Free forensic investigations software for linux

FileSystem Investigator is a platform independent file system viewer and data extraction tool. It allows the user to:

* View the contents of the target file system in a forensicly safe manner, bypassing the normal operating system mechanisms.
* Extract files and whole directory trees of files from the source filesystem.

Since it is written in platform-neutral Java, it can be used to examine filesystems outside their native environment. For example, it can be used to view a Linux filesystem while running under Windows.

FileSystem Investigator directly accesses the source disk and processes the data using it own built in filesystem drivers. This ensures that it is safe to use FileSystem Investigator for forensic investigations.

FileSystem Investigator will never write to the source media thus important timestamps are preserved. FileSystem Investigator can also read disk-image files such as those created by dd.

Files and whole directory structures can be extracted easily from the source drive and stored for further use or analysis. Due to limitations imposed by Java, special files such as device nodes, pipes, sockets and links, cannot be extracted.

mod_diagnostics is a debugging and diagnostic tool for application developers - particularly filter modules.

mod_diagnostics.c can be inserted anywhere in the Apache filter chain, and logs traffic (buckets and brigades) passing through.

It is a purely passive watcher, and will never touch the traffic passing through.

Examples

Probably the best way to explain mod_diagnistics is by example.

Strange delays in some browsers

In an update to mod_xml, a new bug was introduced. It was not immediately obvious, but in some browsers the request would hang and then timeout. The effect was only observed when using the XSLT output filter with Xalan-C, and only happened with HTTP/1.1 browser, not with HTTP/1.0. Furthermore, hitting "cancel" before the timeout in an HTTP/1.1 browser would cause the page to display!
Inserting mod_diagnostics before and after the offending filter, the bug was immediately obvious. The module was simply failing to pass an EOS bucket down the chain. A trivial fix!

Obscure bug in a third-party library

A user of mod_proxy_html reported serious performance problems when parsing an 8Mb HTML file. He had profiled the problem, and found the entire processing time was in the final call to htmlParseChunk in libxml2.

I investigated this by inserting mod_diagnostics before and after mod_proxy_html, and running it with the largest HTML document I had available (the MySQL manual, about 2.6Mb). I was able to confirm that nothing was passed down the chain until the final call, so not only was it slow, but it had also broken Apache pipelining.

To refine the diagnosis, I added a flush in each call to the filter in mod_proxy_html. Now mod_diagnostics showed a small amount of data (under 1Kb) coming through in the first call to the filter, but nothing else until the end. Further investigation showed that the data stopped coming when the first HTML comment was encountered in the source.

At this point I ran it under gdb, looking for the comment handling. I found that it was failing to find the end of the comment. The problem was resolved only in the last call to htmlParseChunk, which didnt go through the buggy code. I disabled the buggy code, and found it was now working correctly, with approximately the same amount of input and output data in each call to the mod_proxy_html filter - so pipelining was now fixed. My correspondent reported total processing Time for his 8Mb file reduced from 30 minutes to 9 seconds (on five-year-old hardware).

The bug was reported to the libxml team, who have now fixed it.

Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
The architecture forms an environment where existing forensic tools and libraries can be easily plugged into the architecture and can thus be made part of the recursive extraction of data and metadata from digital evidence.
The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and covers hundreds of evidence items.
Enhancements:
- This release fixes a memory leak in the evidence library and adds a workaround to limit the impact of a memory-hungry indexer module.

Regression mAKEr project is a simple modular application for data investigation.

This is an application to help user (mathematician) to make regression between series of data, draw grpahics, and export them into various formats by means of common graphics packages (i.e., gnuplot, plotutils). It is written in Python.

The user interfeace is built upon the wxPython (wxWindows) widget set.

The idea of usage is as follows: the user builds a project which is represented as a tree of modules; modules can generate data variables, as well as consume them. Essentialy, such a tree represents an algorithm of data analysis.

The system is intended to educate students.

FIRST DiskImager is an advanced, full-featured GUI disk image acquisition tool.

It was designed for forensic disk image inspection. Developed using C++ and QT. This is our 1st attempt to create an acquisition software to meet the NIST standards.

******** WARNING !!! USE THIS SOFTWARE AT YOUR OWN RISK!!! **************

Ive tested and used the software and it works for me, but there is no guarantee that it will work for you. You can very easily DESTROY DATA IRRECOVERABLY by using this software. Do not even attempt using this software unless you are VERY FAMILIAR with the process of imaging hard drives and other media. While this program is intended to make the imaging
process more convenient, it cannot THINK for you. If you mix up the source and destination targets and accidentally overwrite the original evidence, there is nothing I (or anyone else) can do for you.

