42498 2004-02-22 09:49 0000 Developing an "app-forensics" tree branch for portage 2009-03-08 00:27:39 0000 1 1 1 Unclassified Gentoo Linux Unspecified unspecified All Linux RESOLVED FIXED http://www.opensourceforensics.org/tools/unix.html EBUILD P2 enhancement --- 1 mns6070@rit.edu forensics@gentoo.org abusch@gmx.net diego@envigo.net dma@dmatech.org grimmlin@pentoo.ch mns6070@rit.edu 2004-02-22 09:49:11 0000 Currently, Gentoo lacks the ability to "emerge" tools that would be used in performing a forensic investigation. These tools include, but are not limited to: 1. The Coroner's Toolkit (http://www.porcupine.org/forensics/tct.html) 2. Sleuthkit (http://www.sleuthkit.org) 3. Autopsy (http://www.sleuthkit.org) 4. Foremost (http://foremost.sf.net) Reproducible: Always Steps to Reproduce: method@gentoo.org 2004-02-22 15:18:34 0000 neat.. got any ebuilds for these? Also, these sorts of things would be much more useful on a livecd, what do you think zhen? solar@gentoo.org 2004-02-22 18:20:17 0000 These two could be moved into "app-forensics" after Mitchell attaches the ebuilds, then yn. app-admin/aide dev-util/examiner solar@gentoo.org 2004-02-22 18:21:38 0000 then only a few more would be needed to justify "app-forensics" vapier@gentoo.org 2004-02-22 18:59:14 0000 well, could we consider the category as a place for pre and post investigation ? thus aide and tripwire and similar IDS's could go in it dma@dmatech.org 2004-02-22 19:17:44 0000 Stegdetect (http://www.outgress.org/) - tries to detect steganography Fatback (http://www.sf.net/projects/biatchux/) - attempts to unerase FAT stuff http://sourceforge.net/project/showfiles.php?group_id=78332 http://odessa.sourceforge.net/ Open data duplicator Galleta - IE Cookie Parser Pasco - IE Activity Parser Rifiuti - Recycle Bin Analyzer Fun stuff to read: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf http://www.crazytrain.com/monkeyboy/csi_2003_linux_forensics.pdf http://sourceforge.net/softwaremap/trove_list.php?form_cat=43 I'll see if I can find anything else. method@gentoo.org 2004-02-22 19:26:23 0000 i don't know about steganography.. it's a sensitive subject in america see http://niels.xtdnet.nl/stego/ vapier@gentoo.org 2004-02-22 19:38:20 0000 i really dont think we should let that kind of crap affect the addition of steganography related programs ... after all, if it's truely questionable, we just change the ebuild to have RESTRICT=nomirror and Gentoo should be in the clear ... we host scripts that fetch files and build them, that's it dma@dmatech.org 2004-02-22 20:03:53 0000 Oops... wrong URL... http://www.outguess.org/detection.php Also: http://sourceforge.net/projects/ol2mbox/ Outlook to mbox converter (used for litigation support, etc., but also useful for anyone.) Note that this guy MIGHT have been threatened by microsoft as some of the content from his page has mysteriously disappeared that contained newer versions and they once mentioned legal issues. The program works fairly well, though. http://sourceforge.net/projects/air-imager/ AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images. Supports verification via MD5/SHA1, SCSI tape drives, imaging over a TCP/IP network, and complete session logging. http://sourceforge.net/projects/regviewer/ RegViewer is GTK 2.2 based GUI Windows registry file navigator. It is platform independent allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems. http://freshmeat.net/projects/ftimes/ FTimes is a system baselining and evidence collection tool. Its primary purpose is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis. It was designed to support the following initiatives: content integrity monitoring, incident response, intrusion analysis, and computer forensics. http://freshmeat.net/projects/rda/ RDA is a computer forensics tool to remotely acquire data. Usually disk cloning or disk/partition imaging means one has to move the disk onto another system, and things are more complicated if its a laptop disk. The alternative provided by rda is to boot the data source machine with a minimal Linux system from a floppy or CD, and simply run rda. Some of the options provided are data transfer verification with MD5 and/or CRC32 checksums, skipping read errors, and spanning over multiple files. http://software.freshmeat.net/projects/fohad/ The Forensic Hash Database is a project to combine the various hashsum sources like The KnownGoods Database, Hashkeeper, NIST NSRL, and Dan Farmer's hashsum archive into a single meta database. Integration into the forensic analysis toolkit The Sleuth Kit is provided through a patch. method@gentoo.org 2004-02-23 12:59:29 0000 wow, i don't have time to write ebuilds for all these, any volunteers? dma@dmatech.org 2004-03-05 13:41:19 0000 I guess I'll do a few. mns6070@rit.edu 2004-03-06 20:20:23 0000 Can someone merge http://bugs.gentoo.org/show_bug.cgi?id=39934 and http://bugs.gentoo.org/show_bug.cgi?id=39935 into the portage tree as ~x86? mns6070@rit.edu 2004-03-06 21:52:19 0000 Created an attachment (id=26972) Foremost 0.69 ebuild Foremost ebuild that I am not sure if it works or not. solar@gentoo.org 2004-03-06 22:04:55 0000 re comment #10 I don't think either of the two will be accepted as is. Both of those ebuilds look like they need to use the portage api, install docs to the right place etc.. diego@envigo.net 2004-03-07 08:45:40 0000 i can write few ebuilds more about this subject this week. jeffrey_caplan@hotmail.com 2004-03-28 13:12:13 0000 I just really wanted to list my support for this particular tree for gentoo..I can't wait until the ebuilds are implemented for these packages. ~jeff~ solar@gentoo.org 2004-04-25 19:20:30 0000 Diego, Hows it coming? mns6070@rit.edu 2004-04-27 11:45:21 0000 Looks like foremost was already to the portage tree under bug #47094 mns6070@rit.edu 2004-05-06 06:59:45 0000 Two new ebuilds have been written and added to the portage tree in order to respond to the needs of another user. The first is bug #47096, which covers sleuthkit and now replaces Diego's ebuild in bug #39935. The second is bug #47097, which covers autopsy. dragonheart@gentoo.org 2004-08-15 08:27:03 0000 = The Coroner's Toolkit - bug #39934 The rest in comment #8 and comment #5 are not implemented. David or Diego any more thoughts on the ebuilds. Package commited (or almost) stegdetect - getting around a few compile problems - hasn't been touched for ages though sys-apps/memdump - Almost there app-admin/autopsy - done app-admin/sleuthkit = done app-admin/aide - done dev-util/examiner -done app-admin/foremost -done sys-apps/air = http://air-imager.sourceforge.net/ = done method@gentoo.org 2004-09-08 18:22:18 0000 bug-wranglers hardened doesn't have the resources to support