Currently, Gentoo lacks the ability to "emerge" tools that would be used in performing a forensic investigation. These tools include, but are not limited to:
1. The Coroner's Toolkit (http://www.porcupine.org/forensics/tct.html)
2. Sleuthkit (http://www.sleuthkit.org)
3. Autopsy (http://www.sleuthkit.org)
4. Foremost (http://foremost.sf.net)

Reproducible: Always
Steps to Reproduce:
neat.. got any ebuilds for these? Also, these sorts of things would be much more useful on a livecd, what do you think zhen?
These two could be moved into "app-forensics" after Mitchell attaches the ebuilds, then yn.
- app-admin/aide
- dev-util/examiner
then only a few more would be needed to justify "app-forensics"
well, could we consider the category as a place for pre and post investigation ? thus aide and tripwire and similar IDS's could go in it
- Stegdetect (http://www.outgress.org/) - tries to detect steganography
- Fatback (http://www.sf.net/projects/biatchux/) - attempts to unerase FAT stuff
- http://sourceforge.net/project/showfiles.php?group_id=78332
- http://odessa.sourceforge.net/ - Open data duplicator
- Galleta - IE Cookie Parser
- Pasco - IE Activity Parser
- Rifiuti - Recycle Bin Analyzer

Fun stuff to read:
- http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf
- http://www.crazytrain.com/monkeyboy/csi_2003_linux_forensics.pdf
- http://sourceforge.net/softwaremap/trove_list.php?form_cat=43

I'll see if I can find anything else.
i don't know about steganography.. it's a sensitive subject in America, see http://niels.xtdnet.nl/stego/
i really don't think we should let that kind of crap affect the addition of steganography related programs ... after all, if it's truly questionable, we just change the ebuild to have RESTRICT=nomirror and Gentoo should be in the clear ... we host scripts that fetch files and build them, that's it
Oops... wrong URL... http://www.outguess.org/detection.php

Also:
- http://sourceforge.net/projects/ol2mbox/ - Outlook to mbox converter (used for litigation support, etc., but also useful for anyone.) Note that this guy MIGHT have been threatened by Microsoft, as some of the content from his page that contained newer versions has mysteriously disappeared, and they once mentioned legal issues. The program works fairly well, though.
- http://sourceforge.net/projects/air-imager/ - AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images. Supports verification via MD5/SHA1, SCSI tape drives, imaging over a TCP/IP network, and complete session logging.
- http://sourceforge.net/projects/regviewer/ - RegViewer is a GTK 2.2 based GUI Windows registry file navigator. It is platform independent, allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.
- http://freshmeat.net/projects/ftimes/ - FTimes is a system baselining and evidence collection tool. Its primary purpose is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis. It was designed to support the following initiatives: content integrity monitoring, incident response, intrusion analysis, and computer forensics.
- http://freshmeat.net/projects/rda/ - RDA is a computer forensics tool to remotely acquire data. Usually disk cloning or disk/partition imaging means one has to move the disk onto another system, and things are more complicated if it's a laptop disk. The alternative provided by rda is to boot the data source machine with a minimal Linux system from a floppy or CD, and simply run rda. Some of the options provided are data transfer verification with MD5 and/or CRC32 checksums, skipping read errors, and spanning over multiple files.
http://software.freshmeat.net/projects/fohad/ The Forensic Hash Database is a project to combine the various hashsum sources like The KnownGoods Database, Hashkeeper, NIST NSRL, and Dan Farmer's hashsum archive into a single meta database. Integration into the forensic analysis toolkit The Sleuth Kit is provided through a patch.
wow, i don't have time to write ebuilds for all these, any volunteers?
I guess I'll do a few.
Can someone merge http://bugs.gentoo.org/show_bug.cgi?id=39934 and http://bugs.gentoo.org/show_bug.cgi?id=39935 into the portage tree as ~x86?
Created attachment 26972: Foremost 0.69 ebuild

Foremost ebuild that I am not sure if it works or not.
re comment #10 I don't think either of the two will be accepted as is. Both of those ebuilds look like they need to use the portage api, install docs to the right place etc..
i can write a few more ebuilds on this subject this week.
I just really wanted to list my support for this particular tree for gentoo..I can't wait until the ebuilds are implemented for these packages. ~jeff~
Diego, how's it coming?
Looks like foremost was already added to the portage tree under bug #47094.
Two new ebuilds have been written and added to the portage tree in order to respond to the needs of another user. The first is bug #47096, which covers sleuthkit and now replaces Diego's ebuild in bug #39935. The second is bug #47097, which covers autopsy.
The Coroner's Toolkit - bug #39934

The rest in comment #8 and comment #5 are not implemented. David or Diego, any more thoughts on the ebuilds?

Packages committed (or almost):
- stegdetect - getting around a few compile problems - hasn't been touched for ages though
- sys-apps/memdump - almost there
- app-admin/autopsy - done
- app-admin/sleuthkit - done
- app-admin/aide - done
- dev-util/examiner - done
- app-admin/foremost - done
- sys-apps/air (http://air-imager.sourceforge.net/) - done
bug-wranglers: hardened doesn't have the resources to support this, can you try to find someone else to do so?
Don't forget:
- app-admin/chkrootkit
- app-admin/rkhunter
http://sourceforge.net/projects/pyflag is another one for consideration. FLAG was designed to simplify the process of log file analysis and forensic investigations. FLAG facilitates efficient analysis of large quantities of data within an interactive environment. PyFlag is the reimplementation of FLAG in Python.
Email sent to gentoo-dev seeking approval for the category. This doesn't really block bug 39934.
soon to be fixed....
Well the branch has been created. The herd has been created. I'm going to leave this bug open just as a reminder of a few other packages to include. Feel free to add ebuilds for them.
individual bugs created for outstanding ebuilds.
Hi, one forensics tool that could be added is AIRT, for "Advanced incident response tool". It is new and actively developed: http://159.226.5.93/projects/airt.htm
I've found a long, long list of forensics tools on this site: http://www.forinsect.de/forensics/forensics-tools.html It is huge...
- AIRT - bug 79524
- The Sleuth Kit (TSK) - done
- Autopsy - done
- Pepijn Vissers released a patch - need to check
- FLAG - obsoleted by pyflag - bug 73301
- mac-robber - not part of sleuthkit (just checked) - will look at
- Foremost - done
- Magic Rescue - will look at
- gpart - sys-apps/gpart - has a few bugs open on it.
- The Coroner's Toolkit (TCT) - done
- TCTutils - low pri - see if there is any value not included elsewhere

Network Forensics:
- nstreams: need to look
- slogdump - looks interesting.
- tcpflow - net-analyzer/tcpflow - needs version bump
- Chaosreader - need to look
- driftnet - need to look
- Ftimes Project - last touched March 2004 - maybe - bug 73296
- bmap - looks interesting
- autoclave - deleting really not in the interests of forensics :-)
- cryptcat - cvs version as of 20031202 - doesn't seem to be maintained
- Foundstone Forensic Utilities - good link - hope these are better than the older versions on sourceforge.
- Fenris - looks promising
- e2recover - could be easy
- NASA tool collection - enhanced_loopback - 2.4 kernel only :-( - fatback - sounds good - bug 73299
- Carvdawg's Perl Page - maybe
- md5deep - need to compare against ftimes
- dcfldd - sys-apps/dcfldd
- Cryogenic - nice
- mcore - not sure it's forensics
- procshow - if this has something a lot better than other programs
- Project Odessa: bug 73300

Registry editors (non-Windows):
- ntreg: needed by pyflag - TODO
- kregedit: wow - a gui - will look
- chntpw: sneaky - not really forensics though
- e2salvage: good - compare to recover
- kern_check: potentially
- Faust: maybe
- AIR: in portage - app-forensics/air
- memfetch: dumps the memory of a running process - nice
- memdump: what special features?
- elfcmp: a tool for comparing ELF binaries to processes - neat
- sdd: don't think it adds that much.
- chkrootkit: app-forensics/chkrootkit
- Rootcheck: new rootkit detection tool - will look at it
- Rootkit Hunter: app-forensics/rkhunter

Mail analysis tools:
- Mail Viewer: ok
- ol2mbox: an Outlook to mbox format mail converter - looking into it
- mboxgrep: ok
- getattach.pl: probably covered elsewhere

Sources for Known-Good / Known-Bad hashsums: look at adding support for these in pyflag

lots to look at. any favourites?
more options - should write bugs on good ones initially.
kregedit-0.1 - compile failure

# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

inherit kde

DESCRIPTION="kregedit is KDE utility for viewing native Windows registry files."
HOMEPAGE="http://jelmer.vernstok.nl/samba/kregedit/"
SRC_URI="http://jelmer.vernstok.nl/releases/${P}.tar.gz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~x86"
IUSE=""

editreg.cpp: In function `int data_to_ascii(unsigned char*, int, int, char*, int)':
editreg.cpp:1560: error: invalid conversion from `char*' to `unsigned char*'
editreg.cpp:1564: error: invalid conversion from `char*' to `unsigned char*'
editreg.cpp:1568: error: invalid conversion from `char*' to `unsigned char*'
editreg.cpp:1571: error: invalid conversion from `unsigned char*' to `char*'
editreg.cpp: In function `REGF_HDR* nt_get_regf_hdr(REGF*)':
editreg.cpp:1661: error: invalid conversion from `void*' to `char*'

tcpflow version bumped too
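The kregedit errors above are g++ refusing the implicit conversions between `char*`, `unsigned char*` and `void*` that older compilers tolerated. As an added illustration (not kregedit's or Gentoo's code), here is a hypothetical `data_to_ascii`-style routine with an `unsigned char*` parameter and a caller that holds the bytes in a plain `char` buffer, written the way the file would have to be patched to build: with an explicit `reinterpret_cast`.

```cpp
#include <cstddef>
#include <string>

// Hypothetical stand-in for a routine like kregedit's data_to_ascii():
// render raw registry value bytes as printable ASCII, replacing anything
// non-printable with '.'. The parameter is unsigned char* so that bytes
// >= 0x80 are compared as 128..255 and not sign-extended to negatives.
// Returns the number of characters written (excluding the NUL).
int data_to_ascii(const unsigned char *data, int len, char *out, int outlen)
{
    int n = 0;
    for (int i = 0; i < len && n < outlen - 1; ++i) {
        unsigned char c = data[i];
        out[n++] = (c >= 0x20 && c < 0x7f) ? static_cast<char>(c) : '.';
    }
    out[n] = '\0';
    return n;
}

// Caller holding the bytes in a char buffer, as read from a hive file.
// Passing `buf` directly is exactly the "invalid conversion from `char*'
// to `unsigned char*'" error in the build log: C++ has no implicit
// conversion between the two pointer types, so the cast must be explicit.
std::string render(const char *buf, int len)
{
    char out[64];
    data_to_ascii(reinterpret_cast<const unsigned char *>(buf), len,
                  out, static_cast<int>(sizeof out));
    return std::string(out);
}

// Constructed sample value: ASCII text, an embedded NUL, a control byte
// and a high byte (0xff), which a signed char would otherwise see as -1.
std::string sample_render()
{
    const char raw[] = {'H', 'K', 'E', 'Y', '\0', '\x01', '\xff', 'x'};
    return render(raw, static_cast<int>(sizeof raw));
}
```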
mac-robber-1.00 added. Added another URL.
app-forensics/magicrescue-1.1.4 added. It suggested these JPEG recovery tools: "This seems to be the file type most people are trying to recover. Available utilities include <http://www.cgsecurity.org/?photorec.html>, <http://codesink.org/recover.html>, and <http://www.vanheusden.com/findfile/>."
Re comment 33: http://www.cgsecurity.org/?photorec.html is part of app-admin/testdisk. Version bumped to 5.5.
http://dftt.sourceforge.net/ for test images.
This has been added to the portage tree for quite a while now. Marking as FIXED.