Unhide : To find processes hidden by rootkits:
Unhide is a forensic tool to find processes hidden by rootkits, Linux kernel modules or by other techniques. It detects hidden processes using six techniques:
Compare /proc vs /bin/ps output
Compare info gathered from /bin/ps with info gathered by walking thru the procfs. ONLY for Linux 2.6 version
Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
Full PIDs space ocupation (PIDs bruteforcing). ONLY for Linux 2.6 version
Compare /bin/ps output vs /proc, procfs walking and syscall. ONLY for Linux 2.6 version
Reverse search, verify that all thread seen by ps are also seen in the kernel.
6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. ONLY for Linux 2.6 version.
Hashbot Online Forensic Web Tool
Hashbot is a forensic web tool to acquire and validate, over time, the status of an individual web page or web document.
Acquire: Insert the URL to acquire, select your favourite user agent (default is Firefox) and click on submit. Wait for creating process finish and download the zip archive.
Validate: Unzip the archive downloaded by the creation service, open the <code>-code.txt file and use the “Validate Info” section to fill in the validation form. Click on submit and wait for the server response.
Registry Decoder – Digital Forensics Tool
Digital forensics deals with the analysis of artefacts on all types of digital devices.
One of the most prevalent analysis techniques performed is that of the registry hives contained in Microsoft Windows operating systems.
Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.
A Recycle Bin Forensic Analysis Tool.
Many important files within Microsoft Windows have structures that are undocumented.
One of the principals of computer forensics is that all analysis methodologies must be well documented and repeatable, and they must have an acceptable margin of error. Currently, there are a lack of open source methods and tools that forensic analysts can rely upon to examine the data found in proprietary Microsoft files.
Many computer crime investigations require the reconstruction of a subject’s Recycle Bin. Since this analysis technique is executed regularly, we researched the structure of the data found in the Recycle Bin repository files (INFO2 files). Rifiuti, the Italian word meaning “trash”, was developed to examine the contents of the INFO2 file in the Recycle Bin.
The foundation of Rifiuti’s examination methodology is presented in the white paper located here. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favourite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X,
Linux, and *BSD platforms.
rifiuti [options] <filename>
-t Field Delimiter (TAB by default)
[kjones:rifiuti/rifiuti_20030410_1/bin] kjones% ./rifiuti INFO2 > INFO2.txt
Open INFO2.txt as a TAB delimited file in MS Excel to further sort and filter your results.
Its identifies and fingerprints network devices by silent network monitoring or by processing data from PCAP files.
NetSleuth is an open source network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet). It is a free network monitoring, cyber security and network forensics analysis (NFAT) tool.
Bugtraq system offers the most comprehensive distribution, optimal, stable and automatic security to date. Bugtraq is a distribution based on the 2.6.38 kernel has a wide range of penetration and forensic tools. Bugtraq can be installed from a Live DVD or USB drive, the distribution is customized to the last package, configured and updated the kernel. The kernel has been patched for better performance to recognize a variety of hardware, including wireless injection patches pentesting that other distributions do not recognize.
- Patching the kernel 2.6.38 to recognize 4 gigs of RAM in 32-bit.
- Tools perfectly configured, automated installation scripts and tools like Nessus, OpenVAS, Greenbone, Nod32, Hashcat, Avira, BitDefender, ClamAV, Avast, AVG, etc…
- Unique Scripts from Bugtraq-Team (SVN updates tools, delete tracks, backdoors, Spyder-sql, etc.
The Hex Workshop Hex Editor is a set of hexadecimal development tools for Microsoft Windows, combining advanced binary editing with the ease and flexibility of a word processor. With Hex Workshop you can Edit, cut, copy, paste, insert, and delete of Hex Script.
Hex values can be grouped by 1, 2, 4, 8 or 16 bytes.
Search using Hex Strings (including wildcards).
Find and replace by Hex Strings, Text, Strings or values.
Sector edit partitions or physical disks.
Checksum either entire document or a selection.
Arithmetic operations: +, -, *, /, %, ().
C/C++ Plug-in API.
Hex/Decimal calculator supporting: +,-,*,/,|,&,^,<<,>>, ~
Helix is more on the forensics and incident response side than the networking or pen-testing side. Still a very useful tool to carry.
Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.
All in One Bootable CD which has all utilities..