Bug 42498 - Developing an "app-forensics" tree branch for portage
Bug#: 42498
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: enhancement
Priority: P2
Resolution: FIXED
Assigned To: forensics@gentoo.org
Reported By: mns6070@rit.edu
Component: Unspecified
URL: http://www.opensourceforensics.org/tools/unix.html
Summary: Developing an "app-forensics" tree branch for portage
Keywords: EBUILD
Opened: 2004-02-22 09:49 0000
neat.. got any ebuilds for these?
Also, these sorts of things would be much more useful on a livecd, what do you think zhen?
These two could be moved into "app-forensics" after Mitchell attaches the
ebuilds, then yn.
app-admin/aide
dev-util/examiner
then only a few more would be needed to justify "app-forensics"
well, could we consider the category as a place for pre and post investigation
? thus aide and tripwire and similar IDS's could go in it
i really don't think we should let that kind of crap affect the addition of
steganography related programs ...
after all, if it's truly questionable, we just change the ebuild to have
RESTRICT=nomirror and Gentoo should be in the clear ... we host scripts that
fetch files and build them, that's it
Oops... wrong URL... http://www.outguess.org/detection.php
Also:
http://sourceforge.net/projects/ol2mbox/
Outlook to mbox converter (used for litigation support, etc., but also useful for anyone.) Note that this guy MIGHT have been threatened by microsoft as some of the content from his page has mysteriously disappeared that contained newer versions and they once mentioned legal issues. The program works fairly well, though.
http://sourceforge.net/projects/air-imager/
AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images. Supports verification via MD5/SHA1, SCSI tape drives, imaging over a TCP/IP network, and complete session logging.
http://sourceforge.net/projects/regviewer/
RegViewer is GTK 2.2 based GUI Windows registry file navigator. It is platform independent allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.
http://freshmeat.net/projects/ftimes/
FTimes is a system baselining and evidence collection tool. Its primary purpose is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis. It was designed to support the following initiatives: content integrity monitoring, incident response, intrusion analysis, and computer forensics.
http://freshmeat.net/projects/rda/
RDA is a computer forensics tool to remotely acquire data. Usually disk cloning or disk/partition imaging means one has to move the disk onto another system, and things are more complicated if it's a laptop disk. The alternative provided by rda is to boot the data source machine with a minimal Linux system from a floppy or CD, and simply run rda. Some of the options provided are data transfer verification with MD5 and/or CRC32 checksums, skipping read errors, and spanning over multiple files.
http://software.freshmeat.net/projects/fohad/
The Forensic Hash Database is a project to combine the various hashsum sources like The KnownGoods Database, Hashkeeper, NIST NSRL, and Dan Farmer's hashsum archive into a single meta database. Integration into the forensic analysis toolkit The Sleuth Kit is provided through a patch.
wow, i don't have time to write ebuilds for all these, any volunteers?
re comment #10
I don't think either of the two will be accepted as is. Both of those ebuilds look like they need to use the portage api, install docs to the right place etc..
I can write a few more ebuilds about this subject this week.
I just really wanted to list my support for this particular tree for gentoo..I
can't wait until the ebuilds are implemented for these packages.
~jeff~
Looks like foremost was already added to the portage tree under bug #47094
Two new ebuilds have been written and added to the portage tree in order to
respond to the needs of another user. The first is bug #47096, which covers
sleuthkit and now replaces Diego's ebuild in bug #39935. The second is bug
#47097, which covers autopsy.
= The Coroner's Toolkit - bug #39934
The rest in comment #8 and comment #5 are not implemented.
David or Diego any more thoughts on the ebuilds.
Packages committed (or almost)
stegdetect - getting around a few compile problems - hasn't been touched for ages though
sys-apps/memdump - almost there
app-admin/autopsy - done
app-admin/sleuthkit - done
app-admin/aide - done
dev-util/examiner - done
app-admin/foremost - done
sys-apps/air - http://air-imager.sourceforge.net/ - done
bug-wranglers
hardened doesn't have the resources to support this, can you try to find someone else to do so?
Don't forget
app-admin/chkrootkit
app-admin/rkhunter
http://sourceforge.net/projects/pyflag is another one for consideration.
FLAG was designed to simplify the process of log file analysis and forensic investigations. FLAG facilitates efficient analysis of large quantities of data within an interactive environment. PyFlag is the reimplementation of FLAG in Python
Email sent to gentoo-dev seeking approval for category.
This doesn't really block bug 39934.
Well the branch has been created. The herd has been created. I'm going to leave
this bug open just as a reminder of a few other packages to include. Feel free
to add ebuilds for them.
individual bugs created for outstanding ebuilds.
AIRT - bug 79524
The Sleuth Kit (TSK) - done
Autopsy - done
Pepijn Vissers released a patch - need to check
FLAG - obsoleted by pyflag - bug 73301
mac-robber - not part of sleuthkit (just checked) will look at
Foremost - done
Magic Rescue - will look at
gpart - sys-apps/gpart - has a few bugs open on it.
The Coroner's Toolkit (TCT) - done
TCTutils - low pri - see if there is any value not included elsewhere
Network Forensics:
nstreams: need to look
slogdump - looks interesting.
tcpflow - net-analyzer/tcpflow - needs version bump
Chaosreader need to look
driftnet - need to look
Ftimes Project - last touched March 2004 - maybe - bug 73296
bmap - looks interesting
autoclave - deleting really not in the interests of forensics :-)
cryptcat - cvs version as of 20031202 - doesn't seem to be maintained
Foundstone Forensic Utilities -- good link - hope these are better than the older versions on sourceforge.
Fenris - looks promising
e2recover - could be easy
NASA tool collection
- enhanced_loopback - 2.4 kernel only :-(
- fatback - sounds good - bug 73299
Carvdawg's Perl Page - maybe
md5deep - need to compare against ftimes
dcfldd - sys-apps/dcfldd
Cryogenic - nice
mcore - not sure its forensics
procshow - if this has something a lot better than other programs
Project Odessa: bug 73300
Registry editors (non-Windows):
ntreg: - needed by pyflag - TODO
kregedit: wow - a gui - will look
chntpw: sneaky - not really forensics though
e2salvage: - good compare to recover
kern_check: potentially
Faust: maybe
AIR: in portage app-forensics/air
memfetch: dumps the memory of a running process - nice
memdump: - what special features?
elfcmp: a tool for comparing ELF binaries to processes - neat
sdd: - don't think it adds that much.
chkrootkit: app-forensics/chkrootkit
Rootcheck: new rootkit detection tool. - will look at it
Rootkit Hunter: app-forensics/rkhunter
Mail analysis tools:
Mail Viewer: ok
ol2mbox: an Outlook to mbox format mail converter - looking into it
mboxgrep: ok
getattach.pl: probably covered elsewhere
Sources for Known-Good / Known-Bad hashsums:
look at adding support for these in pyflag
lots to look. any favourites?
more options - should write bugs on good ones initially.
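Several of the tools listed in this thread (FTimes' system baselining, md5deep, and the known-good / known-bad hashsum sources such as NSRL and Hashkeeper that the Forensic Hash Database collects) share one underlying technique: record a digest for every file, diff a later snapshot against that baseline, and classify each file by whether its digest appears in a trusted or a hostile hash set. The following Python script is an added illustration of that technique and is not code from any of the projects named here. The sample directory tree, the "known-good" and "known-bad" digests, and the simulated changes (a replaced binary, a deleted file, a new file) are all constructed inside the script so it runs offline.

```python
"""Baseline-and-compare with known-good / known-bad hash matching.

Added example, not part of FTimes, md5deep or the Forensic Hash Database.
The sample tree and hash sets are constructed below purely for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Stream a file through hashlib so large evidence files are not read at once."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, algorithm: str = "sha256") -> dict:
    """Record size, mtime and digest for every regular file under root.

    Symlinks are skipped so the baseline describes file content, not link targets.
    Keys are paths relative to root, which keeps two snapshots comparable.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            st = path.stat()
            baseline[str(path.relative_to(root))] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                algorithm: hash_file(path, algorithm),
            }
    return baseline


def compare_baselines(old: dict, new: dict, algorithm: str = "sha256") -> dict:
    """Report files added, removed, or whose content digest changed."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p][algorithm] != new[p][algorithm]),
    }


def classify(baseline: dict, known_good: set, known_bad: set,
             algorithm: str = "sha256") -> dict:
    """Bucket each file by membership of its digest in the hash sets.

    A known-bad hit wins over a known-good hit, so a hostile file that also
    appears in a stale trusted set is still reported.
    """
    result = {"known_good": [], "known_bad": [], "unknown": []}
    for rel, record in sorted(baseline.items()):
        digest = record[algorithm]
        if digest in known_bad:
            result["known_bad"].append(rel)
        elif digest in known_good:
            result["known_good"].append(rel)
        else:
            result["unknown"].append(rel)
    return result


def demo() -> tuple:
    """Build a constructed tree, snapshot it, tamper with it, then snapshot again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")   # constructed "binary"
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")

        before = build_baseline(root)
        known_good = {before["bin/ls"]["sha256"]}              # trust the original ls
        known_bad = {hashlib.sha256(b"evil").hexdigest()}     # constructed hostile digest

        # Simulated post-incident state: replaced binary, deleted file, new file.
        (root / "bin" / "ls").write_bytes(b"evil")
        (root / "etc" / "passwd").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / "x").write_bytes(b"hi")

        after = build_baseline(root)
        return compare_baselines(before, after), classify(after, known_good, known_bad)


if __name__ == "__main__":
    diff, buckets = demo()
    print("changes:", diff)
    print("hash-set matches:", buckets)
```

The comparison is keyed on content digest rather than mtime, since mtime is trivially forged; size and mtime are still recorded because they are cheap and useful when triaging which changed files to look at first.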
kregedit-0.1 - compile failure
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
inherit kde
DESCRIPTION="kregedit is KDE utility for viewing native Windows registry files."
HOMEPAGE="http://jelmer.vernstok.nl/samba/kregedit/"
SRC_URI="http://jelmer.vernstok.nl/releases/${P}.tar.gz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~x86"
IUSE=""
editreg.cpp: In function `int data_to_ascii(unsigned char*, int, int, char*, int)':
editreg.cpp:1560: error: invalid conversion from `char*' to `unsigned char*'
editreg.cpp:1564: error: invalid conversion from `char*' to `unsigned char*'
editreg.cpp:1568: error: invalid conversion from `char*' to `unsigned char*'
editreg.cpp:1571: error: invalid conversion from `unsigned char*' to `char*'
editreg.cpp: In function `REGF_HDR* nt_get_regf_hdr(REGF*)':
editreg.cpp:1661: error: invalid conversion from `void*' to `char*'
tcpflow version bumped too
mac-robber-1.00 added. Added another URL.
This has been added to the portage tree for quite a while now. Marking as
FIXED.