SABRE BinDiff
Extension to IDA Pro
SABRE Security 2004
http://www.sabre-security.com/products/bindiff.html

Do you need to analyze multiple variations of essentially the same program?
Do you need to understand the changes between two versions of a program?
Are you trying to detect code theft? SABRE BinDiff uses a unique
graph-theoretical approach to allow comparison of executables by identifying
identical and similar functions. SABRE BinDiff allows you to:
Identify identical and similar functions in different binaries
Port function names from one disassembly to the other
Detect & highlight changes between two variants of the same function

COMMERCIAL
Information Updated: 18 Aug 2004

ByteBack
DOS
Tech Assist, Inc
http://www.toolsthatwork.com/byteback.htm

The standard in low-level applications for forensics and
recovery has always been ByteBack. Now with version 4, we're even better.
The addition of UDMA, ATA & SATA support, with memory management and greater
ease and control of partition and MBR manipulations, ByteBack continues to
uphold its viability as the computer forensics and recovery application of
professionals.
* Disk Cloning (mirroring)
* Forensic Mode (write block)
* Disk Compare (verification)
* Extensive Logging (reports)
* UDMA, ATA & SATA Drive Support (up to two terabytes)
* Low Level Format (disk wipe)
* Disk Editor (raw hex, ASCII, partition table and boot sector)
* MBR Repair (boot code & partition tables)
* Partition Table Repair (including access to logical partitions)
* Advanced Boot Sector Repair (FAT, FAT 32 and NTFS)
* MBR, Partition and LDM backup
* Basic Partition Table Management (set active, partition hiding/unhiding)
* Undo for all automatic repairs

COMMERCIAL
Information Updated: 06 June 2006

History Reader for IE 5.x and 6.x
Win32
Wolfgang Baudisch
http://www.wbaudisch.de/HistoryReader.htm

History Reader reads all information in
the complete history database and presents you with a list, either in
chronological or alphabetical order. Furthermore, you can open any URL in
Internet Explorer ®, add URLs to Favorites, copy URLs, and print out or save the
listing or selected ranges as a text file. When you have edited and saved a
list, you can open this file again and use it in the same way as the original
one saved before.

SHAREWARE
Information Updated: 31 Mar 2003

CD/DVD Diagnostic
Win32
Arrowkey, Inc.
http://www.cdrom-prod.com/cddvddiagnostic.html

CD/DVD Inspector reads all major CD and
DVD filesystem formats including ISO-9660, Joliet, UDF, HFS and HFS+. When
the disc being examined contains more than a single filesystem, all
filesystems found are displayed. Multiple filesystems are present for hybrid
Macintosh/PC discs as well as for discs that are produced by DirectCD and
other packet-writing software. Supports:
DVD Media Recovery
File scanning
Data pane
Disc Memory and Checkpoint
Intensive UDF File Examination
Expanded Retry Capabilities
Readability test
Improved reporting capabilities
CD Text, ISRC and RID Audio Disc information display

COMMERCIAL
Information Updated: 31 Mar 2003

dtSearch
Win32
dtSearch Corp.
http://www.dtsearch.com/PLF_desktop_2.html

Provides over two dozen indexed and
unindexed text search options for all popular file types. Supports full-text
as well as field searching in all supported file types. Has multiple
relevancy-ranking and other search sorting options. dtSearch can instantly
search gigabytes of text because it builds a search index that stores the
location of words in documents. dtSearch automatically recognizes and
supports all popular file formats, and never alters original files.

COMMERCIAL
Information Updated: 31 Mar 2003

Hyper Hasher
Win 2000/NT/XP
Matt LaPlante
http://www.hyperhasher.com/

Hyper Hasher is a utility that allows you to calculate
hash/checksum and HMAC values for any file on your system, as well as for a
text string. Hash and checksum values are used to verify the integrity of
computer files, as well as to uniquely identify them. The process of hashing
a file basically involves reading the entire file and applying various
mathematical algorithms to its contents in order to produce a text string
(the "hash"). The hashing process does not in any way alter the files being
read. Hyper Hasher is capable of calculating 26 different hashes and
checksums!

