FCCU GNU/Linux Forensic Bootable CD

FCCU GNU/Linux Forensic Bootable CD is a bootable CD based on Debian-live that contains a lot of tools suitable for computer forensic investigations, including bash scripts. Its main purpose is to create images of devices prior to analysis, and it is used by the Belgian Federal Computer Crime Unit.

Tags: Security, Forensics


Recent releases

  •  07 Oct 2008 17:52

    Changes: The ability to start in non-graphical mode by passing "live 3" as a boot parameter. An updated version of Guymager (0.3.1). Two Windows tools to copy Win32 memory (including Vista): win32dd and mantech mdd. The memory analysis tool Volatility was added. The registry analysis tool regripper was added. aeskeyfinder and rsakeyfinder were added. A better starting Web page and a better description of the tools on the CD. An updated version (0.40) of the Perl library Parse-win32Registry. Version 3.3.4 of afflib. Many other updates.

    •  06 Jan 2008 06:56

    Changes: The CD is now based on the Debian Live Project. There is a graphical user interface by default (xfce4). A new graphical tool, GuyMager, is used for forensic copy. GuyMager supports Encase ewf images (through libewf), and it makes intelligent use of multi-core CPUs, so that compressed copies are made faster than uncompressed ones. A new low-interaction honeypot, Amun, was added.

    •  18 Oct 2006 22:45

    Changes: This release adds a new set of tools that allow an investigator to capture the memory from another host through the Firewire bus, even if the target host is an MS Windows box. A new tool to retrieve images from Thumbs.db (MS Windows thumbnail cache) was added. Rdd, a new forensic image acquisition tool, was added. A lot of other tools were added and upgraded.

    •  30 Jan 2006 04:23

    Changes: A PXE boot feature was added to search keywords in large scale networks. An MS eventlog viewer and a registry viewer were added. mwcollect and nepenthes were added to ease malware hunting. Lots of packages were added.

    •  09 Sep 2005 02:29

    Changes: This release is based on Knoppix 3.9 with the slow USB (UB) driver removed. A lot of new packages were added, including mork.pl, a tool to read Firefox history, fccu-docprop to read MS OLE doc properties, and dd_rhelp to ease the use of dd_rescue. Most of the packages were upgraded to the latest versions, including The Sleuth Kit.
