|
Vital Data FoRK |
|
CD iso |
ForensicIT |
http://www.forensicit.com.au/modules/news/ |
|
When booting from the CD, you may just press "Enter" to
accept the default boot option. This takes you to runlevel 2 (console mode),
with the initial console running the FoRK script, which was written to make
obtaining a forensic-grade image easier. All drives in the system and their
partitions are detected automatically. The technician presses space to drop
down a list box and select the source drive or partition; TAB moves between
fields, and the target drive or partition is selected the same way. Details
of the source drive are recorded automatically, and the technician may enter
case details to be recorded alongside them. |
|
non-commercial |
Information Updated:10 Nov 2004 |
|
EnCase
Forensic Edition |
|
Win32 |
Guidance Software, Inc. |
http://www.guidancesoftware.com/products/ef_index.asp |
|
With an intuitive, yet flexible GUI, and
unmatched performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy and
efficiency. Our award-winning solution yields completely non-invasive
computer forensic investigations while allowing examiners to easily manage
large volumes of computer evidence and view all relevant files, including
"deleted" files, file slack and unallocated space.
|
|
COMMERCIAL |
Information Updated:28 Mar 2003 |
|
EnCase
Enterprise Edition |
|
Win32 |
Guidance Software, Inc. |
http://www.guidancesoftware.com/products/ee_index.asp |
|
EnCase Enterprise Edition is a
revolutionary solution providing a platform for comprehensive enterprise
wide incident response, information auditing and forensic discovery.
Leveraging the powerful functionality of Guidance Software's flagship
product, EnCase Forensic Edition, our patent-pending technology securely
enables you to identify, preview, acquire and analyze digital media anywhere
on your network.
|
|
COMMERCIAL |
Information Updated:28 Mar 2003 |
|
Forensic
Toolkit |
|
Win32 |
AccessData Corp. |
http://www.accessdata.com/Product04_Overview.htm?ProductNum=04 |
|
General Features:
Full Text Indexing
Advanced Searching
INSO Viewers (Full & Thumbnail)
KFF (Known File Filter)
Hashing Verification
Preset Search Profiling
Encrypted File Identification
Deleted File Recovery
Audit Trail Capabilities
Enhanced Reporting
File Annotation
Interoperable with the Password Recovery Toolkit
|
|
COMMERCIAL |
Information Updated:28 Mar 2003 |
|
|
The Coroners
Toolkit |
|
*nix |
Dan Farmer and Wietse Venema |
http://www.porcupine.org/forensics/tct.html |
|
TCT is a collection of programs by Dan
Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a
break-in. The software was first presented in a Computer Forensics Analysis
class in August 1999 (handouts can be found here). Examples of using TCT can
also be found on-line in a series of columns in Dr. Dobb's Journal.
Notable TCT components are the grave-robber tool that captures information,
the ils and mactime tools that display access patterns of files dead or
alive, the unrm and lazarus tools that recover deleted files, and the
findkey tool that recovers cryptographic keys from a running process or from
files. |
|
OPEN SOURCE |
Information Updated:28 Mar 2003 |
|
The Sleuth Kit |
|
*nix |
Brian Carrier |
http://www.sleuthkit.org/ |
|
The Sleuth Kit, originally the @stake Sleuth Kit (TASK), allows an
investigator to examine the file systems of a suspect computer in a
non-intrusive fashion. TASK is a collection of UNIX-based command line tools
that can analyze NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems. TASK reads
and processes the file system structures itself, so operating system support
for those file systems is not required. The same property lets the tools be
used during incident response on live systems: reading the raw device
bypasses the kernel's file system code and shows files that a rootkit hides
from normal system calls (a rootkit that intercepts raw device reads can still
defeat this). The Autopsy Forensic Browser is a graphical interface to the
tools in TASK that makes conducting an investigation easier; Autopsy provides
case management, image integrity, keyword searching, and other automated
operations.
|
|
FREEWARE |
Information Updated:28 Mar 2003 |
|
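TCT's ils and mactime, and the Sleuth Kit tools and Autopsy that grew out of them, present file activity as one timeline: each inode's modification, access and change times become separate events flagged m, a or c, and the events are sorted so that a cluster of replaced binaries or an access pattern at an odd hour stands out. The shell script below is an added example, not code from TCT, The Sleuth Kit or this page. It walks live files only, so the dead (unallocated) inodes that ils reports are not covered; it assumes GNU or BSD stat, prints epoch seconds instead of formatted dates, and builds a constructed directory whose timestamps are set with touch -t.

```shell
#!/bin/sh
# Added example: a mactime-style MAC timeline for live files.
# Not TCT or Sleuth Kit code; output layout and sample tree are this example's own.
set -eu

# mac_times FILE: print "mtime atime ctime path" in epoch seconds.
# GNU stat takes -c, BSD/macOS stat takes -f; GNU is tried first.
mac_times() {
    stat -c '%Y %X %Z %n' "$1" 2>/dev/null || stat -f '%m %a %c %N' "$1"
}

# timeline DIR: one line per distinct timestamp per file, "epoch flags path".
# flags is three characters, m/a/c for each time that falls on that second
# and "." otherwise, the convention mactime uses; sorted oldest first, then path.
timeline() {
    find "$1" -type f | while IFS= read -r f; do
        mac_times "$f"
    done | awk '{
        path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)
        split("", seen)                       # distinct timestamps of this file
        for (i = 1; i <= 3; i++) seen[$i] = 1
        for (t in seen)
            printf "%s %s%s%s %s\n", t,
                ($1 == t ? "m" : "."), ($2 == t ? "a" : "."), ($3 == t ? "c" : "."), path
    }' | sort -k1,1n -k3
}

# Constructed demo tree (not real evidence): one old untouched binary and one
# whose content was replaced and then back-dated with touch.
work=$(mktemp -d)
mkdir -p "$work/bin"
printf 'clean\n' >"$work/bin/ls";  touch -t 200303281200 "$work/bin/ls"   # installed long ago
printf 'trojan\n' >"$work/bin/ps"; touch -t 200303311400 "$work/bin/ps"   # mtime/atime reset, ctime is now
timeline "$work"
rm -rf "$work"
```

A ctime much newer than the mtime means the file's content or metadata changed after the mtime was set, which is exactly what back-dating with touch leaves behind, because ctime cannot be set from user space. Reading a file to hash it updates its atime on most mounts, so take the timeline (or a mac-robber style body file) before any other collection step, or work from an image.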
|
F.I.R.E. |
|
Linux (Bootable .iso) |
Dirk Loss |
http://biatchux.dmzs.com/?section=main |
|
Forensics workstation/Data Recovery
Instantly deploy a forensics workstation with tct, tctutils, mac-robber, and
autopsy; also provides perl 5.6.1 compiled with Large File Support.
Live System Incident Response
Binaries are available for Incident Response on a live machine.
Virus Scanning
Utilizing F-Prot 3.11beta (http://www.f-prot.com) you can scan for viruses,
worms, trojans, and all around harmful code.
Just mount the filesystems that you want to scan and execute 'f-prot .'
Any filesystem you can mount, you can scan: mount and scan fat/ntfs/ext2/ext3/reiserfs
partitions.
Scan your Windows machines offline for viruses that may not be detected with
an "after the fact" anti-virus software installation.
Pen-Testing Platform
I should NOT have to explain this portion:
If the tools you would like to use are not in the distribution please make a
request! |
|
OPEN SOURCE |
Information Updated:31 Mar 2003 |
|
snarl |
|
BSD (bootable .iso) |
eecue |
http://snarl.eecue.com/articles/ |
|
snarl is a bootable forensics ISO based
on FreeBSD, using @stake's Autopsy and TASK as well as the Shmoo list of
known good checksums. Once you boot the ISO, log in as root (there is no
password). You will boot into a dialog-driven menu. Select the first option
and choose the checksum set for the OS you are auditing; this converts
the Shmoo checksum database into a format that Autopsy understands. Then
select the second option, which configures and starts Autopsy. Then select
the third option and the links browser will be launched on the Autopsy page. You
can also select exit and use the large collection of security-related ports.
|
|
OPEN SOURCE |
Information Updated:31 Mar 2003 |
|
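FTK's Known File Filter and hashing verification above, and snarl's conversion of the Shmoo known-good checksum list into a format Autopsy can look up, come down to one operation: hash every file on the evidence and compare the hashes against a set of known ones, dropping known-good files from the review pile and flagging known-bad ones. The shell script below is an added example, not code from FTK, Autopsy or snarl. It assumes a hash set in md5sum output format (`<md5>  <path>`, the layout those checksum lists and Autopsy's hash databases used) and builds a constructed sample tree and hash sets inline; MD5 is used only to match that format, and for a new hash set SHA-256 is the better choice because MD5 collisions are practical.

```shell
#!/bin/sh
# Added example: known-good / known-bad hash filtering over a directory tree.
# Not FTK, Autopsy or snarl code; function names and the sample tree are this example's own.
set -eu

# md5_of FILE: hex digest only (coreutils md5sum, or md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# hash_filter MODE HASHSET DIR
#   MODE=unknown  print files under DIR whose MD5 is NOT in HASHSET (known-good filter)
#   MODE=match    print files under DIR whose MD5 IS in HASHSET (known-bad alert)
# HASHSET is in md5sum output format "<md5>  <path>"; only the hash column is
# used, so the paths in the set never influence the result.
hash_filter() {
    mode=$1; hashset=$2; dir=$3
    find "$dir" -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(md5_of "$f")" "$f"
    done | awk -v setfile="$hashset" -v mode="$mode" '
        FILENAME == setfile { known[$1] = 1; next }      # first input: load the set
        { hit = ($1 in known) }                           # then the evidence hashes from stdin
        (mode == "match" && hit) || (mode == "unknown" && !hit) {
            sub(/^[^ ]+  /, ""); print                    # strip the hash, keep the path
        }
    ' "$hashset" -
}

# Constructed demo: a hash set taken from a clean install, then a suspect tree
# with one untouched binary, one replaced binary, one new file and one known tool.
work=$(mktemp -d)
mkdir -p "$work/clean" "$work/suspect"
printf 'ls binary\n' >"$work/clean/ls"
printf 'ps binary\n' >"$work/clean/ps"
for f in ls ps; do
    printf '%s  bin/%s\n' "$(md5_of "$work/clean/$f")" "$f"
done >"$work/known_good.md5"
cp "$work/clean/ls" "$work/suspect/ls"                   # untouched: filtered out
printf 'ps binary with backdoor\n' >"$work/suspect/ps"   # same name, new hash: reported
printf 'notes\n' >"$work/suspect/readme.txt"             # in no set: reported
printf 'sniffer\n' >"$work/suspect/.sn"                  # attacker tool, renamed to hide it
printf '%s  attacker-tools/sniff\n' "$(md5_of "$work/suspect/.sn")" >"$work/known_bad.md5"
echo "== not in the known-good set =="; hash_filter unknown "$work/known_good.md5" "$work/suspect"
echo "== in the known-bad set =="; hash_filter match "$work/known_bad.md5" "$work/suspect"
rm -rf "$work"
```

Matching is by hash only: a trojaned ps whose hash differs from the clean one is reported even though its name is in the known-good set, and a known attacker tool renamed to .sn is still caught by the known-bad set. An empty known-good set reports every file, which is the safe failure mode; a known-good set built on the wrong OS version would do the opposite and silently pass unexamined files, so record which set and version was used alongside the results.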
Portable
Linux Auditing CD |
|
Linux (Bootable .iso) |
droopy and ranger-x |
http://sourceforge.net/projects/plac/ |
|
PLAC is a business-card-sized bootable
CD-ROM running Linux. It has network auditing, disk recovery, and forensic
analysis tools. An ISO will be available, as will scripts to roll your own CD. |
|
OPEN SOURCE |
Information Updated:31 Mar 2003 |
|
|
Forensic
Acquisition Utilities |
|
Win 2000/XP |
George M. Garner Jr |
http://users.erols.com/gmgarner/forensics/ |
|
This is a collection of utilities and
libraries intended for forensic or forensic-related investigative use in a
modern Microsoft Windows environment. The components in this collection are
intended to permit the investigator to sterilize media for forensic
duplication, discover where logical volume information is located and to
collect the evidence from a running system while at the same time
guaranteeing data integrity (e.g. with a cryptographic checksum) and while
minimizing changes to the subject system. The present release attempts to
reduce the time required for volume or drive imaging by reducing, if not
eliminating, the need for piping and by incorporating cryptographic
verification into the imaging application.
Included in this release are the
following modules:
1. dd.exe: A modified version of the popular GNU dd utility program
2. md5lib.dll: A modified version of Ulrich Drepper's MD5 checksum
implementation in Windows DLL format.
3. md5sum.exe: A modified version of Ulrich Drepper's MD5sum utility.
4. Volume_dump.exe: An original utility to dump volume information
5. wipe.exe: An original utility to sterilize media prior to forensic
duplication.
6. zlibU.dll: A modified version of Jean-loup Gailly and Mark Adler's zlib
library based on zlib-1.1.4.
7. nc.exe: A modified version of the netcat utility by Hobbit.
8. getopt.dll: An implementation of the POSIX getopt function in a Windows
DLL format.
|
|
GPL |
Information Updated:31 Mar 2003 |
|
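The two acquisition workflows described above, FoRK's source-to-target imaging with recorded drive and case details and FAU's dd with cryptographic verification built into the imaging step, reduce to the same sequence: hash the source, image it with dd, hash the image, compare, and log everything. The POSIX shell script below is an added example and is not code from FoRK, FAU or this page. It uses plain dd and sha256sum (falling back to shasum), records SHA-256 rather than the MD5 these 2003 tools used, and the log layout, block size and the constructed sample file standing in for a drive are this example's own choices.

```shell
#!/bin/sh
# Added example: dd acquisition with pre/post hashing and an acquisition log.
# Not FoRK or FAU code; log fields and the sample "drive" are constructed here.
set -eu

# sha256_of FILE: print the hex digest only (coreutils, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire SRC DEST LOG CASE EXAMINER
# Hash the source, image it with dd, hash the image, append a record to LOG.
# bs=512 is the sector size on purpose: conv=noerror,sync keeps dd running past
# unreadable blocks but pads every short block up to bs with zeros, so a larger
# bs would pad the final partial block and the two hashes would never match.
# dd's own record counts and any read errors go to LOG.dd.
# Returns 0 only when the image hash equals the source hash.
acquire() {
    src=$1; dest=$2; log=$3; case_id=$4; examiner=$5
    pre=$(sha256_of "$src")
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log.dd"
    post=$(sha256_of "$dest")
    {
        printf 'case=%s\nexaminer=%s\n' "$case_id" "$examiner"
        printf 'date=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source=%s bytes=%s\n' "$src" "$(wc -c <"$src" | tr -d ' ')"
        printf 'image=%s\n' "$dest"
        printf 'sha256_source=%s\nsha256_image=%s\n' "$pre" "$post"
        printf 'verified=%s\n' "$([ "$pre" = "$post" ] && echo yes || echo no)"
    } >>"$log"
    [ "$pre" = "$post" ]
}

# verify IMAGE LOG: recompute the image hash and compare with the last one logged,
# the check an examiner repeats before analysis and again before testimony.
verify() {
    logged=$(sed -n 's/^sha256_image=//p' "$2" | tail -n 1)
    [ -n "$logged" ] && [ "$(sha256_of "$1")" = "$logged" ]
}

# Constructed demo: a 1 MiB file stands in for a device node such as /dev/sdb.
work=$(mktemp -d)
yes 'sample evidence sector' | head -c 1048576 >"$work/suspect.raw"
acquire "$work/suspect.raw" "$work/case001.dd" "$work/acquisition.log" CASE-001 "J. Examiner"
verify "$work/case001.dd" "$work/acquisition.log" && cat "$work/acquisition.log"
rm -rf "$work"
```

Against a real drive, pass the device node as the source and never mount it; the script cannot stop the kernel or an automounter from touching the source, so a hardware or software write blocker is still required. If LOG.dd reports read errors, the source and image hashes will legitimately differ because the unreadable sectors were zero-filled, and the log entry must say so rather than be treated as a failed acquisition; an odd-sized source that is not a sector multiple is padded the same way, which the test below exercises.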
Knoppix |
|
Linux (Bootable .iso) |
Klaus Knopper |
http://www.knopper.net/knoppix/index-en.html |
|
KNOPPIX is a bootable CD with a collection
of GNU/Linux software, automatic hardware detection, and support for many graphics
cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used
as a Linux demo, educational CD, rescue system, or adapted and used as a platform
for commercial software product demos. It is not necessary to install anything on
a hard disk. Due to on-the-fly decompression, the CD can have up to 2 GB of
executable software installed on it.
|
|
GPL |
Information Updated:31 Mar 2003 |
|
SMART |
|
Linux |
ASR Data |
http://www.asrdata.com/tools/ |
|
SMART can acquire digital evidence from a wide variety of workstations,
servers and digital devices. SMART authenticates the data it acquires using any or all of the CRC32,
MD5SUM and SHA1 algorithms. SMART also provides for the compression of data using standard Gzip or BZ2
compression, as well as a seekable compression format. SMART "understands" many file systems, including
VFAT, NTFS, ext2, ext3, Reiser, HFS, HFS+, XFS, JFS, ISO9660, BeFS and many more. SMART can recover deleted
files from these file systems and interpret file system meta-data such as date and time stamps, file attributes,
etc. SMART enables complex searches to be conducted quickly and easily. Full GREP syntax, intelligent rules
based options and fully automated recovery are possible without scripting or programming.
|
|
COMMERCIAL |
Information Updated:06 Apr 2003 |
|
|
Computer Network Defence Ltd
Information Security Consultancy and Recruiting
enquiries@securitywizardry.com
Copyright © 2004 Computer
Network Defence Ltd. All Rights Reserved.
|
PO Box 2680, Corsham, Wiltshire, SN13 0ZR, UK
Phone 0870 3219014
International +44 (0) 1225 811806
|
|