SHAREWARE
Information Updated: 06 June 2006

hackman
Win32
TechnoLogismiki
http://www.technologismiki.com/hackman/

Hackman 7 is a freeware hex editor and
disassembler. It comes with cryptography capabilities, decoding with ready-made
and self-made algorithms, and a fully-featured editor. You can edit virtually
any file, disk, ZIP drive, RAM drive, Smart Media, Compact Flash I & II, IBM
Microdrive or physical RAM with the ease of a word processor. Includes:
Hackman Editor: the most advanced and sophisticated hex editor.
Hackman Disassembler: your choice of a 16/32 bit disassembler.
Hackman Debugger: powerful application level debugger.
INI Editor: edit INI, INF and other settings files easily.
DIZ Editor: produce or edit file_id.diz files for your applications.
Autoplay Generator: generate autorun.inf files for your CDs.

SHAREWARE
Information Updated: 31 Mar 2003

Hex Workshop
Win32
BreakPoint Software, Inc.
http://www.hexworkshop.com/features.html

The Hex Workshop Hex Editor is a set of
hexadecimal development tools for Microsoft Windows, combining advanced
binary editing with the ease and flexibility of a word processor. With Hex
Workshop you can edit, cut, copy, paste, insert, and delete hex, print
customizable hex dumps, and export to RTF or HTML for publishing.
Additionally you can go to, find, replace, compare, calculate checksums, add
smart bookmarks, color map, and generate character distributions within a
sector or file.

COMMERCIAL
Information Updated: 31 Mar 2003

KaZAlyser
Win32
Sanderson Forensics Limited
http://www.sandersonforensics.co.uk/products/KazAlyser.asp

KaZAlyser is the successor to the popular
P2PView KaZaA/Morpheus database viewer. KaZAlyser provides significant
enhancements to the investigation process.
KaZAlyser provides the following functions:
List all database entries in a tabular form
Display the file integrity tag
Allow the investigator to tag and comment each record
Identify files that appear (from title, keywords etc.) to be child pornography
Identify files that have a known child pornography hash value
Identify all graphics/movie files
Sort by individual columns
Export the content of a database to a CSV file
Produce reports based on the above

COMMERCIAL
Information Updated: 31 Mar 2003

Passware Kit
Win32
Passware
http://www.lostpassword.com/kit.htm

Passware Kit is a password recovery
software pack, featuring:
Lotus 1-2-3 files, MS Access databases,
Acrobat files, Symantec ACT! files, MS Backup files, MS Excel files,
FileMaker files, IE Content Advisor, MS Mail files, MS Money files, MYOB
files, Lotus Organizer files, MS Outlook, Outlook Express, Paradox
databases, Peachtree company files, MS Project files, QuickBooks files,
Quicken files, WinRAR and RAR archives, MS Schedule+ files, VBA Projects in
.doc, .xls, etc., Windows XP, 2000, NT 4.0, MS Word files, WordPerfect
documents, Lotus WordPro files, WinZip and PKZip .zip archives.

COMMERCIAL
Information Updated: 31 Mar 2003

Secret Explorer
Win32
LastBit Software
http://lastbit.com/wse/default.asp

Using Secret Explorer you will be able to
locate hidden information in any Windows-based system. This includes form
AutoComplete data offered by Internet Explorer every time you enter
something into a form on a web page, and various Internet passwords: passwords
to password-protected websites, MS Outlook account and identity passwords,
dial-up passwords and other data stored by Microsoft in Protected Storage.

COMMERCIAL
Information Updated: 31 Mar 2003

E-mail Examiner
Win32
Paraben Corp
http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=101

The right tool for forensic examination of email is
Paraben's E-mail Examiner.
Paraben's E-mail Examiner is one of the most comprehensive forensically
sound e-mail examination tools available. E-mail Examiner recovers more
active and deleted mail messages than the leading competitor. E-mail
Examiner doesn't just recover e-mail in the deleted folders; it recovers
e-mail deleted from deleted items (deleted/deleted). With bookmarking and
advanced searching features including multiple word & multiple phrase
searching, examining e-mail has never been so simple and thorough.
With the ability to examine AOL 9.0, PST files, and over
14 other mail types, you'll have the right tool for e-mail examination in
your toolbox.

COMMERCIAL
Information Updated: 06 June 2006

Device Seizure
Win32
Paraben Corp.
http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=342

Digital forensics has taken a giant leap forward with the
evolution of Device Seizure. By combining the technologies of Paraben's PDA
Seizure & Paraben's Cell Seizure, investigators now have access to a
powerful forensic investigation tool for handheld devices. Unlike data
management software turned forensic tool, Device Seizure has its roots in
digital forensics with such things as PDD (Palm DD command line
acquisition), deleted data recovery, full data dumps of certain cell phone
models, logical and physical acquisitions of PDAs, data cable access, and
advanced reporting. Accessing phones via IrDA and Bluetooth is like
performing a computer forensic exam on a machine connected to the
Internet: you open your case up to doubt and suspicion. With support for
more devices than ever before and the addition of Symbian 6.0 support, no
toolbox will be complete without Device Seizure.

