Forensics

Pin - A Binary Instrumentation Tool

Overview

Pin is a dynamic binary instrumentation framework for the IA-32 and x86-64 instruction-set architectures that enables the creation of dynamic program analysis tools. Some tools built with Pin are VTune Amplifier XE, Inspector XE, Advisor XE and SDE. The tools created using Pin, called Pintools, can be used to perform program analysis on user space applications in Linux and Windows. Because Pin is a dynamic binary instrumentation tool, instrumentation is performed at run time on the compiled binary files. Thus, it requires no recompiling of source code and can support instrumenting programs that dynamically generate code.

Pin provides a rich API that abstracts away the underlying instruction-set idiosyncrasies and allows context information such as register contents to be passed to the injected code as parameters. Pin automatically saves and restores the registers that are overwritten by the injected code so the application continues to work. Limited access to symbol and debug information is available as well.

Pin was originally created as a tool for computer architecture analysis, but its flexible API and an active community (called "Pinheads") have created a diverse set of tools for security, emulation and parallel program analysis.

Distribution

Pin is proprietary software developed and supported by Intel and is supplied free of charge for non-commercial use. Pin includes the source code for a large number of example instrumentation tools like basic block profilers, cache simulators, instruction trace generators, etc. It is easy to derive new tools using the examples as a template.

FTimes

FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

FTimes is a lightweight tool in the sense that it doesn't need to be "installed" on a given system to work on that system, it is small enough to fit on a single floppy, and it provides only a command line interface.

Preserving records of all activity that occurs during a snapshot is important for intrusion analysis and evidence admissibility. For this reason, FTimes was designed to log four types of information: configuration settings, progress indicators, metrics, and errors. Output produced by FTimes is delimited text, and therefore, is easily assimilated by a wide variety of existing tools.

FTimes basically implements two general capabilities: file topography and string search. File topography is the process of mapping key attributes of directories and files on a given file system. String search is the process of digging through directories and files on a given file system while looking for a specific sequence of bytes. Respectively, these capabilities are referred to as map mode and dig mode.

FTimes supports two operating environments: workbench and client-server. In the workbench environment, the operator uses FTimes to do things such as examine evidence (e.g., a disk image or files from a compromised system), analyze snapshots for change, search for files that have specific attributes, verify file integrity, and so on. In the client-server environment, the focus shifts from what the operator can do locally to how the operator can efficiently monitor, manage, and aggregate snapshot data for many hosts. In the client-server environment, the primary goal is to move collected data from the host to a centralized system, known as an Integrity Server, in a secure and authenticated fashion.

pyflag

PyFlag has a rich feature list, which includes the ability to load many different log file formats and to perform forensic analysis of disks and images. PyFlag can also analyze network traffic as obtained via tcpdump quickly and efficiently. Since PyFlag is web based, it can be deployed on a central server and shared with a number of users at the same time. Data is loaded into cases, which keeps information separated.

bulk_extractor

bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.

MetaExtractor

Extract Internal Metadata from Microsoft Office and Adobe PDF Files

It’s no secret that many document types can contain metadata that can reveal a wealth of information. This data can reveal information about the history, usage, authors, and contributors of a document. This data can be a great source of information for your investigation. MetaExtractor can retrieve this information in bulk against thousands of documents in minutes.

Features:
New: Support for OpenOffice files
New: Support for parsing SolidWorks CAD Drawings
Native file parsing (does not require Office or Acrobat to be installed)
Support for Office 2003/2007/2010/2013 file formats
Support for Adobe PDF documents
Can recursively parse a folder (and subfolders) of files
Multi-Select individual files
Exports to CSV for easy analysis and reporting
GUI supports Date/Time sorting for quick review
Support for over 40 metadata fields
Requirements: Microsoft .NET Framework v4.0
Free for both personal and commercial use

Foremost

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file, or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery.

WebSiteSniffer

WebSiteSniffer is a packet sniffer tool that captures all Web site files downloaded by your Web browser while browsing the Internet, and stores them on your hard drive under the base folder that you choose. WebSiteSniffer allows you to choose which type of Web site files will be captured: HTML Files, Text Files, XML Files, CSS Files, Video/Audio Files, Images, Scripts, and Flash (.swf) files.

While capturing the Web site files, the main window of WebSiteSniffer displays general statistics about the downloaded files for every Web site / host name, including the total size of all files (compressed and uncompressed) and total number of files for every file type (HTML, Text, Images, and so on).

Free Hex Editor Neo

Free Hex Editor Neo is an award-winning freeware editor, optimized for large files, for everyone who works with ASCII, hex, decimal, float, double and binary data.

Freeware Hex Editor Neo allows you to view, modify, and analyze your hexadecimal data and binary files, edit, exchange data with other applications through the clipboard, insert new data and delete existing data, as well as perform other editing actions.

Make patches with just two mouse clicks; manipulate your EXE, DLL, DAT, AVI, MP3, JPG files with unlimited undo/redo. Taste the visual operation history with branching.

This hex and binary code data editing software utility for Windows includes the following basic functionality: Unlimited Undo/Redo; Find; Replace; Visual History Save and Load; Patch Creation; Clipboard Operations; Bytes, Words, Double Words, Quad Words, Floats and Doubles Edit Mode.

HxD

HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size.

The easy-to-use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.

Editing works like in a text editor, with a focus on simple and task-oriented operation; as such, functions were streamlined to hide differences that are purely technical.

For example, drives and memory are presented similarly to a file and are shown as a whole, in contrast to a sector/region-limited view that cuts off data which potentially belongs together. Drives and memory can be edited the same way as a regular file, including support for undo. In addition, memory sections define a foldable region, and inaccessible sections are hidden by default.

Operating System:
Windows 95, 98, ME, NT 4, 2000, XP, 2003, Vista, or 7

LastActivityView

LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events that occurred on this computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog-box, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...

System Requirements
This utility works on any version of Windows, starting from Windows 2000 and up to Windows 10. Both 32-bit and 64-bit systems are supported.

Known Limitations
This tool gathers information from various sources, including the Registry, the Windows event log, the Prefetch folder of Windows (C:\windows\Prefetch), the MiniDump folder of Windows (C:\Windows\Minidump), and more... The accuracy and the availability of the information displayed by LastActivityView might differ from one system to another. For example, if the user or a piece of software makes changes in the Registry, the action time displayed by LastActivityView might be wrong, because it's based on the modified time of some Registry keys. Also, for every type of action/event, there is some limitation according to the way that the information is saved in the system. For example, the 'Select file in open/save dialog-box' action is limited to one action for every file extension, so if the user opened 2 .doc files with the open/save dialog-box, only the last one will be displayed.
