
Showing posts with label Forensics. Show all posts

Operative Framework v1.0b - Fingerprint Framework



This is a fingerprinting framework: the tool gathers information about a website or an enterprise target through multiple modules (Viadeo search, LinkedIn search, reverse email whois, reverse IP whois, SQL file forensics ...).

Dependency & launching
  • pip install -r requirements.txt
  • python operative.py


Campaign
  • You can start a (gathering/fingerprinting) campaign with the :campaign command.
  • Set the YOURWEBSITE.COM / ENTERPRISE_NAME values in the config.json file.
  • You can add a module process for a customized campaign.

Core Modules
  • core/modules/cms_gathering
  • core/modules/domain_search
  • core/modules/email_to_domain
  • core/modules/https_gathering
  • core/modules/linkedin_search
  • core/modules/reverse_ipdomain
  • core/modules/search_db
  • core/modules/waf_gathering
  • core/modules/whois_domain
  • core/modules/generate_email
  • core/modules/viadeo_search
  • core/modules/file_common
  • core/modules/get_websiteurl
  • core/modules/getform_data
  • core/modules/subdomain_search
  • core/modules/vhost_IPchecker
  • core/modules/tools_suggester
  • core/modules/metatag_look
  • core/modules/header_retrieval

SQL File forensics
  • import database in core/dbs/
  • read table
  • read columns
  • search information with pattern
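The four SQL file forensics steps above, worked as a stand-alone script (example code added here, not Operative Framework's own code or module API): the dump is imported into an in-memory SQLite database, tables and columns are enumerated from the schema, and every text cell is searched with a regular expression. The dump text, table and column names are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample dump (hypothetical data, not from any real database).
SAMPLE_DUMP = """
CREATE TABLE users (id INTEGER, login TEXT, email TEXT);
INSERT INTO users VALUES (1, 'alice', 'alice@example.com');
INSERT INTO users VALUES (2, 'bob', 'bob@example.org');
CREATE TABLE notes (id INTEGER, body TEXT);
INSERT INTO notes VALUES (1, 'contact carol@example.com about the VPN config');
INSERT INTO notes VALUES (2, 'nothing of interest here');
"""


def quote_ident(name):
    """Quote a table or column name taken from the dump so it cannot break the query."""
    return '"' + name.replace('"', '""') + '"'


def import_dump(sql_text):
    """Step 1: load the SQL dump into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(sql_text)
    return conn


def read_tables(conn):
    """Step 2: list the tables the dump created."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [row[0] for row in rows]


def read_columns(conn, table):
    """Step 3: list the columns of one table (PRAGMA table_info rows: cid, name, type, ...)."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]


def search_pattern(conn, pattern):
    """Step 4: regex-search every text cell; return (table, column, rowid, value) hits."""
    regex = re.compile(pattern)
    hits = []
    for table in read_tables(conn):
        columns = read_columns(conn, table)
        select = ", ".join(quote_ident(c) for c in columns)
        for row in conn.execute(f"SELECT rowid, {select} FROM {quote_ident(table)}"):
            for column, value in zip(columns, row[1:]):
                if isinstance(value, str) and regex.search(value):
                    hits.append((table, column, row[0], value))
    return hits


if __name__ == "__main__":
    db = import_dump(SAMPLE_DUMP)
    for t in read_tables(db):
        print(t, read_columns(db, t))
    for hit in search_pattern(db, r"[\w.+-]+@example\.com"):
        print(hit)
```

Searching every column of every table, rather than only the ones named "email" or "password", is what catches data that ended up in free-text fields such as the notes table here; identifiers are quoted because names in a dump are untrusted input to the query.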

Writing a module
To write a module, see the core/modules/sample_module class.


OWASP iOSForensic - Tool to help in forensics analysis on iOS


OWASP iOSForensic is a Python tool to help in forensic analysis on iOS.
It retrieves files and logs, extracts sqlite3 databases and converts binary .plist files to XML.

OWASP iOSForensic provides:
  • the application's files
  • conversion of .plist files to XML
  • extraction of all databases
  • conversion of binary cookies
  • the application's logs
  • a list of all packages
  • extraction of multiple packages

Options

  • -h --help : show help message
  • -a --about : show information
  • -v --verbose : verbose mode
  • -i --ip : local IP address of the iOS device
  • -p --port : SSH port of the iOS device (default 22)
  • -P --password : root password of the iOS device (default alpine)
Examples:
./iOSForensic.py -i 192.168.1.10 [OPTIONS] APP_NAME.app INCOMPLETE_APP_NAME APP_NAME2_WITHOUT_DOT_APP
./iOSForensic.py -i 192.168.1.10 -p 1337 -P pwd MyApp.app angry MyApp2
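A stand-alone version of the extraction the post describes, as an added example rather than iOSForensic's own code: it identifies binary plists and SQLite databases by their magic bytes instead of by extension (an app container can hold plists under unrelated names), converts the plists to XML with the standard plistlib module and copies the databases out with their timestamps. The container it walks is constructed in a temporary directory.

```python
import os
import plistlib
import shutil
import sqlite3
import tempfile

BPLIST_MAGIC = b"bplist00"
SQLITE_MAGIC = b"SQLite format 3\x00"


def classify(path):
    """Identify a file by its magic bytes: 'bplist', 'sqlite' or None."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(BPLIST_MAGIC):
        return "bplist"
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    return None


def bplist_to_xml(src, dst):
    """Read a binary plist and write it back out as XML."""
    with open(src, "rb") as f:
        data = plistlib.load(f)  # plistlib detects binary vs XML itself
    with open(dst, "wb") as f:
        plistlib.dump(data, f, fmt=plistlib.FMT_XML)
    return data


def extract_container(container, out_dir):
    """Walk an app container; convert plists, copy databases; return what was found."""
    report = {"bplist": [], "sqlite": []}
    for root, _, files in os.walk(container):
        for name in sorted(files):
            src = os.path.join(root, name)
            kind = classify(src)
            if kind is None:
                continue
            rel = os.path.relpath(src, container).replace(os.sep, "/")
            dst = os.path.join(out_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            if kind == "bplist":
                bplist_to_xml(src, dst + ".xml")
            else:
                shutil.copy2(src, dst)  # copy2 keeps the original timestamps
            report[kind].append(rel)
    return report


def build_sample_container():
    """Constructed container: two binary plists (one without a .plist name) and a database."""
    root = tempfile.mkdtemp(prefix="ioscontainer_")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as f:
        plistlib.dump({"lastUser": "alice", "tokenCached": True}, f, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(root, "Library", "state.dat"), "wb") as f:
        plistlib.dump({"debugMenu": False}, f, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(docs, "readme.txt"), "w") as f:
        f.write("not an artefact of interest\n")
    db = sqlite3.connect(os.path.join(docs, "cache.sqlite"))
    db.execute("CREATE TABLE visits (url TEXT)")
    db.execute("INSERT INTO visits VALUES ('https://example.com/')")
    db.commit()
    db.close()
    return root


def run_demo():
    """Build the sample container, extract it, and return (report, first bytes of one XML file)."""
    container = build_sample_container()
    out_dir = tempfile.mkdtemp(prefix="iosextract_")
    report = extract_container(container, out_dir)
    with open(os.path.join(out_dir, "Library", "state.dat.xml"), "rb") as f:
        header = f.read(5)
    return report, header


if __name__ == "__main__":
    print(run_demo()[0])
```

Against a real container pulled over SSH the same walk applies to the copied directory; the magic-byte check is what finds state.dat here, which an extension-based search would skip.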


Collection Of Free Computer Forensic Tools



Disk tools and data capture

Name | From | Description
DumpIt | MoonSols | Generates physical memory dump of Windows machines, 32 bits 64 bit. Can run from a USB flash drive.
EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link]
Encrypted Disk Detector* | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes
EWF MetaEditor | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier)
FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32
Forensics Acquisition of Websites | Web Content Protection Association | Browser designed to forensically capture web pages
FTK Imager* | AccessData | Imaging tool, disk viewer and image mounter
Guymager | vogu00 | Multi-threaded GUI imager running under Linux
HotSwap | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area
LiveView | CERT | Allows examiner to boot dd images in VMware.
P2 Explorer Free | Paraben | Mount forensic images as read-only local logical and physical disks
Live RAM Capturer* | Belkasoft | Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds
OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones.
OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks
Tableau Imager* | Tableau | Imaging tool for use with Tableau imaging products
VHD Tool | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management


Email analysis

Name | From | Description
EDB Viewer | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server
Mail Viewer | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files
OST Viewer | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server
PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook


General

Name | From | Description
Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl Regex
CaseNotes Lite | Blackthorn | Contemporaneous notes recorder
Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation
EvidenceMover* | Nuix | Copies data between locations, with file comparison, verification, logging
FastCopy | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc.
File Signatures | Gary Kessler | Table of file signatures
HashMyFiles | Nirsoft | Calculate MD5 and SHA1 hashes
MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to boot to them
Mouse Jiggler | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc.
Notepad ++ | Notepad ++ | Advanced Notepad replacement
NSRL | NIST | Hash sets of ‘known’ (ignorable) files
Quick Hash | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files
USB Write Blocker | DSi | Enables software write-blocking of USB ports
USB Write Blocker | Sécurité Multi-Secteurs | Software write blocker for Windows XP through to Windows 8
Windows Forensic Environment | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD


File and data analysis

Name | From | Description
Advanced Prefetch Analyser | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files
analyzeMFT | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools
Defraser | Various | Detects full and partial multimedia files in unallocated space
eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc.
Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file
ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types
Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data
Highlighter | Mandiant | Examine log files using text, graphic or histogram views
Link Parser | 4Discovery | Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details
RSA Netwitness Investigator* | EMC | Network packet capture and analysis
Memoryze | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems
MetaExtractor | 4Discovery | Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files
MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file
NetSleuth | NetGrab | Network monitoring tool, with covert “silent port scanning”
PictureBox | Mike’s Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format
PsTools | Microsoft | Suite of command-line Windows utilities
Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies
Simple File Parser | Chris Mayhew | GUI tool for parsing .lnk files, prefetch and jump list artefacts
SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database
Strings | Microsoft | Command-line tool for text searches
Structured Storage Viewer | MiTec | View and manage MS OLE Structured Storage based files
Switch-a-Roo | Mike’s Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc.
Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files


Mac OS tools

Name | From | Description
Audit | Twocanoes Software | Audit Preference Pane and Log Reader for OS X
Disk Arbitrator | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker in disabling disk arbitration
Epoch Converter* | Blackbag Technologies | Converts epoch times to local time and UTC
FTK Imager CLI for Mac OS* | AccessData | Command line Mac OS version of AccessData’s FTK Imager
IORegInfo | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected
Mac Memory Reader | Cyber Marshal | Command-line utility to capture physical RAM from Mac OS systems
PMAP Info* | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors


Mobile devices

Name | From | Description
iPhone Analyzer | Leo Crawford, Mat Proud | Explore the internal file structure of iPad, iPod and iPhones
ivMeta | Robin Wood | Extracts phone model and software version and created date and GPS data from iPhone videos.
Rubus* | CCL Forensics | Deconstructs Blackberry .ipd backup files
SAFT | SignalSEC Corp | Obtain SMS Messages, call logs and contacts from Android devices
WhatsApp Forensics | Zena Forensics | Extract WhatsApp messages from iOS and Android backups


Data analysis suites

Name | From | Description
Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below)
Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability
Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools
Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools
Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items
Forensic Scanner | Harlan Carvey | Automates ‘repetitive tasks of data collection’. Fuller description here
Paladin* | Sumuri | Ubuntu based live boot CD for imaging and analysis
SIFT* | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations
The Sleuth Kit | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools
Ubuntu guide | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc.
Volatility Framework | Volatile Systems | Collection of tools for the extraction of artefacts from RAM


File viewers

Name | From | Description
Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations
Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams
VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc.


Internet analysis

Name | From | Description
Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”)
ChromeCacheView | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
Cookie Cutter | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits.
Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information.
Facebook Profile Saver | Belkasoft | Captures information publicly available in Facebook profiles.
IECookiesView | Nirsoft | Extracts various details of Internet Explorer cookies
IEPassView | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8
MozillaCacheView | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers
MozillaCookieView | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers
MozillaHistoryView | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages
MyLastSearch | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace)
PasswordFox | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser
OperaCacheView | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache
OperaPassView | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat
Web Historian | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers
Web Page Saver* | Magnet Forensics | Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages


Registry analysis

Name | From | Description
ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file
Process Monitor | Microsoft | Examine Windows processes and registry threads in real time
Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents
RegRipper | Harlan Carvey | Registry data extraction and correlation tool
Regshot | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software
sbag | TZWorks | Extracts data from Shellbag entries
USB Device Forensics | Woanware | Details previously attached USB devices on exported registry hives
USB Historian | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems
USBDeview | Nirsoft | Details previously attached USB devices
User Assist Analysis | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys
UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time
Windows Registry Recovery | MiTec | Extracts configuration settings and other information from the Registry


Application analysis

Name | From | Description
Dropbox Decryptor* | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox
Google Maps Tile Investigator* | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context
KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details
SkypeLogView | Nirsoft | View Skype calls and chats


Abandonware

Name | From | Description
DCode | Digital Detective | Converts various data types to date/time values
iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones
ChromeAnalysis | Foxton Software | Analysis of internet history data generated using Google Chrome
IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs



[OS X Auditor] free Mac OS X computer forensics tool


OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:
  • the kernel extensions
  • the system agents and daemons
  • the third-party agents and daemons
  • the old and deprecated system and third-party startup items
  • the users' agents
  • the users' downloaded files
  • the installed applications
It extracts:
  • the users' quarantined files
  • the users' Safari history, downloads, topsites, HTML5 databases and localstore
  • the users' Firefox cookies, downloads, formhistory, permissions, places and signons
  • the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
  • the users' social and email accounts
  • the WiFi access points the audited system has been connected to (and tries to geolocate them)
It also looks for suspicious keywords in the .plist files themselves.
It can verify the reputation of each file on:
  • Team Cymru's MHR
  • VirusTotal
  • Malware.lu
  • your own local database
It can aggregate all logs from the following directories into a zipball:
  • /var/log (-> /private/var/log)
  • /Library/logs
  • the user's ~/Library/logs
Finally, the results can be:
  • rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
  • rendered as a HTML log file
  • sent to a Syslog server
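One slice of what the post describes, as an added example that is not OS X Auditor's own code: triaging the users' LaunchAgents. It parses each plist, hashes the program the agent launches, checks the hash against a local database, scans the whole plist for suspicious keywords (the keyword list is assumed for the example; the page does not give the tool's own list) and renders a tab-separated txt log that can be grepped. The agents, their binaries and the "known bad" database are constructed in a temporary directory.

```python
import hashlib
import os
import plistlib
import tempfile

# Keywords worth a second look inside a launch agent (assumed list for this example).
SUSPICIOUS_KEYWORDS = ("curl", "base64", "nohup", "/.")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_agent(plist_path, known_bad):
    """Parse one LaunchAgent plist, hash its program and collect findings."""
    with open(plist_path, "rb") as f:
        data = plistlib.load(f)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    program = args[0]
    findings = []
    flat = repr(data)  # keyword check over the whole parsed plist, not just the program path
    for keyword in SUSPICIOUS_KEYWORDS:
        if keyword in flat:
            findings.append("keyword:" + keyword)
    sha256 = None
    if os.path.isfile(program):
        sha256 = sha256_file(program)
        if sha256 in known_bad:  # the 'local database' reputation check
            findings.append("hash:known-bad")
    else:
        findings.append("program:missing")  # dangling agent, still worth recording
    return {"plist": os.path.basename(plist_path), "label": data.get("Label"),
            "program": program, "run_at_load": bool(data.get("RunAtLoad")),
            "sha256": sha256, "findings": findings}


def audit_agents_dir(agents_dir, known_bad):
    return [audit_agent(os.path.join(agents_dir, name), known_bad)
            for name in sorted(os.listdir(agents_dir)) if name.endswith(".plist")]


def render_txt(results):
    """Simple tab-separated txt log, one line per agent."""
    lines = []
    for r in results:
        status = "SUSPICIOUS" if r["findings"] else "ok"
        lines.append("\t".join([status, str(r["label"]), r["program"],
                                str(r["sha256"]), ",".join(r["findings"])]))
    return "\n".join(lines)


def build_sample(root):
    """Constructed LaunchAgents directory: one benign agent, one pointing at a hidden binary."""
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents)
    benign_bin = os.path.join(root, "bin", "syncagent")
    hidden_bin = os.path.join(root, "Library", ".cache", "updater")
    for path, content in ((benign_bin, b"#!/bin/sh\necho sync\n"),
                          (hidden_bin, b"#!/bin/sh\necho update\n")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    specs = {
        "com.example.sync.plist": {"Label": "com.example.sync", "RunAtLoad": True,
                                   "ProgramArguments": [benign_bin, "--interval", "300"]},
        "com.example.updater.plist": {"Label": "com.example.updater", "RunAtLoad": True,
                                      "KeepAlive": True, "ProgramArguments": [hidden_bin, "--quiet"]},
    }
    for name, spec in specs.items():
        with open(os.path.join(agents, name), "wb") as f:
            plistlib.dump(spec, f)
    # Local reputation database for the demo: just the hash of the planted binary
    return agents, {sha256_file(hidden_bin)}


def run_demo():
    agents_dir, known_bad = build_sample(tempfile.mkdtemp(prefix="osxaudit_"))
    results = audit_agents_dir(agents_dir, known_bad)
    return results, render_txt(results)


if __name__ == "__main__":
    print(run_demo()[1])
```

The same audit_agent function applies unchanged to /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents on a live system or a mounted image; hashing the target binary rather than trusting the plist is what lets a local or remote reputation lookup add anything.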

[NetworkMiner v1.4.1] Network Forensic Analysis Tool (NFAT)


NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD).

NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.

NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.



A professional edition of NetworkMiner is available for purchase from NETRESEC.

The free edition is available here: NetworkMiner_1-4-1.zip.

NetworkMiner collects data (such as forensic evidence) about the hosts on the network rather than about the traffic itself. The main user interface view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This functionality can be used to extract and save media files (such as audio or video files) which are streamed across a network from websites such as YouTube. Supported protocols for file extraction are FTP, TFTP, HTTP and SMB.


User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the “Credentials” tab. The credentials tab sometimes also shows information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.


Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner lets the user supply arbitrary strings or byte patterns to search for with the keyword search functionality.


[NetSleuth] Open source Network Forensics And Analysis Tools

NetSleuth identifies and fingerprints network devices by silent network monitoring or by processing data from PCAP files.

NetSleuth is an open source network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet).
It also includes a live mode, silently identifying hosts and devices without needing to send any packets or put the network adapters into promiscuous mode ("silent portscanning").
NetSleuth is a free network monitoring, cyber security and network forensics analysis (NFAT) tool that provides the following features:
  • An easy realtime overview of what devices and what people are connected to any WiFi or Ethernet network.
  • Free. The tool can be downloaded for free, and the source code is available under the GPL.
  • Simple and cost effective. No requirement for hardware or reconfiguration of networks.
  • “Silent portscanning” and undetectable network monitoring on WiFi and wired networks.
  • Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more.
  • Offline analysis of pcap files, from tools like Kismet or tcpdump, to aid in intrusion response and network forensics.
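The host-centric view the NetworkMiner post describes and the passive device identification from pcap files the NetSleuth post describes, worked as one added example (not code from either tool): a minimal classic-pcap reader that groups what it sees per source host, looks the MAC prefix up in a small OUI table (the two entries are assumed for the demo; a real tool loads the full IEEE list), pulls Host and User-Agent headers out of HTTP requests, and runs a NetworkMiner-style keyword search for arbitrary byte patterns over payloads. The capture it analyses is constructed inline, so it runs offline.

```python
import struct
from collections import defaultdict

# Tiny OUI-to-vendor table for the demonstration (assumption; load the full IEEE list in practice).
OUI_VENDORS = {"00:0c:29": "VMware", "b8:27:eb": "Raspberry Pi Foundation"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield (frame_number, frame_bytes); handles both pcap byte orders."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off, number = 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off, number = off + 16, number + 1
        yield number, pcap[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4 plus TCP or UDP ports; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]
    if frame[23] == 6 and len(l4) >= 20:    # TCP: data offset in the upper nibble of byte 12
        payload = l4[(l4[12] >> 4) * 4:]
    elif frame[23] == 17 and len(l4) >= 8:  # UDP: fixed 8-byte header
        payload = l4[8:]
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "src_ip": ".".join(str(b) for b in frame[26:30]),
            "dst_ip": ".".join(str(b) for b in frame[30:34]),
            "sport": sport, "dport": dport, "payload": payload}


def http_headers(payload):
    """Host and User-Agent from an HTTP request payload, or {} if it is not one."""
    found = {}
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        for line in payload.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.lower() in (b"host", b"user-agent"):
                found[name.lower().decode()] = value.strip().decode(errors="replace")
    return found


def host_inventory(pcap):
    """Host-centric view: per source IP, its MAC, OUI vendor, ports, HTTP hosts and agents."""
    hosts = defaultdict(lambda: {"mac": None, "vendor": "unknown", "dst_ports": set(),
                                 "hostnames": set(), "user_agents": set()})
    for _, frame in iter_frames(pcap):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        host = hosts[pkt["src_ip"]]
        host["mac"] = pkt["src_mac"]
        host["vendor"] = OUI_VENDORS.get(pkt["src_mac"][:8], "unknown")
        host["dst_ports"].add(pkt["dport"])
        hdrs = http_headers(pkt["payload"])
        if "host" in hdrs:
            host["hostnames"].add(hdrs["host"])
        if "user-agent" in hdrs:
            host["user_agents"].add(hdrs["user-agent"])
    return dict(hosts)


def keyword_search(pcap, keywords):
    """(frame_number, src_ip, keyword, offset) for every byte-pattern hit in a payload."""
    hits = []
    for number, frame in iter_frames(pcap):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for kw in keywords:
            pos = pkt["payload"].find(kw)
            while pos != -1:
                hits.append((number, pkt["src_ip"], kw, pos))
                pos = pkt["payload"].find(kw, pos + 1)
    return hits


# Constructed capture: a Raspberry Pi fetching a web page, then a VMware guest opening SSH to it.
SAMPLE_PCAP = build_pcap([
    build_frame("b8:27:eb:11:22:33", "00:11:22:33:44:55", "10.0.0.5", "192.0.2.10", 40000, 80,
                b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"),
    build_frame("00:0c:29:aa:bb:cc", "b8:27:eb:11:22:33", "10.0.0.7", "10.0.0.5", 50000, 22,
                b"SSH-2.0-OpenSSH_9.3\r\n"),
])
```

Nothing here transmits a packet: the vendor, hostname and user-agent attribution comes entirely from what the hosts already put on the wire, which is the point of both tools' passive modes. Keyword hits are reported per frame and host so a match can be taken straight back to the packet in a full-featured viewer.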