COMMERCIAL
Information Updated: 06 June 2006

Maresware
Win32
Mares and Company, LLC
http://www.dmares.com/maresware/suite.htm

Maresware: The Suite provides an
essential set of tools for investigating computer records plus powerful data
analysis capabilities. This bundled suite of over 40 separate,
highly-targeted programs gives you the flexibility to accomplish a wide
variety of tasks.
Computer forensics: discovery
of "hidden" files (such as NTFS Alternate Data Streams) for incident
response purposes, evaluation of timelines, powerful file keyword searching
and comparing, file verification, drive wiping for information privacy and
security, keyboard locking, diskette imaging, file reformatting, and documenting
all the examiner's steps and procedures.
Data analysis: comparisons
and exceptions-testing, stratification and aging, statistical sampling or
creating test samples, identifying gaps, analyzing date (kiting analysis)
and numerical sequences, and identifying duplicates.

COMMERCIAL
Information Updated: 31 Mar 2003

National Software Reference Library (NSRL) Project
All
U.S. Department of Justice's National Institute of Justice (NIJ), and the
National Institute of Standards and Technology (NIST)
http://www.nsrl.nist.gov/

Promotes efficient and effective use of
computer technology in the investigation of crimes involving computers.
Numerous other sponsoring organizations from law enforcement, government,
and industry are providing resources to accomplish these goals.
The National Software Reference Library (NSRL) is designed to collect
software from various sources and incorporate file profiles computed from
this software into a Reference Data Set (RDS) of information. The RDS can be
used by law enforcement, government, and industry organizations to review
files on a computer by matching file profiles in the RDS. This will help
alleviate much of the effort involved in determining which files are
important as evidence on computers or file systems that have been seized as
part of criminal investigations.

COMMERCIAL
Information Updated: 05 Mar 2003

Offline NT Password & Registry Editor, Bootdisk
Linux (Boot disk)
pnordahl
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

I've put together a single floppy or CD
which contains things needed to edit the passwords on most systems.
The bootdisk supports standard (dual) IDE controllers, and most
SCSI controllers with the drivers supplied in a separate archive. It does
not need any other special hardware; it will run on a 486 or higher, with at
least 32 MB (I think) RAM or more.

FREEWARE
Information Updated: 31 Mar 2003

DETECTIVE
DOS/Win32
Tech Assist, Inc.
http://www.toolsthatwork.com/detective.htm

DETECTIVE...
Hunts down information, old and new, on the user's PC
Shows you a slide show of downloaded images
Runs from the floppy drive
Takes up few resources within a network or computer system
Lets you customize the search parameters
Generates custom reports
Can be installed on the file server and operated in batch mode. This will
simultaneously scan network workstations and save results on the network
server for easy retrieval by the system administrator.

COMMERCIAL
Information Updated: 31 Mar 2003

Computer Forensics & Security Software Tools
DOS/WIN32
New Technologies Armor, Inc
http://www.forensics-intl.com/thetools.html

NTI's forensic software tools are used in
security reviews, internal audits and computer related investigations. Some
of the tools are also used to identify and eliminate sensitive data leakage
in classified government agencies. They are sold separately and they are
also bundled in suites of software.
* Too many tools to list here. Many are familiar tools such as SafeBack,
and others.

COMMERCIAL
Information Updated: 31 Mar 2003

pstools
Win NT/2000/XP
sysinternals/Mark Russinovich
http://www.sysinternals.com/Utilities/PsTools.html

The tools included in the PsTools suite, which are downloadable
individually or as a package, are:
PsExec - execute processes remotely
PsFile - show files opened remotely
PsGetSid - display the SID of a computer or a user
PsKill - kill processes by name or process ID
PsInfo - list information about a system
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
PsLogList - dump event log records
PsPasswd - change account passwords
PsService - view and control services
PsShutdown - shut down and optionally reboot a computer
PsSuspend - suspend processes
* Many other useful freeware tools are available at
http://www.sysinternals.com/

