SSL Hijacking</li> <li>Automated HTTP Report Generator</li> </ul> <div style="text-align: justify;"> <b>ATTACKS IMPLEMENTED:</b> </div> <ul style="text-align: justify;"> <li>MITM (Arp Poisoning)</li> <li>Sniffing (With & Without Arp Poisoning)</li> <li>SSL Hijacking (Full SSL/TLS Control)</li> <li>HTTP Session Hijaking (Take & Use Session Cookies)</li> <li>Client Browser Takeover (with Filter Injection in data stream)</li> <li>Browser AutoPwn (with Filter Injection in data steam)</li> <li>Evil Java Applet (with Filter Injection in data stream)</li> <li>DNS Spoofing</li> <li>Port Scanning</li> </ul> <table class="notableborder" style="margin-left: 0px; margin-right: 0px; text-align: left;"><tbody> <tr><td colspan="2"><b>POST ATTACKS DATA OBTAINED:</b><br /> <ul> <li>Passwords extracted from data stream</li> <li>Pcap file with whole data stream for deep analysis</li> <li>Session flows extracted from data stream (Xplico & Chaosreader)</li> <li>Files extracted from data stream</li> <li>Hosts enumeration (IP,MAC,OS)</li> <li>URLs extracted from data stream</li> <li>Cookies extracted from data stream</li> <li>Images extracted from data stream</li> <li>List of HTTP files downloaded extracted from URLs</li> </ul> </td> </tr> <tr><td><b>DEPENDENCIES (aka USED TOOLS):</b><br /> <ul> <li>Chaosreader (already in bin folder)</li> <li><a href="http://www.toolwar.com/2013/11/xplico-tools.html" target="_blank">Xplico</a></li> <li><a href="http://www.toolwar.com/2013/09/ettercap-076-tools.html" target="_blank">Ettercap</a></li> <li>Arpspoof</li> <li>Arp-scan</li> <li>Mitmproxy</li> <li><a href="http://www.toolwar.com/2014/02/nmap-and-zenmap-network-discovery-and.html" target="_blank">Nmap</a></li> <li><a href="http://www.toolwar.com/2013/09/tcpdump-is-network-sniffer-we-all-used.html" target="_blank">Tcpdump</a></li> <li><a href="http://www.toolwar.com/2013/09/beef-browser-exploitation-framework.html" target="_blank">Beef</a></li> </ul> </td> <td><ul> <li><a href="http://www.toolwar.com/2013/10/social-engineering-toolkit-set-tools.html" target="_blank">SET</a></li> <li><a href="http://www.toolwar.com/2013/09/metasploit-framework.html" target="_blank">Metasploit</a></li> <li><a href="http://www.toolwar.com/2013/09/dsniff-tools.html" target="_blank">Dsniff</a></li> <li><a href="http://www.toolwar.com/2013/10/technitium-mac-address-changer-v6-tools.html" target="_blank">Macchanger</a></li> <li>Hamster</li> <li>Ferret</li> <li><a href="http://www.toolwar.com/2013/10/p0f-tools.html" target="_blank">P0f</a></li> <li><a href="http://www.toolwar.com/2013/11/foremost-tools.html" target="_blank">Foremost</a></li> <li>SSLStrip</li> <li><a href="http://www.toolwar.com/2014/02/sslsplit-mitm-attack-against-ssltls.html" target="_blank">SSLSplit</a></li> </ul> </td></tr> </tbody></table> <br /> <table class="notableborder" style="margin-left: 0px; margin-right: 0px; text-align: left;"><tbody> <tr><td><h3> Tutorials ::</h3> <b>Screenshots ::  </b><a href="http://www.fulgursecurity.com/en/content/fs-nyarl" target="_blank">Click Here</a> <br /> <h3> Download ::</h3> <b>Linux ::</b> <a href="http://www.fulgursecurity.com/tools/fs-nyarl/FS-NyarL_v1.0-kali.tar.gz" target="_blank">FS-NyarL v1.0</a> (.tar.gz)<br /> <b>Official Website :: </b><a href="http://www.fulgursecurity.com/en/content/fs-nyarl">http://www.fulgursecurity.com/en/content/fs-nyarl</a></td></tr> </tbody></table>

FS-NyarL (Pentesting and Forensics) :: Framework

NyarL it's Nyarlathotep, a mitological chaotic deity of the writer HP. Lovecraft's cosmogony.  It's represent Crawling Chaos...

Read more »

Foremost (File Carving) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdkN2Ugs8yPIpW9bdhSCRtfTQisB-mmEgSeRyCTN_07YHLjIom3zkuOAPeUS8z8s7WHAT-qFoxrqYH6hrVHV9q-40PTsRzLLn9SMc0DbYBMNR944nbfhqU8fPWiPYTWV_PcywGGNhbEMS8/s1600/foremost+screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="foremost screenshot" border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdkN2Ugs8yPIpW9bdhSCRtfTQisB-mmEgSeRyCTN_07YHLjIom3zkuOAPeUS8z8s7WHAT-qFoxrqYH6hrVHV9q-40PTsRzLLn9SMc0DbYBMNR944nbfhqU8fPWiPYTWV_PcywGGNhbEMS8/s400/foremost+screenshot.jpg" title="foremost screenshot" width="400" /></a></div> <br /> <b>Foremost</b> is a <b><i>console program to recover files</i></b> based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. <b> Foremost</b> can work on image files, such as those generated by dd, Safeback, <a href="http://www.toolwar.com/2013/09/encase-forensics-v7-tools.html" target="_blank">Encase</a>, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use <a href="http://www.toolwar.com/search/label/CLI" target="_blank">command line</a> switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery. </div> <div style="text-align: justify;"> <br /> <h3> Tutorial ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/9AkY-IefI4Q?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3> </h3> </div> <h3 style="text-align: justify;"> Download :: </h3> <div style="text-align: justify;"> <b>Linux ::</b> <a href="http://foremost.sourceforge.net/pkg/foremost-1.5.7.tar.gz" target="_blank">Foremost 1.5.7 (.tar.gz)</a><br /> <b>Official Website :: </b><a href="http://foremost.sourceforge.net/" target="_blank">http://foremost.sourceforge.net/ </a></div>

Foremost (File Carving) :: Tools

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is common...

Read more »

