Forensic Software
Selected tools for Linux/Unix and Windows
- FileAlyzer
- RunAlyzer
- X-Ways Trace
- foremost
- Ontrack Easyrecovery Datarecovery
- Ontrack Easyrecovery Professional Filerecovery
- PC Inspector Smart Recovery
- scalpel
- testdisk & photorec
- fatback
- Paraben-Forensics E-Mail-Examiner
- Autopsy
- Sleuthkit
- ssdeep
- SSDeepFE
- sha1deep & sha256deep & md5deep
- sha1sum
- WinHex
- explore2fs
- Ext2IFS_1_10c
- dd
- LiveView
- MountImagePro
- Virtual Forensic Computing
- dcfldd
- dd_rescue
- mmp
- PTFinderFE
- pd
- volatools
- chaosreader
- ngrep
- nstreams
- tcpflow
- tcpxtract
- tshark
- FTK
- DCode
- unxutils
Incident Response
Tools for Linux
- arp
- cat
- date
- df
- dmesg
- grep
- hostname
- ifconfig
- last
- ls
- lsof
- lspci
- netstat
- printenv
- ps
- rpcinfo
- sysctl
- uname
- uptime
- w
- who
- extract.pl
- ir-linux.sh
Tools for Windows
- WinAudit
- cryptcat
- nc
- putty
- FTimes
- lads
- TaskMan
- ScreenHunter
- WFT
Anti-Rootkit Tools
Tools for detecting and removing rootkits on Linux/Unix, Mac OS X and Windows
- Root Kit Hunter
- chkrootkit
- Rootkit Hunter
- Rootkit Profiler
- Zeppoo
- Panda Antirootkit
- AVG
- Avira
- Darkspy
- F-Secure Blacklight
- Helios und Helios Lite
- ICESword
- Trend Micro
- Sophos
- System Virginity Verifier
- UnHackMe
Computer Forensics
A random list of other computer forensics blogs
- Hogfly’s computer forensics blog
- Harlan Carvey (the windows forensics guy) Windows Incident Response Blog
- Jesse Kornblum’s A Geek Raised by Wolves
- Andreas Schuster (the memory analysis guy) int for(ensic){blog;}
- Mark McKinnon Computer Forensics/E-Discovery Tips/Tricks and Information
- Forensic Focus
- Forensic Computing
- Security Monkey’s A Day in the Life of an Information Security Investigator
- Checkmate, a blog on Incident Response and Digital Forensics
- Bill Ethridge’s World of Replicants
- Robert Hensing’s Blog about malware analysis and other stuff
- Joanna Rutkowska and her blog about malware and rootkits
- Didier Stevens’ blog mainly about computer forensics topics
If you want to dig deeper:
- Undocumented Windows 2000 “Secrets”
- Microsoft’s Fundamental Computer Investigation Guide For Windows
- List of Forensics CDs
- Cellphone forensics work sheet on forensiczone.com
- Malware Analysis Tool List - A compilation from SANS ISC
- Cell Phone Forensic Tools: An overview and analysis from NIST
- Forensic memory dumping intricacies - PhysicalMemory, DD, and caching issues by Arne Vidstrom
- NIST test results for Hardware Write Block Devices (Main HW testing tool page from NIST)
- not that fresh but useful detailed information about SAM issues
- interesting articles on Windows Incident Response
- from the United States Secret Service on how to recognize digital evidence: Recognizing Potential Evidence
- interesting article about iPod forensics
- Windows Security Logging and Other Esoterica
- Rootkit.com: The Online Rootkit Magazine
- computer forensics blog of Andreas Schuster English German
- Computer Forensics for Lawyers Who Can’t Set the Clock on Their VCR
- Microsoft Metadata Forensics
- Mounting disks with Linux’s loopback device
- background information about CD-R/CD-RW
- looking for a specific windows eventlog ID?
- The “Tools proven in court” Question
- Know your Enemy: Phishing. Behind the Scenes of Phishing Attacks
- Web Browser Forensics
- Writing an Incident Handling and Recovery Plan
- Know your Enemy: Tracking Botnets
- RAID Reassembly - A forensic Challenge
- Dealing with Windows Eventlog
- Forensic Tools for Mac
- some Darwin Ports of Forensics Tools on Macintosh
- Guidelines for Evidence Collection and Archiving RFC3227
- PDA Forensic Tools an Overview and Analysis from NIST
- Online Forensics of Win/32 System
- Forensic Examination of Digital Evidence: A Guide for Law Enforcement
- Notes on dd and Odd Sized Disks
- finding security settings in windows registry files
- Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect’s Computer
- test results for the disk imaging tool dd from the U.S. National Institute of Justice
- an interesting testimonial about Imaging and Authentication of Computer Hard Drive or Data
- link collection about forensics with opensource tools
- File system and disk images for testing digital forensic analysis and acquisition tools by Brian Carrier
- Wayne’s Forensics and Incident Response Resources
- Pocket PC Security Resources
- Paper about disk cloning
- Setting up for Forensics. You have just been hacked! What do you do next?
