Skip to content

Forensics Live CD

April 7, 2007

DEFT v1.0

You may wish to check out DEFT (“Digital Evidence & Forensic Toolkit”) v1.0 by Stefano Fratepietro which was released recently  on March 28, 2007. It’s a nice security / forensics Live CD distro built on top of Kubuntu.

It contains the Sleuth kit & Autopsy frontend, the afflib “Advanced Forensic Format” tools, dd rescue, foremost, hex dump, ophcrack – a windows password recovery tool, qtparted, testdisk, vinetto (examine Thumbs.db files), readpst (examine MS-Outlook pst files), kismet, wireshart, ettercap, airsnort, and other network sniffers.

One downside of this distro is it appears to require 256mb of ram and won’t work on systems with 128mb.
Personally, I need a live CD distro that can easily run on legacy systems that I frequently need to work on.

Another ubuntu based live CD security distro you may wish to check out is nubuntu.

Backtrack 2

Another recently released (March 6th, 2007) security live CD distro with some forensics tools is Backtrack 2.  It is based on top of slackware/SLAX, and uses a KDE or Fluxbox windows manager.   Apparently two other security distros, WHAX and Auditor, were combined to make this excellent tool.   It’s main focus is penetration and network security testing, and has broadcom driver support too! It contains hundreds of tools, to numerous to list, however some of the forensics tools include;  the Sleuthkit and Autopsy, allin1 – automation frontend for sleuthkit, dd_rescue, dcfldd – an updated an enhanced version of dd), foremost, magicrescue – scan a block device for known file types, mboxgrep – searches a variety of types of mailbox folders, vinetto, pasco – to examine IE’s cache files.  Highly Recommended!


Helix v 1.8 was released in October 2006, and is based on customized distribution of the Knoppix Live CD.   It is likely the best data forensics Live CD distro out there to date.  It is more compatible with legacy hardware, using an XFCE window manager and runs nicely on only 128mb of ram (perhaps less?).    A excellent beginner’s guide in PDF is on the site, as well as user support forums.  Here’s a listing of the tools from the HELIX website:

sleuthkit : Brian Carrier’s replacement to TCT.
autopsy : Web front-end to sleuthkit.
mac-robber : TCT’s graverobber written in C.
fenris : debugging, tracing, decompiling.
wipe : Secure file deletion.
MAC_Grab : e-fense MAC time utility.
AIR : Steve Gibson Forensic Acquisition Utility.
foremost : Carve files based on header and footer.
fatback : Analyze and recover deleted FAT files.
md5deep : Recursive md5sum with db lookups.
sha15deep : Recursive sha1sum with db lookups.
dcfldd : dd replacement from the DCFL.
sdd : Specialized dd w/better preformance.
PyFLAG : Forensic and Log Analysis GUI.
Faust : Analyze elf binaries and bash scripts.
e2recover : Recover deleted files in ext2 file systems.
Pasco : Forensic tool for Internet Explorer Analysis.
Galleta : Cookie analyzer for Internet Explorer.
Rifiuti : “Recycle BIN” analyzer.
Bmap : Detect & Recover data in used slackspace.
Ftimes : A toolset for forensic data acquisition.
chkrootkit : Look for rootkits.
rkhunter : Rootkit hunter.
ChaosReader : Trace tcpdump files and extract data.
lshw : Hardware Lister.
logsh : Log your terminal session (Borrowed from FIRE).
ClamAV : ClamAV Anti Virus Scanner.
F-Prot : F-Prot Anti Virus Scanner.
2 Hash : MD5 & SHA1 parallel hashing.
glimpse : Indexing and query system.
Outguess : Stego detection suite.
Stegdetect : Stego detection suite.
Regviewer : Windows Registry viewer.
Chntpw : Change Windows passwords.
Grepmail : Grep through mailboxes.
logfinder : EFF logfinder utility.
linen : EnCase Image Acquisition Tool.
Retriever : Find pics/movies/docs/web-mail.
Scalpel : Carve files based on header and footer.

Powered by ScribeFire.

5 Comments leave one →
  1. May 31, 2007 9:24 am


    Now there is the new DEFT v2!

    Check 😉

  2. June 7, 2007 4:47 am

    Hai! Thanks for the review…

  3. July 3, 2009 12:28 am

    good info

  4. July 5, 2009 8:15 am

    That was a nice read.


  1. Audit and security resources « Spartakan

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: