Tools Using TSK or Autopsy
Latest revision as of 05:06, 19 December 2016
Bootable CDs with The Sleuth Kit & Autopsy
(in alphabetical order)
- BackTrack2
- CAINE (Computer Aided INvestigative Environment) - GUI Forensics Interface
- DEFT (Digital Evidence & Forensic Toolkit) - Xubuntu based
- FCCU Gnu/Linux Forensic Boot CD (knoppix)
- Forensic and Incident Response Environment (FIRE)
- Helix (knoppix)
- Knoppix STD
- Local Area Security Linux
- Penguin Sleuth Kit (knoppix)
- Network Security Toolkit (NST)
- Plan-B
- Snarl (FreeBSD)
- HeX (Freesbie2)
- Stagos FSE (Ubuntu based)
- IRItaly Live CD Project (Gentoo based)
- ForLEx Live CD - Forensic Linux Examination (Debian based)
Tools that Integrate The Sleuth Kit
(in alphabetical order)
- Allin1
- Archivematica
- Autopsy
- NBTempo
- Nigilant32 for Windows
- Odyssey Digital Forensics Search
- PTK Forensics
- PyFlag
- Raw2Fs
- Revealer Toolkit
- Selective File Dumper
- Zeitline
Add-ons / Patches for The Sleuth Kit and Autopsy
The following were written by Sleuth Kit users and provide additional capabilities. Note that a patch may not work with the current version.
(in alphabetical order)
- Comeforth: Script that uses TSK tools to process raw data. It is similar to lazarus, but Dan Higgens says that it provides a bit more flexibility for processing very large data sets.
- FUNDL - File Undeleter: Script that uses the TSK tools fls and icat to recover deleted files; a Windows version of the script is also available.
- foremost: Patch to use foremost with Autopsy. By Pepijn Vissers (vissers at fox-it dot com).
- Forensic Hash Database: Patch to use hfind and sorter with the Forensic Hash Database. By Matthias Hofherr (matthias at mhofherr dot de).
- Index Search: Patch to let Autopsy and The Sleuth Kit index the ASCII words in an image. This provides faster keyword searches in Autopsy than by just extracting the strings. By Paul Bakker (bakker at fox-it dot com).
- Recoup Directory Contents: Script to run fls and icat on a directory to export the files and create the needed subdirectories. By Dave Henkewick (dave at hoax dot ca).
- Qt bindings for TSK: qttsk provides the user with a graphical frontend to fls and icat. In the future mmls will also be supported.
- Unicode: (NOTE: This patch is no longer needed as of version 2.03) Patches for the NTFS code in The Sleuth Kit to show Unicode names. By TAKAHASHI Motonobu (monyo at home dot monyo dot com) and tessy (tessy at tessy dot jp).
Sleuth Kit Packages
The following packages have been contributed by Sleuth Kit users and/or distribution developers. NOTE: They have not been validated, reviewed, or tested by the original developers and have no warranties of any kind. Some packages may not be of the latest release, so check the version first.
- Ralf Spenneberg: www.spenneberg.com
- Oden Eriksson: RPM Find
- Thomas Rude: crazytrain.com
- Matthew Shannon: src and i686 RPMs (note that no Autopsy rpms match this rpm).
- Dag Wieers: dag.wieers.com
- Gentoo: sleuthkit ebuilds
- OpenBSD: OpenBSD Packages
- FreeBSD: FreeBSD Packages
- Debian: Debian Packages (stable)
- Slackware: Slackware Packages
Autopsy Packages
The following packages have been contributed by Autopsy users. NOTE: They have not been validated, reviewed, or tested by the original developers of Autopsy and have no warranties of any kind. Some packages may not be of the latest release, so check the version first.
- Ralf Spenneberg: www.spenneberg.com (NOTE: If you use this RPM, make sure you use Ralf's Sleuth Kit RPM as well to ensure the binaries are in the correct place).
- Dag Wieers: dag.wieers.com
- Michael Scherer: RPM Find
- Gentoo: Autopsy ebuilds
- FreeBSD: FreeBSD Packages
- Debian: Debian Packages (stable)
- Slackware: Slackware Packages
- Ubuntu: Ubuntu Packages