SSLsplit (MITM Attack against SSL/TLS) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="sslsplit" border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiKnDa1SmFAz2I_uUyfY8OE-KawIYa9Rk7T3wbyfUM42-zCwgo1Hs18FThDil200FpKE2OdkcCO9Uvk0_lHGNieQuDLgJxQVuvj7VN0Yhxbtky5w-AyzRHrrqWZB4Qrf8q5dafKyblfRnO/s1600/SSLsplit.jpg" title="sslsplit" width="400" /></div> <div style="text-align: justify;"> <span style="font-family: inherit;"><b>SSLsplit</b> is a tool for <b><a href="http://www.toolwar.com/search/label/MITM" target="_blank">man-in-the-middle attacks</a> against SSL/TLS</b> encrypted <a href="http://www.toolwar.com/search/label/Network" target="_blank">network</a> connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. <b>SSLsplit</b> terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensics</a> and <a href="http://www.toolwar.com/search/label/Penetration" target="_blank">penetration testing</a>.</span></div> <br /> <div style="text-align: justify;"> <span style="font-family: inherit;"><b>SSLsplit </b>supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, based on the original server certificate subject DN and subjectAltName extension. <b>SSLsplit</b> fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. <b>SSLsplit </b>can also use existing certificates of which the private key is available, instead of generating forged ones. <b>SSLsplit</b> supports NULL-prefix CN certificates and can deny OCSP requests in a generic way. SSLsplit removes HPKP response headers in order to prevent public key pinning.</span></div> <h3 style="text-align: justify;"> Tutorials ::</h3> <div style="text-align: justify;"> <b>Installation ::</b></div> <div style="text-align: justify;"> SSLsplit is or will be available as a package or port on the following systems:</div> <ul style="text-align: justify;"> <li>OpenBSD: security/sslsplit</li> <li>Arch Linux AUR: sslsplit</li> <li>Fedora: sslsplit</li> <li>Kali: sslsplit</li> <li>Backtrack: sslsplit</li> </ul> <div style="text-align: justify;"> <b>To install from source:</b></div> <div style="text-align: justify;"> <pre><code class=" ruby">make make <span class="keymethods">test</span> <span class="comment"># optional unit tests</span> make install <span class="comment"># optional install</span> </code></pre> </div> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> <b>Usage ::</b></div> <div style="text-align: justify;"> <pre><code class=" sql">% sslsplit -h <span class="keyword">Usage</span>: sslsplit [options...] [proxyspecs...] -c pemfile use CA cert (<span class="keyword">and</span> <span class="keyword">key</span>) <span class="keyword">from</span> pemfile <span class="keyword">to</span> sign forged certs -k pemfile use CA <span class="keyword">key</span> (<span class="keyword">and</span> cert) <span class="keyword">from</span> pemfile <span class="keyword">to</span> sign forged certs -C pemfile use CA chain <span class="keyword">from</span> pemfile (intermediate <span class="keyword">and</span> root CA certs) -K pemfile use <span class="keyword">key</span> <span class="keyword">from</span> pemfile <span class="keyword">for</span> leaf certs (<span class="keyword">default</span>: generate) -t certdir use cert+chain+<span class="keyword">key</span> PEM files <span class="keyword">from</span> certdir <span class="keyword">to</span> target <span class="keyword">all</span> sites matching the common <span class="keyword">names</span> (non-matching: generate if CA) -O deny <span class="keyword">all</span> OCSP requests <span class="keyword">on</span> <span class="keyword">all</span> proxyspecs -P passthrough SSL connections if they cannot be split because <span class="keyword">of</span> client cert auth <span class="keyword">or</span> <span class="keyword">no</span> matching cert <span class="keyword">and</span> <span class="keyword">no</span> CA (<span class="keyword">default</span>: <span class="keyword">drop</span>) -g pemfile use DH <span class="keyword">group</span> params <span class="keyword">from</span> pemfile (<span class="keyword">default</span>: keyfiles <span class="keyword">or</span> auto) -G curve use ECDH named curve (<span class="keyword">default</span>: secp160r2 <span class="keyword">for</span> non-RSA leafkey) -Z disable SSL/TLS compression <span class="keyword">on</span> <span class="keyword">all</span> connections -s ciphers use the given OpenSSL cipher suite spec (<span class="keyword">default</span>: <span class="keyword">ALL</span>:-aNULL) -e engine specify <span class="keyword">default</span> NAT engine <span class="keyword">to</span> use (<span class="keyword">default</span>: ipfw) -E list available NAT engines <span class="keyword">and</span> exit -u <span class="keyword">user</span> <span class="keyword">drop</span> <span class="keyword">privileges</span> <span class="keyword">to</span> <span class="keyword">user</span> (<span class="keyword">default</span> if run <span class="keyword">as</span> root: nobody) -j jaildir chroot() <span class="keyword">to</span> jaildir (<span class="keyword">default</span> if run <span class="keyword">as</span> root: /var/empty) -p pidfile <span class="keyword">write</span> pid <span class="keyword">to</span> pidfile (<span class="keyword">default</span>: <span class="keyword">no</span> pid file) -l logfile <span class="keyword">connect</span> log: log one line summary per <span class="keyword">connection</span> <span class="keyword">to</span> logfile -L logfile content log: <span class="keyword">full</span> data <span class="keyword">to</span> file <span class="keyword">or</span> named pipe (excludes -S) -S logdir content log: <span class="keyword">full</span> data <span class="keyword">to</span> separate files <span class="keyword">in</span> dir (excludes -L) -d daemon mode: run <span class="keyword">in</span> background, log error messages <span class="keyword">to</span> syslog -D debug mode: run <span class="keyword">in</span> foreground, log debug messages <span class="keyword">on</span> stderr -V print version information <span class="keyword">and</span> exit -h print <span class="keyword">usage</span> information <span class="keyword">and</span> exit proxyspec = type listenaddr+port [natengine|targetaddr+port|<span class="string">"sni"</span>+port] e.g. http <span class="number">0.0</span>.<span class="number">0.0</span> <span class="number">8080</span> www.roe.ch <span class="number">80</span> # http/<span class="number">4</span>; static hostname dst https ::<span class="number">1</span> <span class="number">8443</span> <span class="number">2001</span>:db8::<span class="number">1</span> <span class="number">443</span> # https/<span class="number">6</span>; static address dst https <span class="number">127.0</span>.<span class="number">0.1</span> <span class="number">9443</span> sni <span class="number">443</span> # https/<span class="number">4</span>; SNI DNS lookups tcp <span class="number">127.0</span>.<span class="number">0.1</span> <span class="number">10025</span> # tcp/<span class="number">4</span>; <span class="keyword">default</span> NAT engine ssl <span class="number">2001</span>:db8::<span class="number">2</span> <span class="number">9999</span> pf # ssl/<span class="number">6</span>; NAT engine <span class="string">'pf'</span> Example: sslsplit -k ca.<span class="keyword">key</span> -c ca.pem -P https <span class="number">127.0</span>.<span class="number">0.1</span> <span class="number">8443</span> https ::<span class="number">1</span> <span class="number">8443</span></code></pre> </div> <div style="text-align: justify;"> <code class=" sql"><span style="font-family: "Courier New",Courier,monospace;"><b><span style="font-weight: normal;"><span class="number"><br /></span></span></b></span> </code></div> <div style="text-align: justify;"> <br /></div> <h3 style="text-align: justify;"> Requirements ::</h3> <div style="text-align: justify;"> SSLsplit depends on the OpenSSL and libevent 2.x libraries. The build depends on GNU make and a POSIX.2 environment in <code>PATH</code>. The (optional) unit tests depend on the check library.</div> <div style="text-align: justify;"> SSLsplit currently supports the following operating systems and NAT engines:</div> <ul style="text-align: justify;"> <li>FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr</li> <li>OpenBSD: pf rdr-to and divert-to</li> <li>Linux: netfilter REDIRECT and TPROXY</li> <li>Mac OS X: ipfw fwd and pf rdr (experimental)</li> </ul> <h3> Download ::</h3> <b>Linux :: </b><a href="http://mirror.roe.ch/rel/sslsplit/sslsplit-0.4.8.tar.bz2" target="_blank">SSLsplit v0.4.8</a> (.tar.bz2)<b><br /></b><br /> <b>Official Website ::</b> <a href="http://www.roe.ch/SSLsplit">http://www.roe.ch/SSLsplit</a><br /><code class=" ruby"><span class="comment"></span> </code>

SSLsplit (MITM Attack against SSL/TLS) :: Tools

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently interc...

