Digital forensic tools based on opensource software

Open source forensics tools that I found on opensourceforensics.org. Some of the applications are installed on my distro, called Stagos FSE. My suggestion: try all the applications listed here and explore them. Hope you like it.
For your information, open source software has been used for years in digital forensic cases around the world. The US DOJ has its own testing program for digital forensic tools, including open source tools.
Today we can find many Linux live CDs that ship with tools which can be used to perform digital forensics.

Data Acquisition / IR Tools

Title: Advanced Forensic Format Library (afflib)
Author: Simson Garfinkel and Basis Technology
Description: The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata.
Website http://www.afflib.org/
Source: http://www.afflib.org/

Title: Automated Image and Restore (AIR)
Author: Steve Gibson
Description: AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.
Website http://air-imager.sourceforge.net/
Source: http://sourceforge.net/project/showfiles.php?group_id=82474

Title: dcfl-dd
Author: DoD Computer Forensic Labs
Description: dcfl-dd is a modified version of the GNU binutils version of ‘dd’. It calculates the MD5 hash value of the data while it copies the data.
Website http://sourceforge.net/projects/biatchux
Source: http://sourceforge.net/project/showfiles.php?group_id=46038&release_id=84489

Title: dd
Author: GNU coreutils Team
Description: ‘dd’ is a common UNIX tool that copies data from one file to another. It can also be used with ‘netcat’ to send data to a server over the network.
Website http://www.gnu.org/software/coreutils/
Source: http://www.gnu.org/software/coreutils/

Title: dd_rescue
Author: Kurt Garloff
Description: Like dd, dd_rescue copies data from one file or block device to another. You can specify file positions (called seek and skip in dd). There are several differences. dd_rescue does not provide character conversions. dd_rescue does not abort on errors on the input file unless you specify a maximum error number; then dd_rescue will abort when this number is reached. dd_rescue does not truncate the output file unless asked to. You can tell dd_rescue to start from the end of a file and move backwards. It uses two block sizes, a large (soft) block size and a small (hard) block size. In case of errors, the size falls back to the small one and is promoted again after a while without errors.
Website http://www.garloff.de/kurt/linux/ddrescue/
Source: http://www.garloff.de/kurt/linux/ddrescue/

Title: ddrescue
Author: Antonio Diaz
Description: GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. [Ed: This tool is similar to, but not the same as dd_rescue]
Website http://www.gnu.org/software/ddrescue/ddrescue.html
Source: http://savannah.gnu.org/download/ddrescue/

Title: FTimes
Author: Klayton Monroe
Description: FTimes is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.
Website http://ftimes.sourceforge.net/FTimes/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=41134

Title: libewf
Author: Joachim Metz and Robert-Jan Mora
Description: Libewf is a library for support of the Expert Witness Compression Format (EWF); it supports both the SMART format (EWF-S01) and the EnCase format (EWF-E01). Libewf allows you to read media information within the EWF files.
Website https://www.uitwisselplatform.nl/projects/libewf/
Source: https://www.uitwisselplatform.nl/projects/libewf/

Title: liveview
Author: CERT
Description: Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to “boot up” the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because
Website http://liveview.sourceforge.net/

Title: lsof
Author: Vic Abell
Description: lsof lists open file handles for running Unix processes.
Website ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
Source: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

Title: mac-daddy
Author: Rob Lee
Description: MAC time collector for forensic incident response. This toolset is a modified version of the two programs tree.pl and mactime from the Coroner’s Toolkit by Dan Farmer and Wietse Venema. This program is portable and can be run directly from a floppy or a CD-ROM with a Perl interpreter that can also be on the floppy or CD-ROM.
Website http://www.incident-response.org/mac_daddy.html [Site has been removed]
Source: http://www.incident-response.org/mac_daddy.html [Site has been removed]

Title: mac-robber
Author: Brian Carrier
Description: mac-robber is a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. Its output can be used as input to the ‘mactime’ tool in The Sleuth Kit to make a time line of file activity.
Website http://www.sleuthkit.org/mac-robber
Source: http://www.sleuthkit.org/mac-robber/download.php

Title: memdump
Author: Wietse Venema
Description: Memory dumper for UNIX-like systems.
Website http://www.porcupine.org/forensics/tct.html
Source: http://www.porcupine.org/forensics/tct.html