FREEWARE
Information Updated: 06 Apr 2003

NetAnalysis
Win 32
Craig Wilson
http://www.digital-detective.co.uk/netanalysis.asp

NetAnalysis will automatically rebuild HTML web pages
from an extracted cache, automatically adding the correct location of the graphics, allowing
you to view the page as the suspect did. NetAnalysis also allows you to easily view JPEG
and other pictures that have been viewed by the suspect, straight from the cache!
NetAnalysis also has a unique feature to quickly identify possible child pornography sites,
search criteria typed by the user, passwords and usernames, and access to online storage.
NetAnalysis comes with an EnCase EnScript which will extract internet history records
from unallocated space in a format that can be readily loaded into the software. It also
has the ability to hunt through unallocated space file chunks, looking for internet history
records.

COMMERCIAL
Information Updated: 06 Apr 2003

chkrootkit
Linux/BSD/Solaris
Pangeia Informatica
http://www.chkrootkit.org/

chkrootkit: shell script that checks system binaries
for rootkit modification. 45 rootkits, worms and LKMs are currently detected. The following
tests are made:
aliens asp bindshell lkm rexedcs sniffer wted scalper slapper z2 amd basename biff chfn chsh
cron date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf
init identd killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2
pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd
timed traceroute w write
The package also includes the following C programs:
ifpromisc.c: checks if the interface is in promiscuous mode.
chklastlog.c: checks for lastlog deletions.
chkwtmp.c: checks for wtmp deletions.
check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
chkproc.c: checks for signs of LKM trojans.
chkdirs.c: checks for signs of LKM trojans.
strings.c: quick and dirty strings replacement.

GPL
Information Updated: 06 Apr 2003

Rootkit ID project
*nix
Philippe Bourcier
http://rk.cyberabuse.org/

The CyberAbuse Rootkit ID project is made of a program and
a database which allow a Unix user to detect rootkit files on his machine. The software compares
the SHA1 checksums of the files on the Unix machine with the checksums present in our database. If a
checksum matches, then an ALERT is reported to the user.

GPL
Information Updated: 06 Apr 2003

Foremost
*nix
Special Agent Jesse Kornblum
http://foremost.sourceforge.net/

Foremost is a Linux program to recover files based on
their headers and footers. Foremost can work on image files, such as those generated by dd,
SafeBack, EnCase, etc., or directly on a drive. The headers and footers are specified by a
configuration file, so you can pick and choose which headers you want to look for. Developed
by the United States Air Force Office of Special Investigations, Foremost has been opened to
the general public.

GPL
Information Updated: 06 Apr 2003

md5deep
Most All
Special Agent Jesse Kornblum
http://md5deep.sourceforge.net/

md5deep is a cross-platform program to compute MD5
message digests on an arbitrary number of files. The program is known to run on Windows,
Linux, FreeBSD, OS X, Solaris, and should run on most other platforms. md5deep is similar
to the md5sum program found in the GNU Coreutils package, but has the following additional
features:
Recursive operation - md5deep is able to recursively examine an entire directory tree. That is,
compute the MD5 for every file in a directory and for every file in every subdirectory.
Time estimation - md5deep can produce a time estimate when it's processing very large files.
Comparison mode - md5deep can accept a list of known hashes and compare them to a set of input files.
The program can display either those input files that match the list of known hashes or those that do not match.

GPL
Information Updated: 06 Apr 2003

PMDump
Win NT/XP/2000
Arne Vidstrom
http://ntsecurity.nu/toolbox/pmdump/

PMDump is a tool that lets you dump the memory contents
of a process to a file without stopping the process. This can be useful in a forensic investigation.

FREEWARE
Information Updated: 06 Apr 2003

PowerControls
Win NT/XP/2000
Kroll Ontrack Ltd
http://www.ontrack.co.uk/powercontrols/

Ontrack PowerControls 1.1 is a powerful tool for copying
and searching mailbox data directly from an unmounted Exchange database (.edb) file. It lets
you restore single mailboxes, individual folders, or any number of messages and attachments to
any mailbox on the network or directly into an Outlook .pst file on your local drive. You can also
easily search and create copies of all archived email that matches a set of criteria based on keywords,
recipients, senders and dates, and search for all items as they appear in Microsoft Outlook: calendar
items, tasks, notes, journal entries, etc.

