Recovering and Examining Computer Forensic Evidence
Basic Steps in Forensic Analysis of Unix Systems
Biatchux : portable bootable CD-ROM for forensics purposes
Biatchux is a portable bootable CD-ROM based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment. It also provides the tools necessary for live forensics/analysis: just mount the CD-ROM on your OS of choice; trusted static binaries for Win32, SPARC Solaris and x86 Linux are available in /statbins.
Forensics Server Project : Perl; an effort to provide a degree of automation to the collection of data during a 'live' forensics or 'root cause' investigation.
Foundstone Forensic Tools : NT, W2K, free
Forensic Tool Kit :
AFind :
lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer does.
HFind :
scans the disk for hidden files
SFind :
scans the disk for hidden data streams and lists the last access times
FileStat :
quick dump of all file and security attributes. It works on only one file at a time but this is usually sufficient.
Hunt :
a quick way to see if a server reveals too much info via NULL sessions
NTLast : security audit tool for event logs
Reads saved .evt files - makes it easy to search through your archives
Allows you to search before, after, and between dates - again to zoom in on something
Filters logons 'From' a certain host - helps you zoom in on suspected intrusions
Can save files in a csv format w/ time field formatted for Excel
Filters out and distinguishes web log usage - cuts down search time
BinText :
extracts text from any kind of file, and includes the ability to find plain ASCII text, Unicode (double-byte ANSI) text and resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text from being listed. The gathered list can be searched and saved to a separate file, either as plain text or in an informative tabular format.
fport :
reports all open TCP/IP and UDP ports and maps them to the owning application
Patchit :
A binary file byte-patching program
ShoWin :
displays hidden password edit box fields (the text behind the asterisks *****). This works in many programs, although Microsoft has changed the way things work in some of its applications, most notably MS Office products and Windows 2000; ShoWin will not work in these cases.
TCT : The Coroner's Toolkit
TCT is a collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a break-in.