Wednesday, April 23, 2014

Mobile Device / Smartphone Forensic Analysis Investigation Tools

Mobile device forensics:
is directly connected to digital forensics and can be defined as the recovery of digital information or data, which is often used as criminal evidence. Mobile device forensics by definition applies only to mobile devices, e.g. tablets, cell phones etc., but the term also includes any portable digital device that has both internal memory and communication abilities, such as PDA devices and also GPS devices.

iPhone Analyzer:
allows you to forensically examine or recover data from an iOS device. It principally works by importing backups produced by iTunes or third-party software, and provides a rich interface to explore, analyse and recover data in human-readable formats. Because it works from the backup files, everything is forensically safe and no changes are made to the original data.

Features

  • Supports iOS 2, iOS 3, iOS 4 and iOS 5 devices
  • Multi-platform (Java based) product, supported on Linux, Windows and Mac
  • Fast, powerful search across device including regular expressions
  • Integrated mapping supports visualisation of geo-tagged information, including google maps searches, photos, and cell-sites and wifi locations observed by the device (the infamous "locationd" data)
  • Integrated support for text messages, voicemail, address book entries, photos (including metadata), call records and many many others
  • Recovery of "deleted" sqlite records (records that have been tagged as deleted, but have not yet been purged by the device, can often be recovered)
  • Integrated visualisation of plist and sqlite files
  • Includes support for off-line mapping, supporting mapping on computers not connected to the Internet
  • Support for KML export and direct export to Google Earth
  • Browse the device file structure, navigate directly to key files or explore the device using concepts such as "who", "when", "what" and "where".
  • Analyse jailbroken devices directly over SSH without need for a backup (experimental)
Download Link : http://sourceforge.net/projects/iphoneanalyzer/
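The "deleted sqlite records" feature listed above works because SQLite, unless secure_delete is on, leaves the bytes of a freed cell in place until the page is reused. The following is an added example written for this page, not code from iPhone Analyzer: it builds a constructed sms-style database with Python's sqlite3 module, deletes one row through the normal API, and then carves the freed row back out of the table's root page by comparing raw printable runs against what a live query returns. The table name, column layout and sample messages are assumptions, and the carving is limited to a single leaf page, so a larger table would also need the b-tree interior pages and the freelist walked.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows for an sms-style table (assumed layout, not real device data).
TABLE = "message"
SAMPLE_MESSAGES = [
    (1, "+15550001111", "meet at the usual place"),
    (2, "+15550002222", "invoice attached, please review"),
    (3, "+15550003333", "deleted-message-marker: call me back"),
]
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # 8+ printable ASCII bytes in a row


def build_sample_db(path):
    """Create the table, insert the sample rows, then delete row 3 through the normal API."""
    conn = sqlite3.connect(path)
    # With secure_delete=ON SQLite zeroes freed cells; OFF keeps their bytes, which
    # is exactly what "deleted record" recovery depends on.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, address TEXT, text TEXT)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute(f"DELETE FROM {TABLE} WHERE id = 3")
    conn.commit()
    conn.close()


def live_texts(path):
    """What an ordinary query shows: only rows still referenced by the b-tree."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute(f"SELECT text FROM {TABLE} ORDER BY id")]
    conn.close()
    return rows


def root_page_bytes(path):
    """Raw bytes of the table's root page, located via page_size and sqlite_master."""
    conn = sqlite3.connect(path)
    page_size = conn.execute("PRAGMA page_size").fetchone()[0]
    rootpage = conn.execute(
        "SELECT rootpage FROM sqlite_master WHERE type='table' AND name=?", (TABLE,)
    ).fetchone()[0]
    conn.close()
    with open(path, "rb") as fh:
        fh.seek((rootpage - 1) * page_size)  # SQLite numbers pages from 1
        return fh.read(page_size)


def recover_deleted(path):
    """Printable runs in the root page that belong to no live row.

    Simplification: a small table fits in its root leaf page, so a freed cell is
    still sitting there. A bigger table needs interior pages and the freelist too.
    """
    live = live_texts(path)
    hits = []
    for m in PRINTABLE_RUN.finditer(root_page_bytes(path)):
        run = m.group().decode("ascii")
        if any(text in run for text in live):
            continue  # content of a row that is still live
        hits.append(run)
    return hits


def demo():
    """Build the sample database in a temp dir and compare query output with carving."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        build_sample_db(path)
        return {"live": live_texts(path), "recovered": recover_deleted(path)}


if __name__ == "__main__":
    result = demo()
    print("live rows:     ", result["live"])
    print("carved (freed):", result["recovered"])
```

The carved run still carries a couple of record-header bytes in front of the address, because SQLite only overwrites the first few bytes of a freed cell with its freeblock header; a full recovery tool parses that header and the serial types rather than relying on printable runs. If the device had secure_delete enabled, the same code would return nothing, which is the limitation the feature list's quotation marks around "deleted" hint at.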


BitPim:
is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones.


Download Link : http://sourceforge.net/projects/bitpim/files/

Mobile Internal Acquisition Tool (MIAT):
This tool addresses a crucial aspect of mobile device forensics, the recovery of deleted SMS text messages. We are not 100% sure if this tool is publicly available; if anyone reading this can help us locate it, we'd be very grateful!

In examining the MIAT dump of the phone's filesystem, I found the following interesting items of evidence (note that these are not intended to be comprehensive):
  • \Windows\Profiles\guest\ - Contained the Pocket IE cache, including Cookies, index.dat (which was not extracted due to the previously specified issue), and Temporary Internet Files
  • \Windows\Messaging - Contained various .mbp files which proved to hold the text of downloaded email messages. There is also an Attachments folder under this path that may hold downloaded attachments.
  • \Windows\ActiveSync - Contained various configuration and log files from Activesync
  • \Windows\Favorites - Contained Favorite links used by Pocket IE
  • \Application Data\GoogleMaps - Contained configuration and cache files used by the installed Google Maps application. These files are all binary, but one of them, prefsext.dat, contains a variety of strings which match searches that have been performed and results (street addresses) which have been returned. Somebody could probably reverse engineer the format and write a parser for this that would be really useful.
  • \*.vol - these files contain embedded databases, which include all of the phone-related information such as call logs, phone book, appointment list, etc. I haven't yet found a free application to parse them, but there's got to be something out there.
  • I also found a number of other empty Attachments folders, as well as additional empty Profiles and Temporary Internet Files folders. This probably means that these various locations are implementation dependent.
Download Link : http://www.dfrws.org/2008/proceedings/p121-distefano_pres.pdf


TULP2G:
is a .NET based forensic software framework for extracting and decoding data stored in electronic devices.

“TULP2G is a forensic software framework developed to make it easy to extract and decode data from digital devices.”

Download Link : http://sourceforge.net/projects/tulp2g/

Santoku Community Edition:
runs in the lightweight Lubuntu Linux distro. It can be run in VirtualBox (recommended) or VMware Player, both available free and running on Linux, Mac or Windows. The Lubuntu download is large because it is a full .iso; we recommend you download it on a fast connection.


Tools to acquire and analyze data
  • Firmware flashing tools for multiple manufacturers
  • Imaging tools for NAND, media cards, and RAM
  • Free versions of some commercial forensics tools
  • Useful scripts and utilities specifically designed for mobile forensics
Download Link : https://santoku-linux.com/download


UFED Physical Analyzer:
is the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more.
 
Advanced capabilities for:

iOS:
  • Bypassing simple and complex passcodes while performing physical and file system extraction on selected devices running iOS 3.0 or higher, including iOS 6.
  • Real-time decryption and decoding of data, applications and the keychain, revealing user passwords.
  • Advanced decoding of applications.

BlackBerry:
  • Advanced decoding of BlackBerry Messenger (BBM), emails, locations, applications and more.
  • Real-time decryption of protected content from selected BlackBerry devices running OS 4+ using a given password.

Android:
  • Advanced decoding of all physical extractions performed on devices running any Android version.
  • Advanced decoding of applications and application files.

GPS:
  • Portable GPS device extraction and decoding.
  • Exclusive: physical extraction of TomTom trip-log files.

Download Link : http://go.cellebrite.com/30DayPhysicalAnalyzerTrial

Oxygen Forensic® Suite:
Oxygen Forensic Suite (Standard Edition) is a tool for acquiring and examining data from mobile devices. Features include the ability to gather device information (manufacturer, OS platform, IMEI, serial number, etc.), contacts, messages (emails, SMS, MMS, etc.) with recovery of deleted messages, call logs, and calendar and task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.


Download Link : http://www.oxygen-forensic.com/en/download/freeware



Tuesday, March 18, 2014

SSLAuditor- Version 4 : GUI Utility to audit SSL services


Advantages:

  • Checks all SSL issues, including ciphers, certificates and configuration issues
  • Cipher issues: SSLv2 support, weak ciphers
  • Certificate issues: self-signed, wildcard, expiration, weak certificate key
  • Configuration issues: CRIME, preferred cipher (BEAST), renegotiation, resumption
  • Flexible input: file, individual host or range, with multiple ports
  • Internal timer that adjusts according to the response of the server
  • Detailed and professional reporting with mitigation procedures for identified issues
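The cipher and protocol checks in that list come down to classifying what a server offers against a set of known-weak properties. The following is an added example, written for this page and not SSLAuditor's own code, that does that classification in Python: a small rule table flags suite names by the same categories the tool reports (SSLv2-era export suites, RC4, DES/3DES, MD5 MACs, anonymous and NULL suites), and the same rules are applied to a server-side `ssl.SSLContext` so you can check your own configuration offline before a scanner sees it. The regexes and the cipher string in `hardened_context` are this example's own choices.

```python
import re
import ssl

# Cipher-suite name patterns that an audit flags as weak (constructed list; the
# categories mirror the ones SSLAuditor reports, the regexes are this example's own).
WEAK_RULES = (
    (re.compile(r"\bNULL\b"), "no encryption or no authentication"),
    (re.compile(r"^EXP"), "export-grade key length"),
    (re.compile(r"\bRC4\b"), "RC4 stream cipher"),
    (re.compile(r"\bDES\b"), "DES/3DES (64-bit block size)"),
    (re.compile(r"\bMD5\b"), "MD5-based MAC"),
    (re.compile(r"^(ADH|AECDH)-"), "anonymous key exchange, no server authentication"),
)


def classify_ciphers(names):
    """Map each weak cipher-suite name to the reasons it was flagged; strong suites are omitted."""
    weak = {}
    for name in names:
        reasons = [why for rule, why in WEAK_RULES if rule.search(name)]
        if reasons:
            weak[name] = reasons
    return weak


def audit_context(ctx):
    """Summarise a server-side SSLContext the way a scanner would summarise a live server."""
    return {
        "lowest_protocol": ctx.minimum_version.name,
        "pre_tls12_allowed": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": classify_ciphers(c["name"] for c in ctx.get_ciphers()),
    }


def hardened_context():
    """A server context that passes the checks: TLS 1.2+ only, AEAD suites with forward secrecy."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


if __name__ == "__main__":
    # Constructed list of suite names as a scanner might collect them from a server.
    offered = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-MD5", "EXP-DES-CBC-SHA",
               "NULL-SHA", "ADH-AES256-SHA", "DES-CBC3-SHA"]
    for suite, reasons in classify_ciphers(offered).items():
        print(f"WEAK {suite}: {'; '.join(reasons)}")
    print(audit_context(hardened_context()))
```

Modern OpenSSL builds have SSLv2 (and usually RC4) compiled out, so the context audit cannot exercise those cases locally; the classifier is still useful on the suite list a scanner pulls from a remote server, where a legacy stack may well offer them.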

No installer; unzip and click opabinia.exe to start the program.

Only requirement is vc++ 12 runtime.
http://www.amanhardikar.com/temp/vcredist_x64.exe
If the executable is not opening, then please install vc++ libraries
and try again.

Beta version for testing:
http://www.amanhardikar.com/temp/SSLAuditor4.zip

Please let me know your feedback/bugs/features missing on the same.


Friday, March 14, 2014

Tortilla - Anonymous Security Research through Tor

Tortilla:
is an open source tool that allows users to securely, anonymously, and transparently route all TCP/IP and DNS traffic through Tor, regardless of the client software, and without relying on VPNs or additional hardware or virtual machines.


Supported Operating Systems: The tool runs on 32 bit and 64 bit versions of Windows from XP and above

Download Link : Click Here

SHA256 150eb477cd8a48daa792fbb610345e9c0aa981597106a02db03b06e71f56b586

Thursday, March 13, 2014

Free Toolkit For Incident Response - Crowd Response

CrowdResponse:
is a community-based platform that may eventually support as many as 25 software modules, each serving a different aspect of the incident response process, Kurtz says. This week's release includes three modules: @dirlist, @pslist, and @yara.


@dirlist

This is the directory-listing module. This sounds quite simple, but it is actually extremely powerful.
The CrowdResponse DirList module enables the following features:
  • Verify and display digital signature information
  • Utilize a path exclusion/inclusion regular expression filter that acts on the full path name
  • Use a file wildcard mask to limit processing to specific file name components
  • SHA256 and MD5 file hashing
  • Perform "quick" hash of only the first 512 bytes of the file
  • Option to not hash files greater than a given size
  • Display application resource information
  • Select recursive listings and control recursion depth
  • Display creation, modification and access times for files
  • Optionally process only Windows executable (PE) files
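To make the DirList feature list concrete, here is an added example in Python, written for this page and not CrowdResponse's own code (which is C++ against the Win32 API). It walks a directory with a recursion-depth cap, takes a "quick" SHA256/MD5 over only the first 512 bytes as well as a full hash, skips the full hash for files above a size limit, records the three file timestamps, and detects PE files by following the MZ header's e_lfanew to the PE signature rather than trusting the extension. The `demo` function builds a constructed directory tree, including a minimal fake PE header, so the whole thing runs offline; the field names in the result dicts are this example's own.

```python
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

QUICK_BYTES = 512  # a "quick" hash covers only the first 512 bytes of the file


def iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def is_pe_file(path):
    """True if the file carries an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as fh:
        head = fh.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\x00\x00"


def hash_file(path, quick=False):
    """Return (sha256, md5) hex digests of the whole file, or of its first QUICK_BYTES."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        chunks = [fh.read(QUICK_BYTES)] if quick else iter(lambda: fh.read(1 << 16), b"")
        for chunk in chunks:
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def dir_list(root, max_depth=None, max_hash_size=None, pe_only=False):
    """Walk root and describe each file: timestamps, PE flag, quick hash, full hash."""
    root = os.path.abspath(root)
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)
        if max_depth is not None and depth >= max_depth:
            dirnames[:] = []  # do not descend any further
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            pe = is_pe_file(path)
            if pe_only and not pe:
                continue
            st = os.stat(path)
            entry = {
                "path": path,
                "size": st.st_size,
                "is_pe": pe,
                # On Linux st_ctime is the inode change time, not the creation time.
                "created": iso(st.st_ctime),
                "modified": iso(st.st_mtime),
                "accessed": iso(st.st_atime),
            }
            entry["quick_sha256"], entry["quick_md5"] = hash_file(path, quick=True)
            if max_hash_size is None or st.st_size <= max_hash_size:
                entry["sha256"], entry["md5"] = hash_file(path)
            else:
                entry["sha256"] = entry["md5"] = None  # over the size cap, full hash skipped
            entries.append(entry)
    return entries


def demo():
    """Run the listing over a constructed directory tree and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        # Minimal fake PE: MZ header, e_lfanew=64, then the PE signature (constructed, not a real binary).
        fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 60
        files = {
            "tool.exe": fake_pe,
            "notes.txt": b"constructed sample text\n",
            "big.bin": b"A" * 4096,
        }
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        os.mkdir(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "sub", "nested.txt"), "wb") as fh:
            fh.write(b"nested constructed text\n")
        full = dir_list(tmp, max_hash_size=1024)
        return {
            "all": {os.path.basename(e["path"]): e for e in full},
            "top_names": [os.path.basename(e["path"]) for e in dir_list(tmp, max_depth=0)],
            "pe_names": [os.path.basename(e["path"]) for e in dir_list(tmp, pe_only=True)],
        }


if __name__ == "__main__":
    for name, entry in demo()["all"].items():
        print(name, entry["size"], entry["is_pe"], entry["quick_sha256"][:16], entry["sha256"])
```

The quick hash is a triage aid, not an identity: two files that share their first 512 bytes (a common PE stub, for instance) collide on it, which is why the full hash is still taken whenever the size cap allows.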

@pslist

This is the active running process listing module.
The CrowdResponse PSList module enables the following features:
  • Verify the digital signature of the process executable
  • Obtain process command line
  • Obtain detailed PE file information for each process executable
  • Perform SHA256 and MD5 hashes of process executables
  • Enumerate loaded modules for each process
  • Control PE output detail level of function names for imports and exports
  • Control PE output detail level of resource information
  • Control format (nested or flat) for PE file resource information
  • Check for process thread injection

@yara

The YARA processing module is the one I am most excited about. YARA will be familiar to many as an incredibly useful tool aimed at helping malware researchers identify and classify malware. It can act on files on disk or in-memory process images and runs a set of pattern matching rules against the target of investigation.
While we have incorporated a fully functional version of YARA into CrowdResponse, we have made it very simple to use for analyzing all active process binaries and memory. Along with the regular ability to target a specific single-process ID or one or more files, we can automatically enumerate all running processes and launch YARA rules against them all by simply specifying a single tool option. This enables quick and easy evaluation of a system without resorting to cumbersome scripting. This functionality greatly speeds the scan time and aids a responder in quickly pinpointing adversary activity on a suspect system.
The CrowdResponse YARA module enables the following features:
  • Scan memory of all currently active running processes
  • Scan on-disk files of all currently active running processes
  • Download YARA rule files from a provided URL
  • Control target path recursion depth
  • Utilize a target path exclusion/inclusion regular expression filter that acts on the full path name
  • Use a file target wildcard mask to limit processing to specific file name components
  • Option to only show positive hits
  • Option to specify YARA rule file name mask
  • Utilize a YARA file inclusion regular expression filter that acts on the full path name
  • Scan all loaded module files of active processes
  • Operate on a single process ID
  • Optional recursion into provided YARA rules directory

Crowd Response is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. The application contains numerous modules, each of them invoked by providing specific command line parameters to the main application. Modules are all built into the main application in C++ language utilizing the Win32 API to achieve their functionality.
Crowd Response results may be viewed in a variety of ways, particularly when leveraging CrowdStrike’s CRconvert. By default, output from Crowd Response is provided in an XML file. CRconvert will flatten this XML to CSV, TSV or HTML, if desired. The various format options were created to support the different needs and analysis preferences of the end user.
Supported Operating Systems: The tool runs on 32 bit and 64 bit versions of Windows from XP and above.


Download Link : Click Here
  • MD5 87b58fb3da849cedff3a107bfe600e9b
  • SHA1 08e5bed8e7ba7316e6ff23610561b14057a58d4c
  • SHA256 c5ab1006f47bba30fe23bccf9eebedf824efa3bc6212989c748aa147221b5103
     

Sunday, January 5, 2014

SpiderFoot 2.1.0 - Open Source Footprinting Tool

SpiderFoot:
SpiderFoot's simple web-based interface enables you to kick off a scan immediately after install: just give your scan a name and the domain name of your target, and select which modules to enable.

You will quickly obtain information such as: URLs handling passwords, network ranges (netblocks), web servers, open ports, information about SSL certificates, and much more.

"Footprinting" is the process of understanding as much as possible about a given target in order to perform a more complete security penetration test. Particularly for large networks, this can be a daunting task.

The main objective of SpiderFoot is to automate this process to the greatest extent possible, freeing up a penetration tester's time to focus their efforts on the security testing itself.

SpiderFoot is designed from the ground-up to be modular. This means you can easily add your own modules that consume data from other modules to perform whatever task you desire.

As a simple example, you could create a module that automatically attempts to brute-force usernames and passwords any time a password-handling webpage is identified by the spidering module.


 

SpiderFoot 2.1.0 is now available, a major update over 2.0.5 which was released back in September.

Major improvements are as follows:

- Identifies sites co-hosted on IPs of your target.
- Checks whether your target, affiliates or co-hosts have a bad reputation (PhishTank, Google
SafeBrowsing, McAfee SiteAdvisor, abuse.ch and many more.)
- Identifies the ISPs and BGP AS of your target.
- Smarter at identifying owned netblocks.
- UI enhancements, including some data visualizations.
- More comprehensive searches across other Internet TLDs.
- Identifies the use of non-standard HTTP headers.
- Bing searches.
- Many tweaks, improvements and bug fixes.




Website & Download: http://www.spiderfoot.net
GitHub: https://github.com/smicallef/spiderfoot/tree/2.1
 Source Forge : http://sourceforge.net/projects/spiderfoot/



Thursday, January 2, 2014

Arachni v0.4.6-0.4.3 (Open Source Web Application Security Scanner Framework)

Arachni v0.4.6-0.4.3 has been released.

There's a new version of Arachni, an Open Source, modular and high-performance Web Application Security Scanner Framework written in Ruby.

Brief list of changes:

Framework
----------
* Massively decreased RAM consumption.
* Amount of performed requests cut down by 1/3 -- and thus 1/3 decrease in scan times.
* Overhauled timing attack and boolean/differential analysis algorithms to fix
  SQLi false-positives with misbehaving webapps/servers.
* Vulnerability coverage optimizations with 100% scores on WAVSEP's tests for:
  * SQL injection
  * Local File Inclusion
  * Remote File Inclusion
  * Non-DOM XSS -- DOM XSS not supported until Arachni v0.5.

WebUI
-----
* Implemented Scan Scheduler with support for recurring scans.
* Redesigned Issue table during the Scan progress screen, to group
  and filter issues by type and severity. 


Issues table

The issues table has been massively redesigned to provide more context at a glance and help you prioritize and focus on the issues that interest you most.

While the scan is running and new issues appear, High and Medium severity type groups will, by default, be displayed as expanded, to show each logged issue, while Low and Informational severity ones will be displayed as collapsed. This way your attention will be drawn to where it’s most needed.
Of course, you can change the visibility settings to suit your preferences, using the controls on the left of the table, as well as reset them to their default configuration.

Scan scheduling

The major change for the web interface is the addition of the much awaited Scheduler, which combined with the existing incremental/revisioned scans provides quite a powerful feature. In essence, it allows you to schedule a scan to run at a later time and optionally configure it to be a recurring one.

What's interesting here is the recurring bit: each scan occurrence is not a separate entity but a revision of the previous scan, so you'll be able to track changes in your website's security with ease. It also lets you speed things up by feeding the sitemaps of previous revisions to the next one (either to extend or restrict the scope), making the crawl process much faster (or skipping it altogether).



For more details about the new release please visit:
    http://www.arachni-scanner.com/blog/arachni-0-4-6-0-4-3-release/

Download page: http://www.arachni-scanner.com/download/

Homepage - http://www.arachni-scanner.com
Blog - http://www.arachni-scanner.com/blog
Documentation - https://github.com/Arachni/arachni/wiki
Support - http://support.arachni-scanner.com
GitHub page - http://github.com/Arachni/arachni
Code Documentation - http://rubydoc.info/github/Arachni/arachni
Copyright - 2010-2014
License - Apache License v2

Thursday, December 19, 2013

Hook Analyser 3.0 Released with Cyber Threat Intelligence Features


Hook Analyser (released v3.0):
In this release a new module has been added: Cyber Threat Intelligence. The Threat Intel module gathers and analyses information related to cyber threats and vulnerabilities.

The module can be run using HookAnalyser.exe (via Option 6 ), or can be run directly.


The module presents information in a web browser (with a dashboard-style representation) with the following sections:

  1. Threat Vectors - by (%) Country
  2. Threat Vectors - by Geography 
  3. Vulnerability / Threat Feed.
Project documentation - Click Here

Here is the screenshot of the Cyber Threat Intelligence dashboard -

To download the project - Click Here