Title: netcat
Author: hobbit
Description: Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It can be used on a trusted server to save data from a suspect system and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk.
Website http://www.securityfocus.com/tools/137
Source: http://www.securityfocus.com/tools/137

Title: RDA
Author: Chris Boubalos and Stefanos Koutsoutos
Description: rda is a command line Linux tool to remotely acquire data (like disk cloning or disk/partition imaging) and verify the transfer using md5 and/or crc32 checksums. The program is both the server and the client.
Website http://md5sa.com/downloads/rda/index.htm
Source: http://md5sa.com/downloads/rda/index.htm

Title: sdd
Author: Jörg Schilling
Description: ‘sdd’ is a replacement for a program called ‘dd’. sdd is much faster than dd in cases where the input block size (ibs) is not equal to the output block size (obs). Its statistics are more easily understood than those from ‘dd’. Timing is available: the -time option prints the transfer speed, and timing and statistics are available at any time with SIGQUIT (^\). It can seek on input and output and offers fast null input and fast null output. Support for the RMT (Remote Tape Server) protocol makes remote I/O fast and easy.
Website http://directory.fsf.org/sysadmin/Backup/sdd.html
Source: http://directory.fsf.org/sysadmin/Backup/sdd.html

Title: Webjob
Author: Klayton Monroe
Description: WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.
Website http://webjob.sourceforge.net/WebJob/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=40788

Media Management Analysis Tools

Title: CDfs
Author: Michiel Ronsse
Description: CDfs is a file system for Linux systems that ‘exports’ all tracks and boot images on a CD as normal files. These files can then be mounted (e.g. for ISO and boot images), copied, or played (audio and VideoCD tracks).
Website http://www.elis.rug.ac.be/~ronsse/cdfs/
Source: http://www.elis.rug.ac.be/~ronsse/cdfs/download/

Title: Cdrecord
Author: J. Schilling
Description: Cdrecord supports DVD-R and DVD-RW with all known DVD writers on all UNIX-like OSes and on Win32. DVD writing support has been implemented in cdrecord since March 1998. Cdrecord writes DVD media similarly to CD media. The readcd tool can be used to read the contents of a CD.
Website http://freshmeat.net/projects/cdrecord/
Source: ftp://ftp.berlios.de/pub/cdrecord/

Title: disktype
Author: Christoph Pfisterer
Description: The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to ‘file’, but gives much more detail about the file system or partition table.)
Website http://disktype.sourceforge.net/
Source: http://disktype.sourceforge.net/

Title: gpart
Author: Michail Brzitwa
Description: Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
Website http://www.stud.uni-hannover.de/user/76201/gpart/
Source: http://www.stud.uni-hannover.de/user/76201/gpart/#download

Title: The Sleuth Kit
Author: Brian Carrier
Description: A collection of command line tools for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.
Website http://www.sleuthkit.org/sleuthkit/
Source: http://www.sleuthkit.org/sleuthkit/download.php

Title: TestDisk
Author: Christophe Grenier
Description: Tool to check and undelete partition. Works with the following partitions: FAT12 FAT16 FAT32, Linux EXT2/EXT3, Linux SWAP (version 1 and 2), NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.
Website http://www.cgsecurity.org/testdisk.html
Source: http://www.cgsecurity.org/testdisk.html

File System Analysis Tools

Title: Autopsy Forensic Browser
Author: Brian Carrier
Description: Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted NTFS, FAT, EXTxFS, and FFS files, perform keyword searches, and create timelines of file activity.
Website http://www.sleuthkit.org/autopsy
Source: http://www.sleuthkit.org/autopsy/download.php

Title: disktype
Author: Christoph Pfisterer
Description: The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to ‘file’, but gives much more detail about the file system or partition table.)
Website http://disktype.sourceforge.net/
Source: http://disktype.sourceforge.net/

Title: e2salvage
Author: Marek Zelem, Milan Pikula, Martin Leopold
Description: e2salvage is a utility which tries to do in-place data recovery from damaged ext2 filesystems. Unlike e2fsck, it does not look for the data at particular places and it does not tend to believe the data it finds; thus it can handle much more damaged filesystems.
Website http://e2salvage.sourceforge.net/
Source: http://sourceforge.net/project/showfiles.php?group_id=91345

