Kali Linux - Investigation Tools
In this chapter, we will discover the investigation tools available in Kali Linux.
p0f is a tool that can identify the operating system of a target host simply by examining captured packets, even when the device in question is behind a packet firewall. p0f does not generate any additional network traffic, direct or indirect: no name lookups, no mysterious probes, no ARIN queries, nothing. In the hands of advanced users, p0f can detect the presence of a firewall, the use of NAT, and the existence of load balancers.
Type "p0f -h" into the terminal to see how to use it; you will get the following results.
It will even list the available interfaces.
Then type the following command: "p0f -i eth0 -p -o filename".
Here the "-i" parameter is the name of the interface as shown above, "-p" puts the interface into promiscuous mode, and "-o" means the output will be saved to a file.
Open a web page with the address 192.168.1.2.
From the results you can see that the web server is running Apache 2.x and the operating system is Debian.
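The log written by "p0f -o filename" is a line-per-observation text file that can be reviewed after the capture. The following added example (not part of the original chapter) parses such a log into a per-host inventory of OS guesses and application banners, and applies a simple heuristic for the NAT detection mentioned above: one address that fingerprints as several different operating systems. The sample log lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a p0f v3 log ("p0f -o filename"): one record per line,
# a bracketed timestamp followed by "|"-separated key=value fields. Made-up hosts.
SAMPLE_LOG = """\
[2024/01/10 12:00:01] mod=syn|cli=192.168.1.50/51234|srv=192.168.1.2/80|subj=cli|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
[2024/01/10 12:00:01] mod=syn+ack|cli=192.168.1.50/51234|srv=192.168.1.2/80|subj=srv|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df:0
[2024/01/10 12:00:02] mod=http response|cli=192.168.1.50/51234|srv=192.168.1.2/80|subj=srv|app=Apache 2.x|lang=none|params=none|raw_sig=constructed
[2024/01/10 12:00:05] mod=syn|cli=192.168.1.77/40001|srv=192.168.1.2/80|subj=cli|os=Windows 7 or 8|dist=0|params=none|raw_sig=constructed
[2024/01/10 12:00:09] mod=syn|cli=192.168.1.77/40002|srv=192.168.1.2/80|subj=cli|os=Linux 3.x|dist=1|params=none|raw_sig=constructed
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")


def parse_record(line):
    """Parse one p0f log line into a dict of fields; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for field in m.group("body").split("|"):
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    return rec


def subject_ip(rec):
    """The fingerprinted endpoint is the one named by 'subj' (cli or srv); drop the port."""
    return rec.get(rec.get("subj", "cli"), "").rsplit("/", 1)[0]


def build_inventory(log_text):
    """Collect the OS guesses and application banners seen for each host address."""
    inv = defaultdict(lambda: {"os": set(), "app": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not subject_ip(rec):
            continue
        ip = subject_ip(rec)
        if rec.get("os", "???") != "???":   # p0f prints ??? when it has no match
            inv[ip]["os"].add(rec["os"])
        if rec.get("app", "???") != "???":
            inv[ip]["app"].add(rec["app"])
    return dict(inv)


def possible_nat_hosts(inventory):
    """Heuristic: one address showing several distinct OS fingerprints likely hides several machines."""
    return sorted(ip for ip, d in inventory.items() if len(d["os"]) > 1)
```

Running `build_inventory(SAMPLE_LOG)` attributes "Apache 2.x" and "Linux 3.x" to 192.168.1.2 and flags 192.168.1.77 as a possible NAT gateway.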
pdf-parser is a tool that parses a PDF document to identify the fundamental elements used in the analyzed PDF file. It will not render a PDF document. It is not recommended for textbook cases for PDF parsers, but it gets the job done. Usually this is used for PDF files which you think contain a.
The command is:
pdf-parser -o 10 filepath
where "-o" selects the object number to inspect (here, object 10).
As you can see in the following screenshot, the PDF file opens a CMD command.
The Dumpzilla application is developed in Python 3.x and aims to extract all the forensically interesting information from Firefox, Iceweasel and SeaMonkey browsers for analysis.
ddrescue copies data from one file or block device (hard drive, CD-ROM, etc.) to another, trying to rescue the good parts first in case of read errors.
The basic operation of ddrescue is fully automatic; that is, you don't have to wait for an error, stop the program, restart it from a new position, and so on.
If you use the mapfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). In addition, you can interrupt the rescue at any time and resume it later at the same point. The mapfile is an essential part of ddrescue's efficiency. Use it unless you know what you are doing.
The command line is:
dd_rescue infilepath outfilepath
Parameter "-v" means verbose. "/dev/sdb" is the device to rescue from. The file is the recovered image.
DFF is another forensic tool used to recover files. It also has a GUI. To open it, type "dff-gui" in the terminal and the following web GUI will open.
Click File → "Open Evidence".
The following window will open. Check "Raw format" and click "+" to select the folder you want to recover.
Then you can browse the files in the left pane to see what has been recovered.