DO NOT USE THIS SOFTWARE FOR ACTUAL PRODUCTION OR CASE WORK UNTIL YOU HAVE THOUROUGHLY TESTED IT AND HAVE SATISFIED YOURSELF THAT IT DOES WHAT YOU WANT IT TO DO. I WILL NOT BE RESPONSIBLE FOR UNEXPECTED RESULTS OBTAINED FROM THE USE OF THIS SOFTWARE WHETHER THEY ARE THE RESULT OF PROGRAM BUGS, USER ERROR, HARDWARE FAILURES, OR ACTS OF GOD. AGAIN, IF YOU USE THIS SOFTWARE YOU DO SO AT YOUR OWN RISK AND ASSUME ALL RESPONSIBILITY FOR THE RESULTS.
***************************************************************************

Operator is a complete Linux (Debian) distribution that runs from a single bootable CD and runs entirely in RAM.
The Operator contains an extensive set of Open Source network security tools that can be used for monitoring and discovering networks.
This virtually can turn any PC into a network security pen-testing device without having to install any software. Operator also contains a set of computer forensic and data recovery tools that can be used to assist you in data retrieval on the local system.
Starting with the 3.3 version of Operator, we have started completely from scratch by installing a basic Debian installation then adding the KNOPPIX functionality afterwards. This allowed us to have more control and understanding of what is on the CD.
Main features:
- Debian based Linux Installation
- Linux-Kernel 2.4.31
- KDE V3.3.2-1
- wine Windows Emulator (Binary Emulator)
- Konqueror and Mozilla Firebird Web Browsers
- Koffice which includes korganizer, kword, kspread and more
- X Multimedia System (xmms) an MPEG-video, MP3
- Internet connection software kppp,pppoeconf (DSL)
- utilities for data recovery and system repairs, even for other operating systems
- network and security analysis tools for network administrators
- many programming languages, development tools
- in total more than 900 installed software packages with over 2000 executable user programs and utilities
- 100+ Unix/Windows Exploits and Tools ready to run
Enhancements:
- Modified wireless_select to use /proc/net/dev instead of /proc/net/wireless. Some cards were not showing up after they were reinserted like orinoco.
- Added package aim_1.5.286 AOL Instant Messenger
- Stripped down locales to use en_, de_, es_ only
- upgraded hydra-4.6 to hydra-4.7
- Added BusLogic driver to the kernel so that vmware would not panic when booting after an HD install.
- Updated Metasploit framework from 2.3 to 2.4
- reinstalled libnet1-dev
- fixed captive-ntfs
- Added new Exploits:
- HOD-ms05039-pnp-expl - (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
- HOD-kerio-firewall-DoS-expl - Kerio Personal Firewall Multiple IP Options Denial of Service
- HOD-ms04031-netdde-expl - Microsoft Windows NetDDE Remote Buffer Overflow Exploit
- HOD-ms04032-emf-expl - Microsoft Windows Metafile (.emf) Heap Overflow Exploit
- HOD-ms05002-ani-expl - Internet Explorer .ANI files handling Universal Exploit
- HOD-ms05017-msmq-expl - Message Queuing Buffer Overflow Universal Exploit
- DSR-cpanel - POC for Cpanel 5 and below
- cpanel-9x_RCE - POC for Cpanel 9 and below
- DSR-nethack - local exploit for Nethack 3.4.0
- phpLDAPadmin - phpLDAPadmin 0.9.6 - 0.9.7 Remote command Execution
- phpbb.php - phpBB 2.0.10 Remote command Execution
- HP_OV_NNM_RCE - HP OpenView Network Node Manager 6.2, 6.4, 7.01, 7.50 Remote Command Execution
- Added new Tools:
- zebra 0.94 - Tool that manages TCP/IP based routing protocols
- voipong 1.2 dev - VoIP call detector and voice dumper VoIPong is a utility which detects all Voice Over IP calls on a pipeline, and for those which are G711 encoded, dumps actual conversation to seperate wave files. It supports SIP, H323, Ciscos Skinny Client Protocol, RTP and RTCP.
- Upgraded yersinia v0.5.3 to v0.5.6 - Framework for performing layer 2 attacks
- ike-scan v1.2 - Discover and fingerprint IKE hosts (IPsec VPN Servers)

