Link to the project with sample video

This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits.

via

More information about the ForensiX CD

Link to GetData

The programmer writes:

PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

PEiD is special in some aspects when compared to other identifiers already out there!

1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best given by any other identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag’n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers
11. New built in quick disassembler.
12. New built in hex viewer.
13. External signature interface which can be updated by the user.

Linux Side:
- Fixed Helix Mount code for journaled file systems. Helix will NO longer change the journal mount count when you mount a journaled file system.
- Updated md5deep suite to 1.12
- Updated Clamav to 0.88.2
- Updated Sleuthkit to 2.06
- Updated Autopsy to 2.08
- Updated Foremost to 1.3
- Updated Scalpel 1.54 to carve data
- Updated EnCase Linen to 5.05f
- Updated Adepto 2.0 – With AFF support now
- Added endeavour2 file manager
- Added ssdeep 1.0 for fuzy hashing
- Added AFFlib 1.6.31 for image acquisition
- Added NTFS-3G for native NTFS write support
- Added libewf library
- Added ptfinder memory analysis code from Andreas Schuster
- Removed Solaris static binaries from CD
- Replaced evince with xpdf
Windows Side:
- Updated the Helix executable code
- Update code for command shell paths
- Update all Cygwin tools to latest
- Updated all unxutil tools
- Updated Static Binaries (linux)
- Updated MessenPass to v1.08
- Updated Mail PassView to v1.36
- Updated Protected Storage PassView to v1.63
- Updated Network Password Recovery to v1.03
- Updated IECookiesView to v1.70
- Updated IEHistoryView to v1.32
- Updated RegScanner to v1.30
- Updated FTK Imager to 1.5.1
- Updated Forensic Server Project to 1.0
- Updated PsTools Version to 2.34 (Psexec, psinfo, pslist, etc)
- Updated Process Explorer to 10.2
- Added PstPassword v1.00
- Added Access PassView 1.12
- Added PC On/Off Time
- Added Winaudit v2.15
- Added Drive Manager v3.23
- Added ReSysInfo v2.1
- Added Icon to start a NC listener
- Added code to Windows GUI for investigative notes

More information about Live View here.

“Memory dumping tools that use the PhysicalMemory device in Windows XP can be blocked by allocating memory buffers with special memory types. In older versions of Windows the tools instead could possibly cause cache incoherence with some processor types, or other adverse side effects. The problem can also occur on a system that has not been manipulated at all by any attacker.”