Read more »

Autopsy (Digital Investigation Analysis) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="Autopsy logo" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjf21td83eNESL_QTE9NjV-ZSQnqexy4JbWFatUW-4KkqydKjwnSYKqQmPFBy6cnZG7rQZEG7X211P1v_klRTAzd3_Ee5pDqpYn3sfpupP4ff-ao6WwTUaeq8fqKi0PgJQiwb-loD4CvqrI/s1600/autopsy+logo.jpg" title="Autopsy logo" width="200" /></div> <div style="text-align: justify;"> <b>Autopsy</b> is a graphical interface to the <a href="http://www.toolwar.com/search/label/CLI" target="_blank"><i>command line</i></a> <b>digital investigation analysis tools</b> in <a href="http://www.toolwar.com/2014/01/the-sleuth-kit-tsk-forensics-framework.html" target="_blank"> The Sleuth Kit</a>. Together, they can analyze <i>Windows and UNIX</i> disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).</div> <div style="text-align: justify;"> <b>The Sleuth Kit </b>and <b>Autopsy</b> are both Open Source and run on UNIX platforms (you can use Cygwin to run them both on <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a>). As <b>Autopsy</b> is HTML-based, you can connect to the <b>Autopsy</b> server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.</div> <h3 style="text-align: justify;"> <span style="font-size: small;">Analysis Modes</span></h3> <ul style="text-align: justify;"> <li>A <b>dead analysis</b> occurs when a dedicated <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a> system is used to examine the data from a suspect system. In this case, <b>Autopsy</b> and The Sleuth Kit are run in a trusted environment, typically in a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats. </li> <li>A <b>live analysis</b> occurs when the suspect <a href="http://www.toolwar.com/search/label/System" target="_blank">system</a> is being analyzed while it is running. In this case, <b>Autopsy</b> and The Sleuth Kit are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed. </li> </ul> <h3 style="text-align: justify;"> Evidence Search Techniques</h3> <ul style="text-align: justify;"> <li><b>File Listing</b>: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.</li> <li><b>File Content</b>: The contents of files can be viewed in raw, hex, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages.</li> <li><b>Hash Databases</b>: Lookup unknown files in a <a href="http://www.toolwar.com/search/label/Hash" target="_blank">hash</a> database to quickly identify it as good or bad. Autopsy uses the NIST <i>National Software Reference Library (NSRL)</i> and user created databases of known good and known bad files </li> <li><b>File Type Sorting</b>: Sort the files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file will also be compared to the file type to identify files that may have had their extension changed to hide them.</li> <li><b>Timeline of File Activity</b>: In some cases, having a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files.</li> <li><b>Keyword Search</b>: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching. </li> <li><b>Meta Data Analysis</b>: Meta Data structures contain the details about files and directories. Autopsy allows you to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.</li> <li><b>Data Unit Analysis</b>: Data Units are where the file content is stored. Autopsy allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings. The file type is also given and Autopsy will search the meta data structures to identify which has allocated the data unit. </li> <li><b>Image Details</b>: File system details can be viewed, including on-disk layout and times of activity. This mode provides information that is useful during data recovery. </li> </ul> <h3 style="text-align: justify;"> Case Management</h3> <ul style="text-align: justify;"> <li><b>Case Management</b>: Investigations are organized by <i>cases</i>, which can contain one or more <i>hosts</i>. Each host is configured to have its own time zone setting and clock skew so that the times shown are the same as the original user would have seen. Each host can contain one or more file system images to analyze. </li> <li><b>Event Sequencer</b>: Time-based events can be added from file activity or IDS and firewall logs. Autopsy sorts the events so that the sequence of incident events can be more easily determined. </li> <li><b>Notes</b>: Notes can be saved on a per-host and per-investigator basis. These allow you to make quick notes about files and structures. The original location can be easily recalled with the click of a button when the notes are later reviewed. All notes are stored in an ASCII file. </li> <li><b>Image Integrity</b>: It is crucial to ensure that files are not modified during analysis. Autopsy, by default, will generate an MD5 value for all files that are imported or created. The integrity of any file that Autopsy uses can be validated at any time. </li> <li><b>Reports</b>: Autopsy can create ASCII reports for files and other file system structures. This enables you to quickly make consistent data sheets during the investigation.</li> <li><b>Logging</b>: Audit logs are created on a case, host, and investigator level so that actions can be easily recalled. The exact Sleuth Kit commands that are executed are also logged.</li> <li><b>Open Design</b>: The code of Autopsy is open source and all files that it uses are in a raw format. All configuration files are in ASCII text and cases are organized by directories. This makes it easy to export the data and archive it. It also does not restrict you from using other tools that may solve the specific problem more appropriately.</li> <li><b>Client Server Model</b>: Autopsy is HTML-based and therefore you do not have to be on the same system as the file system images. This allows multiple investigators to use the same server and connect from their personal systems.</li> </ul> <div style="text-align: justify;"> <b>Autopsy</b> is written in <a href="http://www.toolwar.com/2013/09/perl-language.html" target="_blank">Perl</a> and runs on the same UNIX platforms as <a href="http://www.toolwar.com/2014/01/the-sleuth-kit-tsk-forensics-framework.html" target="_blank">The Sleuth Kit</a>:</div> <ul style="text-align: justify;"> <li><a href="http://www.toolwar.com/search/label/Linux" target="_blank">Linux</a></li> <li><a href="http://www.toolwar.com/search/label/Mac" target="_blank">Mac OS X</a></li> <li>Open & FreeBSD</li> <li>Solaris</li> <li>Cygwin (you cannot use the win32 executables that can be downloaded from this site, you must build in Cygwin) </li> </ul> <h3> Tutorial ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/RUgmkvt2WNg?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3>  </h3> <h3> Download ::</h3> <b>Windows :: </b><a href="http://sourceforge.net/projects/autopsy/files/autopsy/3.0.8/autopsy-3.0.8-32bit.msi/download" target="_blank">Autopsy 3.0.8x32</a> (.msi) | <a href="http://sourceforge.net/projects/autopsy/files/autopsy/3.0.8/autopsy-3.0.8-64bit.msi/download" target="_blank">Autopsy 3.0.8x64</a> (.msi)<br /> <b>Linux :: </b><a href="http://sourceforge.net/projects/autopsy/files/autopsy/2.24/autopsy-2.24.tar.gz/download" target="_blank">Autopsy 2.08</a> (.tar.gz)<br /> <b>Official Website :: </b><a href="http://www.sleuthkit.org/autopsy/index.php" target="_blank">http://www.sleuthkit.org/autopsy/index.php </a>

Autopsy (Digital Investigation Analysis) :: Tools

Autopsy is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit . Together, they can anal...

Read more »

Oryon C Portable (Intelligence Investigations) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <img alt="Oryon C Portable Logo" border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9kco19KpeXKaOauklNcyR7Mqb7aJToI227Jp6oVRMqzmUOFIlCx9AYR3LMlp8AGhOmyEa0UPcI5NByrn9hNG9fuAw57vrtUBXHIMsrLXi-W0kkuu8ZML7Dl0gTJV-ElkjIiF733Q5Kh1k/s1600/Oryon+c+Prortable.png" title="Oryon C Portable Logo" width="400" /></div> <b>Oryon C Portable</b> is a <a href="http://www.toolwar.com/search/label/Browser" target="_blank"><b>web browser</b></a> designed to <i>assist researchers</i> in conducting <b>Open Source Intelligence investigations</b>. <b>Oryon</b> comes with dozens of pre-installed <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tools</a> and a select set of links cataloged by category – including those that can be found in the OI Shared Resources.<br /> <br /> <b>Specification ::</b><br /> <br /> - Based on SRWare Iron version 31.0.1700.0 (Chromium)<br /> - More than 70 pre-installed tools to support investigators in their everyday work<br /> - More than 600 links to specialized sources of information and online investigative tools<br /> - Additional privacy protection features<br /> - A ready to use opml file containing a sorted collection of information sources in the fields such as: OSINT, Intelligence, InfoSec, defense, and more.<br /> <br /> <b>Version Info ::</b><br /> 0.1 Initial release<br /> <br /> <b>Type ::</b><br /> Portable. No need to install, you can start using straightaway in your desktop, pendrive, etc.<br /> <br /> <b>Platform ::</b><br /> <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> : XP, Vista, 7 x32 & x64<br /> <br /> <b>License ::</b><br /> Various Open Source Licenses</div> <div style="text-align: justify;"> <br /></div> <h3 style="text-align: justify;"> Tutorials ::</h3> <div style="text-align: justify;"> <b>Documentation ::</b> <a href="http://osintinsight.com/Documentation.pdf" target="_blank">Click Here</a></div> <div style="text-align: justify;"> <br /></div> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Windows :: </b><a href="http://sourceforge.net/projects/oryon/files/latest/download" target="_blank">Oryon C Portable-v0.1</a><b> (.exe)</b></div> <div style="text-align: justify;"> <b>Official Website :: </b><a href="http://osintinsight.com/oryon.php">http://osintinsight.com/oryon.php</a></div> <div style="text-align: justify;"> <b>Submitted By ::</b> OSINTINSIGHT</div>

Oryon C Portable (Intelligence Investigations) :: Tools

Oryon C Portable is a web browser designed to assist researchers in conducting Open Source Intelligence investigations . Oryon comes...

