{"category":{"categoryid":440,"name":"app-forensics","summary":"The app-forensics category contains software which helps detect and analyse security breaches."},"packages":[{"categoryid":440,"description":"Library that implements the AFF image standard","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"afflib","packageid":55048},{"categoryid":440,"description":"american fuzzy lop - compile-time instrumentation fuzzer","firstseen":"2014-11-16T14:49:24.558164","maintainer":"hanno@gentoo.org","name":"afl","packageid":62805},{"categoryid":440,"description":"Fork of AFL, the popular compile-time instrumentation fuzzer","firstseen":"2021-04-01T01:08:54.023959","name":"aflplusplus","packageid":72646},{"categoryid":440,"description":"AIDE (Advanced Intrusion Detection Environment) is a file integrity checker","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"aide","packageid":52074},{"categoryid":440,"description":"Tool to locally check for signs of a rootkit","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"chkrootkit","packageid":47238},{"categoryid":440,"description":"CmosPwd decrypts password stored in cmos used to access BIOS SETUP","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"cmospwd","packageid":52102,"summary":"CmosPwd decrypts password stored in cmos used to access BIOS SETUP. Works with the following BIOSes - ACER\/IBM BIOS - AMI BIOS - AMI WinBIOS 2.5 - Award 4.5x\/4.6x\/6.0 - Compaq (1992) - Compaq (New version) - IBM (PS\/2, Activa, Thinkpad) - Packard Bell - Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107 - Phoenix 4 release 6 (User) - Gateway Solo - Phoenix 4.0 release 6 - Toshiba - Zenith AMI"},{"categoryid":440,"description":"Digital Forensics XML","firstseen":"2017-09-23T08:07:59.857251","name":"dfxml","packageid":68041},{"categoryid":440,"description":"Utilizes the objdump command to disassemble and comment foreign binaries","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"examiner","packageid":52545},{"categoryid":440,"description":"Console program to recover files based on their headers and footers","firstseen":"2010-05-04T00:54:45.661860","maintainer":"ikelos@gentoo.org","maintainername":"Gentoo Forensics Project","name":"foremost","packageid":48386},{"categoryid":440,"description":"IE Cookie Parser","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"galleta","packageid":53684},{"categoryid":440,"description":"A general purpose fuzzer with feedback support","firstseen":"2016-09-11T13:38:51.432849","name":"honggfuzz","packageid":65797},{"categoryid":440,"description":"Security and system auditing tool","firstseen":"2010-05-04T00:54:45.661860","maintainer":"idl0r@gentoo.org","maintainername":"Christian Ruppert","name":"lynis","packageid":53017},{"categoryid":440,"description":"mac-robber is a digital forensics and incident response tool that collects data","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"mac-robber","packageid":51820,"summary":"mac-robber is a digital forensics and incident response tool that collects data from allocated files in a mounted file system. The data can be used by the mactime tool in The Sleuth Kit to make a timeline of file activity. The mac-robber tool is based on the grave-robber tool from TCT and is written in C instead of Perl. mac-robber requires that the file system be mounted by the operating system, unlike the tools in The Sleuth Kit that process the file system themselves. Therefore, mac-robber will not collect data from deleted files or files that have been hidden by rootkits. mac-robber will also modify the Access times on directories that are mounted with write permissions. \"What is mac-robber good for then\", you ask? mac-robber is useful when dealing with a file system that is not supported by The Sleuth Kit or other forensic tools. mac-robber is very basic C and should compile on any UNIX system. Therefore, you can run mac-robber on an obscure, suspect UNIX file system that has been mounted read-only on a trusted system. I have also used mac-robber during investigations of common UNIX systems such as AIX."},{"categoryid":440,"description":"Find deleted files in block devices","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"magicrescue","packageid":50104,"summary":"Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at \"magic bytes\" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it. It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience (this program was not written for fun) shows, however, that chunks of 30-50MB are not uncommon."},{"categoryid":440,"description":"Simple memory dumper for UNIX-Like systems","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"memdump","packageid":52845},{"categoryid":440,"description":"IE Activity Parser","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"pasco","packageid":52273},{"categoryid":440,"description":"A general-purpose fuzzer","firstseen":"2016-09-11T13:38:51.432849","name":"radamsa","packageid":65798},{"categoryid":440,"description":"Recycle Bin Analyzer","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"rifiuti","packageid":52633},{"categoryid":440,"description":"Rootkit Hunter scans for known and unknown rootkits, backdoors, and sniffers","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"rkhunter","packageid":52488},{"categoryid":440,"description":"A high performance file carver","firstseen":"2011-05-28T14:37:31.818237","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"scalpel","packageid":57386,"summary":"Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2\/3, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery."},{"categoryid":440,"description":"A collection of file system and media management forensic analysis tools","firstseen":"2010-05-04T00:54:45.661860","maintainer":"forensics@gentoo.org","maintainername":"Gentoo Forensics Project","name":"sleuthkit","packageid":53511},{"categoryid":440,"description":"Forensic tool to find hidden processes and TCP\/UDP ports by rootkits\/LKMs","firstseen":"2011-12-02T14:35:38.514694","maintainer":"blueness@gentoo.org","maintainername":"Anthony G. Basile","name":"unhide","packageid":58246},{"categoryid":440,"description":"Framework for analyzing volatile memory","firstseen":"2022-04-05T04:54:59.363570","name":"volatility3","packageid":74734,"summary":"Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system."},{"categoryid":440,"description":"A malware identification and classification tool","firstseen":"2022-01-28T05:41:42.639875","name":"yara","packageid":74274,"summary":"YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns."},{"categoryid":440,"description":"A malware identification and classification tool","firstseen":"2024-05-31T02:01:35.425338","name":"yara-x","packageid":77550,"summary":"YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. YARA-X is a re-incarnation of YARA rewritten in Rust, eventually replacing YARA."},{"categoryid":440,"description":"Transparent application input fuzzer","firstseen":"2010-05-04T00:54:45.661860","name":"zzuf","packageid":52152}]}