Free forensic software for linux

Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
The architecture forms an environment where existing forensic tools and libraries can be easily plugged into the architecture and can thus be made part of the recursive extraction of data and metadata from digital evidence.
The Open Computer Forensics Architecture aims to be highly modular, robust, fault tolerant, recursive and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and covers hundreds of evidence items.
Enhancements:
- This release fixes a memory leak in the evidence library and adds a workaround to limit the impact of a memory-hungry indexer module.

SIGOF (Security Information Graphics Oriented Forensic) has been developped as a complement of ACID or BASE project by implementing useful and detailed graphical presentation of security information/events.

SIGOF is a web-based project, written in PHP, and it can exploit any secuity information stored in a ACID/BASE database schema (for example, SIGOF can exploit OSSIM project events, because it is based on the acid/base schema).

SIGOF introduces another way to manage security forensic and analysis by providing statistical and security trend thanks to very customizable graphics generation.

This approach provide the capability to manage large amount of security events.

Operator is a complete Linux (Debian) distribution that runs from a single bootable CD and runs entirely in RAM.
The Operator contains an extensive set of Open Source network security tools that can be used for monitoring and discovering networks.
This virtually can turn any PC into a network security pen-testing device without having to install any software. Operator also contains a set of computer forensic and data recovery tools that can be used to assist you in data retrieval on the local system.
Starting with the 3.3 version of Operator, we have started completely from scratch by installing a basic Debian installation then adding the KNOPPIX functionality afterwards. This allowed us to have more control and understanding of what is on the CD.
Main features:
- Debian based Linux Installation
- Linux-Kernel 2.4.31
- KDE V3.3.2-1
- wine Windows Emulator (Binary Emulator)
- Konqueror and Mozilla Firebird Web Browsers
- Koffice which includes korganizer, kword, kspread and more
- X Multimedia System (xmms) an MPEG-video, MP3
- Internet connection software kppp,pppoeconf (DSL)
- utilities for data recovery and system repairs, even for other operating systems
- network and security analysis tools for network administrators
- many programming languages, development tools
- in total more than 900 installed software packages with over 2000 executable user programs and utilities
- 100+ Unix/Windows Exploits and Tools ready to run
Enhancements:
- Modified wireless_select to use /proc/net/dev instead of /proc/net/wireless. Some cards were not showing up after they were reinserted like orinoco.
- Added package aim_1.5.286 AOL Instant Messenger
- Stripped down locales to use en_, de_, es_ only
- upgraded hydra-4.6 to hydra-4.7
- Added BusLogic driver to the kernel so that vmware would not panic when booting after an HD install.
- Updated Metasploit framework from 2.3 to 2.4
- reinstalled libnet1-dev
- fixed captive-ntfs
- Added new Exploits:
- HOD-ms05039-pnp-expl - (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
- HOD-kerio-firewall-DoS-expl - Kerio Personal Firewall Multiple IP Options Denial of Service
- HOD-ms04031-netdde-expl - Microsoft Windows NetDDE Remote Buffer Overflow Exploit
- HOD-ms04032-emf-expl - Microsoft Windows Metafile (.emf) Heap Overflow Exploit
- HOD-ms05002-ani-expl - Internet Explorer .ANI files handling Universal Exploit
- HOD-ms05017-msmq-expl - Message Queuing Buffer Overflow Universal Exploit
- DSR-cpanel - POC for Cpanel 5 and below
- cpanel-9x_RCE - POC for Cpanel 9 and below
- DSR-nethack - local exploit for Nethack 3.4.0
- phpLDAPadmin - phpLDAPadmin 0.9.6 - 0.9.7 Remote command Execution
- phpbb.php - phpBB 2.0.10 Remote command Execution
- HP_OV_NNM_RCE - HP OpenView Network Node Manager 6.2, 6.4, 7.01, 7.50 Remote Command Execution
- Added new Tools:
- zebra 0.94 - Tool that manages TCP/IP based routing protocols
- voipong 1.2 dev - VoIP call detector and voice dumper VoIPong is a utility which detects all Voice Over IP calls on a pipeline, and for those which are G711 encoded, dumps actual conversation to seperate wave files. It supports SIP, H323, Ciscos Skinny Client Protocol, RTP and RTCP.
- Upgraded yersinia v0.5.3 to v0.5.6 - Framework for performing layer 2 attacks
- ike-scan v1.2 - Discover and fingerprint IKE hosts (IPsec VPN Servers)

FileSystem Investigator is a platform independent file system viewer and data extraction tool. It allows the user to:

* View the contents of the target file system in a forensicly safe manner, bypassing the normal operating system mechanisms.
* Extract files and whole directory trees of files from the source filesystem.

