CyberGuerrilla 2018
Saturday,Nov 23,2019 
By r0gu3Sec | January 6, 2018 - 10:51 | Posted in CyberGuerrilla | Comments Off on Forensics Tools in Kali

Once again something I found useful for me and others comes from the site hackingarticles.in that on some sites are blocked from sharing.. So what do we do when we want freedom on the internet?

We do a workaround 😉

Author: Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher.

** Let`s begin 🙂

Kali linux is often thought of in many instances, it’s one of the most popular tools available to security professionals. It contains all the robust package of programs that can be used for conducting a host of security based operations. One of the many parts in its division of tools is the forensics tab, this tab holds a collection of tools that are made with the explicit purpose of performing digital forensics.

Forensics is becoming increasingly important in today’s digital age where many crimes are committed using digital technology, having an understanding of forensics can greatly increase the chance of making certain that criminals don’t get away with a crime.

This article is aimed at giving you an overview of the forensics capabilities possessed by Kali Linux.

So, let’s start with the programs as they appear in the forensics menu:


A tool used by the military, law enforcement and entities when it comes time to perform forensic operations. This package is probably one of the most robust ones available through open source, it combines the functionalities of many other smaller packages that are more focused in their approach in one neat application with a web browser based UI.

It is used to investigate disk images. When you click on Autopsy, it starts the service and its user interphase can be accessed on the web browser at https://9999:Localhost/autopsy It gives the user a full range of options required to create a new case file: Case Name, Description, Investigators Name, Host name, Host time zone, etc.

Its functionalities include – Timeline analysis, keyword search, web artifacts, hash filtering, data carving, multimedia and indicators of compromise. It accepts disk images in RAW or E01 formats and generates reports in HTML, XLS and body file depending on what is required for a particular case.

Its robustness is what makes it such a great tool, be it case management, analysis or reporting, this tool has you covered.


This tool is used while dealing with binary images, it has the capability of finding embedded file and executable code by exploring the image file. It is a very powerful tool for those who know what they are doing, if used right, it can be used to find sensitive information hidden in firmware images that can be used to uncover a hack or used to find a loophole to exploit.

This tool is written in python and uses the libmagic library, making it perfect for usage with magic signatures created for Unix file utility. To make things easier for investigators, it contains a magic signature file which holds the most commonly found signatures in firmware’s, making it easier to spot anomalies.

Bulk Extractor 

This is a very interesting tool, when an investigator is looking to extract certain kind of data from the digital evidence file, this tool can carve out email addresses, URL’s, payment card numbers, etc. This is tool works on directories, files and disk images. The data can be partially corrupted or it can be compressed, this tool will find its way into it.

The tool comes with features which help create a pattern in the data that is found repeatedly, such as URL’s, email ids and more and presents them in a histogram format. It has a feature by which it creates a word list from the data found, this can assist in cracking the passwords of encrypted files.


This program is mostly used in a live boot setting. It is used to locally check the host for any installed rootkits. It comes in handy trying to harden an endpoint or making sure that a hacker has not compromised a system.

It has the capability to detect system binaries for rootkit modification, lastlog deletions, quick and dirty string replacements and utemp deletions. This is just a taste of what it can do, the package seems simple at first glance but to a forensic investigator, its capabilities are invaluable.


Deleted files which might help solve a data incident? No problem, Foremost is an easy to use open source package that can carve data out of formatted disks. The filename itself might not be recovered but the data it holds can be carved out.

Foremost was written by US Air Force special agents. It can files by referencing a list of headers and footers even if the directory information is lost, this makes for fast and reliable recovery.


When following a trail of cookies, this tool will parse them into a format that can be exported into a spreadsheet program.

Understanding cookies can be a tough nut to crack, especially if the cookies might be evidence in a cybercrime that was committed, this program can lend a hand by giving the capability to structure the data in a better form and letting you run it through an analysis software, most of which usually require the data to be in some form of a spreadsheet.


This program is a must when dealing with hashes. Its defaults are focused on MD5 and SHA-256. It can be existing files that have moved in a set or new files placed in a set, missing files or matched files, Hashdeep can work with all these conditions and give reports that can be scrutinized, it is very helpful for performing audits.

One of its biggest strengths is performing recursive hash computations with multiple algorithms, which is integral when time is of the essence.


This is a memory analysis tool that has been written in Python, it is focused towards memory forensics for MAC OS X. It works on the Intel x86 and IA-32e framework. If you’re trying to find malware or any other malicious program that was or is residing on the system memory, this is the way to go.


Probably one of the most popular frameworks when it comes to memory forensics. This is a python based tool that lets investigators extract digital data from volatile memory (RAM) samples. It is compatible to be used with majority of the 64 and 32 bit variants of windows, selective flavors of Linux distros including android. It accepts memory dumps in various forms, be it raw format, crash dumps, hibernation files or VM snapshots, it can give a keen insight into the runtime state of the machine, this can be done independently of the hosts investigation.

Here’s something to consider, decrypted files and passwords are stored in the RAM, and if they are available, investigating files that might be encrypted in the hard disk can be a lot easier and the overall time of the investigation can be considerably reduced.

We will be following up this particular article with an in-depth review of the tools we have mentioned, with test cases.

Have fun and stay ethical.

Author: Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher.



Off topic… Kinda..

