Colorize and Filecompare
Colorize creates visual representations of raw file data. Filecompare looks at two files, in arbitrary block sizes, and produces output which can be run through Colorize to display them. See http://jessekornblum.livejournal.com/290358.html for details.
Source code: https://github.com/jessek/colorize/archive/1.0.zip
Computes and matches signatures for similar-looking pictures. See http://jessekornblum.livejournal.com/286446.html for details.
C:\> python samecat.py [FILES]
C:\> python samecat.py -m [known] [FILES]
samecat.py version 1.0
Converts Encase hash files to plain text format. Built from the documentation at the forensics wiki entry on Encase hash file format. The zip file contains a Windows executable and the source code, both licensed under version 3 of the GNU General Public License (GPL).
C:\> encase2txt [FILES]
encase2txt version 1.0
Creates a hex dump from standard input. Designed to be similar to, but not identical to, the *nix program xxd. There is a cross-platform Python script and a C program, which are not identical. C Program Usage:
C:\> hexdump.exe [FILE]
C:\> hexdump.exe < [FILE]
C:\> echo [TEXT] | hexdump.exe
Windows executable Source code
Python script Usage:
C:\> python hexdump.py < [FILE]
C:\> type [FILE] | python hexdump.py
C:\> echo.|set /p=[TEXT]|python hexdump.py
Scans input files for AES128, AES192, and AES256 keys. Originally intended for memory images, but it can be used on any input. Works by eliminating anything which is not a valid AES key schedule.
findaes Related blog posts
md5deep and hashdeep
A set of cross-platform tools to compute, compare, match, and audit cryptographic hashes. Supported algorithms are MD5, SHA-1, SHA-256, Tiger, and Whirlpool.
md5deep Project Page Related blog posts
A fuzzy hashing tool to identify similar but not identical files. In this case, 'similar' applies at the byte level. No effort is made to examine higher level structures. The package includes both a client program for matching and an API for adding fuzzy hashing to other programs.
ssdeep Project Page Paper Related blog posts
Identifies Win32 executables. Originally designed to detect executables that don't have an executable extension (e.g. exe, com, dll), it can also produce a list of all executables encountered.
Miss Identify Project Page
Here are some plugins I've written for the Volatility memory analysis framework. There are many more plugins listed on the Forensics Wiki list of Volatility plugins. Volatility is a trademark of Verizon. Jesse Kornblum is not sponsored or approved by, or affiliated with Verizon.
These plugins, and a few other changes I made to version 2.0 of the framework for use in my memory forensics course, SANS FOR526: Windows Memory Forensics In-Depth, are available as a separate download: Volatility 2.0 modified for SANS FOR526.
Note that some of these were written for older versions of the framework and may not work anymore. To use any of these plugins, save them to your volatility/plugins directory.
- modmemdump and rawmoddump - Used for recovering kernel drivers when the traditional plugins don't work. See http://jessekornblum.livejournal.com/291418.html for complete details on what they are and why I wrote them.
- pstotal: Displays processes which are found by the brute force search for processes but not the walk of the operating system's list of processes. A version of this plugin was written for release 1.4 of the framework: pstotal for Volatility 1.4
- psinfo: Displays information about each process, with some rough detection of "suspicious" processes.
- suspicious: Highlights 'suspicious' processes with Volatility version 1.3.
- cryptoscan: Finds TrueCrypt passphrases with Volatility version 1.3.
Related blog posts