This wiki was updated to MediaWiki 1.37. If you notice any issues, please report them to admin[at]

Portal:Digital forensics and incident response

Jump to: navigation, search
Icon-trash.png This article is being considered for deletion!

All related pages are marked for deletion. Project is abandoned..

Please do not blank, merge, or move this article, or remove this notice. Refer to this article's discussion page and our deletion policy for more information.

Welcome to the DFIR (Digital Forensics / Incident Response) Portal edit

The DFIR community is growing and rapidly adding opensource tools.

openSUSE 12.2 and newer offer a number of openSUSE DFIR tools. Please join the team of developers, packagers, and testers working to add tools to future releases.

There are a number of opensource digital forensic tools available. An organized list can be found at

The following tools are currently available in the openSUSE security project for the DFIR community's testing and use:

Libraries / Modules

  • afflib - Library/Tool to create "open" forensic images
  • libewf - Library/Tool to create EnCase forensic images
  • distorm3 - A library for disassembling x86 code
  • libfuzzy - A piecewise hashing library


  • dc3dd - Tool for creating "dd" forensic images -
  • ewftools - Applications to create/verify EnCase forensic images
  • afflib-tools - Applications to create/verify AFF forensic images
  • exiftool - significantly upgraded for 12.2 a tool to extract and update metadata in user files / photo files.
  • sleuthkit - a well known collection of computer forensic command line tools
  • mac-robber - a app to output Modified, Accessed, Created dates
  • bulk_extractor - Tool to scan forensic images and pull out patterns like urls
  • fiwalk - Tool to catalog files within a forensic image
  • log2timeline - App to create integrated timelines from multiple sources
  • yara - A tool for classifying malware
  • volatility - A tool for volatile memory analysys
  • aimage - Tool for creating aff images
  • analyzeMFT
  • ext4magic - a ext4 file recovery tool
  • ssdeep - a program for computing context triggered piecewise hashes

Already in openSUSE 12.1

There are a number of traditional linux tools which are useful for DFIR practitioners.

Even seemingly specialized tools like wireshark are readily available in most linux distros including openSUSE.

New to openSUSE 12.1 was sleuthkit.

Imaging Tools

Tool 11.4 12.1 12.2 factory other comment General Remarks
adepto N/A N/A N/A N/A N/A adepto is included in the helix boot cd
aimage N/A N/A N/A N/A security/3.2.5 a imaging tool to create aff format images aimage has been EOL'ed. guymager or ftkimager (windows/mac) are recommended for creating aff images.
AIR N/A N/A N/A N/A N/A Automated Image and Restore a GUI front-end to dd and dc3dd designed for easily creating forensic bit images
dc3dd N/A N/A 7.1.614 7.1.614 security/7.1.614 DoD Cyber Crime Center DD This tool was formerly known as dcfldd. When released as dc3dd it was totally rewritten.
ddrescue ? 1.14 1.14? 1.14? ? Also known as GNU ddrescue This tool is different than dd_rescue.
dd_rescue N/A N/A N/A N/A N/A This tool is different than GNU ddrescue.
ewfacquire N/A N/A 20100226 20120813 security a imaging tool to create ewf format images ewfacquire is part of ewftools in some distributions.
IXimager N/A N/A N/A N/A N/A A law enforcement only imager used in conjunction with ILook Investigator
LinEn N/A N/A N/A N/A N/A a proprietary imaging tool to create ewf format images included on the Helix boot CD
guymager N/A N/A N/A N/A N/A a imaging tool to create aff format images Guymager is an open source forensic imager. It focuses on user friendliness and high speed.
rdd N/A N/A N/A N/A N/A a dd-like tool, with forensic imaging features Rdd is robust with respect to read errors
sdd N/A N/A N/A N/A Archiving:Backup/1.52 a dd-like tool Designed to work well when IBS != OBS. Working with tape is an example.

