Gentoo Archives: gentoo-dev

From: Daniel <dragonheart@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] app-forensics category and forensics herd proposal
Date: Sat, 11 Sep 2004 03:18:17
Message-Id: 200409111251.15406.dragonheart@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


In response to bug 42498 I propose setting up an app-forensics category and
forensics herd. This will contain all applications that aid the investigation
of intrusions and general stuff that would be used by law enforcement
agencies.

Applications so far identified for this and their current maintainers:

app-admin/autopsy - me
app-admin/sleuthkit - me
app-admin/aide - bug wranglers
dev-util/examiner - nobody
app-admin/foremost - Martin Schlemmer - mholzer
sys-apps/air - me
app-admin/chkrootkit - Aaron Walker - Ka0TTiC
app-admin/rkhunter - Aaron Walker - Ka0TTiC

And a few more that ebuilds haven't quite been made for:

http://sourceforge.net/projects/pyflag - FLAG was designed to simplify the
process of log file analysis and forensic investigations. FLAG facilitates
efficient analysis of large quantities of data within an interactive
environment. PyFlag is the reimplementation of FLAG in Python.

http://www.outguess.org/detection.php Stegdetect (bug 35542) - Stegdetect is
an automated tool for detecting steganographic content in images. It is
capable of detecting several different steganographic methods to embed hidden
information in JPEG images.

http://sourceforge.net/projects/ol2mbox/
Outlook to mbox converter (used for litigation support, etc., but also useful
for anyone.) Note that this guy MIGHT have been threatened by Microsoft, as
some of the content from his page that contained newer versions has
mysteriously disappeared, and they once mentioned legal issues. The program
works fairly well, though.

http://sourceforge.net/projects/regviewer/
RegViewer is a GTK 2.2-based GUI Windows registry file navigator. It is
platform-independent, allowing for examination of Windows registry files from
any platform. Particularly useful when conducting forensics of Windows files
from *nix systems.

http://freshmeat.net/projects/ftimes/
FTimes is a system baselining and evidence collection tool. Its primary
purpose is to gather and/or develop information about specified directories
and files in a manner conducive to intrusion analysis. It was designed to
support the following initiatives: content integrity monitoring, incident
response, intrusion analysis, and computer forensics.

http://freshmeat.net/projects/rda/
RDA is a computer forensics tool to remotely acquire data. Usually disk
cloning or disk/partition imaging means one has to move the disk onto another
system, and things are more complicated if it's a laptop disk. The alternative
provided by rda is to boot the data source machine with a minimal Linux
system from a floppy or CD, and simply run rda. Some of the options provided
are data transfer verification with MD5 and/or CRC32 checksums, skipping read
errors, and spanning over multiple files.

http://software.freshmeat.net/projects/fohad/
The Forensic Hash Database is a project to combine the various hashsum sources
like The KnownGoods Database, Hashkeeper, NIST NSRL, and Dan Farmer's hashsum
archive into a single meta database. Integration into the forensic analysis
toolkit The Sleuth Kit is provided through a patch.

http://sourceforge.net/search/?type_of_search=soft&exact=0&words=forensic
lists some others that I haven't included here.

Aaron Walker (Ka0TTiC) has volunteered to join me (easily convinced in a
state of sleep deprivation).

Other volunteers? Anyone else? Other packages worthy of consideration?

- --
Daniel Black <dragonheart@g.o>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQm8chhpKunZncJcRAiEdAJ9EfpLGkNjUborCM1kNmkbnH96Z5wCgi99O
bobmWG1bxd3b+O8UnsY6IwE=
=tetz
-----END PGP SIGNATURE-----

--
gentoo-dev@g.o mailing list
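The RDA description in the post above names three properties an acquisition tool needs: per-transfer verification with MD5 and/or CRC32, skipping unreadable sectors instead of aborting, and spanning the output over several files. The following is an added example written for this archive page, not code from the post, from RDA, or from any Gentoo package; it models those three properties over a constructed in-memory "device" with one injected read error. The sector size, the image contents, the bad-sector set and the segment size are all assumptions made for the demonstration.

```python
"""Added example (not from the post above nor from RDA): segmented disk
acquisition with MD5/CRC32 verification and read-error skipping, modelled
over a constructed in-memory device."""
import hashlib
import zlib
from dataclasses import dataclass
from typing import Dict, List, Set

SECTOR = 512  # assumed sector size for the simulated device

# Constructed sample image: 10 sectors of a repeating byte pattern, and one
# sector (#3) that the simulated device refuses to read.
IMAGE = bytes(range(256)) * 20          # 5120 bytes == 10 sectors
BAD_SECTORS: Set[int] = {3}


@dataclass
class Segment:
    """One spanned output file: its payload plus the digests recorded at
    acquisition time and the list of sectors that had to be zero-filled."""
    index: int
    data: bytes
    md5: str
    crc32: int
    bad_sectors: List[int]


class SimulatedDevice:
    """A constructed block device that raises IOError on configured sectors."""

    def __init__(self, image: bytes, bad_sectors: Set[int]):
        if len(image) % SECTOR:
            raise ValueError("constructed image must be sector-aligned")
        self.image = image
        self.bad = bad_sectors

    @property
    def sectors(self) -> int:
        return len(self.image) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"read error at sector {n}")
        return self.image[n * SECTOR:(n + 1) * SECTOR]


def acquire(dev: SimulatedDevice, sectors_per_segment: int) -> List[Segment]:
    """Read the device sector by sector. An unreadable sector is zero-filled
    and recorded (the 'skip read errors' behaviour) rather than stopping the
    acquisition, and the output is spanned into fixed-size segments, each
    carrying its own MD5 and CRC32 so every file can be verified on its own."""
    segments: List[Segment] = []
    for seg_idx, start in enumerate(range(0, dev.sectors, sectors_per_segment)):
        buf = bytearray()
        bad: List[int] = []
        for n in range(start, min(start + sectors_per_segment, dev.sectors)):
            try:
                chunk = dev.read_sector(n)
            except IOError:
                chunk = b"\x00" * SECTOR   # keep offsets stable, note the gap
                bad.append(n)
            buf += chunk
        data = bytes(buf)
        segments.append(Segment(seg_idx, data,
                                hashlib.md5(data).hexdigest(),
                                zlib.crc32(data) & 0xFFFFFFFF, bad))
    return segments


def verify(segments: List[Segment]) -> Dict[int, bool]:
    """Receiver-side check: re-hash each segment and require BOTH recorded
    digests to match, so a transfer or storage corruption is pinned to the
    affected segment instead of invalidating the whole image."""
    return {
        s.index: hashlib.md5(s.data).hexdigest() == s.md5
        and (zlib.crc32(s.data) & 0xFFFFFFFF) == s.crc32
        for s in segments
    }


def reassemble(segments: List[Segment]) -> bytes:
    """Concatenate verified segments back into one image in index order."""
    return b"".join(s.data for s in sorted(segments, key=lambda s: s.index))


if __name__ == "__main__":
    device = SimulatedDevice(IMAGE, BAD_SECTORS)
    segs = acquire(device, sectors_per_segment=4)
    for s in segs:
        print(f"segment {s.index}: {len(s.data)} bytes md5={s.md5} "
              f"crc32={s.crc32:08x} zero-filled sectors={s.bad_sectors}")
    print("all segments verify:", all(verify(segs).values()))
```

The zero-filled sectors are reported alongside the digests rather than hidden: an examiner needs to know which offsets of the image are fill and not evidence, and the recorded digests cover the image as acquired, fill included, so a later re-verification still succeeds.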
