Just received a notification about faust and it looks interesting. You can download it here.

faust stands for "File AUdit Security Toolkit". Its goal is not to make the analysis of files retrieved after an intrusion, but to extract the pieces of information that _you_ will use afterward in your analysis. Extracted information is stored in several files, and displayed in a html page.

faust is designed to be highly configurable: default settings can easily be changed and adapted to specific needs.

Elf analysis
* General information: MD5, type, stat, header, dynamic libraries.
* Elf sections: select the Elf sections you want to look in, and how you want to display them (asm code or strings for instance).
* Symbols: if the binary is not stripped, symbols are extracted and sorted by categories.
* strings: all strings you can extract using the string (take care that you get more strings by looking directly in some sections).
* live analysis (risky): select the mode you want (cmd or trace) to run the analyzed program and get the associated information.

Bash Scripts
* General information: MD5, type.
* Texts: comments in the script, and echoed messages.
* Commands: by default cp, mv, ftp, wget and mail are displayed.
* Directories: access to /etc, /dev and /home are reported.
* cross references: for each line matching one of the above categories, faust keeps track of where it belongs to.


This is an early but working version. Lots of things are still to be done in forensics, and specifically for analysis of honeypots :
network flow analysis, time base events correlation, identification of rootkits and other similar softwares ... and many more.
I've played with a few forensics tools but not in a great amount of depth. I've heard of TCT (The Coroner's Toolkit) and was curious as to how useful/successful/helpful these truly are at recovering whatever needs to be recovered.