Browsing projects by Tag(s)

Select a tag to browse associated projects and drill deeper into the tag cloud.

Bro

Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).

5.0

0 reviews  |  8 users  |  129,872 lines of code  |  11 current contributors  |  Analyzed 4 days ago

Hachoir is a library written in Python which allows you to view and edit a binary file (or any binary stream) field by field. A field is the most basic unit of information: a number, a string of characters, a flag (yes/no), etc. Only supported formats can be opened; it is not a magic tool. It can be used to extract information (e.g., metadata), edit some fields of a file without the original program, or convert a file from one format to another.

4.5

0 reviews  |  7 users  |  61,239 lines of code  |  1 current contributor  |  Analyzed about 1 hour ago

A simple but powerful tool with a flexible module system which will help you in your digital forensics work, including file recovery after an error or crash, evidence research and analysis, etc. Digital Forensics Framework (DFF) provides a robust architecture and some handy modules.

5.0

0 reviews  |  4 users  |  101,683 lines of code  |  5 current contributors  |  Analyzed 4 days ago

AlienVault Open Source SIM aims to be the all-in-one security solution for enterprise needs, featuring: low-level real-time detection of known threats and unknown abnormal activity; network, host and policy audit; network behavior analysis and profiling; log management; intelligence to improve the accuracy of threat detection; risk-oriented security analysis; compliance automation; executive and technical reports; and a scalable, high-performance architecture.

4.0

0 reviews  |  3 users  |  8,187,092 lines of code  |  24 current contributors  |  Analyzed 5 days ago

PCGUI is a frontend for handling packet captures. It is aimed at network security analysts who want cheap, non-commercial storage for doing network forensics. It can use daemonlogger/tcpdump/sancp for packet capturing and cxtracker for connection profiling. daemonlogger/tcpdump/sancp is responsible for dumping pcaps to disk; cxtracker/sancp indexes connections, making them searchable. LAMP is used for the GUI, to search connections and carve out the relevant pcaps.

0

0 reviews  |  2 users  |  1,474 lines of code  |  0 current contributors  |  Analyzed about 10 hours ago

LibForensics is a library for developing digital forensics applications. Currently it is developed in pure Python. After a majority of the code has been developed and stabilized, the bottlenecks will likely be converted into C-based modules. I'm looking for people to use and test the framework. I've developed some sample Python tools (under the demo directory in the repository) that use various parts of the framework. Even if you're not a coder, feel free to experiment with the tools, and report any bugs you find. LibForensics requires Python version 3.1. You can get the latest version of Python from http://www.python.org

News: What's new - March 18, 2010

I've been working on the next major release (0.3). Several things have changed, including the data typing system (we now use ctypes instead of struct), more thorough unit testing, numerous bug fixes, and API documentation. Look for a major release in the next few weeks. Some basic factoids

5.0

0 reviews  |  2 users  |  21,273 lines of code  |  0 current contributors  |  Analyzed about 10 hours ago

Searches for C structures in a process's memory.

Keywords: memory, analysis, forensics, struct, ptrace

5.0

0 reviews  |  1 user  |  21,938 lines of code  |  1 current contributor  |  Analyzed 1 day ago

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

0

0 reviews  |  1 user  |  176,256 lines of code  |  8 current contributors  |  Analyzed 7 days ago

VFAE is a Windows-based tool written in C++ that extracts files with a known location from VMDK images running the Windows operating system. The tool uses the VDDK (Virtual Disk Development Kit) API for the heavy lifting, such as mounting, opening, and reading the selected VMDK. When vfae.exe is executed, it copies files out of an off-line VMDK file. The application allows the user to conduct a quick triage of the Windows directory structure by outputting the results to a specific output file (vfae_output_.txt). Additionally, it computes an MD5 hash of the VMDK itself if needed. For specific file-searching purposes, it searches for any file type within the off-line VMDK based on an argument passed in via the command line. Furthermore, you can extract those files that were fou

0

0 reviews  |  1 user  |  780 lines of code  |  0 current contributors  |  Analyzed 2 days ago

iPhone Backup Analyzer is a utility designed to let the user simply browse through the contents of the backup folder of an iPhone (or any other iOS device): read configuration files, browse archives, look into databases, and so on. It provides a plugin framework for developing viewers for specific contents (text messages, browser history, application-specific data, ...).

0

0 reviews  |  1 user  |  4,745 lines of code  |  1 current contributor  |  Analyzed 7 days ago

Copyright © 2013 Black Duck Software, Inc. and its contributors, Some Rights Reserved. Unless otherwise marked, this work is licensed under a Creative Commons Attribution 3.0 Unported License. Ohloh ® and the Ohloh logo are trademarks of Black Duck Software, Inc. in the United States and/or other jurisdictions. All other trademarks are the property of their respective holders.