Showing posts with label forensics. Show all posts
Showing posts with label forensics. Show all posts

Tuesday, August 14, 2018

Free Indicators of Compromise (IOC) Tools - FireEye

IOC Finder

FireEye Indicators of Compromise (IOC) Finder is a free tool for collecting host system data and reporting the presence of IOCs. IOCs are open-standard XML documents that help incident responders capture diverse information about threats.


The IOC Finder features:
  • Collection of full data, sufficient for general IOC matching requirements
  • Usage of a portable storage device for collection from multiple hosts
  • IOC hit reporting in simple text, full HTML and full MS Word XML formats
  • Generation of reports for specific hosts or all hosts

Download Link : https://www.fireeye.com/services/freeware/ioc-finder.html

IOC Editor

 
FireEye Indicators of Compromise (IOC) Editor is a free tool that provides an interface for managing data and manipulating the logical structures of IOCs. IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes and artifacts in memory.

The IOC Editor includes:
  • Manipulation of the logical structures that define the IOC
  • Application of meta-information to IOCs, including detailed descriptions or arbitrary labels
  • Conversion of IOCs into XPath filters
  • Management of lists of “terms” used within IOCs
 Download Link : https://www.fireeye.com/services/freeware/ioc-editor.html

IOC Writer

IOC Writer provide a python library that allows for basic creation and editing of OpenIOC objects.

Provide a python library that allows for basic creation and editing of OpenIOC objects. It supports a basic CRUD (Create, Read, Update, Delete) for various items.
Items do not have built in Read operations, since all items can be accesed with built in ElementTree syntax or the use of XPATH to select portions of the IOC.

Download Link : https://github.com/mandiant/ioc_writer























































Wednesday, April 23, 2014

Mobile Device / Smartphone Forensic Analysis Investigation Tools

Mobile device forensics :
                            is directly connected to digital forensics and can be defined as being the recovery of digital information or data which is often used for criminal evidence. Mobile Device Forensics by definition applies only to mobile devices, e.g. tablets, cell phones etc, but it the term also includes any portable digital device that has both internal memory and communication abilities such as PDA devices and also GPS devices.






iPhone Analyzer:
                        allows you to forensically examine or recover date from in iOS device. It principally works by importing backups produced by iTunes or third party software, and providing you with a rich interface to explore, analyses and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the original data.

Features

  • Supports iOS 2, iOS 3, iOS 4 and iOS 5 devices
  • Multi-platform (Java based) product, supported on Linux, Windows and Mac
  • Fast, powerful search across device including regular expressions
  • Integrated mapping supports visualisation of geo-tagged information, including google maps searches, photos, and cell-sites and wifi locations observed by the device (the infamous "locationd" data)
  • Integrated support for text messages, voicemail, address book entries, photos (including metadata), call records and many many others
  • Recovery of "deleted" sqlite records (records that have been tagged as deleted, but have not yet been purged by the device can often be recovered),/li>
  • Integrated visualisation of plist and sqlite files
  • Includes support for off-line mapping, supporting mapping on computers not connected to the Internet
  • Support for KML export and direct export to Google Earth
  • Browse the device file structure, navigate directly to key files or explore the device using concepts such as "who", "when", "what" and "where".
  • Analyse jail broken device directly over SSH without need for backup (experimental)
Download Link : http://sourceforge.net/projects/iphoneanalyzer/


BitPim:
           is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones.


Download Link : http://sourceforge.net/projects/bitpim/files/

Mobile Internal Acquisition Tool (MIAT)

                                                                this tool which discusses a crucial aspect of Mobile Device Forensics, i.e. the recovery of deleted SMS Text Messages. We are not 100% sure if this tool is publically available and if anyone reading this can help us locate where to find it we’d been very grateful!.

