Monday, December 2, 2013

Malware Forensics Tools

Windows Prefetch Files:


WinPrefetchView:

WinPrefetchView is a small utility that reads the Prefetch files stored in your system and displays the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded at Windows boot.





WinPrefetchView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - WinPrefetchView.exe

The main window of WinPrefetchView contains 2 panes: the upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.

There is also a special Prefetch file, with the 'NTOSBOOT-B00DFAAD.pf' filename, which can show you the list of files that are loaded during the Windows boot process.

WinPrefetchView also allows you to delete the selected Prefetch files. However, be aware that even when you delete a Prefetch file, it'll be created again by the operating system when you run the same program again.
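To make concrete what WinPrefetchView is reading, here is an added example (not NirSoft's code and not part of the original post) that parses the uncompressed Prefetch layouts used by Windows XP through 8.1: the executable name, the run count, the last run time and the list of files the application loaded. The field offsets are an assumption taken from the libscca format description; the sample .pf file is constructed inside the script, so it runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

SCCA_SIGNATURE = b"SCCA"
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets of the last-run FILETIME and the run counter for the uncompressed
# Prefetch layouts (version number = first 4 bytes of the file). Assumption: these
# follow the libscca format notes; Windows 8 keeps eight last-run times starting at
# offset 128 and this parser reads only the most recent one. Windows 10 files are
# MAM-compressed and are rejected here.
_LAYOUT = {
    17: (120, 144),  # Windows XP / Server 2003
    23: (128, 152),  # Windows Vista / 7
    26: (128, 208),  # Windows 8 / 8.1
}


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return (dt - _EPOCH) // timedelta(microseconds=1) * 10


def parse_prefetch(data):
    """Return executable name, run count, last run time and the loaded-file list."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != SCCA_SIGNATURE:
        raise ValueError("not a Prefetch file: SCCA signature missing")
    if version not in _LAYOUT:
        raise ValueError(f"unsupported Prefetch version {version} "
                         "(Windows 10 files must be MAM-decompressed first)")
    # Executable name: 60-byte NUL-terminated UTF-16LE field at offset 16.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]   # hash seen in the .pf file name
    strings_off, strings_size = struct.unpack_from("<II", data, 100)
    last_run_off, run_count_off = _LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, last_run_off)[0]
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    loaded_files = [s for s in blob.split("\x00") if s]     # NUL-separated device paths
    return {
        "version": version,
        "executable": exe_name,
        "prefetch_hash": prefetch_hash,
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run),
        "loaded_files": loaded_files,
    }


def build_sample_prefetch():
    """Constructed sample (not a real capture): a version-17 layout file for EVIL.EXE
    that ran 7 times, last on 2013-12-02 10:30 UTC."""
    files = [
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
        "\\DEVICE\\HARDDISKVOLUME1\\DOCUME~1\\USER\\LOCALS~1\\TEMP\\EVIL.EXE",
    ]
    strings_blob = "".join(f + "\x00" for f in files).encode("utf-16-le")
    strings_off = 152                       # the version-17 header is 152 bytes long
    hdr = bytearray(strings_off)
    struct.pack_into("<I4s", hdr, 0, 17, SCCA_SIGNATURE)
    struct.pack_into("<I", hdr, 12, strings_off + len(strings_blob))   # total file size
    name = "EVIL.EXE".encode("utf-16-le") + b"\x00\x00"
    hdr[16:16 + len(name)] = name
    struct.pack_into("<I", hdr, 76, 0x1A2B3C4D)                        # constructed hash
    struct.pack_into("<II", hdr, 100, strings_off, len(strings_blob))
    struct.pack_into("<Q", hdr, 120,
                     datetime_to_filetime(datetime(2013, 12, 2, 10, 30, tzinfo=timezone.utc)))
    struct.pack_into("<I", hdr, 144, 7)                                # run count
    return bytes(hdr) + strings_blob


if __name__ == "__main__":
    info = parse_prefetch(build_sample_prefetch())
    print(f"{info['executable']} ran {info['run_count']}x, "
          f"last {info['last_run']:%Y-%m-%d %H:%M:%S} UTC")
    for path in info["loaded_files"]:
        print("  loaded:", path)
```

The loaded-file list is the part worth a second look during triage: a binary run from a temp directory that pulls in DLLs from an unexpected location shows up here even after the binary itself is gone, and the run count and last-run time survive deletion of the executable.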

 Download Link : http://www.nirsoft.net/utils/winprefetchview.zip


 Windows Registry Hives:

RegRipper:

RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.



RegRipper consists of two basic tools, both of which provide similar capability. The RegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated. If the analyst chooses to parse the System hive, they might also choose to send the results to system.txt. The GUI tool will also create a log of its activity in the same directory as the output file, using the same file name but with the .log extension (i.e., if the output is written to system.txt, the log will be written to system.log).

RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed at a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of its activity.

RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.


Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts now have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.

Download Link : http://code.google.com/p/regripper/downloads/list



auto_rip:

auto_rip is a wrapper script for RegRipper. The script automates the execution of the RegRipper plug-ins according to the categories below:

all              gets information from all categories
os               gets General Operating System Information
users            gets User Account Information
software         gets Installed Software Information
network          gets Networking Configuration Information
storage          gets Storage Information
execution        gets Program Execution Information
autoruns         gets Autostart Locations Information
log              gets Logging Information
web              gets Web Browsing Information
user_config      gets User Account Configuration Information
user_act         gets User Account General Activity
user_network     gets User Account Network Activity
user_file        gets User Account File/Folder Access Activity
user_virtual     gets User Account Virtualization Access Activity
comm             gets Communication Software Information
 
SHA1 Checksum: 55828924ce01190b5e4c292c3fb979b3b5b12c88

Download Link : http://regripper.googlecode.com/files/auto_rip-5-16-2013.zip
 
 

NTFS Artifacts

AnalyzeMFT:

analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple formats.
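As an added example, not analyzeMFT's own code, the following Python script parses one 1024-byte MFT entry the way a tool like analyzeMFT has to: it undoes the NTFS fixup (update sequence) protection, walks the attribute list and decodes the resident $STANDARD_INFORMATION, $FILE_NAME and $DATA attributes. The record layout is an assumption taken from the public NTFS documentation. The sample record is constructed inline, with a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one so that the timestomp check at the end fires.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE, SECTOR = 1024, 512
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(record):
    """Undo update-sequence protection: NTFS stamps the last two bytes of every sector
    with the update sequence number and keeps the originals in the update sequence
    array. A stamp that does not match means a torn write or a bogus record."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        pos = i * SECTOR - 2
        if bytes(rec[pos:pos + 2]) != usn:
            raise ValueError(f"fixup mismatch at end of sector {i - 1}")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def _times(buf, off):
    """Four consecutive FILETIMEs: created, modified, MFT modified, accessed."""
    c, m, mm, a = struct.unpack_from("<QQQQ", buf, off)
    return {"created": filetime_to_datetime(c), "modified": filetime_to_datetime(m),
            "mft_modified": filetime_to_datetime(mm), "accessed": filetime_to_datetime(a)}


def parse_mft_record(record):
    """Parse one MFT entry: header flags plus resident $STANDARD_INFORMATION,
    $FILE_NAME and $DATA. Non-resident attributes are listed but not followed."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record (unused slot or BAAD)")
    rec = apply_fixups(record)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 16)
    entry = {"record_number": struct.unpack_from("<I", rec, 44)[0], "sequence": seq,
             "in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02),
             "link_count": links, "attributes": []}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        entry["attributes"].append(atype)
        if rec[off + 8] == 0:                        # resident: content follows the header
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + csize]
            if atype == ATTR_STANDARD_INFORMATION:
                entry["si_times"] = _times(content, 0)
            elif atype == ATTR_FILE_NAME:
                entry["parent_record"] = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF
                entry["fn_times"] = _times(content, 8)
                name_len = content[64]               # content[65] is the namespace byte
                entry["file_name"] = content[66:66 + 2 * name_len].decode("utf-16-le")
            elif atype == ATTR_DATA:
                entry["resident_data"] = content
        off += alen
    return entry


def timestomp_suspect(entry):
    """$FILE_NAME times are set by the kernel and are not reachable through the
    ordinary SetFileTime path; a $STANDARD_INFORMATION creation time older than
    $FILE_NAME's is a classic indicator of timestamp tampering."""
    return entry["si_times"]["created"] < entry["fn_times"]["created"]


def _ft(dt):
    return (dt - _EPOCH) // timedelta(microseconds=1) * 10


def _attr(atype, content, attr_id):
    """Resident attribute: 16-byte common header + 8-byte resident header + content."""
    alen = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, alen, 0, 0, 24, 0, attr_id)
    hdr += struct.pack("<IHBB", len(content), 24, 0, 0)
    return hdr + content + b"\x00" * (alen - 24 - len(content))


def build_sample_record():
    """Constructed sample (not a real $MFT extract): record 4242 for update.exe whose
    $STANDARD_INFORMATION creation time was rolled back to 2009."""
    real = datetime(2013, 12, 2, 9, 15, 4, tzinfo=timezone.utc)
    fake = datetime(2009, 7, 14, 1, 0, 0, tzinfo=timezone.utc)
    si = struct.pack("<QQQQI", _ft(fake), _ft(real), _ft(real), _ft(real), 0x20) + b"\x00" * 12
    name = "update.exe".encode("utf-16-le")
    fn = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, _ft(real), _ft(real), _ft(real), _ft(real),
                     4096, 3072, 0x20, 0, len(name) // 2, 3) + name
    body = (_attr(ATTR_STANDARD_INFORMATION, si, 0) + _attr(ATTR_FILE_NAME, fn, 1)
            + _attr(ATTR_DATA, b"MZ" + b"\x90" * 30, 2) + struct.pack("<I", ATTR_END))
    rec, first_attr = bytearray(RECORD_SIZE), 56
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 48, 3, 0x1000, 2, 1, first_attr,
                     0x01, first_attr + len(body), RECORD_SIZE, 0, 3, 0, 4242)
    rec[first_attr:first_attr + len(body)] = body
    usn = b"\x07\x00"                                # emulate the on-disk fixups
    rec[48:50] = usn
    for i in (1, 2):
        pos = i * SECTOR - 2
        rec[48 + 2 * i:50 + 2 * i] = rec[pos:pos + 2]
        rec[pos:pos + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    e = parse_mft_record(build_sample_record())
    print(e["record_number"], e["file_name"], "timestomp suspect:", timestomp_suspect(e))
```

Applying the fixups before reading any attribute is the step most home-grown parsers skip; on a real $MFT the stamped bytes land inside attribute content on roughly one record in a few hundred, and a parser that ignores them silently produces wrong names and timestamps for exactly those entries.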
 
Documentation : http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf 

Download Link : https://github.com/dkovar/analyzeMFT
 
 

Windows Journal Parser (jp) :

jp is a command line tool that targets NTFS change log journals. The change journal is a component of NTFS that will, when enabled, record changes made to files. The change journal is located in the $UsnJrnl MFT entry, and the journal entries are located in the alternate data stream $J. Each entry is of variable size and its internal structure is documented on MSDN.

The change journal will record, amongst other things: (a) the time of the change, (b) the affected file/directory, and (c) the change type - delete, rename, size extend, etc. - which makes it a useful tool when examining a computer forensically.
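An added example, not the jp tool's own code: a Python reader for the USN_RECORD_V2 entries found in $UsnJrnl:$J. It skips the sparse zero-filled region at the start of the stream, decodes the reason flags into their winioctl.h names and splits the 64-bit file reference into MFT entry number and sequence number. The record layout and flag values are assumptions taken from the MSDN documentation the text refers to; the sample journal is constructed in the script and shows the create, rename and delete events the text mentions.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_RECORD_V2 reason flags (winioctl.h names without the USN_REASON_ prefix).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
FILE_ATTRIBUTE_DIRECTORY = 0x10

# Fixed 60-byte header: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset. The name follows as UTF-16LE.
_V2 = struct.Struct("<IHHQQQQIIIIHH")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def decode_reasons(mask):
    names = [name for bit, name in sorted(USN_REASONS.items()) if mask & bit]
    unknown = mask & ~sum(USN_REASONS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def iter_usn_records(stream):
    """Walk a $UsnJrnl:$J stream. The stream is sparse (the oldest part has been
    released), so runs of zero bytes are skipped until a record length appears."""
    off, end = 0, len(stream)
    while off + 4 <= end:
        rec_len = struct.unpack_from("<I", stream, off)[0]
        if rec_len == 0:
            off += 8
            continue
        if rec_len < _V2.size or rec_len % 8 or off + rec_len > end:
            raise ValueError(f"corrupt USN record at offset {off}")
        (_, major, _minor, fref, pref, usn, ts, reason, _src, _sid, attrs,
         name_len, name_off) = _V2.unpack_from(stream, off)
        if major == 2:   # V3/V4 records (128-bit ReFS references) are skipped here
            name = stream[off + name_off:off + name_off + name_len].decode("utf-16-le")
            yield {
                "usn": usn,
                "timestamp": filetime_to_datetime(ts),
                "name": name,
                "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
                "mft_entry": fref & 0xFFFFFFFFFFFF,      # low 48 bits: MFT record number
                "mft_sequence": fref >> 48,             # high 16 bits: reuse counter
                "parent_entry": pref & 0xFFFFFFFFFFFF,
                "reasons": decode_reasons(reason),
            }
        off += rec_len


def build_usn_record(usn, when, fref, pref, reason, name, attrs=0x20):
    """Pack one V2 record (used only to construct the sample stream below)."""
    name_b = name.encode("utf-16-le")
    rec_len = (_V2.size + len(name_b) + 7) & ~7          # records are 8-byte aligned
    ts = (when - _EPOCH) // timedelta(microseconds=1) * 10
    hdr = _V2.pack(rec_len, 2, 0, fref, pref, usn, ts, reason, 0, 0, attrs,
                   len(name_b), _V2.size)
    return hdr + name_b + b"\x00" * (rec_len - _V2.size - len(name_b))


def build_sample_journal():
    """Constructed sample (not a real capture): a file is created as update.tmp,
    renamed to update.exe, then deleted, all under the same MFT entry."""
    t0 = datetime(2013, 12, 2, 9, 15, 0, tzinfo=timezone.utc)
    fref = (3 << 48) | 4242            # MFT entry 4242, sequence number 3
    parent = (5 << 48) | 5             # parent directory, MFT entry 5
    recs = [
        build_usn_record(0x2000, t0, fref, parent, 0x00000100 | 0x80000000, "update.tmp"),
        build_usn_record(0x2050, t0 + timedelta(seconds=4), fref, parent, 0x00001000, "update.tmp"),
        build_usn_record(0x20A0, t0 + timedelta(seconds=4), fref, parent,
                         0x00002000 | 0x80000000, "update.exe"),
        build_usn_record(0x20F0, t0 + timedelta(minutes=12), fref, parent,
                         0x00000200 | 0x80000000, "update.exe"),
    ]
    return b"\x00" * 16 + b"".join(recs)   # leading zeros mimic the sparse region


def change_timeline(stream):
    """Flatten a $J stream into (time, MFT entry, reasons, name) rows for review."""
    return [(r["timestamp"], r["mft_entry"], "|".join(r["reasons"]), r["name"])
            for r in iter_usn_records(stream)]


if __name__ == "__main__":
    for when, entry, reasons, name in change_timeline(build_sample_journal()):
        print(f"{when:%Y-%m-%d %H:%M:%S}  MFT#{entry:<6}  {reasons:<24}  {name}")
```

Keying the timeline on the MFT entry rather than the name is what lets an analyst tie the RENAME_OLD_NAME and RENAME_NEW_NAME pair together and follow a file across its rename; the sequence number is what distinguishes that file from a later one that reuses the same entry after the delete.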







Downloads

               32-bit Version            64-bit Version
Windows:       jp32.v.1.07.win.zip       jp64.v.1.07.win.zip
Linux:         jp32.v.1.07.lin.tar.gz    jp64.v.1.07.lin.tar.gz
Mac OS X:      jp.v.1.07.osx.tar.gz      jp.v.1.07.osx.tar.gz


Open Source Tools for Live Meeting (Web Conferencing)

posts. Guys, most of you find these posts a valuable resource for the e-Learning community. As a result, the following post is about Free and Open Source Web Conferencing (Online Meetings, Webinars) Tools for e-Learning.




The following list contains free and open source Web Conferencing tools that aren't in any particular order.



Also, you should be sure that the e-Learning community will highly appreciate:

  1. if you post a comment with your experience with these tools and/or,

  2. if you post a comment with a link to any other free and open source Web Conferencing tool.

We support Free eLearning! Do you?







BigBlueButton* is built for Higher Education. It enables universities and colleges to deliver a high-quality learning experience to remote students. BigBlueButton is an active open source project that focuses on usability, modularity, and clean design -- both for the user and the developer. The project is hosted at Google Code. BigBlueButton is built by combining over fourteen open source components.



*note: Epignosis has created a module that provides integration of BigBlueButton conferencing in eFront Open Source Learning Management System. BigBlueButton is a free web-conferencing tool with text chat, audio and video capabilities, a virtual whiteboard and many more presentation and conferencing features.




OpenMeetings is a free browser-based software that allows you to instantly set up a conference on the Web. You can use your microphone or webcam, share documents on a whiteboard, share your screen or record meetings. It is available as a hosted service, or you can download and install a package on your server with no limitations on usage or users.








Mikogo is a free desktop sharing tool full of features to assist you in conducting the perfect online meeting or web conference. Take advantage of the opportunity to share any screen content or application over the Internet in true color quality with up to 10 participants simultaneously, while still sitting at your desk.












Yugma free web conferencing allows anyone, anywhere to instantly share their desktop and ideas online with others. To start hosting your own meetings you have to sign up for FREE. Your Yugma Free web conferencing account allows you to invite up to 20 attendees.







Using WebHuddle, you have options and flexibility. Meetings can be conducted either in conjunction with an enterprise’s existing teleconferencing service, or utilizing WebHuddle’s optional voice over IP. WebHuddle also offers recording capabilities -- presentations can easily be recorded for playback over any web browser for those who missed the live meeting.










With Vyew you can give a presentation to a hundred people online or post a document you've been working on for review by your colleagues at their convenience. Vyew is extremely flexible, allowing you to bring online collaboration and conferencing into your workflow on your terms.









Dimdim delivers synchronized live presentations, whiteboards and web pages while sharing your voice and video over the Internet - with no download. With the Free edition you can get 10 person meetings, 1 way video, standard support, Dimdim branded rooms, and public meetings.



*note: Epignosis has created a module that provides integration of Dimdim conferencing in eFront Open Source Learning Management System.




Adobe® ConnectNow is a great way to share ideas, discuss details, and complete work with others all online. Reduce travel costs, save time, and increase productivity with a web conferencing solution that's easy to access and simple to use. ConnectNow operates inside a web browser. There's no installation required, so getting started is easy and Free.