this, can you try to find someone else to do so? abusch@gmx.net 2004-09-09 01:29:50 0000 Don't forget app-admin/chkrootkit app-admin/rkhunter dragonheart@gentoo.org 2004-09-09 21:46:40 0000 http://sourceforge.net/projects/pyflag is another one for consideration. FLAG was designed to simplify the process of log file analysis and forensic investigations. FLAG facilitates efficient analysis of large quantities of data within an interactive environment. PyFlag is the reimplementation of FLAG in Python dragonheart@gentoo.org 2004-09-11 04:47:50 0000 Email sent to gentoo-dev seeking approval for category. This doesn't realy bock bug 39934. dragonheart@gentoo.org 2004-09-11 23:10:32 0000 soon to be fixed.... dragonheart@gentoo.org 2004-09-17 17:11:48 0000 Well the branch has been created. The herd has been created. I'm going to leave this bug open just as a reminder of a few other packages to include. Feel free to add ebuilds for them. dragonheart@gentoo.org 2004-12-03 22:13:15 0000 individual bugs created for outstanding ebuilds. grimmlin@pentoo.ch 2005-01-25 13:23:44 0000 Hi, One forensics tool that could be added is AIRT for "Advanced incident response tool" It is new and actively devellopped http://159.226.5.93/projects/airt.htm grimmlin@pentoo.ch 2005-01-25 13:34:57 0000 I've found a long, long list of forensics tools on this site: http://www.forinsect.de/forensics/forensics-tools.html It is huge... dragonheart@gentoo.org 2005-01-25 16:26:13 0000 AIRT - bug 79524 The Sleuth Kit (TSK) - done Autopsy - done Pepijn Vissers released a patch - need to check FLAG - obseleted by pyflag - bug 73301 mac-robber - not part of sleuthkit (just checked) will look at Foremost - done Magic Rescue - will look at gpart - sys-apps/gpart - has a few bugs open on it. The Coroner's Toolkit (TCT) - done TCTutils - low pri - see if there is any value not included elsewhere Network Forensics: nstreams: need to look slogdump - looks interesting. tcpflow - net-analyzer/tcpflow - needs version bump Chaosreader need to look driftnet - need to look Ftimes Project - last touched March 2004 - maybe - bug 73296 bmap - looks interesting autoclave - deleteing realy not in the interests of forensics :-) cryptcat - cvs version as of 20031202 - doesn't seem to be maintained Foundstone Forensic Utilities -- good link - hope these are better that the older versions on sourceforge. Fenris - looks promising e2recover - could be easy NASA tool collection - enhanced_loopback - 2.4 kernel only :-( - fatback - sounds good - bug 73299 Carvdawg's Perl Page - maybe md5deep - need to compare against ftimes dcfldd - sys-apps/dcfldd Cryogenic - nice mcore - not sure its forensics procshow - if this has something a lot better that other programs Project Odessa: bug 73300 Registry editors (non-Windows): ntreg: - needed by pyflag - TODO kregedit: wow - a gui - will look chntpw: sneeky - not realy forensics though e2salvage: - good compare to recover kern_check: potentialy Faust: maybe AIR: in portage app-forensics/air memfetch: dumps the memory of a running process - nice memdump: - what special features? elfcmp: a tool for comparing ELF binarys to processes - neat sdd: - don't think it adds that much. chkrootkit: app-forensics/chkrootkit Rootcheck: new rootkit detection tool. - will look at it Rootkit Hunter: ap-forensics/rkhunter Mail analysis tools: Mail Viewer.ok