Read more »

TCPXtract (Network Traffic Extracting) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <img alt="tcpxtract" border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAqmL04htFo4cwsqJf60ruYKJbVcXmUbnsVr1NDB1wzSsk8wfB8iamSOsfzWyNH0v1iebn8mHNvwO-8axc4WJdJLZmoXI_3x0tQUpTiPg4Prr5CYbJTMM3xExj4w9FAXAXPlvmmPMw3Wm6/s1600/tcpxtract.jpg" title="tcpxtract" width="400" /></div> <b>tcpxtract</b> is a tool for <b>extracting files from network traffic</b> based on file signatures. Extracting files based on file type headers and footers (sometimes called <i>"carving"</i>) is an age old data <a href="http://www.toolwar.com/search/label/Recovery" target="_blank">recovery</a> technique. Tools like <a href="http://www.toolwar.com/2013/11/foremost-tools.html" target="_blank">Foremost</a> employ this technique to recover files from arbitrary data streams. <b>Tcpxtract</b> uses this technique specifically for the application of intercepting files transmitted across a <a href="http://www.toolwar.com/search/label/Network" target="_blank">network</a>. Other <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tools</a> that fill a similar need are driftnet and EtherPEG. driftnet and <b>EtherPEG</b> are tools for <a href="http://www.toolwar.com/search/label/Monitoring" target="_blank">monitoring</a> and extracting graphic files on a network and is commonly used by network administrators to police the internet activity of their users. The major limitations of driftnet and EtherPEG is that they only support three filetypes with no easy way of adding more. The search technique they use is also not scalable and does not search across <a href="http://www.toolwar.com/search/label/Packet" target="_blank">packet</a> boundries. <b>tcpxtract</b> features the following:<br /> <ul> <li>Supports 26 popular file formats out-of-the-box. New formats can be added by simply editing its config file.</li> <li>With a quick conversion, you can use your old Foremost config file with tcpxtract.</li> <li>Custom written search algorithm is lightning fast and very scalable.</li> <li>Search algorithm searches across packet boundries for total coverage and forensic quality.</li> <li>Uses libpcap, a popular, portable and stable library for network data capture.</li> <li>Can be used against a live network or a tcpdump formatted capture file. </li> </ul> <br /> <h3> Tutorial ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/uLQokDjcivU?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <br /> <h3> Download :: </h3> <b>Linux :: </b><a href="http://prdownloads.sourceforge.net/tcpxtract/tcpxtract-1.0.1.tar.gz?download" target="_blank">tcpxtract v1.01</a> (.tar.gz)<b> </b><br /> <b>Official Website ::</b> <a href="http://tcpxtract.sourceforge.net/">http://tcpxtract.sourceforge.net/</a></div>

TCPXtract (Network Traffic Extracting) :: Tools

tcpxtract is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and...

Read more »

Revealer Toolkit (Forensics) :: Framework

<div class="separator" style="clear: both; text-align: center;"> <img alt="Computer Forensics" border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8e3p7c82cxcOtvuuFyaZfuwteN-5PuOGb4hjr_eqQM0XsdOx3B6JtMf0p2-3aV7hm2q1UkbKhCdPSeBde9jJsffYi7TsG-AJJ7pmNgOPo-OkvXlubRiq52JKd9tI0FQb1R6NnbPKhXF-V/s400/computer-forensics.jpg" title="Computer Forensics" width="400" /></div> <div style="text-align: justify;"> <strong>Revealer Toolkit</strong> is a <a href="http://www.toolwar.com/search/label/Frameworks" target="_blank">framework</a> and simple scripts for <b>computer forensics</b>. It uses Brian Carrier's <a href="http://www.toolwar.com/2014/01/the-sleuth-kit-tsk-forensics-framework.html" target="_blank">The Sleuth Kit</a> as the backbone, as well as other <a href="http://www.toolwar.com/search/label/Free" target="_blank">free tools</a>. </div> <div style="text-align: justify;"> The aim of the <b> Revealer Toolkit</b> is to automate rutinary tasks and to manage sources and results from another perspective than the usual forensic frameworks. It will be specially useful in cases with several computers and digitals forensic sources. </div> <div style="text-align: justify;"> RVT is developed and actively tested by computer <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensic</a> investigators working at EVIDENTIA and INCIDE, spanish companies sited at the beautiful city of Barcelona.</div> <h3 style="text-align: justify;"> Introduction to version 0.2.1</h3> <div style="text-align: justify;"> The current state of the project can be described as a <i>proof of concept</i>, that is, RVT version 0.2 proofs that the objectives we are looking for are reachable, but further work is necessary in order to have a stable version. </div> <div style="text-align: justify;"> Therefore, RVT v0.2 can be used to automate computer forensic tasks on a group of several digital forensic images, but the code is still buggy, some tasks have to be run manually, and the interface has to be improved.</div> <h3 style="text-align: justify;"> Tutorials ::</h3> <div style="text-align: justify;"> <b>Wiki :: </b><a href="http://code.google.com/p/revealertoolkit/w/list" target="_blank">Click Here </a><b><br /></b></div> <div style="text-align: justify;"> <b>Revealer User Guide ::</b> <a href="http://revealertoolkit.googlecode.com/files/RVT-userGuide.pdf" target="_blank">Click Here</a> (.pdf)</div> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Windows ::</b> <a href="http://revealertoolkit.googlecode.com/files/RVT_v0.2.1.zip" target="_blank">Revealer Toolkit 0.2.1 </a></div> <div style="text-align: justify;"> <b>Source Website ::</b> <a href="http://code.google.com/p/revealertoolkit/" target="_blank">http://code.google.com/p/revealertoolkit/</a></div>

Revealer Toolkit (Forensics) :: Framework

Revealer Toolkit is a framework and simple scripts for computer forensics . It uses Brian Carrier's The Sleuth Kit as the backbo...

Read more »

iPhone Analyzer :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <img alt="iphone analysis" border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyVrxfsAbT1zhDHt5nIp-4u2AZSwoZbbGPfy91RQmjyHX4TU-0qcH4M5fHpd1PuEVma0RI6zVJLki1tJcwrYoHZ3x9BTvqnrE-LvuJsFDLDqOG_K8IX0B0eufoAkJj5cB1qEqlO8f79Kjw/s1600/iphone+analysis.jpg" title="iphone analysis" width="400" /></div> </div> <div style="text-align: justify;"> <b>iPhone Analzyer</b> allows you to <i>forensically examine or recover date from in iOS device</i>. It principally works by <i>importing backups</i> produced by iTunes or third party software, and providing you with a rich interface to explore, <i><a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analyse</a> and recover data</i> in human readable formats. Because it works from the backup files everything is <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensically</a> safe, and no changes are made to the original data.</div> <h3 style="text-align: justify;"> <span style="font-size: small;">Features ::</span></h3> <ul style="text-align: justify;"> <li>Supports iOS 2, iOS 3, iOS 4 and iOS 5 devices</li> <li>Multi-platform (<a href="http://www.toolwar.com/search/label/Java" target="_blank">Java</a> based) product, supported on <a href="http://www.toolwar.com/search/label/Linux" target="_blank">Linux</a>, <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> and <a href="http://www.toolwar.com/search/label/Mac" target="_blank">Mac</a></li> <li>Fast, powerful search across device including regular expressions</li> <li>Integrated mapping supports visualisation of geo-tagged information, including google maps searches, photos, and cell-sites and <a href="http://www.toolwar.com/search/label/WiFi" target="_blank">wifi</a> locations observed by the device (the infamous "locationd" data)</li> <li>Integrated support for text messages, voicemail, address book entries, photos (including metadata), call records and many many others</li> <li>Recovery of "deleted" sqlite records (records that have been tagged as deleted, but have not yet been purged by the device can often be recovered),/li> </li> <li>Integrated visualisation of plist and sqlite files</li> <li>Includes support for off-line mapping, supporting mapping on computers not connected to the Internet</li> <li>Support for KML export and direct export to Google Earth</li> <li>Browse the device file structure, navigate directly to key files or explore the device using concepts such as "who", "when", "what" and "where".</li> <li>Analyse jail broken device directly over SSH without need for backup (experimental)</li> <li class="feature">iPhone Backup Browsing</li> <li class="feature">Native file viewing (plist, sqlite, etc)</li> <li class="feature">Searching including regular expressions</li> <li class="feature">ssh access for <a href="http://www.toolwar.com/search/label/Jailbreak" target="_blank">jailbroken</a> phones (beta)</li> <li class="feature">Reports</li> <li class="feature">Restore files</li> <li class="feature">Recover backups</li> <li class="feature">View all iPhone photos</li> <li class="feature">examine address book, sms and loads of others</li> <li class="feature">find and recover passwords</li> <li class="feature">Export files to local filesytem </li> <li class="feature"><a href="http://www.toolwar.com/search/label/Online" target="_blank">Online</a> and offline mapping</li> <li class="feature">Geo track where a device has been</li> <li class="feature">IOS5 and earlier versions supported</li> <li class="feature">IOS6 is only partially supported (several known problems) </li> </ul> <h3 style="text-align: justify;"> Tutorials ::</h3> <div style="text-align: justify;"> <b>User Manual (PDF) ::</b><a href="http://www.crypticbit.com/files/ipa_user_guide.pdf" target="_blank"> Click Here </a></div> <h3 style="text-align: justify;"> Download ::  </h3> <div style="text-align: justify;"> <b>JAR :: </b><a href="http://sourceforge.net/projects/iphoneanalyzer/files/latest/download" target="_blank">iPhone Analyzer (.jar)</a></div> <div style="text-align: justify;"> <b>Official Website ::</b> <a href="http://www.crypticbit.com/zen/products/iphoneanalyzer">http://www.crypticbit.com/zen/products/iphoneanalyzer</a></div>

iPhone Analyzer :: Tools

iPhone Analzyer allows you to forensically examine or recover date from in iOS device . It principally works by importing backups pr...

Read more »

RegistryDecoder (Windows Registry Forensics) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="registrydecoder icon" border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMIhBRUMLX-a4LG7hoynF82A7nZ5ngAu4onGUOBohjYbLn-IK4dmej-52Gm9WbEUW3G_GW8-L8FWNEUG7vINlaxS0WNP8AiLqL_PFc5P8OfHcpf-3A5H4yMIdRnaZIx6-GlK3wDOKDOHhm/s1600/registrydecoder.png" title="registrydecoder icon" width="400" /></div> <span itemprop="description" style="font-size: small;"><b>RegistryDecoder</b> is a automated <i>Acquisition, Analysis, and Reporting of Registry</i> Contents</span><span style="font-size: small;">. <b>Registry Decoder</b> provides a single tool in which to perform <i>browsing, searching, <a href="http://www.toolwar.com/search/label/Analysis" target="_blank">analysis</a>, and reporting of <a href="http://www.toolwar.com/search/label/Registry" target="_blank">registry</a> hive</i> contents. All functionality is exposed through an intuitive <a href="http://www.toolwar.com/search/label/GUI" target="_blank">GUI</a> interface and accommodates even novice investigators. <b>Registry Decoder</b> also acts as a great resource for new research and experimenting within the registry.</span><br /> <div style="text-align: justify;"> <span style="font-size: small;"><b>Digital <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensics</a></b> deals with the analysis of artifacts on all types of digital devices. One of the most prevalent analysis techniques performed is that of the registry hives contained in Microsoft <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> operating systems. <b> Registry Decoder</b> was developed with the purpose of providing a single <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tool</a> for the acquisition, analysis, and reporting of registry contents.</span></div> <div class="MsoNormal" style="text-align: justify;"> <span style="font-family: "Times New Roman","serif"; font-size: small; line-height: 115%;"><b>Registry Decoder</b> consists of two components, the first of which is a tool for <a href="http://www.toolwar.com/search/label/Online" target="_blank">online</a> acquisition of registry files from a running machine. To safely acquire files from a running machine, we ‘freeze’ a copy of the current registry files using the System Restore Facility. This places the files into a read-only location and ensures that the operating system will not have the files opened (which would prevent them from being copied to external storage).</span></div> <div class="MsoNormal" style="text-align: justify;"> <span style="font-family: "Times New Roman","serif"; font-size: small; line-height: 115%;">Beyond the current set of registry files, the acquisition component can also acquire historical files from the running system. These historical files are acquired from XP machines through the <a href="http://www.toolwar.com/search/label/System" target="_blank">System </a>Restore Point facility and through the Volume Shadow Service on Vista and Windows 7 machines.</span></div> <div style="text-align: justify;"> <span style="font-size: small;"><br /></span></div> <div class="MsoNormal" style="text-align: justify;"> <span style="font-family: "Times New Roman","serif"; font-size: small; line-height: 115%;">The analysis section of the offline component contains a number of powerful features. The first feature is Search, which allows for powerful searching across <a href="http://www.toolwar.com/search/label/Registry" target="_blank">registry</a> hives. The searching abilities include:</span></div> <div class="MsoNormal" style="text-align: justify;"> <br /></div> <ul style="text-align: justify;"> <li><span style="font-family: Symbol; font-size: 12pt; line-height: 115%;"><span style="font: 7pt "Times New Roman";"> </span></span><span style="font-family: "Times New Roman","serif"; font-size: 12pt; line-height: 115%;">Filtering by hive keys, name, and data</span></li> <li><span style="font-family: Symbol; font-size: 12pt; line-height: 115%;"><span style="font: 7pt "Times New Roman";"> </span></span><span style="font-family: "Times New Roman","serif"; font-size: 12pt; line-height: 115%;">Filtering by the last write time of keys</span></li> <li><span style="font-family: Symbol; font-size: 12pt; line-height: 115%;"><span style="font: 7pt "Times New Roman";"> </span></span><span style="font-family: "Times New Roman","serif"; font-size: 12pt; line-height: 115%;">Searching individual terms or with a newline delimited search term file</span></li> <li><span style="font-family: Symbol; font-size: 12pt; line-height: 115%;"><span style="font: 7pt "Times New Roman";"> </span></span><span style="font-family: "Times New Roman","serif"; font-size: 12pt; line-height: 115%;">Exact or wildcard based search</span><span style="font-family: Symbol; font-size: 12pt; line-height: 115%;"><span style="font: 7pt "Times New Roman";"> </span></span></li> <li><span style="font-family: Symbol; font-size: 12pt; line-height: 115%;"><span style="font: 7pt "Times New Roman";"> </span></span><span style="font-family: "Times New Roman","serif"; font-size: 12pt; line-height: 115%;">Viewing of search results</span></li> <li><span style="font-family: Symbol; font-size: 12pt; line-height: 115%;"><span style="font: 7pt "Times New Roman";"> </span></span><span style="font-family: "Times New Roman","serif"; font-size: 12pt; line-height: 115%;">Automated reporting of search contents to HTML, PDF, or XLS</span></li> </ul> <br /> <h3> Tutorials ::</h3> <b>Text Tutorial (PDF) :: </b><a href="http://registrydecoder.googlecode.com/files/RegistryDecoder-Offline-Analysis-Instructions-v1.1.pdf" target="_blank">Click Here </a><br /> <b>FAQ ::</b> <a href="http://code.google.com/p/registrydecoder/wiki/FAQ" target="_blank">Click Here </a><br /> <br /> <h3> Download ::</h3> <b>Windows :: </b><a href="http://registrydecoder.googlecode.com/files/regedcoderR103.zip" target="_blank">RegistryDecoder (.zip)</a><b><br /></b><br /> <b>Official Website :: </b><a href="http://www.registrydecoder.com/">http://www.registrydecoder.com/</a><b><br /></b>

RegistryDecoder (Windows Registry Forensics) :: Tools

RegistryDecoder is a automated Acquisition, Analysis, and Reporting of Registry Contents . Registry Decoder provides a single tool in w...