Topics edit

Installing the DFIR packages

The DFIR packages currently live in the openSUSE security repo, A hopefully functional set of packages is in openSUSE 12.2. If you are using openSUSE 12.2 you can skip the repository setup in most cases.

sleuthkit is in the main openSUSE 12.1 repo, but that version does not have libewf or afflib support. If that version of sleuthkit is all you need, you can also skip the below repostory setup steps:

Setting up your repositories

For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured. If you are using openSUSE 12.2 and want to ensure you have the latest packaged version of the tools, you will also need to setup the following repositories. If you are a openSUSE 12.2 log2timeline user, then it is highly recommended you add both the security and devel:languages:perl repositories to get the latest bug fixes.

  • security
  • devel:languages:perl
  • devel:languages:python

This is most easily done from the command line via (assumes openSUSE 12.1):

sudo zypper ar -f security
sudo zypper ar -f perl
sudo zypper ar -f python

zypper lr               # used to verify you have the repos installed

Installing the packages

Once you have the repos setup like the above, you can install the DFIR packages just like you would any other openSUSE packages.

For those that prefer the command line, any of the below commands should work.

sudo zypper in ewftools
sudo zypper in afflib-tools
sudo zypper in exiftool
sudo zypper in sleuthkit
sudo zypper in mac-robber
sudo zypper in dc3dd
sudo zypper in bulk_extractor
sudo zypper in fiwalk
sudo zypper in log2timeline 
sudo zypper in yara
sudo zypper in volatility
sudo zypper in analyzeMFT
sudo zypper in ssdeep

The packages are built with dependency logic, so you only need to run the above commands for tools you want to use. If they require any of the other packages, they will automatically be installed.

For instance, volatility requires yara, python-yara, and distorm3, so when you install volatility, you will be prompted if you want to install those required packages as well.

Things to do edit

Released DFIR packages

  • In openSUSE 12.1
    • Computer Forensic tools
      • exiftool v8.40 - This version has limited file type support
      • photorec v6.12
      • sleuthkit v3.2.3 - This version does not have ewf and aff support compiled in
      • mac-robber v1.02
      • udftools v1.0.0b3
      • md5deep v3.9.2
      • dd_rescue v1.24
    • Network Forensic Tools
      • argus v3.0.0
      • bing v1.0.5
      • fping v2.4b2
      • hping v3-20051105
      • icmpinfo v1.11
      • iptraf v1.0.2
      • iputils s20101006
      • kismet 2011-03-R2
      • netcat-openbsd v1.89
      • ncat v5.61
      • nmap v5.61
      • ssldump v0.9b3
      • socat v1.7.1.3
      • tcpdump v4.1.1
      • wavemon v0.6.10
      • wireshark v1.4.6 (updated to v1.8.6 by a security update)
      • zenmap v5.61
    • Secure Wiping Tools (These do NOT address journals, snapshots, freespace, SSDs. They are all very common, does any tool address them? Do we need a wiki page for this?)
      • wipe v2.3.1
      • shred (as included in coreutils v8.14)
  • In 12.2
    • Computer Forensic tools
      • analyseMFT v1.7 -
      • afflib v3.7.0 - (v3.7.1 released, minor fix)
      • bulk_extractor v1.2.0
      • dc3dd v7.1.0 -
      • distorm3 - named python-distorm3
      • ext4magic v0.3.0 -
      • ewftools - virtual version 0.0.0+20100226, seg. faulted once when -E arg not provided.
      • exiftool v8.65 - supports significantly more user file / photo file types.
      • fiwalk - 0.6.16
      • libewf - virtual version 0.0.0+20100226, since it seems not to have versions
      • md5deep v4.0.1
      • python-fuse v0.2.1
      • sleuthkit v3.2.3 - with ewf and aff support compiled in
    • Network Forensic Tools
      • ncat v6.01
      • nmap v6.01
      • socat v1.7.2
      • wireshark v1.6.5 (updated to v1.8.6 by a security update)
  • In 12.3
      • ssdeep v2.7 - (v2.9 has been released)
      • tcpflow v1.3.0 - records tcp/ip traffic organized by sockets
      • httrack
      • scalpel v2.0 (File Carving) -
      • libewf-20120813 (soname 2, so this is a API change)
      • sleuthkit v4.0.0 - uses libewf2 api
      • exiftool v9.01 - version upgrade, lots of refinements, but no drastic improvements
      • ext3grep v0.10.2 - a file recovery tool for ext3
      • perl-Parse-Win32Registry v1.0 - a major update - used for timeline generation
      • log2timeline - v0.65 - Addressed license issues. (Major success getting this in. It had lots of dependencies and license issues to resolve.)
    • Secure Wiping Tools
      • srm v1.2.11

Factory and devel project status

The DFIR project is using the security repo as its devel repo.

