Linux Security and Forensics
Recover lost partitions
PhotoRec, companion program to TestDisk , is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its Photo Recovery name) from digital camera memory. PhotoRec ignores the filesystem and goes after the underlying data, so it will still work even if your medias filesystem has been severely damaged or re-formatted.
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.
If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.
Ddrescue does not write zeros to the output when it finds bad sectors in the input, and does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps without wiping out the data already rescued.
Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies.
Recordable CD and DVD media keep their data only for a finite time (typically for many years). After that time, data loss develops slowly with read errors growing from the outer media region towards the inside. Just make two (or more) copies of every important CD/DVD you burn so that you can later recover them with ddrescue.
The logfile is periodically saved to disc. So in case of a crash you can resume the rescue with little recopying.
Ddrescue also features a "fill mode" able to selectively overwrite parts of the output file, which has a number of interesting uses like wiping data, marking bad areas or even, in some cases, "repair" damaged sectors.
Scalpel is an open source data carving tool.
Scalpel is a file carving and indexing application that runs on Linux and Windows. The first version of Scalpel, released in 2005, was based on Foremost 0.69. There have been a number of internal releases since the last public release, 1.60, primarily to support our own research. The newest public release v2.0, has a number of additional features, including: o minimum carve sizes. o multithreading for quicker execution on multicore CPUs. o asynchronous I/O that allows disk operations to overlap with pattern matching--this results in a substantial performance improvement. o regular expression support for headers/footers. o embedded header/footer matching for better processing of structured file types that may contain embedded files.
As of 6/27/2013 Scalpel has been released under the Apache 2.0 License and the source is available at The Sleuth Kit github repository.
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
Easy to Use
Autopsy was designed to be intuitive out of the box. Installation is easy and wizards guide you through every step. All results are found in a single tree. See the intuitive page for more details.
Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third-parties. Some of the modules provide:
- Timeline Analysis - Advanced graphical event viewing interface (video tutorial included).
- Hash Filtering - Flag known bad files and ignore known good.
- Keyword Search - Indexed keyword search to find files that mention relevant terms.
- Web Artifacts - Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.
- Data Carving - Recover deleted files from unallocated space using PhotoRec
- Multimedia - Extract EXIF from pictures and watch videos.
- Indicators of Compromise - Scan a computer using STIX.
Everyone wants results yesterday. Autopsy runs background tasks in parallel using multiple cores and provides results to you as soon as they are found. It may take hours to fully search the drive, but you will know in minutes if your keywords were found in the user's home folder. See the fast results page for more details.
Autopsy is free. As budgets are decreasing, cost effective digital forensics solutions are essential. Autopsy offers the same core features as other digital forensics tools and offers other essential features, such as web artifact analysis and registry analysis, that other commercial tools do not provide.
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.
ClamAVis also available for Windows as the result of a partnership between Immunet Corporation (http://www.immunet.com) and Sourcefire, Inc. (http://www.sourcefire.com). It is designed to provide the ClamAV community with a free Windows-specific Anti-Virus (AV) solution using an advanced Cloud-based protection mechanism. Smallest of all AV-applications: only 3.45MB download-file (32bit). You can use ClamAV For Windows as a stand-alone, host-based AV solution, or in conjunction with your pre-installed AV solution to provide enhanced detection for the latest malware threats.
Chkrootkit is a Linux tool to locally check for signs of a rootkit. It contains:
- chkrootkit: shell script that checks system binaries for rootkit modification.
- ifpromisc.c: checks if the interface is in promiscuous mode.
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- chkproc.c: checks for signs of LKM trojans.
- chkdirs.c: checks for signs of LKM trojans.
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.
Clonezilla is a free software disaster recovery, disk cloning and deployment solution.
You're probably familiar with the popular proprietary commercial package Norton Ghost®. The problem with these kind of software packages is that it takes a lot of time to massively clone systems to many computers. You've probably also heard of Symantec's solution to this problem, Symantec Ghost Corporate Edition® with multicasting. Well, now there is an OpenSource clone system (OCS) solution called Clonezilla with unicasting and multicasting!
Clonezilla, based on DRBL, Partclone and udpcast, allows you to do bare metal backup and recovery. There are two types of Clonezilla available: Clonezilla live and Clonezilla SE (server edition).
Clonezilla live is suitable for single machine backup and restore.
Clonezilla SE is for massive deployment, it can clone many (40 plus!) computers simultaneously.
Clonezilla saves and restores only used blocks in the harddisk. This increases the clone efficiency.
GParted is a GTK+ frontend to GNU Parted and the official GNOME Partition Editor application. It is used for creating, deleting, resizing, moving, checking and copying partitions, and the file systems on them. This is useful for creating space for new operating systems, reorganizing disk usage, copying data residing on hard disks and mirroring one partition with another (disk imaging).
GParted is developed on GNU/Linux. It can be used on other operating systems, such as Windows or Mac OS X, by booting from media containing GParted Live, which can be installed on CD, USB, PXE server, and Hard Disk then run on an x86 machine.
The bootable image is called GParted Live and enables all the features of the GParted application.
DevDocs combines multiple developer documentations in a clean and organized web UI with instant search, offline support, mobile version, dark theme, keyboard shortcuts, and more.
- Fully-functional offline
- Fast, fuzzy search
- Toggle docs on/off
- Multi-version support
- Keyboard shortcuts
- Retina support
- Mobile version
- Dark theme
- Free and open source