- Der Cyberfahnder (german)
- WebMail Forensics
- Forensics Portal
- Metadata analysis on Mac Filesystems
- Macintosh forensic analysis using OS X
- Forensic Analysis of a Compromised Mac OS X (Client) Machine
- Link Collection to Mac Forensics
- A detailed forensic analysis of a Mac OS X system using primarily open source forensic utilities on a Mac OS X analysis system
- yet another forensic tools link collection
- Forensics with Linux 101 or How to do Forensics for Free
- Forensics and the GSM mobile telephone system
- Help! How do I recover that important file? (Dan Farmer)
- Memory Imaging and Forensic Analysis of Palm OS Devices with pdd
- forensic tool designed to capture data and report on data from a PDA
- Computer Forensic Analysis Class (Dan & Wietse)
- Firewall Forensics (What am I seeing?)
- Help! Someone has broken into my system! (Dan Farmer)
- Computer forensics can help companies uncover the digital truth
- FTP Attack Case Study
- How the FBI Investigates Computer Crime
- Anatomy of a Break-In
- The “Know Your Enemy” Series from the honeynet project: I II III
- Phrack #43: Playing Hide and Seek, Unix style (Phrack Magazine Vol.4/43, File 14 of 27)
- Phrack #59: Defeating Forensic Analysis on Unix - something that forensic investigators should know
- Electronic Crime Scene Investigation: A Guide for First Responder
- Cloning Operating Systems with dd and netcat
- Win2K First Responder’s Guide
- How to duplicate a complete PC via network
- Digital Forensic - Learning from Intrusions (german language) local copy
- Computers & Forensics on Reddy’s Forensic Page
- Computer Investigation on Zeno’s Forensic Site
- Hacker Profiling
- DD and Computer Forensics: Examples of Using DD within UNIX to Create Physical Backups
- Digital Forensic Links
- Basic Steps in Forensic Analysis of Unix Systems
- List of possible Trojan/Backdoor port activity
- The Dark Side of NTFS (NTFS alternate data streams)
- E-Evidence Information Center
- Known Goods a checksum database
- File Slack Defined
- Computer Forensics News and Discussion
- Computer Forensics Tool Testing (CFTT) Project Web Site
- Forensic Examination of a RIM (BlackBerry) Wireless Device
- Default TTL values in TCP/IP (for forensic hopcount analysis)
- another article about TTL values
- Using special names, when dd’ing images from cygwin/Windows
- Big wordlist of linux rootkits (you can use this list for keyword searches on forensic images)
- Forensics and Incident Response on SecurityFocus
- Finding Hidden Data
- Articles and Whitepapers on Computer Forensics Resource Center
- Linux Data Hiding and Recovery
- How to Design a Useful Incident Response Policy
- Detecting and Removing Malicious Code
- Recovering and Examining Computer Forensic Evidence
- The National Center for Forensic Science: Digital Evidence
- Digital Evidence: Standards and Principles
- Root Kits FAQ from Dave Dittrich
- You should take a closer look at this Root Kit List
- Clearing House for Incident Handling Tools
- Avoiding the Trial-by-Fire Approach to Security Incidents
- The File Extension Source
- Open Source Digital Forensics
- Open Source Computer Forensics Manual
Computer Forensics Hardware
- Digital Intelligence
- Forensics-Computers
- ForensicPC.com
- ICS
- Logicube
- MyKey Technology
- PC Forensics
- WiebeTECH
- Netintercept
Forensics and Incident Response bootable Linux CDs
- List of Forensics CDs
- You probably already know KNOPPIX. The bootable CD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals.
- Knoppix STD (STD: Security Tools Distribution) is a special security tools distribution with lots of forensic tools.
- F.I.R.E Forensic and Incident Response Environment Bootable CD (known as biatchux) out of maintenance!
- F.I.R.E. enhancements
- Helix is a customized distribution of the Knoppix Live Linux CD
- The Penguin Sleuth Kit Bootable CD
- Trinux
- Plan-B
- PHLAK Professional Hackers Linux Assault Kit (well, not a special forensics distro)
- Local Area Security Linux
- LNX-BBC
- INSERT (Inside Security Rescue Toolkit)
- FCCU GNU/Linux Forensic Boot CD from the Belgian Police Computer Crime Unit
- Farmer’s Boot CD
Computer Forensics Software
- Statically Stripped Incident Response and Forensic Binaries: Linux x86 Static Binaries, Solaris 2.7 Static Binaries, Win32 GNU Static Binaries
- Free Forensic Tools from NTI (New Technologies Inc.), Free Law Enforcement Suite
- Alphabetical List of Computer Forensics Products
- Forensic Software Sources
- ResponseKits First Aid Kits for Unix & Windows
- EnCase Forensic Solutions
- ListDLLs is able to show you the full path names of loaded modules
- Handle is a utility that displays information about open handles for any process in the system.
