iSniff GPS passively sniffs for SSID probes, ARPs and MDNS (Bonjour) packets broadcast by nearby iPhones, iPads and other wireless devices. The aim is to collect data which can be used to identify each device and determine previous geographical locations, based solely on information each device discloses about previously joined WiFi networks.

iOS devices transmit ARPs which sometimes contain MAC addresses (BSSIDs) of previously joined WiFi networks, as described in [1]. iSniff GPS captures these ARPs and submits MAC addresses to Apple's WiFi location service (masquerading as an iOS device) to obtain GPS coordinates for a given BSSID. If only SSID probes have been captured for a particular device, iSniff GPS can query network names on and visualise possible locations.

By geo-locating multiple SSIDs and WiFi router MAC addresses, it is possible to determine where a device (and by implication its owner) is likely to have been.

iSniff GPS contains 2 major components and further python modules: uses Scapy to extract data from a live capture or pcap file and inserts it into a database (iSniff_GPS.sqlite3 by default).

A Django web application provides a browser-based interface to view and analyse the data collected. This includes views of all detected devices and the SSIDs / BSSIDs each has probed for, a view by network, Google Maps views for visualising possible locations of a given BSSID or SSID, and a pie chart view showing a breakdown of the most popular device manufacturers based on client MAC address Ethernet OUIs. provides a QueryBSSID() function which looks up a given BSSID (AP MAC address) on Apple's WiFi location service. It will return the coordinates of the MAC queried for and usually an additional 400 nearby BSSIDs and their coordinates.


..cantor.dust.. is an interactive binary visualization tool, a radical evolution of the traditional hex editor. By translating binary information to a visual abstraction, reverse engineers and forensic analysts can sift through mountains of arbitrary data in seconds. Even previously unseen instruction sets and data formats can be easily located and understood through their visual fingerprint. ..cantor.dust.. dramatically accelerates the analysis process, and, for the experienced user, forms an indispensable tool in the reverser's arsenal.


shellnoob is a toolkit to help you write shellcode.

convert shellcode between different formats and sources. Formats currently supported: asm, bin, hex, obj, exe, C, python, ruby, pretty, safeasm, completec, shellstorm. (All details in the "Formats description" section.)
interactive asm-to-opcode conversion (and viceversa) mode. This is useful when you cannot use specific bytes in the shellcode and you want to figure out if a specific assembly instruction will cause problems.
support for both ATT & Intel syntax. Check the --intel switch.
support for 32 and 64 bits (when playing on x86_64 machine). Check the --64 switch.
resolve syscall numbers, constants, and error numbers (now implemented for real! Smile).
portable and easily deployable (it only relies on gcc/as/objdump and python). And it just one self-contained python script!
in-place development: you run ShellNoob directly on the target architecture!
built-in support for Linux/x86, Linux/x86_64, Linux/ARM, FreeBSD/x86, FreeBSD/x86_64.
"*prepend breakpoint*" option. Check the -c switch.
read from stdin / write to stdout support (use "-" as filename)
uber cheap debugging: check the --to-strace and --to-gdb option!
Use ShellNoob as a Python module in your scripts! Check the "ShellNoob as a library" section.
Verbose mode shows the low-level steps of the conversion: useful to debug / understand / learn!
Extra plugins: binary patching made easy with the --file-patch, --vm-patch, --fork-nopper options! (all details below)


An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, that can match any modern forensic tool suite, is also featured in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many new capabilities and tools such as log2timeline that provides a timeline that can be of enormous value to investigators.


PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:

Execute code on a target machine.

Injects a Dll into the process ID of your choosing.

Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.

Injects shellcode into the process ID of your choosing or within PowerShell locally.

Execute shellcode within the context of the running PowerShell process without making any Win32 function calls.

Cause a blue screen to occur (Windows 7 and below).

Modify and/or prepare scripts for execution on a compromised machine.

Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

Encrypts text files/scripts.

Strips comments and extra whitespace from a script.

Add persistence capabilities to a PowerShell script

Configure user-level persistence options for the Add-Persistence function.

Configure elevated persistence options for the Add-Persistence function.

Add persistence capabilities to a script.

Parse/manipulate Windows portable executables.

An in-memory and on-disk PE parsing utility.

Displays information about one or more Windows object files.

Displays symbolic information from Windows lib files.



Collection of single use scripts written for windows forensics


A small Linux app that, when run, makes your machine appear to be anywhere you specify on the internet.


GPSD is a service daemon that handles GPSes and other navigation-related sensors reporting over USB, serial, TCP/IP, or UDP connections and presents reports in a well-documented JSON application on port 2749.


OpenPuff is a professional steganography tool: •HW seeded random number generator (CSPRNG)
•Deniable steganography
•Carrier chains (up to 256Mb of hidden data)
•Carrier bits selection level
•Modern multi-cryptography (16 algorithms)
•Multi-layered data obfuscation (3 passwords)
•X-squared steganalysis resistance

Unique layers of security and obfuscation: •256bit+256bit symmetric-key cryptography with KDF4 password extension
•256bit symmetric-key data scrambling (CSPRNG-based shuffling)
•Data whitening (CSPRNG-based noise mixing)
•Adaptive non-linear carrier bit encoding

Mobius Forensic Toolkit

Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.

Syndicate content