geschonneck.com » Tools

Windows Memory Forensics Tools [update]

Alexander Geschonneck — Tue, 23 Dec 2008 20:32:58 +0000

SANS recently published a good summary of Windows memory forensics acquisition and analysis tools. It’s a good compilation of must have tools for the right occasion.

SANS forensics

[update] new url [/update]

new linux incident response script

Alexander Geschonneck — Sat, 18 Oct 2008 10:53:05 +0000

We updated the ForensiX Linux Incident Response Script. You can find the new version at my german site http://computer-forensik.org/tools/ix/ix-special/.

The Sleuthkit 2.10

Alexander Geschonneck — Thu, 13 Dec 2007 08:37:54 +0000

A new version of The sleuthkit (TSK) is out now. There are some minor bug fixes included. Changelog and download can be found here.

New Forensics Live Response CD published

Alexander Geschonneck — Thu, 21 Jun 2007 12:49:53 +0000

I’m proud to announce, that my team published yesterday a very cool Live Response CD for Linux and Windows in cooperation with the german journal iX. It contains a brand new Linux Live Response script and a build script for your own static binaries. This Live Response Script contains also an extract option, if you like to organize the memory dump for an easy investigation.

More information about the ForensiX CD

Booting EnCase Images

Alexander Geschonneck — Wed, 02 May 2007 17:48:23 +0000

GetData now bundles their forensics tool MountImage Pro v2 with Virtual Forensic Computing (VFC) from MD5 Ltd. You can now mount a forensic image with Windows and create a VMware virtual machine configuration. Hmm, WTF is the difference between VFC and the freely available LiveView? VFC is able to mount and boot EnCase and SMART images.

Link to GetData

Sector Inspector (SecInspect.exe)

Alexander Geschonneck — Mon, 09 Apr 2007 11:52:16 +0000

Microsoft published a tool called Sector Inspector (SecInspect.exe) with the Windows 2003 Server Resource Kit. This is a command-line diagnostics tool that allows administrators to view the contents of master boot records, boot sectors, and IA64 GUID partition tables. Additional features include creating hex dumps of binary files and backup/restore of sector ranges. With this tool you get a bunch of information about a connected (USB/Writeblock) drive. You can use it for documentation purposes during a forensic acquisition.

Download Link

via HogFly

The Sleuthkit 2.08

Alexander Geschonneck — Fri, 06 Apr 2007 11:34:58 +0000

The Sleuthkit (TSK) 2.08 is out now. The new version contains
several minor bug fixes and many internal updates. This version will cleanly compile on Cygwin and hfind is now available on Win32.

Download TSK

DFRWS 2007 File Carving Challenge

Alexander Geschonneck — Tue, 20 Feb 2007 06:44:30 +0000

The new DFRWS File Carving Challenge for the year 2007 has been released. The say: “The goal of this challenge is to design and develop AUTOMATED file carving algorithms that have high true positive and low false positive rates.”

The challenge is organized by Brian Carrier, Eoghan Casey and Wietse Venema. The subimssions due is july 9, 2007.

File Image and Submission Details

The Sleuthkit 2.07

Alexander Geschonneck — Sat, 16 Dec 2006 19:08:41 +0000

Brian Carrierr released version 2.07 of his file system analysis tool The Sleuthkit:

There are a lot of updates and bug fixes. The summarized list is below. The executive summary is that there are new flags for ils to find orphan files and new flags for dls to specify allocation status.There were a lot of internal updates as well. There were a few NTFS bug fixes as well and a sorter fix for Cygwin.

Updates in version 2.07:

Added ‘-p’ flag to ils to find orphan files
Added ‘-a’ and ‘-A’ flags to dls to specify allocation status
Detect and prevent infinite loops in corrupt directories and FAT files.
Updated AFFLIB, libewf, and file
improved FAT dentry detection (check size)
new internal fs_read_file()
Windows visual studio files included with source code
cleaned up error reporting code
added caching to FAT code.
Added a NULL check to fs_inode_free (Michael Cohen)
Improved ifind_path code so that allocated names are given priority (Dave Collett)

Bug Fixes in version 2.07:

NTFS compression bug with corrupt data
sanity check to dcat_lib in case the requested number of blocks was too big.
fs_data lookup bug fixes by Dave Collett.
sorter does not clear path so it can run under Cygwin
Memory leak fixes in FAT and NTFS.

You can download The Sleuthkit here

New Helix version released

Alexander Geschonneck — Thu, 12 Oct 2006 14:09:13 +0000

There is a new Helix (Incident Response & Computer Forensics Live CD based on Knoppix) version released. Version 1.8 has a now Andreas Schuster’s PTFinder included an will no longer change JFS information. You can donwload Helix here.
All new features at a glance:

Linux Side:
- Fixed Helix Mount code for journaled file systems. Helix will NO longer change the journal mount count when you mount a journaled file system.
- Updated md5deep suite to 1.12
- Updated Clamav to 0.88.2
- Updated Sleuthkit to 2.06
- Updated Autopsy to 2.08
- Updated Foremost to 1.3
- Updated Scalpel 1.54 to carve data
- Updated EnCase Linen to 5.05f
- Updated Adepto 2.0 – With AFF support now
- Added endeavour2 file manager
- Added ssdeep 1.0 for fuzy hashing
- Added AFFlib 1.6.31 for image acquisition
- Added NTFS-3G for native NTFS write support
- Added libewf library
- Added ptfinder memory analysis code from Andreas Schuster
- Removed Solaris static binaries from CD
- Replaced evince with xpdf
Windows Side:
- Updated the Helix executable code
- Update code for command shell paths
- Update all Cygwin tools to latest
- Updated all unxutil tools
- Updated Static Binaries (linux)
- Updated MessenPass to v1.08
- Updated Mail PassView to v1.36
- Updated Protected Storage PassView to v1.63
- Updated Network Password Recovery to v1.03
- Updated IECookiesView to v1.70
- Updated IEHistoryView to v1.32
- Updated RegScanner to v1.30
- Updated FTK Imager to 1.5.1
- Updated Forensic Server Project to 1.0
- Updated PsTools Version to 2.34 (Psexec, psinfo, pslist, etc)
- Updated Process Explorer to 10.2
- Added PstPassword v1.00
- Added Access PassView 1.12
- Added PC On/Off Time
- Added Winaudit v2.15
- Added Drive Manager v3.23
- Added ReSysInfo v2.1
- Added Icon to start a NC listener
- Added code to Windows GUI for investigative notes

FSP/FRU File Copy Client released

Alexander Geschonneck — Tue, 03 Oct 2006 13:02:16 +0000

Harlan Carvey just released the FSP/FRU File Copy Client on SourceForge. The FCli is a GUI client that the investigator can use to select files to be copied from the suspect system, over to the FSP server.

Live Evidence Preview with Shadow 2

Alexander Geschonneck — Fri, 29 Sep 2006 17:10:20 +0000

For the German journal iX we tested recently the Shadow 2 box from VOOM Technologies. The VOOM Shadow 2 is a computer hardware device that is designed to aid the investigation of a suspect hard drive. It provides investigators with virtual read write access from the host computer’s perspective, while maintaining the original hard drive unchanged. You can use this for preview a drive prior to imaging in the field. We checked with HPA and DCO – everything worked fine according to our checksums.
Read more on my German computer forensics blog.

Update: No, I have no connection with this vendor.