- PsList is a utility that shows you a combination of the information obtainable individually with pmon and pstat. You can view process CPU and memory information, or thread statistics.
- Procdmp.pl is a script that correlates the output of several commands that are usually run during incident response activities.
- dd for Windows
- cryptcat = netcat + encryption
- Forensic Tools and Utilities
- Recover is a utility which automates some steps as described in the Ext2fs-Undeletion howto in order to recover a lost file
- e2undel is an interactive console tool that recovers the data of deleted files on an ext2 file system under Linux
- mac-robber is a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files.
- mac_daddy MAC Time collector for forensic incident response. This toolset is a modified version of the two programs tree.pl and mactime from the Coroner’s Toolkit. This program is portable and can be run directly from a floppy or a cdrom with a perl interpreter.
- The Coroner’s Toolkit TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in
- Computer Forensics Software
- TCTUTILs is a collection of utilities that adds functionality to The Coroners Toolkit and the Autopsy Forensic Browser
- The Autopsy Forensic Browser is a graphical interface to utilities found in The Coroners Toolkit (TCT) and TCTUTILs. It allows drive images to be analyzed at a file, block, and inode level. It also allows easy searches for strings in images. New Versions: The @stake Sleuth Kit (TASK) and Autopsy Forensic Browser
- pdd (Palm dd) is a Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs. pdd will preserve the crime scene by obtaining a bit-for-bit image or “snapshot” of the Palm device’s memory contents. Such data can be used by forensic investigators, incident response teams, and criminal and civil prosecutors.
- foremost automatic file recovering
- ILook Investigator a forensic analysis tool
- Streak - the secure forensic imaging tool
- md5deep is a cross-platform program to compute MD5 message digests on an arbitrary number of files with the following features: Recursive operation, Time estimation and Comparison mode
- SectorSpy is a forensics analysis and text data recovery tool for computer hard drives and diskettes
- Win32 First Responder’s Analyzer Toolkit is a batch file developed on a SecurityFocus article highlighting the use of simple scripts on Windows32 platforms to perform basic security tasks. This script uses various Windows and 3rd Party tools to provide an effective forensic snapshot of your computer.
- PenguinBackup formerly known as “The PalmPilot single-floppy backup system”
- FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.
- HashDig technology is a collection of utilities designed to help practitioners automate the process of resolving MD5 hashes.
- IEHist dumps Internet Explorer history from index.dat files into delimited files suitable for import into other tools.
- Data recovery tools
- LADS - List Alternate DataStreams
- ASR Data - Computer Forensic Tools (SMART)
- PLAC (Portable Linux Auditing CD) is a business card sized bootable cdrom running linux. It has network auditing, disk recovery, and forensic analysis tools.
- Forensic Acquisition Utilities
- DCFL-DD - (an enhanced dd with MD5 hashing)
- Fatback - undelete files from FAT filesystems
- odessa “Open Digital Evidence Search and Seizure Architecture”
- Disk Investigator. Who needs another one?
- Perl Script to find Alternate Data Streams on NTFS
- FileDisk is a virtual disk driver for Windows NT/2000/XP that uses one or more files to emulate physical disks. A console application is included that lets you dynamically mount and unmount files. With FileDisk you can mount forensic dd-images read only for further analysis.
- Evidor is a particularly easy and convenient way for any investigator to find and gather digital evidence on computer media.
- WinHex is a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing
- Paraben’s E-Mail examiner supports many mailbox formats
- NT registry filesystem for linux
- PropertiesPlus can modify file attributes, file extensions, and the time stamps of single files, multiple files, or files contained within the folders and display the bytes allocated
- Antiword for reading ascii content of Word files
- Metadata Assistant: Finding hidden data in word and excel files
- Mount Image Pro is a tool for Computer Forensic investigations. It enables you to mount ENCASE®, Unix DD, or SMART forensic images as a drive letter on your file system.
- Like dd, dd_rescue copies data from one file or block device to another.
- AIR - Automated Image and Restore
- chaosreader can trace TCP or UDP sessions and fetch application data from tcpdump or snoop logs
- cryogenic freezes the process state of a running system
- faust (File AUdit Security Toolkit) is a perl script that helps to bash scripts and elf binaries
- FLAG Forensic and Log Analysis GUI
- FileSystem Investigator (fstools) is a platform independent file system viewer and data extraction tool written in Java
- PDASeizure is a comprehensive tool that allows PDA (PocketPC, PalmOS and Blackberry!) data to be acquired, viewed, and reported.
