
Anti Virus Forensic Tools

chkrootkit
chkrootkit is a utility that checks for signs that a host is infected with a rootkit. It runs on Linux, FreeBSD and OS X, and uses standard utilities such as awk, grep, netstat, cut and echo to look for signatures that suggest a rootkit. A rootkit typically replaces exactly those utilities, so the standard invocation gives chkrootkit an alternate path to trusted binaries (do not trust the binaries on the machine you are scanning; use a read-only mount of a known-clean system or a CD), along with the root of the filesystem to scan. Example usage: chkrootkit -p [path-to-trusted-binaries] -r [root-path-to-scan]

rkhunter
rkhunter (Rootkit Hunter) is another utility that checks for signs of rootkits on Unix-based systems. Usually you will want to run the scan against a mounted filesystem using a trusted set of binaries (the --bindir option tells rkhunter where to look for them). In the example below, --sk (--skip-keypress) means a keypress is not required after each group of tests. Example usage: rkhunter -c --sk
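Both chkrootkit and rkhunter rely on the same core idea: do not trust the view of the system that the (possibly trojaned) system itself presents, but cross-check it against a second source. The script below, added here as an illustration and not code from either tool, shows the hidden-process check chkrootkit's chkproc test performs: it lists /proc the way ps does, then asks the kernel about every PID individually with kill(pid, 0), and reports processes that answer the probe but are missing from the listing. It assumes a Linux /proc and the cap on the PID range is an assumption for speed.

```python
"""Cross-check the /proc directory listing against direct PID probes, the
technique chkrootkit's chkproc test uses to spot processes a rootkit hides.

Added example; this is not chkrootkit's or rkhunter's code.  It assumes a
Linux /proc and returns empty sets elsewhere."""
import os

# Upper bound for the brute-force probe.  The real tools go up to
# /proc/sys/kernel/pid_max; the cap here keeps the scan well under a second.
DEFAULT_MAX_PID = 1 << 16


def listed_pids():
    """PIDs that readdir() on /proc reports, which is all that ps, top and
    most other user-space tools ever see (and what a rootkit hooks)."""
    if not os.path.isdir("/proc"):
        return set()
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid=DEFAULT_MAX_PID, min_pid=1):
    """PIDs that answer kill(pid, 0), found by asking the kernel about every
    PID in turn instead of trusting the directory listing."""
    if not os.path.isdir("/proc"):
        return set()
    found = set()
    for pid in range(min_pid, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check, nothing delivered
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:      # exists, but belongs to another user
            found.add(pid)
    return found


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def hidden_pids(max_pid=DEFAULT_MAX_PID):
    """Processes that exist but are missing from the /proc listing.

    Thread IDs must be filtered out: kill(tid, 0) succeeds for any thread
    and /proc/<tid> is reachable by path yet never listed, so on a clean
    system they would look hidden.  What remains is a thread-group leader
    that readdir() does not show, which is exactly what an LKM rootkit
    hooking getdents() produces.  Each hit is re-probed so a process that
    merely exited between the two snapshots is not reported."""
    visible = listed_pids()
    suspects = set()
    for pid in probed_pids(max_pid) - visible:
        tgid = thread_group_id(pid)
        if tgid is not None and tgid != pid:
            continue                 # a thread, not a hidden process
        suspects.add(pid)
    confirmed = set()
    still_visible = listed_pids()
    for pid in suspects:
        if pid in still_visible:
            continue
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                 # gone in the meantime
        except PermissionError:
            pass
        confirmed.add(pid)
    return confirmed


def check_self(max_pid=DEFAULT_MAX_PID):
    """Sanity check: this very process must be listed, answer a probe and
    never be reported hidden.  True when /proc is absent (nothing to test)."""
    if not os.path.isdir("/proc"):
        return True
    me = os.getpid()
    return (me in listed_pids()
            and me in probed_pids(max_pid=me, min_pid=me)
            and me not in hidden_pids(max_pid))


if __name__ == "__main__":
    hidden = hidden_pids()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

Run it as root so every process answers the probe; a non-empty result from a system that is otherwise quiet is the same signal chkrootkit prints as "You have N process hidden for readdir command". Like the real tools, it must be run from a trusted copy of the interpreter: a rootkit that hooks kill() or fakes /proc/<pid>/status defeats it, which is why these checks belong on a mounted image or a boot from trusted media.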

Digital Anti Forensics


Install truecrypt
This script installs TrueCrypt, software that creates encrypted container files (or whole encrypted partitions) using a choice of ciphers. It supports hidden volumes inside a container and can use keyfiles as well as, or instead of, a text password. Look here for a more in-depth TrueCrypt tutorial. Note that TrueCrypt development ended in 2014 and it is no longer maintained; VeraCrypt is the maintained successor and can still open TrueCrypt volumes.

Digital Forensics
hexedit
hexedit is a program that lets the user view and edit a file in hexadecimal and ASCII side by side. It can also open a block device as if it were a file, so a raw disk or partition can be inspected directly. It includes built-in key shortcuts to make editing and analysis fast, including jumping to a specific offset, cutting and pasting, and switching views and modes, with key bindings similar to those of emacs. Example usage: hexedit [filename]

Forensic Analysis Tools


bulk_extractor
bulk_extractor is a utility that scans disk images, files or directories and writes out the features it finds in them. What separates bulk_extractor from similar tools is its speed: it does not parse file system structures at all but works over the raw bytes, so it runs quickly and also recovers data from unallocated space, slack space and fragments of deleted files that a file-system-aware tool would never look at. The output directory contains one text file per feature type, such as ccn.txt (credit card numbers), email.txt (email addresses), exif.txt (EXIF data from media files), url.txt (URLs found), and more, each line giving the byte offset at which the feature was found. Example usage: bulk_extractor -o [output directory] [input] Note that the output directory must not already exist.
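To make the "no file system, just bytes" approach concrete, here is an added example (not bulk_extractor's code) that walks a buffer in overlapping blocks and records e-mail addresses, URLs and Luhn-valid card numbers with their byte offsets, then writes bulk_extractor-style feature files. The sample buffer, the block and overlap sizes and the regular expressions are assumptions made for the example; bulk_extractor's own scanners are far more elaborate.

```python
"""Raw-buffer feature extraction in the style of bulk_extractor: walk the
bytes in overlapping blocks, ignore any file-system structure, and record
e-mail addresses, URLs and Luhn-valid card numbers with their byte offsets.

Added example, not bulk_extractor's own code.  The sample buffer is
constructed here, including the card number (a well-known test number)."""
import os
import re
import tempfile
from collections import defaultdict

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=&%_:~#-]+")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CCN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SCANNERS = (("email", EMAIL_RE), ("url", URL_RE), ("ccn", CCN_RE))


def luhn_ok(digits):
    """Luhn checksum; rejects about 90% of random digit runs but still passes
    some timestamps and serial numbers, so treat ccn hits as leads."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(data, block=1 << 16, overlap=64):
    """Return {feature: [(offset, text), ...]} for the whole buffer.

    Each block is scanned together with `overlap` bytes on either side so a
    feature crossing a block boundary is still seen whole, and a feature is
    reported only by the block in which it starts, so it is reported once.
    `overlap` must exceed the longest feature you expect to recover."""
    hits = defaultdict(list)
    for start in range(0, len(data), block):
        lo = max(0, start - overlap)
        window = data[lo:start + block + overlap]
        final = lo + len(window) >= len(data)
        for name, rx in SCANNERS:
            for m in rx.finditer(window):
                off = lo + m.start()
                if not start <= off < start + block:
                    continue            # belongs to a neighbouring block
                if m.end() == len(window) and not final:
                    continue            # cut off by the window edge
                text = m.group(0)
                if name == "ccn":
                    digits = re.sub(rb"[ -]", b"", text).decode()
                    if not luhn_ok(digits):
                        continue
                    text = digits.encode()
                hits[name].append((off, text.decode("latin-1")))
    return dict(hits)


def write_feature_files(hits, out_dir=None):
    """Emit bulk_extractor-style feature files, one <feature>.txt per type
    with 'offset<TAB>value' lines.  The directory must not already exist."""
    if out_dir is None:
        out_dir = os.path.join(tempfile.mkdtemp(prefix="features-"), "out")
    os.mkdir(out_dir)
    paths = {}
    for name, entries in hits.items():
        paths[name] = os.path.join(out_dir, f"{name}.txt")
        with open(paths[name], "w") as fh:
            for off, text in entries:
                fh.write(f"{off}\t{text}\n")
    return paths


# Constructed sample: a fragment of unallocated space with mail headers,
# UTF-16 noise, a URL, one Luhn-valid test card number and one that fails.
SAMPLE = (
    b"\x00" * 40
    + b"From: alice@example.com\r\nTo: bob@example.org\r\n"
    + b"\xff\xfe" * 10
    + b"visit https://example.com/login?user=alice now "
    + b"card 4111 1111 1111 1111 exp 12/29; bogus 1234 5678 9012 3456 "
    + b"\x00" * 40
)
```

The offsets are what make such output useful: they let you go back to the image with hexedit or a carver and see what surrounds a hit, and they are stable across runs because the scan does not depend on any file system interpretation.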

evtparse.pl
This utility takes .evt files, the Windows 2000/XP/2003 event log format used by Event Viewer (Vista and later use the .evtx format, which this script does not handle), and parses them into something useful for investigators, including a timeline-style listing of the events. Example usage: evtparse.pl -e [event_log]

exiftool
exiftool reads and writes metadata (EXIF, IPTC, XMP and more) in image, video and audio files. Two examples from the exiftool man page: the first prints all tags including duplicates (-a) and unknown tags (-u), grouped by family-1 group name (-g1); the second writes a comment into the file. Writing modifies the file, so on evidence run it only against a working copy. Example usage: exiftool -a -u -g1 [image_file] Example usage: exiftool -Comment="Enter a comment here" [image_file]

missidentify
The missidentify tool finds Windows 32-bit executable files by looking at the file header rather than the file extension, so renamed or disguised executables are found too. It can search recursively through directories (-r) and reports each match to the user. Example usage: missidentify -r [location]

mork.pl

A Perl script that extracts information from a Mork database file. Mork is a format Mozilla programs used to store data such as Firefox browsing history and Thunderbird contacts. Newer Firefox versions store browser data in SQLite databases instead, while Thunderbird still used Mork when this was written. The following example uses mork.pl to create an HTML file from a Mork file. Example usage: mork.pl html [Mork_file]

pref.pl
This Perl script parses the contents of Windows XP and Windows Vista prefetch (.pf) files, which record which executables were run, how many times and when. The output can be written as comma separated values (.csv) for easier viewing. In the following example, pref.pl parses a Vista prefetch file (XP is the default) and outputs it as CSV. Example usage: pref.pl -v -f [prefetch_file] -c
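The two formats pref.pl handles differ only in where the last-run time and run count sit in the header, which is the reason for its -v switch. The added example below (not pref.pl's code) parses those header fields from constructed version 17 (XP) and version 23 (Vista/7) buffers and emits the same kind of CSV row; the field offsets follow the public descriptions of the .pf format, and the sample files, name and hash value are constructed for the example.

```python
"""Parse the header of Windows XP (format version 17) and Vista/7 (version
23) prefetch files: executable name, prefetch hash, last run time and run
count, then emit a CSV row as pref.pl does.

Added example, not pref.pl.  Field offsets follow the public descriptions
of the .pf format; the sample files below are constructed, not real."""
import struct
from datetime import datetime, timedelta, timezone

# Per-version offsets of the two fields that move between format versions.
LAYOUT = {
    17: {"os": "Windows XP/2003", "last_run": 0x78, "run_count": 0x90},
    23: {"os": "Windows Vista/7", "last_run": 0x80, "run_count": 0x98},
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_compressed(data):
    """Windows 10+ prefetch files are Xpress-Huffman compressed ('MAM' magic)
    and must be decompressed before this header layout applies."""
    return data[:3] == b"MAM"


def parse_prefetch(data):
    if is_compressed(data):
        raise ValueError("compressed (Windows 10+) prefetch file; decompress first")
    if len(data) < 0x9C:
        raise ValueError("file too short to be a prefetch header")
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    layout = LAYOUT[version]
    # 60 bytes of UTF-16LE at 0x10, NUL terminated.
    name = data[0x10:0x4C].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "os": layout["os"],
        "file_size": file_size,
        "executable": name,
        "hash": f"{pf_hash:08X}",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def to_csv_row(record):
    """executable,hash,last_run (UTC),run_count"""
    return ",".join([record["executable"], record["hash"],
                     record["last_run"].strftime("%Y-%m-%d %H:%M:%S"),
                     str(record["run_count"])])


def build_sample(version, name, last_run_ft, run_count, pf_hash=0x1234ABCD):
    """Constructed fixture: a minimal buffer carrying only the header fields
    parsed above (a real file also has section tables, volume and file lists)."""
    buf = bytearray(0x100)
    layout = LAYOUT[version]
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, len(buf))
    encoded = name.encode("utf-16-le")
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    struct.pack_into("<Q", buf, layout["last_run"], last_run_ft)
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


# 2011-01-01 00:00:00 UTC expressed as a FILETIME.
SAMPLE_FILETIME = 129383136000000000
```

The last-run time is the field investigators usually want, and it is stored as a FILETIME in UTC, so convert it before comparing with other timeline sources rather than assuming local time.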

ptk
PTK is a browser-based forensic toolkit built on top of The Sleuth Kit, an alternative front end to Autopsy. It contains built-in modules for analyzing most types of media and file types that come up in a forensic investigation. It first needs a MySQL database configured: leave all fields at their defaults and use the password toor for the MySQL root user (BackTrack's default). Once setup succeeds, register for the free version and copy the license file you receive into PTK's config directory at /var/www/ptk/config.

Next, log in as either admin or investigator and open a new case. Fill out the necessary information, then add an image file to begin; it can even be a RAM dump. From here, the built-in tools help you pull information from the image(s).

readpst
readpst is a command line utility that takes Microsoft Outlook PST files and converts them into mbox format. Mbox files are easier to read and manipulate than PST files, so this lets investigators view the mail contained in a PST with ordinary mail tools. In the example below, the mail in mail.pst is converted to mbox format and written to the root user's desktop. Example usage: readpst -o /root/Desktop/ mail.pst

reglookup
RegLookup is a utility that prints the contents of Windows NT-family registry hive files (SAM, SYSTEM, SOFTWARE, NTUSER.DAT and so on). It outputs the keys and values one per line in an easily readable form that is simple to grep, and includes several filtering options (by key path and by value type) to make the output even more useful. The example below prints everything found in the hive file [registry-file]. Example usage: reglookup -v [registry-file]

stegdetect
Stegdetect is a program that attempts to detect steganographic messages embedded in media. It accepts JPEG images and looks for the signatures of several well-known steganography tools in order to alert the user that data may be embedded in the file. The -t option selects which tests to run; jopi below enables the jsteg (j), outguess (o), jphide (p) and invisible secrets (i) tests. Example usage: stegdetect -t jopi [file.jpg]

vinetto
Vinetto is a tool for analyzing Thumbs.db files. Thumbs.db files contain thumbnail images and metadata for pictures stored on a filesystem, and often survive after the original image has been deleted. Vinetto extracts those thumbnails and the metadata from them. Vinetto has several modes; the two most useful are elementary mode, which analyzes an individual Thumbs.db file, and filesystem mode, which takes an entire filesystem image and searches it for Thumbs.db files to analyze. The first example below shows basic elementary mode; the second writes the thumbnails to a directory of your choice (-o) and an HTML report into that same directory (-H). Example usage: vinetto [thumbs.db file] Example usage: vinetto -H -o [directory to write thumbnails and report] [thumbs.db file]

Forensic Carving Tools


fatback
Fatback is a tool for recovering deleted files from FAT filesystems. It reads an image of a FAT filesystem and writes all deleted files it finds into a directory chosen by the user. This is useful in investigations involving Windows machines, since many older Windows installations use a FAT filesystem (FAT16 or FAT32), and most USB flash drives are still FAT formatted. The example below takes a FAT filesystem image, writes fatback's log to a file chosen by the user (-l), prints verbosely to the terminal (-v), writes recovered files to a directory chosen by the user (-o) and automatically recovers every file that has been deleted (-a). Example usage: fatback [image] -l [logfile to output] -v -o [output directory] -a

foremost
Foremost is a well-known file carving utility. It takes image files, such as those created by dd, and searches for file headers (and footers, where the type has one) in order to recover files without relying on the file system. Recovered files are written to a directory chosen by the user. The example below carves JPEG images out of image.img (an image file created by dd) and writes everything found to /root/Desktop/output/. Example usage: foremost -v -t jpeg -o /root/Desktop/output/ -i image.img

magicrescue
Magic Rescue is a program that searches a filesystem image or block device for magic numbers and attempts to recover the files they belong to. Magic numbers are a few bytes at a fixed position that identify a file type. The example below uses the jpeg-jfif recipe (others are found in the magicrescue recipes directory, e.g. /usr/local/share/magicrescue/recipes), meaning it looks for JPEG files by their JFIF header. The output directory is /root/Desktop/output/ and the input is /dev/sdb1, although it can be any block device or image file. Example usage: magicrescue -r jpeg-jfif -d /root/Desktop/output/ /dev/sdb1

recoverjpeg
RecoverJPEG is another utility for recovering JPEG images from a filesystem. It accepts either a partition (such as /dev/sda1) or an image file such as one produced by dd. The example below recovers JPEG images found in image.img. Example usage: recoverjpeg image.img

safecopy
Safecopy is a program for recovering as much data as possible from a damaged device such as a hard drive or USB stick. Unlike dd, cat or cp, safecopy is built for damaged media: those tools abort at the first read error (dd unless told conv=noerror), whereas safecopy identifies the unreadable areas, skips around them and keeps going to the end of the device or to the point the user designates. The example reads the raw device /dev/sdb1 (on which cp and dd fail) and writes what it can recover into a single image file, /root/Desktop/rescued.img. Example usage: safecopy /dev/sdb1 /root/Desktop/rescued.img

scalpel
Scalpel is a well-known file carving utility that uses a database of known file header and footer signatures to carve files out of a disk image. Before using Scalpel, edit scalpel.conf to tell it which file types you are looking for: an example configuration file ships with Scalpel with every type commented out, so just uncomment the lines for each type you are searching for. This example uses a configuration file named scalpel.conf, searches the disk image image.img and writes all carved files to /root/Desktop/scalpel_results/. Example usage: scalpel -c scalpel.conf -o /root/Desktop/scalpel_results/ image.img
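Foremost, magicrescue and scalpel all carve the same way: find a type's signature anywhere in the bytes, then cut until the matching footer or a size cap. The added example below (not code from any of those tools) does exactly that over a constructed image containing a JPEG, a PNG and a JPEG whose footer has been overwritten, and names the output by offset the way foremost does; the signature table, size cap and image contents are assumptions for the example.

```python
"""Header/footer carving over a raw image, the approach foremost, scalpel
and magicrescue share: find a file-type signature anywhere in the bytes,
then cut until the matching footer (or a size cap when there is none).

Added example, not any of those tools' code.  The image is constructed."""
import os
import tempfile

SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00;"),
}


def carve(data, signatures=SIGNATURES, max_size=20_000_000):
    """Return carved files as dicts sorted by offset.

    Every header occurrence is considered, so a thumbnail JPEG embedded in
    a larger JPEG's EXIF block is carved on its own as well, which is what
    foremost and scalpel do.  A header with no footer within max_size is
    carved up to max_size and flagged truncated."""
    results = []
    for ftype, (header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            limit = min(len(data), pos + max_size)
            end = data.find(footer, pos + len(header), limit)
            if end == -1:
                results.append({"type": ftype, "offset": pos, "truncated": True,
                                "data": data[pos:limit]})
            else:
                results.append({"type": ftype, "offset": pos, "truncated": False,
                                "data": data[pos:end + len(footer)]})
            pos = data.find(header, pos + 1)
    results.sort(key=lambda r: r["offset"])
    return results


def carve_to_dir(data, out_dir=None, **kwargs):
    """Write each carved file as <offset>.<type>, naming by position rather
    than by any name from a file system.  Returns the directory and paths."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="carved-")
    paths = []
    for rec in carve(data, **kwargs):
        suffix = "-partial" if rec["truncated"] else ""
        path = os.path.join(out_dir, f"{rec['offset']:08d}{suffix}.{rec['type']}")
        with open(path, "wb") as fh:
            fh.write(rec["data"])
        paths.append(path)
    return out_dir, paths


# Constructed image: slack, a complete JPEG, junk, a complete PNG, slack,
# and a JPEG header whose footer was overwritten (carved as partial).
IMAGE = (
    b"\x00" * 100
    + b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 50 + b"\xff\xd9"
    + b"\x17" * 30
    + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"B" * 20 + b"IEND\xaeB`\x82"
    + b"\x00" * 200
    + b"\xff\xd8\xff\xe1" + b"C" * 10
)
```

The truncated case is the one to watch in practice: fragmented or overwritten files yield a header with no footer, and a carver will happily emit max_size bytes of whatever follows, so treat "-partial" output as a lead to confirm rather than a recovered file.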

scrounge-ntfs
Scrounge-NTFS is a utility that recovers files from a damaged NTFS partition. It uses information supplied by the user to rebuild the filesystem tree, which it writes out to a directory on another partition. You need to know the start and end sectors of the partition (and ideally its cluster size and MFT offset); the project page gives hints on guessing the partition information. The example below uses a cluster size of 8 sectors (4 KiB, the most common; cluster sizes are always powers of two), sets the output directory to /root/Desktop/output/, reads from /dev/sdb, and works from sector 63 to sector 81920000, meaning the partition is about 40 GB. Example usage: scrounge -c 8 -o /root/Desktop/output/ /dev/sdb 63 81920000

testdisk
TestDisk is a program that specializes in recovering lost disk partitions, and making disks bootable. It has the ability to rebuild partition tables, rebuild boot sectors, fix the Master File Table (MFT), recover files, and more. The program contains many features, so rather than post a small example usage here, I would suggest looking at their very thorough Step by Step Guide.

Forensic Hashing Tools


hashdeep
Hashdeep is a utility that computes hashes for many files at once, walking recursively (-r) through directories and hashing every file found. It also has matching and auditing modes (-m and -a, with a known-hashes file given by -k) that compare a directory against a previously saved list of digests and report files that were modified, added or removed. By default it computes the MD5 and SHA-256 hashes of each file, although others can be selected with -c; available hash types are MD5, SHA-1, SHA-256, Tiger and Whirlpool. The example below generates MD5 and SHA-256 hashes (the same as the default when no -c is given) for all files under /root/Desktop/files/. Example usage: hashdeep -r -c md5,sha256 /root/Desktop/files/

md5deep
md5deep computes and compares MD5 message digests. Like hashdeep it recurses into directories with -r and can match files against a list of known hashes with -m; a shell wildcard such as /root/Desktop/* only covers the top level, so use -r for a full tree. The example below recursively creates MD5 digests of every file under /root/Desktop/. Example usage: md5deep -r /root/Desktop/

sha1deep
Like md5deep, sha1deep computes and compares message digests, but using SHA-1. The usage is the same as md5deep; the example below creates SHA-1 digests of the files under /root/Desktop/. Example usage: sha1deep -r /root/Desktop/

sha256deep
Like md5deep, sha256deep computes and compares message digests, but using SHA-256. The usage is the same as md5deep; the example below creates SHA-256 digests of the files under /root/Desktop/. Example usage: sha256deep -r /root/Desktop/

tigerdeep
Like md5deep, tigerdeep computes and compares message digests, but using Tiger. The usage is the same as md5deep; the example below creates Tiger digests of the files under /root/Desktop/. Example usage: tigerdeep -r /root/Desktop/

whirlpooldeep
Like md5deep, whirlpooldeep computes and compares message digests, but using Whirlpool. The usage is the same as md5deep; the example below creates Whirlpool digests of the files under /root/Desktop/. Example usage: whirlpooldeep -r /root/Desktop/
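What hashdeep and the *deep family actually do is simple enough to show in full. The added example below (not hashdeep's or md5deep's code) hashes a directory tree with several algorithms in one pass, renders the manifest in hashdeep's size,md5,sha256,filename layout, and audits a later snapshot against it the way hashdeep -a does, distinguishing modified, moved, new and missing files. The sample tree and the changes made to it are constructed in a temporary directory for the example.

```python
"""Recursive multi-algorithm hashing of a directory tree with a
hashdeep-style audit: which files match a known manifest, were modified,
moved, added or removed.

Added example, not hashdeep's or md5deep's code.  The sample tree is
constructed in a temporary directory."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")   # hashdeep's defaults


def hash_file(path, algorithms=ALGORITHMS):
    """Hash one file with every requested algorithm in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root, algorithms=ALGORITHMS):
    """{relative path: {'size': n, 'md5': ..., 'sha256': ...}} for every
    regular file under root, in a deterministic order (symlinks skipped)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            entry = {"size": os.path.getsize(path)}
            entry.update(hash_file(path, algorithms))
            manifest[os.path.relpath(path, root)] = entry
    return manifest


def to_hashdeep(manifest, algorithms=ALGORITHMS):
    """Render a manifest in hashdeep's 'size,md5,sha256,filename' layout."""
    lines = ["%%%% HASHDEEP-1.0", "%%%% size," + ",".join(algorithms) + ",filename"]
    for path, entry in manifest.items():
        lines.append(",".join([str(entry["size"])] + [entry[a] for a in algorithms] + [path]))
    return "\n".join(lines) + "\n"


def audit(known, current):
    """Compare a current manifest against a known-good one (hashdeep -a)."""
    digests = lambda e: tuple(v for k, v in sorted(e.items()) if k != "size")
    report = {"matched": [], "modified": [], "moved": [], "new": [], "missing": []}
    for path, entry in known.items():
        if path not in current:
            report["missing"].append(path)
        elif digests(current[path]) == digests(entry):
            report["matched"].append(path)
        else:
            report["modified"].append(path)
    report["new"] = [p for p in current if p not in known]
    # A missing file whose digests reappear under a new name was moved.
    by_digest = {digests(current[p]): p for p in report["new"]}
    for path in list(report["missing"]):
        new_path = by_digest.get(digests(known[path]))
        if new_path is not None:
            report["moved"].append((path, new_path))
            report["missing"].remove(path)
            report["new"].remove(new_path)
    return report


def make_sample_tree():
    """Constructed fixture: a.txt, d.txt and sub/b.bin in a temp directory."""
    root = tempfile.mkdtemp(prefix="hashaudit-")
    os.mkdir(os.path.join(root, "sub"))
    for rel, content in (("a.txt", b"hello\n"), ("d.txt", b"move me\n"),
                         (os.path.join("sub", "b.bin"), bytes(range(256)))):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


def tamper(root):
    """Simulate changes between baseline and audit: modify a.txt, delete
    sub/b.bin, add c.txt and rename d.txt to e.txt."""
    with open(os.path.join(root, "a.txt"), "ab") as fh:
        fh.write(b"!")
    os.remove(os.path.join(root, "sub", "b.bin"))
    with open(os.path.join(root, "c.txt"), "wb") as fh:
        fh.write(b"new\n")
    os.rename(os.path.join(root, "d.txt"), os.path.join(root, "e.txt"))
```

Computing two digests in one read pass is the point of hashdeep over running md5deep and sha256deep separately: the disk is read once, and a match on both algorithms survives the collision weaknesses of MD5 alone.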

Forensic Imaging Tools


air
AIR (Automated Image and Restore) is a utility for creating forensic disk images of drives. AIR itself is a GUI front end for dd/dc3dd, which is the program that actually creates the image; the GUI adds hashing of source and image, logging, and restoring an image back to a device. On BackTrack, when you first select AIR it downloads and compiles the components it needs. From there, the GUI is straightforward.

AIR GUI

dc3dd
dc3dd is a patched version of dd, the utility that does low-level block copying, developed at the DoD Cyber Crime Center (DC3) with features of great use to forensic investigators: on-the-fly hashing of the data as it is read, hashes over fixed-size windows, split output, progress reporting and a log file, plus dd's own conv=noerror,sync behaviour of logging read errors and padding the unreadable block with zeros so offsets in the image still match the source. The example below splits a large disk image into smaller pieces, which is extremely useful when an image is too large to move around easily. It takes /dev/sda as the input, hashes the whole input and each 2 GB window with MD5 and SHA-1, splits the output into 2 GB pieces named with a three-digit numeric suffix, logs everything to /root/Desktop/log.txt and writes the pieces under /root/Desktop/images. Note that this is the dc3dd 6.x option syntax; dc3dd 7.x renamed several options (for example ofs= and ofsz= for split output and hlog= for the hash log), so check the man page for your version. Example usage: dc3dd if=/dev/sda progress=on hashconv=after hash=md5,sha1 hashwindow=2GB splitformat=000 split=2GB log=/root/Desktop/log.txt bs=512 iflag=direct conv=noerror,sync of=/root/Desktop/images

ddrescue
ddrescue (GNU ddrescue) copies data from one file or block device to another. On a damaged device it does not stop at read errors: it first copies all the readable areas, then goes back to retry the bad ones, recording what has been recovered in a log file (called a mapfile in newer versions) so a run can be interrupted and resumed. Plain dd with conv=noerror,sync simply fills unreadable blocks with zeros and moves on. ddrescue can also merge several damaged copies of the same file into a single copy with (hopefully) no damage. The example below is from the ddrescue manual: together, these commands rescue a disk containing three ext2 partitions. The first pass copies the easy parts and skips the slow splitting of bad areas (-n), forcing output to a device (-f); the second pass uses direct disc access (-d) and retries the bad areas three times (-r3); fdisk and e2fsck are then used to check the partition table and filesystems on the copy.
Example usage: ddrescue -f -n /dev/hda /dev/hdb logfile
Example usage: ddrescue -d -f -r3 /dev/hda /dev/hdb logfile
Example usage: fdisk /dev/hdb
Example usage: e2fsck -v -f /dev/hdb1
Example usage: e2fsck -v -f /dev/hdb2

ewfacquire
ewfacquire (from libewf) creates disk images in the EWF (Expert Witness) format used by several forensic tools, including EnCase and FTK (Forensic Toolkit). The format stores an MD5 digest of the data inside the image, and ewfacquire can add others such as SHA-1. The example below images /dev/sdb1, computes an additional SHA-1 digest (-d sha1) and logs to /root/Desktop/log.txt. Example usage: ewfacquire -d sha1 -l /root/Desktop/log.txt /dev/sdb1
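The safeguards these imaging tools share are easy to state but worth seeing end to end: hash every block as it is read, keep per-window digests so a damaged piece can be localised, split the output, log unreadable blocks and write zeros in their place so offsets still line up (dd's conv=noerror,sync behaviour that dc3dd keeps and that safecopy and ddrescue work around more cleverly). The added example below, not code from dc3dd, ddrescue, safecopy or ewfacquire, does all of this against a constructed in-memory "device" with one bad sector; the block size, split size and file naming are assumptions for the example.

```python
"""Imaging with the safeguards dc3dd/ddrescue/safecopy provide: every block
is hashed as it is read, per-window digests are kept, the output is split
into fixed-size pieces, and an unreadable block is logged and written as
zeros so offsets in the image still line up with the source
(dd's conv=noerror,sync behaviour).

Added example, not code from any of those tools.  The damaged "device"
is a constructed in-memory source."""
import hashlib
import os
import tempfile


class BadSectorSource:
    """Stand-in for a device with unreadable sectors: read_block() raises
    EIO for any block index listed in bad_blocks."""

    def __init__(self, data, bad_blocks=(), block_size=512):
        self.data, self.bad, self.bs = data, set(bad_blocks), block_size

    def block_count(self):
        return -(-len(self.data) // self.bs)

    def read_block(self, index):
        if index in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[index * self.bs:(index + 1) * self.bs]


def digest(data, algorithm):
    return hashlib.new(algorithm, data).hexdigest()


def image(source, out_dir=None, split_size=2 << 30, window=None,
          algorithms=("md5", "sha1"), base="image"):
    """Copy `source` into out_dir/base.000, base.001, ... and return a dict
    with whole-image hashes, per-window hashes, bad-block log and file list."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="imaging-")
    bs = source.bs
    total = {a: hashlib.new(a) for a in algorithms}
    win = {a: hashlib.new(a) for a in algorithms}
    windows, bad_blocks, files = [], [], []
    out, in_file, copied = None, 0, 0
    for index in range(source.block_count()):
        try:
            block = source.read_block(index)
        except OSError as exc:
            bad_blocks.append({"block": index, "offset": index * bs, "error": exc.strerror})
            block = b"\x00" * bs          # noerror,sync: pad, keep offsets
        if out is None or in_file >= split_size:
            if out:
                out.close()
            path = os.path.join(out_dir, f"{base}.{len(files):03d}")
            out = open(path, "wb")
            files.append(path)
            in_file = 0
        out.write(block)
        in_file += len(block)
        copied += len(block)
        for a in algorithms:
            total[a].update(block)
            win[a].update(block)
        if window and copied % window == 0:
            windows.append({"end": copied, **{a: win[a].hexdigest() for a in algorithms}})
            win = {a: hashlib.new(a) for a in algorithms}
    if out:
        out.close()
    if window and copied % window:
        windows.append({"end": copied, **{a: win[a].hexdigest() for a in algorithms}})
    return {"bytes": copied, "files": files, "bad_blocks": bad_blocks, "windows": windows,
            "total": {a: total[a].hexdigest() for a in algorithms}}


def verify(result):
    """Re-read the split files in order and confirm they reproduce the
    whole-image digests, the check an examiner records before analysis."""
    hashers = {a: hashlib.new(a) for a in result["total"]}
    for path in result["files"]:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                for h in hashers.values():
                    h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()} == result["total"]


def read_back(result):
    """Concatenate the split files (the cat image.* step)."""
    return b"".join(open(path, "rb").read() for path in result["files"])
```

Note what the bad-block log buys you: the image hash no longer matches the source (it cannot, the source is unreadable there), but the log plus the window hashes tell you exactly which 2 GB of the image is affected, and everything outside that window still verifies.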

Forensic Suites
ptk
PTK is described under Forensic Analysis Tools above; the same setup and case-creation steps apply.

setup autopsy
Autopsy is a GUI (uses web interface) to tools found in the Sleuthkit forensics toolkit. Autopsy specializes in analyzing disk images, and can retrieve information from them using search or browse functions. For a tutorial on retrieving deleted information from a disk, take a look at this Autopsy Tutorial.

sleuthkit
The Sleuth Kit is a collection of command line tools for digital forensic investigations and the official successor to The Coroner's Toolkit (TCT). It is not one program but a set of utilities such as ils, blkls, fls, fsstat, ffind, mactime and disk_stat. mactime does not read a disk image directly: it builds a timeline from a body file produced by fls -m (and ils -m for unallocated inodes). The example below lists every file in image.dd into a body file and then prints, in comma-delimited (-d), year-first (-y) form, all file activity on or after 1 January 2011:
Example usage: fls -r -m / image.dd > body.txt
Example usage: mactime -b body.txt -d -y 2011-01-01
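A body file is just one line per file with four timestamps, and mactime's job is to turn that into one row per event with an m/a/c/b flag string. The added example below (not mactime's code) does the same over constructed fls -m style lines: parse the body file, expand each file into its timestamp events, merge events that share a second, sort, filter by a date range in the two forms mactime accepts and print comma-delimited rows; the sample paths and times are constructed for the example.

```python
"""Build a MACB timeline from Sleuth Kit body-file lines, as mactime does:
each file contributes up to four events (mtime, atime, ctime, crtime),
events at the same second for the same file are merged into one row with
an m/a/c/b flag string, and the result is sorted and date-filtered.

Added example, not mactime's code.  The body lines below are constructed
in the format fls -m / ils -m produce."""
from datetime import datetime, timezone

BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
EVENT_LETTERS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_date(text):
    """Accept mactime's yyyy-mm-dd or mm/dd/yyyy forms; returns UTC epoch seconds."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text}")


def parse_body(text):
    """Yield one dict per body-file line; blank lines and comments skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(BODY_FIELDS):
            raise ValueError(f"line {lineno}: expected {len(BODY_FIELDS)} fields")
        rec = dict(zip(BODY_FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        yield rec


def timeline(body_text, since=None, until=None):
    """Rows sorted by (time, name); since/until are epoch seconds, inclusive."""
    merged = {}                             # (ts, name) -> (record, letters)
    for rec in parse_body(body_text):
        for letter, key in EVENT_LETTERS:
            ts = rec[key]
            if ts <= 0:                     # unset timestamp; mactime skips these
                continue
            if (since is not None and ts < since) or (until is not None and ts > until):
                continue
            merged.setdefault((ts, rec["name"]), (rec, set()))[1].add(letter)
    rows = []
    for (ts, name), (rec, letters) in sorted(merged.items()):
        rows.append({
            "time": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "macb": "".join(l if l in letters else "." for l, _ in EVENT_LETTERS),
            "size": rec["size"], "mode": rec["mode"], "uid": rec["uid"],
            "gid": rec["gid"], "inode": rec["inode"], "name": name,
        })
    return rows


def format_rows(rows, delimiter=","):
    """mactime -d style output: one delimited line per row."""
    columns = ("time", "size", "macb", "mode", "uid", "gid", "inode", "name")
    return "\n".join(delimiter.join(str(r[k]) for k in columns) for r in rows)


# Constructed body file (fls -m output): a shell history with an old
# creation time, a password file touched later, and a hidden file in /tmp
# created last.
BODY = """\
0|/home/alice/.bash_history|1234|r/rrw-------|1000|1000|512|1293900000|1293890000|1293890000|1262304000
0|/etc/passwd|100|r/rrw-r--r--|0|0|2048|1293900000|1293900000|1293900000|1293900000
0|/tmp/.x|2000|r/rrwxr-xr-x|0|0|4096|1293950000|1293950000|1293950000|1293950000
"""
```

The flag string is what makes the timeline readable: "macb" on a single row means all four timestamps were set at once (a file created and never touched again), while a lone ".a.." row for a file that was modified earlier is a read that happened after the write.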

Network Forensics

driftnet
Driftnet is a network utility that sniffs traffic for images and other media and displays them in an X window. This is useful during investigations where users' Internet habits are being monitored: rather than sifting through all traffic in Wireshark, Driftnet automatically picks out images and media and displays them. In the example below we capture on the wireless interface wlan0 (Driftnet puts the interface into promiscuous mode unless told otherwise) and ask for verbose output. Example usage: driftnet -i wlan0 -v

p0f
p0f is a passive host identifier. It uses a fingerprinting technique that looks at the structure of a host's TCP/IP packets (initial window size, TTL, options and their order) in order to guess its operating system and other properties. What sets p0f apart from other host analyzers is that it is completely passive: it never sends a packet. All the host has to do is connect to the same network or be contacted by another host on it, and the packets from those exchanges give p0f enough data to guess the system. Note that p0f needs a fingerprint database; in this example it reads fingerprints from /etc/p0f/p0f.fp and listens on wlan0 via libpcap. Example usage: p0f -f /etc/p0f/p0f.fp -i wlan0

tcpreplay
tcpreplay is a suite of network utilities that takes previously captured traffic and replays the packets onto a live network. It is often used for testing devices on the network, such as firewalls or Intrusion Detection/Prevention Systems (IDS/IPS), against real traffic. The suite consists of:
tcpprep: analyzes packet capture files to decide which side is client and which is server, and writes a cache file for tcpreplay and tcprewrite
tcprewrite: edits the Layer 2 through Layer 4 headers of packets in a capture file (MAC and IP addresses, ports and so on)
tcpreplay: injects a packet capture file back onto the live network
tcpreplay-edit: tcpreplay and tcprewrite combined, editing packets while replaying them
tcpbridge: bridges two network segments, optionally rewriting packets with tcprewrite's capabilities
tcpcapinfo: decodes and validates raw packet capture files for debugging
Example usage: tcpreplay -i eth0 capture.pcap

Wireshark
Wireshark is the well-known packet capture and analysis program used by thousands of professionals and amateurs alike. It lets users capture on a network interface via libpcap and saves the traffic to a capture file. Beyond capture, Wireshark provides a graphical way to filter and analyze the traffic: following TCP streams, filtering out ARP or broadcast packets, and virtually any other display filter you can imagine. For evidentiary work, capture with dumpcap or tshark and keep the original pcap file together with its hash; the GUI is for analysis.

Xplico
Xplico is a Network Forensic Analysis Tool (NFAT) that specializes in extracting application data from packet capture files. Although it can also capture live traffic, it is best suited to pcap analysis. Xplico extracts email, HTTP, VoIP, FTP and other data directly from a pcap and presents it to the user as the original application data; for example, it can reconstruct an image sent over FTP from the capture of that FTP session. In the example below, Xplico decodes capture.pcap. Example usage: xplico -m pcap -f capture.pcap

Password Forensics Tools

CmosPwd
CmosPwd is a BIOS password recovery tool. It supports many BIOS models, with a different recovery method for each, and works by reading the password from CMOS memory. Because it has to run from an operating system (DOS, Windows or Linux as root) with access to the CMOS ports, it cannot help while a BIOS password blocks booting; you need another way to boot the machine, or to reset the CMOS in hardware first. Usage itself is simple. In the following example we clear the CMOS memory entirely, which removes the password along with the rest of the BIOS settings. Example usage: cmospwd /k

fcrackzip
fcrackzip is a utility for cracking password-protected Zip files. There are many Zip crackers, but fcrackzip excels in speed and features, especially its brute force mode. It is very easy to use. In the examples below we attack crack.zip by brute force (-b) and with a dictionary attack (-D) taking candidate passwords from passwords.txt (-p). Because fcrackzip's own check is based on a checksum it can report false positives, so add -u to have each candidate verified by actually unzipping the file. Example usage: fcrackzip -b -u crack.zip Example usage: fcrackzip -D -p passwords.txt -u crack.zip

samdump
Samdump is a utility that extracts password hashes from SAM files, the registry hives on Windows systems that hold the local user accounts. With the hashes retrieved, you can crack them with another program. In this example we retrieve the hashes from an exported SAM hive named sam.file. Note that on Windows 2000 and later the SAM is encrypted with a boot key (SYSKEY) stored in the SYSTEM hive, so the current samdump2 needs both hives: samdump2 SYSTEM SAM. Example usage: samdump sam.file

PDF Forensic Tools

pdfid
pdfid is a utility that triages a PDF file without fully parsing it: it counts occurrences of structural keywords such as obj, endobj, stream and xref and of names that commonly appear in malicious PDFs, such as /JS, /JavaScript, /OpenAction, /AA and /Launch, after undoing the #xx hex escapes attackers use to hide them. Many PDF exploits leave telltale counts (JavaScript together with an OpenAction, or obj and endobj counts that do not match), so pdfid can quickly show whether a PDF deserves a closer look. In this example we simply gather those counts for a PDF file called file.pdf. Example usage: pdfid.py file.pdf

pdf-parser
pdf-parser is a program that displays detailed information about a PDF file. A very useful feature is the ability to run a stream through a filter such as FlateDecode or ASCIIHexDecode; these filters are often used to obfuscate code inside PDF files, so decoding the streams helps expose exploit attempts. In addition, pdf-parser can display individual objects and data streams, search for keywords, and provide statistics for the document. In the example below we use pdf-parser to get an overview of file.pdf with the --stats option. Example usage: pdf-parser.py --stats file.pdf

peepdf
peepdf is a very thorough utility for analyzing and editing PDF documents at the byte level. It offers basic command line usage but also an in-depth interactive console. The command line usage gives a basic overview of the PDF file, while the interactive console provides the more powerful functions (extracting and decoding streams, running the embedded JavaScript through an interpreter, modifying objects). In the first example we use peepdf to get an overview of file.pdf, while the second shows how to enter interactive mode on file.pdf. Example usage: peepdf.py file.pdf Example usage: peepdf.py -i file.pdf
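The three PDF tools above share two core operations: counting keywords after normalising hex-escaped names (pdfid), and locating streams and running them through their filter (pdf-parser, peepdf). The added example below, not code from any of those tools, implements both over a constructed PDF whose JavaScript action name is hex-escaped and whose script is deflated; the keyword list, the verdict heuristic and the sample document are assumptions made for the example, and the script body is only a marker string.

```python
"""PDF triage in the style of pdfid and pdf-parser: count structural and
risky keywords after undoing the #xx hex escapes attackers use to hide
names such as /JavaScript, then inflate FlateDecode streams so the code
they carry can be read.

Added example, not code from pdfid, pdf-parser or peepdf.  The sample PDF
is constructed here and its script is only a marker string."""
import re
import zlib

KEYWORDS = ("obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
            "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
            "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA")
RISKY = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/RichMedia", "/XFA")
NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]*")
NAME_END = rb"(?![^\s()<>\[\]{}/%])"      # a name ends at whitespace or a delimiter


def normalize_names(data):
    """Decode #xx escapes inside name objects: /J#61vaScript -> /JavaScript."""
    def decode(match):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return NAME_RE.sub(decode, data)


def count_keywords(data):
    """Occurrences of each keyword as a whole token (endobj is not obj)."""
    data = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        if kw.startswith("/"):
            pattern = re.escape(kw.encode()) + NAME_END
        else:
            pattern = rb"(?<![A-Za-z])" + kw.encode() + rb"(?![A-Za-z])"
        counts[kw] = len(re.findall(pattern, data))
    return counts


def scan_pdf(data):
    """pdfid-style summary with a verdict: any risky keyword, or obj/endobj
    counts that disagree, means the file deserves a closer look."""
    counts = count_keywords(data)
    suspicious = any(counts[k] for k in RISKY) or counts["obj"] != counts["endobj"]
    return {"counts": counts, "suspicious": suspicious}


def _dict_before(data, pos):
    """The << ... >> dictionary that ends just before pos, honouring nesting."""
    end = data.rfind(b">>", 0, pos)
    depth, i = 0, end
    while i >= 0:
        if data.startswith(b">>", i):
            depth += 1
            i -= 2
        elif data.startswith(b"<<", i):
            depth -= 1
            if depth == 0:
                return data[i:end + 2]
            i -= 2
        else:
            i -= 1
    return b""


def inflate_streams(data):
    """Every stream with its dictionary; FlateDecode content is inflated
    (tolerating trailing garbage, as pdf-parser's filter does)."""
    streams = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", data):
        end = data.find(b"endstream", m.end())
        if end == -1:
            break
        dictionary = _dict_before(data, m.start())
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
        if length:                      # a direct /Length beats scanning for endstream
            raw = data[m.end():m.end() + int(length.group(1))]
        else:
            raw = data[m.end():end].rstrip(b"\r\n")
        entry = {"offset": m.start(), "dict": dictionary, "raw": raw, "decoded": None}
        if b"/FlateDecode" in dictionary:
            try:
                entry["decoded"] = zlib.decompressobj().decompress(raw)
            except zlib.error as exc:
                entry["error"] = str(exc)
        streams.append(entry)
    return streams


def build_sample(script=b"app.alert('constructed sample');"):
    """Constructed suspicious PDF: an OpenAction pointing at a JavaScript
    action whose name is hex-escaped and whose code is deflated."""
    body = zlib.compress(script)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(body)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

A plain grep for JavaScript on the constructed sample finds nothing, which is exactly why pdfid normalises names before counting; and the deflated stream is unreadable until the filter is applied, which is why pdf-parser's filter option is the first thing to reach for once pdfid says a file is worth opening.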

RAM Forensics Tools

pdfbook.py
pdfbook.py is a utility that gathers Facebook-related artifacts from a process memory dump. On the Windows system, dump the browser's memory with pd -p [pid] > file.dump, where [pid] is the process ID of the browser; then on a Linux system extract the 16-bit little-endian (UTF-16) strings with strings -el file.dump > fbookstrings. Finally, run pdfbook.py on the resulting fbookstrings file. Example usage: pdfbook.py -f fbookstrings

pdgmail
pdgmail.py is a utility similar to pdfbook.py, but it gathers Gmail artifacts rather than Facebook ones from a process memory dump. On the Windows system, run pd -p [pid] > file.dump, where [pid] is the process ID of the browser; then on a Linux system run strings -el file.dump > gmailstrings. Finally, run pdgmail.py on the resulting gmailstrings file. Example usage: pdgmail.py -f gmailstrings

PTK
PTK is described under Forensic Analysis Tools above; the same setup and case-creation steps apply, and the image added to a case can be a RAM dump.

Volatility
Volatility is a framework written in Python that specializes in RAM analysis. It can analyze volatile memory dumps from Windows, Linux and Mac systems and gives deep insight into the state of the system at the moment the dump was taken: running processes, open network connections, loaded drivers, injected code and more. The framework itself runs on Windows, OS X, Linux and even Cygwin. In the example below we use Volatility to list the processes that were running when the RAM image ram.img was taken. Volatility 2 needs a --profile matching the dumped system's OS version (the imageinfo plugin suggests one), while Volatility 3 detects it automatically and names the plugin windows.pslist. Example usage: volatility -f ram.img --profile=[profile] pslist