Title: Enhanced Linux Loopback
Author: Jason Luttgens (NASA)
Description: The enhanced loopback driver modifies the native loopback driver of the Linux kernel and adds functionality that can make the driver emulate a disk drive in some ways. Most important to us is providing automatic interpretation and mapping of partitions contained within an image file of a hard drive.
Website ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback/readme.txt
Source: ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback

Title: fatback
Author: Nicholas Harbour
Description: Fatback is a tool for undeleting files from FAT file systems.
Website http://sourceforge.net/projects/biatchux
Source: http://sourceforge.net/project/showfiles.php?group_id=46038&release_id=84491

Title: File System Investigator
Author: Bill Rossi
Description: FileSystem Investigator is a platform independent file system viewer and data extraction tool. It allows the user to view the contents of the target file system in a forensically safe manner, bypassing the normal operating system mechanisms, and to extract files and whole directory trees of files from the source filesystem.
Website http://www.rossi.com/fstools/intro.html
Source: http://www.rossi.com/fstools/download.html

Title: Linux Loopback
Author: Linux Community
Description: Loopback support in the Linux kernel allows one to mount a file system image read-only for a forensic analysis of allocated data.
Website http://www.linux.org
Source: http://www.linux.org/dist/index.html (Depends on the distribution)

Title: pyflag
Author: David Collett & Michael Cohen
Description: FLAG was designed to simplify the process of log file analysis and forensic investigations. Often, when investigating a large case, a great deal of data needs to be analysed and correlated. Flag uses a database as a backend to assist in managing the large volumes of data. This allows flag to remain responsive and expedite data manipulation operations.
Website http://pyflag.sourceforge.net/
Source: http://pyflag.sourceforge.net/

Title: SalvageNTFS
Author: Will Glynn
Description: SalvageNTFS is a set of applications and an associated library aimed at data recovery from NTFS volumes. It can “undelete” files, bypass file system permissions, and retrieve information from badly corrupted or inconsistent volumes.
Website http://www.salvagentfs.com/
Source: http://www.salvagentfs.com/

Title: The Sleuth Kit
Author: Brian Carrier
Description: A collection of command line tools for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.
Website http://www.sleuthkit.org/sleuthkit/
Source: http://www.sleuthkit.org/sleuthkit/download.php

Title: The Coroner’s Toolkit (TCT)
Author: Dan Farmer & Wietse Venema
Description: TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in.
Website http://www.porcupine.org/forensics/tct.html
Source: http://www.porcupine.org/forensics/tct.html#source_code

Title: TCTUTILs
Author: Brian Carrier
Description: Adds file name support and additional utilities to TCT.
Website http://www.digital-evidence.org/tools/index.html
Source: http://www.digital-evidence.org/tools/index.html

Application Analysis Tools

Title: Autopsy Forensic Browser
Author: Brian Carrier
Description: Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted NTFS, FAT, EXTxFS, and FFS files, perform keyword searches, and create timelines of file activity.
Website http://www.sleuthkit.org/autopsy
Source: http://www.sleuthkit.org/autopsy/download.php

Title: binutils
Author: GNU binutils Team
Description: The GNU Binutils are a collection of binary tools. For forensics, these are used for binary analysis, including ‘strings’.
Website http://www.gnu.org/software/binutils/
Source: http://www.gnu.org/software/binutils/

Title: chkrootkit
Author: Nelson Murilo
Description: chkrootkit is a tool to locally check for signs of a rootkit.
Website http://www.chkrootkit.org/
Source: http://www.chkrootkit.org/

Title: Clam AntiVirus
Author: Tomasz Kojm
Description: Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software.
Website http://www.clamav.net
Source: http://www.clamav.net

Title: Event Log Parser
Author: Jamie French
Description: A PHP script to parse through Windows event logs.
Website http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
Source: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html

Title: File AUdit Security Toolkit (FAUST)
Author: Frederic Raynal
Description: faust is a perl script that helps to analyze files found after an intrusion or the compromising of a honeypot. Its goal is not to make the analysis, but to extract the pieces of information that _you_ will use afterward in your analysis.
Website http://security-labs.org/index.php3?page=faust
Source: http://security-labs.org/index.php3?page=faust

