www.jessland.net
Sponsored by:
www.one-esecurity.com
Linux Forensics Tools
Content Leader:
Jess Garcia
- Last Updated: November 28, 2006
Sources:
http://www.lnx4n6.be/index.php?sec=Documentation&page=bootcdcontent
Forensic acquisition
dd:
the standard Unix tool for bit-for-bit copies; a plain dd aborts at the first unreadable sector unless run with conv=noerror,sync
dd_rescue:
a dd variant for damaged media: it keeps going on read errors, dropping to a small block size around the bad areas, and can copy backwards from the end of the device
dd_rhelp:
a wrapper script that drives dd_rescue so that the readable areas are copied first and the bad ones are retried afterwards
dcfldd:
an enhanced dd from the US DoD Computer Forensics Lab: hashes the data while it is copied (MD5, SHA-1, SHA-256 and others), reports progress and can split the image into chunks
AFFLIB:
library and tools for the Advanced Forensic Format (AFF), a compressed image format that keeps case metadata together with the data (afconvert turns a raw image into AFF)
sdd:
Schily's dd replacement, specialised in reading and writing tapes
AIR:
Automated Image and Restore, a GTK front end for dd and dcfldd
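The acquisition tools above differ mainly in how they treat unreadable sectors and whether they hash the image while writing it. The Python script below is an added illustration, not code from any of the tools listed: it images a constructed device with two simulated bad sectors using the behaviour of dd's conv=noerror,sync (a read error does not abort the copy; the unreadable sector is zero-filled so that every offset in the image still matches the source) and computes MD5 and SHA-256 of the image on the fly, as dcfldd does. The FlakyDevice class, the 16-sector layout and the block sizes are assumptions made for the example.

```python
import hashlib
import io


class FlakyDevice:
    """Constructed stand-in for a block device with unreadable sectors.

    A read that touches any sector listed in bad_sectors raises OSError,
    the way a disk with medium errors fails; all other reads succeed.
    """

    def __init__(self, data, sector_size, bad_sectors):
        self.data = data
        self.sector_size = sector_size
        self.bad_sectors = set(bad_sectors)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, size):
        first = self.pos // self.sector_size
        last = (self.pos + size - 1) // self.sector_size
        if any(s in self.bad_sectors for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + size]
        self.pos += len(chunk)
        return chunk


def acquire(src, dst, size, block_size, sector_size=512):
    """Image src into dst with dd's conv=noerror,sync behaviour.

    Large blocks are read for speed; when one fails, the block is re-read
    sector by sector so that only the sectors that are really unreadable
    are replaced with zeros. Offsets in the image therefore stay identical
    to the source, and the image is hashed as it is written, as dcfldd does.
    Returns the byte count, the list of zero-filled sectors and the hashes.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while offset < size:
        want = min(block_size, size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError:
            parts = []
            for sec_off in range(offset, offset + want, sector_size):
                n = min(sector_size, offset + want - sec_off)
                src.seek(sec_off)
                try:
                    parts.append(src.read(n))
                except OSError:
                    bad_sectors.append(sec_off // sector_size)
                    parts.append(b"\x00" * n)  # sync: zero-fill, keep offsets
            chunk = b"".join(parts)
        if not chunk:
            break  # unexpected end of device
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        offset += len(chunk)
    return {"bytes": offset, "bad_sectors": bad_sectors,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def demo():
    """Image a constructed 16-sector disk whose sectors 5 and 11 are bad."""
    sector = 512
    disk = b"".join(bytes([i]) * sector for i in range(16))  # sector i = byte i
    src = FlakyDevice(disk, sector, bad_sectors=[5, 11])
    image = io.BytesIO()
    log = acquire(src, image, len(disk), block_size=4 * sector, sector_size=sector)
    # What the image must look like: the source with the two bad sectors zeroed.
    expected = bytearray(disk)
    for s in (5, 11):
        expected[s * sector:(s + 1) * sector] = b"\x00" * sector
    matches = (image.getvalue() == bytes(expected)
               and log["sha256"] == hashlib.sha256(bytes(expected)).hexdigest())
    return log, matches


if __name__ == "__main__":
    result, ok = demo()
    print("bad sectors:", result["bad_sectors"], "sha256:", result["sha256"], "ok:", ok)
```

Record the image hashes next to the bad-sector list: a hash taken later from the source device will not match an image with zero-filled sectors, and the list is what explains the difference. The example handles read errors only; protecting the evidence from writes (read-only mount, write blocker) is a separate matter.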
Forensic analysis
Sleuthkit/Autopsy:
The Sleuth Kit command-line file system analysis tools plus Autopsy, their browser-based front end: list and recover deleted files, build timelines, and much more
Galleta:
parses MS Windows Internet Explorer cookie files
Pasco:
parses MS Windows Internet Explorer index.dat cache and history files
Rifiuti:
parses the INFO2 file of the MS Windows Recycle Bin
mork.pl:
perl script to read the Mork-format history.dat of Mozilla/Firefox
cookie_cruncher.pl:
a perl script to parse browser cookie files
dumpster_dive.pl:
a perl script to read MS Windows Recycle Bin (INFO2) files
browser-history-viewer:
displays the history files of web browsers
Document Metadata Analysis
extract:
command-line front end to libextractor; displays metadata from files of arbitrary type
PDF
pdftk:
the PDF toolkit: merges, splits, decrypts and dumps the document information of PDF files
pdfinfo:
part of the xpdf tools (also shipped with poppler-utils); prints the document information (producer, creation and modification dates, page count, encryption), more than pdftk reports
Undelete
Sleuthkit/Autopsy:
The Sleuth Kit command-line file system analysis tools plus Autopsy, their browser-based front end: list and recover deleted files, build timelines, and much more
testdisk:
recovers lost or damaged partitions and can undelete files on several file systems (WIP version)
gpart:
guesses the partition table of a disk whose partition table is lost or damaged
NTFS Tools:
the ntfsprogs utilities (ntfsundelete and friends) to find and recover deleted files on NTFS partitions
Scrounge-NTFS:
rescues files from damaged NTFS partitions
recoverjpeg:
carves JPEG images out of a raw disk or image, independently of the file system
fatback:
undeletes files on FAT file systems
foremost:
file carver: recovers files from a raw disk image by their headers and footers, without relying on file system metadata
magicrescue:
a file carver driven by "recipes" that describe the magic bytes of a file type and how to extract it
e2undel:
recovers deleted files on ext2 file systems
recover:
another ext2 undelete tool, like e2undel
e2retrieve:
a tool to recover deleted files on ext2 file systems
myrescue:
copies the readable data off damaged hard disk drives
recoverdm:
another tool to recover data from damaged hard disk drives
scalpel:
a file carver in the foremost/magicrescue family, started as a faster rewrite of foremost
gzrecover:
recovers what it can from damaged gzip files
safecopy:
copies data from damaged devices, retrying bad areas and skipping what cannot be read
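foremost, scalpel, magicrescue and recoverjpeg all work on the same principle: scan the raw image for known headers, then cut to the matching footer or to a maximum size. The Python carver below is an added example, not code from any of those tools; the recipe table, the constructed image and the output naming (offset.type, in foremost's style) are assumptions made for the example.

```python
import os

# Signature recipes in the spirit of a foremost/scalpel configuration:
# header bytes, footer bytes (None if the type has none) and the maximum
# size to carve when no footer is found.  Values are assumptions for the
# example, not copied from either tool's configuration file.
RECIPES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 8 * 1024 * 1024),
}


def carve(data, recipes=RECIPES):
    """Header/footer carving over a raw image (bytes).

    For every header occurrence the file is cut from the header up to and
    including the first footer inside the size window.  When no footer is
    found the cut stops at the maximum size (or the end of the image) and
    the hit is flagged as truncated, which is how foremost behaves; such
    hits are often damaged files or false positives and deserve a look.
    Known limitation shared with simple carvers: a JPEG that embeds a
    thumbnail JPEG is cut at the thumbnail's footer.
    """
    found = []
    for kind, (header, footer, max_size) in recipes.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            window_end = min(len(data), start + max_size)
            end = -1
            if footer is not None:
                hit = data.find(footer, start + len(header), window_end)
                if hit >= 0:
                    end = hit + len(footer)
            truncated = end < 0
            if truncated:
                end = window_end
            found.append({"type": kind, "offset": start, "size": end - start,
                          "truncated": truncated, "data": data[start:end]})
            # Resume after a complete file; after a truncated hit resume just
            # past the header so real files inside the window are not lost.
            pos = end if not truncated else start + len(header)
    found.sort(key=lambda f: f["offset"])
    return found


def write_carved(found, outdir):
    """Write each hit as <offset>.<type> (foremost's naming style); return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for f in found:
        path = os.path.join(outdir, "%08d.%s" % (f["offset"], f["type"]))
        with open(path, "wb") as fh:
            fh.write(f["data"])
        paths.append(path)
    return paths


def demo_image():
    """Constructed raw image: zero filler around a JPEG, a PNG and a PDF,
    plus a JPEG header at the very end with no footer (damaged or spurious)."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body" * 10 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"
    fill = b"\x00" * 300
    return fill + jpg + fill + png + fill + pdf + fill + b"\xff\xd8\xff\xe1" + b"\x11" * 50


if __name__ == "__main__":
    for f in carve(demo_image()):
        print("%s at %d, %d bytes%s" % (f["type"], f["offset"], f["size"],
                                        " (truncated)" if f["truncated"] else ""))
```

Run it against a real image by reading the file into memory (or a mmap) and passing the bytes to carve(); the truncated flag is the first thing to check before trusting a carved file.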
Hardware utils
discover:
a hardware detection tool
lshw:
a very useful tool to list the hardware of the machine in detail
scsitools:
some useful SCSI tools
scsiadd:
a script to add or remove devices on the SCSI chain (rescan)
blktool:
a tool to display or change block device settings
Disk/partition utils
setmax:
a tool to change Host Protected Area (HPA) settings so that sectors hidden at the end of a disk can be imaged (no support for large disks)
testdisk:
recovers lost or damaged partitions and can undelete files on several file systems (WIP version)
disktype:
identifies the content of a disk or image (partition tables, file systems, boot code) and lists the partitions
ms-sys:
a tool to write MS-compatible boot sectors and MBRs (the equivalent of fdisk /mbr)
safecopy:
copies data from damaged devices, retrying bad areas and skipping what cannot be read
Archive tools
zoo:
support for the zoo archive format
p7zip:
the 7-Zip compression tools
orange:
extracts CAB files from self-extracting installers and similar executables
spantape:
a tool to span data across multiple tapes
unshield:
extracts the CAB archives of InstallShield self-extracting installers
unrar:
a tool to uncompress rar files
unace:
a tool to uncompress ace files
gzrecover:
recovers what it can from damaged gzip files
Pictures tools
FBI:
fbi, the framebuffer image viewer: view images on the console without X
exiftags:
a tool to extract EXIF information from JPEG files
exif:
a command-line EXIF reader and editor built on libexif
metacam:
extracts EXIF metadata from digital camera images, including vendor-specific tags
jhead:
displays and edits the EXIF headers of JPEG files (dates, thumbnails, comments)
dcraw:
a tool to read raw photo images from digital cameras
jpeginfo:
prints information about JPEG files and can check them for corruption
recoverPhotos:
another tool to recover deleted photos
exifprobe:
another EXIF extractor
Video tools
MPlayer:
plays video on the console (framebuffer) as well as under X
Password cracker
cmospwd:
a tool to recover BIOS/CMOS setup passwords
pwl:
a tool to crack Windows 9x .pwl password files
John the ripper:
a password cracker for Unix crypt hashes and Windows NT/2000/XP (LM/NTLM) hashes, among other formats
lcrack:
Lepton's Crack, a generic password cracker
chntpw:
resets or blanks NT/2000/XP user passwords directly in the SAM hive (and can edit the registry); it does not crack them
crack:
Alec Muffett's Crack, a Unix password cracker
samdump:
a tool to extract password hashes from the SAM hive of MS Windows (needs the bootkey from bkhive on Syskey-protected systems)
bkhive:
a tool to extract the Syskey bootkey from the MS Windows SYSTEM hive
pgpcrack:
a PGP passphrase brute forcer
nasty:
a tool that tries to recover PGP or GPG passphrases
fcrackzip:
a ZIP file password cracker (brute force and dictionary)
medussa:
a distributed password cracker
Crypto/Stegano tools
cryptcat:
an encrypted version of netcat (Twofish)
outguess:
a steganography tool that hides data in JPEG and other image files
stegdetect:
a tool to detect steganographic content in JPEG images (jsteg, jphide, outguess and others)
bcrypt:
a file encryption utility using Blowfish (not related to the bcrypt password hash)
ccrypt:
a file encryption/decryption tool based on Rijndael (AES)
Anti-virus
clamav:
command-line antivirus
rkhunter:
a rootkit hunter: scans for known rootkits, backdoors and suspicious system changes
MS files tools
Galleta:
parses MS Windows Internet Explorer cookie files
Pasco:
parses MS Windows Internet Explorer index.dat cache and history files
Rifiuti:
parses the INFO2 file of the MS Windows Recycle Bin
readpst:
a tool to read MS Outlook .pst files and convert them to mbox
antiword:
a tool to read MS Word files (converts them to plain text or PostScript)
mdbtools:
reads MS Access .mdb databases (lists tables, dumps data as CSV or SQL)
ripole:
a tool to rip attachments out of MS OLE files
tnef:
a tool to decode MS-TNEF (winmail.dat) attachments
fccu-docprop:
a tool to read the properties of MS OLE files (mainly doc, xls)
fccu.evtreader:
a tool to parse MS Windows .evt log files
reglookup:
a command-line MS Windows registry hive viewer
grokevt:
an MS Windows event log reader that imports the message templates from the DLLs the log refers to
eindeutig:
reads and converts Outlook Express .dbx mailboxes
clit:
converts MS Reader .lit e-books
cookie_cruncher.pl:
a perl script to parse browser cookie files
dumpster_dive.pl:
a perl script to read MS Windows Recycle Bin (INFO2) files
mscompress:
decompresses files compressed with Microsoft's compress.exe (SZDD format)
Network
RIP and PXE boot:
A complete system for large network keyword search
sbd:
a netcat-like utility with encryption support
smbc:
samba commander, a text-mode SMB share browser
p0f:
A passive OS fingerprinting tool
arping:
pings hosts with ARP requests (works even where ICMP is filtered)
ngrep:
grep for network packets
netwox:
a toolbox with more than 200 network tools
sshfs:
a filesystem client based on ssh
lft:
layer four traceroute
socat:
a multipurpose relay: a netcat-like tool with many more address types
netdiscover:
discovers hosts on the local network with ARP (active or passive)
mimms:
download mms streams
weplab:
a WEP security analyzer and key cracker
netsed:
network stream altering tool
Network scanner
knocker:
a TCP port scanner
nikto:
web server security scanner
nbtscan:
scans for NetBIOS/SMB hosts and lists their name tables
Network capture
tcpick:
a text-mode sniffer that tracks and reassembles TCP streams
tcptrack:
displays the active TCP connections and their bandwidth, top-style
tcpflow:
captures TCP connections and writes the data of each direction to its own file
tcpreplay:
a tool to replay captured traffic (pcap files) onto the network
tcpextract:
a tool to extract files from network traffic based on file headers
netdude:
a GUI to inspect and edit pcap capture files
dsniff:
a suite of sniffing tools (dsniff, arpspoof, urlsnarf, mailsnarf and others) that pull passwords and content out of traffic
hunt:
a packet sniffer and TCP session hijacking tool
sniffit:
a packet sniffer with an interactive curses mode
ettercap:
a sniffer/interceptor for man-in-the-middle attacks on a LAN (ARP poisoning)
driftnet:
sniff images (jpegs ...) on the network
karpski:
an Ethernet sniffer and scanner with a GTK front end
nast:
a packet sniffer and LAN analyzer
scapy:
interactive packet crafting, sending, sniffing and dissection in Python
hydra:
a network services password guessing tool
chatsniff:
an instant messenger sniffer
msn-capture:
a tool to capture msn traffic from the network
imsniff:
an instant messaging sniffer
darkstat:
captures traffic and serves per-host and per-port usage statistics through a built-in web interface
netwox:
a toolbox with more than 200 network tools
prismstumbler:
a wireless sniffer
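tcpflow and tcpick reconstruct the payload of each TCP direction from the individual packets in a capture. The Python example below is added here and is not code from any tool on the page: it builds a few constructed Ethernet/IPv4/TCP frames (checksums left at zero) for one HTTP exchange and reassembles each direction, dropping a retransmission, trimming an overlapping segment and marking the gap where one server segment was never captured. The frame builder, the addresses and the gap marker format are assumptions made for the example.

```python
import socket
import struct
from collections import defaultdict


def build_segment(src, sport, dst, dport, seq, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame for the example.  IP and TCP
    checksums are left at zero; the reassembler does not verify them, a
    real capture tool would.  src/dst are 4-byte packed IPv4 addresses."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # dummy MACs, EtherType IPv4


def parse_frame(frame):
    """Return ((src, sport, dst, dport), seq, flags, payload), or None if not TCP/IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:  # IP protocol number of TCP
        return None
    src, dst = frame[26:30], frame[30:34]
    segment = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", segment[:8])
    data_off = (segment[12] >> 4) * 4
    return (src, sport, dst, dport), seq, segment[13], segment[data_off:]


def reassemble(frames):
    """Rebuild the payload of each TCP direction, the way tcpflow writes one
    file per direction.  Segments are ordered by sequence number; pure
    retransmissions are dropped, overlapping segments contribute only their
    new bytes, and a hole (segment never captured) is marked inline so the
    analyst is not misled into reading across it.  Sequence-number
    wrap-around is not handled."""
    flows = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, seq, _flags, payload = parsed
        if payload:
            flows[key].append((seq, payload))
    streams = {}
    for key, segments in flows.items():
        segments.sort()
        stream = b""
        next_seq = segments[0][0]
        for seq, payload in segments:
            if seq + len(payload) <= next_seq:
                continue  # retransmission of data already placed
            if seq < next_seq:
                payload = payload[next_seq - seq:]  # trim the overlapping part
                seq = next_seq
            if seq > next_seq:
                stream += b"[%d bytes missing]" % (seq - next_seq)
            stream += payload
            next_seq = seq + len(payload)
        streams[key] = stream
    return streams


def demo():
    """Reassemble a constructed HTTP exchange captured out of order, with a
    retransmission, an overlap and one lost server segment."""
    c, s = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
    psh_ack = 0x18
    frames = [
        build_segment(c, 40000, s, 80, 1007, psh_ack, b"dex.html HTTP/1.0\r\n\r\n"),  # arrives first
        build_segment(c, 40000, s, 80, 1000, psh_ack, b"GET /in"),
        build_segment(c, 40000, s, 80, 1000, psh_ack, b"GET /in"),  # retransmission
        build_segment(c, 40000, s, 80, 1004, psh_ack, b"/index"),   # overlaps both neighbours
        build_segment(s, 80, c, 40000, 5000, psh_ack, b"HTTP/1.0 200 OK\r\n\r\n"),
        # the segment at seq 5019 carrying b"Content" was never captured
        build_segment(s, 80, c, 40000, 5026, psh_ack, b"-Length: 5\r\n\r\nhello"),
    ]
    return {"%s:%d -> %s:%d" % (socket.inet_ntoa(k[0]), k[1], socket.inet_ntoa(k[2]), k[3]): v
            for k, v in reassemble(frames).items()}


if __name__ == "__main__":
    for direction, data in demo().items():
        print(direction, data)
```

The gap marker is the point of the example: a reassembler that silently concatenates around a missing segment produces a stream that looks complete and is not, which matters when the reconstructed data is going into a report.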
Malware collection
nepenthes:
a low-interaction honeypot that emulates known vulnerabilities to collect malware samples
mwcollect:
another malware-collecting honeypot (its code base was merged with nepenthes)
VNC utils
xvncviewer:
a VNC client (runs under X)
direct-vnc:
a VNC client in console mode
Common tools
pipebench:
a pipe progress viewer
pv:
pipe viewer: shows progress, throughput and ETA of the data flowing through a pipe
cpipe:
counting pipe: another pipe throughput meter
pipemeter:
another pipe progress viewer
biew:
a hex editor and viewer with a built-in disassembler
bfr:
a buffer utility for pipes
biabam:
Bash Attachment Mailer: sends files as mail attachments from a shell script
aish:
converts to and from uuencode or base64
mimedecode:
decodes MIME-encoded mail messages
ftimes:
a tool to gather attributes and hashes of files (baselining and integrity checks)
md5deep:
a tool to recursively calculate MD5 hashes (sha1deep, sha256deep and friends do the same for other algorithms) and match them against known hash sets
glark:
a sort of colorized grep
curl:
a command-line URL transfer tool (HTTP, FTP and more); for mirroring a whole website use wget
star:
a tar archiver
sgrep:
structured grep: searches structured text such as SGML/XML by regions
Other (unsorted)
slocate:
a file location database
wdutch,wfrench:
Dutch and French word lists (dictionaries)
gpsd:
a GPS daemon
sg3-utils:
some SCSI utilities
dds2tar:
DDS tape utilities
nomarch:
A tool to extract arc archives
mpack:
A tool to pack and unpack MIME messages (mpack/munpack)
upx:
the UPX executable packer; decompresses UPX-packed executables (upx -d)
nxclient:
A client for NX servers
fccu-checker.sh:
A script to check for all those useful utilities
heme:
Another hex editor
multitail:
like tail for multiple files
vlc:
a media client with framebuffer support
dmidecode:
decodes the DMI/SMBIOS tables (BIOS, board, memory and other hardware information)
shed:
a text-based hex editor
hexcat:
like cat but with hexadecimal output
mbuffer:
another pipe buffer with throughput measurement
w3m:
a text-mode web browser; with -dump it fetches pages to text much as curl or wget fetch them
Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.