24 Aug 2013

SANS INVESTIGATE FORENSIC TOOLKIT (SIFT) WORKSTATION V.2.14


The SANS Forensics team presents a new set of preconfigured tools for carrying out digital forensic investigations, the "SANS Investigate Forensic Toolkit" (SIFT). It is based on Ubuntu and contains a broad range of tools for today's forensic needs.


You can download it HERE. [NOTE: registration is required].

Below is a listing of everything it offers:


1. How-Tos

1.1. How To Mount a Disk Image In Read-Only Mode

1.1.1. SEE.

1.2. How To Create a Filesystem and Registry Timeline

1.2.1. SEE.

1.3. How To Create a Super Timeline

1.3.1. SEE.

1.4. How To Acquire and Mount Raw, E01, AFF Disk Images

1.4.1. SEE.

1.5. How to use the SIFT Workstation for Basic Memory Image Analysis

1.5.1. SEE.
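How-tos 1.1 and 1.4 come down to one mechanic: find the partition's byte offset in the mmls listing, then hand it to mount together with ro. The script below is an added example, not SIFT documentation or code: it parses a constructed mmls listing (sample text, not a real image) and prints the mount command. The mount_ewf.py step for E01 images and the final mount are shown only as comments, since they need the image on disk and root.

```sh
#!/bin/sh
# Added example: turn an mmls partition listing into a read-only loop mount.
# Nothing here touches a real device; the mmls output below is constructed.

# Constructed mmls output for a small image whose only partition starts at
# sector 2048, in the exact layout `mmls image.dd` prints.
sample_mmls() {
  cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   NTFS / exFAT (0x07)
EOF
}

# part_offset <slot> : read mmls output on stdin and print the byte offset
# of that slot (start sector * sector size). Exits 1 if the slot is absent.
part_offset() {
  awk -v want="$1:" '
    /^Units are in/ { sub(/-byte.*/, "", $4); secsize = $4 + 0 }
    $1 == want      { printf "%d\n", $3 * secsize; found = 1 }
    END             { exit found ? 0 : 1 }
  '
}

# mount_ro_cmd <image> <mountpoint> <offset> : print the mount command.
# ro makes the loop device read-only; noexec,nodev stop anything inside the
# evidence from being executed; noatime is belt and braces on an ro mount.
mount_ro_cmd() {
  printf 'mount -o ro,loop,noexec,nodev,noatime,offset=%s %s %s\n' "$3" "$1" "$2"
}

# Full procedure on a SIFT box (shown, not executed here):
#   E01 images first need a raw view:
#     mount_ewf.py evidence.E01 /mnt/ewf    # exposes one raw file plus metadata
#     IMAGE=/mnt/ewf/evidence               # raw file name varies by version
#   Raw / dd images are used directly:
#     IMAGE=evidence.dd
#   OFF=$(mmls "$IMAGE" | part_offset 002)
#   eval "$(mount_ro_cmd "$IMAGE" /mnt/evidence "$OFF")"
#   mount | grep /mnt/evidence              # confirm "ro" is among the options
```

The last line is the check worth keeping: read `mount`'s own view rather than trusting the command you typed, because a typo in the options silently gives you a writable mount and a changed image hash.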

2. Filesystem Support

2.1. ntfs (NTFS)
2.2. iso9660 (ISO9660 CD)
2.3. hfs (HFS+)
2.4. raw (Raw Data)
2.5. swap (Swap Space)
2.6. memory (Ram Data)
2.7. fat12 (FAT12)
2.8. fat16 (FAT16)
2.9. fat32 (FAT32)
2.10. ext2 (Ext2)
2.11. ext3 (Ext3)
2.12. ufs1 (UFS1)
2.13. ufs2 (UFS2)

3. Evidence Image File Support

3.1. raw (Single raw file (dd))
3.2. aff (Advanced Forensic Format)
3.3. afd (AFF Multiple File)
3.4. afm (AFF with external metadata)
3.5. afflib (All AFFLIB image formats (including beta ones))
3.6. ewf (Expert Witness format (encase))
3.7. split raw (Split raw files)

3.8. split ewf (Split E01 files)
3.8.1. mount_ewf.py ‐ mount E01 image/split images to view single raw file and metadata

4. Partition Table Support

4.1. dos (DOS Partition Table)
4.2. mac (MAC Partition Map)
4.3. bsd (BSD Disk Label)
4.4. sun (Sun Volume Table of Contents (Solaris))
4.5. gpt (GUID Partition Table (EFI))

5. Digital Evidence Acquisition

5.1. guymager ‐ GUI Imager
5.1.1. http://guymager.sourceforge.net/.

5.2. linen ‐ Guidance Image
5.2.1. http://www.forensicswiki.org/wiki/LinEn.

5.3. dd ‐ dd, sometimes called GNU dd, is the oldest imaging tool still used.

5.4. ddrescue ‐ ddrescue is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors." The application is developed as part of the GNU project and was written with UNIX/Linux in mind.
5.4.1. http://www.gnu.org/software/ddrescue/ddrescue.html

5.5. dc3dd ‐ dc3dd is a patched version of GNU dd with added features for computer forensics.
5.5.1. http://dc3dd.sourceforge.net/

5.6. dcfldd ‐ dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab.
5.6.1. http://dcfldd.sourceforge.net/

5.7. sdd
5.7.1. http://linux.maruhn.com/sec/sdd.html

5.8. ewfacquire ‐ create EWF (E01) file format images
5.8.1. http://linux.die.net/man/1/ewfacquire
5.8.2. http://www.forensicswiki.org/wiki/Libewf

5.9. aimage ‐ aimage can create files in raw, AFF, AFD, or AFM formats. AFF and AFD formats can be compressed or uncompressed. aimage can optionally compress and calculate MD5 or SHA‐1 hash residues while the data is being copied.
5.9.1. http://www.afflib.org/aimage.php
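The dd family in section 5 differs mainly in what each tool does on a read error and whether it hashes while copying. The added example below (my code, not SIFT's) images a constructed file with the classic `dd ... conv=noerror,sync` invocation and then compares SHA-256 of source and image. It also shows the padding trap: `sync` rounds a short final block up to `bs`, so a source whose size is not a multiple of the block size never hashes equal to its image. A whole disk is always a whole number of sectors, so this rarely bites on a device, but it does with files, partitions or a `bs` larger than the sector size; dc3dd and dcfldd hash as they copy and log the result, which is why they are preferred.

```sh
#!/bin/sh
# Added example: image with dd and verify the copy by hash.
# Works on ordinary files so it runs without a device or root.

# acquire_and_verify <source> <image> : copy with the classic forensic dd
# options (noerror = keep going past read errors, sync = pad a short or
# failed block with zeros so offsets stay aligned), then compare SHA-256 of
# both sides. Prints MATCH or MISMATCH and writes <image>.sha256 as the record.
acquire_and_verify() {
  src=$1; img=$2
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  img_hash=$(sha256sum "$img" | cut -d' ' -f1)
  printf 'source %s  %s\nimage  %s  %s\n' "$src_hash" "$src" "$img_hash" "$img" >"$img.sha256"
  if [ "$src_hash" = "$img_hash" ]; then echo MATCH; else echo MISMATCH; fi
}

# padding_bytes <source> <image> : how many zero bytes sync appended.
padding_bytes() {
  echo $(( $(wc -c <"$2") - $(wc -c <"$1") ))
}

# demo : constructed inputs showing both outcomes (4096-byte source matches,
# an 18-byte source is padded to 512 and does not).
demo() {
  d=$(mktemp -d)
  dd if=/dev/zero of="$d/aligned.bin" bs=512 count=8 2>/dev/null
  printf 'partial last block' >"$d/odd.bin"
  echo "aligned: $(acquire_and_verify "$d/aligned.bin" "$d/aligned.dd")"
  echo "odd:     $(acquire_and_verify "$d/odd.bin" "$d/odd.dd")" \
       "($(padding_bytes "$d/odd.bin" "$d/odd.dd") bytes of padding)"
  rm -rf "$d"
}

# The same acquisition with the tools SIFT ships, which hash during the copy
# and log it (shown, not run here; needs a device and root):
#   dc3dd  if=/dev/sdb of=evidence.dd hash=sha256 log=evidence.log
#   dcfldd if=/dev/sdb of=evidence.dd hash=sha256 hashlog=evidence.hash
#   ewfacquire /dev/sdb        # interactive; stores the hash inside the E01
#   ewfverify  evidence.E01    # recomputes and compares the stored hash
```

Hash the source and the image independently and keep both values with the case notes; a hash computed only over the image proves nothing about whether the copy is faithful.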

6. Media Management

6.1. ewflib

6.1.1. SEE.

6.1.2. ewfacquire ‐ ewfacquire to acquire data from a file or device and store it in the EWF format
6.1.3. ewfexport ‐ ewfexport to export data from the EWF format (Expert Witness Compression Format) to raw data or another EWF format.
6.1.4. ewfverify ‐ ewfverify to verify data stored in the EWF format (Expert Witness Compression Format).
6.1.5. ewfinfo ‐ ewfinfo to determine information about the EWF format
6.1.6. mount_ewf.pl ‐ mount EWF format images/split images to view single raw file and metadata

6.2. afflib
6.2.1. http://www.afflib.org/aimage.php
6.2.2. aimage ‐ aimage to acquire data from a file or device and store it in the AFF format
6.2.3. afcat ‐ Output contents of an image file to stdout
6.2.4. afconvert ‐ Convert AFF images to Raw or Raw to AFF image
6.2.5. afuse ‐ mount AFF format images/split images to view single raw file and metadata

7. Mounting Disk Images

7.1. ntfs3g ‐ http://www.tuxera.com/community/ntfs‐3g‐download/
7.2. http://blogs.sans.org/computer‐forensics/2009/02/19/digital‐forensic‐sifting‐how‐to‐perform‐a‐readonly‐mount‐of‐evidence/mount‐of‐evidence/

8. Hashing Tools

8.1. http://md5deep.sourceforge.net/
8.2. md5deep ‐ Compute and compare MD5 message digests
8.3. sha1deep ‐ Compute and compare SHA‐1 message digests
8.4. sha256deep ‐ Compute and compare SHA‐256 message digests
8.5. tigerdeep ‐ Compute and compare Tiger message digests
8.6. whirlpooldeep ‐ Compute and compare Whirlpool message digests
8.7. hashdeep ‐ Compute, compare, or audit multiple message digests

8.8. Fuzzy Hashing
8.8.1. ssdeep ‐ Computes context triggered piecewise hashes
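hashdeep's audit mode (`hashdeep -a -k known.txt -r dir`) is the everyday use of section 8: hash a known-good tree once, re-hash it later, and list what changed, vanished or appeared. The added example below is my code, not SIFT's or hashdeep's; it reproduces that audit with coreutils sha256sum so it runs anywhere. Paths containing whitespace are outside what the awk field split handles; the real tool copes with them.

```sh
#!/bin/sh
# Added example: hashdeep-style baseline and audit with sha256sum.

# hash_baseline <dir> <manifest> : record the SHA-256 of every regular file
# under dir, paths relative to dir, sorted so two manifests diff cleanly.
hash_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) >"$2"
}

# hash_audit <dir> <manifest> : re-hash dir and classify each path as
# ok / changed / missing / new against the manifest, one line per path.
hash_audit() {
  now=$(mktemp)
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) >"$now"
  awk '
    NR == FNR { base[$2] = $1; next }            # first file: the manifest
    {
      if (!($2 in base))        print "new     " $2
      else if (base[$2] == $1)  print "ok      " $2
      else                      print "changed " $2
      seen[$2] = 1
    }
    END { for (p in base) if (!(p in seen)) print "missing " p }
  ' "$2" "$now" | LC_ALL=C sort -k2
  rm -f "$now"
}

# Typical use on a SIFT box (shown, not run): baseline the mounted evidence
# once, then audit after tool runs to prove the mount really was read-only,
# or audit a live system against a gold image manifest.
#   hash_baseline /mnt/evidence evidence.sha256
#   hash_audit    /mnt/evidence evidence.sha256 | grep -v '^ok'
```

Filtering out the `ok` lines is the normal way to read the report: on a read-only mount the filtered output should be empty, and anything left is either a mount that was not read-only or a file the baseline did not cover.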

9. Disk Analysis ‐ Sleuthkit Tools

9.1. http://www.sleuthkit.org/

9.2. Media Management Layer
9.2.1. mmls ‐ Display the partition layout of a volume system (partition tables)
9.2.2. mmstat ‐ Display details about the volume system (partition tables)
9.2.3. disk_stat ‐ Check for Host Protected Area (HPA)
9.2.4. disk_sreset ‐ remove HPA

9.3. Data Layer
9.3.1. blkls ‐ List or output file system data units.
9.3.2. blkstat ‐ Display details of a file system data unit (i.e. block or sector)
9.3.3. blkcat ‐ Display the contents of file system data unit in a disk image.
9.3.4. blkcalc ‐ Converts between unallocated disk unit numbers and regular disk unit numbers
9.3.5. srch_strings ‐ print out ascii or unicode strings from a raw file
9.3.6. grep ‐ search for strings from a dirty_words list or a file

9.4. Metadata Layer
9.4.1. istat ‐ Display details of a meta‐data structure (i.e. inode)
9.4.2. ils ‐ List inode information
9.4.3. icat ‐ Output the contents of a file based on its inode number
9.4.4. ifind ‐ Find the meta‐data structure that has allocated a given disk unit or file name
9.4.5. analyzeMFT.py ‐ parse MFT structure pulling out all metadata into csv file
9.4.5.1. http://integriography.wordpress.com/2010/01/20/analyzemft‐a‐python‐tool‐to‐deconstructthe‐windows‐ntfs‐mft‐file/

9.5. Filename Layer
9.5.1. fls ‐ List file and directory names in a disk image
9.5.2. ffind ‐ Finds the name of the file or directory using a given inode

9.6. Timeline Analysis ‐ http://blogs.sans.org/computer‐forensics/2010/03/19/digital‐forensic‐sifting‐supertimeline‐analysis‐and‐creation/?utm_source=rss&utm_medium=rss&utm_campaign=digital‐forensicsifting‐super‐timeline‐analysis‐and‐creation
9.6.1. fls ‐ List file and directory names in a disk image
9.6.2. mac‐robber
9.6.3. regtime.pl ‐ list registry key last write times in a hive file
9.6.4. timescanner ‐ A recursive scanner to produce timeline data extracted from file artifacts

9.6.5. log2timeline ‐ a log file parser that produces a body file used to create timelines (for forensic investigations)
9.6.5.1. Log2timeline/Timescanner output formats
9.6.5.1.1. cef Output timeline using the ArcSight Common Event Format (CEF)
9.6.5.1.2. cftl Output timeline in a XML format that can be read by CFTL
9.6.5.1.3. csv Output timeline using CSV (Comma Separated Value) file
9.6.5.1.4. mactime Output timeline using mactime format
9.6.5.1.5. mactime_l Output timeline using this particular output method
9.6.5.1.6. simile Output timeline in a XML format that can be read by a SIMILE widget
9.6.5.1.7. sqlite Output timeline into a SQLite database
9.6.5.1.8. tln Output timeline using H. Carvey's TLN format

9.6.5.2. Log2timeline/Timescanner Parsing Formats
9.6.5.2.1. chrome Parse the content of a Chrome history file
9.6.5.2.2. evt Parse the content of a Windows 2k/XP/2k3 Event Log
9.6.5.2.3. evtx Parse the content of a Windows Event Log File (EVTX)
9.6.5.2.4. exif Extract metadata information from files using ExifTool
9.6.5.2.5. ff_bookmark Parse the content of a Firefox bookmark file
9.6.5.2.6. firefox3 0.7 Parse the content of a Firefox 3 history file
9.6.5.2.7. iehistory Parse the content of an index.dat file containing IE history
9.6.5.2.8. iis Parse the content of a IIS W3C log file
9.6.5.2.9. isatxt Parse the content of a ISA text export log file
9.6.5.2.10. mactime Parse the content of a body file in the mactime format
9.6.5.2.11. mcafee Parse the content of a log file
9.6.5.2.12. opera Parse the content of an Opera's global history file
9.6.5.2.13. oxml Parse the content of an OpenXML document (Office 2007 documents)
9.6.5.2.14. pcap Parse the content of a PCAP file
9.6.5.2.15. pdf Parse some of the available PDF document metadata
9.6.5.2.16. prefetch Parse the content of the Prefetch directory
9.6.5.2.17. recycler Parse the content of the recycle bin directory
9.6.5.2.18. restore Parse the content of the restore point directory
9.6.5.2.19. setupapi Parse the content of the SetupAPI log file in Windows XP
9.6.5.2.20. sol Parse the content of a .sol (LSO) or a Flash cookie file
9.6.5.2.21. squid Parse the content of a Squid access log (http_emulate off)
9.6.5.2.22. tln Parse the content of a body file in the TLN format
9.6.5.2.23. userassist Parses the UserAssist Active Desktop key (part of NTUSER.DAT file)
9.6.5.2.24. win_link Parse the content of a Windows shortcut file (or a link file)
9.6.5.2.25. xpfirewall Parse the content of a XP Firewall log
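The body file is the hinge of section 9.6: fls -m, mac-robber and log2timeline all emit it, and mactime turns it into the timeline. The added example below is my code, not SIFT's or The Sleuth Kit's: a minimal mactime in awk over a constructed body file (three invented NTFS entries, not from a real image), producing one line per distinct timestamp with the MACB flags, plus one check worth running on any body file: entries whose modification time predates their creation time.

```sh
#!/bin/sh
# Added example: a minimal mactime over a constructed TSK body file.
# Body format (TSK 3.x): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime

# Constructed sample: a dropped executable, its prefetch file, and a driver
# whose mtime (2008) is years older than its creation time (2013).
sample_body() {
  cat <<'EOF'
0|C:/Windows/Prefetch/EVIL.EXE-1A2B3C4D.pf|40211-128-1|r/rrwxrwxrwx|0|0|4120|1376352000|1376351990|1376351990|1376351990
0|C:/Users/victim/AppData/Local/Temp/evil.exe|40210-128-1|r/rrwxrwxrwx|0|0|73728|1376351985|1376351970|1376351980|1376351960
0|C:/Windows/System32/drivers/rootk.sys|9001-128-1|r/rrwxrwxrwx|0|0|20480|1376351999|1200000000|1376351995|1376351995
EOF
}

# mactime_lite : body file on stdin -> timeline on stdout, sorted by time.
# Output columns: epoch|MACB|mode|uid|gid|inode|size|name. Like mactime, one
# line per distinct timestamp of an entry, with m/a/c/b set for every
# timestamp type that shares that value.
mactime_lite() {
  awk -F'|' '
    NF >= 11 {
      t[1] = $9; t[2] = $8; t[3] = $10; t[4] = $11     # m a c b
      split("", done)
      for (i = 1; i <= 4; i++) {
        ts = t[i] + 0
        if (ts == 0 || ts in done) continue           # 0 = unset in TSK output
        done[ts] = 1
        flags = (ts == $9+0 ? "m" : ".") (ts == $8+0 ? "a" : ".") (ts == $10+0 ? "c" : ".") (ts == $11+0 ? "b" : ".")
        printf "%d|%s|%s|%s|%s|%s|%s|%s\n", ts, flags, $4, $5, $6, $3, $7, $2
      }
    }' | LC_ALL=C sort -t'|' -k1,1n -k8,8
}

# mtime_before_crtime : names of entries modified "before" they were created.
# Installers and copies that preserve mtime do this legitimately, so it is a
# lead to check against the $FILE_NAME times (istat), not proof of timestomping.
mtime_before_crtime() {
  awk -F'|' 'NF >= 11 && $9+0 > 0 && $11+0 > 0 && $9+0 < $11+0 { print $2 }'
}

# On SIFT the real pipeline is (shown, not run; needs the image):
#   fls -r -m C: -o 2048 evidence.dd > body.txt
#   mactime -b body.txt -d -z UTC 2013-08-01..2013-08-31 > timeline.csv
#   mtime_before_crtime < body.txt
```

The body file carries $STANDARD_INFORMATION timestamps only; mactime cannot see the $FILE_NAME copies, which is why the mtime-before-crtime list is a starting point for istat rather than a finding on its own.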

10. Artifact Analysis

10.1. missidentify ‐ Find executable files without an executable extension
10.2. Galetta ‐ a ms‐windows cookies analyzer
10.3. Pasco ‐ a ms‐windows IExplorer cache analyzer
10.4. Rifiuti ‐ a ms‐windows trashcan analyzer
10.5. mdbtools ‐ playing with MS mdb access databases
10.6. antiword ‐ show the text and images of MS Word documents
10.7. exiftool ‐ metadata extractor (over 400 file types)
10.8. extract ‐ keyword extractor
10.9. lslnk ‐ list link file metadata information
10.10. pref.pl ‐ list prefetch directory information
10.11. reglookup
10.12. vinetto ‐ parse thumbs.db files

10.13. Windows Event Log Analysis
10.13.1. GrokEVT ‐ parse windows event logs
10.13.1.1. http://projects.sentinelchicken.org/grokevt/

10.13.2. Evtxtools ‐ Parse EVTX event logs
10.13.2.1. http://computer.forensikblog.de/en/2010/02/evtx_parser_1_0_3.html#more

11. Registry Analysis

11.1. recover_deleted_registry_keys.pl ‐ recover unallocated keys and key slack from a registry hive

11.2. ripxp.pl ‐ Windows XP Restore Point Parser
11.2.1. www.regripper.net
11.3. rip.pl ‐ regripper

11.3.1. www.regripper.net

11.3.2. Regripper Plugins
11.3.2.1. appinitdlls [Software] ‐ Gets contents of AppInit_DLLs value
11.3.2.2. cmd_shell [Software] ‐ Gets shell open cmds for various file types
11.3.2.3. mspaper [NTUSER.DAT] ‐ Gets images listed in user's MSPaper key
11.3.2.4. usb [System] ‐ Get USB subkeys info; csv output
11.3.2.5. acmru [NTUSER.DAT] ‐ Gets contents of user's ACMru key
11.3.2.6. logonusername [NTUSER.DAT] ‐ Get user's Logon User Name value
11.3.2.7. winzip [NTUSER.DAT] ‐ Get WinZip extract and filemenu values
11.3.2.8. controlpanel [NTUSER.DAT] ‐ Look for RecentTask* values in ControlPanel key (Vista)
11.3.2.9. mountdev2 [System] ‐ Return contents of System hive MountedDevices key
11.3.2.10. recentdocs [NTUSER.DAT] ‐ Gets contents of user's RecentDocs key
11.3.2.11. adoberdr [NTUSER.DAT] ‐ Gets user's Adobe Reader cRecentFiles values
11.3.2.12. usbstor2 [System] ‐ Get USBStor key info; csv output
11.3.2.13. bitbucket [Software] ‐ Get HKLM\..\BitBucket keys\values
11.3.2.14. muicache [NTUSER.DAT] ‐ Gets EXEs from user's MUICache key
11.3.2.15. bho [Software] ‐ Gets Browser Helper Objects from Software hive
11.3.2.16. listsoft [NTUSER.DAT] ‐ Lists contents of user's Software key
11.3.2.17. user_win [NTUSER.DAT] ‐ ‐‐
11.3.2.18. applets [NTUSER.DAT] ‐ Gets contents of user's Applets key
11.3.2.19. mmc [NTUSER.DAT] ‐ Get contents of user's MMC\Recent File List key
11.3.2.20. tsclient [NTUSER.DAT] ‐ Displays contents of user's Terminal Server Client\Default key
11.3.2.21. apppaths [Software] ‐ Gets content of App Paths key
11.3.2.22. timezone [System] ‐ Get TimeZoneInformation key contents
11.3.2.23. logon_xp_run [NTUSER.DAT] ‐ Autostart ‐ Get XP user logon Run key contents from NTUSER.DAT hive
11.3.2.24. auditpol [Security] ‐ Get audit policy from the Security hive file
11.3.2.25. devclass [System] ‐ Get USB device info from the DeviceClasses keys in the System hive
11.3.2.26. winlogon [Software] ‐ Get values from the WinLogon key
11.3.2.27. shutdown [System] ‐ Gets ShutdownTime value from System hive
11.3.2.28. typedurls [NTUSER.DAT] ‐ Returns contents of user's TypedURLs key.
11.3.2.29. comdlg32 [NTUSER.DAT] ‐ Gets contents of user's ComDlg32 key
11.3.2.30. winnt_cv v.20080609 [Software]‐ Get and display the contents of the Windows\CurrentVersion key
11.3.2.31. network [System] ‐ Gets info from System\Control\Network GUIDs
11.3.2.32. vista_bitbucket [NTUSER.DAT] ‐ Get BitBucket settings from Vista via NTUSER.DAT
11.3.2.33. mountdev [System] ‐ Return contents of System hive MountedDevices key
11.3.2.34. ssid [Software] ‐ Get WZCSVC SSID Info
11.3.2.35. regtime [All] ‐ Dumps entire hive, all keys sorted by LastWrite time
11.3.2.36. usbstor [System] ‐ Get USBStor key info
11.3.2.37. aim [NTUSER.DAT] ‐ Gets info from the AOL Instant Messenger (not AIM) install
11.3.2.38. compdesc [NTUSER.DAT] ‐ Gets contents of user's ComputerDescriptions key
11.3.2.39. fileexts [NTUSER.DAT] ‐ Get user FileExts values
11.3.2.40. mp2 [NTUSER.DAT] ‐ Gets user's MountPoints2 key contents
11.3.2.41. shares [System] ‐ Get list of shares from System hive file
11.3.2.42. realplayer6 [NTUSER.DAT] ‐ Gets user's RealPlayer v6 MostRecentClips(Default) values
11.3.2.43. services [System] ‐ Lists services/drivers in Services key by LastWrite times
11.3.2.44. uninstall [Software] ‐ Gets contents of Uninstall key from Software hive
11.3.2.45. ide [System] ‐ Get IDE device info from the System hive file
11.3.2.46. mndmru [NTUSER.DAT] ‐ Get contents of user's Map Network Drive MRU
11.3.2.47. user_run [NTUSER.DAT] ‐ Autostart ‐ get Run key contents from NTUSER.DAT hive
11.3.2.48. userassist [NTUSER.DAT] ‐ Displays contents of UserAssist Active Desktop key
11.3.2.49. imagedev [System] ‐ ‐‐
11.3.2.50. networkcards [Software] ‐ Get NetworkCards
11.3.2.51. wallpaper [NTUSER.DAT] ‐ Parses Wallpaper MRU Entries
11.3.2.52. profilelist [Software] ‐ Get content of ProfileList key
11.3.2.53. compname [System] ‐ Gets ComputerName value from System hive
11.3.2.54. fw_config [System] ‐ Gets the Windows Firewall config from the System hive
11.3.2.55. vncviewer [NTUSER.DAT] ‐ Get VNCViewer system list
11.3.2.56. assoc [Software] ‐ Get list of file ext associations
11.3.2.57. shutdowncount [System] ‐ Retrieves ShutDownCount value
11.3.2.58. userinit [Software] ‐ Gets UserInit value
11.3.2.59. svc [System] ‐ Lists services/drivers in Services key by LastWrite times, short format
11.3.2.60. imagefile [Software] ‐ Gets Image File Execution Options subkeys w/ Debugger value
11.3.2.61. removdev [Software] ‐ Parses Windows Portable Devices key (Vista)
11.3.2.62. mrt [Software] ‐ Check to see if Malicious Software Removal Tool has been run
11.3.2.63. samparse [SAM] ‐ Parse SAM file for user/group mbrshp info
11.3.2.64. snapshot [Software] ‐ Check ActiveX comp kill bit; Access Snapshot
11.3.2.65. termserv [System] ‐ Gets fDenyTSConnections value from System hive
11.3.2.66. nic_mst2 [System] ‐ Gets NICs from System hive; looks for MediaType = 2
11.3.2.67. mpmru [NTUSER.DAT] ‐ Gets user's Media Player RecentFileList values
11.3.2.68. officedocs [NTUSER.DAT] ‐ Gets contents of user's Office doc MRU keys
11.3.2.69. winrar [NTUSER.DAT] ‐ Get WinRAR\ArcHistory entries
11.3.2.70. runmru [NTUSER.DAT] ‐ Gets contents of user's RunMRU key
11.3.2.71. soft_run [Software] ‐ Autostart ‐ get Run key contents from Software hive

12. RAM Analysis

12.1. pdfbook ‐ extract facebook chats from ram
12.1.1. http://blogs.sans.org/computer‐forensics/2009/11/20/facebook‐memory‐forensics/

12.2. pdgmail ‐ extract gmail from ram
12.2.1. http://blogs.sans.org/computer‐forensics/2008/10/20/pdgmail‐new‐tool‐for‐gmail‐memoryforensics/

12.3. pdymail ‐ extract yahoo mail from ram
12.3.1. http://blogs.sans.org/computer‐forensics/2009/01/12/pdymail‐yahoo‐mail‐in‐memory/

12.4. skypeex ‐ recover skype chat from ram
12.4.1. http://nickfurneaux.blogspot.com/2010/03/skype‐chat‐carver‐from‐ram‐skypeex.html

12.5. volatility ‐ https://www.volatilesystems.com/default/volatility
12.5.1. connections Print list of open connections
12.5.2. connscan Scan for connection objects
12.5.3. connscan2 Scan for connection objects (New)
12.5.4. datetime Get date/time information for image
12.5.5. dlllist Print list of loaded dlls for each process
12.5.6. dmp2raw Convert a crash dump to a raw dump
12.5.7. dmpchk Dump crash dump information
12.5.8. files Print list of open files for each process
12.5.9. hibinfo Convert hibernation file to linear raw image
12.5.10. ident Identify image properties
12.5.11. memdmp Dump the addressable memory for a process
12.5.12. memmap Print the memory map
12.5.13. modscan Scan for modules
12.5.14. modscan2 Scan for module objects (New)
12.5.15. modules Print list of loaded modules
12.5.16. procdump Dump a process to an executable sample
12.5.17. pslist Print list of running processes
12.5.18. psscan Scan for EPROCESS objects
12.5.19. psscan2 Scan for process objects (New)
12.5.20. raw2dmp Convert a raw dump to a crash dump
12.5.21. regobjkeys Print list of open regkeys for each process
12.5.22. sockets Print list of open sockets
12.5.23. sockscan Scan for socket objects
12.5.24. sockscan2 Scan for socket objects (New)
12.5.25. strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
12.5.26. thrdscan Scan for ETHREAD objects
12.5.27. thrdscan2 Scan for thread objects (New)
12.5.28. vaddump Dump the Vad sections to files
12.5.29. vadinfo Dump the VAD info
12.5.30. vadwalk Walk the vad tree

12.6. volatility plugins
12.6.1. apihooks [VAP] Detect API hooks in user and/or kernel space
12.6.2. cachedump Dump (decrypted) domain hashes from the registry
12.6.3. cryptoscan Find TrueCrypt passphrases
12.6.4. driverscan Scan for driver objects
12.6.5. fileobjscan Scan for file objects
12.6.6. getsids Print the SIDs owning each process
12.6.7. hashdump Dump (decrypted) LM and NT hashes from the registry
12.6.8. hivedump Dump registry hives to CSV
12.6.9. hivelist Print list of registry hives
12.6.10. hivescan Scan for _CMHIVE objects (registry hives)
12.6.11. idt [VAP] Print Interrupt Descriptor Table (IDT) entries
12.6.12. keyboardbuffer Print BIOS keyboard buffer
12.6.13. ldr_modules [VAP] Detect unlinked LDR_MODULE using mapped file names
12.6.14. lsadump Dump (decrypted) LSA secrets from the registry
12.6.15. malfind Dump and rebuild executables
12.6.16. malfind2 [VAP] Detect hidden and injected code
12.6.17. moddump Dump loaded kernel modules to disk.
12.6.18. mutantscan Scan for mutant (mutex) objects
12.6.19. orphan_threads [VAP] Find kernel threads that don't map back to loaded modules
12.6.20. printkey Print a registry key, and its subkeys and values
12.6.21. pstree
12.6.22. ssdt Display SSDT entries
12.6.23. suspicious Find suspicious command lines and display them
12.6.24. symlinkobjscan Scan for symbolic link objects
12.6.25. thread_queues Print message queues for each thread
12.6.26. volshell Shell in the memory image

13. Data Carving

13.1. foremost ‐ carve files based on headers/footers/max length
13.2. magicrescue
13.3. safecopy
13.4. testdisk
13.5. rapier ‐

14. Compression Tools

14.1. p7zip ‐ Wrapper on 7zr, a 7‐zip file archiver with high compression ratio
14.2. rar ‐ archive files with compression
14.3. unrar ‐ extract files from rar archives
14.4. gzrecover
14.5. bzip/bzip2

15. Malware Analysis

15.1. yara ‐ find files matching patterns and rules written in a special‐purpose language

16. PDF Tools

16.1. pdfid.py ‐ differentiate between PDF documents that could be malicious and those that are most likely not
16.1.1. http://blog.didierstevens.com/2009/03/31/pdfid/

16.2. pdf‐parser.py ‐ parse a PDF document to identify the fundamental elements used in the analyzed file
16.2.1. http://blog.didierstevens.com/programs/pdf‐tools/
16.2.2. http://blog.didierstevens.com/2008/10/20/analyzing‐a‐malicious‐pdf‐file/

16.3. make‐pdf‐javascript.py ‐ create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document
16.3.1. http://blog.didierstevens.com/programs/pdf‐tools/

16.4. pdftohtml ‐ program to convert pdf files into html, xml and png images
16.5. pdfinfo ‐ Portable Document Format (PDF) document information extractor
16.6. pdfimages ‐ Portable Document Format (PDF) image extractor
16.7. pdftotext ‐ Portable Document Format (PDF) to text converter

17. F‐Response Compatibility

17.1. iSCSI

18. GUI Forensic Analysis

18.1. Autopsy
18.1.1. http://www.sleuthkit.org/autopsy/

18.2. PTK
18.2.1. http://ptk.dflabs.com/

18.3. PyFLAG
18.3.1. http://www.pyflag.net/cgi‐bin/moin.cgi

19. Anti‐Virus

19.1. ClamAV ‐ Anti‐Virus
19.1.1. http://www.clamav.net/lang/en/

19.2. rkhunter ‐ Rootkit Hunter
19.2.1. http://www.rootkit.nl/

19.3. chkrootkit
19.3.1. http://www.chkrootkit.org/

20. Password Crackers

20.1. CmosPwd ‐ BIOS Cracker 5.0
20.2. john the ripper (john ‐ a tool to find weak passwords of your users)
20.3. samdump : a tool to extract password hashes from MS Windows registry files
20.4. bkhive ‐‐ dumps the syskey bootkey from a Windows NT/2K/XP/Vista system hive
20.5. fcrackzip ‐ a Free/Fast Zip Password Cracker

20.6. ophcrack ‐ Cracks Windows passwords with Rainbow tables
20.6.1. http://ophcrack.sourceforge.net/

21. Stego

21.1. outguess ‐ universal steganographic tool

21.1.1. stegbreak
21.1.2. stegcompare
21.1.3. stegdeimage
21.1.4. stegdetect

22. Crypto

22.1. cryptcat ‐ twofish encryption enabled version of nc
22.2. outguess ‐ universal steganographic tool
22.3. bcrypt ‐ blowfish file encryption
22.4. ccrypt ‐ encrypt and decrypt files and streams

23. Mail

23.1. readpst ‐ convert PST (MS Outlook Personal Folders) files to mbox and other formats
23.2. bulk_extractor ‐ create histogram of email addresses on a hard drive

24. Network Forensics

24.1. Snort ‐ open source network intrusion detection system
24.2. tcpdump ‐ dump traffic on a network
24.3. wireshark ‐ Interactively dump and analyze network traffic
24.4. ettercap ‐ A multipurpose sniffer/content filter for man in the middle attacks
24.5. driftnet ‐ capture images from network traffic and display them in an Xwindow; optionally, capture audio streams and play them.
24.6. tcpreplay ‐ Replay network traffic stored in pcap files
24.7. tcpxtract ‐ extract files from captured network packets
24.8. tcptrack ‐ Monitor TCP connections on the network
24.9. tcpflow ‐ TCP flow recorder
24.10. p0f ‐ identify remote systems passively
24.11. arping ‐ send ARP REQUEST to a neighbour host
24.12. ngrep ‐ network grep
24.13. netwox ‐ examples/tools of the network library netwib
24.14. lft ‐ display the route packets take to a network host/socket; optionally show heuristic network information in transit.
24.15. netsed ‐ network packet stream editor
24.16. socat ‐ Multipurpose relay (SOcket CAT)
24.17. oftcat ‐ OFT package, which is a package created by AIM when sending files over the network
24.18. pcapcat ‐ reads a PCAP file and prints out all the connections in the file and gives the user the option of dumping the content of the TCP stream.
24.19. findsmtpinfo.py ‐ script creates a report of the SMTP information, stores any emails in msg format, stores any attachments from the emails, decompresses them if they are a compressed format (zip, docx), checks MD5 hashes of all files including the msg files.

25. Network Scanning

25.1. knocker ‐ An easy to use network security port scanner
25.2. nikto ‐ web security scanner
25.3. nbtscan ‐ program for scanning networks for NetBIOS name information

26. Utilities

26.1. winexe ‐ psexec for linux
26.1.1. http://eol.ovh.org/winexe/

26.2. ent ‐ entropy calculator
26.3. rdesktop ‐ Remote Desktop Protocol client
26.4. seahorse ‐ manage and examine key files
26.5. uni2ascii ‐ convert UTF‐8 Unicode to various 7‐bit ASCII representations
26.6. sqlite ‐ A command line interface for SQLite
26.7. bless ‐ hex editor
26.8. ghex2 ‐ hex editor