Title: find
Author: GNU findutils Team
Description: The find program searches a directory tree to find a file or group of files. It traverses the directory tree and reports all occurrences of a file matching the user’s specifications. The find program includes very powerful searching capability.
Website http://www.gnu.org/software/findutils/
Source: http://www.gnu.org/software/findutils/

Title: file
Author: Christos Zoulas
Description: Guesses file type based on magic header and footer values.
Website ftp://ftp.astron.com/pub/file/
Source: ftp://ftp.astron.com/pub/file/

Title: foremost
Author: Jesse Kornblum
Description: Foremost is a Linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
Website http://foremost.sourceforge.net
Source: http://foremost.sourceforge.net

Title: Forensic Hash Database
Author: Matthias Hofherr
Description: The Forensic Hash Database is a project to combine the various hashsum sources like Dan Farmer’s FUCK baseline collection, The NIST National Software Reference Library (NSRL), Known Goods Database, and Hashkeeper into a single meta RDBMS (relational database management system).
Website http://www.forinsect.de/forensics/
Source: http://www.forinsect.de/forensics/

Title: Galleta
Author: Keith Jones
Description: Galleta, the Spanish word meaning “cookie”, was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website http://www.foundstone.com/resources/proddesc/galleta.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152412

Title: grep
Author: GNU grep Team
Description: Grep searches one or more input files for lines containing a match to a specified pattern. By default, grep prints the matching lines.
Website http://www.gnu.org/software/grep/grep.html
Source: http://www.gnu.org/software/grep/grep.html

Title: GrokEVT
Author: Sentinel Chicken Networks
Description: GrokEVT is a collection of scripts built for reading Windows NT™ event log files.
Website http://www.sentinelchicken.org/projects/grokevt/
Source: http://www.sentinelchicken.org/projects/grokevt/download/

Title: Hachoir
Author: Julien Muchembled and Victor Stinner
Description: hachoir-parser is a package of most common file format parsers written using hachoir-core.
Website http://hachoir.org/wiki/hachoir-parser
Source: http://hachoir.org/wiki/hachoir-parser

Title: Kregedit
Author: Jelmer Vernooij
Description: kregedit is KDE utility for viewing native Windows registry files. It is similar to the regedt32 utility that can be found on most Windows platforms. Only the NT registry format (NT4/2000/XP) is supported.
Website http://samba.org/~jelmer/kregedit/
Source: http://samba.org/~jelmer/kregedit/

Title: LibPST
Author: Dave Smith
Description: LibPST provides functions in library form for accessing Outlook’s Personal Folders. Included with this library is a program that will take a PST file and convert it to an mbox format.
Website http://sourceforge.net/projects/ol2mbox
Source: http://sourceforge.net/project/showfiles.php?group_id=18756&release_id=117314

Title: Magic Rescue
Author: jbj
Description: Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at “magic bytes” in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.
Website http://jbj.rapanden.dk/magicrescue/
Source: http://jbj.rapanden.dk/magicrescue/

Title: md5deep
Author: Jesse Kornblum
Description: md5deep is an MD5 program that can compute hashes recursively, compare hashes with a database, and estimate the time to completion.
Website http://md5deep.sourceforge.net/
Source: http://md5deep.sourceforge.net/

Title: md5sum
Author: GNU coreutils Team
Description: Calculates the MD5 hash value for a file.
Website http://www.gnu.org/software/coreutils/
Source: http://www.gnu.org/software/coreutils/

Title: ntreg
Author: Todd Sabin
Description: ntreg is a file system driver for linux, which understands the NT registry file format. With it, you can take registry files from NT, e.g., SAM, SECURITY, etc., and mount them on linux. Currently, it’s read-only, though I may add read-write capability in the future.
Website http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm
Source: http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm

Title: Pasco
Author: Keith Jones
Description: Pasco, the Latin word meaning “browse”, was developed to examine the contents of Internet Explorer’s cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website http://www.foundstone.com/resources/proddesc/pasco.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152387

Title: regutils
Author: Michael Rendell
Description: Regutils is a collection of programs that can assist in the installation of Windows 9x software on diskless clients. The basic procedure is to take a snapshot of a (diskful) system before and after a piece of software is installed and then look at what changed.
Website http://www.cs.mun.ca/~michael/regutils/
Source: http://www.cs.mun.ca/~michael/regutils/