Read more »

DumpIt (Memory Dumper) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl1bY2gWBxFbDW6zcu5qqN5pd8LX2USAWKhJjUlLmtBS1KoN1FMMaR3s8W1oHCYpWEuPHEbHidQAWflYj5GdkPp4Q-pEW29n_qEHr12TYWvtkt0W84JFga96n0xFyymp6wnhs0Bt6O4A0a/s1600/System-Memory-icon.png" style="margin-left: 1em; margin-right: 1em;"><img alt="dumpit icon" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl1bY2gWBxFbDW6zcu5qqN5pd8LX2USAWKhJjUlLmtBS1KoN1FMMaR3s8W1oHCYpWEuPHEbHidQAWflYj5GdkPp4Q-pEW29n_qEHr12TYWvtkt0W84JFga96n0xFyymp6wnhs0Bt6O4A0a/s1600/System-Memory-icon.png" title="dumpit icon" /></a></div> <br /> <b>DumpIt</b> is a fusion of two trusted <a href="http://www.toolwar.com/search/label/Tools" target="_blank">tools</a>, win32dd and win64dd, combined into one one executable. <b>DumpIt</b> is designed to be provided to a non-technical user using a removable USB drive. The person needs to simply double-click the <b>DumpIt</b> executable and allow the tool to run. <b> DumpIt</b> will then take the snapshot of the host’s physical <a href="http://www.toolwar.com/search/label/Memory" target="_blank">memory</a> and save it to the folder where the <b>DumpIt</b> executable was located.</div> <div style="text-align: justify;"> Memory <a href="http://www.toolwar.com/search/label/Forensics" target="_blank">forensics</a> is becoming an essential aspect of digital forensics and incident response. When a system is believed to have been compromised or infected, the investigator needs a convenient way to take a memory snapshot of the host. <b>DumpIt</b>, a new tool from <b>MoonSols</b>, makes this very easy, even if the person in front of the affected computer isn’t technical.</div> <div style="text-align: justify;"> The user can then provide the investigator with the USB key, which will contain the memory snapshot file. The administrator can use free memory forensics tools such as The <a href="http://www.toolwar.com/2013/09/volatility-framework.html" target="_blank">Volatility Framework,</a> Mandiant Redline and HB Gary Responder Community Edition to examine the memory file’s contents for malicious artifacts.</div> <div style="text-align: justify;"> <b>DumpIt</b> provides an easy way of obtaining a memory image of a <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows</a> system even if the investigator is not physically sitting in front of the target computer. It’s so easy to use, even a naive user can do it. It’s not appropriate for all scenarios, but it will definitely make memory acquisition easier in many situations.</div> <div style="text-align: justify;"> <br /></div> <h3 style="text-align: justify;"> Tutorials :: </h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/SEs4ZAolED0?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3 style="text-align: justify;">  </h3> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Windows ::  </b><a href="https://github.com/thimbleweed/All-In-USB/blob/master/utilities/DumpIt/DumpIt.exe?raw=true" target="_blank">DumpIt.exe</a><br /> <b>Official Website :: </b><a href="http://www.moonsols.com" rel="nofollow" target="_blank">http://www.moonsols.com/</a></div> <div style="text-align: justify;"> </div>

DumpIt (Memory Dumper) :: Tools

DumpIt is a fusion of two trusted tools , win32dd and win64dd, combined into one one executable. DumpIt is designed to be provided to...

Read more »

LSASecretsDump :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrymio5IP8dgRUToTlGLTxYxjBYQI-x19I5HJdDb0URU10aoaS0EX1wObj_kEZnQmsGjN5hEwOw3N94v7Ure1ZdMMizpkKpaw_7VT58x1O1ekM3-6bWgggqQSrIGGD3kUNOV8FKY5EpWXz/s1600/lsasecretsview.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="LSAsecretsdump screenshot" border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrymio5IP8dgRUToTlGLTxYxjBYQI-x19I5HJdDb0URU10aoaS0EX1wObj_kEZnQmsGjN5hEwOw3N94v7Ure1ZdMMizpkKpaw_7VT58x1O1ekM3-6bWgggqQSrIGGD3kUNOV8FKY5EpWXz/s400/lsasecretsview.gif" title="LSAsecretsdump screenshot" width="400" /></a></div> <div style="text-align: justify;"> <b>LSASecretsDump </b>is a small <i>console application</i> that <i>extract the LSA secrets from the Registry, </i> decrypt them, and dump them into the console window. <br /> The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain your RAS/VPN passwords, Autologon password, and other system passwords/keys. </div> <h3 class="utilsubject" style="text-align: justify;"> Using LSASecretsDump</h3> <div style="text-align: justify;"> <b>LSASecretsDump</b> is a console application, so in order the view the output, you have to run it in console (Command-Prompt) window. <br /> As with any console application, you dump the output into a file, for example: <br /> LSASecretsDump.exe > c:\temp\lsa.txt </div> <h3 class="utilsubject" style="text-align: justify;"> System Requirement</h3> <div style="text-align: justify;"> This utility works on Windows 2000/XP/2003/2008/Vista/7. Windows 98/ME is not supported. </div> <h3 style="text-align: justify;"> Download :: </h3> <div style="text-align: justify;"> <b>Windows :: </b><a href="http://www.nirsoft.net/utils/lsasecretsdump.zip" target="_blank">LSASecretsDump 1.21</a></div> <div style="text-align: justify;"> <b>Official Website ::</b> <a href="http://www.nirsoft.net/utils/lsa_secrets_dump.html" target="_blank">http://www.nirsoft.net/utils/lsa_secrets_dump.html</a></div>

LSASecretsDump :: Tools

LSASecretsDump is a small console application that extract the LSA secrets from the Registry, decrypt them, and dump them into the cons...

Read more »

Skype Log Viewer :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAflgbadf6ct9bAFvVqWdD_92MW4Nah8u2BN1NGhc5Z19vDLaQonrxXaZ3nksPZJsBtTnT7OJ3omSnkBRTVG3SLqnVSvhAGNqzbZDjqBaDnTnmZBsRqUEFlcbCATZ4k1iRpenoDpRy7QF5/s1600/skypelogview.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Skype Log Viewer screenshot" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAflgbadf6ct9bAFvVqWdD_92MW4Nah8u2BN1NGhc5Z19vDLaQonrxXaZ3nksPZJsBtTnT7OJ3omSnkBRTVG3SLqnVSvhAGNqzbZDjqBaDnTnmZBsRqUEFlcbCATZ4k1iRpenoDpRy7QF5/s1600/skypelogview.gif" title="Skype Log Viewer screenshot" /></a></div> <div style="text-align: justify;"> <b>SkypeLogView</b> reads the log files created by <b>Skype</b> application, and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account. You can select one or more items from the logs list, and then copy them to the clipboard, or export them into text/html/csv/xml file. </div> <div style="text-align: justify;"> </div> <h4 class="utilsubject" style="text-align: justify;"> System Requirements</h4> <div style="text-align: justify;"> This utility works on any version of <a href="http://www.toolwar.com/search/label/Windows" target="_blank">Windows </a>starting from Windows 2000 and up to Windows 2008. You don't have to install Skype in order to use this utility. You only need the original log files created by skype, even if they are on an external drive. </div> <div style="text-align: justify;"> <h3> Download :: </h3> </div> <div style="text-align: justify;"> <b>Windows :: </b> <a href="http://www.nirsoft.net/utils/skypelogview.zip" target="_blank">Skype Log Viewer </a></div>

Skype Log Viewer :: Tools

SkypeLogView reads the log files created by Skype application, and displays the details of incoming/outgoing calls, chat messages, and...