ol2mbox: an Outlook to mbox format mail converter - looking into it mboxgrep: ok getattach.pl: probably covered elsewhere Sources for Known-Good / Known-Bad hashsums: look at adding support for these in pyflag lots to look. any favourites? dragonheart@gentoo.org 2005-01-25 16:34:25 0000 more options - should write bugs on good ones initially. dragonheart@gentoo.org 2005-01-25 18:19:13 0000 kregedit-0.1 - compile failure # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Header: $ inherit kde DESCRIPTION="kregedit is KDE utility for viewing native Windows registry files." HOMEPAGE="http://jelmer.vernstok.nl/samba/kregedit/" SRC_URI="http://jelmer.vernstok.nl/releases/${P}.tar.gz" LICENSE="GPL-2" SLOT="0" KEYWORDS="~x86" IUSE="" editreg.cpp: In function `int data_to_ascii(unsigned char*, int, int, char*, int)': editreg.cpp:1560: error: invalid conversion from `char*' to `unsigned char*' editreg.cpp:1564: error: invalid conversion from `char*' to `unsigned char*' editreg.cpp:1568: error: invalid conversion from `char*' to `unsigned char*' editreg.cpp:1571: error: invalid conversion from `unsigned char*' to `char*' editreg.cpp: In function `REGF_HDR* nt_get_regf_hdr(REGF*)': editreg.cpp:1661: error: invalid conversion from `void*' to `char*' tcpflow version bumped too dragonheart@gentoo.org 2005-01-25 18:44:57 0000 mac-robber-1.00 added. Added another URL. dragonheart@gentoo.org 2005-01-25 19:00:41 0000 app-forensics/magicrescue-1.1.4 it suggested JPEG recovery tools: This seems to be the file type most people are trying to recover. Available utilities include <http://www.cgsecurity.org/?photorec.html>, <http://codesink.org/recover.html>, and <http://www.vanheusden.com/findfile/>. dragonheart@gentoo.org 2005-01-25 20:41:37 0000 comment 33 http://www.cgsecurity.org/?photorec.html is part of app-admin/testdisk. version bumped to 5.5 dragonheart@gentoo.org 2005-04-28 02:09:01 0000 http://dftt.sourceforge.net/ for test images. polynomial-c@gentoo.org 2009-03-08 00:27:39 0000 This has been added to the portage tree for quite a while now. Marking as FIXED. 26972 2004-03-06 21:52 0000 Foremost 0.69 ebuild foremost-0.69.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA0IEdlbnRvbyBUZWNobm9sb2dpZXMsIEluYy4KIyBEaXN0cmli dXRlZCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlIHYy CiMgJEhlYWRlcjogJAoKREVTQ1JJUFRJT049IkZvcmVtb3N0IGlzIGEgY29uc29sZSBwcm9ncmFt IHRvIHJlY292ZXIgZmlsZXMgYmFzZWQgb24gdGhlaXIgaGVhZGVycyBhbmQgZm9vdGVycy4gRm9y ZW1vc3QgY2FuIHdvcmsgb24gaW1hZ2UgZmlsZXMsIHN1Y2ggYXMgdGhvc2UgZ2VuZXJhdGVkIGJ5 IGRkLCBTYWZlYmFjaywgRW5jYXNlLCBldGMsIG9yIGRpcmVjdGx5IG9uIGEgZHJpdmUuIFRoZSBo ZWFkZXJzIGFuZCBmb290ZXJzIGFyZSBzcGVjaWZpZWQgYnkgYSBjb25maWd1cmF0aW9uIGZpbGUs IHNvIHlvdSBjYW4gcGljayBhbmQgY2hvb3NlIHdoaWNoIGhlYWRlcnMgeW91IHdhbnQgdG8gbG9v ayBmb3IuIgpIT01FUEFHRT0iaHR0cDovL2ZvcmVtb3N0LnNvdXJjZWZvcmdlLm5ldC8iClNSQ19V Ukk9Imh0dHA6Ly9mb3JlbW9zdC5zb3VyY2Vmb3JnZS5uZXQvcGtnLyR7UH0udGFyLmd6IgpMSUNF TlNFPSJwdWJsaWMtZG9tYWluIgpTTE9UPSIwIgpLRVlXT1JEUz0ifng4NiIKSVVTRT0iIgpERVBF TkQ9IiIKUz0ke1dPUktESVJ9LyR7UH0KCnNyY19jb21waWxlKCkgewp9CgpzcmNfaW5zdGFsbCgp IHsKCSMgWW91IG11c3QgKnBlcnNvbmFsbHkgdmVyaWZ5KiB0aGF0IHRoaXMgdHJpY2sgZG9lc24n dCBpbnN0YWxsCgkjIGFueXRoaW5nIG91dHNpZGUgb2YgREVTVERJUjsgZG8gdGhpcyBieSByZWFk aW5nIGFuZAoJIyB1bmRlcnN0YW5kaW5nIHRoZSBpbnN0YWxsIHBhcnQgb2YgdGhlIE1ha2VmaWxl cy4KCW1ha2UgREVTVF9ESVI9JHtEfSBpbnN0YWxsIHx8IGRpZQoKfQo=