XVI32 Hex Editor

XVI32 is a freeware hex editor for Windows and runs under version 9x, NT, 2000, XP, Vista, and 7. It's super-lightweight (Fits on a floppy!) and loads and searches large files very quickly.

It just so happens to be Jerbo's favorite quick-n-dirty hex editor for Windows.

Gnome Partition Editor (GParted) Live

A Debian based boot disc with various packages including gpart, partimage, parted and others. GParted supports a variety of filesystems including popular Windows and *nix based filesystems


An application for viewing passwords and keys stored by a Windows based system including: Email, IM Clients, Product Keys and Autocomplete-saved passwords.


Windows 7, Vista, XP, Windows 2003 server , Windows 2000/NT


Show information about Windows. Reveal passwords etc.

ShoWin displays useful information about windows by dragging a cursor over them.

Perhaps one of the most popular uses of this program is to display hidden password editbox fields (text behind the asterisks *****). This will work in many programs although Microsoft have changed the way things work in some of their applications, most notably MS Office products and Windows 2000. ShoWin will not work in these cases. Neither will it work for password entry boxes on web pages, at least with most web browsers.

Additional features include the ability to enable windows that have been disabled, unhide hidden windows (try the program with the include invisibles option set and see how many windows you have on your desktop that you didn't know about!) and force windows to stay on top or be placed below others.


A Internet Explorer Cookie Forensic Analysis Tool.

Many important files within Microsoft Windows have structures that are undocumented. One of the principals of computer forensics is that all analysis methodologies must be well documented and repeatable, and they must have an acceptable margin of error. Currently, there are a lack of open source methods and tools that forensic analysts can rely upon to examine the data found in proprietary Microsoft files.

Many computer crime investigations require the reconstruction of a subject's Internet Explorer Cookie files. Since this analysis technique is executed regularly, we researched the structure of the data found in the cookie files. Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. The foundation of Galleta's examination methodology will be documented in an upcoming whitepaper. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

galleta [options]
-t Field Delimiter (TAB by default)

Example Usage:
[kjones:galleta/galleta_20030410_1/bin] kjones% ./galleta antihackertoolkit.txt > cookies.txt

Open cookies.txt as a TAB delimited file in MS Excel to further sort and filter your results

Forensic Toolkit

Tools to help examine NTFS for unauthorized activity.

The Forensic ToolKit™ contains several Win32 Command line tools that can help you examine the files on a NTFS disk partition for unauthorized activity. We built these tools to help us do our job, we hope they can help you as well.

Key Features
AFind is the only tool that lists files by their last access time without tampering the data the way that right-clicking on file properties in Explorer will. AFind allows you to search for access times between certain time frames, coordinating this with logon info provided from ntlast, you can to begin determine user activity even if file logging has not been enabled.

HFind scans the disk for hidden files. It will find files that have either the hidden attribute set, or NT's unique and painful way of hiding things by using the directory/system attribute combination. This is the method that IE uses to hide data. HFind lists the last access times.

Bin Text

Finds Ascii, Unicode and Resource strings in a file.

A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.

** NOTE: Some Anti-virus packages may falsely report this product as a keylogger/trojan application. Please upgrade to the latest anti-virus definitions as this has been corrected by most vendors.**


Reports all open TCP and UDP ports and maps them to the owning process or application.

Vision, a host based Forensic Utility is the GUI successor to the well-known freeware tool, Fport. This innovative new product from Foundstone shows all of the open TCP and UDP ports on a machine, displays the service that is active on each port, and maps the ports to their respective applications. Vision allows users to access a large amount of supplementary information that is useful for determining host status by displaying detailed system information, applications running, as well as processes and ports in use.

Key Features
Interrogate ports and identify potential "Trojan" services by using the "Port Probe" command in the port mapper. Using "Port Probe", Vision will enable you to send a customized string of information to the port. Based on the response from the port, a determination can be made to either kill the port, using the "Kill" command, or leave it as is.

View system events by sorting by application, process, service, port, remote IP, and device drivers in ascending or descending order.

Identify and review detailed information about Services and Devices to determine if they are Running or Stopped.

Q. Will Vision work on Windows 9x, Me, or XP?
A. Vision will not work on Windows 9x, or Me. It will work with Windows XP.

Q. I get “Must be Admin” error when trying to launch. I am the Administrator, so what’s the problem?
A. Check to ensure that nbt binding is enabled. In NT 4 this is done in your network interface bindings. Under Win2k check to ensure that you have the TCP/IP Netbios helper enabled.

System Requirements
NT 4/ Win 2000
NT 4 needs psapi.dll
800x600 res. minimum
256 colors min

Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Monitor includes powerful monitoring and filtering capabilities, including:
* More data captured for operation input and output parameters
* Non-destructive filters allow you to set filters without losing data


"The goal of Xplico is extract from an Internet traffic capture the applications data contained.
For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT)."

In a nut shell, it's like Wireshark on crack. Rather than digging through the individual packets and putting them back together this will dissect and parse the individual protocols and traffic back out to human readable. Anyone who has ever reassembled emails like this can vouch for the pita it is.

Anyone who works in a industry where captures live from the wire, or from cap file can see the use and abuse of such a product. You can select specific dissectors for the traffic of interest.

I found a good bit of info on configuring this at the link below.

I'd highly advise checking out some screen shots at the following link, the interface is very nice. I like the geomap!

Syndicate content