Read more »

RadioGraPhy (Windows Forensics):: Tools

<h1 style="text-align: justify;"> </h1> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGdfL6aAjuUZfL4cv2ishXKH3b7wm0sBeE4Mv263XGux7kLLjdPx__2bfEER6EfwdbeuHKidz9M_nQnouYZOdT9g4CP8dg9gYZnPyIeR22fWyzdCN8nK9OJwlrCztFqYhjnDtG_ChHcUGu/s1600/radiography+screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="RadioGraPhy Screenshot" border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGdfL6aAjuUZfL4cv2ishXKH3b7wm0sBeE4Mv263XGux7kLLjdPx__2bfEER6EfwdbeuHKidz9M_nQnouYZOdT9g4CP8dg9gYZnPyIeR22fWyzdCN8nK9OJwlrCztFqYhjnDtG_ChHcUGu/s320/radiography+screenshot.jpg" title="RadioGraPhy Screenshot" width="320" /></a></div> <div style="text-align: justify;"> <b>Radiography</b> is a<i> forensic tool </i>which <i>grabs as much information as possible from a Windows system.</i></div> <h3 style="text-align: justify;"> Its checks:</h3> <ul style="text-align: justify;"> <li><b>Registry keys related to startup process</b></li> <li><b>Registry keys with Internet Explorer settings</b></li> <li><b>System Accounts and properties</b></li> <li><b>Startup files</b></li> <li><b>System services</b></li> <li><b>Hosts file contents</b></li> <li><b>TaskScheduler tasks</b></li> <li><b>Loaded System Drivers</b></li> <li><b>NetBios Shares</b></li> <li><b>Hidden Windows</b></li> <li><b>System processes running (and their location if possible)</b></li> <li><b>Network information (Open connections, listening ports ...) </b></li> </ul> <h3 style="text-align: justify;"> <b>It has also unique features:</b></h3> <div style="text-align: justify;"> -When it identifies a process (running or configured in registry keys, startup directories or task scheduler) it checks its hash with Team Cymru's MALWARE HASH REGISTRY<span style="font-size: 14px; line-height: 1.4em;"> service to identify potential threats</span></div> <div style="text-align: justify;"> -RadioGraPhy does a process integrity test using 'WinUnhide' to catch hidden processes</div> <div style="text-align: justify;"> -Dump a copy of Eventlog and grab a copy of the process binaries for later review </div> <div style="text-align: justify;"> RadioGraPhy is <b>OpenSource</b> (GPL License) and come with a <b>CLI version</b> and a <b>graphic frontend</b> (please have a look to Screenshots section)</div> <h3 style="text-align: justify;">  </h3> <h3 style="text-align: justify;"> Download ::  </h3> <div style="text-align: justify;"> <b>Windows :: </b><a href="http://sbdtools.googlecode.com/files/RadioGraPhyV2.zip" target="_blank"><b></b>RadioGraPhy 2.0</a><br /> <h3> Official Website :: </h3> http://www.security-projects.com/ </div>

RadioGraPhy (Windows Forensics):: Tools

Radiography is a forensic tool which grabs as much information as possible from a Windows system. Its checks: Registry keys relat...

Read more »

USBDeviceForensics :: Tools

<div class="separator" style="clear: both; text-align: center;"> <img alt="USBDeviceForensics " border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivy2ewa1vXYlJsngnLLgNW_xU3Nws3UpG84lud9sbXntXzXiSKCvGjOWOI2gfHK_jp5QvTSRYrOilAtp2nHCwIWqSGebWtVM8EE6I5X2YRNeX_MRLNAQaUjj3QWLWfO5mxTx2dWnwjUVH-/s320/USB-Device-Forensics.png" title="USBDeviceForensics " width="320" /></div> <div style="text-align: justify;"> <b>USBDeviceForensics</b> is an application to <i>extract numerous bits of information regarding USB devices</i>. It uses the information from a SANS blog posting to retrieve operating system specific information. It now has the ability to process multiple NTUSER.dat registry hives in one go.</div> <div style="text-align: justify;"> It should be noted that whilst the information in the blog posting is accurate, there is a caveat to be aware of. During my testing I have found that an unknown process can update the Date/Time values across all keys, in particular the USBSTOR keys. Therefore, you could see the same Last Written Date/Time value on each device key. If you see this occurring, then you obviously cannot rely on the values retrieved. All of the dates should be UTC.</div> <div style="text-align: justify;"> It is possible to set a time zone offset by using the Time Zone window e.g. Tools->Time Zone menu item. The Install date time zone appears to be the local time zone.</div> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Windows :: </b><a href="http://www.woanware.co.uk/downloads/USBDeviceForensics.v.1.0.11.zip" target="_blank">USB Device Forensics </a> </div> <div style="text-align: justify;"> <br /></div>

USBDeviceForensics :: Tools

USBDeviceForensics is an application to extract numerous bits of information regarding USB devices . It uses the information from a SAN...

Read more »

OSForensics :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9KEAg94layniw3-bxaqyqfRHExQ5nF5fE3mHBF29YBYuyLHnlZrGCKU8UsFQAgRTuC6XVgoQr7eGIrjFrQlwZBudUF26hWQDDBWmjO7Gy1qYYLAz3x2CyFYzTnDzulf40Xk7mwbiGOHul/s1600/OSForensics+Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="OSForensics Screenshot" border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9KEAg94layniw3-bxaqyqfRHExQ5nF5fE3mHBF29YBYuyLHnlZrGCKU8UsFQAgRTuC6XVgoQr7eGIrjFrQlwZBudUF26hWQDDBWmjO7Gy1qYYLAz3x2CyFYzTnDzulf40Xk7mwbiGOHul/s320/OSForensics+Screenshot.png" title="OSForensics Screenshot" width="320" /></a></div> <div style="text-align: justify;"> <b>OSForensics</b> provides one of the fastest and most powerful ways to <i> locate files on a Windows computer.</i> You can search by filename, size, creation and modified dates, and other criteria.Results are returned and made available in several different useful views. This includes the Timeline View which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine.  </div> <div style="text-align: justify;"> <b>OSForensics</b> allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data. <b>OSForensics </b>lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively.</div> <h2 class="featuresmall" style="text-align: justify;"> Features</h2> <div style="text-align: justify;"> <b>Discover Forensic Evidence Faster</b></div> <ul id="download_list" style="text-align: justify;"> <li>Find files faster, search by filename, size and time</li> <li>Search within file contents using the Zoom search engine</li> <li>Search through email archives from Outlook, ThunderBird, Mozilla and more </li> <li>Recover and search deleted files </li> <li>Uncover recent activity of website vists, downloads and logins</li> <li>Collect detailed system information</li> <li>Password recovery from web browsers, decryption of office documents </li> <li>Discover and reveal hidden areas in your hard disk</li> <li>Browse Volume Shadow copies to see past versions of files</li> </ul> <div style="text-align: justify;"> <b>Identify Suspicious Files and Activity</b></div> <ul id="download_list" style="text-align: justify;"> <li>Verify and match files with MD5, SHA-1 and SHA-256 hashes</li> <li>Find misnamed files where the contents don't match their extension</li> <li>Create and compare drive signatures to identify differences</li> <li>Timeline viewer provides a visual representation of system activity over time</li> <li>File viewer that can display streams, hex, text, images and meta data</li> <li>Email viewer that can display messages directly from the archive</li> <li>Registry viewer to allow easy access to Windows registry hive files</li> </ul> <div style="text-align: justify;"> <b>Manage Your Digital Investigation</b></div> <ul id="download_list" style="text-align: justify;"> <li>Case management enables you to aggregate and organize results and case items</li> <li>HTML case reports provide a summary of all results and items you have associated with a case</li> <li>Rebuild RAID arrays from individual disk images</li> <li>OSForensics can be installed on a USB flash drive for more portability</li> </ul> <h4 class="feature"> System requirements</h4> Windows XP SP2, Vista & Win 7<br /> Windows Server 2000, 2003, 2008<br /> 32bit and 64bit support, (64bit recommended)<br /> Minimum 1GB of RAM. (4GB+ recommended)<br /> 30MB of free disk space, or can be run from USB drive<br /> <h3> Tutorials ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/tMuCTkSSza0?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3 style="text-align: justify;"> Download :: </h3> <div class="feature"> <b>Windows :: </b><a href="http://www.osforensics.com/downloads/osf_2_3_beta.exe" target="_blank">OSForensics 2.3.1 Beta</a></div> <div class="feature"> <b>For More Videos ::</b> <a href="http://www.osforensics.com/faqs-and-tutorials/video_demonstrations.html" target="_blank">Click Here  </a><br /> <b>Official Website ::</b> http://www.osforensics.com/</div>