COMMERCIAL
Information Updated: 06 Apr 2003

GNU Parted
Linux
Free Software Foundation, Inc
http://www.gnu.org/software/parted/

GNU Parted is a program for creating, destroying,
resizing, checking and copying partitions, and the file systems on them. This is useful
for creating space for new operating systems, reorganising disk usage, copying data between
hard disks and disk imaging. Supported disk labels: raw access (useful for RAID and LVM),
MS-DOS partition tables, Intel GPT partition tables, MIPS partition tables, PC98 partition
tables, Sun and BSD disk labels and Macintosh partition maps.

GPL
Information Updated: 06 Apr 2003

gpart
*nix
Michail Brzitwa
http://www.stud.uni-hannover.de/user/76201/gpart/

Gpart is a tool which tries to guess the primary partition
table of a PC-type hard disk in case the primary partition table in sector 0 is damaged,
incorrect or deleted. The guessed table can be written to a file or device. Supported (guessable)
filesystem or partition types:
DOS/Windows FAT (FAT 12/16/32)
Linux ext2
Linux swap partitions versions 0 and 1 (Linux >= v2.2.X)
OS/2 HPFS
Windows NT/2000 FS
*BSD disklabels
Solaris/x86 disklabels
Minix FS
Reiser FS
Linux LVM physical volume module (LVM by Heinz Mauelshagen)
SGI XFS on Linux
BeOS filesystem
QNX 4.x filesystem

GPL
Information Updated: 06 Apr 2003

mac-robber
*nix
Brian Carrier
http://www.sleuthkit.org/mac-robber/desc.php

mac-robber is a digital investigation tool that collects
data from allocated files in a mounted file system. This is useful during
incident response when analyzing a live system or when analyzing a dead
system in a lab. The data can be used by the mactime tool in The Sleuth Kit
to make a timeline of file activity. The mac-robber tool is based on the
grave-robber tool from TCT and is written in C instead of Perl.
mac-robber requires that the file system be mounted by the operating system,
unlike the tools in The Sleuth Kit that process the file system themselves.
Therefore, mac-robber will not collect data from deleted files or files that
have been hidden by rootkits. mac-robber will also modify the access times
on directories that are mounted with write permissions.
"What is mac-robber good for, then?" you ask. mac-robber is useful when
dealing with a file system that is not supported by The Sleuth Kit or other
file system analysis tools. mac-robber is very basic C and should compile on
any UNIX system. Therefore, you can run mac-robber on an obscure, suspect
UNIX file system that has been mounted read-only on a trusted system. I have
also used mac-robber during investigations of common UNIX systems such as
AIX.

FREEWARE
Information Updated: 07 June 2006

WinHex
Win 32
X-Ways AG
http://www.sf-soft.de/winhex/index-m.html

Features include:
Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media,
Compact Flash memory cards, and more. FAT12, FAT16, FAT32, NTFS, CDFS
RAM editor, providing access to other processes' virtual memory
Data interpreter, knowing 20 data types
Editing data structures using templates (e.g. to repair partition table/boot sector)
Concatenating and splitting files, unifying and dividing odd and even bytes/words
Analyzing and comparing files
Particularly flexible search and replace functions
Disk cloning, with a specialist license also under DOS
Drive images & backups (optionally compressed or split into 650 MB archives)
Programming interface (API) and scripting (professional & specialist licenses only)
128-bit encryption, checksums, CRC32, hashes (MD5, SHA-1, ...)
Erase (wipe) confidential files securely, hard drive cleansing to protect your privacy
Import all clipboard formats, incl. ASCII hex values
Convert between binary, hex ASCII, Intel Hex, and Motorola S
Character sets: ANSI ASCII, IBM ASCII, EBCDIC, (Unicode)
Instant window switching. Printing. Random-number generator.
Supports files >4 GB. Very fast. Easy to use. Extensive online help.

Free Trial
Information Updated: 06 Apr 2003

IDA Pro Disassembler
Win 32
DataRescue
http://www.datarescue.com/idabase/

Features include:
IDA Pro is programmable through a built-in C-like language.
IDA offers an open plugin architecture. Our PE debugger is nothing more than a plugin!
Multiple processors: same interface and features for dozens of processors
80x86 Windows PE Debugger (New Material 2003)
Fully customizable work environment (New Material 2003)
Fully interactive: you work with the disassembler and forget about tedious multiple passes.
High level constructs such as unions, structures, variable sized structures and low level constructs
such as bitfields (New Material 2003)
Stack variables keep track of your local variables.
Graphing: through a VCG port. Graphing as it stands in version 4.21. Graphing Tutorial (New Material 2003)
Program Navigator Toolbar
Fully dynamic global and local labels.
Interactive register renaming makes RISC processors easy.
Auto-commenting: you can even define and use your own comments base.
Versatility: loads and disassembles virtually any file. Visit our gallery for a small subset.

