Displaying 20 to 40 from 53 results

RecuperaBit - A tool for forensic file system reconstruction.

  •    Python

A software which attempts to reconstruct file system structures and recover files. Currently it supports only NTFS. You can get more information about the reconstruction algorithms and the architecture used in RecuperaBit by reading my MSc thesis or checking out the slides.

yara-forensics - Set of Yara rules for finding files using magics headers

  •    Shell

Yara is the pattern matching swiss knife for malware researchers (and everyone else). Basically Yara allow us to scan files based on textual or binary patterns, thus we can take advantage of Yara's potential and focus it in forensic investigations. For now I have created a set of rules that search for magic headers on files and dump files like raw image of dd as well. So I invite anyone to add or improve rules regarding forensics stuff.

docker-volatility - Volatility Dockerfile

  •    Makefile

This repository contains a Dockerfile of Volatility. Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.

lsrootkit - Rootkit Detector for UNIX

  •    C

Warning!!: the code is bullshit (is only a beta prototype). Very Important: if lsrootkit process crash you can have a rootkit in the system with some bugs: memory leaks etc.




dnslog - Minimalistic DNS logging tool

  •    Python

Minimalistic DNS logging tool. Captures all DNS traffic and stores its textual presentation (in compressed form) to the /var/log/dnslog/<date>.log.gz. Created for the network forensics purposes.

bits_parser - Extract BITS jobs from QMGR queue and store them as CSV records

  •    Python

Extract BITS jobs from QMGR queue and store them as CSV records. QMGR queues are usually .dat files located in the folder %%ALLUSERSPROFILE%%\Microsoft\Network\Downloader on a Windows system.

bootcode_parser - A boot record parser that identifies known good signatures for MBR, VBR and IPL.

  •    Python

bootcode_parser.py is a Python script designed to perform a quick offline analysis of the boot records used by BIOS based systems (UEFI is not supported). It is intended to help the analyst triaging individual boot record dumps or whole disk images. The latter is preferred since it allows the script to perform additional checks that would not be possible on individual dumps alone.


Email4n6 - A simple cross-platform forensic program for processing email files.

  •    Java

Currently only PST and OST (untested) files are supported, once these formats are well tested, support for files such as EML should follow. Email4n6 requires Java 8 to be installed. If you're running on Linux and are using OpenJDK, please make sure to also install OpenJFX.

c-aff4 - An AFF4 C++ implementation.

  •    C++

The Advanced Forensics File Format 4 (AFF4) is an open source format used for the storage of digital evidence and data. This project implementats a C/C++ library for creating, reading and manipulating AFF4 images. The project also includes the canonical aff4imager binary which provides a general purpose standalone imaging tool.

qed - quod erat demonstrandum - verifiable data structure

  •    Go

qed is a software to test the scalability of authenticated data structures. Our mission is to design a system which, even when deployed into a non-trusted server, allows one to verify the integrity of a chain of events and detect modifications of single events or parts of its history. This software is experimental and part of the research being done at BBVA Labs. We will eventually publish our research work, analysis and the experiments for anyone to reproduce.

Hibr2Bin - Comae Hibernation File Decompressor

  •    C++

Back in 2007 [1], after reversing Microsoft Windows Kernel Power Management functions and its compression algorithm. I started an open source project called Enter SandMan that aimed at decompressing hibernation files on Windows and extracting information out of it via an interactive shell - 10 years later hibernation file based memory forensics became very popular in the Law Enforcement World and helped many investigators to solve many cases all over the World. SandMan initially started as an open-source project, but in 2008 a German company called X-Ways stole[2][3][4] my open source code without giving any proper due credits. As a results, I stopped open sourcing my projects.

swsusp2bin - Utility to decompress Linux swsusp hibernation file.

  •    C++

swsusp (Software Suspend) is a kernel feature/program which is part of power management framework in the Linux kernel. It's the default suspend framework as of kernel 3.8. This command saves the system state on the hard disk drive and powers off the machine. When you turn the machine back on, the system then restores its state from the saved data without having to boot again. Because the system state is saved on the hard disk and not in RAM, the machine does not have to maintain electrical power to the RAM module, but as a consequence, restoring the system from hibernation is significantly slower than restoring it from suspend mode.

THRecon - Threat Hunting Reconnaissance Toolkit

  •    PowerShell

Collect endpoint information for use in incident response, threat hunting, live forensics, baseline monitoring, etc. * Info pulled from current running processes or their executables on disk.

tr1pd - tamper resistant audit log

  •    Rust

tr1pd is a tamper resistant audit log. Make sure you have the following dependencies installed: Debian/Ubuntu: libsodium-dev libseccomp-dev libzmq3-dev, Archlinux: libsodium libseccomp zeromq, Alpine: make libsodium-dev libseccomp-dev zeromq-dev, OpenBSD: libsodium zeromq.

local-blockchain-parser - Searches for hidden files in local blockchain .DAT files.

  •    Go

Parses blockchain .dat files and spits out various types of information contained in them. Either rename the executable to local-blockchain-parser or use the existing executable name for the commands listed below under "Usage".

btrfscue - Recover files from damaged BTRFS filesystems

  •    Go

btrfscue is an advanced data recovery tool for the BTRFS filesystem. Despite being a state of the art filesystem, at the time when I started writing this (Q2 2011), BTRFS did not have a stable fsck tool that is capable of restoring a filesystem to a mountable state after a power failure or system crash. Recently, this situation has somewhat improved with the btrfs restore command. Unlike this official tool, btrfscue is designed to be able to restore data from disk images that were obtained from faulty storage devices or if all superblocks were overwritten inadvertently. Being a recovery tool, btrfscue works best on disk images and will write recovered data to a directory. It can thus be used to convert BTRFS filesystems to any other filesystem supported by the host OS. It will also recover recently deleted files and directories and aid in BTRFS filesystem forensics.

joincap - Merge multiple pcap files together, gracefully.

  •    Go

Merge multiple pcap files together, gracefully. I believe skipping corrupt packets is better than failing the entire merge job. When using tcpslice or mergecap sometimes pcapfix is needed to fix bad input pcap files.