To test many of these tools you need some sample data. One list of resources for sample data can be found at

All new packages should be initially created in a home project, then submitted to the security project / repo. For now, only none DFIR team members will accept new packages into the security repo.

Once a package has been built and tested in the security repo, it should be submitted to factory for inclusion in the next openSUSE release (12.2 currently)

  • In factory for 13.1 inclusion
    • libewf-20130128 (soname 2, so this is a API change)
    • sleuthkit v4.0.2 - uses libewf2 api
    • exiftool v9.13
    • pfftools (A Joachim Metz tool)
    • ewftools-20130331
    • vshadowtools (A Joachim Metz tool)
    • evttools (A Joachim Metz tool)
    • evtxtools (A Joachim Metz tool)
    • lnktools (A Joachim Metz tool)
    • msiecftools (A Joachim Metz tool)
    • regftools (A Joachim Metz tool)
    • bulk_extractor 1.3.1 (package works with sleuthkit v4)
  • Submitted to factory
    • Computer Forensic tools
      • logsurfer v1.8 (rejected due to license issue. New tarball release promised by upstream.)
  • Pending - currently in security for testing
    • Computer Forensic tools
      • plaso v1.0.0 - This is still alpha, but it is going to be a major tool
      • yara v1.4 - needs testing - newer versions available - do they work with volatility?
      • volatility v2.0 -
      • Foremost - a data carver - tested to work, but has a copyrighted file that is not licensed
      • python-pefile - a python module for analysing PE files. Typically used for malware analysis.
    • In security, but won't be pushed to factory
      • aimage - (has been EOL'ed, use ftkimager or guymager instead)
      • secure-delete v3.1 (from 2002, why is it still relevant?)
    • Network Forensic Tools
      • amap v5.2 - A application port mapper
      • scapy v2.1.1
  • currently in network:utilities for testing
      • darkstat v3.0.712 (3.0.714 is available)
      • dsniff v2.4b1 (this is 10 years old, but is still referenced in current books.)
      • httping v1.5.2 (this is current)
  • Under evaluation
    • scanny (Ruby Security Auditing tool, a GSOC project, not in OBS Jan 2013)
    • xprobe2 (OS fingerprinting tool, in home project)
    • guymager - new tarball provided by upstream - doesn't currently link
    • air-imager - a dcfldd GUI - test package not yet started
    • ddrescue (in addition to dd_rescue) - test package not yet started
    • - not started yet
    • metasploit
    • cryptcat (No package yet, see socat in the release)
    • sqlmap (A SQL server auditing tool / pen tester - in home project)
    • suricata
    • PyFLAG (GUI Log/Disk Examination) - initial build working for 32-bit, but this tool appears obsolete
  • Other Joachim Metz packages worth consideration
    • libesedb; Extensible Storage Engine (ESE) Database File (EDB) format
    • libexe; PE/COFF Executable (EXE) format and Resources
    • libnk2; Microsoft Outlook Nickfile (NK2) format
    • libnsfdb; Notes Storage Facility (NSF) database file format
    • libolecf; OLE 2 Compound File (OLECF) format
    • libwtcdb; Windows (Vista/7) Explorer thumbnail cache database format (thumbcache.db) (at the moment documentation only)
  • Pen Testing Tools (These "may" violate German law against malware/hacking tools)
    • Back Oriface -Win98/XP remote control- rejected,
    • NetBus - Back Oriface predecessor, but works on XP/2000 - rejected
    • SubSeven v2.3 released 2010 - similar to NetBus, but works with Win7
    • hacker defender - a simple windows rootkit - rejected
    • burp suite - a suite of tools to audit webserver apps (Commercial license - rejected)
  • Under consideration

Navigation edit

Category DFIR not found