COMMERCIAL
Information Updated: 06 Apr 2003

OllyDbg
Win 32
Oleh Yuschuk
http://www.ollydbg.de/

OllyDbg is a 32-bit assembler level analysing
debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly
useful in cases where source is unavailable. OllyDbg is shareware, but you can download
and use it for free. Special highlights are:
Intuitive user interface
Code analysis - traces registers, recognizes procedures, loops, API calls, switches, tables, constants and strings
Object file scanning - locates routines from object files and libraries
Allows for user-defined labels, comments and function descriptions
Understands debugging information in Borland® format
Saves patches between sessions, writes them back to executable file and updates fixups
Open architecture - allows for third-party plugins
No installation - no trash in registry or system directories
Debugs multithread applications
Attaches to running programs
Configurable disassembler, supports both MASM and IDEAL formats
MMX, 3DNow! and SSE data types and instructions, including Athlon extensions
Full UNICODE support
Dynamically recognizes ASCII and UNICODE strings - also in Delphi format!
Recognizes complex code constructs, like call to jump to procedure
Decodes calls to more than 1900 standard API and 400 C functions
Gives context-sensitive help on API functions from external help file
Sets conditional, logging, memory and hardware breakpoints
Traces program execution, logs arguments of known functions
more...

SHAREWARE
Information Updated: 06 Apr 2003

knowngoods
Web-based
The Shmoo Group
http://www.knowngoods.org/

The web interface is fairly straightforward:
point your favorite web browser here, choose an OS and enter an application name
or the full path to the file.
Command line:
knowngoods.org/search.php can be used to search for any file in the database.
This includes executables, packages, source code releases, or ISO images.

FREEWARE
Information Updated: 06 Apr 2003

OnlineDFS - Online Digital Forensics Suite
Server: Windows XP
Cyber Security Technologies Corporation
http://www.cyberstc.com

OnlineDFS enables network-based, real-time investigations of live, running computer systems. It is ideal
for rapid incident response, compliance management and e-discovery in enterprises, and for the needs of
law enforcement. OnLineDFS enables the rapid, forensically sound examination of a computer without
disrupting the operations of the enterprise. It delivers an extensive suite of functionality for the
investigation and capture of volatile and persistent data from the computer under examination.
Key benefits and features of OnLineDFS include:
- Examines running systems: The fundamental goal of OnLineDFS is to capture information from a running system,
volatile information that is lost when traditional disk duplication approaches are used. This information
includes open ports, running processes, related applications and files, network connections, listening
servers and memory. There are several vital benefits:
1. Information is gathered about the running state of the target computer that cannot be gained any other
way;
2. This information can be critical to quickly identifying a potential problem and initiating corrective
action in time to make a difference;
3. Information can be gathered cost-effectively, without disrupting the operations of the target computer.
- Begins with "triage" of the target computer, and enables an investigation to proceed wherever the
initial results lead
Target computers can include:
* Microsoft Windows XP Professional
* Microsoft Windows 2000
* Microsoft Windows Server 2003
* Microsoft Windows NT 4
* Redhat Linux 9
* Redhat Enterprise Server
* Redhat Fedora Core
* Suse Linux 8 - United Linux version
* FreeBSD 4.10
* Solaris 8 - SPARC hardware only
* Mac OS X - version 10.3
- Minimizes impact to and disruption of the target system
- Operates as inconspicuously as possible
- Offers protection from unauthorized investigations
- Requires no preloaded software
- Supports secure remote investigation
- Adheres to forensic best practices
- Provides an easy-to-use user interface
- Allows for use of third-party tools

Commercial
Information Updated: 10 Sep 2007

Last page update: 10 Sep 2007

Computer Network Defence Ltd
Information Security Consultancy and Recruiting
enquiries@securitywizardry.com
Copyright © 2004 Computer Network Defence Ltd. All Rights Reserved.

PO Box 2680, Corsham, Wiltshire, SN13 0ZR, UK
Phone 0870 3219014
International +44 (0) 1225 811806