[IPhone Analyzer] IPhone Forensics Tool

iPhone Analzyer allows you to forensically examine or recover date from in iOS device. It principally works by importing backups produced by iTunes or third party software, and providing you with a rich interface to explore, analyse and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the original data.

Features

• Supports iOS 2, iOS 3, iOS 4 and iOS 5 devices
• Multi-platform (Java based) product, supported on Linux, Windows and Mac
• Fast, powerful search across device including regular expressions
• Integrated mapping supports visualisation of geo-tagged information, including google maps searches, photos, and cell-sites and wifi locations observed by the device (the infamous "locationd" data)
• Integrated support for text messages, voicemail, address book entries, photos (including metadata), call records and many many others
• Recovery of "deleted" sqlite records (records that have been tagged as deleted, but have not yet been purged by the device can often be recovered),/li>
• Integrated visualisation of plist and sqlite files
• Includes support for off-line mapping, supporting mapping on computers not connected to the Internet
• Support for KML export and direct export to Google Earth
• Browse the device file structure, navigate directly to key files or explore the device using concepts such as "who", "when", "what" and "where".
• Analyse jail broken device directly over SSH without need for backup (experimental)

Download IPhone Analyzer

[Memoryze] Find Evil in Live Memory (Memory Forensic Software)

Mandiant’s Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.

Mandiant’s Memoryze features:

• image the full range of system memory (not reliant on API calls).
• image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps and stacks.
• image a specified driver or all drivers loaded in memory to disk.
• enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
• report all open handles in a process (for example, all files, registry keys, etc.).
• list the virtual address space of a given process including:
• displaying all loaded DLLs.
• displaying all allocated portions of the heap and execution stack.
• list all network sockets that the process has open, including any hidden by rootkits.
• specify the functions imported by the EXE and DLLs.
• specify the functions exported by the EXE and DLLs.
• hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256.  This is disk based.)
• hash the EXE and DLLs in the process address space. (This is a MemD5 of the binary in memory).
• verify the digital signatures of the EXE and DLLs. (This is disk based.)
• output all strings in memory on a per process basis.
• identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
• specify the functions the driver imports.
• specify the functions the driver exports.
• hash the driver. (MD5, SHA1, SHA256. this is disk based.)
• verify the digital signature of the driver (This is disk based.)
• output all strings in memory on a per driver base.
• report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
• identify all loaded kernel modules by walking a linked list.
• identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs) and driver function tables (IRP tables).

Mandiant’s Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

Memoryze officially supports:

• Windows 2000 Service Pack 4 (32-bit)
• Windows XP Service Pack 2 and Service Pack 3 (32-bit)
• Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
• *Windows Vista Service Pack 2 (64-bit)
• Windows 2003 Service Pack 2 (32-bit and 64-bit)
• Windows 7 Service Pack 0 (32-bit and 64-bit)
• *Windows 2008 Service Pack 1 and Service Pack 2 (32-bit)
• Windows 2008 R2 Service Pack 0 (64-bit)
• *Windows 8 Service Pack 0 (32-bit and 64-bit)
• *Windows Server 2012 Service Pack 0 (64-bit)

* means support for a new operating system without experience on millions of host

In order to visualize Memoryze’s output, please download Redline™ or use an XML viewer.  Redline is Mandiant’s premier free tool for investigating hosts for signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Download Memoryze

[Volatility v2.3] The advanced memory forensics framework (Support of OSX)

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work

• Windows
  • new plugins to parse IE history/index.dat URLs, recover shellbags data, dump cached files (exe/pdf/doc/etc), extract the MBR and MFT records, explore recently unloaded kernel modules, dump SSL private and public keys/certs, and display details on process privileges
  • added plugins to detect poison ivy infections, find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5
  • apihooks detects duqu style instruction modifications (MOV reg32, imm32; JMP reg32)
  • crashinfo displays uptime, systemtime, and dump type (i.e. kernel, complete, etc)
  • psxview plugin adds two new sources of process listings from the GUI APIs
  • screenshots plugin shows text for window titles
  • svcscan automatically queries the cached registry for service dlls
  • dlllist shows load count to distinguish between static and dynamic loaded dlls
• New address spaces
  • added support for VirtualBox ELF64 core dumps, VMware saved state (vmss) and snapshot (vmsn) files, and FDPro’s non-standard HPAK format
  • associated plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract
• Mac
  • new MachO address space for 32- and 64-bit Mac memory samples
  • over 30+ plugins for Mac memory forensics
• Linux/Android
  • new ARM address space to support memory dumps from Linux and Android devices on ARM
  • added plugins to scan linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
  • added plugins to check the ARM system call and exception vector tables for hooks

Operating Systems

Volatility supports the following operating systems and versions. All Windows profiles are included in the standard Volatility package. You can download sample Linux profiles from the LinuxProfiles wiki page or read LinuxMemoryForensics on how to build your own. You can download a single archive of 38 different Mac OSX profiles or read MacMemoryForensics to build your own.

• Windows
  • 32-bit Windows XP Service Pack 2 and 3
  • 32-bit Windows 2003 Server Service Pack 0, 1, 2
  • 32-bit Windows Vista Service Pack 0, 1, 2
  • 32-bit Windows 2008 Server Service Pack 1, 2
  • 32-bit Windows 7 Service Pack 0, 1
  • 64-bit Windows XP Service Pack 1 and 2
  • 64-bit Windows 2003 Server Service Pack 1 and 2
  • 64-bit Windows Vista Service Pack 0, 1, 2
  • 64-bit Windows 2008 Server Service Pack 1 and 2
  • 64-bit Windows 2008 R2 Server Service Pack 0 and 1
  • 64-bit Windows 7 Service Pack 0 and 1
• Linux
  • 32-bit Linux kernels 2.6.11 to 3.5
  • 64-bit Linux kernels 2.6.11 to 3.5
  • OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
• Mac OSX
  • (new) 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn’t supported)
  • (new) 32-bit 10.6.x Snow Leopard
  • (new) 64-bit 10.6.x Snow Leopard
  • (new) 32-bit 10.7.x Lion
  • (new) 64-bit 10.7.x Lion
  • (new) 64-bit 10.8.x Mountain Lion (there is no 32-bit version)

Download Volatility v2.3

[OS X Auditor] free Mac OS X computer forensics tool

OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:

• the kernel extensions
• the system agents and daemons
• the third party's agents and daemons
• the old and deprecated system and third party's startup items
• the users' agents
• the users' downloaded files
• the installed applications

It extracts:

• the users' quarantined files
• the users' Safari history, downloads, topsites, HTML5 databases and localstore
• the users' Firefox cookies, downloads, formhistory, permissions, places and signons
• the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
• the users' social and email accounts
• the WiFi access points the audited system has been connected to (and tries to geolocate them)

It also looks for suspicious keywords in the .plist themselves.

It can verify the reputation of each file on:

• Team Cymru's MHR
• VirusTotal
• Malware.lu
• your own local database

It can aggregate all logs from the following directories into a zipball:

• /var/log (-> /private/var/log)
• /Library/logs
• the user's ~/Library/logs

Finally, the results can be:

• rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
• rendered as a HTML log file
• sent to a Syslog server

Download OS X Auditor