- File Date Time Extractor
- MailNavigator allows reading multiple Mailbox file formats
- Protected Storage Explorer is a freeware utility which allows you to view the protected storage in Windows 2000, Windows XP and Windows 2003 in an ‘explorer style’ fashion.
- CD/DVD Inspector is for forensic analysis, recovery and reporting for forensic and law enforcement use.
- accuhash for calculating checksums
- rda (Remote Data Acquisition utility) is a command line Linux tool to remotely acquire data (like disk cloning or disk/partition imaging) and verify the transfer using md5 and/or crc32 checksums
- .dat-viewer for analyzing Kazaa Traces
- DataLifter contains 10 tools to assist with Computer Forensics, Information Auditing, Information Security and Data Recovery.
- Sterilize sterilizes the media to be used for working / examination copies.
- TestDisk: Tool to check and undelete partition
- X-Ways Forensics. Must have tool if you rely on windows
- Ext2IFS mounting ext2 and ext3 volumes under windows r/w
- pmdump.exe is a tool that dumps memory for a specified process to a file (as opposed to tools like memdump and dd which dump all of the RAM at once). It is useful for analysing things that might store hidden information in memory (for example, Bots, Trojan horses or VPN clients, email clients, and instant-messaging applications).
- UndeleteSMS if you have to undelete Short Text Messages (SMS) from SIM cards
- Web Historian assists users in reviewing websites (URLs) that are stored in the history files of the most commonly used browsers.
- misc Computer Forensics Software for Criminal Investigators and Consumers from Robware.com
- CDRoller is a powerful toolset for CD/DVD data recovery.
- SilentRunners checks a windows system for trojans and other malicious software
- Paraben Forensics cell phone and SIM card investigation toolbox
- Windows Forensics and Incident Recovery: The First Responder Utility (FRU)
- Windows Forensic Toolchest (WFT)
- tcpxtract is a tool for extracting files from network traffic based on file signatures.
- Mount Image Pro is a tool for Computer Forensics investigations. It enables the mounting of EnCase, Unix DD or SMART forensic images as a drive letter on your Windows.
- Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
- Unmask is a demonstration of how to fingerprint users based only on their emails or IRC postings.
- ptfinder.pl from Andreas Schuster is a Perl script that parses through a dump of Windows physical memory searching for the different structures
- Memory forensics tools from trapkit.de: Process Dumper allows you to make a dump of a running process and Memory Parser can be used to analyse process dumps made with pd.
- Live View is a graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.
- MacForensicsLab is a complete suite of forensics and analysis tools.
- TULP2G is a free program that helps to examine cell phones and SIM cards.
- Volatools enables one to analyze memory dumps in raw (or dd) format for performing digital investigations on volatile memory images.
The Honeynet Project
To learn the tools, tactics, and motives of the blackhat community, and share those lessons learned.
Intrusion Detection Systems
- The ULTIMATELY Secure IPS
- Intrusion Detection Systems useful lists of available programs in this sector with “practical” reviews
- Eight Steps to A Working Intrusion Detection System
- FAQ: Network Intrusion Detection Systems
- FAQ: Sniffing (network, wiretap, sniffer)
- www.incidents.org by The SANS Institute
- CSI Intrusion Detection System Resource
some IDS tools
- Snort The Lightweight Network Intrusion Detection System
- Sourcefire black boxes and professional services for/with snort
- arachNIDS advanced reference archive of current heuristics for network intrusion detection systems
- chkrootkit Checker for known Rootkits
- Tripwire File integrity checker
- AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.
- RealSecure from ISS
- Cisco Secure Intrusion Detection System (formerly NetRanger)
- Intruder Alert/ NetProwler from Symantec
- Network Flight Recorder a comprehensive, integrated, intrusion detection system that protects networks and hosts from known attacks, misuse, abuse and anomalies
- NetworkIce is now ISS
- Windows NT Intruder Detection Checklist from CERT/CC
- Intrusion Detection Level Analysis of Nmap and Queso
- Article in LinuxSecurity/SecurityFocus
- Dshield.org Distributed Intrusion Detection System
- doshelp.com Intrusion & attack reporting center
- Virtual Burglar Alarm - Intrusion Detection Systems
- 50 Ways to Defeat Your Intrusion Detection System
- IDSWakeup is a false positive alarm generator for network based IDS
- Honeyd is a small daemon that creates virtual hosts on a network
- The “Know Your Enemy” Series from the honeynet project: I II III
- Justifying the Expense of IDS
- Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
- Honeypots: Tracking Hackers