Since it is written in platform-neutral Java, it can be used to examine filesystems outside their native environment. For example, it can be used to view a Linux filesystem while running under Windows.

FileSystem Investigator directly accesses the source disk and processes the data using it own built in filesystem drivers. This ensures that it is safe to use FileSystem Investigator for forensic investigations.

FileSystem Investigator will never write to the source media thus important timestamps are preserved. FileSystem Investigator can also read disk-image files such as those created by dd.

Files and whole directory structures can be extracted easily from the source drive and stored for further use or analysis. Due to limitations imposed by Java, special files such as device nodes, pipes, sockets and links, cannot be extracted.

FIRST DiskImager is an advanced, full-featured GUI disk image acquisition tool.

It was designed for forensic disk image inspection. Developed using C++ and QT. This is our 1st attempt to create an acquisition software to meet the NIST standards.

******** WARNING !!! USE THIS SOFTWARE AT YOUR OWN RISK!!! **************

Ive tested and used the software and it works for me, but there is no guarantee that it will work for you. You can very easily DESTROY DATA IRRECOVERABLY by using this software. Do not even attempt using this software unless you are VERY FAMILIAR with the process of imaging hard drives and other media. While this program is intended to make the imaging
process more convenient, it cannot THINK for you. If you mix up the source and destination targets and accidentally overwrite the original evidence, there is nothing I (or anyone else) can do for you.

DO NOT USE THIS SOFTWARE FOR ACTUAL PRODUCTION OR CASE WORK UNTIL YOU HAVE THOUROUGHLY TESTED IT AND HAVE SATISFIED YOURSELF THAT IT DOES WHAT YOU WANT IT TO DO. I WILL NOT BE RESPONSIBLE FOR UNEXPECTED RESULTS OBTAINED FROM THE USE OF THIS SOFTWARE WHETHER THEY ARE THE RESULT OF PROGRAM BUGS, USER ERROR, HARDWARE FAILURES, OR ACTS OF GOD. AGAIN, IF YOU USE THIS SOFTWARE YOU DO SO AT YOUR OWN RISK AND ASSUME ALL RESPONSIBILITY FOR THE RESULTS.
***************************************************************************

Tvark is a network monitoring tool (sniffer) with a GUI front-end, and is tied to a MySQL database. Tvark is necessarily resource-intensive. It is a multithreaded, database utility for recording network traffic. As a consequence, it uses 100% of the CPU simply because of context-switching and packet handling. Additionally, using the database with Tvark on a high traffic network will generate a great deal of stored data quite rapidly, hence filtering options.
The database is set to record traffic based on the filtering options selected in the GUI. This will change in a future release so that database population will have its own filtering options without having to run the GUI.
What we are looking to provide is a forensic tool that meets two needs. First, an admin should be able to get a feel for traffic on the network by running the GUI, and be able to determine traffic of interest quickly and visually. Second, a simple database of traffic information allows us, and anyone else, to build forensic modules that display traffic information in a customized (and thereby useful) way.
Enhancements:
- Rename MIN/MAX to avoid name conflicts.
- Avoid creating mutex before pthread_create to make some libcs happy.

Wyd project is a password profiler.
In current IT security environments, files and services are often password protected. In certain situations it is required to get access to files and/or data even when they are protected and the password is unknown.
wyd.pl was born of those two of situations:
.A penetration test should be performed and the default wordlist does not contain a valid password
.During a forensic crime investigation a password protected file must be opened without knowing the the password.
The general idea is to personalize or profile the available data about a "target" person or system and generate a wordlist of possible passwords/passphrases out of the available information.
Instead of just using the command strings to extract all the printable characters out of all type of files, we wanted to eliminate as much false-positives as possible.
The goal was to exlude as much "unusable" data as possible to get an effective list of possible passwords/passphrases.
Supported file types:
- plain
- html
- php (partially, as html)
- doc
- pdf
- mp3
- ppt
- jpeg
- odt / ods / odp
Enhancements:
- New Plugins for: JPEG, ODT
- -n switch to disable modules-abort check
- Fixed bug in HTML which resulted in no words being extracted