

Colorize and Filecompare
Colorize creates visual representations of raw file data. Filecompare looks at two files, in arbitrary block sizes, and produces output that can be fed to Colorize for display. See http://jessekornblum.livejournal.com/290358.html for details.

Windows: http://jessekornblum.com/tools/colorize/colorize-1.1.zip
Source code: https://github.com/jessek/colorize/archive/release-1.1.zip
Development: https://github.com/jessek/colorize/

samecat
Computes and matches signatures for similar-looking pictures. See http://jessekornblum.livejournal.com/286446.html for details.
C:\> python samecat.py [FILES]
C:\> python samecat.py -m [known] [FILES]

samecat.py version 1.0

encase2txt
Converts Encase hash files to plain-text format. Built from the documentation in the Forensics Wiki entry on the Encase hash file format. The zip file contains a Windows executable and the source code, both licensed under version 3 of the GNU General Public License (GPL).
C:\> encase2txt [FILES]

encase2txt version 1.0

hexdump
Creates a hex dump from standard input. Designed to be similar to, but not identical to, the *nix program xxd. There is a cross-platform Python script and a C program; the two are not identical. C program usage:
C:\> hexdump.exe [FILE]
C:\> hexdump.exe < [FILE]
C:\> echo [TEXT] | hexdump.exe

Windows executable    Source code

Python script Usage:
C:\> python hexdump.py < [FILE]
C:\> type [FILE] | python hexdump.py
C:\> echo.|set /p=[TEXT]|python hexdump.py


findaes
Scans input files for AES-128, AES-192, and AES-256 keys. Originally intended for memory images, but it can be run on any file. Works by eliminating everything that is not a valid AES key schedule.
findaes      Related blog posts
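To make the "eliminate everything that is not a valid key schedule" idea concrete, here is an added example in Python. It is not findaes' own code: it derives the AES S-box, runs the FIPS-197 key expansion, and treats every offset of a buffer as a candidate 16/24/32-byte key, keeping it only when the bytes that follow are exactly that key's expansion. The demo buffer (filler bytes with the FIPS-197 Appendix A.1 AES-128 schedule embedded) is constructed here for illustration.

```python
"""Added example, not findaes' own code: scan a buffer for AES key schedules.

A live AES implementation keeps the expanded key (176/208/240 bytes) next to
the key itself, so every offset is tried as a 16/24/32-byte key and kept only
if the bytes after it are exactly that key's FIPS-197 expansion."""
import sys


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Derive the S-box (GF(2^8) inverse, then the affine map) instead of typing 256 constants."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                               # q /= 3 (i.e. q *= 0xF6)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # 0 has no inverse; affine map alone
    return sbox


SBOX = _build_sbox()


def _xtime(b):
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def _schedule_words(key):
    """Yield words w[Nk] .. w[4*(Nr+1)-1] of the FIPS-197 KeyExpansion one at a
    time, so a scanner can stop at the first word that does not match."""
    nk = len(key) // 4
    nr = nk + 6
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        temp = bytearray(w[i - 1])
        if i % nk == 0:
            temp = temp[1:] + temp[:1]                    # RotWord
            temp = bytearray(SBOX[b] for b in temp)       # SubWord
            temp[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                      # extra SubWord for AES-256
            temp = bytearray(SBOX[b] for b in temp)
        word = bytes(a ^ b for a, b in zip(w[i - nk], temp))
        w.append(word)
        yield word


def expand_key(key):
    """Key followed by its full schedule: 176, 208 or 240 bytes."""
    return bytes(key) + b"".join(_schedule_words(key))


def find_aes_keys(buf, key_sizes=(16, 24, 32)):
    """Return [(offset, key)] for every offset whose following bytes are the
    expansion of the candidate key at that offset. Every other offset is
    rejected at the first mismatching word, usually the very first one."""
    hits = []
    for off in range(len(buf)):
        for size in key_sizes:
            key = buf[off:off + size]
            if len(key) < size:
                continue
            pos = off + size
            for word in _schedule_words(key):
                if buf[pos:pos + 4] != word:
                    break
                pos += 4
            else:
                hits.append((off, bytes(key)))
    return hits


def demo_buffer():
    """Constructed sample: filler with the FIPS-197 Appendix A.1 AES-128 schedule embedded."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    filler = bytes((i * 37 + 11) & 0xFF for i in range(1000))
    return filler + expand_key(key) + filler, key, len(filler)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data, _, _ = demo_buffer()
    for off, key in find_aes_keys(data):
        print(f"AES-{len(key) * 8} key at offset 0x{off:x}: {key.hex()}")
```

Run it with no arguments to scan the constructed buffer, or with a path to scan a raw dump. A bare key with no schedule after it is never reported; that is the whole point of the technique, since 16 random-looking bytes on their own are indistinguishable from anything else in a memory image. The per-offset check is cheap because almost every candidate fails on its first expanded word, but this is pure Python and reads the whole file into memory, so for multi-gigabyte images you would want findaes itself or a streaming rewrite.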

md5deep and hashdeep
A set of cross-platform tools to compute, compare, match, and audit cryptographic hashes. Supported algorithms are MD5, SHA-1, SHA-256, Tiger, and Whirlpool.
md5deep     Project Page     Related blog posts

ssdeep
A fuzzy hashing tool to identify similar but not identical files. Here 'similar' applies at the byte level; no effort is made to examine higher-level structures. The package includes both a client program for matching and an API for adding fuzzy hashing to other programs.
ssdeep     Project Page     Paper     Related blog posts
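As an added illustration of what "similar at the byte level" means, here is a miniature context-triggered piecewise hash (CTPH) in Python. It is not ssdeep's code and its output is not compatible with ssdeep's; the rolling-hash window, block-size rule and scoring are simplified versions of the same ideas. The test bytes it hashes are a constructed SHA-256 counter stream, not real files.

```python
"""Added example, not ssdeep's code and not output-compatible with it: a small
context-triggered piecewise hash (CTPH) showing why byte-level fuzzy hashing
survives insertions. Window, block-size rule and scoring are simplified."""
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7          # bytes the rolling hash depends on
MIN_BLOCK = 3
SIG_LEN = 64        # target signature length in characters
HASH_INIT = 0x28021967


class Rolling:
    """Rolling hash that depends only on the last WINDOW bytes, so chunk
    boundaries are chosen by content, not by position in the file."""

    def __init__(self):
        self.win = [0] * WINDOW
        self.n = 0
        self.h1 = self.h2 = self.h3 = 0

    def update(self, b):
        old = self.win[self.n % WINDOW]
        self.h2 = (self.h2 - self.h1 + WINDOW * b) & 0xFFFFFFFF   # position-weighted sum
        self.h1 = (self.h1 + b - old) & 0xFFFFFFFF                 # plain sum of the window
        self.h3 = ((self.h3 << 5) ^ b) & 0xFFFFFFFF                # older bytes shift out after 7 steps
        self.win[self.n % WINDOW] = b
        self.n += 1
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def _signature(data, block_size):
    """One base64 character per chunk; a chunk ends wherever the rolling hash
    hits block_size - 1 (mod block_size), so identical bytes chunk identically."""
    roll, h, out = Rolling(), HASH_INIT, []
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF        # FNV-1a over the current chunk
        if roll.update(b) % block_size == block_size - 1 and len(out) < SIG_LEN - 1:
            out.append(ALPHABET[h & 63])
            h = HASH_INIT
    if h != HASH_INIT:
        out.append(ALPHABET[h & 63])                   # partial last chunk
    return "".join(out)


def fuzzy_hash(data):
    """'blocksize:sig:sig_at_double_blocksize', the same layout ssdeep uses so
    that hashes whose block sizes differ by a factor of two can still be compared."""
    block_size = MIN_BLOCK
    while block_size * SIG_LEN < len(data):
        block_size *= 2
    while True:
        sig = _signature(data, block_size)
        if len(sig) >= SIG_LEN // 2 or block_size == MIN_BLOCK:
            break
        block_size //= 2                                # too few chunks: refine
    return f"{block_size}:{sig}:{_signature(data, block_size * 2)}"


def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _score(s1, s2):
    """0..100 from edit distance, but only if the signatures share a WINDOW-long
    substring; that guard keeps unrelated files at 0 instead of 'slightly similar'."""
    if not s1 or not s2:
        return 0
    if not any(s1[i:i + WINDOW] in s2 for i in range(len(s1) - WINDOW + 1)):
        return 0
    return 100 - (100 * _edit_distance(s1, s2)) // (len(s1) + len(s2))


def compare(h1, h2):
    """Similarity 0..100 between two fuzzy_hash() strings."""
    b1, s1, d1 = h1.split(":")
    b2, s2, d2 = h2.split(":")
    b1, b2 = int(b1), int(b2)
    if b1 == b2:
        return max(_score(s1, s2), _score(d1, d2))
    if b1 == 2 * b2:
        return _score(s1, d2)
    if b2 == 2 * b1:
        return _score(d1, s2)
    return 0


def sample_data(tag, n):
    """Constructed pseudo-random test bytes (SHA-256 counter stream), not real files."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(tag + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]
```

The property worth noticing is alignment independence: because a chunk boundary is triggered by the last seven bytes of content rather than by an offset, inserting or replacing a few hundred bytes changes only the one or two signature characters covering that region, and everything after it realigns. A conventional hash of the same two files would share nothing. The seven-character common-substring requirement is the other half of the design: without it, two unrelated signatures would still get a nonzero edit-distance score.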

Miss Identify
Identifies Win32 executables. Originally designed to detect executables that don't have an executable extension (e.g. .exe, .com, .dll); it can also produce a list of all executables encountered.
Miss Identify     Project Page
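The check behind this kind of tool is small and worth seeing in full: follow the headers the Windows loader follows and ignore the file name. The following is an added Python example, not Miss Identify's code. The header walk (MZ signature, e_lfanew at offset 0x3C, PE signature, COFF file header) is the documented PE layout; the extension list, the 16 MiB header cap and the sample header built for testing are this example's own assumptions.

```python
"""Added example, not Miss Identify's code: decide whether a file is a Win32
(PE) executable from its headers, ignoring the extension entirely."""
import os
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "i386", 0x1C0: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".sys", ".scr", ".ocx", ".cpl", ".drv"}
COFF_HEADER = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                                  # PointerToSymbolTable, NumberOfSymbols,
                                  # SizeOfOptionalHeader, Characteristics


def identify_pe(data):
    """Return a small dict for a PE image, or None. The walk is the loader's:
    'MZ' at 0, e_lfanew at 0x3C, 'PE\\0\\0' there, then the 20-byte COFF header.
    Anything missing or out of range means 'not a PE', including a plain DOS .exe."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):                  # signature + COFF header must fit
        return None
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:x}"),
        "sections": nsections,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "has_optional_header": opt_size > 0,
    }


def identify_pe_file(path, max_header=16 * 1024 * 1024):
    """Read only what identify_pe needs: the DOS header, then up to the COFF header.
    e_lfanew can be large (big DOS stubs, padding), so don't assume 4 KiB is enough."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != IMAGE_DOS_SIGNATURE:
            return None
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        if e_lfanew + 24 > max_header:             # assumed cap against absurd offsets
            return None
        head += fh.read(max(0, e_lfanew + 24 - 0x40))
    return identify_pe(head)


def scan(root, all_executables=False):
    """Walk root and return [(path, info)] for PE files; by default only those whose
    extension does not say they are executable, which is the Miss Identify default."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                info = identify_pe_file(path)
            except OSError:
                continue
            if info and (all_executables or os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS):
                found.append((path, info))
    return sorted(found)


def build_sample_pe(e_lfanew=0x80, machine=0x14C, characteristics=0x0102):
    """Constructed MZ + PE header pair for testing; not a loadable binary."""
    img = bytearray(e_lfanew + 24)
    img[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    struct.pack_into(COFF_HEADER, img, e_lfanew + 4, machine, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(img)


if __name__ == "__main__":
    for path, info in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {info['machine']}, {info['sections']} sections, dll={info['dll']}")
```

Two details matter in practice. A file that starts with MZ but has no valid PE signature at e_lfanew is a DOS program or a random file, not a Win32 executable, so a check that stops at the MZ bytes over-reports. And e_lfanew is not bounded to the first page: Windows accepts it anywhere in the file (even overlapping the DOS header in tiny hand-crafted binaries), so the reader seeks to it instead of assuming a fixed-size prefix.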

Foremost
A linear file carver. Uses headers and footers to recover files from a data stream.
Foremost     Project Page
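To show what "linear, header and footer" carving means in code, here is an added Python example. It is not Foremost's code. The JPEG, PNG and GIF magic values are the well-known ones; the per-type size limits, the no-footer behaviour and the sample stream it carves are this example's assumptions.

```python
"""Added example, not Foremost's code: a linear header/footer carver. The magic
values are the well-known ones for JPEG, PNG and GIF; the size limits are
illustrative assumptions, as is the sample stream."""
import os
import sys

# (extension, header, footer, max_size)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 2 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00\x3b", 512 * 1024),
]


def carve(data, signatures=SIGNATURES):
    """Return [(ext, start, blob)] in stream order. For every header hit, the file
    is cut at the first matching footer within max_size (footer included). With
    no footer in range the carver keeps max_size bytes (or to end of stream)
    rather than silently dropping a truncated file."""
    hits = []
    for ext, header, footer, max_size in signatures:
        pos = data.find(header)
        while pos != -1:
            limit = min(len(data), pos + max_size)
            end = data.find(footer, pos + len(header), limit)
            end = limit if end == -1 else end + len(footer)
            hits.append((ext, pos, data[pos:end]))
            pos = data.find(header, end)          # resume after the carve: no nested hits
    hits.sort(key=lambda h: h[1])
    return hits


def carve_file(path, outdir):
    """Carve a raw image from disk into outdir, naming each file by its offset.
    Reads the whole input at once; a multi-GB image would be streamed in
    windows that overlap by max_size instead."""
    with open(path, "rb") as fh:
        data = fh.read()
    os.makedirs(outdir, exist_ok=True)
    written = []
    for ext, start, blob in carve(data):
        out = os.path.join(outdir, f"{start:08x}.{ext}")
        with open(out, "wb") as fh:
            fh.write(blob)
        written.append(out)
    return written


def sample_stream():
    """Constructed stream: a JPEG-shaped blob, a PNG-shaped blob and a JPEG
    header that never gets its footer (a truncated file at the end of the image)."""
    gap = b"\x00" * 64
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 20
    data = gap + jpg + gap + png + gap + truncated
    expected = [("jpg", len(gap), jpg),
                ("png", 2 * len(gap) + len(jpg), png),
                ("jpg", 3 * len(gap) + len(jpg) + len(png), truncated)]
    return data, expected


if __name__ == "__main__":
    if len(sys.argv) == 3:
        for out in carve_file(sys.argv[1], sys.argv[2]):
            print(out)
    else:
        for ext, start, blob in carve(sample_stream()[0]):
            print(f"{ext} at {start:#x}, {len(blob)} bytes")
```

The limitations are the ones every header/footer carver shares, and they are worth knowing before trusting the output: a footer that also occurs inside the payload (a JPEG thumbnail embedded in EXIF data ends with its own FFD9) truncates the carve early, a missing footer yields an over-long file up to the size limit, and fragmented files cannot be recovered by a linear scan at all. Foremost's configuration file exists largely to tune the first two per file type.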

Volatility™ Plugins
Here are some plugins I've written for the Volatility™ memory analysis framework. There are many more plugins listed on the Forensics Wiki list of Volatility™ plugins. Volatility™ is a trademark of Verizon. Jesse Kornblum is not sponsored or approved by, or affiliated with, Verizon.

These plugins, and a few other changes I made to version 2.0 of the framework for use in my memory forensics course, SANS FOR526: Windows Memory Forensics In-Depth, are available as a separate download: Volatility 2.0 modified for SANS FOR526.

Note that some of these were written for older versions of the framework and may not work anymore. To use any of these plugins, save them to your volatility/plugins directory.

Related blog posts

Clear Memory
Attempts to push data into the paging file by allocating gobs of memory. Used to test programs that read the pagefile on Microsoft Windows.
Source Code     Win32 Executable