F.I.R.E.
Forensic and
Incident Response Environment
FIRE is a portable, bootable CD-ROM-based Linux distribution whose goal is
to provide an immediate environment for forensic analysis, incident
response, data recovery, virus scanning and vulnerability assessment.
FIRE does not have to be installed. It is a bootable live Linux CD, meaning it
runs completely off your CD-ROM drive without being installed to your hard
drive; you don't even need a hard disk.
FIRE also provides the tools needed for live forensics and analysis on win32,
SPARC Solaris and x86 Linux hosts: mount the CD-ROM on the suspect machine and
run the trusted static binaries in /statbins instead of the host's own,
possibly trojaned, binaries. (Static binaries sidestep replaced libraries and
userland tools, but they still run on the suspect's kernel, so a kernel-level
rootkit can still hide activity from them.)
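The live-response use of /statbins described above, as an added example that is not FIRE's own code: a small POSIX shell collector that runs only the CD's static binaries, writes each command's output to a separate evidence volume, and keeps an MD5 manifest so the collection can be re-verified later. The mount point /mnt/cdrom, the evidence path /mnt/evidence, and the tool names assumed to exist under /statbins (date, uname, netstat, ps, lsof, mount, cat, mkdir, md5sum) are assumptions; the page does not list what /statbins contains.

```shell
#!/bin/sh
# Added example, not part of FIRE. Assumptions (not stated on the page):
# the CD is mounted read-only at /mnt/cdrom, /statbins carries the usual
# coreutils/procps names, and EVIDENCE is a separate volume or network
# mount, never the suspect's own disk.
STATBINS=${STATBINS:-/mnt/cdrom/statbins}
EVIDENCE=${EVIDENCE:-/mnt/evidence}

# Make the trusted tools the only ones the shell will find, and forget any
# command locations it already cached from the suspect's PATH.
use_trusted_path() {
    PATH=$STATBINS
    export PATH
    hash -r 2>/dev/null || true
}

# collect NAME CMD [ARGS...]: run CMD, save its output as NAME.txt and
# append the file's MD5 to the manifest so later tampering is detectable.
collect() {
    name=$1
    shift
    "$@" > "$EVIDENCE/$name.txt" 2>&1
    ( cd "$EVIDENCE" && "$STATBINS/md5sum" "$name.txt" >> manifest.md5 )
}

# verify_manifest DIR: re-check every collected file against the manifest.
verify_manifest() {
    ( cd "$1" && "$STATBINS/md5sum" -c manifest.md5 > /dev/null 2>&1 )
}

main() {
    use_trusted_path
    mkdir -p "$EVIDENCE"
    # Hash the tools themselves first, so the record shows what was run.
    "$STATBINS/md5sum" "$STATBINS"/* > "$EVIDENCE/tools.md5"
    # Volatile data, most volatile first; bracket it with timestamps.
    collect date     "$STATBINS/date"
    collect uname    "$STATBINS/uname" -a
    collect netstat  "$STATBINS/netstat" -anp
    collect ps       "$STATBINS/ps" auxww
    collect lsof     "$STATBINS/lsof" -n -P
    collect mount    "$STATBINS/mount"
    collect modules  "$STATBINS/cat" /proc/modules
    collect date_end "$STATBINS/date"
    # Caveat: static binaries cannot be lied to by a replaced libc or a
    # trojaned ps, but they still ask the running kernel. A kernel rootkit
    # can hide processes, sockets and modules from every command above, so
    # compare this output with the post-mortem view of the disk image.
}

# Only act when invoked as "sh fire-collect.sh run"; sourcing does nothing.
case "${1:-}" in run) main ;; esac
```

Run it as `sh fire-collect.sh run` from a shell on the suspect host after mounting the CD. Collection order matters: network state and process lists change fastest, so they are taken before the slower listings, and the two date stamps bound the window in which everything was gathered.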
Forensics Workstation / Data Recovery
Instantly deploy a forensics workstation with tct, tctutils, mac-robber and
autopsy. FIRE also provides perl 5.6.1 compiled with Large File Support.
Live System Incident Response
Trusted static binaries are available for incident response on a live machine.
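Building the timeline that mac-robber, tct's mactime and Autopsy produce from MAC times, as an added example rather than code from FIRE or TCT: a POSIX shell/awk script that turns a body file into a time-ordered list with the usual m/a/c/b flags. It assumes the 11-field body format of later Sleuth Kit releases (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds, 0 for unknown); mac-robber v1.0 as shipped here writes the older TCT-era layout, so the column numbers are the thing to adjust. The three body lines in demo() are constructed sample data, not real evidence.

```shell
#!/bin/sh
# Added example, not part of FIRE or TCT. Assumed input: the 11-field body
# format of later Sleuth Kit releases,
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# with epoch seconds and 0 for "unknown". Adjust $8..$11 for TCT-era files.
#
# timeline BODYFILE: one line per (time, file) pair, oldest first, with a
# four-character flag string saying which of m/a/c/b fired at that second.
timeline() {
    awk -F'|' '
    # add(t, flag, name): remember that NAME had timestamp FLAG at time T
    function add(t, f, n,   k) {
        k = t SUBSEP n
        flags[k] = flags[k] f
        if (!(k in seen)) { seen[k] = 1; order[++nkeys] = k }
    }
    NF >= 10 && $1 !~ /^MD5/ {
        if ($9  > 0) add($9,  "m", $2)   # mtime: content modified
        if ($8  > 0) add($8,  "a", $2)   # atime: content read
        if ($10 > 0) add($10, "c", $2)   # ctime: inode metadata changed
        if ($11 > 0) add($11, "b", $2)   # crtime: created, when known
    }
    END {
        for (i = 1; i <= nkeys; i++) {
            k = order[i]
            split(k, part, SUBSEP)
            f = flags[k]
            printf "%s %s%s%s%s %s\n", part[1],
                (index(f, "m") ? "m" : "."), (index(f, "a") ? "a" : "."),
                (index(f, "c") ? "c" : "."), (index(f, "b") ? "b" : "."),
                part[2]
        }
    }' "$1" | LC_ALL=C sort -k1,1n -k3,3
}

# Constructed sample body file (not real evidence) so the script runs
# offline: a dropped file under /tmp and the reads and edits around it.
demo() {
    body=$(mktemp)
    printf '%s\n' \
      '0|/etc/passwd|12|r/rrw-r--r--|0|0|1024|1000|900|900|0' \
      '0|/tmp/.x/backdoor|77|r/rrwxr-xr-x|0|0|4096|1000|1000|1000|0' \
      '0|/var/log/messages|40|r/rrw-r-----|0|0|8192|950|950|950|0' > "$body"
    timeline "$body"
    rm -f "$body"
}

# "sh timeline.sh demo" prints the sample; "sh timeline.sh body.txt" runs
# on a real body file; sourcing the script does nothing.
case "${1:-}" in demo) demo ;; '') : ;; *) timeline "$1" ;; esac
```

Times are left as epoch seconds because that is what the body file carries and it keeps the numeric sort trivially correct; on a GNU system `date -u -d @900` converts one. Read the output the way an analyst reads mactime: a burst of `mac.` lines under /tmp at one second is a file being dropped, while `.a..` entries nearby show what was read around it.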
Q: What is F.I.R.E.?
A: F.I.R.E. is a Forensic and Incident Response Environment on a bootable
CD-ROM. In other words, it is a Linux distribution with lots of useful security
tools and a menu system which makes it very easy to use. Nothing on your
computer is modified, so you can try it out safely.
F.I.R.E. was created and is maintained by William Salusky.
Q: What can I do with it?
A: Among other things, you can use F.I.R.E. to
* collect data from a potentially compromised host and do a forensic analysis
* respond to a security incident using trusted binaries
* recover data from lost partitions
* do a virus check of your hard drives in a clean environment
* carry out a penetration test or vulnerability assessment
F.I.R.E. can be booted into a comfortable X-Window environment or operated from
a standard text console (even over a serial cable). Menus that help you perform
common tasks are available in both cases.
Q: But there are several other security/rescue Linux distributions out there.
Why should I be interested in F.I.R.E.?
A: You are right, there are several other CD-ROM- or floppy-based distros, e.g.
- Knoppix
- Trinux or
- PLAC
* Knoppix offers a huge amount of applications and excellent hardware detection
but F.I.R.E. offers far more tools relevant to the security expert
* Trinux can be booted from a floppy disk and can run on very old computers but
F.I.R.E. includes far more tools by default and an optional graphical X-Server
which allows it to run software available only in GUI versions.
* PLAC is a good collection of security tools on a live CD-ROM but F.I.R.E. has
a menu system which makes it very easy to use, it specializes in data
recovery and forensic analysis, and it is actively developed.
Q: What tools are included?
A: Far too many to list here. Some popular ones are:
* Nessus, Nmap, whisker, hping2, hunt, fragrouter
* Ethereal, Snort, tcpdump, ettercap, dsniff, airsnort
* chkrootkit, F-Prot
* tct, tctutils, Autopsy
* Testdisk, fdisk, gpart
* SSH (client and Server), VNC (client and server)
* Mozilla, ircII, mc, Perl, biew, fenris, gpg
Scroll down for a more detailed list.
Q: What platforms will F.I.R.E. run on?
A: F.I.R.E. requires an Intel x86 compatible PC with at least 48MB RAM. To use
the X Window System your graphics card and monitor must support 800x600 pixels
and a VESA frame buffer, and you will need a mouse as well.
Small List Of Software On F.I.R.E. Linux
Name | Description
bsed | binary stream editor
burneye v1.0 | burneye ELF encryption program, x86-linux binary
cgrep v8.13 | shows the context of matching patterns found in files; cgrep
  provides all the features of grep, egrep and fgrep
cpio | GNU cpio copies files into or out of a cpio or tar archive. The archive
  can be another file on the disk, a magnetic tape, or a pipe.
curl v7.10.4 | Curl is a tool for transferring files with URL syntax,
  supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Curl
  supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, Kerberos,
  HTTP form-based upload, proxies, cookies, user+password authentication, file
  transfer resume, HTTP proxy tunneling and a busload of other useful tricks.
di v3.8 (disk info) | 'di' is a disk information utility, displaying
  everything (and more) that your 'df' command does. It can display your disk
  usage in whatever format you prefer or are used to.
echoping | echoping is a small program to test (approximately) the
  performance of a remote host by sending it TCP echo (or other protocol)
  packets.
expect v5.32.2 | Expect is a tool for automating interactive applications
  such as telnet, ftp, passwd, fsck, rlogin, tip, etc. Expect is also useful
  for testing these same applications.
fdisk | general partition tool
gentoo v0.11.34 file manager | gentoo is a modern, powerful, flexible and
  utterly configurable file manager for UNIX systems, written using the GTK+
  toolkit. It aims to be 100% graphically configurable; there is no need to
  edit config files by hand and then restart the application. gentoo is
  somewhat inspired in its look and feel by the classic Amiga program
  DirectoryOpus 4, but is not a "clone".
gpg v1.2.1 | GnuPG stands for GNU Privacy Guard and is GNU's tool for secure
  communication and data storage. It can be used to encrypt data and to
  create digital signatures. It includes an advanced key management facility
  and is compliant with the proposed OpenPGP Internet standard as described
  in RFC 2440. As such, it is aimed to be compatible with PGP from NAI Inc.
Java JRE v1.4 | Sun's Java runtime environment
links v0.9x | Links is a text-based browser with support for HTML tables and
  frames.
lsof v4.66 | list open files
lufs v0.8.3 | Linux userland file system support: sshfs, localefs, gvfs,
  ftpfs, cefs
macchanger v1.3.0 | change your MAC address
mc | Midnight Commander interface
minicom v2.00 | a Unix telecommunications program
Mozilla v0.9.8 | Mozilla is an open-source web browser, designed for
  standards compliance, performance and portability.
partimage v0.6.2 | Partition Image is a Linux/UNIX utility which saves
  partitions in many formats to an image file. (Not forensically sound, but
  good for system recovery work.)
perl 5.8.0 | compiled with support for >2G files, including a bunch of
  useful Perl modules to boot.
ppp | PPP support
radmind v0.9.2 | remote administration daemon
rlogin | rlogin
rpcinfo | reports the RPC services registered on a host; ya gotta keep RPC
  enumerated...
secure-delete v2.3 | secure deletion utilities: sswap, srm, ...
snmputils | SNMP utilities; gotta be able to snmpwalk, dontchya?
Sonar v1.0BETA4 | Sonar is a network reconnaissance utility which runs all
  its scans from plugins. The currently supported plugins are an ICMP scan
  and an ACK scan which can see if hosts that don't respond to ICMP are
  online. This release fixes a few annoying bugs; the ICMP scan has been made
  more versatile, allowing you to choose an ICMP type and ICMP code.
sshd v3.1p1 | Red Hat's back-patched version. It is up to date and is not
  currently exploitable according to Red Hat's RPM (until the next ssh
  exploit is found, of course!).
tcpdump v3.7.1 | Tcpdump allows you to dump the traffic on a network. It can
  be used to print out the headers of packets on a network interface that
  match a given expression. You can use this tool to track down network
  problems, to detect "ping attacks" or to monitor network activity.
telnetd | telnetd; sometimes you just need the basics
TestDisk v4.4 | Tool to check and undelete partitions. Works with the
  following partition types: FAT12, FAT16, FAT32, Linux, Linux swap (version
  1 and 2), NTFS (Windows NT), BeFS (BeOS), UFS (BSD), Netware, ReiserFS.
tftpd | tftpd
upx v1.24 | "the Ultimate Packer for eXecutables"
w3m v0.4.1 | a text-based web browser and pager
webfsd v1.19 | nice and light web server daemon
wipe v2.0 | Wipe is a secure file wiping utility.
AIDE v0.9 | AIDE (Advanced Intrusion Detection Environment) is a free
  replacement for Tripwire. It does the same things as the semi-free Tripwire
  and more.
argus | the network Audit Record Generation and Utilization System. The Argus
  Open Project is focused on developing network activity audit strategies
  that can do real work for the network architect, administrator and network
  user.
Autopsy v1.7.1 | The Autopsy Forensic Browser is an HTML-based graphical
  interface to The Sleuth Kit and standard UNIX utilities. Autopsy automates
  many of the tasks required during a digital forensic analysis using the
  TASK collection of powerful command line tools as a foundation. Since this
  graphical interface is separate from the file system tools, an investigator
  can still use a command line interface if Autopsy cannot accomplish the
  desired outcome.
biew v5.3.2 | BIEW is a free, portable, advanced file viewer with a built-in
  editor for binary, hexadecimal and disassembler modes.
bwplot | Plot information about packet captures.
chkrootkit v0.40 | chkrootkit is a tool to locally check for signs of a
  rootkit.
CmosPwd v4.2 | CMOS password recovery tool. Works with the following BIOSes:
  ACER/IBM BIOS; AMI BIOS; AMI WinBIOS 2.5; Award 4.5x/4.6x; Compaq (1992);
  Compaq (new version); IBM (PS/2, Activa, Thinkpad); Packard Bell; Phoenix
  1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev
  1.13.1107; Phoenix 4 release 6 (User); Gateway Solo - Phoenix 4.0 release
  6; Toshiba; Zenith AMI.
cryptcat | encryption-enabled netcat
dcfldd (or edd, enhanced dd) | the original dd tool enhanced with built-in
  MD5 hashing. Development work completed by the DoD Computer Forensics Lab.
Disk Investigator (win32) | disk viewer
dsniff tools v2.3 | dsniff is a collection of tools for network auditing and
  penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and
  webspy passively monitor a network for interesting data (passwords, e-mail,
  files, etc.). arpspoof, dnsspoof and macof facilitate the interception of
  network traffic normally unavailable to an attacker (e.g. due to layer-2
  switching). sshmitm and webmitm implement active monkey-in-the-middle
  attacks against redirected SSH and HTTPS sessions by exploiting weak
  bindings in ad-hoc PKI.
editreg | Linux command line tool to examine Windows registries.
ethereal v0.9.11 | Ethereal is a free network protocol analyzer for Unix and
  Windows.
fatback v1.3 | tool developed by the DoD Computer Forensics Lab to undelete
  files from FAT filesystems
fenris v0.3 | fenris is a multipurpose tracer, stateful analyzer and partial
  decompiler intended to simplify bug tracking, security audits, code,
  algorithm and protocol analysis and computer forensics by providing a
  structural program trace, general information about internal
  constructions, execution path, memory operations, I/O, conditional
  expression info, and much more.
foremost v0.64 | Digs through an image file to find the files within, using
  header information.
FTimes v3.2.1 | FTimes (a.k.a. ftimes) is a system baselining and evidence
  collection tool. The primary purpose of FTimes is to gather and/or develop
  information about specified directories and files in a manner conducive to
  intrusion analysis.
gpart 0.1h | Gpart is a tool which tries to guess the primary partition table
  of a PC-type hard disk in case the primary partition table in sector 0 is
  damaged, incorrect or deleted. The guessed table can be written to a file
  or device.
hbd v0.2.3 | The HomeBrew Java decompiler
hexedit v1.2.1 | ncurses-based hex editor
LDE - Linux Disk Editor v2.5 | LDE allows you to view and edit disk blocks as
  hex and/or ASCII, view/navigate directory entries, and view and edit
  formatted inodes. Most of the functions can be accessed using the program's
  curses interface or from the command line so that you can automate things
  with your own scripts.
logdump v1.0 | Extracts syslog data from tcpdump savefiles.
MAC Daddy | MAC time collector for forensic incident response. This toolset
  is a modified version of the two programs tree.pl and mactime from the
  Coroner's Toolkit by Dan Farmer and Wietse Venema.
mac-robber v1.0 | mac-robber is a forensics and incident response program
  that collects Modified, Access and Change (MAC) times from files. Its output
  can be used as input to the mactime tool in The Coroner's Toolkit (TCT) to
  make a timeline of file activity. mac-robber is similar to running the
  grave-robber tool with the '-m' flag, except that it is written in C and
  not Perl. This work was done at @stake.
md5deep v0.16 (linux & win32) | md5deep is a cross-platform program to
  compute MD5 message digests on an arbitrary number of files.
memfetch v0.04b | Linux on-demand process image dumper
ngrep v1.40 | Ngrep is a powerful network sniffing tool which strives to
  provide most of GNU grep's common features, applying them to all network
  traffic.
ol2mbox - libPST v1.0.4 - libDBX v1.0.3 | provide libraries and applications
  for the conversion of Outlook and Outlook Express data files to Linux MBOX
  format.
photorec v1.0 | PhotoRec is a little tool to recover pictures from digital
  camera memory
pwl9x v0.07 | Windows 9x Password List reader is a program that will allow
  you to see the passwords contained in your Windows pwl database under Unix.
  You can check the security of these files or try to recover the main
  password using the brute-force mode.
rda v0.2.1 | RDA is a computer forensics tool to remotely acquire data.
rec (reverse engineering compiler) | Reverse Engineering Compiler
ree v1.3 | ree (ROM extension extractor) scans your memory (/dev/mem) for ROM
  extensions, and writes them out to files. ROM extensions are BIOSes which
  reside on ROM chips in your computer.
snort v2.0 (inline) | snort! need I say more?
ssldump v0.9b3 | ssldump is an SSLv3/TLS network protocol analyzer. It
  identifies TCP connections on the chosen network interface and attempts to
  interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic,
  it decodes the records and displays them in a textual form to stdout. If
  provided with the appropriate keying material, it will also decrypt the
  connections and display the application data traffic.
StegDetect v0.5 | Stegdetect is an automated tool for detecting
  steganographic content in images. It is capable of detecting several
  different steganographic methods of embedding hidden information in JPEG
  images. Currently the detectable schemes are jsteg, jphide (Unix and
  Windows), invisible secrets, and outguess 01.3b.
tcpdstat | get summary information about a tcpdump file. tcpdstat reads a
  tcpdump file using the pcap library and prints the statistics of a trace.
  The output includes the number of packets, the average rate and its
  standard deviation, the number of unique source and destination address
  pairs, and the breakdown of protocols.
tcpflow v0.20 | tcpflow is a program that captures data transmitted as part
  of TCP connections (flows), and stores the data in a way that is convenient
  for protocol analysis or debugging. A program like 'tcpdump' shows a
  summary of packets seen on the wire, but usually doesn't store the data
  that's actually being transmitted. In contrast, tcpflow reconstructs the
  actual data streams and stores each flow in a separate file for later
  analysis.
tcpreplay v1.4 | Tcpreplay is aimed at testing the performance of a NIDS by
  replaying real background network traffic in which to hide attacks.
  Tcpreplay allows you to control the speed at which the traffic is replayed,
  and can replay arbitrary tcpdump traces. Unlike programmatically-generated
  artificial traffic, which doesn't exercise the application/protocol
  inspection that a NIDS performs and doesn't reproduce the real-world
  anomalies that appear on production networks (asymmetric routes, traffic
  bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for
  exact replication of real traffic seen on real networks.
tcpslice v1.2a1 | a tool for extracting portions of packet trace files
  generated using tcpdump's -w flag.
tcptrace v6.2.0 | tcptrace is a tool written by Shawn Ostermann at Ohio
  University for analysis of TCP dump files. It can take as input the files
  produced by several popular packet-capture programs, including tcpdump,
  snoop, etherpeek, HP Net Metrix and WinDump. tcptrace can produce several
  different types of output containing information on each connection seen,
  such as elapsed time, bytes and segments sent and received,
  retransmissions, round trip times, window advertisements, throughput, and
  more. It can also produce a number of graphs for further analysis.
TCT v1.11 | TCT is a collection of programs by Dan Farmer and Wietse Venema
  for post-mortem analysis of a UNIX system after a break-in.
The Sleuth Kit v1.61 | The Sleuth Kit (previously known as TASK) is a
  collection of UNIX-based command line file system forensic tools that allow
  an investigator to examine NTFS, FAT, FFS, EXT2FS and EXT3FS file systems
  of a suspect computer in a non-intrusive fashion. The tools have a
  layer-based design and can extract data from internal file system
  structures. Because the tools do not rely on the operating system to
  process the file systems, deleted and hidden content is shown.
TNEF v1.2.0 | TNEF provides a way to unpack those pesky Microsoft MS-TNEF
  MIME attachments. It operates like tar in order to unpack any files which
  may have been put into the MS-TNEF attachment instead of being attached
  separately.
VNC - tightvnc | VNC (an abbreviation for Virtual Network Computing) is a
  great client/server software package allowing remote network access to
  graphical desktops. Used in biatchux (FIRE's former name) to send remote
  consoles!
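Acquisition with a verifiable hash, the check behind the dcfldd and md5deep entries above, as an added example that is not FIRE's code: a POSIX shell function that images a source with dd, records the MD5 of source and image in a log, and a second function that re-verifies the image against that log later. The source and image paths, the log format, and the use of plain dd plus md5sum (dcfldd does the hashing in the same pass with its hash=md5 and hashlog= options) are assumptions for the example; the source in demo() is a constructed 8 KB random file, not a real device.

```shell
#!/bin/sh
# Added example, not part of FIRE. Assumptions not on the page: the source
# is a block device or file that is never opened for writing, the image and
# log live on a separate volume, and md5sum is on PATH.

# acquire SRC IMG LOG: copy SRC to IMG, record both hashes in LOG, and
# return 0 only if they match. conv=noerror,sync keeps going past read
# errors and zero-fills the bad block, which is what you want on a dying
# disk, but it means a hash mismatch must then be explained from the log.
acquire() {
    src=$1 img=$2 log=$3
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>> "$log" || return 1
    src_sum=$(md5sum < "$src" | cut -d' ' -f1)
    img_sum=$(md5sum < "$img" | cut -d' ' -f1)
    printf 'source  %s  %s\nimage   %s  %s\n' \
        "$src_sum" "$src" "$img_sum" "$img" >> "$log"
    [ "$src_sum" = "$img_sum" ]
}

# verify_image IMG LOG: re-hash the image later and compare it with the
# image hash recorded at acquisition time (what md5sum -c automates).
verify_image() {
    img=$1 log=$2
    recorded=$(awk '$1 == "image" { print $2 }' "$log" | tail -n 1)
    [ -n "$recorded" ] && [ "$(md5sum < "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Constructed sample, not a real device: 8 KB of random bytes stands in for
# the source so the script runs offline. Real use: acquire /dev/hda1 ...
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/src" bs=4096 count=2 2>/dev/null
    acquire "$d/src" "$d/src.img" "$d/acq.log" || return 1
    verify_image "$d/src.img" "$d/acq.log" || return 1
    cat "$d/acq.log"
    rm -rf "$d"
}

# "sh acquire.sh demo" runs the sample; sourcing the script does nothing.
case "${1:-}" in demo) demo ;; esac
```

The source is hashed after the copy rather than before so the device is read exactly twice and the two reads bracket the acquisition; if the two hashes differ on a device that is not failing, something wrote to it while you were imaging, and that is the finding to chase before anything else.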
FIRE Linux CD
Price with shipping included for USA: $24.99
Price with shipping included worldwide: $29.99