Welcome to Live-Forensics
This site is dedicated to live forensics and incident response.
Gathering data from running systems and capturing volatile data is critical in any scenario where a system may be compromised.
I will be adding more content to the site in the near future, and will be uploading more tools that I use in my day-to-day job on the downloads page.
Please email me at admin@live-forensics.com with suggestions/comments.
Not dead…
Just finishing up my masters in computer forensics. I will be able to devote more time once this semester is over. Thanks for the emails.
Please use the link to sign up to dropbox! – http://db.tt/lEpvzh9
I would appreciate the help at getting some more space to store all the files and code for this site. Please sign up for dropbox through this link!
Uploaded a fixed version of DateDecoder
Thanks to SK for pointing out that DateDecoder did not print milliseconds. The information was correctly calculated, but was not output to the screen. In fact, a few of the other date/times only output to seconds. I will review them and update DateDecoder to reflect this fix. Again, thanks to SK.
You can download the updated version at:
Minor update to Unique.exe
I recently added a stdin feature. Apparently it was a bit buggy. I have removed it and uploaded the old version.
Just uploaded my hashing utility. Feel free to download it.
I just uploaded my own Hash utility. HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes. It has a feature where it will attempt to match the hash against the NIST/ISC MD5 hash databases. Please let me know if it works/helps.
Download it at http://www.live-forensics.com/dl/HashUtil.zip - HashUtil.zip
Please email with comments or questions.
Minor update to Dstrings.
Thanks for the tip. Dstrings.exe would hang on occasion. It was a minor bug. It should be fixed.
http://www.live-forensics.com/dl/DStrings.zip - Dstrings.zip
Software release – Unique.exe
I am releasing my Windows version of uniq. It allows for unique string counts, as well as various sorting options. It is usually used in conjunction with dstrings.exe to parse the output.
Download it at http://www.live-forensics.com/dl/Unique.zip - unique.zip
Please email with comments or questions.
Looping through browser history to see IP Addresses.
Using the recently released Dstrings, you can loop through a profile directory and search the history for IPs. This can be scripted with Dstrings and forfiles (on Windows boxes).
Using the following command:
forfiles /S /C "cmd /c c:\temp\dstrings.exe -f:@file -r:0"
[This will search the local directory and subdirectories for all files and replace the variable @file with the filename]
This will loop through every file, and dstrings will then search each file for IP address strings.
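The same sweep as an added Python example, for boxes where Dstrings is not at hand; it is not the Dstrings code and not from this site, and the names ips_in_bytes, scan_tree and SAMPLE are made up for the illustration. It goes one step past the command above by also matching UTF-16LE text and by counting hits per address, the job Unique.exe does on Dstrings output.

```python
import os
import re
import sys
from collections import Counter

# Dotted-quad IPv4 with every octet in 0-255, not embedded in a longer
# number or dotted version string (e.g. "1.2.3.4.5" is rejected).
_OCTET = rb"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rb"(?<![\d.])" + _OCTET + rb"(?:\." + _OCTET + rb"){3}(?!\.?\d)")
# Runs of digits/dots stored as UTF-16LE (each character followed by NUL),
# which is how many Windows artifacts store text.
WIDE_RUN_RE = re.compile(rb"(?:[\d.]\x00){7,}")

# Constructed sample bytes (not real history data): an ASCII URL, a version
# string that must not match, and a UTF-16LE URL.
SAMPLE = (b"\x00http://192.0.2.10/a\x00v1.2.3.4.5 "
          + "http://198.51.100.7/".encode("utf-16-le"))

def ips_in_bytes(data):
    """Return IPv4 strings found in raw bytes as ASCII or UTF-16LE text."""
    hits = [m.group().decode("ascii") for m in IPV4_RE.finditer(data)]
    for run in WIDE_RUN_RE.finditer(data):
        narrow = run.group().replace(b"\x00", b"")
        hits += [m.group().decode("ascii") for m in IPV4_RE.finditer(narrow)]
    return hits

def scan_tree(root):
    """Walk root and its subdirectories; return (hit counts, files per IP)."""
    counts, files_by_ip = Counter(), {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()  # whole file in memory; fine for history files
            except OSError:
                continue  # locked or unreadable, common on a running system
            for ip in ips_in_bytes(data):
                counts[ip] += 1
                files_by_ip.setdefault(ip, set()).add(path)
    return counts, files_by_ip

if __name__ == "__main__":
    counts, files_by_ip = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for ip, n in counts.most_common():
        print(f"{n:6d}  {ip}  ({len(files_by_ip[ip])} file(s))")
```

Run it with the profile directory as the only argument. Files the browser holds open are skipped rather than aborting the sweep, so work from a copy of the profile when completeness matters.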

