August 10, 2017

All of the following resources are available free of charge to the general public unless noted otherwise.

Tools - Forensics & Analysis

The Sleuth Kit: One of the better-known open source forensics tools, The Sleuth Kit is a collection of UNIX-based command line file and volume system forensic analysis tools. You may want to use it with Autopsy which is the GUI front-end. Those interested in these products should consult the The Sleuth Kit Informer newsletter. We discuss Sleuth Kit commands for computer forensics here.

Foremost: A Linux data-carving tool used in computer forensics. We provide some basic data carving instructions within our paper "Examination of overwritten files with The Sleuth Kit" here.

dcfldd: A computer forensics oriented version of dd developed by the U.S. Department of Defense Computer Forensics Lab. Enhancements over regular dd include progress output, built-in hashing of transmitted data, and simultaneous output to multiple files or disks. For those curious we show how you can use dd as a hex editor here.

SystemRescueCd: Linux-based bootable CD image for mounting and recovering data from a disk, including support for ext2/ext3/ext4, reiserfs, reiser4, btrfs, xfs, jfs, vfat, ntfs, iso9660 filesystems, and Windows registry editing.

The Volatility Framework: An open collection of tools for the extraction of digital artifacts from RAM.

Memoryze: Memory forensic software for Windows that can be used on live system memory or memory image files. Memory DD is another Windows tool for capturing memory images.

md5deep: A collection of programs used to compute MD5, SHA-1, SHA-256, Tiger, and Whirlpool message digests, with the ability to work recursively into directories and compare the results to a list of known hashes. Useful for computer forensics.

ssdeep: A program to compute Context Triggered Piecewise Hashes that can be used to identify files that are almost identical to one another.

National Software Reference Library Reference Data Set: Used alongside forensic tools, this is a collection of hashed signatures of known software applications. This is used to filter out "known" files (such as all the standard files that are part of MS Windows or Microsoft Office) when conducting an investigation, so that you can concentrate on what is hopefully the "user-made" content.

Microsoft Attack Surface Analyzer: Catalogues the changes made to the operating system attack surface by the installation of new software. Helps evaluate the risk/impact of installing a particular piece of software. Supports Windows Vista, 2008, and 7 only.

Regshot: Utility used to take snapshots and compare changes made to a Windows registry.

PeStudio: Tool that performs static investigations of executables.

Wireshark: Arguably the best network protocol analyzer. Formally known as Ethereal.

NetworkMiner: Network forensics analysis tool that can also re-assemble files by sniffing packets or reading pcap files.

Tools - Malware & Detection of Malicious Activity

Rootkit Hunter: A rootkit detector for most Linux and BSD-based systems.

Redline: Used when antivirus protection has failed, this tool inspect Windows hosts for signs of malicious activity through memory and file analysis.

McAfee FileInsight: Tool to analyze web sites and files for malicious code. Windows only.

Kaspersky Free: One of the better no-cost antivirus suites. Another one to consider is Avira.

Microsoft Safety Scanner: Free on-demand scanner from Microsoft to help find and remove malware on an infected Windows computer. It expires 10 days after being downloaded, at which point you'll need to download again the latest version.

BotHunter: A network traffic monitoring system that can locate bot (botnet) activity. More suitable for corporate settings than personal home use.

Honeyd: Open source honeypot that can simulate multiple virtual hosts on a single computer with the goal of fooling attackers into attempting to compromise the virtual machines, either for research or defensive purposes.

Dionaea: A "low interaction honeypot" that is used for collecting malware.

Beeswarm: An active honeypot/IDS where drone systems communicate with a honeypot in order to simulate a more realistic environment. We discuss how to install beeswarm on Ubuntu linux here.

psad: A collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect probes for various backdoor programs, DDoS tools, and advanced port scans.

EtherApe: A network monitoring program in a graphical interface. Simply letting it run in the background may reveal network activity originating from your computer that you were unaware of. Currently available for Linux only.

AIDE: An intrusion detection system meant to replace Tripwire. It can store various file attributes including: permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name, and also creates a cryptographic checksum or hash of each file using one or a combination of its many supported message digest algorithms. Also be sure to check out OSSEC (Open Source Host-based Intrusion Detection System) as well.

