-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In response to bug 42498 I propose setting up an app-forensics category and
forensics herd. This will contain all applications that aid the investigation
of intrusions and general stuff that would be used by law enforcement
agencies.

Applications so far identified for this and their current maintainers:

app-admin/autopsy - me
app-admin/sleuthkit - me
app-admin/aide - bug wranglers
dev-util/examiner - nobody
app-admin/foremost - Martin Schlemmer - mholzer
sys-apps/air - me
app-admin/chkrootkit - Aaron Walker - Ka0TTiC
app-admin/rkhunter - Aaron Walker - Ka0TTiC

And a few more that ebuilds haven't quite been made for:

http://sourceforge.net/projects/pyflag - FLAG was designed to simplify the
process of log file analysis and forensic investigations. FLAG facilitates
efficient analysis of large quantities of data within an interactive
environment. PyFlag is the reimplementation of FLAG in Python.

http://www.outguess.org/detection.php Stegdetect (bug 35542) - Stegdetect is
an automated tool for detecting steganographic content in images. It is
capable of detecting several different steganographic methods to embed hidden
information in JPEG images.

http://sourceforge.net/projects/ol2mbox/
Outlook to mbox converter (used for litigation support, etc., but also useful
for anyone.) Note that this guy MIGHT have been threatened by Microsoft as
some of the content from his page has mysteriously disappeared that contained
newer versions and they once mentioned legal issues. The program works
fairly well, though.

http://sourceforge.net/projects/regviewer/
RegViewer is a GTK 2.2-based GUI Windows registry file navigator. It is platform
independent, allowing for examination of Windows registry files from any
platform. Particularly useful when conducting forensics of Windows files from
*nix systems.

http://freshmeat.net/projects/ftimes/
FTimes is a system baselining and evidence collection tool. Its primary
purpose is to gather and/or develop information about specified directories
and files in a manner conducive to intrusion analysis. It was designed to
support the following initiatives: content integrity monitoring, incident
response, intrusion analysis, and computer forensics.

http://freshmeat.net/projects/rda/
RDA is a computer forensics tool to remotely acquire data. Usually disk
cloning or disk/partition imaging means one has to move the disk onto another
system, and things are more complicated if it's a laptop disk. The alternative
provided by rda is to boot the data source machine with a minimal Linux
system from a floppy or CD, and simply run rda. Some of the options provided
are data transfer verification with MD5 and/or CRC32 checksums, skipping read
errors, and spanning over multiple files.

http://software.freshmeat.net/projects/fohad/
The Forensic Hash Database is a project to combine the various hashsum sources
like The KnownGoods Database, Hashkeeper, NIST NSRL, and Dan Farmer's hashsum
archive into a single meta database. Integration into the forensic analysis
toolkit The Sleuth Kit is provided through a patch.

http://sourceforge.net/search/?type_of_search=soft&exact=0&words=forensic
lists some others that I haven't included here.

Aaron Walker (Ka0TTiC) has volunteered to join me (easily convinced in a
state of sleep deprivation).

Other volunteers? Anyone else? Other packages worthy of consideration?

- --
Daniel Black <dragonheart@g.o>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQm8chhpKunZncJcRAiEdAJ9EfpLGkNjUborCM1kNmkbnH96Z5wCgi99O
bobmWG1bxd3b+O8UnsY6IwE=
=tetz
-----END PGP SIGNATURE-----

--
gentoo-dev@g.o mailing list
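Added example, not part of the message above and not code from FTimes, The Sleuth Kit or any other project listed in it: a minimal file-system baselining and comparison routine of the kind the FTimes blurb describes (record size, mtime and a content hash for every regular file, then diff two baselines). Every directory, file name and file content here is constructed for the demo; the "intrusion" it simulates is invented to exercise the comparison, including a content change with the original mtime restored, which a metadata-only check would miss.

```python
# Added example (not FTimes, Sleuth Kit or any other project's code): a minimal
# file-system baselining and comparison routine in the spirit of the FTimes
# description above. Every path and file here is constructed for the demo.
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: {relative path: {size, mtime_ns, sha256}} for every regular
    file under root. Symlinks are skipped rather than followed so a planted
    link cannot pull in files from outside the tree or loop the walk."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()      # deterministic traversal order
        filenames.sort()
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": hash_file(p),
            }
    return baseline


def compare(old, new):
    """Diff two baselines. 'timestomped' lists modified files whose size and
    mtime are unchanged: content changed while the metadata was restored,
    which anything trusting mtime alone (ls -l, a find -newer sweep) misses."""
    common = old.keys() & new.keys()
    modified = sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"])
    timestomped = sorted(
        k for k in modified
        if old[k]["size"] == new[k]["size"]
        and old[k]["mtime_ns"] == new[k]["mtime_ns"]
    )
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": modified,
        "timestomped": timestomped,
    }


def demo():
    """Build a tiny constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("bin", "etc", "tmp"):
            (root / sub).mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls.real \"$@\"\n")
        (root / "etc" / "issue").write_text("Gentoo Linux\n")
        shadow = root / "etc" / "shadow"
        shadow.write_text("root:$6$saltsalt$hashhash:19000:0:99999:7:::\n")

        before = snapshot(root)

        # Simulated intrusion (constructed):
        # 1. trojaned ls: both size and mtime change
        (root / "bin" / "ls").write_bytes(
            b"#!/bin/sh\n/tmp/.rk/bd &\nexec /bin/ls.real \"$@\"\n"
        )
        # 2. root password hash swapped for one of the same length, then the
        #    original mtime put back so a metadata-only check sees nothing
        st = shadow.stat()
        shadow.write_text("root:$6$saltsalt$pwnedpw!:19000:0:99999:7:::\n")
        os.utime(shadow, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 3. one file removed, one dropped in
        (root / "etc" / "issue").unlink()
        (root / "tmp" / ".rk").write_bytes(b"\x7fELF")

        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:12s} {paths}")
```

SHA-256 is used here rather than the MD5/CRC32 the RDA blurb mentions: those suffice to catch transfer errors during imaging, but a baseline meant as tamper evidence needs a hash an attacker cannot collide at will. A real deployment would also store the baseline off the examined host and record owner, mode and inode alongside size and mtime.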