System analysis

Analyse archives
| Tool | Description |
|---|---|
| avfs (avfs-config) | access archived and compressed files |

Analyse binaries
| Tool | Description |
|---|---|
| addr2line | translates program addresses into file names and line numbers |
| ar | manage archives and libraries |
| c++filt | analyse C/C++ function names and libraries |
| elfcmp | compare a binary image with a process image to verify that it has not been tampered with |
| nm | search for addresses in source code |
| objcopy | copy and convert object files |
| objdump | show information for object files |
| ranlib | create an archive index for faster access |
| readelf | show the content of ELF files |
| sigfind | search for hex signatures |
| size | show the block size of binary files |
| strings | show readable content |
| strip | remove symbols and sections |

Analyse cookies
| Tool | Description |
|---|---|
| galleta | analyse cookie files |

Data recovery
| Tool | Description |
|---|---|
| fatback | recover FAT files |
| foremost | recover data |
| gzrecover (gzrt) | recover damaged ZIP files |
| LinEn | EnCase tool for forensic analysis of storage media and data |
| magicrescue | recover deleted and damaged files |
| magicsort | classify files found by magicrescue |
| recover | recover EXT2 filesystems |
| recoverdm | recover damaged hard drives |
| recoverjpeg | recover damaged JPEG images |
| rifiuti | analyse INFO2 files (recycle bin) |
| rossifstools | analyse EXT2/3, Reiser and FAT filesystems |
| scalpel | enhanced version of foremost |
| scrounge-ntfs | recover complete NTFS filesystems |

Expert Witness Format
| Tool | Description |
|---|---|
| ewfacquire | utility to acquire media data from a source and store it in EWF format (Expert Witness Format) |
| ewfacquirestream | utility to acquire media data from stdin and store it in EWF format |
| ewfalter | utility to alter media data in EWF files |
| ewfexport | export media data stored in EWF files |
| ewfinfo | show metadata stored in EWF files |
| ewfverify | utility to verify media data stored in EWF files |

Analyse hash
| Tool | Description |
|---|---|
| hfind | search hashes and create an index file |
| md5deep | create MD5 hashes |
| sha1deep | create SHA1 hashes |
| sha256 | create SHA256 hashes |
| tigerdeep | create Tiger hashes |
| whirlpooldeep | create Whirlpool hashes |

Analyse Hex
| Tool | Description |
|---|---|
| hexcurse | hex editor |
| hexedit | hex editor |
| xxd | hex dumper |

Analyse Live
| Tool | Description |
|---|---|
| filan | analyse processes |
| unhide | find hidden processes and ports |
| unhide-linux2.6 | find hidden processes and ports |
| unhide-TCP | find open but hidden TCP and UDP ports |

Analyse logs
| Tool | Description |
|---|---|
| grokevt | collection of tools to read Windows event log files (Windows NT and later): grokevt-addlog, grokevt-builddb, grokevt-parselog, grokevt-ripdll |
| fccu.evtreader | Windows event log analysis |

Analyse mail
| Tool | Description |
|---|---|
| libpst | convert MS Outlook mail files and personal folders into MBOX format |
| mboxgrep | analyse the content of mailboxes in mbox, mh, nnmh, nnml and maildir format |
| pst2ldif | extract contacts from Outlook .PST files to LDIF files |
| readpst | convert Outlook .PST to mbox (Mozilla) |
| readpstlog | convert binary log files from readpst into e.g. a text file |

Analyse mounting
| Tool | Description |
|---|---|
| gpart | guess the primary partition table of a hard drive whose sector 0 is damaged, manipulated or deleted |
| read_data | |
| replace_data | |
| search_data | |
| sgzip | mount EnCase images |
| write_data | |

Analyse RAM
| Tool | Description |
|---|---|
| memdump | create a memory dump on UNIX-like systems |
| memdecay | short-term memory analysis |
| memfetch | dump the memory of running processes |
| mffind | analyse memfetch dump files |
| pfenum | analyse freed memory regions |
| procenum | show hidden processes in memory |
| taskenum | show memory information for several processes |

Analyse registry (Windows)
| Tool | Description |
|---|---|
| Fix-w9x-lnk | checks links for missing flags |
| inicat | reads .ini files |
| inidiff | show differences between dumps |
| iniedit | edit .ini files |
| Gen-app-changes | creates the difference to the originally installed .ini files (W95) |
| regdiff | show differences between dumps |
| regedit | registry dumper |
| regfilter | registry dumper |
| reghexprint | analyse registry dump files |
| reglookup | analyse registry dump files |
| reglookup-timeline | analyse registry dump files |
| regsort | analyse registry dump files |
| regtool | registry dumper, output as SQL statements |

Analyse timeline
| Tool | Description |
|---|---|
| ftimes | analyse topography and attributes of files and directories |
| istat | show details of metadata structures |
| mac-robber | creates a timeline from MAC times of files |
| Zeitline | import events from several systems or networks and sort them into one or several timelines |

Analyse web
| Tool | Description |
|---|---|
| dumpAutoComplete | show Firefox AutoComplete information |
| mork | show Firefox history |
| demork | converts Mork files to XML |
| pasco | analyse the MS Internet Explorer cache |

Analyse Windows
| Tool | Description |
|---|---|
| antiword | read and convert MS Word files |
| fccu-docprop | analyse OLE files (MS Office .doc and .xls) |
| vinetto | analyse thumbnail files |