
Thread: faust (File AUdit Security Toolkit)

  1. #1
    MrLinus (Just a Virtualized Geek)
    Join Date: Sep 2001
    Location: Redondo Beach, CA
    Posts: 7,323

    faust (File AUdit Security Toolkit)

    Just received a notification about faust and it looks interesting. You can download it here.

    faust stands for "File AUdit Security Toolkit". Its goal is not to perform the analysis of files retrieved after an intrusion, but to extract the pieces of information that _you_ will use afterward in your analysis. Extracted information is stored in several files and displayed in an HTML page.

    faust is designed to be highly configurable: default settings can easily be changed and adapted to specific needs.

    ELF analysis
    * General information: MD5, type, stat, header, dynamic libraries.
    * ELF sections: select the ELF sections you want to look in, and how you want to display them (asm code or strings, for instance).
    * Symbols: if the binary is not stripped, symbols are extracted and sorted by category.
    * Strings: all strings you can extract using strings (be aware that you get more strings by looking directly in some sections).
    * Live analysis (risky): select the mode you want (cmd or trace) to run the analyzed program and get the associated information.

    Bash Scripts
    * General information: MD5, type.
    * Texts: comments in the script, and echoed messages.
    * Commands: by default cp, mv, ftp, wget and mail are displayed.
    * Directories: accesses to /etc, /dev and /home are reported.
    * Cross references: for each line matching one of the above categories, faust keeps track of where it belongs.

    This is an early but working version. Lots of things are still to be done in forensics, and specifically for analysis of honeypots:
    network flow analysis, time-based event correlation, identification of rootkits and other similar software ... and many more.

    I've played with a few forensics tools but not in a great amount of depth. I've heard of TCT (The Coroner's Toolkit) and was curious as to how useful/successful/helpful these truly are at recovering whatever needs to be recovered.
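As an added illustration of what the "General information" and "Bash Scripts" categories in the faust description above amount to in code (this is a constructed example written for this thread, not faust's own code; the watched command and directory lists are the defaults quoted above, while the sample script, the ELF header bytes and every function name are my own assumptions):

```python
"""Constructed example (not faust's own code): a minimal file audit that
mirrors the categories in the faust description - general information
(MD5, type) and the Bash-script categories (comments, echoed texts, watched
commands, directory accesses, cross references)."""
import hashlib
import re
import struct

# Defaults taken from the faust description; everything else is an assumption.
WATCHED_COMMANDS = ("cp", "mv", "ftp", "wget", "mail")
WATCHED_DIRS = ("/etc", "/dev", "/home")

ELF_MAGIC = b"\x7fELF"
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def general_info(data: bytes) -> dict:
    """MD5 plus a coarse type decided from the leading bytes of the file."""
    info = {"md5": hashlib.md5(data).hexdigest()}
    if data.startswith(ELF_MAGIC) and len(data) >= 20:
        info["type"] = "elf"
        # e_ident[EI_CLASS] is byte 4 (1 = 32-bit, 2 = 64-bit), EI_DATA is
        # byte 5 (1 = little endian); e_type and e_machine start at offset 16.
        info["class"] = {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown")
        endian = "<" if data[5] == 1 else ">"
        e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
        info["elf_type"] = ELF_TYPES.get(e_type, str(e_type))
        info["machine"] = e_machine
    elif data.startswith(b"#!"):
        info["type"] = "script"
        first = data.split(b"\n", 1)[0]
        info["interpreter"] = first[2:].decode(errors="replace").strip()
    else:
        info["type"] = "unknown"
    return info


def audit_script(text: str) -> dict:
    """Extract the faust 'Bash Scripts' categories from a shell script.
    Every hit is recorded as (line number, matched text)."""
    findings = {"comments": [], "texts": [], "commands": [], "directories": []}
    # A watched command counts only in command position: start of line, or
    # after ; & | ( or $( . Crude: 'sudo cp' or an alias is missed.
    cmd_re = re.compile(r"(?:^|[;&|(]|\$\()\s*(%s)\b" % "|".join(WATCHED_COMMANDS))
    # A watched directory must start a path: /usr/local/etc is not /etc,
    # and /etcetera is not /etc either.
    dir_re = re.compile(r"(?<![\w/])(%s)(?=/|\b)"
                        % "|".join(re.escape(d) for d in WATCHED_DIRS))
    echo_re = re.compile(r"\becho\b\s+(.*)")

    for lineno, line in enumerate(text.splitlines(), start=1):
        if lineno == 1 and line.startswith("#!"):
            continue  # the shebang is reported by general_info, not as a comment
        stripped = line.strip()
        if stripped.startswith("#"):
            findings["comments"].append((lineno, stripped.lstrip("# ")))
            continue
        # Crude split on '#': a '#' inside a quoted string is misread as a comment.
        code, _, trailing = line.partition("#")
        if trailing.strip():
            findings["comments"].append((lineno, trailing.strip()))
        m = echo_re.search(code)
        if m:
            findings["texts"].append((lineno, m.group(1).strip().strip("\"'")))
        for m in cmd_re.finditer(code):
            findings["commands"].append((lineno, m.group(1)))
        for m in dir_re.finditer(code):
            findings["directories"].append((lineno, m.group(1)))
    return findings


def cross_references(findings: dict) -> dict:
    """Map each line number to the categories it matched, so a hit can be
    followed back to its place in the script (faust's cross references)."""
    refs = {}
    for category, hits in findings.items():
        for lineno, _ in hits:
            cats = refs.setdefault(lineno, [])
            if category not in cats:
                cats.append(category)
    return dict(sorted(refs.items()))


# Constructed sample input for the example: a harmless maintenance script.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample script for the audit example
echo "starting backup"
cp /etc/passwd /home/backup/passwd.bak
wget -q http://example.invalid/update.tar.gz -O /tmp/update.tar.gz  # fetch update
tar xzf /tmp/update.tar.gz -C /dev/shm
cat /home/backup/report.txt | mail -s report admin@example.invalid
echo done
"""

# Constructed: only the first 20 bytes of an ELF64 little-endian executable
# header (enough for general_info), not a real binary.
SAMPLE_ELF_HEADER = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 2, 62)


def report(data: bytes) -> dict:
    """Run the audit on raw file bytes and return everything in one dict."""
    out = {"general": general_info(data)}
    if out["general"]["type"] == "script":
        findings = audit_script(data.decode(errors="replace"))
        out["findings"] = findings
        out["cross_references"] = cross_references(findings)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_SCRIPT.encode()), indent=2))
    print(json.dumps(report(SAMPLE_ELF_HEADER), indent=2))
```

Run as-is it prints the two reports as JSON; `report()` is the single entry point, so pointing it at real file bytes is the only change needed to triage a file retrieved from a compromised host. The cross-reference map is what makes the output useful in practice: line 4 of the sample shows up under both "commands" and "directories", which is exactly the kind of coincidence (a watched command touching a watched directory) an analyst wants surfaced first.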

  2. #2
    Senior Member
    Join Date: Aug 2003
    Posts: 1,018

    Thanks Mittens, always looking for another toolset to play with.

    Most of my experience thus far has been with windows tools, so my experience with linux apps is limited. Heck, I'm having a difficult time just getting a stable version of anything working.

    The tools do work, and they work very well. The appeal of Linux for me is the fact that for the most part they are cross-platform... and I am working hard to make the switch (and there are so many more tools available).

    I have yet to use any of the tools for anything other than simply learning how to use the tools, so I can't comment on actual usefulness yet.

    This particular toolkit you mention seems to focus on honeypot analysis, and IMHO, anyone involved with system administration should have at least some working knowledge of how intrusions "look", if only for the sake of knowing the correct way to preserve evidence for real "professional" analysis. So in that sense, I think they are indeed useful.
