From: Daniel
Organization: Gentoo
To: gentoo-dev@lists.gentoo.org
Date: Sat, 11 Sep 2004 12:51:00 +0930
Subject: [gentoo-dev] app-forensics category and forensics herd proposal
Message-Id: <200409111251.15406.dragonheart@gentoo.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In response to bug 42498, I propose setting up an app-forensics category and forensics herd. This will contain all applications that aid the investigation of intrusions and general stuff that would be used by law enforcement agencies.

Applications so far identified for this and their current maintainers:

app-admin/autopsy - me
app-admin/sleuthkit - me
app-admin/aide - bug wranglers
dev-util/examiner - nobody
app-admin/foremost - Martin Schlemmer - mholzer
sys-apps/air - me
app-admin/chkrootkit - Aaron Walker - Ka0TTiC
app-admin/rkhunter - Aaron Walker - Ka0TTiC

And a few more that ebuilds haven't quite been made for:

http://sourceforge.net/projects/pyflag
FLAG was designed to simplify the process of log file analysis and forensic investigations. FLAG facilitates efficient analysis of large quantities of data within an interactive environment. PyFlag is the reimplementation of FLAG in Python.

http://www.outguess.org/detection.php
Stegdetect (bug 35542) - Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images.

http://sourceforge.net/projects/ol2mbox/
Outlook to mbox converter (used for litigation support, etc., but also useful for anyone.) Note that this guy MIGHT have been threatened by Microsoft, as some of the content from his page has mysteriously disappeared that contained newer versions, and they once mentioned legal issues. The program works fairly well, though.

http://sourceforge.net/projects/regviewer/
RegViewer is a GTK 2.2 based GUI Windows registry file navigator. It is platform independent, allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.

http://freshmeat.net/projects/ftimes/
FTimes is a system baselining and evidence collection tool. Its primary purpose is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis. It was designed to support the following initiatives: content integrity monitoring, incident response, intrusion analysis, and computer forensics.

http://freshmeat.net/projects/rda/
RDA is a computer forensics tool to remotely acquire data. Usually disk cloning or disk/partition imaging means one has to move the disk onto another system, and things are more complicated if it's a laptop disk. The alternative provided by rda is to boot the data source machine with a minimal Linux system from a floppy or CD, and simply run rda. Some of the options provided are data transfer verification with MD5 and/or CRC32 checksums, skipping read errors, and spanning over multiple files.

http://software.freshmeat.net/projects/fohad/
The Forensic Hash Database is a project to combine the various hashsum sources like The KnownGoods Database, Hashkeeper, NIST NSRL, and Dan Farmer's hashsum archive into a single meta database. Integration into the forensic analysis toolkit The Sleuth Kit is provided through a patch.

http://sourceforge.net/search/?type_of_search=soft&exact=0&words=forensic lists some others that I haven't included here.

Aaron Walker (Ka0TTiC) has volunteered to join me (easily convinced in a state of sleep deprivation).

Other volunteers? Anyone else? Other packages worthy of consideration?

- --
Daniel Black
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQm8chhpKunZncJcRAiEdAJ9EfpLGkNjUborCM1kNmkbnH96Z5wCgi99O
bobmWG1bxd3b+O8UnsY6IwE=
=tetz
-----END PGP SIGNATURE-----
--
gentoo-dev@gentoo.org mailing list
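The post describes FTimes and AIDE as baselining and content-integrity tools without showing what such a check looks like. The following is an added example, not code from the original message or from either project: it baselines a directory tree, tampers with it the way a rootkit install might (replacing a binary and restoring its old mtime, dropping a hidden file, deleting a config file), and reports what a second baseline reveals. All file names and contents are constructed in a temporary directory for the demonstration.

```python
"""Added example: a file-system baseline and integrity comparison of the kind
the post describes for FTimes and AIDE. It is not code from the original
post or from either project; file names, contents and the tampering steps
below are constructed in a temporary directory purely to exercise it."""
import hashlib
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Snapshot every regular file under root: size, permission bits, mtime and digest.

    Keys are root-relative paths with '/' separators so two snapshots of the same
    tree compare cleanly regardless of where the tree was mounted."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks into other trees
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not content-hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime_ns": st.st_mtime_ns,
                "sha256": hash_file(full),
            }
    return snap


def compare(before, after):
    """Return (added, removed, modified) lists of relative paths.

    'modified' is decided on content digest and permission bits, never on mtime:
    an intruder can restore the old timestamp with utime, but cannot make a
    different file produce the same SHA-256."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(
        p for p in set(before) & set(after)
        if before[p]["sha256"] != after[p]["sha256"]
        or before[p]["mode"] != after[p]["mode"]
    )
    return added, removed, modified


def _write(root, rel, data):
    """Create a constructed sample file (helper for the demo only)."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return full


def demo():
    """Build a constructed tree, baseline it, tamper with it, and baseline again."""
    with tempfile.TemporaryDirectory() as root:
        ls_path = _write(root, "bin/ls", b"#!/bin/sh\necho original ls\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        before = baseline(root)

        # Tamper 1: replace bin/ls with a same-size trojan and restore its old
        # mtime (timestomping), so size- and mtime-based checks show nothing.
        old = os.stat(ls_path)
        _write(root, "bin/ls", b"#!/bin/sh\necho trojaned ls\n")
        os.utime(ls_path, ns=(old.st_atime_ns, old.st_mtime_ns))
        # Tamper 2: drop a hidden file.  Tamper 3: delete a config file.
        _write(root, "bin/.hidden", b"backdoor\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        after = baseline(root)
        added, removed, modified = compare(before, after)
        return {
            "added": added,
            "removed": removed,
            "modified": modified,
            # False: the mtime was restored, so only the digest exposes the swap
            "ls_mtime_changed": before["bin/ls"]["mtime_ns"] != after["bin/ls"]["mtime_ns"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline itself must be kept where the monitored host cannot rewrite it (read-only media or a separate machine); an intruder with root who can edit the snapshot can make any tree look clean, which is why the same digest-based comparison is only as trustworthy as the storage of its reference data.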