Tools - System Hardening

Microsoft Enhanced Mitigation Experience Toolkit: EMET is a free toolkit by Microsoft designed to make your Windows systems more resilient to exploits. It allows for enabling security measures such as Data Execution Prevention (DEP), Structure Exception Handler Overwrite Protection (SEHOP), Heap Spray & Null Page Allocation, Export Address Table Access Filtering, Address Space Layout Randomization (ASLR), and Bottom-up Randomization. We provide instructions for protecting your Windows PC through Microsoft EMET here.

Microsoft Office File Validation: Already built-into MS Office 2010, you can download this add-on for Office 2003 and 2007 to help detect exploits that are delivered through maliciously crafted MS Office files.

RHEL6 Security-Enhanced Linux: Rather than provide a link to a new tool, this is a link to a user guide for properly managing SELinux which comes bundled with various Linux distributions including Red Hat.

Tools - Vulnerability Assessment & Penetration Testing

Kali Linux: The successor to BackTrack, a Debian-based Linux distribution meant for penetration testing.

Nessus: Excellent, comprehensive vulnerability scanner. There is a free version for home use only. OpenVAS is the open source free counterpart.

Microsoft Web Application Configuration Analyzer: This tool which was updated in May 2011 is used to analyze Microsoft server configurations and compare them to security best practices for Windows, IIS , ASP.NET and SQL Server.

w3af: Web Application Attack and Audit Framework (w3af). A web application scanner that can discover and exploit web application vulnerabilities.

Burp Proxy: An intercepting proxy used for testing web application vulnerabilities by manipulating transmitted parameters.

Nmap: Network security scanner that provides network exploration and security auditing.

Hping: Often considered a complementary tool to Nmap, hping is used for network scanning, as well as crafting TCP/IP packets. We provide some hping usage examples here.

cURL: A command-line scriptable web browser, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. Also provides upload capabilities (HTTP PUT, POST), authentication, and cookie handling. Click here to see the differences between cURL and Wget (also an excellent tool). We discuss how cURL helps overcome certain limitations of spoofing user-agent strings to download malware here, and provide Wget usage examples here.

Firefox Plugin Check: A quick way to verify whether your Firefox web browser has any vulnerable versions of plugins enabled.

Microsoft Threat Analysis & Modeling Tool: Modeling tool used in application development to assess possible vulnerable points within your application and the appropriate controls to mitigate the risk.

Tools - Encryption & Confidentiality / Privacy

VeraCrypt: A fork of the discontinued TrueCrypt project, VeraCrypt is used to create virtual encrypted disks or partitions. It has been audited.

KeePass Password Safe: An open-source AES encrypted password manager for storing passwords.

CryptCat: A Twofish encryption enabled version of Netcat, also known as the "Swiss army knife" for network administrators. CryptCat uses all of the same command-line switches as Netcat. Can be used as a "Poor man's FTP". Also examine Socat for another netcat implementation that supports various other data channels. Netcat usage examples are shown here.

Stunnel: Creates a SSL tunnel to secure non-encrypted TCP protocols and applications.

Off-the-Record Messaging: Provides encryption for instant messaging.

Passware Kit Enterprise: This is actually a non-free commercial product but is included here as the password recovery page serves as a quick acid test for gauging the strength of password protection and encryption schemes for various file types. The words "Brute-force Recovery - Slow" within the recovery option column implies strong encryption for that file type.

Tor: Tor provides anonymous Internet usage. Note however that like for any web anonymizer service, people using it from a workplace environment should ask their organizations what is their usage policy towards this type of tool. Furthermore, Tor exit nodes can eavesdrop on the communications given that the last node through which traffic passes in the network has to decrypt the communication before delivering it to its final destination, so it should NOT be used for transferring any confidential information unless you use end-to-end encryption such as SSL.

Tails: A live USB or DVD bootable OS designed with privacy in mind.

ProtonVPN: Secure VPN services for various platforms from the team behind ProtonMail. They offer both free and at-cost services.

DBAN: Darik's Boot And Nuke CD. A live CD for wiping data on hard drives.

BleachBit: Frees up disk space and more importantly, deletes various data artefacts. Supports both Linux and Windows.

Tools - Browser Plugins

Adblock Plus: Block web advertisements including the phenomenon known as "malvertising." After installation make sure to access the Adblock preferences and confirm whether or not you wish to allow non-intrusive advertising.

Ghostery: Detect and disable third party web bugs and trackers that are used to track you online. uBlock Origin is a similar alternative which also includes ad-blocking capabilities. You can also consider EFF's Privacy Badger.

HTTPS-Everywhere: Force web sites that support HTTPS to not revert back to HTTP.

