Lynis is an auditing and hardening tool for Unix derivatives like Linux/BSD/Solaris. It scans systems to detect software and security issues. Besides security-related information, it will also scan for general system information, installed packages, and possible configuration mistakes. The software is aimed at assisting automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems.
PTK is an alternative advanced interface for the TSK (The Sleuth Kit) suite. It was developed from scratch. Besides providing the functions already present in Autopsy, it implements numerous new features essential during forensic activity. PTK provides a graphical and highly professional interface based on AJAX technology. It also offers a great deal of features like analysis, search, and management of complex cases of digital investigation.
Xtract attempts to demonstrate how Wireshark's powerful network traffic analysis capabilities can be combined with the file carving capabilities of programs such as Foremost and NetworkMiner in a manner that is portable and extensible (hence the choice of Perl). Specifically, it offers: automated extraction of network stream sessions; visualization of networks via GraphViz; and integration of file carving capability. The scripts are intended as a proof-of-concept for how tedious tasks of reassembling TCP/UDP streams from network capture files and file carving based on these streams can be automated.
WTMParse is a script originally intended for use in forensic examinations which parses WTMP files from Unix-like operating systems and generates a CSS-styled HTML report containing the login terminal, username, log start date, and login time/date in a table. It's good for postmortem forensic examinations or as a way of getting "last"-like information when you don't have the ability to boot the machine in question but can grab the wtmp.
Xplico is an IP traffic decoder that extracts data from an Internet traffic capture. From a pcap file, it can extracts each email (POP, IMAP, and SMTP protocols), all HTTP content, VoIP calls (SIP, RTP, H323, MEGACO, MGCP), IRC, MSN, and so on. It isn't a packet sniffer or a network protocol analyzer, but rather an IP/Internet traffic decoder or network forensic analysis tool (NFAT).
The RegLookup project is devoted to direct analysis of Windows NT-based registry files. RegLookup provides command line tools, a C API, and a Python module for accessing registry data structures. The project has a focus on providing tools for digital forensic examiners (though it is useful for many purposes), and includes algorithms for retrieving deleted data structures from registry hives.
GrokEVT is a collection of scripts built for reading Windows® NT/2K/XP/2K3 event log files. The scripts work together on one or more mounted Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.