FIRE, the Forensic and Incident Response Environment (formerly known as Biatchux), is a portable, bootable CD-ROM-based distribution providing an immediate environment for performing forensic analysis, data recovery, virus scanning, and pen-testing. It also provides the necessary tools for live forensics, analysis, and incident response.
Vexira Antivirus is a virus defense system. It can identify which files may contain malicious code requiring further investigation, which greatly increases virus scanning speed. It features the ability to scan files automatically as they are accessed, configurable path protection, email notification, blocking of access to infected files, options to repair, rename, or delete infected files, automated Internet updating, virus scanning of archives (.zip, .rar, .gz, .tar, etc.), a command-line scanner, scalable concurrent scanning, heuristic detection of new macro viruses, and low system resource requirements.
ThePacketMaster Linux Security Server is a CD-based security auditing tool that boots and runs penetration testing and forensic analysis tools. It is handy for security auditors. Some tools included are nessus, ethereal, The Coroner's Toolkit, chntpw, and minicom. It includes modules for any Linux 2.4.20 SCSI driver.
SafeClean quickly removes Internet history files, caches, bookmarks, email, and conversation logs that can allow others to find out what you have been doing on the Internet, possibly revealing personal and potentially compromising information. It allows you to permanently destroy information about your Web browsing activities, private email messages, and even information on your use of Instant Messenger programs. It is easy to use, and provides a one-click method to protect your Internet privacy. For power users, SafeClean is completely configurable so that you can decide which types of information or which Internet applications you wish to clean for privacy purposes.
INSERT (the Inside Security Rescue Toolkit) aims to be a multi-functional, multi-purpose disaster recovery and network analysis system. It boots from a credit card-sized CD-ROM and is basically a stripped-down version of Knoppix. It features good hardware detection, fluxbox, emelfm, links-hacked, ssh, tcpdump, nmap, chntpwd, and much more. It provides full read-write support for NTFS partitions (using ntfs-3g), and the ClamAV virus scanner (including a fairly recent signature database and a GUI). It provides partition handling with gParted and also has a network boot facility.
Grml is a live system (live CD) based on Debian. It includes a collection of GNU/Linux software especially for system administrators and users of text tools. It provides automatic hardware detection, and its default shell is zsh. You can use it, e.g., as a rescue system, for analyzing systems/networks, or as a working environment. It is not necessary to install anything to a hard disk; you don't even need a hard disk to run it. Due to on-the-fly decompression, it includes more than 2 GB of software and documentation on the CD.
The RegLookup project is devoted to direct analysis of Windows NT-based registry files. RegLookup provides command line tools, a C API, and a Python module for accessing registry data structures. The project has a focus on providing tools for digital forensic examiners (though it is useful for many purposes), and includes algorithms for retrieving deleted data structures from registry hives.
GrokEVT is a collection of scripts built for reading Windows® NT/2K/XP/2K3 event log files. The scripts work together on one or more mounted Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.