Refcontrol: Control what gets sent as the HTTP referer when you click on a link.

Tools - Educational

40+ Intentionally Vulnerable Websites To (Legally) Practice Your Hacking Skills: The title explains it all.

Metasploitable: An intentionally vulnerable Ubuntu Linux virtual machine designed for testing security tools and training.

Exploit Exercises: Provides a series of virtual machines, documentation and challenges that can be used to learn about computer security issues.

Tools - Other

SmoothWall Express: An easy to use Linux-based open source network firewall that also includes a web proxy, intrusion detection system, e-mail antivirus, and bandwidth management. If looking for a Linux-based firewall, you may also wish to examine IPCop which was a code fork of SmoothWall.

Sophos UTM Home Edition: The free for home use version of Sophos Unified Threat Management. Very feature rich, you will likely wish to review our article on setting up Sophos UTM, or their documentation.

PacketFence: An open source Network Access Control (NAC) solution for enterprise and academic environments. Commercial support is also available.

Maltego: A data mining tool that helps identify relationships between different objects within a very easy-to-use GUI. The Community Edition is free although it has limitations imposed.

OSSIM: Open Source Security Information Management - a security information and event management system used to provide a security overview of a system environment.

OpenSOC: Meant for enterprise use, allows for large scale collection of data for security analysis and incident response.

VirtualBox: A GNU licensed virtualization system that is currently developed by Oracle and is comparable to products by VMware. Supports Windows, Linux, Macintosh, and Solaris hosts. Excellent for security research purposes.

iodine: Used to tunnel IPv4 data through a DNS server.

iOS apps

ProtonMail: Good app for using one of the better more popular free encrypted email services.

Firefox Focus: Built to automatically block various online trackers, plus easily delete your cookies after every use.

Signal: End-to-end encryption for phone calls and messaging.

Courses & Training

Cybrary: A free online training environment. Includes training for certifications such as CISSP, CISA, and CCNA.

Ethical Hacking and Network Defense (CNIT 123): This course is lectured at the City College of San Francisco by Sam Bowne. He has also put the course online for anybody to download. An excellent introduction to the basics of ethical hacking, network, and computer security.

Advanced Ethical Hacking (CNIT 124): Same as above but this is the advanced class (CNIT 123 is the prerequisite).

Metasploit Unleashed - Mastering the Framework: Offense Security's online course for using the Metasploit Framework.

Cryptography: Course on cryptography taught by Dan Boneh of the applied cryptography group at the Computer Science department at Stanford University.

Crypto 101: Introductory course on cryptography for programmers of all ages and skill levels.

IS-100.B: Introduction to Incident Command System, ICS-100: Geared for the Business Continuity Planning and Disaster Recovery people, this course by FEMA is designed to provide incident management skills. Describes the history, features and principles, and organizational structure of the Incident Command System.

The Official Cyber Security Conference List for 2017: Extensive list of cyber security conferences for 2017.


2011 CWE/SANS Top 25 Most Dangerous Programming Errors: CWE/SANS. The top 25 most common errors made by programmers and developers that have security implications. Includes prevention and mitigation strategies.

List of TCP and UDP port numbers: Comprehensive list provided by the Internet Assigned Numbers Authority. Useful to reference when detecting unexpected network activity. Updated frequently.

Protocol Numbers: List of protocol numbers.

TCP/IP and tcpdump Pocket Reference Guide: SANS Institute. Great reference guide for TCP / UDP / ICMP headers, as well as tcpdump switches. There is also a IPv6 TCP/IP and tcpdump pocket reference guide. We provide further examples for using tcpdump here.

List of USB IDs: List of USB IDs by vendor and product.


TCP/IP Tutorial and Technical Overview: IBM. Extensive, up-to-date guide and reference book on the TCP/IP protocol. IBM also offers a hardcopy version of the book for about $100 (USD), so it is good bargain to be able to get the PDF version for free. 1004 pages.

Cisco SAFE Reference Guide: Cisco Systems. Design and implementation guidelines for building secure and reliable networks. 342 pages.

The Second Internet: InfoWeapons. A book about IPv6. 314 pages.

Handbook of Applied Cryptography: CRC Press. Intended as a reference for novice and professional cryptographers. 816 pages.

A Graduate Course in Applied Cryptography: Dan Boneh and Victor Shoup. A book for constructing practical cryptosystems. 580 pages.

