10 Best Kali linux Forensics tools

Top 10 Best Kali Forensics Tools

Kali Linux is a flexible and robust Operating System, it is used by security professionals to carry-out several exploits.

One of it main characteristics lies with it tools, which enable security professonals to perform certain robust task, one of the exploit that can be done is digital forensics.

Forensics is a process where security professonals perform in-depth investigation and analysis to get evidence on digital crime. 

One of the usefulness of Kali Linux is the tools it holds to perform forensics on digital crime.

This article is aimed at listing out the Top 10 best Kali Linux forensic tools used in Kali Linux during forensics.

Top 10 Best Forensic tools on Kali Linux.

1. Bulk Extractor

Bulk Extractor is a forensics tool used in Kali Linux to extract emails. Bulk Extractor is used by investigator to look or extract data from the available digital evidence files.

This tool works on disk images and directories, it also help carving out email addresses, payment card numbers, URL's.

One main function of this tool is its abiltiy to find broken files or corrupted files, and still find some useful forensic evidence in them.

The tool can also help cracking passwords and decrypting files during forensics.

2. Autopsy

Autopsy is one of the most popular forensic tool, it is used mostly by the US military and other entities, it functionality in investigation makes it to perform forensic task easily, the tool is well programmed and neatly arranged in one program.

Autopsy in Kali can be used to perform several forensics and get equipped evidence, it can be used to investigate disk images.

The application runs on a web server based UI, when you start the application it starts the service, and the service interphase can be accessed on localhost web server https://9999:Localhost/autopsy

Autopsy also provides its users the ability to create New case files; Case Name, Investigator Name, Host, Host Timezones , Description.

3. Binwalk 

Binwalk is a forensic tool that can be used to carry-out forensics on binary images.

The tool is made so flexible that it is able to find loopholes and vulnerabilities used in carrying out an exploit.

Binwalk also helps to show the signature behind an exploit, it combines the technique of comparing several similar signatures to detect the signature behind an exploit.

This Kali Linux forensic tool is written in python thereby, it supports libmagic library.

The tool is flexible and has robust features for those who knows how to use it.

4. Chkrootkit

Chkrootkit is a forensic tool that is used mostly for live boot setting. It comes with the ability to harden system endpoint, this make sure a hacker has not compromised a system. It also check host locally to detect any installed rootkits.

Chkrootkit also detects last log deletions, quick and dirty string replacement, system binaries for rootkits and temp deletions.

5. Galleta

Galleta is a kali Linux forensic which helps in trailing cookies, this forensic tool can parse cookies into format that can be easily exported into spreadsheet.

Cookies can be really be a tough nut to crack, this is often very hard when the cookies is embodied in a cyber-crime that was committed, this program helps minimize the stress of carrying in-depth analysis on cookies by investigators, this Kali Linux forensic tool lend and structure the form of cookies into a form that is understandable by a analysis software.

Subsequently, the data is usually accepted in a spreadsheet format by an analysis software, gallete helps in doing the conversation.

6. Foremost

Foremost is one the best data recovery softwares, it was written by US special agents. Foremost is a forensic tool that carve out items on a system during investigation.

One of the useful things done with formost is it ability to carve out files that were deleted from the system during the exploit, it runs a full scan to recover files, Although it might not get the filename but it has the capability of recovering the files it holds.

This forensic software is mostly used by forensics to recover files during digtal investigation. It's a reliable tool used to gather information.

7. Hashdeep

Hashdeep is a kali Linux forensic tool that is used for hashes, It defaults are focused on MD5 and SHA-256.

Hashdeep can help get exiting files, maybe moved in a set or new files placed on a set, it can also get missing files or matched files.

Hashdeep can be mainly used to perform recursive hash computation, one of its major features is performing audits .

8. Volafox

Volafox is a Kali Linux forensic tool that can be used for memory analysis. This tool is written in Python, it is focused towards memory forensics for MAC OS X. 

Volafox also helps to detect malwares or any malicious program installed to distort the computer, this tool can be used to find malware that reside in the system memory. It works on the Intel x86 and IA-32e

9. Volatility

Volatility is one of the best framework Kali Linux forensic tool that can be used to carry-out memory forensics. The forensic tool crrated with python, its main function allows investigators to easily extract digital data from a volatile memory (RAM). 

Volatility forensic tool is compatible with  majority of x64 and 32bits variant windows, it can also be used on Kali Linux distros including Android devices. It accepts memory dumps i.e crash dumps, hibernation files , Virtual Machine snapshots and raw format.

You should know decrypted files and passwords are stored in the RAM, if these files are available, getting evidence files from hardisk would be a lot easier and time taken for the investigation would be lessen.

10. theHarvester

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.

This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.

root@kali:~# theharvester

*******************************************************************
*                                                                 *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* TheHarvester Ver. 3.0.0                                         *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*******************************************************************


Usage: theharvester options 

       -d: Domain to search or company name
       -b: data source: baidu, bing, bingapi, dogpile, google, googleCSE,
                        googleplus, google-profiles, linkedin, pgp, twitter, vhost, 
                        virustotal, threatcrowd, crtsh, netcraft, yahoo, all

       -s: start in result number X (default: 0)
       -v: verify host name via dns resolution and search for virtual hosts
       -f: save the results into an HTML and XML file (both)
       -n: perform a DNS reverse query on all ranges discovered
       -c: perform a DNS brute force for the domain name
       -t: perform a DNS TLD expansion discovery
       -e: use this DNS server
       -p: port scan the detected hosts and check for Takeovers (80,443,22,21,8080)
       -l: limit the number of results to work with(bing goes from 50 to 50 results,
            google 100 to 100, and pgp doesn't use this option)
       -h: use SHODAN database to query discovered hosts

Examples:
        theharvester -d microsoft.com -l 500 -b google -h myresults.html
        theharvester -d microsoft.com -b pgp
        theharvester -d microsoft -l 200 -b linkedin
        theharvester -d apple.com -b googleCSE -l 500 -s 300

theharvester Usage Example

Search from email addresses from a domain (-d kali.org), limiting the results to 500 (-l 500), using Google (-b google):

root@kali:~# theharvester -d kali.org -l 500 -b google

*******************************************************************
*                                                                 *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* TheHarvester Ver. 3.0.0                                         *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*******************************************************************


[-] Starting harvesting process for domain: kali.org

[-] Searching in Google:
    Searching 0 results...
    Searching 100 results...
    Searching 200 results...
    Searching 300 results...
    Searching 400 results...
    Searching 500 results...

 Harvesting results