Portal:Digital forensics and incident response/TODO

Released DFIR packages

  • In openSUSE 12.1
    • Computer Forensic tools
      • exiftool v8.40 - This version has limited file type support
      • photorec v6.12
      • sleuthkit v3.2.3 - This version does not have ewf and aff support compiled in
      • mac-robber v1.02
      • udftools v1.0.0b3
      • md5deep v3.9.2
      • dd_rescue v1.24
    • Network Forensic Tools
      • argus v3.0.0
      • bing v1.0.5
      • fping v2.4b2
      • hping v3-20051105
      • icmpinfo v1.11
      • iptraf v1.0.2
      • iputils s20101006
      • kismet 2011-03-R2
      • netcat-openbsd v1.89
      • ncat v5.61
      • nmap v5.61
      • ssldump v0.9b3
      • socat v1.7.1.3
      • tcpdump v4.1.1
      • wavemon v0.6.10
      • wireshark v1.4.6 (updated to v1.8.6 by a security update)
      • zenmap v5.61
    • Secure Wiping Tools (These do NOT address journals, snapshots, free space or SSDs. These cases are all very common; does any tool address them? Do we need a wiki page for this?)
      • wipe v2.3.1
      • shred (as included in coreutils v8.14)
  • In 12.2
    • Computer Forensic tools
      • analyseMFT v1.7
      • afflib v3.7.0 - (v3.7.1 released, minor fix)
      • bulk_extractor v1.2.0
      • dc3dd v7.1.0
      • distorm3 - named python-distorm3
      • ext4magic v0.3.0
      • ewftools - virtual version 0.0.0+20100226, segfaulted once when the -E argument was not provided.
      • exiftool v8.65 - supports significantly more user file / photo file types.
      • fiwalk - 0.6.16
      • libewf - virtual version 0.0.0+20100226, since it seems not to have versions
      • md5deep v4.0.1
      • python-fuse v0.2.1
      • sleuthkit v3.2.3 - with ewf and aff support compiled in
    • Network Forensic Tools
      • ncat v6.01
      • nmap v6.01
      • socat v1.7.2
      • wireshark v1.6.5 (updated to v1.8.6 by a security update)
  • In 12.3
      • ssdeep v2.7 - (v2.9 has been released)
      • tcpflow v1.3.0 - records TCP/IP traffic organised by socket
      • httrack
      • scalpel v2.0 (File Carving)
      • libewf-20120813 (soname 2, so this is an API change)
      • sleuthkit v4.0.0 - uses libewf2 api
      • exiftool v9.01 - version upgrade, lots of refinements, but no drastic improvements
      • ext3grep v0.10.2 - a file recovery tool for ext3
      • perl-Parse-Win32Registry v1.0 - a major update - used for timeline generation
      • log2timeline - v0.65 - Addressed license issues. (Major success getting this in. It had lots of dependencies and license issues to resolve.)
    • Secure Wiping Tools
      • srm v1.2.11

Factory and devel project status

The DFIR project is using the security repo as its devel repo.

To test many of these tools you need some sample data. One list of resources for sample data can be found at http://www2.opensourceforensics.org/tools/test-images

All new packages should be initially created in a home project, then submitted to the security project / repo. For now, only non-DFIR team members will accept new packages into the security repo.

Once a package has been built and tested in the security repo, it should be submitted to factory for inclusion in the next openSUSE release (12.2 currently).

  • In factory for 13.1 inclusion
    • libewf-20130128 (soname 2, so this is an API change)
    • sleuthkit v4.0.2 - uses libewf2 api
    • exiftool v9.13
    • pfftools (A Joachim Metz tool)
    • ewftools-20130331
    • vshadowtools (A Joachim Metz tool)
    • evttools (A Joachim Metz tool)
    • evtxtools (A Joachim Metz tool)
    • lnktools (A Joachim Metz tool)
    • msiecftools (A Joachim Metz tool)
    • regftools (A Joachim Metz tool)
    • bulk_extractor 1.3.1 (package works with sleuthkit v4)
  • Submitted to factory
    • Computer Forensic tools
      • logsurfer v1.8 (rejected due to license issue. New tarball release promised by upstream.)
  • Pending - currently in security for testing
    • Computer Forensic tools
      • plaso v1.0.0 - This is still alpha, but it is going to be a major tool
      • yara v1.4 - needs testing - newer versions available - do they work with volatility?
      • volatility v2.0
      • Foremost - a data carver - tested to work, but has a copyrighted file that is not licensed
      • python-pefile - a python module for analysing PE files. Typically used for malware analysis.
    • In security, but won't be pushed to factory
      • aimage - (has been EOL'ed, use ftkimager or guymager instead)
      • secure-delete v3.1 (from 2002, why is it still relevant?)
    • Network Forensic Tools
      • amap v5.2 - An application port mapper
      • scapy v2.1.1
  • currently in network:utilities for testing
      • darkstat v3.0.712 (3.0.714 is available)
      • dsniff v2.4b1 (this is 10 years old, but is still referenced in current books.)
      • httping v1.5.2 (this is current)
  • Under evaluation
    • scanny (Ruby Security Auditing tool, a GSOC project, not in OBS Jan 2013)
    • xprobe2 (OS fingerprinting tool, in home project)
    • guymager - new tarball provided by upstream - doesn't currently link
    • air-imager - a dcfldd GUI - test package not yet started
    • ddrescue (in addition to dd_rescue) - test package not yet started
    • shellbags.py - not started yet
    • metasploit
    • cryptcat (No package yet, see socat in the release)
    • sqlmap (A SQL server auditing tool / pen tester - in home project)
    • suricata
    • PyFLAG (GUI Log/Disk Examination) - initial build working for 32-bit, but this tool appears obsolete
  • Other Joachim Metz packages worth consideration
    • libesedb; Extensible Storage Engine (ESE) Database File (EDB) format
    • libexe; PE/COFF Executable (EXE) format and Resources
    • libnk2; Microsoft Outlook Nickfile (NK2) format
    • libnsfdb; Notes Storage Facility (NSF) database file format
    • libolecf; OLE 2 Compound File (OLECF) format
    • libwtcdb; Windows (Vista/7) Explorer thumbnail cache database format (thumbcache.db) (at the moment documentation only)
  • Pen Testing Tools (These "may" violate German law against malware/hacking tools)
    • Back Orifice (Win98/XP remote control) - rejected
    • NetBus - Back Orifice predecessor, but works on XP/2000 - rejected
    • SubSeven v2.3, released 2010 - similar to NetBus, but works with Win7
    • Hacker Defender - a simple Windows rootkit - rejected
    • Burp Suite - a suite of tools to audit web server applications (commercial license - rejected)
  • Under consideration