OpenSSL Cookbook: Feisty Duck. A tutorial on OpenSSL with tips and instructions that can be applied to most enterprises. However you need to provide your email address to download. 60 pages.

OSSEC How-To - The Quick and Dirty Way: Savoir-faire Linux. An ebook on how to use OSSEC. 65 pages.

Alternative DNS Servers: UIT Cambridge. Although this book's topic is about DNS and not security, we include it here since having a understanding of DNS is important in security. 696 pages.


Investigations Involving the Internet and Computer Network: US Department of Justice. Guide which discusses the investigative process for Internet related crimes, starting from the first responder, to the laboratory, to the courtroom. 137 pages.

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants: Jason Franklin, Carnegie Mellon University. Paper which studies the underground economy that specializes in the commoditization of activities such as credit card fraud, identity theft, etc. Provides insight into how these transactions take place, and proposes a method of offensive attacks on the reputation of buyers and sellers in order to disrupt these underground activities. 14 pages.

Studying Malicious Websites and the Underground Economy on the Chinese Web: Peking University & University of Mannheim. A detailed overview of the underground black market in China as well as the interaction between the different actors within this underground economy. 18 pages.

Characterizing the IRC-based Botnet Phenomenon: Peking University & University of Mannheim. A 12 month study of 3,290 unique IRC-based botnets (with uniqueness defined as a unique combination of DNS name, port number and channel name.) The paper examines botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size, commands issued by bot herders, and location of victims. 16 pages.

An Analysis of Conficker C: SRI International. Excellent analysis of the behavior and mechanisms of the Conficker C malware. 17 pages.

W32.Stuxnet Dossier: Symantec. Symantec's lengthy analysis on the Stuxnet threat, which at the time of its discovery was largely toted as the most sophisticated malware to date. 69 pages.

Tracking GhostNet: Information Warfare Monitor. A paper that hints at the possibility of Chinese government involvement in a botnet used for cyber espionage. 53 pages.

Shadows in the Cloud: Information Warfare Monitor & Shadowserver Foundation. A continuation of Tracking GhostNet, this report uncovers a system of espionage that compromised and exfiltrated sensitive data from government, business, and academic targets, often by using free online services such as Yahoo Mail, Twitter, Google Groups, Blogspot, etc. as command and control channels. 58 pages.

The Command Structure of the Aurora Botnet: Damballa. Analysis of the Aurora botnet operators behind the high-profile attack against Google in 2009. 31 pages.

An Analysis of the iKee.B (Duh) iphone Botnet: SRI International. Analysis of the iKee.B botnet which targeted jailbroken iPhones. iKee.B was based on the nearly identical iKee.A worm, but included command and control logic to render infected iPhones under control of a bot master. 9 pages.

Analyzing the SS8 Interceptor Application for the BlackBerry Handheld: Chirashi Security. An analysis of the spyware software that was rolled out as an update to Blackberry subscribers of the UAE Telecommunications operator, Etisalat. 4 pages.

The Anatomy of Clickbot.A: Google. Analyzes the anatomy and architecture of the "Clickbot.A" botnet that was used to perform click fraud. 11 pages.

A Picture's Worth - Digital Image Analysis and Forensics: Dr. Neal Krawetz. Describes common and uncommon forensic methods used to distinguish real images from computer generated ones, and to identify pictures that have been digitally manipulated. 31 pages.

Thwarting Virtual Machine Detection: Tom Liston, Ed Skoudis. Discusses methods used by malware to detect whether they are running inside a virtual machine, and how to make this detection more difficult. 27 pages.

The TCP Split Handshake: Practical Effects on Modern Network Equipment: Macrothink Institute. An examination on the behaviour of systems in which a TCP connection is established via a method that blends the "traditional" three-way handshake and simultaneous-open methods. 21 pages.

Side-Channel Leaks in Web Applications: Indiana University. Researchers reveal how an attacker can determine the input/output being submitted/retrieved through an encrypted web application simply by examining the packet sizes and flow. 16 pages.

Peter Gutmann's Godzilla Crypto Tutorial: University of Auckland. Covers a large list of subjects related to encryption. 900+ slides saved in PDF format.

Harmonized TRA: Communications Security Establishment Canada & Royal Canadian Mounted Police. The Harmonized Threat and Risk Assessment Methodology is a set of instructions for conducting security assessments. 290 pages.

Radio Spectrum Allocations: Industry Canada. Excellent chart showing radio frequency allocations between 9 Hz and 275 GHz.