Tuesday, March 6, 2012

Forensic Analysis Tools - Backtrack

bulk_extractor

bulk_extractor is a utility that scans many types of information storage (files, folders) and outputs the information it finds in them. What separates bulk_extractor from other similar tools is its speed: bulk_extractor does not parse the file system structures of its input, so it can scan faster and, as a result, more thoroughly. This tool writes what it finds into per-type feature files, such as ccn.txt (credit card numbers), email.txt (email addresses), exif.txt (EXIF data from media files), url (URLs found), and more.
Example usage: bulk_extractor -o [output directory] input
Note that the output directory must not already exist.
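The feature files bulk_extractor writes share one layout: a header of "#"-prefixed lines, then TAB-separated offset, feature and context columns, where the offset may be a forensic path such as 8192-GZIP-100. The parser below is an added example, not part of the original post or of bulk_extractor; the email.txt sample it reads is constructed.

```python
"""Parse a bulk_extractor feature file (e.g. email.txt) into its header
fields and a map of unique features to the offsets where they were found."""
from collections import defaultdict

# Constructed sample in bulk_extractor's feature-file layout.
SAMPLE_EMAIL_TXT = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.3
# Feature-Recorder: email
# Filename: image.raw
# Feature-File-Version: 1.1
4096\talice@example.com\tFrom: alice@example.com\\x0a
8192\tbob@example.com\tTo: bob@example.com\\x0a
8192-GZIP-100\talice@example.com\tReply-To: alice@example.com
"""


def parse_feature_file(text):
    """Return (header, {feature: [offsets]}).

    Header lines look like '# Key: value'; lines without a colon are
    banner text and are skipped. Data lines are offset<TAB>feature<TAB>context;
    the offset (a plain byte offset or a forensic path) is kept verbatim."""
    header = {}
    features = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].partition(":")
            if sep:
                header[key.strip()] = value.strip()
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected offset<TAB>feature")
        features[parts[1]].append(parts[0])
    return header, dict(features)


def summarize(text):
    """(feature, hit count) pairs, most frequent first, for triage."""
    _, features = parse_feature_file(text)
    return sorted(((f, len(o)) for f, o in features.items()),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for feature, hits in summarize(SAMPLE_EMAIL_TXT):
        print(f"{hits:4d}  {feature}")
```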

evtparse.pl

This utility takes .evt files, which contain log information for use by the event manager, and parses them into something useful for investigators. Specifically, it dumps the events as a timeline.
Example usage: evtparse.pl -e [event_log]

exiftool

exiftool allows users to read or write metadata (like EXIF) in image, video, and audio files. Here are a few examples from the exiftool manpage:
Example usage: exiftool -a -u -g1 [image_file]
Example usage: exiftool -Comment='Enter a comment in quotes here' [image_file]

missidentify

The missidentify tool finds Win32 executable files by their content rather than their file extension. It can search recursively through folders to find them and then displays the results to the user.
Standard usage usually includes searching recursively (the -r option).

Example usage: missidentify -r [location]
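What missidentify -r does under the hood is walk a tree and test each file for the Win32 executable header: an "MZ" DOS header whose e_lfanew field (offset 0x3C) points at a "PE\0\0" signature. The script below is an added example, not part of the original post or of missidentify; the sample tree it builds (a PE header renamed report.doc, a DOS-only MZ file, a text file) is constructed.

```python
"""Find Win32 executables by header content, like missidentify -r."""
import os
import struct
import tempfile


def is_pe_file(path):
    """True if the file has an MZ header and a PE signature at e_lfanew."""
    try:
        with open(path, "rb") as fh:
            dos = fh.read(64)                       # IMAGE_DOS_HEADER is 64 bytes
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"          # IMAGE_NT_HEADERS signature
    except OSError:
        return False


def find_pe_files(root):
    """Recursively list files under root that pass is_pe_file, sorted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_pe_file(path):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed samples: a renamed PE, a DOS-only MZ file, plain text."""
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    pe = dos_header + b"\0" * (0x80 - 64) + b"PE\0\0" + b"\0" * 20
    with open(os.path.join(root, "sub", "report.doc"), "wb") as f:
        f.write(pe)                                  # executable hiding as a document
    with open(os.path.join(root, "legacy.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)                  # MZ only, e_lfanew = 0: not PE
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"just text\n")


def demo():
    """Scan a temporary sample tree; returns hits relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in find_pe_files(root)]


if __name__ == "__main__":
    print(demo())
```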

mork.pl

A Perl script that strips information from a Mork database file. Mork files were previously used by Mozilla programs to store information such as Firefox browsing history and Thunderbird contacts. While newer Firefox versions now use SQLite database files to store browser information, Thunderbird continues to use Mork files. The following example uses mork.pl to create an HTML file with the information from a Mork file input.
Example usage: mork.pl --html [Mork_file]

pref.pl

This Perl script parses the content of Windows XP and Windows Vista prefetch files and directories. The output can be set to comma-separated values (.csv) for easier viewing. In the following example, pref.pl is used to parse data from a folder containing prefetch files from Vista (the default is XP) and output it as a CSV file.
Example usage: pref.pl -v -f [prefetch_file] -c
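The reason pref.pl needs the -v switch is that the XP (format version 17) and Vista (format version 23) prefetch headers store the last-run FILETIME and run count at different offsets (0x78/0x90 versus 0x80/0x98), while the SCCA signature, executable name (UTF-16LE at 0x10) and hash (0x4C) stay put. The parser below is an added example, not part of the original post or of pref.pl; it dispatches on the version field instead of a switch, and the prefetch headers it parses are constructed.

```python
"""Parse an XP (v17) or Vista (v23) prefetch header and emit a CSV row."""
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

# Per-version header layout: (last-run FILETIME offset, run-count offset).
LAYOUT = {0x11: (0x78, 0x90),   # 0x11 = Windows XP / 2003
          0x17: (0x80, 0x98)}   # 0x17 = Windows Vista / 7


def filetime_to_iso(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def parse_prefetch(data):
    """Return the header fields an investigator puts on a timeline."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version 0x{version:x}")
    run_off, count_off = LAYOUT[version]
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\0", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run = struct.unpack_from("<Q", data, run_off)[0]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"version": version, "exe": exe, "hash": f"{pf_hash:08X}",
            "last_run": filetime_to_iso(last_run), "run_count": run_count}


def to_csv_row(rec):
    """One CSV line: exe, hash, last run, run count."""
    buf = io.StringIO()
    csv.writer(buf).writerow([rec["exe"], rec["hash"], rec["last_run"], rec["run_count"]])
    return buf.getvalue().strip()


def build_sample(version, exe, last_run_ft, run_count):
    """Constructed header-only sample (no section tables) for the fields above."""
    run_off, count_off = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    buf[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\0")
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)
    struct.pack_into("<Q", buf, run_off, last_run_ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)
```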

ptk

PTK is a forensics toolkit, similar to the Sleuthkit. It contains built-in modules to analyze nearly any type of media or file type that may be encountered in a forensics investigation. It is browser based and first needs a MySQL database configured. Leave all fields at their defaults and use the password "toor" for the root user in MySQL. It should set up successfully, at which point you need to register for the free version. Copy the license file you received into the PTK config directory, located at /var/www/ptk/config.
PTK on Backtrack 5 tutorial and walkthrough
Next, log in as either admin or investigator and open a new case. Fill out the necessary information, then add an image file to begin. It can even be a RAM dump. From here, the built-in tools will help you pull information from the image(s).

readpst

ReadPST is a command-line utility that takes Microsoft Outlook PST files and converts them into mbox format files. Mbox files are easier to read and manipulate than PST files, so this lets investigators view the mail contained in the PST files. In the example below, the mail contained in mail.pst is converted to mbox format and placed on the root user's desktop.

Example usage: readpst -o /home/root/Desktop/ mail.pst

reglookup

RegLookup is a utility that outputs the contents of registry hives from Windows NT-based systems. It prints the information in an easily readable format, which makes lookups easier, and includes several filtering options to make the output even more useful. The example below outputs all registry contents found at the [registry-file] path.

Example usage: reglookup -v [registry-file]

stegdetect

Stegdetect is a program that attempts to detect steganographic messages embedded in media. It accepts JPEG images and looks for the signatures of several well-known steganography embedding programs in order to alert the user that data may be embedded in the file. The example below runs stegdetect on [file.jpg] and reports whether data may be hidden in the image.

Example usage: stegdetect -t jopi [file.jpg]

vinetto

Vinetto is a tool used to analyze thumbs.db files. Thumbs.db files contain thumbnail images and metadata for images stored on a filesystem, and they often remain after the original image has been deleted. Vinetto can take these thumbs.db files and extract information about the images that were on the system.
Vinetto has several modes; the two most useful are elementary mode and filesystem mode. Elementary mode takes individual thumbs.db files and analyzes them, while filesystem mode takes an entire filesystem image and searches for and analyzes the thumbs.db files contained in the image. The first example below shows basic elementary mode, while the second shows elementary mode with an HTML report and the thumbnails written to a directory of your choice.

Example usage: vinetto [thumbs.db file]
Example usage: vinetto -H [directory to write HTML] -o [directory to write thumbnails] [thumbs.db file]
