Portal:Digital forensics and incident response/Intro
The DFIR community is growing and rapidly adding open source tools.
openSUSE 12.2 and newer offer a number of openSUSE DFIR tools. Please join the team of developers, packagers, and testers working to add tools to future releases.
There are a number of open source digital forensic tools available. An organized list can be found at http://www2.opensourceforensics.org
The following tools are currently available in the openSUSE security project for the DFIR community's testing and use:
Libraries / Modules
- afflib - Library/Tool to create "open" forensic images
- libewf - Library/Tool to create EnCase forensic images
- distorm3 - A library for disassembling x86 code
- libfuzzy - A piecewise hashing library
Applications
- dc3dd - Tool for creating "dd" forensic images
- ewftools - Applications to create/verify EnCase forensic images
- afflib-tools - Applications to create/verify AFF forensic images
- exiftool - a tool to extract and update metadata in user files / photo files; significantly upgraded for 12.2
- sleuthkit - a well known collection of computer forensic command line tools
- mac-robber - an app to output Modified, Accessed, Created dates
- bulk_extractor - Tool to scan forensic images and pull out patterns like URLs
- fiwalk - Tool to catalog files within a forensic image
- log2timeline - App to create integrated timelines from multiple sources
- yara - A tool for classifying malware
- volatility - A tool for volatile memory analysis
- aimage - Tool for creating AFF images
- analyzeMFT
- ext4magic - an ext4 file recovery tool
- ssdeep - a program for computing context triggered piecewise hashes
Already in openSUSE 12.1
There are a number of traditional Linux tools which are useful for DFIR practitioners.
Even seemingly specialized tools like Wireshark are readily available in most Linux distros, including openSUSE.
New to openSUSE 12.1 was sleuthkit.
Imaging Tools
Tool | 11.4 | 12.1 | 12.2 | factory | other | comment | General Remarks |
adepto | N/A | N/A | N/A | N/A | N/A | adepto is included in the Helix boot CD | |
aimage | N/A | N/A | N/A | N/A | security/3.2.5 | an imaging tool to create AFF format images | aimage has been EOL'ed. guymager or ftkimager (Windows/Mac) are recommended for creating AFF images. |
AIR | N/A | N/A | N/A | N/A | N/A | Automated Image and Restore | a GUI front-end to dd and dc3dd designed for easily creating forensic bit images |
dc3dd | N/A | N/A | 7.1.614 | 7.1.614 | security/7.1.614 | DoD Cyber Crime Center DD | This tool was formerly known as dcfldd. When released as dc3dd it was totally rewritten. |
ddrescue | ? | 1.14 | 1.14? | 1.14? | ? | Also known as GNU ddrescue | This tool is different than dd_rescue. |
dd_rescue | N/A | N/A | N/A | N/A | N/A | This tool is different than GNU ddrescue. | |
ewfacquire | N/A | N/A | 20100226 | 20120813 | security | an imaging tool to create EWF format images | ewfacquire is part of ewftools in some distributions. |
IXimager | N/A | N/A | N/A | N/A | N/A | A law enforcement only imager | used in conjunction with ILook Investigator |
LinEn | N/A | N/A | N/A | N/A | N/A | a proprietary imaging tool to create EWF format images | included on the Helix boot CD |
guymager | N/A | N/A | N/A | N/A | N/A | an imaging tool to create AFF format images | Guymager is an open source forensic imager. It focuses on user friendliness and high speed. |
rdd | N/A | N/A | N/A | N/A | N/A | a dd-like tool, with forensic imaging features | Rdd is robust with respect to read errors |
sdd | N/A | N/A | N/A | N/A | Archiving:Backup/1.52 | a dd-like tool | Designed to work well when IBS != OBS. Working with tape is an example. |