http://www.opensourceforensics.org/tools/unix.html

For investigations where Windows is the target, you'll specifically want the following programs:

Title: Kregedit
Author: Jelmer Vernooij
Description: kregedit is a KDE utility for viewing native Windows registry files. It is similar to the regedt32 utility that can be found on most Windows platforms. Only the NT registry format (NT4/2000/XP) is supported.
Website: http://samba.org/~jelmer/kregedit/
Source: http://samba.org/~jelmer/kregedit/

Title: Galleta
Author: Keith Jones
Description: Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/galleta.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152412

Title: LibPST
Author: Dave Smith
Description: LibPST provides functions in library form for accessing Outlook's Personal Folders. Included with this library is a program that will take a PST file and convert it to an mbox format.
Website: http://sourceforge.net/projects/ol2mbox
Source: http://sourceforge.net/project/showfiles.php?group_id=18756&release_id=117314

Title: ntreg
Author: Todd Sabin
Description: ntreg is a file system driver for Linux, which understands the NT registry file format. With it, you can take registry files from NT, e.g., SAM, SECURITY, etc., and mount them on Linux. Currently, it's read-only, though I may add read-write capability in the future.
Website: http://razor.bindview.com/tools/desc/ntreg_readme.html
Source: http://razor.bindview.com/tools/index.shtml

Title: Pasco
Author: Keith Jones
Description: Pasco, the Latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/pasco.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152387

Title: Rifiuti
Author: Keith Jones
Description: Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/rifiuti.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152410

Title: foremost
Author: Jesse Kornblum
Description: Foremost is a Linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
Website: http://foremost.sourceforge.net
Source: http://foremost.sourceforge.net

Title: fatback
Author: Nicholas Harbour
Description: Fatback is a tool for undeleting files from FAT file systems.
Website: http://sourceforge.net/projects/biatchux
Source: http://sourceforge.net/project/showfiles.php?group_id=46038&release_id=84491

Additionally, if you have a little bit of money to spend, I highly recommend ASRData's SMART for any Linux-based forensics, no matter what the target system is.
http://www.asrdata.com/SMART/

HTH

Cory Altheide
Computer Forensics Specialist
NNSA Cyber Forensics Center
altheidecat_private

> -----Original Message-----
> From: JJ [mailto:jjhorner@SAFe-mail.net]
> Sent: Wednesday, August 20, 2003 12:30 PM
> To: forensicsat_private
> Subject: Windows forensics with Linux analysis machine
>
>
> All,
>
> I'm looking for good tools that will allow me to do a full
> investigation of a Windows image using Linux. I'm looking at
> Autopsy and Sleuthkit now. Are there any other tools that
> will allow me to do the full investigation (view registry
> structures, undelete files, etc.) under Linux?
>
> Thanks,
> JJ
>
> ---------------------
> J. J. Horner
> CISSP,CCNA,CHSS,CHP
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer
> service. For more information on this free incident handling,
> management
> and tracking system please see: http://aris.securityfocus.com
>
> -----------------------------------------------------------------
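The foremost entry above describes recovery "based on their headers and footers" driven by a configuration file. The following is an added example, not foremost's code or anything from the thread: a minimal Python carver that applies the same technique to a raw image, with a constructed signature table standing in for a foremost configuration and a constructed sample image (a complete JPEG, a complete GIF, and a PDF whose footer is missing, so that the size cap and end-of-image handling are exercised). Signature byte values and size limits are assumptions chosen for the demonstration.

```python
"""Header/footer file carver in the style described for foremost (added example,
not foremost's own code). Scans a raw image for known headers and copies bytes up
to and including the matching footer, or up to a size cap when no footer follows."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    header: bytes
    footer: Optional[bytes]  # None means: carve a fixed-size block after the header
    max_size: int            # upper bound on a carved object, footer or not


# Constructed signature table, analogous to lines in a foremost configuration file.
SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    Signature("gif", b"GIF8", b"\x00\x3b", 1024 * 1024),
    Signature("pdf", b"%PDF-", b"%%EOF", 4 * 1024 * 1024),
]


def carve(image: bytes, signatures=SIGNATURES) -> List[Tuple[str, int, bytes]]:
    """Return (type name, byte offset, carved bytes) for every object found.

    Objects are carved by header, then cut at the first footer within max_size.
    When no footer is found the object is cut at max_size or at end of image,
    which is why a carved file can be truncated rather than missing."""
    found = []
    for sig in signatures:
        pos = 0
        while True:
            start = image.find(sig.header, pos)
            if start < 0:
                break
            limit = min(len(image), start + sig.max_size)
            end = limit
            if sig.footer is not None:
                foot = image.find(sig.footer, start + len(sig.header), limit)
                if foot >= 0:
                    end = foot + len(sig.footer)
            found.append((sig.name, start, image[start:end]))
            # Resume after the carved object. A header embedded inside another
            # file of the same type (e.g. a thumbnail) is therefore not carved
            # separately; scanning from start + len(header) instead would be the
            # alternative policy and would also surface nested objects.
            pos = end
    found.sort(key=lambda item: item[1])
    return found


def build_sample_image() -> bytes:
    """Constructed image: filler, a JPEG, a GIF, then a PDF with no %%EOF."""
    jpg = b"\xff\xd8\xff\xe0" + b"A" * 10 + b"\xff\xd9"   # 16 bytes, complete
    gif = b"GIF89a" + b"B" * 5 + b"\x00\x3b"              # 13 bytes, complete
    pdf = b"%PDF-1.4" + b"C" * 20                          # 28 bytes, footer missing
    return b"\x00" * 16 + jpg + b"\x00" * 8 + gif + b"\x00" * 4 + pdf


def summarize(image: bytes) -> List[Tuple[str, int, int, bool]]:
    """(type, offset, length, footer_present) for each carved object."""
    out = []
    for name, offset, data in carve(image):
        sig = next(s for s in SIGNATURES if s.name == name)
        complete = sig.footer is not None and data.endswith(sig.footer)
        out.append((name, offset, len(data), complete))
    return out


if __name__ == "__main__":
    for name, offset, length, complete in summarize(build_sample_image()):
        state = "complete" if complete else "truncated (no footer within limit)"
        print(f"{name:4s} at offset {offset:6d}, {length:5d} bytes, {state}")
```

The footer check in `summarize` is the practical caveat with this class of tool: a carved object that lacks its footer was cut by the size cap or the end of the image and should be treated as a fragment, not as an intact file.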
This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 17:57:45 PDT