This section contains some useful info aimed to build up some basic in a non parrot or kali distro..

And yes there might be typos and stuff… Take it or leave it or complain in the comment field 😉


Metasploit is the world’s most used penetration testing software. Uncover weaknesses in your defenses, focus on the right risks, and improve security.

The Rapid7 Exploit Database is an archive of Metasploit modules for publicly known exploits0days, remote exploits, shellcode, and more for researches and penetration testers to review. 3,000 plus modules are all available.

Rapid7 now provide a Metasploit Penetration Testing Framework installer script that makes this process much easier than before when a manual install was necessary.

To install MSF simply run the following as root in terminal:

curl https://raw.githubusercontent.com/…/metasploi…/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \

The above will add the Rapid7 APT repostitory and install the package metasploit-framework.
After installation drop root permissions by typing exit at the prompt.
Run metasploit-framework: msfconsole
Verify the database is connected using: msfdb status

Disable firewall – ufw disable
msfconsole – msfdb status – msfupdate – search smb

use gather/search_email_collector
show options
set DOMAIN gmail.com

— Oh you want more?

7,000 Dorks for hacking into various sites

Latest Google Dorks Or SQL Dorks List Uploaded: 2017-10-28

apt-get install python
aptitude install python
apt install python-pip
apt install python3-pip
pip install –upgrade pip
pip install requests
sudo add-apt-repository ppa:pi-rho/security
apt-get install hydra

sudo apt-get install crunch

— Install mdk3

git clone https://github.com/charlesxsh/mdk3-master.git
cd mdk3-master
sudo make install
cd ..

— Install PixieWPS dependencies, download PixieWPS source, compile and install PixieWPS

sudo apt-get install libssl-dev
git clone https://github.com/wiire/pixiewps.git
cd pixiewps
sudo make install
cd ../..

— Install bully dependencies, download bully source, compile and install bully

sudo apt-get -y install build-essential libpcap-dev libssl-dev
git clone https://github.com/aanarchyy/bully.git
cd bully*/
sudo make install
cd ../..

— Installation hashcat 64-bit

sudo apt-get -y install p7zip-full
cd /tmp/ && wget http://hashcat.net/`curl -s https://hashcat.net/hashcat/ | grep -E -o ‘/files/hashcat-[0-9]{1,2}[.][0-9]{1,2}[.][0-9]{1,2}[.]7z’ | head -n 1` && 7z x hashcat-*7z && sudo mkdir /opt/hashcat && sudo mv hashcat-*/* /opt/hashcat && sudo touch /bin/hashcat && echo -e ‘#!/bin/bash\n/opt/hashcat/hashcat64.bin “$@”‘ > ./hashcat && sudo mv ./hashcat /bin/hashcat && sudo chmod +x /bin/hashcat && cd ~/bin

— Installing Bettercap

sudo apt-get install build-essential ruby-dev libpcap-dev net-tools
sudo apt-get install ruby
sudo gem install bettercap

— Installing BeEF

sudo apt-get install ruby sqlite
sudo gem update –system
sudo gem install bundler rake rubocop
git clone git://github.com/beefproject/beef.git
cd beef
sudo bundle install
cd ..
sudo mv beef/ /opt/
echo -e ‘#!/bin/bash\ncd /opt/beef/\n/opt/beef/beef “$@”‘ > ./beef && sudo mv ./beef /bin/beef && sudo chmod +x /bin/beef

— Install setoolkit in ubuntu linux and clone any website

sudo -sH
cd /opt
git clone https://github.com/trustedsec/social-engineer-toolkit/ set/
cd /opt/set
python setup.py install

— Install TheHarvester in ubuntu linux and get gmail id list

cd /opt
svn checkout https://github.com/laramies/theHarvester
cd theHarvester/trunk
Now let’s generate the gmail list
Python theHarvester.py -d gmail.com -l 500 -b google

— Install airgeddon

git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
cd airgeddon/

It is recommended to run the following commands:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
They will close the applications (including the Network Manager) that might interfere.

Launching airgeddon:
sudo bash airgeddon.sh

After you are sure everything is ok, you can clean OS from unnecessary any more files.
cd ~/bin/
sudo rm -rf aircrack-ng/ bully/ mdk3-master/ pixiewps/ crunch*

— Dictionary for airgeddon 

While cracking passwords by bruteforce you can use mask attack or dictionary attack. The last one requires a wordlist. Rockyou is powerful dictionary and it will come in handy. The next commands will download rockyou and clean it from inappropriate password candidates.

sudo apt-get install hydra
cd ~/bin/
git clone git://git.kali.org/packages/wordlists.git
gunzip wordlists/rockyou.txt.gz
cat wordlists/rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > ~/bin/newrockyou.txt
rm -rf wordlists/

Now your ready to use wordlist is placed in the directory ~/bin/newrockyou.txt
To get the absolute path issue the command

ls ~/bin/newrockyou.txt

The end for now.. Need coffee..

Hail our Supreme, Glorius Leader Chairman Meow he was right as always! ..::: (All standup & applause …) :::..

(Visited 768 times, 1 visits today)

  • You can follow any responses to this entry through the RSS 2.0 feed.
  • Both comments and pings are currently closed.

This Post is Tagged with:
Whoever you are, we are ungovernable! Whoever lays his hand on us to govern us, is a usurper and tyrant, and we declare you our enemy.