Tools
md5deep and hashdeep
A set of cross-platform tools to compute, compare, match, and audit cryptographic hashes.
Supported algorithms are MD5, SHA-1, SHA-256, Tiger, and Whirlpool.
md5deep
Project Page
Related blog posts
ssdeep
A fuzzy hashing tool to identify similar but not identical files. In this case,
'similar' applies at the byte level. No effort is made to examine higher level
structures. The package includes both a client program for matching and an API
for adding fuzzy hashing to other programs.
ssdeep
Project Page
Paper
Related blog posts
Miss Identify
Identifies Win32 executables. Originally designed to detect executables that don't have
an executable extension (e.g. exe, com, dll), it can also produce a list of all executables
encountered.
Miss Identify
Project Page
Foremost
A linear file carver. Uses headers and footers to recover files from a data stream.
Foremost
Project Page
Volatility Plugins
Here are two plugins for the Volatility framework for memory analysis. For more, please see the Forensics Wiki list of Volatility plugins.
Find 'suspicious' processes
Find TrueCrypt passphrases
Related blog posts
Clear Memory
Attempts to push data into the paging file by allocating gobs of memory.
Used to test programs to read the pagefile on Microsoft Windows.
Source Code
Win32 Executable