Faerion IRC Server project consists of an advanced, secure, multi-lingual IRC server for Unix/Win32.
Faerion is a Unicode-based IRC server. It features enhanced support and transparent conversion for different charsets, and provides a stealth network model, persistent channels, compressed links, etc.
Main features:
- Support for transparent, user-controlled charset translation (virtually) from anything to anything. This is done by using Unicode mappings, which can be installed or removed on the fly, without having to interrupt the server. The server supports a special "fallback" conversion table which maps all characters that are not supported by a users preferred charset to the closest looking characters. This process is typically referred to as "transliteration" and is widely used on Russian IRC networks to avoid problems with incompatible charsets. The difference is that with Faerion, the server takes all necessary investigation to see what should be transliterated, and what can be passed without changes.
- Clients that have native support for Unicode (UTF-8), will benefit from using it at full scale without the implication of "cryptic writings" (which raw UTF-8 is for a typical human eye).
- Support for "persistent channels": channels registered with the Channel Service (mode +r) are not deleted when the last user leaves. This slightly saves bandwidth and helps mitigate several privacy issues (such as channel key revelation).
- Support for channel forwarding based on user address matching rules: with channel mode +f enabled, all ban masks can have a ",#channel" suffix appended to them to forward clients to another channel instead of declining the attempt to join the channel.
- Limited portability. The server is currently available for most POSIX platforms (modern BSD and Linux variants) and Microsoft Windows.
Enhancements:
- The LIST command now requires users with unregistered nicknames to additionally specify a pseudo random number to prove their human nature, otherwise the command is ignored.
- Opers no longer need an O-line to use any command; remotely set +o works just fine.
- Fixed the charset conversion problem when a user gets registered on the server.
- Invite list no longer overrides ban list.
- Fixed a crash in WHOIS.
- Fixed to compile without warnings in -Werror mode with GCC 3+.
- Fixed the +c channel mode to disallow colors instead of stripping them.Also, when a topic is being changed by a nonop on a +c-t channel to something that contains colors, the attempt is denied.

SimSoup is a graphical Artificial Chemistry simulator for Linux and Windows.
The program enables a Chemistry to be defined in terms of Molecule Types and the possible Interactions between them. A simulation run involves setting up a number of Molecules of various Molecule Types in a Reactor, and then allowing Interactions to take place over a period of time. Interactions taking place in the Reactor are shown on a graphical display.
The motivation for development of the program is to enable investigations into the behaviour of networks, particularly in relation to metabolism first theories of the origin of life, although the basic design of SimSoup supports modelling of any network in which interactions can take place between nodes.
Currently, SimSoup development has reached prototype stage.
Enhancements:
- A Chemistry including Molecule Types and Interaction Types
- A Reactor in which Interactions take place between Molecules
- Graphical views of the Chemistry and Reactor. Interactions taking place in the Reactor are displayed in real time
- Display of Simulation Statistics in real time. Statistics can be displayed in two formats:-
- Data Series Plots: These show the real-time behaviour of a range of variables that are monitored as the simulation runs. The Data Series to be displayed are selectable from a list
- Manhattan Plot: This shows the amount of variability in the composition of the material in the Reactor.
- Simulation Control facilities, including the ability to use Predefined Scenarios to control the operation of the simulation, and a facility enabling Action Requests to be setup to customise Predefined Scenarios or create user defined scenarios.
- A (partly hidden) System Monitor screen - mainly for diagnostic purposes
SimSoup has an object oriented design.The main benefit of this is that it allows concepts such as Molecule and Interaction Type to be represented as self contained units in the program. This makes understanding the code easier, and therefore improves maintainability of the code.
I use techniques such as inheritance and polymorphism sparingly, but they are used in the case of the Interaction Types listed above. All eight Interaction Types are variants derived from a base Interaction class. As a result of this approach, implementation of the six Interaction Types not yet completed should be relatively straightforward.
SimSoup is a cross platform C++ program for Linux and Windows. It has been compiled and linked using the Borland products Kylix 3 Open Edition (Linux) and C++ Builder 6 Personal (Windows). The KDE product KDevelop has been used for code navigation and editing. The code makes considerable use of the C++ Standard Template Library (STL). I believe that the benefits of using this library more than justify the effort required to learn the STL basics.
This source code distribution includes the Kylix code only. The cross platform code enables SimSoup to be compiled and linked using both Kylix and C++ Builder. If possible, a future distribution will include the cross platform code enabling out of the box compilation using C++ Builder on Windows as well as Kylix.
The user interface is relatively basic, but I have tried to make it as intuitive as possible. Its worth looking at Help | Quick Start for notes on editing Interaction Types in the Chemistry view.
Installation
Your system needs to have X installed. SimSoup runs on both KDE and Gnome, but also runs fine on lighter window managers such as WindowMaker.
Extract from the file SimSoup-0.1-i386-pc-linux-tar.gz to a directory of your choice. Now copy the file libborqt-6.9.0-qt2.3.so to a library directory on your system. On SuSE 8.1 the directory /usr/lib can be used.
If for some reason the above does not work, or you want to try SimSoup without copying the file to a system directory, then you can get started by copying the file libborqt-6.9.0-qt2.3.so to any directory of your choice (eg /home/chris/libs) and then typing the following at a bash prompt
LD_LIBRARY_PATH=/home/chris/libs
export LD_LIBRARY_PATH
You can now run SimSoup. Using the -ns command line option (./SimSoup -ns) will run the program without the startup message.