Forensic & Incident Response Environment

If you need to get this now, go to the theonlypcdoctor.com store, our new site for downloads. There are also discounts from our regular prices.


F.I.R.E. Forensic and Incident Response Environment

FIRE is a portable bootable cdrom based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment.

FIRE DOES NOT HAVE TO BE INSTALLED. FIRE IS A BOOTABLE LIVE LINUX CD, MEANING IT RUNS COMPLETELY OFF YOUR CD-ROM DRIVE WITHOUT HAVING TO INSTALL IT TO YOUR HARD DRIVE. You don't even need a hard disk!

FIRE also provides necessary tools for live forensics/analysis on win32, sparc solaris and x86 linux hosts just by mounting the cdrom and using trusted static binaries available in /statbins.

Forensics workstation/Data Recovery
Instantly deploy a forensics workstation with tct, tctutils, mac-robber and Autopsy; FIRE also provides Perl 5.6.1 compiled with Large File Support.

Live System Incident Response
Binaries are available for Incident Response on a live machine.

Q: What is F.I.R.E.?
A: F.I.R.E. is a Forensic and Incident Response Environment on a bootable CD-ROM. In other words, it is a Linux distribution with lots of useful security tools and a fine menu system which makes it very easy to use. Nothing on your computer is modified, so you can try it out safely.

F.I.R.E. was created and is maintained by William Salusky

Q: What can I do with it?
A: Among other things, you can use F.I.R.E. to
* collect data from a potentially compromised host and do a forensic analysis
* respond to a security incident using trusted binaries
* recover data from lost partitions
* do a virus check of your harddrives in a clean environment
* carry out a penetration test or vulnerability assessment

F.I.R.E. can be booted into a comfortable X-Window environment or operated from a standard text console (even over a serial cable). Menus that help you perform common tasks are available in both cases.


Q: But there are several other security/rescue Linux distributions out there. Why should I be interested in F.I.R.E.?
A: You are right, there are several other CD-ROM- or floppy-based distros, e.g.
- Knoppix
- Trinux or
- PLAC

* Knoppix offers a huge amount of applications and excellent hardware detection but F.I.R.E. offers far more tools relevant to the security expert
* Trinux can be booted from a floppy disk and can run on very old computers but F.I.R.E. includes far more tools by default and an optional graphical X-Server which allows it to run software available only in GUI versions.
* PLAC is a good collection of security tools on a live CD-ROM, but F.I.R.E. has a menu system which makes it very easy to use, it specializes in data recovery and forensic analysis, and it is actively developed.


Q: What tools are included?
A: Far too many to list here. Some popular ones are:

* Nessus, Nmap, whisker, hping2, hunt, fragrouter
* Ethereal, Snort, tcpdump, ettercap, dsniff, airsnort
* chkrootkit, F-Prot
* tct, tctutils, Autopsy
* Testdisk, fdisk, gpart
* SSH (client and Server), VNC (client and server)
* Mozilla, ircII, mc, Perl, biew, fenris, gpg

Scroll down for a more detailed list.


Q: What platforms will F.I.R.E. run on?
A: F.I.R.E. requires an Intel x86 compatible PC with at least 48MB RAM. To use the X Window System your graphics card and monitor must support 800x600 pixels and a VESA frame buffer. Of course you will then need a mouse as well.

Small List Of Software On F.I.R.E. Linux

Name Description
bsed binary stream editor

burneye v1.0 burneye ELF encryption program, x86-linux binary

cgrep v8.13 shows context of matching patterns found in files cgrep provides all the features of grep, egrep, and fgrep

cpio GNU cpio copies files into or out of a cpio or tar archive. The archive can be another file on the disk, a magnetic tape, or a pipe.

curl v7.10.4 Curl is a tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and a busload of other useful tricks.

di v3.8 (disk info) 'di' is a disk information utility, displaying everything (and more) that your 'df' command does. It features the ability to display your disk usage in whatever format you desire/prefer/are used to.

echoping echoping is a small program to test (approximately) the performance of a remote host by sending it TCP echo (or other protocol) packets.

expect v5.32.2 Expect is a tool for automating interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, etc. Expect is also useful for testing these same applications.

fdisk fdisk - general partition tool

gentoo v0.11.34 file manager gentoo is a modern, powerful, flexible, and utterly configurable file manager for UNIX systems, written using the GTK+ toolkit. It aims to be 100% graphically configurable; there's no need to edit config files by hand and then restart the application. gentoo is somewhat inspired in its look & feel by the classic Amiga program DirectoryOpus 4, but is not a "clone".

gpg v.1.2.1 GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI Inc.

Java JRE v1.4 Sun's java run time environment


links v0.9x Links is a text-based browser with support for HTML tables and frames.

lsof v4.66 list open files

lufs v0.8.3 linux user file system support: sshfs, localefs, gvfs, ftpfs, cefs

macchanger v1.3.0 Change your mac address

mc Midnight commander interface

minicom v2.00 a unix telecomm program

Mozilla v0.9.8 Mozilla is an open-source web browser, designed for standards compliance, performance and portability.

partimage v0.6.2 Partition Image is a Linux/UNIX utility which saves partitions in many formats to an image file. (Not Forensically sound, but good for system recovery work)

perl 5.8.0 compiled with support for >2G files, including a bunch o useful perl modules to boot.

ppp ppp support

radmind v0.9.2 remote administration daemon

rlogin rlogin

rpcinfo ya gotta keep rpc enumerated...

secure-delete v2.3 secure deletion utilities - sswap, srm, ...

snmputils gotta be able to snmpwalk dontchya?

Sonar v1.0BETA4 Sonar is a network reconnaissance utility which runs all its scans from plugins. The currently supported plugins are an ICMP scan and an ACK scan which can see if hosts that don't respond to ICMP are online. Changes: This release fixes a few annoying bugs. The ICMP scan has been made more versatile, allowing you to choose an ICMP type and ICMP code

sshd v3.1p1 This is RedHat's back patched version. Yes... It IS up to date, and is NOT currently exploitable based on RedHat's rpm. (until the NEXT ssh exploit is found of course!)

tcpdump v3.7.1 Tcpdump allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that matches a given expression. You can use this tool to track down network problems, to detect "ping attacks" or to monitor the network activities.

telnetd telnetd, sometimes you just need the basics

TestDisk v4.4 Tool to check and undelete partitions. Works with the following partitions: FAT12, FAT16, FAT32; Linux; Linux SWAP (version 1 and 2); NTFS (Windows NT); BeFS (BeOS); UFS (BSD); Netware; ReiserFS

tftpd tftpd

upx v1.24 "the Ultimate Packer for eXecutables"

w3m v0.4.1 a text based web browser and pager

webfsd v1.19 nice and lite web server daemon

wipe v2.0 Wipe is a secure file wiping utility.

AIDE v0.9 AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.

argus the network Audit Record Generation and utilization System. The Argus Open Project is focused on developing network activity audit strategies that can do real work for the network architect, administrator and network user.

Autopsy v1.7.1 The Autopsy Forensic Browser is an HTML-based graphical interface to The Sleuth Kit and standard UNIX utilities. Autopsy automates many of the tasks required during a digital forensic analysis using the TASK collection of powerful command line tools as a foundation. Since this graphical interface is separate from the file system tools, an investigator can still use a command line interface if Autopsy cannot accomplish the desired outcome.

biew v5.3.2 BIEW- is a free, portable, advanced file viewer with built-in editor for binary, hexadecimal and disassembler modes.

bwplot Plot information about packet captures.

chkrootkit v0.40 chkrootkit is a tool to locally check for signs of a rootkit

CmosPwd v4.2 CMOS password recovery tools. Works with the following BIOSes: ACER/IBM BIOS; AMI BIOS; AMI WinBIOS 2.5; Award 4.5x/4.6x; Compaq (1992); Compaq (New version); IBM (PS/2, Activa, Thinkpad); Packard Bell; Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107; Phoenix 4 release 6 (User); Gateway Solo; Phoenix 4.0 release 6; Toshiba; Zenith AMI

cryptcat encryption enabled netcat

dcfldd (or edd, enhanced dd) the original dd tool enhanced with MD5 hashing built in. Development work completed by the DoD Computer Forensics Lab.

Disk Investigator (win32) Disk viewer

dsniff tools v2.3 dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

editreg linux command line tool to examine windows registries.

ethereal v.0.9.11 Ethereal is a free network protocol analyzer for Unix and Windows.

fatback v1.3 DoD Computer forensics lab developed tool to undelete files from FAT filesystems

fenris v0.3 fenris is a multipurpose tracer, stateful analyzer and partial decompiler intended to simplify bug tracking, security audits, code, algorithm, protocol analysis and computer forensics by providing a structural program trace, general information about internal constructions, execution path, memory operations, I/O, conditional expression info, and much more.

foremost v0.64 Digs through an image file to find files within using header information.

FTimes v3.2.1 FTimes (a.k.a ftimes) is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.

gpart 0.1h Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted. The guessed table can be written to a file or device.

hbd v0.2.3 The HomeBrew Java decompiler

hexedit v1.2.1 ncurses based hexeditor

LDE - Linux Disk Editor v2.5 LDE allows you to view and edit disk blocks as hex and/or ASCII, view/navigate directory entries, and view and edit formatted inodes. Most of the functions can be accessed using the program's curses interface or from the command line so that you can automate things with your own scripts.

logdump v1.0 Extracts syslog data from tcpdump savefiles.

MAC Daddy MAC Time collector for forensic incident response. This toolset is a modified version of the two programs tree.pl and mactime from the Coroner's Toolkit by Dan Farmer and Wietse Venema.

mac-robber v1.0 mac-robber is a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. Its output can be used as input to the mactime tool in The Coroner's Toolkit (TCT) to make a timeline of file activity. mac-robber is similar to running the grave-robber tool with the '-m' flag, except this is written in C and not Perl. This work was done at @stake

md5deep v0.16 (linux & win32) md5deep is a cross-platform program to compute MD5 message digests on an arbitrary number of files.
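The forensic workstation flow the page describes (collect MAC times with mac-robber, feed them to mactime for a timeline, hash the evidence with md5deep or dcfldd) as an added Python example. This is not code from FIRE, TCT, mac-robber or md5deep; it is a small stand-in for those tools, and the sample tree, its file names, contents and timestamps are constructed here so the script runs offline.

```python
# Added example, not part of FIRE or of the mac-robber/mactime/md5deep projects:
# a small Python stand-in for the mac-robber -> mactime -> md5deep workflow,
# run over a constructed sample tree so it works offline.
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def make_sample_tree():
    """Build a small constructed 'suspect' tree under a temp dir with known M and A
    times. os.utime(path, (atime, mtime)) sets A and M; C (inode change) is set by
    the kernel when the file is written and touched."""
    root = tempfile.mkdtemp(prefix="fire-sample-")
    samples = {  # constructed: relpath -> (content, atime, mtime)
        "bin/ls": (b"hello world", 1_000_000_100, 1_000_000_000),  # A is 100 s after M
        "etc/passwd": (b"root:x:0:0::/root:/bin/sh\n", 1_000_000_200, 1_000_000_200),  # same second
    }
    for rel, (data, atime, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (atime, mtime))
    return root


def collect_mac_times(root):
    """mac-robber style: lstat every regular file under root (never follow symlinks,
    never open the file) and return (relpath, size, mtime, atime, ctime) records."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            records.append((os.path.relpath(path, root), st.st_size,
                            int(st.st_mtime), int(st.st_atime), int(st.st_ctime)))
    return records


def build_timeline(records):
    """mactime style: one row per (timestamp, file), flagged 'm', 'a', 'c' or '.'
    for each of the three times that fired in that second, sorted chronologically."""
    fired = {}
    for rel, _size, mtime, atime, ctime in records:
        for ts, flag in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            fired.setdefault((ts, rel), set()).add(flag)
    return [(ts, "".join(f if f in flags else "." for f in "mac"), rel)
            for (ts, rel), flags in sorted(fired.items())]


def hash_files(root):
    """md5deep style: MD5 of every regular file under root, read in chunks so a
    large image does not have to fit in memory."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            md5 = hashlib.md5()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    md5.update(chunk)
            digests[os.path.relpath(path, root)] = md5.hexdigest()
    return digests


def run_collection(root):
    """Order matters: collect MAC times BEFORE hashing, because opening a file to
    hash it can update its atime (e.g. on relatime mounts when the stored atime is
    older than mtime/ctime), which would corrupt the timeline."""
    timeline = build_timeline(collect_mac_times(root))
    digests = hash_files(root)
    return timeline, digests


def format_timeline(timeline):
    """Render rows the way mactime prints them: UTC date, MAC flags, path."""
    return "\n".join(
        f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S}  {flags}  {rel}"
        for ts, flags, rel in timeline)


if __name__ == "__main__":
    sample_root = make_sample_tree()
    tl, sums = run_collection(sample_root)
    print(format_timeline(tl))
    for rel, digest in sorted(sums.items()):
        print(f"{digest}  {rel}")
```

The two sample files show the two cases an analyst reads off a mactime timeline: bin/ls appears twice (an "m.." row and a later ".a." row, i.e. it was read after it was last modified), while etc/passwd collapses into a single "ma." row because both times fall in the same second. The hashes are computed only after the timeline has been taken, which is the same reason a real run executes mac-robber before md5deep.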

memfetch v0.04b Linux on-demand process image dumper

ngrep v1.40 Ngrep is a powerful network sniffing tool which strives to provide most of GNU grep's common features, applying them to all network traffic.

ol2mbox - libPST v1.0.4 - libDBX v1.0.3 provide libraries and applications for the conversion of Outlook and Outlook Express data files to Linux MBOX format.

photorec v1.0 PhotoRec is a little tool to recover pictures from digital camera memory

pwl9x v0.07 Windows 9x Password List reader is a program that will allow you to see the passwords contained in your Windows pwl database under Unix. You can check the security of these files/try to recover the main password using the bruteforce mode.

rda v0.2.1 RDA is a computer forensics tool to remotely acquire data.

rec (reverse engineering compiler) Reverse Engineering compiler

ree v1.3 ree (ROM extension extractor) scans your memory (/dev/mem) for ROM extensions, and writes them out to files. ROM extensions are BIOSes which reside on ROM chips in your computer.

snort v2.0 (inline) snort! need i say more?

ssldump v0.9b3 ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

StegDetect v0.5 Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images. Currently, the detectable schemes are jsteg, jphide (Unix and Windows), invisible secrets, and outguess 01.3b.

tcpdstat get summary information of a tcpdump file. tcpdstat reads a tcpdump file using the pcap library and prints the statistics of a trace. The output includes the number of packets, the average rate and its standard deviation, the number of unique source and destination address pairs, and the breakdown of protocols.

tcpflow v0.20 tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

tcpreplay v1.4 Tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. Tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically-generated artificial traffic which doesn't exercise the application/protocol inspection that a NIDS performs, and doesn't reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.

tcpslice v1.2a1 a tool for extracting portions of packet trace files generated using tcpdump's -w flag.

tcptrace v6.2.0 tcptrace is a tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files. It can take as input the files produced by several popular packet-capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis.

TCT v1.11 TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in.

The Sleuth Kit v1.61 The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file system forensic tools that allow an investigator to examine NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems of a suspect computer in a non-intrusive fashion. The tools have a layer-based design and can extract data from internal file system structures. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.

TNEF v1.2.0 TNEF provides a way to unpack those pesky Microsoft MS-TNEF MIME attachments. It operates like tar in order to unpack any files which may have been put into the MS-TNEF attachment instead of being attached separately.

VNC - tightvnc VNC (an abbreviation for Virtual Network Computing) is a great client/server software package allowing remote network access to graphical desktops. Used in biatchux to send remote consoles!

Price with shipping included for USA: FIRE Linux CD, $24.99
Price with shipping included for Worldwide: FIRE Linux CD, $29.99




All trademarks and copyrights on the CD's are owned by their respective companies.

Questions or problems regarding this web site should be directed to [online form].
Copyright © 2002-2009 [PC Doctor]. All rights reserved.
Last modified: 07/08/10.
