Forensic Cop Journal Volume 2(1), Nov 2009
3. Rdd: A forensic copy program developed at and used by the Netherlands Forensic Institute (NFI). Unlike most copy programs, rdd is robust with respect to read errors, which is an important property in a forensic operating environment.
4. Tct: TCT is a collection of programs for a post-mortem analysis of a UNIX system after a break-in. It enables you to collect data regarding deleted files, modification times of files and more. Install this BEFORE you need to use it, so you do not risk destroying essential forensic data before you begin. Tools contained within this package: grave-robber, lazarus, inode-cat, ils, unrm and pcat.
5. Galleta: An Internet Explorer cookie forensic analysis tool. Galleta is a forensic tool that examines the content of cookie files produced by Microsoft's Internet Explorer. It parses the file and outputs a field-separated file that can be loaded in a spreadsheet.
6. Pasco: An Internet Explorer cache forensic analysis tool. Pasco is a forensic tool that examines the content of cache files (index.dat) produced by Microsoft's Internet Explorer. It parses the file and outputs a field-separated file that can be loaded in a spreadsheet.
7. Sleuthkit: Tools for forensic analysis. The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file system and media management forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown. The media management tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools. When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation. Autopsy provides case management, image integrity, keyword searching, and other automated operations.
8. Unhide: Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or by other techniques. It includes two utilities: unhide and unhide-tcp. Unhide detects hidden processes using three techniques:
- comparing the output of /proc and /bin/ps
- comparing the information gathered from /bin/ps with the one gathered from system calls (syscall scanning)
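The /proc-versus-ps and syscall-scanning comparisons described above, as an added Python example (not Unhide's own code): each view is a set of PIDs, and a PID present in a reference view but absent from ps is a hidden-process candidate. It assumes a Linux host where /proc is mounted and ps is on the PATH.

```python
"""Cross-check process views as Unhide does (added example, not Unhide's code):
a PID seen by one view but missing from another is a hidden-process candidate."""
import os
import subprocess
from typing import Dict, Set

def pids_from_proc() -> Set[int]:
    """PIDs that appear as numeric directories under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pids_from_ps() -> Set[int]:
    """PIDs reported by ps, the userland view a rootkit is most likely to filter."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}

def alive(pid: int) -> bool:
    """Ask the kernel directly via getpgid(2); this consults neither /proc nor ps,
    so a process filtered out of those listings still answers."""
    try:
        os.getpgid(pid)
        return True
    except ProcessLookupError:
        return False

def pids_from_syscalls(max_pid: int) -> Set[int]:
    """Syscall scanning: probe every possible PID from 1 up to pid_max."""
    return {pid for pid in range(1, max_pid + 1) if alive(pid)}

def hidden_pids(reference: Set[int], visible: Set[int]) -> Set[int]:
    """PIDs in the reference view that are absent from the visible view."""
    return set(reference) - set(visible)

def scan() -> Dict[str, Set[int]]:
    """Both comparisons named in the text. Reference views are taken before the
    ps snapshot and candidates re-checked, so a process that merely exited in
    between is not reported as hidden."""
    try:
        max_pid = int(open("/proc/sys/kernel/pid_max").read())
    except OSError:
        max_pid = 32768  # conservative fallback when pid_max is unreadable
    views = {"proc_vs_ps": pids_from_proc(),
             "syscall_vs_ps": pids_from_syscalls(max_pid)}
    ps_view = pids_from_ps()
    return {name: {p for p in hidden_pids(ref, ps_view) if alive(p)}
            for name, ref in views.items()}

if __name__ == "__main__":
    for check, pids in scan().items():
        print(f"{check}: {sorted(pids) or 'no hidden candidates'}")
```

A non-empty result is a lead, not a verdict: confirm the candidate with a second pass and with unhide's own brute and sys checks before treating it as a rootkit indicator.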