
Forensic Cop Journal Volume 2(1), Nov 2009

http://forensiccop.blogspot.com

Ubuntu Forensic
by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police – Coordinator of Digital Forensic Analyst Team
Forensic Lab Centre of Indonesian National Police HQ

Background

Ubuntu Forensic is the use of Ubuntu for digital forensic purposes. Because Ubuntu provides
a wide range of forensic tools, as well as anti-forensic and cracking tools, it is a reliable
platform for investigating a computer crime and analysing the digital evidence involved. The
significant difference between forensic applications on Ubuntu and on Ms Windows is that the
Ubuntu applications are free and open-source software, while most applications running under
Ms Windows are commercial. The results obtained from the two sets of applications are largely
the same. A digital forensic analyst should therefore understand the Ubuntu forensic
applications as well as the Ms Windows ones; doing so gives the analyst many more tools to
apply in an investigation or analysis. When one tool does not give satisfactory results, the
analyst can turn to other tools, under either Ubuntu or Ms Windows, to obtain the best results.

This journal is written with the aim of broadening the forensic view among forensic
professionals. They are encouraged to explore the packages provided on Ubuntu for forensic
purposes, and to be aware that digital forensic work is not limited to Ms Windows applications:
many tools on Ubuntu do the same thing with the same results. In some respects Ubuntu gives
stronger results than the Ms Windows applications. For instance, dcfldd can be used for
forensic imaging in several ways: it can image a chosen range of blocks (using its skip and
count parameters) as well as the whole drive, a feature the author has not found in the
imaging applications running under Ms Windows. Another instance is image metadata analysis
through Exif. On Ubuntu there are several tools for analysing Exif data, such as exif,
exiftool and metacam, and also tools for manipulating Exif values, such as exiv2 and
libjpeg-progs. All these tools are free software.

One essential reason why the author frequently uses Ubuntu for digital forensic purposes
such as forensic imaging is forensically sound write protection. It is compulsory for every
digital forensic analyst to apply it when dealing with storage drive evidence, so that the
contents of the drive are not changed either accidentally or deliberately. Once the contents
are changed, the subsequent digital forensic actions become doubtful or are even refused by
the court, unless the analyst can explain comprehensively why (i.e. the relevance) the change
occurred and what its implications are. Write protection is usually applied during live
analysis under strict procedures; in dead analysis (i.e. post mortem) the analyst is still
required to keep the contents of the hard drive unchanged. To achieve this, Ubuntu can be
configured to give forensically sound write protection by editing the file /etc/fstab so
that the evidence drive is mounted with the read-only (ro) option. Whatever is then done on
the evidence drive does not change its contents: when a text file is accessed, its MAC (i.e.
Modified, Accessed and Created) times are not changed at all, because the read-only mount
suppresses every write, including the access-time update, for any action committed by the
analyst on the drive.

Two caveats apply to this technique. First, a read-only mount is a filesystem-level control,
so the underlying block device (e.g. /dev/sdb) must still be protected separately, with a
hardware write blocker or by marking it read-only at the block layer (blockdev --setro)
before any tool touches it. Second, journaling filesystems such as ext3, ext4 and XFS may
replay a dirty journal onto the device when mounted, even with ro, unless the mount is also
given the noload (ext3/ext4) or norecovery (ext4/XFS) option. Hashing the drive before and
after the examination is the check that confirms the write protection actually held.
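The read-only mount described above, written out as an added example for this edition (it is not code from the original journal). It assumes an ext3 evidence partition at /dev/sdb1 mounted on /mnt/evidence; those names, and the sample /proc/mounts text used to exercise the check, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the journal): attaching an evidence volume read-only
# on Ubuntu, including the block-layer protection and the journal-replay options
# that a plain "ro" entry in /etc/fstab does not cover on its own.
# Device names, mount points and the /proc/mounts sample are constructed.

# ro_mount_opts FSTYPE
#   Mount options for an evidence filesystem. "ro" stops all writes, including
#   atime updates; nodev/noexec keep anything on the drive from running on the
#   examiner's box; noload/norecovery stop ext3/ext4/XFS from replaying a dirty
#   journal onto the evidence at mount time (files whose updates were still only
#   in the journal may then look stale, which is the price of not writing).
ro_mount_opts() {
    case $1 in
        ext3)     echo "ro,noatime,nodev,noexec,noload" ;;
        ext4|xfs) echo "ro,noatime,nodev,noexec,norecovery" ;;
        *)        echo "ro,noatime,nodev,noexec" ;;
    esac
}

# fstab_line DEVICE MOUNTPOINT FSTYPE
#   The /etc/fstab entry the journal talks about, with the options above.
fstab_line() {
    printf '%s %s %s %s 0 0\n' "$1" "$2" "$3" "$(ro_mount_opts "$3")"
}

# mounted_ro MOUNTS_TEXT MOUNTPOINT
#   Reads the contents of /proc/mounts (passed in as text so it can be checked on
#   a sample) and succeeds only if MOUNTPOINT is mounted and its last entry carries "ro".
mounted_ro() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            seen = 1; ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        }
        END { exit (seen && ro) ? 0 : 1 }'
}

# attach_evidence DEVICE MOUNTPOINT FSTYPE   (needs root; not run by the checks)
#   1. hash the raw device before anything touches it
#   2. mark the block device read-only so no tool, including a journal replay,
#      can write to it (a hardware write blocker does the same job upstream)
#   3. mount with the options above and confirm from /proc/mounts that "ro" held
attach_evidence() {
    dev=$1 mnt=$2 fs=$3
    sha256sum "$dev" > "/var/tmp/$(basename "$dev").before.sha256" || return 1
    blockdev --setro "$dev" || return 1
    [ "$(blockdev --getro "$dev")" = 1 ] || return 1
    mkdir -p "$mnt"
    mount -t "$fs" -o "$(ro_mount_opts "$fs")" "$dev" "$mnt" || return 1
    mounted_ro "$(cat /proc/mounts)" "$mnt"
}

# Typical use:
#   attach_evidence /dev/sdb1 /mnt/evidence ext3 && echo "write protection verified"
# After the examination, hash the device again and compare with the .before.sha256 file.
```

The before/after hash is what turns "the drive was mounted read-only" into something the analyst can demonstrate to a court; the mount options alone are a configuration, not evidence.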

With this feature the analyst can do many things, such as live analysis directly on the drive
in order to speed up the investigation. This is frequently done when many drives are in
evidence: if the regular digital forensic procedure were followed, forensic imaging of every
drive would take a long time. The shortcut is to apply forensically sound write protection
and then read and analyse the drives directly, so that the analyst can establish which of the
drives has a strong relationship with the case. Once that drive is identified, the analyst
can carry out the full procedure and further analysis on it.

Below are the tools that can be used for digital forensic analysis, anti-forensics and
cracking: twenty-five forensic tools, fifteen anti-forensic tools and ten cracking tools.
There are other packages whose descriptions relate to these purposes, but they are not
covered in this journal. One of the most powerful tools, which the author uses often, is
Autopsy, the GUI front end to The Sleuth Kit created by Brian Carrier. What commercial
applications running under Ms Windows, such as EnCase and FTK, discover when analysing
digital evidence is the same as what Autopsy finds.

The description of each tool below is quoted directly from Synaptic Package Manager,
created by Connectiva S/A and Michael Vogt, as of April 2009. Synaptic makes it easy for
Ubuntu users to install or uninstall packages; anyone still unsure about the use of a
certain package should read the description given for it.

Forensic Tools:

1. Vinetto:
A forensics tool to examine Thumbs.db files. A tool intended for forensics
examinations. It is a console program to extract thumbnail images and their
metadata from those thumbs.db files generated under Windows. Used in forensic
environments.
2. Autopsy:
The Autopsy Forensic Browser is a graphical interface to the command line digital
forensic analysis tools in The Sleuth Kit. Together, The Sleuth Kit and Autopsy
provide many of the same features as commercial digital forensics tools for the
analysis of Windows and UNIX file systems (NTFS, FAT, FFS, EXT2FS, and EXT3FS).

3. Rdd:
A forensic copy program developed at and used by the Netherlands Forensic
Institute (NFI). Unlike most copy programs, rdd is robust with respect to read errors,
which is an important property in a forensic operating environment.
4. Tct:
TCT is a collection of programs for a post-mortem analysis of a UNIX system after
break-in. It enables you to collect data regarding deleted files, modification times of
files and more. Install this BEFORE you need to use it, so you do not risk destroying
essential forensic data before you begin. Tools contained within this package: grave-
robber, lazarus, inode-cat, ils, unrm and pcat.
5. Galleta:
An Internet Explorer cookie forensic analysis tool. Galleta is a forensic tool that
examines the content of cookie files produced by Microsoft's Internet Explorer. It
parses the file and outputs a field-separated file that can be loaded in a spreadsheet.
6. Pasco:
An Internet Explorer cache forensic analysis tool. Pasco is a forensic tool that
examines the content of cache files (index.dat) produced by Microsoft's Internet
Explorer. It parses the file and outputs a field-separated file that can be loaded in a
spreadsheet.
7. Sleuthkit:
Tools for forensics analysis. The Sleuth Kit (previously known as TASK) is a collection
of UNIX-based command line file system and media management forensic analysis
tools. The file system tools allow you to examine file systems of a suspect computer
in a non-intrusive fashion. Because the tools do not rely on the operating system to
process the file systems, deleted and hidden content is shown. The media
management tools allow you to examine the layout of disks and other media. The
Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, and
Sun slices (Volume Table of Contents). With these tools, you can identify where
partitions are located and extract them so that they can be analyzed with file system
analysis tools. When performing a complete analysis of a system, we all know that
command line tools can become tedious. The Autopsy Forensic Browser is a graphical
interface to the tools in The Sleuth Kit, which allows you to more easily conduct an
investigation. Autopsy provides case management, image integrity, keyword
searching, and other automated operations.
8. Unhide:
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits,
Linux kernel modules or by other techniques. It includes two utilities: unhide and
unhide-tcp. Unhide detects hidden processes using three techniques:
 - comparing the output of /proc and /bin/ps
 - comparing the information gathered from /bin/ps with the one gathered
   from system calls (syscall scanning)
 - full scan of the process ID space (PIDs bruteforcing)
Unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
/bin/netstat through brute forcing of all TCP/UDP ports available. This package can
be used by rkhunter in its daily scans.
9. Foremost:
This is a console program to recover files based on their headers and footers for
forensics purposes. Foremost can work on disk image files, such as those generated
by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are
specified by a configuration file, so you can pick and choose which headers you want
to look for.
10. Afflib:
Tools to use AFF segmented archive files. The Advanced Forensic Format (AFF) 1.0 is
an extensible open format for the storage of disk images and related forensic
information. The following tools are available to work with it:
 - afcat - copies from the contents of an AFFILE to stdout.
 - afcompare - compares two AFF files or an AFF file and a raw file
 - afconvert - converts AFF->raw, raw->AFF, or AFF->AFF (or even raw->raw,
   if you want) optionally recompressed files.
 - affix - Reports errors with AFF files and optionally fixes them.
 - afinfo - prints info about an AFF file from an examination of the segments
 - afstats - prints statistics about one or more AFF files
 - afxml - outputs an AFF file's metadata as XML
 - aimage - Image a hard drive into AFF or raw format
11. Scalpel:
A Frugal, High Performance File Carver. A fast file carver that reads a database of
header and footer definitions and extracts matching files from a set of image files or
raw device files. Scalpel is filesystem-independent and will carve files from FATx,
NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and
file recovery.
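The header/footer carving that Foremost (item 9) and Scalpel (item 11) perform, reduced to POSIX tools as an added example for this edition; it is not code from the journal or from either project. The JPEG signatures (ff d8 ff for the start-of-image marker, ff d9 for end-of-image) are the real ones; the "disk image" in the usage example is constructed, and the functions scan the whole image as one hex string, which is fine for demonstrations but not how the real carvers stream through multi-gigabyte images.

```shell
#!/bin/sh
# Added example (not from the journal, foremost or scalpel): carving objects out
# of a raw image by header and footer signature. Signatures are lowercase hex
# strings as printed by od. Nothing here reads a directory or an inode, which is
# why carving works the same on allocated, deleted and unallocated data.

# carve_offsets IMAGE HEADER_HEX FOOTER_HEX
#   Prints "start length" in bytes for every header..footer pair, in order.
#   Matches are only accepted on byte boundaries (odd 1-based hex index).
carve_offsets() {
    od -A n -v -t x1 "$1" | tr -d ' \n' | awk -v hdr="$2" -v ftr="$3" '
        function find_aligned(s, pat, from,    i) {
            while ((i = index(substr(s, from), pat)) > 0) {
                i = from + i - 1
                if (i % 2 == 1) return i      # byte-aligned hit
                from = i + 1                  # straddles two bytes: keep looking
            }
            return 0
        }
        {
            pos = 1
            while ((start = find_aligned($0, hdr, pos)) > 0) {
                f = find_aligned($0, ftr, start + length(hdr))
                if (f == 0) break             # header with no footer: nothing to carve
                end = f + length(ftr)         # one past the footer
                printf "%d %d\n", (start - 1) / 2, (end - start) / 2
                pos = end
            }
        }'
}

# carve IMAGE HEADER_HEX FOOTER_HEX OUTDIR EXT
#   Writes each carved object to OUTDIR/<byte offset>.EXT and prints the paths.
#   Real carvers also cap the object length (the size column in foremost.conf /
#   scalpel.conf) so a missing footer cannot swallow the rest of the image.
carve() {
    mkdir -p "$4"
    carve_offsets "$1" "$2" "$3" | while read -r off len; do
        out="$4/$(printf '%08d' "$off").$5"
        dd if="$1" of="$out" bs=1 skip="$off" count="$len" 2>/dev/null
        printf '%s\n' "$out"
    done
}

# Usage on a constructed image holding two tiny "JPEGs" between junk bytes:
#   printf 'junk\377\330\377XYZ\377\331more\377\330\377AB\377\331end' > /tmp/disk.dd
#   carve /tmp/disk.dd ffd8ff ffd9 /tmp/carved jpg
```

Carving this way is filesystem-independent, but it is also blind: it recovers fragments that happen to carry the right markers, so every carved object still has to be validated (opened, parsed, compared with file-system metadata where it exists) before it is treated as evidence.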
12. Dcfldd:
Enhanced version of dd for forensics and security. Based on the dd program with the
following additional features:
 - Hashing on-the-fly, dcfldd can hash the input data as it is being transferred,
   helping to ensure data integrity.
 - Status output, dcfldd can update the user of its progress in terms of the
   amount of data transferred and how much longer operation will take.
 - Flexible disk wipes, dcfldd can be used to wipe disks quickly and with a
   known pattern if desired.
 - Image/wipe Verify, dcfldd can verify that a target drive is a bit-for-bit match
   of the specified input file or pattern.
 - Multiple outputs, dcfldd can output to multiple files or disks at the same
   time.
 - Split output, dcfldd can split output to multiple files with more configurability
   than the split command.
 - Piped output and logs, dcfldd can send all its log data and output to
   commands as well as files natively.
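The block-range imaging mentioned in the Background and the on-the-fly hashing and verification listed above, combined into one acquisition routine as an added example for this edition (not code from the journal or from the dcfldd project). It assumes dcfldd is installed on the examiner's Ubuntu box; when it is not, the functions fall back to plain dd and sha256sum so the same logic can be exercised on an ordinary file. That fallback, the /dev/sdb and /cases paths, and the assumed "Total (sha256): <hex>" line in dcfldd's hashlog are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the journal or the dcfldd project): image a block range
# of an evidence device with on-the-fly hashing, then verify the result.
# Assumes dcfldd; falls back to dd + sha256sum when it is missing (assumption of
# this example, not a dcfldd feature). Paths and sample data are constructed.

# image_range SRC DST BS SKIP COUNT
#   Copies COUNT blocks of BS bytes, starting SKIP blocks into SRC, to DST.
#   conv=noerror,sync keeps going over unreadable sectors and pads them with
#   zeros so later offsets in the image stay correct. Prints the SHA-256 of the
#   data written, which is the acquisition hash to record in the case notes.
image_range() {
    src=$1 dst=$2 bs=$3 skip=$4 count=$5
    if command -v dcfldd >/dev/null 2>&1; then
        dcfldd if="$src" of="$dst" bs="$bs" skip="$skip" count="$count" \
               conv=noerror,sync hash=sha256 hashlog="$dst.hashlog" status=off \
            || return 1
        # assumed hashlog line: "Total (sha256): <hex>"; take the digest field
        awk '/sha256/ { print $NF; exit }' "$dst.hashlog"
    else
        dd if="$src" of="$dst" bs="$bs" skip="$skip" count="$count" \
           conv=noerror,sync 2>/dev/null || return 1
        sha256sum "$dst" | cut -d' ' -f1
    fi
}

# source_range_hash SRC BS SKIP COUNT
#   Re-reads the same range from the source and hashes it in a pipe, writing
#   nothing, for comparison with the acquisition hash.
source_range_hash() {
    dd if="$1" bs="$2" skip="$3" count="$4" conv=noerror,sync 2>/dev/null \
        | sha256sum | cut -d' ' -f1
}

# verify_image ACQ_HASH SRC DST BS SKIP COUNT
#   Succeeds only if the image on disk, a fresh read of the source range and the
#   hash recorded at acquisition time all agree. Any tampering with the image,
#   or any write to the source since acquisition, makes this fail.
verify_image() {
    acq=$1 src=$2 dst=$3 bs=$4 skip=$5 count=$6
    img=$(sha256sum "$dst" | cut -d' ' -f1)
    again=$(source_range_hash "$src" "$bs" "$skip" "$count")
    [ "$acq" = "$img" ] && [ "$img" = "$again" ]
}

# Typical use on a write-blocked device (not executed here): the first 2048
# sectors, i.e. the MBR and the gap before the first partition.
#   h=$(image_range /dev/sdb /cases/001/sdb-head.dd 512 0 2048)
#   verify_image "$h" /dev/sdb /cases/001/sdb-head.dd 512 0 2048 && echo "verified"
```

For a whole-drive image drop skip and count; the verification step stays the same, and the three-way comparison (acquisition hash, image hash, fresh source hash) is what lets the analyst show the image is a faithful copy and that the source was not altered by the acquisition itself.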
13. Gzrt:
gzip recovery toolkit. gzrecover will attempt to skip over corrupted data in a gzip
archive, thereby allowing the remaining data to be recovered. Please install cpio to
facilitate recovery from damaged gzipped tarballs.
14. Chntpw:
NT SAM password recovery utility. This little program provides a way to view
information and change user passwords in a Windows NT/2000 user database file.
Old passwords need not be known since they are overwritten. In addition it also
contains a simple registry editor (same size data writes) and a hex editor which
enables you to fiddle around with bits and bytes in the file as you wish. If you want
GNU/Linux boot disks for offline password recovery you can add this utility to
custom image disks or use those provided at the tools homepage.
15. Testdisk:
Partition scanner and disk recovery tool. TestDisk checks the partition and boot
sectors of your disks. It is very useful in recovering lost partitions. It works with:
 - DOS/Windows FAT12, FAT16 and FAT32
 - NTFS (Windows NT/2K/XP)
 - Linux Ext2 and Ext3
 - BeFS (BeOS)
 - BSD disklabel (FreeBSD/OpenBSD/NetBSD)
 - CramFS (Compressed File System)
 - HFS and HFS+, Hierarchical File System
 - JFS, IBM's Journaled File System
 - Linux Raid
 - Linux Swap (versions 1 and 2)
 - LVM and LVM2, Linux Logical Volume Manager
 - Netware NSS
 - ReiserFS 3.5 and 3.6
 - Sun Solaris i386 disklabel
 - UFS and UFS2 (Sun/BSD/...)
 - XFS, SGI's Journaled File System
PhotoRec is file data recovery software designed to recover lost pictures from digital
camera memory or even Hard Disks. It has been extended to search also for non
audio/video headers. It searches for:
 - Sun/NeXT audio data (.au)
 - RIFF audio/video (.avi/.wav)
 - BMP bitmap (.bmp)
 - bzip2 compressed data (.bz2)
 - Source code written in C (.c)
 - Canon Raw picture (.crw)
 - Canon catalog (.ctg)
 - FAT subdirectory
 - Microsoft Office Document (.doc)
 - Nikon dsc (.dsc)
 - HTML page (.html)
 - JPEG picture (.jpg)
 - MOV video (.mov)
 - MP3 audio (MPEG ADTS, layer III, v1) (.mp3)
 - Moving Picture Experts Group video (.mpg)
 - Minolta Raw picture (.mrw)
 - Olympus Raw Format picture (.orf)
 - Portable Document Format (.pdf)
 - Perl script (.pl)
 - Portable Network Graphics (.png)
 - Raw Fujifilm picture (.raf)
 - Contax picture (.raw)
 - Rollei picture (.rdc)
 - Rich Text Format (.rtf)
 - Shell script (.sh)
 - Tar archive (.tar)
 - Tag Image File Format (.tiff)
 - Microsoft ASF (.wma)
 - Sigma/Foveon X3 raw picture (.x3f) and zip archive (.zip)

16. Gddrescue:
The GNU data recovery tool. It copies data from one file or block device (hard disc,
cdrom, etc) to another, trying hard to rescue data in case of read errors. Gddrescue
does not truncate the output file if not asked to. So, every time you run it on the
same output file, it tries to fill in the gaps. The basic operation of ddrescue is fully
automatic. That is, you don't have to wait for an error, stop the program, read the
log, run it in reverse mode, etc. If you use the logfile feature of ddrescue, the data is
rescued very efficiently (only the needed blocks are read). Also you can interrupt the
rescue at any time and resume it later at the same point. Automatic merging of
backups: If you have two or more damaged copies of a file, cdrom, etc, and run
ddrescue on all of them, one at a time, with the same output file, you will probably
obtain a complete and error-free file. This is so because the probability of having
damaged areas at the same places on different input files is very low. Using the
logfile, only the needed blocks are read from the second and successive copies. The
logfile is periodically saved to disc. So in case of a crash you can resume the rescue
with little recopying. Also, the same logfile can be used for multiple commands that
copy different areas of the file, and for multiple recovery attempts over different
subsets. Gddrescue aligns its I/O buffer to the sector size so that it can be used to
read from raw devices. For efficiency reasons, also aligns it to the memory page size
if page size is a multiple of sector size.
17. Recover:
Undelete files on ext2 partitions. Recover automates some steps as described in the
ext2-undeletion howto. This means it seeks all the deleted inodes on your hard drive
with debugfs. When all the inodes are indexed, recover asks you some questions
about the deleted file. These questions are:
 - Hard disk device name
 - Year of deletion
 - Month of deletion
 - Weekday of deletion
 - First/Last possible day of month
 - Min/Max possible file size
 - Min/Max possible deletion hour
 - Min/Max possible deletion minute
 - User ID of the deleted file
If recover found any fitting inodes, it asks to give a directory name and dumps the
inodes into the directory. Finally it asks you if you want to filter the inodes again (in
case you typed some wrong answers). Note that recover works only with ext2
filesystems - it does not support ext3.
18. E2undel:
Undelete utility for the ext2 file system. Interactive console tool to recover the data
of deleted files on an ext2 file system under Linux. It does not require knowledge
about how ext2 file systems work and should be usable by most people. This tool
searches all inodes marked as deleted on a file system and lists them as sorted by
owner and time of deletion. Additionally, it gives you the file size and tries to
determine the file type in the way file(1) does. If you did not just delete a whole
bunch of files with a 'rm -r *', this information should be helpful to find out which of
the deleted files you would like to recover. E2undel will not work on ext3 (journaling)
filesystems.
19. Ext3grep:
Tool to help recover deleted files on ext3 filesystems. Ext3grep is a simple tool
intended to aid anyone who accidentally deletes a file on an ext3 filesystem, only to
find that they wanted it shortly thereafter.
20. Sqlitebrowser:
GUI editor for SQLite databases. SQLite Database Browser is a freeware, public
domain, open source visual tool used to create, design and edit database files
compatible with SQLite. Its interface is based on QT, and is meant to be used for
users and developers that want to create databases, edit and search data using a
familiar spreadsheet-like interface, without the need to learn complicated SQL
commands. Controls and wizards are available for users to:
 - Create and compact database files
 - Create, define, modify and delete tables
 - Create, define and delete indexes
 - Browse, edit, add and delete records
 - Search records
 - Import and export records as text
 - Import and export tables from/to CSV files
 - Import and export databases from/to SQL dump files
 - Issue SQL queries and inspect the results
 - Examine a log of all SQL commands issued by the application
SQLite Database Browser is not a visual shell for the sqlite command line tool. It does
not require familiarity with SQL commands. It is a tool to be used both by developers
and by end users, and it must remain as simple to use as possible in order to achieve
its goals.
21. Exifprobe:
Read metadata from digital pictures. Exifprobe reads image files produced by digital
cameras (including several so-called "raw" file formats) and reports the structure of
the files and the auxiliary data and metadata contained within them. In addition to
TIFF, JPEG, and EXIF, the program understands several formats which may contain
"raw" camera data, including MRW, CIFF/CRW, JP2/JPEG2000, RAF, and X3F, as well
as most TIFF-derived "raw" formats, including DNG, ORF, CR2, NEF,
K25/KDC/DCR, and PEF.

22. Podsleuth:
Tool to discover detailed information about Apple iPods. PodSleuth is a tool to
discover detailed model information about an Apple(TM) iPod(TM). Its primary role is
to be run as a callout by HAL because root access is needed to scan the device for
required information. When the model information is discovered, it is merged into
HAL as properties for other applications to use. With PodSleuth installed, applications
can expect to have rich iPod (TM) metadata merged into the device tree on the iPod
data volume node. PodSleuth metadata properties are in the org.banshee-
project.podsleuth namespace.
23. Exif:
Command-line utility to show EXIF information in JPEG files. Most digital cameras
produce EXIF files, which are JPEG files with extra tags that contain information
about the image. 'exif' is a small command-line utility to show EXIF information
hidden in JPEG files.
24. Libimage-exiftool-perl:
Library and program to read and write meta information in multimedia files. ExifTool
is a Perl module with an included command-line application for reading and writing
meta information in image, audio and video files. It recognizes EXIF, GPS, IPTC, XMP,
JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3 meta information as
well as the maker notes of many digital cameras including Canon, Casio, FujiFilm,
JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson,
Panasonic/Leica, Pentax/Asahi, Ricoh, Sanyo and Sigma/Foveon.
25. Metacam:
Extract EXIF information from digital camera files. EXIF stands for Exchangeable
Image File Format, and is a standard for storing interchange information in image
files, especially those using JPEG compression. Most digital cameras now use the
EXIF format. The format is part of the DCF standard created by JEIDA to encourage
interoperability between imaging devices. In addition to the standard EXIF fields,
MetaCam also supports vendor-specific extensions from Nikon, Olympus, Canon and
Casio.

Anti-Forensic Tools:

1. Wipe:
Secure file deletion. Recovery of supposedly erased data from magnetic media is
easier than what many people would like to believe. A technique called Magnetic
Force Microscopy (MFM) allows any moderately funded opponent to recover the last
two or three layers of data written to disk. Wipe repeatedly writes special patterns
to the files to be destroyed, using the fsync() call and/or the O_SYNC bit to force disk
access.

2. Bcrypt:
Cross platform file encryption utility using blowfish. Bcrypt is a cross platform file
encryption utility. Encrypted files are portable across all supported operating
systems and processors. In addition to encrypting your data, bcrypt will by default
overwrite the original input file with random garbage three times before deleting it
in order to thwart data recovery attempts by persons who may gain access to your
computer. Bcrypt uses the blowfish encryption algorithm published by Bruce
Schneier in 1993.
3. Exiv2:
EXIF/IPTC metadata manipulation tool. Exiv2 can:
 - print the Exif metadata of JPEG, TIFF and several RAW image formats as
   summary info, interpreted values, or the plain data for each tag
 - print the IPTC metadata of JPEG images
 - print, set and delete the JPEG comment of JPEG images
 - set, add and delete Exif and IPTC metadata of JPEG images
 - adjust the Exif timestamp (that's how it all started...)
 - rename Exif image files according to the Exif timestamp
 - extract, insert and delete Exif metadata, IPTC metadata and JPEG comments
 - extract, insert and delete the thumbnail image embedded in the Exif
   metadata
 - fix the Exif ISO setting of picture taken with Nikon cameras
4. Libjpeg-progs:
Programs for manipulating JPEG files. This package contains programs for
manipulating JPEG files:
 - cjpeg/djpeg: convert to/from the JPEG file format
 - rdjpgcom/wrjpgcom: read/write comments in JPEG files
 - jpegtran: lossless transformations of JPEG files
 - jpegexiforient/exifautotran: manipulate EXIF orientation tag
5. Secure-delete:
Tools to wipe files, free disk space, swap and memory. Even if you overwrite a file
10+ times, it can still be recovered. This package contains tools to securely wipe data
from files, free disk space, swap and memory.
6. Aespipe:
AES-encryption tool with loop-AES support. Aespipe is an encryption tool that reads
from standard input and writes to standard output. It uses the AES (Rijndael) cipher.
It can be used as an encryption filter, to create and restore encrypted tar/cpio
backup archives and to read/write and convert loop-AES compatible encrypted
images. Aespipe can be used for non-destructive in-place encryption of existing disk
partitions for use with the loop-AES encrypted loopback kernel module.
7. Ccrypt:
Secure encryption and decryption of files and streams. Ccrypt is a utility for
encrypting and decrypting files and streams. It was designed as a replacement for
the standard unix crypt utility, which is notorious for using a very weak encryption
algorithm. ccrypt is based on the Rijndael cipher, which is the U.S. government's
chosen candidate for the Advanced Encryption Standard (AES, see
http://www.nist.gov/aes). This cipher is believed to provide very strong security.
8. Encfs:
Encrypted virtual filesystem. EncFS integrates file system encryption into the
Unix(TM) file system. Encrypted data is stored within the native file system, thus no
fixed-size loopback image is required. EncFS uses the FUSE kernel driver and library
as a backend.
9. Makepasswd:
Generate and encrypt passwords. Generates true random passwords by using the
/dev/random feature of Linux, with the emphasis on security over pronounceability.
It can also encrypt plaintext passwords given in a temporary file.
10. Cryptcat:
A lightweight version of netcat extended with Twofish encryption. Cryptcat is a simple
Unix utility which reads and writes data across network connections, using TCP or
UDP protocol while encrypting the data being transmitted. It is designed to be a
reliable "back-end" tool that can be used directly or easily driven by other programs
and scripts. At the same time, it is a feature-rich network debugging and exploration
tool, since it can create almost any kind of connection you would need and has
several interesting built-in capabilities.
11. Gdecrypt:
GUI for mapping/mounting and creating encrypted volumes. Gdecrypt was written
to make the use of encrypted partitions under Linux easier. It currently
contains a GUI written in PyGTK for decrypting/mounting, unmounting and
encrypting partitions or container files, and it supports partitions created with
truecrypt (see http://truecrypt.org for details) and LUKS. Note that truecrypt <= 4.3a
is required for truecrypt support and cryptsetup with LUKS is required for LUKS support.
12. Enigmail:
Enigmail - GPG support for Thunderbird. OpenPGP extension for Thunderbird.
Enigmail allows users to access the features provided by the popular GnuPG
software from within Thunderbird. Enigmail is capable of signing, authenticating,
encrypting and decrypting email. Additionally, it supports both the inline PGP
format, as well as the PGP/MIME format as described in RFC 3156.

13. Steghide:
A steganography hiding tool. Steghide is a steganography program which hides bits of
a data file in some of the least significant bits of another file in such a way that the
existence of the data file is not visible and cannot be proven. Steghide is designed to
be portable and configurable and features hiding data in bmp, wav and au files,
blowfish encryption, MD5 hashing of passphrases to blowfish keys, and pseudo-
random distribution of hidden bits in the container data.
14. Outguess:
Universal Steganographic tool. OutGuess is a universal steganographic tool that
allows the insertion of hidden information into the redundant bits of data sources.
The nature of the data source is irrelevant to the core of OutGuess. The program
relies on data specific handlers that will extract redundant bits and write them back
after modification. In this version the PNM and JPEG image formats are supported.
15. Snowdrop:
Plain text watermarking and watermark recovery. Snowdrop provides reliable,
difficult to remove steganographic watermarking of text documents (internal memos,
draft research papers, advisories and other writing) and C sources (limited
distribution software, licensed software, or freely available code) so that:
 - leaks can be identified if the data goes public
 - original source can be determined and demonstrated if part of the document
   is claimed by somebody else, copied without permission, etc.
Snowdrop uses redundant steganography using four different logical channels, and
should be proof to many modifications, including reformatting, spell checking and so
on. Warning: Snowdrop is currently in beta, and may produce bad or corrupted
results, especially when run on C source code.

Cracking Tools:

1. Cifer:
Multipurpose classical cryptanalysis and code-breaking tool. Cifer provides many
functions designed to aid in cracking classical ciphers; a group of ciphers used
historically, but which have now fallen into disuse because of their susceptibility to
ciphertext-only attacks. In general, they were designed and implemented by hand,
and operate on an alphabet of letters (such as [A-Z]). It operates using text files as
input and output, and can perform both brute force and other, more sophisticated,
attacks against many classic encryption schemes. In addition, it provides many
utilities such as frequency analysis and automated encryption/decryption of texts.
2. Samdump:
Dump Windows 2k/NT/XP password hashes. This tool is designed to dump Windows
2k/NT/XP password hashes from a SAM file. It requires the syskey key which can be
found with tools like bkhive. Syskey is a Windows feature that adds an additional
encryption layer to the password hashes stored in the SAM database.
3. Bkhive:
Dump the syskey bootkey from a Windows NT/2K/XP system hive. This tool is
designed to recover the syskey bootkey from a Windows NT/2K/XP system hive.
Then we can decrypt the SAM file with the syskey and dump password hashes.
Syskey is a Windows feature that adds an additional encryption layer to the
password hashes stored in the SAM database.
4. Fcrackzip:
Password cracker for zip archives. Fcrackzip is a fast password cracker partly written
in assembler. It is able to crack password protected zip files with brute force or
dictionary based attacks, optionally testing with unzip its results. It can also crack
cpmask'ed images.
5. aircrack-ng:
Wireless WEP/WPA cracking utilities. Aircrack-ng is an 802.11a/b/g WEP/WPA
cracking program that can recover a 40-bit, 104-bit, 256-bit or 512-bit WEP key once
enough encrypted packets have been gathered. Also it can attack WPA1/2 networks
with some advanced methods or simply by brute force. It implements the standard
FMS attack along with some optimizations, thus making the attack much faster
compared to other WEP cracking tools. It can also fully use a multiprocessor system
to its full power in order to speed up the cracking process. Aircrack-ng is a fork of
aircrack, as that project has been stopped by the upstream maintainer.
6. Pdfcrack:
PDF files password cracker. Pdfcrack is a simple tool for recovering passwords from
pdf-documents. It should be able to handle all pdfs that use the standard security
handler, but the pdf-parsing routines are a bit of a quick hack so you might stumble
across some pdfs where the parser needs to be fixed to handle them. Pdfcrack allows you
to configure the size of the searched password, use an external wordlist file and save
cracking sessions to restore them later.
7. Medussa:
Distributed password cracking system. Medussa is a distributed password cracking
system that can attempt various types of attacks against encrypted passwords,
distributing the work across many machines.
8. Ophcrack:
Microsoft Windows password cracker using rainbow tables (gui). Ophcrack is a
Windows password cracker based on a time-memory trade-off using rainbow tables.
This is a new variant of Hellman's original trade-off, with better performance. It
recovers 99.9% of alphanumeric passwords in seconds. It works for Windows
NT/2000/XP/Vista. This package contains ophcrack with QT4 based graphical UI.
Please note that it can be used in command line as well.

9. Weplab:
Tool designed to break WEP keys. WepLab is a tool designed to teach how WEP
works, what different vulnerabilities it has, and how they can be used in practice to
break a WEP protected wireless network. WepLab can dump network traffic, analyse
it or crack the WEP key.
10. John:
Active password cracking tool. John, mostly known as John the Ripper, is a tool
designed to help systems administrators to find weak (easy to guess or crack through
brute force) passwords, and even automatically mail users warning them about it, if
it is desired. It can also be used with different ciphertext formats, including Unix's
DES and MD5, Kerberos AFS passwords, Windows' LM hashes, BSDI's extended DES,
and OpenBSD's Blowfish.

Bibliography

1. Al-Azhar, M. (2009). Forensically Sound Write Protect on Ubuntu. Forensic Cop
   Journal, 1(3). Available at: http://forensiccop.blogspot.com. Last accessed 26
   November 2009.
2. Al-Azhar, M. (2009). Similarities and Differences between Ubuntu and Windows on
   Forensic Applications. Forensic Cop Journal, 1(2). Available at:
   http://forensiccop.blogspot.com. Last accessed 26 November 2009.
3. Connectiva S/A and Vogt, M. (2009). Synaptic Package Manager 0.62.5. Ubuntu 9.04.