Title: RegViewer
Author: Chris Eagle
Description: RegViewer is a GTK 2.2-based GUI Windows registry file navigator. It is platform independent, allowing for examination of Windows registry files from any platform. It is particularly useful when conducting forensics of Windows files from *nix systems.
Website http://sourceforge.net/projects/regviewer/
Source: http://sourceforge.net/project/showfiles.php?group_id=96788

Title: Rootkit Hunter
Author: Michael Boelen, Stephane Dudzinski
Description: Rootkit Hunter is a scanning tool to ensure you are about 99.9% clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests such as: MD5 hash comparison, looking for default files used by rootkits, wrong file permissions for binaries, looking for suspect strings in LKM and KLD modules, looking for hidden files, and an optional scan within plaintext and binary files.
Website http://www.rootkit.nl/projects/rootkit_hunter.html
Source: http://www.rootkit.nl/projects/rootkit_hunter.html

Title: Rifiuti
Author: Keith Jones
Description: Rifiuti, the Italian word meaning “trash”, was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website http://www.foundstone.com/resources/proddesc/rifiuti.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152410

Title: Safari_download
Author: Jake Cunningham
Description: Parses the Safari XML Downloads.plist file and prints the results in TAB delimited format.
Website http://jafat.sourceforge.net/files.html

Title: safari_hist
Author: Jake Cunningham
Description: Parses the Safari binary History.plist file and prints the results in TAB delimited format.
Website http://jafat.sourceforge.net/files.html

Title: Scalpel
Author: Golden G. Richard III
Description: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.
Website http://www.digitalforensicssolutions.com/Scalpel
Source: http://www.digitalforensicssolutions.com/Scalpel

Title: The Sleuth Kit
Author: Brian Carrier
Description: A collection of command line tools for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.
Website http://www.sleuthkit.org/sleuthkit/
Source: http://www.sleuthkit.org/sleuthkit/download.php

Title: Vinetto
Author: Michel Roukine
Description: Vinetto is a forensics tool to examine Thumbs.db files. It is a command line python script that works on Linux, Mac OS X and Cygwin(win32).
Website http://vinetto.sourceforge.net/

Title: Zeitline
Author: Florian Buchholz
Description: A graphical front-end that allows an investigator to manage event reconstruction. Super events may be created based on selected sub-events. Events may be moved around via drag-and-drop or directly assigned to a super event hierarchy. The event hierarchy can be displayed in a tree-like view that allows all or selected branches to be collapsed. This way, an investigator can concentrate only on the events relevant to his direct attention.
Website http://www.cerias.purdue.edu/homes/forensics/timeline.php
Source: http://www.cerias.purdue.edu/homes/forensics/timeline.php

Network Analysis Tools

Title: Ethereal
Author: Ethereal Team
Description: Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows.
Website http://www.ethereal.com/
Source: http://www.ethereal.com/download.html

Title: tcpflow
Author: Jeremy Elson
Description: tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like ‘tcpdump’ shows a summary of packets seen on the wire, but usually doesn’t store the data that’s actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
Website http://www.circlemud.org/~jelson/software/tcpflow/
Source: http://www.circlemud.org/~jelson/software/tcpflow/

Title: tcpreplay
Author: Aaron Turner
Description: tcpreplay is a BSD-style licensed tool to replay saved tcpdump files at arbitrary speeds. It provides a variety of features for replaying traffic for both passive sniffer devices as well as inline devices such as routers, firewalls, and the new class of inline IDS’s.
Website http://tcpreplay.sourceforge.net/
Source: http://tcpreplay.sourceforge.net/

Memory Analysis

Title: Unhide
Author: YJesus
Description: Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits/LKMs or by other hiding techniques.
Website http://www.security-projects.com/?Unhide

Analysis Frameworks

Title: Open Computer Forensics Architecture
Author: Dutch National Police Agency
Description: The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
Website http://ocfa.sourceforge.net/


About Spentera

We are specializing in penetration test, vulnerability assessment, computer forensics, as well as intrusion analyst and malware analysis. Customers can contact us directly at contact[at]spentera[dot]id, or use Contact Our Team menu on the sidebar.