OSForensics :: Tools

OSForensics provides one of the fastest and most powerful ways to locate files on a Windows computer. You can search by filename, size...

Read more »

MagicRescue (File Carving) :: Tools

<div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjorQ5EZnU6iOJ6pD4BIWoEAYCX9YQdach2XSKLG2E7C7BqqXyF-fRInYuSijnX-ho2R5YNr_RJUmnQlkSydxTJUdKoc5R31WumBeSIVuSkNJUUHk_yHym8LLR1oHKzX3_4qN_LV3AGFPsf/s1600/magicrescue+screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="magicrescue screenshot" border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjorQ5EZnU6iOJ6pD4BIWoEAYCX9YQdach2XSKLG2E7C7BqqXyF-fRInYuSijnX-ho2R5YNr_RJUmnQlkSydxTJUdKoc5R31WumBeSIVuSkNJUUHk_yHym8LLR1oHKzX3_4qN_LV3AGFPsf/s320/magicrescue+screenshot.jpg" title="magicrescue screenshot" width="320" /></a></div> <b>MagicRescue</b> is a <b>file carving </b>utility it scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.</div> <div style="text-align: justify;"> <b>MagicRescue</b> works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience (this program was not written for fun) shows, however, that chunks of 30-50MB are not uncommon.</div> <h3 style="text-align: justify;"> Tutorial ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/VJ41EkP5jVg?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Linux ::</b> <a href="http://www.itu.dk/~jobr/magicrescue/release/magicrescue-1.1.9.tar.gz" target="_blank">MagicRescue 1.1.9</a></div>

MagicRescue (File Carving) :: Tools

MagicRescue is a file carving utility it scans a block device for file types it knows how to recover and calls an external program to ex...

Read more »

Orion Browser Dumper (Browser History Dumper) :: Tools

<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaCJd3-0xxZqzg5KSVfpz7T0byRvE7nyrSvbaMHp06mBJQWkhR7jRz3Inz6VABoE-Vak0RkQcDMPCrwHCnYXvT5-pce_iHHODP0FhCRnTxkEgJdUdJ3llmfXPdRC5PoUb-LhkiOyyud_ed/s1600/orion-browser-dumper-screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Orion Browser Dumper Screenshot" border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaCJd3-0xxZqzg5KSVfpz7T0byRvE7nyrSvbaMHp06mBJQWkhR7jRz3Inz6VABoE-Vak0RkQcDMPCrwHCnYXvT5-pce_iHHODP0FhCRnTxkEgJdUdJ3llmfXPdRC5PoUb-LhkiOyyud_ed/s400/orion-browser-dumper-screenshot.png" title="Orion Browser Dumper Screenshot" width="400" /></a></div> <div style="text-align: justify;"> <b>Orion Browser Dumper</b> is an <i>advanced local browser history extractor (dumper)</i>, in less than few seconds (like for Browser Forensic Tool) it will extract the whole history content of most famous web browser, Actually Internet Explorer, Mozilla FireFox, Google Chrome, COMODO Dragon, Rockmelt and Opera. </div> <div style="text-align: justify;"> <b>Orion Browser Dumper</b> is a console application which means runs under a MS-DOS environment (No User Interface or UI). Console applications are very useful in case you want to make some sort of automatism or want to use a simple BATCH script to launch the dump process (from, say, a USB Device).We designed this tool to be very easy to understand for every user. It even simulates progress bars to show the progress of each browser scan. </div> <div style="text-align: justify;"> <br /></div> <h3 style="text-align: justify;"> Tutorials ::</h3> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/dC-27m0pDBU?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> <h3 style="text-align: justify;"> Download ::</h3> <div style="text-align: justify;"> <b>Windows :: </b> <a href="http://phrozensoft.com/downloads/OrionBrowserDumperV1_setup.zip" target="_blank">Orion Browser Dumper  v1.0</a></div> <h3 style="text-align: justify;"> </h3> <div class="separator" style="clear: both; text-align: center;"> </div> <h3 style="text-align: justify;"> </h3>

Orion Browser Dumper (Browser History Dumper) :: Tools

Orion Browser Dumper is an advanced local browser history extractor (dumper) , in less than few seconds (like for Browser Forensic Tool...

Read more »

p0f (OS and Application Fingerprinting) :: Tools

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxMdkwqLhu3-pobymZBIO1qkTOxYwuX4bDCm4Q611wMbhHmVJFqDwC9T4Kry2DSL2ce_ZpjZSs3_1aULLvVDqe4vFIpOWUhyphenhyphenEX_EdPrmfz-HG-XmVhf9ArdZ8L37QRcjw75UeZOC30pf8G/s1600/p0f+screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="p0f screenshot" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxMdkwqLhu3-pobymZBIO1qkTOxYwuX4bDCm4Q611wMbhHmVJFqDwC9T4Kry2DSL2ce_ZpjZSs3_1aULLvVDqe4vFIpOWUhyphenhyphenEX_EdPrmfz-HG-XmVhf9ArdZ8L37QRcjw75UeZOC30pf8G/s320/p0f+screenshot.jpg" title="p0f screenshot" width="320" /></a></div> <div style="text-align: justify;"> <b>p0f</b> is a versatile <i>passive OS and application fingerprinter,</i> and a tool for <i>detecting NAT/connection sharing</i>. It is useful for <i>penetration testing, routine network monitoring, and forensics</i>, and to aid abuse detection tools such as IDSes, spam filters, or honeypots. <b>P0f</b> is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP). </div> <div style="text-align: justify;"> Some of p0f's capabilities include: </div> <ul style="text-align: justify;"> <li> Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection - especially in settings where <a href="http://www.nmap.org/">NMap</a> probes are blocked, too slow, unreliable, or would simply set off alarms. </li> <li> Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on. </li> <li> Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups. </li> <li> Detection of clients and servers that forge declarative statements such as <i>X-Mailer</i> or <i>User-Agent</i>. </li> </ul> <div style="text-align: justify;"> <b>p0f</b> can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to. </div> <div style="text-align: justify;"> Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellanous forensics. </div> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="allowfullscreen" frameborder="0" height="266" mozallowfullscreen="mozallowfullscreen" src="https://www.youtube.com/embed/OROE_HoN8mg?feature=player_embedded" webkitallowfullscreen="webkitallowfullscreen" width="320"></iframe></div> </div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> <br /> Download Here :: <a href="http://lcamtuf.coredump.cx/p0f3/releases/p0f-3.06b.tgz" target="_blank">p0f-3.06b.tgz (for Linux)</a></div> <div style="text-align: justify;"> Official Website :: http://lcamtuf.coredump.cx/p0f3/</div> </div>

p0f (OS and Application Fingerprinting) :: Tools

p0f is a versatile passive OS and application fingerprinter, and a tool for detecting NAT/connection sharing . It is useful for pene...

Read more »