By full investigation do you mean internal use by HR to take action on employee misconduct, for IT to determine root cause, or for use in court? Does your reporting need to make sense to you, or to others?

Sleuthkit rocks, but you need the NSRL hash sets and/or custom-built hash sets in order to reduce the amount of sifting you need to do. MD5deep is a good way to build your own hash sets if your target pool shares a common build with many unique files not included in the NSRL sets.

How's your budget? In the 'free' category these are all good complements to SK:

NSRL reference library (http://www.nsrl.nist.gov/index.html) to rule out known-good OS files
pasco (Foundstone) for digging through INDEX.DAT files
readpst (http://sourceforge.net/projects/ol2mbox) to convert Outlook/OE to MBOX
foremost (http://foremost.sourceforge.net/) for recovering files from slack space, repartitioned drives, etc.
ntreg (http://razor.bindview.com/tools/index.shtml) for registry analysis on Linux

Foremost needs a bit of tuning to be useful; be prepared to use xxd, od, and/or other binary viewers to look inside different file types so that you can configure foremost with the right header/footer combos to look for. There are websites that provide many of these formats (www.wotsit.org), but you may have to roll your own in some cases.

HTH,
Jeff

-----Original Message-----
From: JJ [mailto:jjhorner@SAFe-mail.net]
Sent: Wednesday, August 20, 2003 3:30 PM
To: forensicsat_private
Subject: Windows forensics with Linux analysis machine

All,

I'm looking for good tools that will allow me to do a full investigation of a Windows image using Linux. I'm looking at Autopsy and Sleuthkit now. Are there any other tools that will allow me to do the full investigation (view registry structures, undelete files, etc.) under Linux?

Thanks,
JJ
---------------------
J. J. Horner
CISSP, CCNA, CHSS, CHP
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
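The two techniques Jeff describes, shrinking the sift pile with a known-good hash set (the md5deep/NSRL idea) and carving with header/footer pairs (what foremost does once its config lists the right magic bytes), shown together in one added example. This is illustrative code written for this archive page, not the original poster's code and not md5deep or foremost themselves. The reference and target directories, their file contents and the "unallocated space" byte blob are constructed here; the JPEG, PNG and ZIP magic numbers are real, but the maximum object lengths are arbitrary assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# --- Part 1: known-file elimination (the md5deep / NSRL idea) ---------------
# A known-good hash set holds the hashes of files you do not need to examine
# (OS and application files from a clean reference build). Anything on the
# target whose hash is in the set is skipped; whatever remains is the sift pile.

def md5_of_file(path):
    """Return the lowercase hex MD5 of a file, read in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_hash_set(reference_dir):
    """Walk a clean reference tree and collect the MD5 of every regular file."""
    known = set()
    for root, _dirs, files in os.walk(reference_dir):
        for name in files:
            p = os.path.join(root, name)
            if os.path.isfile(p) and not os.path.islink(p):
                known.add(md5_of_file(p))
    return known

def unknown_files(target_dir, known):
    """Return sorted relative paths under target_dir whose MD5 is not in known."""
    out = []
    for root, _dirs, files in os.walk(target_dir):
        for name in files:
            p = os.path.join(root, name)
            if os.path.isfile(p) and md5_of_file(p) not in known:
                out.append(os.path.relpath(p, target_dir))
    return sorted(out)

# --- Part 2: header/footer carving (foremost's approach) --------------------
# Each signature: (label, header bytes, footer bytes or None, max length).
# The magic numbers are the real ones; the max lengths are arbitrary choices.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2_000_000),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2_000_000),
    ("zip", b"PK\x03\x04", None, 200_000),  # no reliable footer: cut at max len
]

def carve(data, signatures=SIGNATURES):
    """Scan a raw byte buffer for header/footer pairs.

    Returns a list of (label, start_offset, length) sorted by offset. With a
    footer, the object runs through the end of the footer; without one it is
    cut at the signature's maximum length (or the end of the buffer). A header
    whose footer is not found within the window is skipped, as foremost would.
    """
    hits = []
    for label, header, footer, max_len in signatures:
        pos = data.find(header)
        while pos != -1:
            window_end = min(len(data), pos + max_len)
            if footer is not None:
                end = data.find(footer, pos + len(header), window_end)
                if end == -1:
                    pos = data.find(header, pos + 1)
                    continue
                length = end + len(footer) - pos
            else:
                length = window_end - pos
            hits.append((label, pos, length))
            pos = data.find(header, pos + length)
    return sorted(hits, key=lambda h: h[1])

def demo():
    """Constructed sample: a reference tree, a target tree with one extra file,
    and a fake unallocated-space blob holding a JPEG and a PNG."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, tgt = Path(tmp, "reference"), Path(tmp, "target")
        (ref / "System32").mkdir(parents=True)
        (tgt / "System32").mkdir(parents=True)
        (ref / "System32" / "notepad.exe").write_bytes(b"MZ clean notepad")
        (tgt / "System32" / "notepad.exe").write_bytes(b"MZ clean notepad")  # known
        (tgt / "System32" / "svchost.exe").write_bytes(b"MZ not in reference")  # unknown
        suspects = unknown_files(tgt, build_hash_set(ref))
    blob = (b"\x00" * 32 + b"\xff\xd8\xff\xe0" + b"JFIF junk" + b"\xff\xd9"
            + b"\x00" * 16 + b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xaeB`\x82")
    return suspects, carve(blob)

if __name__ == "__main__":
    suspects, hits = demo()
    print("files not in the known-good set:", suspects)
    for label, offset, length in hits:
        print(f"carved {label} at offset {offset}, {length} bytes")
```

Building the reference set from a clean install of the same build is what makes the elimination step pay off: the fewer files survive it, the less there is to open by hand. On the carving side, this is exactly why Jeff says foremost needs tuning: a signature with a weak footer (ZIP here) produces over-long or fragmented objects, so you look inside real samples with xxd or od and choose header, footer and length per type.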
This archive was generated by hypermail 2b30 : Thu Aug 21 2003 - 14:21:30 PDT