22.4 Bootable Forensics CD-ROMs


This section describes a few bootable CD-ROMs that you may find useful.

22.4.1 Biatchux/FIRE

Forensic and Incident Response Environment (FIRE), previously known as Biatchux (http://biatchux.dmzs.com or http://fire.dmzs.com), is a portable, bootable, CD-based distribution designed to provide an immediate environment in which to perform forensic analysis, incident response, data recovery, virus scanning, and vulnerability assessment. FIRE is also available in a special distribution that provides core tools for live forensic analysis of a running system: simply mount the CD-ROM on the host, whether it runs Win32, Solaris on SPARC, or Linux. Running tools from read-only media in this way avoids trusting the binaries on a possibly compromised host, although the running kernel is still the host's, so a kernel-level rootkit can still lie to them. The following list describes the tools that come in the base Forensics/Data Recovery distribution. Most of the distribution is released under the GNU General Public License (GPL), but be sure to double-check the license on each specific program.

Autopsy v1.01

The Autopsy Forensic Browser is an HTML-based front end to a useful forensics tool known as TCT (The Coroner's Toolkit) and the TCT-Utils package. It lets an investigator browse forensic images and provides a convenient interface for keyword searches across an image.

chkrootkit v0.35

chkrootkit is a tool that checks the local system for signs of a rootkit: trojaned system binaries, known rootkit files and directories, network interfaces in promiscuous mode, and deleted lastlog/wtmp entries. Because it runs on the possibly compromised host, run it from trusted, read-only binaries such as those on this CD, and remember that a kernel-level rootkit can still hide from it.

Cryptcat

Cryptcat is netcat with Twofish encryption added, so that data piped over the network (for example, a disk image sent to a remote collection host) is not exposed in cleartext on the wire. Both ends must be given the same key.

dsniff tools v2.3

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, email, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad hoc PKI.

Ethereal v0.9.2

Ethereal (since renamed Wireshark) is a free network protocol analyzer for Unix and Windows.

foremost v0.61

foremost carves files out of a raw image by scanning for known file headers (and, where defined, footers) without relying on filesystem metadata, so it can recover files whose directory entries have been deleted. The flip side is that it also carves anything that merely looks like a file, so carved output needs validation.
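To show what header/footer carving actually does, here is an added example written for this page; it is not foremost's own code. The JPEG and PNG markers are real, but the "disk image" is constructed in memory by make_sample_image(), and the function names (carve, make_png_1x1, make_sample_image) are this example's own.

```python
# Added example: header/footer file carving in the style of foremost.
# Illustrative code written for this page, not foremost's source. The "disk
# image" is constructed below; only the JPEG/PNG markers are real.
import struct
import zlib

# (type, header, footer). The PNG footer is the IEND chunk: "IEND" + its fixed CRC32.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer this far past a header


def carve(image: bytes, signatures=SIGNATURES):
    """Return [(type, offset, data)] for every header that has a footer after it.

    Carving ignores the filesystem entirely, so it recovers files whose directory
    entries are gone, but it also carves anything that merely looks like a file.
    """
    found = []
    for name, header, footer in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:
                pos = start + 1      # header with no footer (truncated file): skip it
                continue
            end += len(footer)
            found.append((name, start, image[start:end]))
            pos = end                # resume after the carved file
    found.sort(key=lambda hit: hit[1])
    return found


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A valid 1x1 red PNG, built from scratch so the sample is reproducible."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_sample_image() -> bytes:
    """Constructed 'disk image': filler, a JPEG-like file, a PNG, and a dangling
    JPEG header whose footer was overwritten (the truncated-file edge case)."""
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    return (b"\x00" * 512 + fake_jpeg + b"A" * 300 + make_png_1x1()
            + b"\x00" * 200 + truncated)


if __name__ == "__main__":
    for kind, offset, data in carve(make_sample_image()):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

The truncated header at the end of the sample is deliberately left uncarved: without a footer there is no defensible end offset, and a real carver would instead fall back to a maximum size or internal structure parsing, which is where tools like foremost spend most of their complexity.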

hexedit v1.2.1

hexedit is an ncurses-based hex editor.

LDE (Linux Disk Editor) v2.5

LDE allows you to view and edit disk blocks as hex and/or ASCII and to view or navigate directory entries. Most of the functions can be accessed using the program's curses interface or from the command line so that you can automate things with your own scripts.

MAC Daddy

MAC Daddy is a MAC (modification, access, and change) time collector for forensic incident response. The toolset is a modified version of two programs from TCT, tree.pl and mactime.

MAC-robber v1.0

MAC-robber is a forensics and incident response program that collects modification, access, and change (MAC) times from files. Its output can be fed to the mactime tool in TCT to build a timeline of file activity. MAC-robber is equivalent to running TCT's grave-robber with the -m flag, except that it is written in C rather than Perl, so it does not depend on a Perl interpreter on the suspect host. Note that walking the tree updates the access times of the directories it reads unless the filesystem is mounted read-only (or noatime), so run it against a read-only mount or an image whenever possible.
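The collect-then-timeline split that both MAC Daddy and MAC-robber rely on, as an added example written for this page (it is not TCT's or mac-robber's code, and the output layout is a simplified mactime-style listing, not TCT's exact body format). The sample tree is constructed in a temporary directory with back-dated mtime/atime; the function names collect_mac, build_timeline, render and make_sample_tree are this example's own.

```python
# Added example: collect MAC times the way mac-robber does and turn them into a
# mactime-style timeline. Illustrative code written for this page, not TCT's or
# mac-robber's source; the sample tree is constructed in a temp dir.
import os
import tempfile
import time


def collect_mac(root: str):
    """Walk root with lstat only: no file is opened and no symlink followed, so
    collection itself does not touch any file's access time (directory atimes
    still change unless the mount is read-only or noatime). Returns
    (path, size, mtime, atime, ctime) tuples, the fields mactime needs."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            records.append((path, st.st_size,
                            int(st.st_mtime), int(st.st_atime), int(st.st_ctime)))
    return records


def build_timeline(records):
    """One row per (timestamp, path) with a 'mac' flag string, sorted by time:
    'm..' means only mtime has that value, 'ma.' mtime and atime, and so on."""
    rows = {}
    for path, size, mtime, atime, ctime in records:
        for letter, t in (("m", mtime), ("a", atime), ("c", ctime)):
            rows.setdefault((t, path), [size, set()])[1].add(letter)
    timeline = []
    for (t, path), (size, letters) in rows.items():
        flags = "".join(l if l in letters else "." for l in "mac")
        timeline.append((t, flags, size, path))
    timeline.sort()
    return timeline


def render(timeline) -> str:
    """Simplified mactime-like text listing (UTC)."""
    return "\n".join(
        f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(t))} {flags} {size:>8} {path}"
        for t, flags, size, path in timeline)


def make_sample_tree() -> str:
    """Constructed evidence: two files with back-dated mtime/atime. ctime cannot
    be set from user space, so it stays at 'now', which is exactly what betrays
    a timestomped file: m and a look old while c is recent."""
    root = tempfile.mkdtemp(prefix="mac-demo-")
    notes = os.path.join(root, "notes.txt")
    evil = os.path.join(root, "evil.sh")
    with open(notes, "wb") as f:
        f.write(b"hello\n")
    with open(evil, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.utime(notes, (1_000_000_000, 1_000_000_000))   # (atime, mtime)
    os.utime(evil, (1_000_000_700, 1_000_000_600))
    return root


if __name__ == "__main__":
    print(render(build_timeline(collect_mac(make_sample_tree()))))
```

In the rendered timeline, evil.sh shows "m.." at 2001-09-09 01:56:40 and ".a." 100 seconds later, but its "..c" row carries today's date: the change time survived the back-dating, which is the same discrepancy an investigator looks for in a mactime listing of a compromised host.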

ngrep v1.40

ngrep is a powerful network sniffing tool that strives to provide most of GNU grep's common features, applying them to all network traffic.

Perl 5.6.1

Perl is compiled with large-file support (files larger than 2 GB, which matters when scripting over disk images) and ships with a number of useful Perl modules.

Windows 9x Password List reader

The Windows 9x Password List reader lets you read, under Unix, the passwords stored in a Windows 9x .pwl database. If the main password is unknown, it can attempt to recover it in brute-force mode.

Snort v1.8.2

Snort is the best-known open source network IDS; it can also be run as a plain packet sniffer and logger.

ssldump v0.9a1

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them on stdout in textual form. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic. In practice that means the server's RSA private key, and it only helps for sessions that used RSA key exchange; sessions negotiated with ephemeral Diffie-Hellman cannot be recovered from the server key alone.
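The first thing ssldump has to do with a stream, deciding whether it is SSLv3/TLS at all and splitting it into records, is shown below as an added example written for this page; it is not ssldump's source. The ClientHello bytes are constructed by build_client_hello() rather than captured from a network, and looks_like_tls, parse_records and parse_client_hello are this example's own names.

```python
# Added example: decide whether a TCP stream is SSLv3/TLS, split it into records,
# and decode a ClientHello header. Illustrative code written for this page, not
# ssldump's source; the ClientHello is constructed by build_client_hello().
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}
MAX_RECORD = 2**14 + 2048   # TLS plaintext limit plus allowed ciphertext expansion


def looks_like_tls(head: bytes) -> bool:
    """Cheap test on the first bytes of a connection: a known content type, a 3.x
    protocol version and a sane length. HTTP requests, SSH banners etc. fail it."""
    if len(head) < 5:
        return False
    ctype, version, length = struct.unpack(">BHH", head[:5])
    return ctype in CONTENT_TYPES and (version >> 8) == 3 and length <= MAX_RECORD


def parse_records(stream: bytes):
    """Split a byte stream into complete records. Returns (records, leftover);
    leftover is a partial record to re-feed once the next TCP segment arrives."""
    records, off = [], 0
    while off + 5 <= len(stream):
        if not looks_like_tls(stream[off:off + 5]):
            raise ValueError(f"not an SSLv3/TLS record at offset {off}")
        ctype, version, length = struct.unpack(">BHH", stream[off:off + 5])
        if off + 5 + length > len(stream):
            break                                   # incomplete record: wait for more
        body = stream[off + 5:off + 5 + length]
        records.append((CONTENT_TYPES[ctype], VERSIONS.get(version, hex(version)), body))
        off += 5 + length
    return records, stream[off:]


def parse_client_hello(payload: bytes) -> dict:
    """Decode a handshake record carrying a ClientHello: handshake header (type,
    24-bit length), then version, 32-byte random, session ID, cipher suites."""
    htype, hlen = payload[0], int.from_bytes(payload[1:4], "big")
    if htype != 1 or len(payload) < 4 + hlen:
        raise ValueError("not a complete ClientHello")
    body = payload[4:4 + hlen]
    version = struct.unpack(">H", body[:2])[0]
    p = 2 + 32                                      # skip client_random
    p += 1 + body[p]                                # skip session_id
    cs_len = struct.unpack(">H", body[p:p + 2])[0]
    p += 2
    suites = [struct.unpack(">H", body[p + i:p + i + 2])[0] for i in range(0, cs_len, 2)]
    return {"type": HANDSHAKE_TYPES[htype],
            "version": VERSIONS.get(version, hex(version)),
            "cipher_suites": suites}


def build_client_hello(suites, version=0x0303) -> bytes:
    """Constructed sample: a minimal ClientHello (empty session ID, null compression
    only) inside a record whose header says TLS 1.0, as real clients send it."""
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"
            + struct.pack(">H", 2 * len(suites))
            + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    records, rest = parse_records(build_client_hello([0xC02F, 0xC030]))
    for ctype, version, body in records:
        print(ctype, version, parse_client_hello(body) if ctype == "handshake" else len(body))
```

Note the two versions: the record header carries TLS 1.0 while the ClientHello body advertises TLS 1.2. That is normal client behaviour, and a decoder that trusts the record header alone will misreport the negotiated protocol.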

StegDetect v0.5

StegDetect is an automated tool for detecting steganographic content in images. It can detect several methods of embedding hidden information in JPEG files; currently the detectable schemes are jsteg, jphide (Unix and Windows), Invisible Secrets, and OutGuess 0.13b.

tcpdump v3.6

tcpdump dumps the traffic on a network. It prints the headers of packets on a network interface that match a given filter expression, and can write full packets to a capture file for later analysis with Ethereal or Snort. You can use it to track down network problems, detect ping floods, or monitor network activity.

tcpreplay v1.0.1

tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. tcpreplay allows you to control the speed at which the traffic is replayed and can replay arbitrary tcpdump traces. Unlike programmatically generated artificial traffic, which doesn't exercise the application/protocol inspection that a NIDS performs and doesn't reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.

TCT v1.09

TCT is a collection of programs by Dan Farmer and Wietse Venema for postmortem analysis of a Unix system after a break-in.

TCT-Utils v1.01

TCT-Utils is a collection of utilities that adds functionality to The Coroner's Toolkit.

TightVNC

TightVNC is an implementation of VNC (Virtual Network Computing), a client/server package that gives remote access to a graphical desktop over the network. It is used in Biatchux to export remote consoles.

wipe v2.0

wipe is a secure file-wiping utility that overwrites a file's contents before unlinking it. Overwriting is only effective where the filesystem and medium really rewrite the same blocks in place; journaling, copy-on-write, or flash-based storage may leave copies behind.

22.4.2 ForensiX

ForensiX is a bootable CD-ROM distributed by security researcher Fred Cohen. Based on his public White Glove Linux distribution, ForensiX is currently available to law enforcement only. Features of ForensiX include the following:

  • Provides a comprehensive Digital Forensic Analysis Package

  • Images and analyzes Mac, DOS, Windows, Unix, and other disks and files

  • Images and analyzes PCMCIA cards, IDE, SCSI, parallel, serial, etc.

  • Images and analyzes IP traffic and other data sources

  • Searches for known site names and common drug terms

  • Searches rapidly for known digital fingerprints

  • Provides assured integrity of its data sets

  • Automatically produces chain-of-evidence information

  • Original evidence is "never touched" once collected

  • Replay of analysis with automatic analysis integrity verification

  • "Just Doesn't Look Right" interface identifies files by content to find attempts to conceal evidence

ForensiX capabilities include the following:

  • Images to disks, tapes, files, and CDs

  • Provides large-volume information storage and analysis

  • Examines deleted files, unused blocks, swap space, "bad" blocks, and "unused" portions of blocks and filesystems

  • Views graphics files from disks at the rate of one every second

  • Provides programmable and customizable analysis capabilities

  • Many preprogrammed search and analysis scripts

  • Plug-ins for special-purpose analysis and search lists

  • Web-based user manual and audio training built in

  • On-line help and easy-to-use graphical interface


Security Warrior
ISBN: 0596005458
Year: 2004
Pages: 211