In examining the MIAT dump of the phone's filesystem, I found the following interesting items of evidence (note that these are not intended to be comprehensive):
  • \Windows\Profiles\guest\ - Contained the Pocket IE cache, including Cookies, index.dat (which was not extracted due to the previously specified issue), and Temporary Internet Files
  • \Windows\Messaging - Contained various .mbp files which proved to hold the text of downloaded email messages. There is also an Attachments folder under this path that may hold downloaded attachments.
  • \Windows\ActiveSync - Contained various configuration and log files from Activesync
  • \Windows\Favorites - Contained Favorite links used by Pocket IE
  • \Application Data\GoogleMaps - Contained configuration and cache files used by the installed Google Maps application. These files are all binary, but one of them, prefsext.dat, contains a variety of strings which match searches that have been performed and results (street addresses) which have been returned. Somebody could probably reverse engineer the format and write a parser for this that would be really useful.
  • \*.vol these files contain Embedded databases, which include all of the phone-related information such as call logs, phone book, appointment list, etc. I haven't yet found a free application to parse them, but there's got to be something out there.
  • I also found a number of other empty Attachments folders, as well as additional empty Profiles and Temporary Internet Folders folders. This probably means that these various locations are implementation dependant.
 Download Link : http://www.dfrws.org/2008/proceedings/p121-distefano_pres.pdf


TULP2G:
           is a .NET based forensic software framework for extracting and decoding data stored in electronic devices.

“TULP2G is a forensic software framework developed to make it easy to extract and decode data from digital devices.”

Download Link : http://sourceforge.net/projects/tulp2g/

Santoku Community Edition:
                                runs in the lightweight Lubuntu Linux distro. It can be run in VirtualBox (recommended) or VMWare Player, both available free and run on Linux, Mac or Windows. The Lubuntu download is large because it is a full .iso. We recommend you download on a fast connection. 


Tools to acquire and analyze data
  • Firmware flashing tools for multiple manufacturers
  • Imaging tools for NAND, media cards, and RAM
  • Free versions of some commercial forensics tools
  • Useful scripts and utilities specifically designed for mobile forensics
Download Link : https://santoku-linux.com/download


UFED Physical Analyzer is the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more. - See more at: http://www.toolwar.com/2014/04/ufed-physical-analyzer-mobile-forensics.html#sthash.ipUOiqQB.dpuf
 UFED Physical Analyzer :
                                         is the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more.
UFED Physical Analyzer is the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more. - See more at: http://www.toolwar.com/2014/04/ufed-physical-analyzer-mobile-forensics.html#sthash.ipUOiqQB.dpuf

UFED Physical Analyzer is the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more. - See more at: http://www.toolwar.com/2014/04/ufed-physical-analyzer-mobile-forensics.html#sthash.ipUOiqQB.dpuf
 
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool


Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Mobile Internal Acquisition Tool
Advanced capabilities for:

iOS ::

    Bypassing simple and complex passcode while performing physical and file system extraction on selected devices running iOS 3.0 or higher including iOS 6.
    Real-time decryption and decoding of data, applications, and keychain real-time decryption while revealing user passwords.
    Advanced decoding of applications.

BlackBerry ::

    Advanced decoding of BlackBerry Messenger (BBM), emails, locations, applications and more.
    Real-time decryption of protected content from selected BlackBerry devices running OS 4+ using a given password.

Android ::

    Advanced decoding of all physical extractions performed on devices running any Android versions.
    Advanced decoding of applications and application files.

GPS ::

    Portable GPS devices extraction and decoding.
    Exclusive – Physical extraction of Tom Tom trip-log files.

 Download Link : http://go.cellebrite.com/30DayPhysicalAnalyzerTrial

Oxygen Forensic® Suite:

                           Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features include the ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.


Download Link : http://www.oxygen-forensic.com/en/download/freeware


Advanced capabilities for:

iOS :: 
  • Bypassing simple and complex passcode while performing physical and file system extraction on selected devices running iOS 3.0 or higher including iOS 6.
  • Real-time decryption and decoding of data, applications, and keychain real-time decryption while revealing user passwords.
  • Advanced decoding of applications.
BlackBerry :: 
  • Advanced decoding of BlackBerry Messenger (BBM), emails, locations, applications and more.
  • Real-time decryption of protected content from selected BlackBerry devices running OS 4+ using a given password.
Android ::
  • Advanced decoding of all physical extractions performed on devices running any Android versions.
  • Advanced decoding of applications and application files.
GPS :: 
  • Portable GPS devices extraction and decoding.
  • Exclusive – Physical extraction of Tom Tom trip-log files.
- See more at: http://www.toolwar.com/2014/04/ufed-physical-analyzer-mobile-forensics.html#sthash.ipUOiqQB.dpuf