security & forensic tools
This is a list of tools I’ve collected over the years for diagnostic analysis, penetration testing and repair of operating systems, hard drives and memory …
Internet browser with extreme privacy
The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.
The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.
It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
The No. 1 free, powerful and all-in-one utility for cleaning your Windows PC. Boosts PC speed and fixes frustrating errors, crashes and freezes. Protects your privacy and wipes sensitive internet and chat history. Over 20 tools to maximize your computer’s performance.
freeSSHd, like its name says, is a free implementation of an SSH server. It provides strong encryption and authentication over insecure networks like the Internet. Users can open a remote console or even access their remote files thanks to the built-in SFTP server.
Cmder is a software package created out of pure frustration over the absence of nice console emulators on Windows. It is based on amazing software, and spiced up with the Monokai color scheme and a custom prompt layout. Looking sexy from the start.
Take Social Engineering to the next level with a USB Rubber Ducky Deluxe hidden inside an inconspicuous “thumb drive” case. All the fixings included.
Since 2010 the USB Rubber Ducky has been a favorite amongst hackers, penetration testers and IT professionals. With origins as a humble IT automation proof-of-concept using an embedded dev-board, it has grown into a full fledged commercial Keystroke Injection Attack Platform. The USB Rubber Ducky captured the imagination of hackers with its simple scripting language, formidable hardware, and covert design.
GnuPG is the GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME.
GPGTools Windows GPGTools for Mac
Everything you need to get started with secure communication and encrypting files in one simple package.
Use GPG Suite to encrypt, decrypt, sign and verify files or messages. Manage your GPG Keychain with a few simple clicks and experience the full power of GPG easier than ever before.
Free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux
Data Recovery (for Windows & Mac) can easily recover your lost, deleted or formatted files from various Western Digital hard drives such as Elements Desktop 1 TB, My Passport Essential, Caviar Green 2 TB etc. It can recover more than 500+ file types including documents, emails, photos, videos, archives and more. Both Windows & Mac versions are provided. Note: the program performs read-only procedure, so it is 100% risk-free and won’t do any damage to your WD drive.
TestDisk is a powerful free data recovery program! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting your Partition Table).
PhotoRec: same as above.
PhotoRec is a File Recovery program designed to recover lost files; including video, documents and archives from Hard Disks, CDRom and lost pictures from digital camera memory (thus, its Photo Recovery name). PhotoRec ignores the filesystem and goes after the underlying data, so it can still find files even if your media’s filesystem has been severely damaged or re-formatted (overwritten data, of course, can not be recovered).
Do-it-yourself Data Recovery Software
Recover your files from an NTFS drive when the data is no longer accessible due to formatting, fdisk, virus attack, power or software failure. Get everything back even when the drive’s partition table, boot record, Master File Table or root directory is lost or corrupt.
- Acronis True Image 2014 is a backup solution. It protects your content, recovers your data in case of any disasters, and syncs it with all your devices or across computers. Safe, reliable, easy – it’s the ultimate in digital protection.
- The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification.
- Unix Checksum
- sha1sum is a computer program that calculates and verifies SHA-1 hashes. It is commonly used to verify the integrity of files. It (or a variant) is installed by default in most Unix-like operating systems. Variants include shasum (which permits SHA-1 through SHA-512 hash functions to be selected manually) and sha224sum, sha256sum, sha384sum and sha512sum, which use a specific SHA-2 hash function. Versions for Microsoft Windows also exist, and the ActivePerl distribution includes a perl implementation of shasum. On FreeBSD this utility is called ‘sha512’ and contains additional features.
- checksums of files among other things
WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards.
HexView is a multiple document Hexadecimal viewer that can display, print, and print preview any file as a hex dump.
- a hex/ebc/asc stream editor
- Install: Debian Package - Ubuntu hex editor
Windows File Analyzer decodes and analyzes cached Windows data to provide information for forensic analysis. Includes a tabbed interface with a multiple-document window and horizontal/vertical/cascade view settings. Analysis results can be printed in user-friendly form. The program includes a variety of analysis tools useful for seeing how much information your computer leaves behind that could represent a privacy risk or for trying to detect nefarious activity.
Features include thumbnail viewers for Windows XP, ACDSee, Google Picasa, FastStone Viewer, and HP Digital Imaging files, displaying content with stored data and image preview. A Prefetch Analyzer looks at recent programs run and stored in the Prefetch folder, while the Shortcut Analyzer examines all shortcut files in a specified folder and the data stored in them. An Index.DAT Analyzer looks at Internet Explorer cookies, temporary files or history, while a Recycle Bin decoding tool displays Info2 files that hold recycle bin content (Win2k and XP only).
Library and tools to access the Volume Shadow Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Windows Grep is a tool for searching files for text strings that you specify. Although Windows and many other programs have file searching capabilities built-in, none can match the power and versatility of Windows Grep.
- Kernel Debugger Extensions A set of debugger extensions that can assist you in the examination and analysis of a wider range of kernel data structures, especially when dealing with crash dumps.
- Kernel Memory Space Analyzer A heuristics-based kernel memory crash dump analysis tool which is delivered with several different “personalities”
- User Mode Process Dump A tool that permits users to create Dr. Watson-compatible User.dmp files of any running Win32 process, such as Csrss.exe or Explorer.exe, without invading or debugging them, and without terminating them when debugging is complete. This tool permits manual creation of dump files via the command line or a hot-key, or automatic creation when exceptions occur in monitored processes. The ability to create an on-the-fly “snapshot” dump of a process would permit someone to debug the problem off-line using a Windows debugger.
- Kernel Mode to User Mode Process Dump Extraction Utility A tool used to extract information from a kernel mode crash dump file about the processes that existed at the time of the crash, and generate user mode process dump files for these processes which can be then debugged by a Windows debugger.
- Windows NT File System (NTFS) File Sector Information Utility (nfi.exe) A tool used to dump information about an NTFS volume, and determine which volume and file contains a particular sector.
- Driver Verifier and System Information Application Programming Interface (API) Wrapper
- dd: copy a file, converting and formatting according to the operands. From Wikipedia: dd is a command on Unix and Unix-like operating systems whose primary purpose is to convert and copy a file.
- On Unix, device drivers for hardware (such as hard disks) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files; dd can also read from (and in some cases write to) these files. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, and obtaining a fixed amount of random data. The dd program can also perform conversions on the data as it is copied, including byte order swapping and conversion to and from the ASCII and EBCDIC text encodings.
On Cygwin (the output of dd is piped into gzip): dd if=/dev/sdb conv=sync,noerror bs=64K | gzip -c > h:/sdb.img.gz
- od - dump files in octal and other formats
- e.g. od -Ad -tx1z mbrcopy (decimal offsets, one-byte hex values, with the printable ASCII shown alongside)
- dcfldd is an enhanced version of dd developed by the U.S. Department of Defense Computer Forensics Lab. It has some useful features for forensic investigators such as:
- On-the-fly hashing of the transmitted data.
- Progress bar of how much data has already been sent.
- Wiping of disks with known patterns.
- Verification that the image is identical to the original drive, bit-for-bit.
- Simultaneous output to more than one file/disk is possible.
- The output can be split into multiple files.
- Logs and data can be piped into external applications.
- The program only produces raw image files.
Install: sudo apt-get install dcfldd
- sleuthkit.org is the official web site for The Sleuth Kit™ and Autopsy™. Both are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.
- fsstat - display general details of a file system
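The dd, checksum and dcfldd entries above describe the same workflow: image a drive block by block, prove the image matches the source, and then look at the raw bytes. The POSIX shell script below is an added example written for this page, not code from any of the listed tools. It images a "device" (a constructed 1 MiB file standing in for /dev/sdb, since the real device path is a placeholder here), verifies the copy with sha256sum (used instead of the MD5/SHA-1 that FCIV offers, since neither of those is collision-resistant any more), and reads the MBR boot signature and first partition entry out of the image with od. The function names, the demo file and its partition values are all assumptions; it needs GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the page: image a device with dd, verify the
# copy by hash, and read the MBR of the image with od.  All function names,
# the demo file and its partition values are assumptions made here; in real
# use the source would be a device such as /dev/sdb.  Needs GNU coreutils
# (dd, od, sha256sum, head -c).

# Forensic-style copy.  conv=noerror keeps going past read errors and
# conv=sync pads each short block with zeros so offsets in the image stay
# aligned with the source.  Side effect: the final block is padded up to
# bs, so the image can be longer than the source.
image_device() {  # image_device <source> <image>
  dd if="$1" of="$2" bs=64K conv=sync,noerror 2>/dev/null
}

# Compare source and image by SHA-256.  Only the first <source size> bytes of
# the image are hashed, so the zero padding added by conv=sync does not
# produce a false mismatch; a truncated or corrupted image still fails.
verify_image() {  # verify_image <source> <image>; exit 0 when identical
  size=$(wc -c < "$1" | tr -d ' ')
  src_hash=$(sha256sum < "$1" | cut -d' ' -f1)
  img_hash=$(head -c "$size" "$2" | sha256sum | cut -d' ' -f1)
  [ "$src_hash" = "$img_hash" ]
}

# Read a little-endian 32-bit integer at byte offset <offset> of <file>,
# using od with no address column (-An) and one-byte hex output (-tx1).
le32_at() {  # le32_at <file> <offset>
  bytes=$(od -An -tx1 -j"$2" -N4 "$1")
  set -- $bytes
  echo $(( (0x$4 << 24) | (0x$3 << 16) | (0x$2 << 8) | 0x$1 ))
}

# A classic MBR ends with the boot signature 55 AA at bytes 510-511.
mbr_signature_ok() {  # mbr_signature_ok <file>
  sig=$(od -An -tx1 -j510 -N2 "$1" | tr -d ' ')
  [ "$sig" = "55aa" ]
}

# First of the four 16-byte partition entries, which starts at offset 446:
# byte 0 status (0x80 = bootable), byte 4 type, bytes 8-11 LBA of the first
# sector, bytes 12-15 sector count (both little-endian).
mbr_first_partition() {  # mbr_first_partition <file>
  base=446
  status=$(od -An -tx1 -j$base -N1 "$1" | tr -d ' ')
  ptype=$(od -An -tx1 -j$((base + 4)) -N1 "$1" | tr -d ' ')
  start=$(le32_at "$1" $((base + 8)))
  count=$(le32_at "$1" $((base + 12)))
  echo "status=0x$status type=0x$ptype lba_start=$start sectors=$count"
}

# Constructed stand-in for a device: 1 MiB of zeros carrying a fake MBR with
# one bootable Linux (0x83) partition starting at LBA 2048, 1024000 sectors.
make_demo_device() {  # make_demo_device <file>
  dd if=/dev/zero of="$1" bs=64K count=16 2>/dev/null
  printf '\200\000\000\000\203\000\000\000\000\010\000\000\000\240\017\000' \
    | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

demo() {
  tmp=$(mktemp -d)
  make_demo_device "$tmp/dev.bin"
  image_device "$tmp/dev.bin" "$tmp/dev.img"
  if verify_image "$tmp/dev.bin" "$tmp/dev.img"; then
    echo "image verified against source"
  else
    echo "IMAGE DOES NOT MATCH SOURCE"
  fi
  mbr_signature_ok "$tmp/dev.img" && echo "boot signature 55AA present"
  mbr_first_partition "$tmp/dev.img"
  rm -rf "$tmp"
}

demo
```

Against a real drive the only change is the source argument (image_device /dev/sdb case.img) and running as root; keep the hash of the source from the same session, since a source that is not a multiple of 64K is padded in the image and only the length-limited comparison in verify_image accounts for that.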
- Web UI for sleuthKit
- Reads the MFT and extracts file times (or from the gist linked above)
- DiskView shows you a graphical map of your disk, allowing you to determine where a file is located or, by clicking on a cluster, seeing which file occupies it. Double-click to get more information about a file to which a cluster is allocated.
- The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.
- Scans for deleted files
- ntfsundelete -s
- recover deleted files
- Accidentally deleted an important file? Lost something important when your computer crashed? No problem! Recuva recovers files deleted from your Windows computer, Recycle Bin, digital camera card, or MP3 player. And it’s free!
- A quick reference from the SANS Institute on memory forensics
- MoonSols DumpIt is a fusion of win32dd and win64dd in one executable; no options are asked of the end user. A double click on the executable is enough to generate a copy of the physical memory in the current directory. DumpIt is the perfect utility to deploy on a USB key for quick incident response operations. Fast, small and portable.
- Mandiant’s Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
- Memoryze for the Mac is free memory forensic software that helps incident responders find evil in memory… on Macs. Memoryze for the Mac can acquire and/or analyze memory images. Analysis can be performed on offline memory images or on live systems.
Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile. With Redline, users can:
- Thoroughly audit and collect all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks, and web history.
- Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
- Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
- Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.
- Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline - Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.
Volatile memory artifact extraction utility framework
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
The Volatility Framework demonstrates our commitment to and belief in the importance of open source digital investigation tools. Volatile Systems is committed to the belief that the technical procedures used to extract digital evidence should be open to peer analysis and review. We also believe this is in the best interest of the digital investigation community, as it helps increase the communal knowledge about systems we are forced to investigate. Similarly, we do not believe the availability of these tools should be restricted and therefore encourage people to modify, extend, and make derivative works, as permitted by the GPL.
- Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM on a suspect computer, letting an investigator gather volatile state information prior to shutting the machine down. Results are stored in either a Mach-O binary file or a raw-format file for later off-line analysis by the investigator. Researchers can also use Mac Memory Reader to capture memory-mapped device data, such as shared video memory. Mac Memory Reader is available free of charge. It executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.8 and requires a PowerPC G4 or newer or any Intel processor.
- Scalpel is an open source program for recovering deleted data originally based on foremost, although significantly more efficient. Written by Golden G. Richard III and presented at the DFRWS conference in 2005, it allows an examiner to specify a number of headers and footers to recover filetypes from a piece of media.
SANS Investigate Forensic Toolkit (SIFT)
- VMware Appliance
- Ready to tackle forensics
- Cross compatibility between Linux and Windows
- Forensic tools preconfigured
- A portable lab workstation you can now use for your investigations
- Option to install stand-alone via (.iso) or use via VMware Player/Workstation
- OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
- In addition to being a disassembler, IDA is also a powerful and versatile debugger. It supports multiple debugging targets and can handle remote applications, via a “remote debugging server”.
- Security distribution of Linux; this distribution used to be the go-to hack tool but is not that well maintained now. Kali is the one I use now.
- Security distribution of Linux that comes preloaded with most of what you will need as a hobbyist.
- UNetbootin allows you to create bootable Live USB drives for Ubuntu, Fedora, and other Linux distributions without burning a CD. It runs on Windows, Linux, and Mac OS X.
- Rufus allows you to create bootable Live USB drives for Windows.
- OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the open Advance Forensics Format (AFF).
- EasyBCD allows you to create a multiboot environment in order to run multiple operating systems on the same computer. The application also features BCD (Boot Configuration Data) Backup / Repair utilities that provide users with the possibility to reset the BCD configuration or to recreate and repair boot files.
- Bart’s PE Builder helps you build a “BartPE” (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.
- Program to Create Portable Windows 7 PE
The Plop Boot Manager is a small program with unbelievably many features. Here is a list of features, but you can do more…
- USB boot without BIOS support (UHCI, OHCI and EHCI)
- CD/DVD boot without BIOS support (IDE)
- PCMCIA CardBus support to enable boot from USB PC-Cards
- Floppy boot
- Different profiles for operating systems
- Define up to 16 partitions
- No extra partition for the boot manager
- OSFMount allows you to mount local disk image files (bit-for-bit copies of a disk partition) in Windows with a drive letter. You can then analyze the disk image file with PassMark OSForensics™ by using the mounted volume’s drive letter. By default, the image files are mounted as read only so that the original image files are not altered.
- ImageUSB is a free utility which lets you write an image concurrently to multiple USB Flash Drives. Capable of creating exact bit-level copies of USB Flash Drive (UFDs), ImageUSB is an extremely effective tool for the mass duplication of UFDs. ImageUSB also supports writing of an ISO file byte by byte directly to an USB drive (*). ImageUSB can also be used to install OSFClone to a USB Drive for use with PassMark OSForensics™.
- This program is designed to write a raw disk image to a removable device or backup a removable device to a raw image file. It is very useful for embedded development, namely Arm development projects (Android, Ubuntu on Arm, etc). Anyone is free to branch and modify this program. Patches are always welcome.
- Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
- A Tool For Mass Password Auditing of Windows Systems
- Nmap (Network Mapper) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
- Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
- Burp Suite is an integrated platform for performing security testing of web applications
- To run on BackTrack: java -jar -Xmx1024m /path/to/burp.jar
Network Monitoring Software
PRTG Network Monitor runs on a Windows machine within your network, collecting various statistics from the machines, software, and devices which you designate. (It can also autodiscover them, helping you map out your network.) It also retains the data so you can see historical performance, helping you react to changes.
- The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
- OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
The versatile Nessus® vulnerability scanner provides patch, configuration, and compliance auditing; mobile, malware, and botnet discovery; sensitive data identification; and many other features.
With a continuously updated library of more than 60,000 plugins and the support of Tenable’s expert vulnerability research team, Nessus delivers accuracy to the marketplace. Nessus provides multi-scanner support, scales to serve the largest organizations, and is easy to deploy on premise or in the Amazon Web Services (AWS) cloud.
- Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
- Protected Storage Viewer
- Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
- See passwords in Windows memory before they are encrypted and transferred to HD
- WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
- a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.
- Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.
- Fiddler is a free web debugging proxy which logs all HTTP(s) traffic between your computer and the Internet. Use it to debug traffic from virtually any application that supports a proxy like IE, Chrome, Safari, Firefox, Opera and more.
- Use tamperdata to view and modify HTTP/HTTPS headers and post parameters.
View HTTP headers of a page while browsing.
- Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
- Arp manipulates the kernel’s ARP cache in various ways. The primary options are clearing an address mapping entry and manually setting up one. For debugging purposes, the arp program also allows a complete dump of the ARP cache.
- Arpwatch is an open source computer software program that helps you monitor Ethernet traffic activity (like changing IP and MAC addresses) on your network and maintains a database of Ethernet/IP address pairings. It produces a log of the IP and MAC address pairings it notices, along with timestamps, so you can carefully watch when the pairing activity appeared on the network. It also has the option to send reports via email to a network administrator when a pairing is added or changed.
sudo apt-get install arpwatch
DNS Sniff (http://www.monkey.org/~dugsong/dsniff/)
- dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
sudo apt-get install dsniff (there is no arpspoof package; arpspoof ships inside the dsniff package)
- Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
- BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
- A Freeware Malware Analysis and Cyber Threat Intelligence Software.
RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
The UserAssist utility displays a table of programs executed on a Windows machine, complete with running count and last execution date and time.
These are some great pieces of virtualization software. Check them out for details.
- vmware player
- VMWare Fusion
- vinetto - thumbs
- pasco - IE history
- galleta - IE cookies
- rifiuti - Recycle Bin - INFO2
- hachoir - extract sub files like images from word docs