While this feature's primary use is for locating user data and resources you may use, such as Applications and system preferences, it can also be used to find practically any file on the system.

• 2Command-line tools

E-Detective

http://www.edecision4u.com/

http://www.digi-forensics.com/home.html

Burst

http://www.burstmedia.com/release/advertisers/geo_faq.htm

Expensive IP geolocation service.

CapAnalysis

http://www.capanalysis.net

DEMO: http://pcap.capanalysis.net

Open Source web visual tool for information security specialists, system administrators and everyone who needs to analyze large amounts of captured network traffic.

CapAnalysis performs indexing of data set of PCAP files and presents their contents in many forms, starting from a list of TCP, UDP or ESP streams/flows, passing to the geo-graphical representation of the connections.

chkrootkit

http://www.chkrootkit.org

cryptcat

http://farm9.org/Cryptcat/

Enterasys Dragon

http://www.enterasys.com/products/advanced-security-apps/index.aspx

Instrusion Detection System, includes session reconstruction.

ipfix/netflow v5/9

http://www.mantaro.com/products/MNIS/collector.htm

MNIS Collector is an IPFIX collector which also supports legacy Netflow. It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.

Mantaro Network Intelligence Solutions (MNIS)

http://www.mantaro.com/products/MNIS/index.htm

MNIS is a comprehensive and scalable network intelligence platform for network forensics and various other applications. It is built on high speed Deep Packet Inspection and metadata alerting. It can be used to understand network events before and after an event. It scales from LAN environments to 20 Gbps service provider networks.

http://www.mantaro.com/products/MNIS/network_intelligence_applications.htm#network_forensics

MaxMind

http://www.maxmind.com

IP geolocation services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.

netcat

http://netcat.sourceforge.net/

Which Tool Can Be Used To Search For Both Files And Applications On A Mac

netflow/flowtools

http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml

http://www.splintered.net/sw/flow-tools/

http://silktools.sourceforge.net/

http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)

NetDetector

http://www.niksun.com/product.php?id=4

NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics. It complements existing network security tools, such as firewalls, intrusion detection/prevention systems and switches/routers, to help provide comprehensive defense of hosted intellectual property, mission-critical network services and infrastructure

NetIntercept

http://www.sandstorm.net/products/netintercept

NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.

Netstat

NetVCR

http://www.niksun.com/product.php?id=3

NetVCR delivers comprehensive real-time network, service and application performance management. It is an integrated, single-point solution that decisively replaces multiple network performance monitoring and troubleshooting systems. NetVCR’s scalable architecture easily adapts to data centers, core networks, remote branches or central offices for LAN and WAN requirements

NIKSUN Full Function Appliance

http://www.niksun.com/product.php?id=11

NIKSUN’s Full-Function Appliance combines the value of both NetDetector and NetVCR for complete network performance and security surveillance. This plug-and-play appliance offers customers a complete range of network security and performance monitoring solutions that identify, capture and analyze the root-cause of any security or network incident the first time! The unique enterprise-wide network visibility provided by this product is extremely attractive to large enterprises requiring an integrated and proactive solution to combat the constant barrage of security and network incidents such as worms, viruses, Trojan-horse attacks, Denial of Service (DoS) attacks, outages, overload and service slowdown, etc.

NetOmni

http://www.niksun.com/product.php?id=1

NetOmni provides global visibility across the network so IT professionals can manage multiple products and vendors from one central location. NetOmni streamlines the network management process in a manner conducive to a “best-practices” model that ensures Service Level Agreements (SLA), Quality of Services (QoS) and maximum revenue opportunities.

NISUN Puma Portable

http://www.niksun.com/product.php?id=15

NIKSUN's Puma, a portable network monitoring appliance, allows customers to leverage the state-of-the-art network performance, security and compliance monitoring technology as a robust luggable appliance that can be conveniently used in the field. Deployed in a few short steps, Puma offers with exceptional functionality of NIKSUN's renowned performance and security monitoring technology within minutes to field personnel. Puma, is now capable of monitoring networks at 10G speeds. The incorporation of real-time 10G monitoring to the Puma feature-set enhances the already excellent value that Puma provides to customers, making it the go-to portable monitoring and forensics tool for network professionals

ipfix/netflow v5/9

http://www.mantaro.com/products/MNIS/collector.htm

MNIS Collector is an IPFIX collector which also supports legacy Netflow. It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.

http://www.netgrab.co.uk/

NetSleuth is a free network analysis tool released under the GPL. NetSleuth can be used to analyse and fingerprint hosts from pcap files, designed for post event incident response and network forensics. It also supports a live sniffing mode, silently identifying and fingerprinting devices without needing to send any traffic onto a network.

NetworkMiner

http://sourceforge.net/projects/networkminer/

http://www.netresec.com/?page=NetworkMiner

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames). NetworkMiner has, since the first release in 2007, become popular tool among incident responce teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

NetworkMiner is available both as a free open source tool and as a commercial network forensics tool.

pcap2wav

http://pcap2wav.xplico.org/

VoIP/RTP decoder. pcap2wav is part (a sub-project) of Xplico and it supports and decodes the following audio codecs: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA (x-msrta: Real Time Audio).

rkhunter

http://rkhunter.sourceforge.net/

ngrep

http://ngrep.sourceforge.net/

nslookup

http://en.wikipedia.org/wiki/Nslookup

Name Server Lookup command line tool used to find IP address from domain name.

Sguil

http://sguil.sourceforge.net/

Snort

http://www.snort.org/

ssldump

http://ssldump.sourceforge.net/

tcpdump

http://www.tcpdump.org

tcpxtract

http://tcpxtract.sourceforge.net/

tcpflow

http://www.circlemud.org/~jelson/software/tcpflow/

truewitness

http://www.nature-soft.com/forensic.html

Linux/open-source. Based in India.

OmniPeek by WildPackets

http://www.wildpackets.com/solutions/network_forensics

http://www.wildpackets.com/products/network_analysis/omnipeek_network_analyzer/forensics_search

OmniPeek is a network forensics tool used to capture, store, and analyze historical network traffic.

Whois

http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.

http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN

IP Regional Registries

http://www.arin.net/community/rirs.html

http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)

http://www.afrinic.net/ African Network Information Center (AfriNIC)

http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)

http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)

http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)

Wireshark / Ethereal

http://www.wireshark.org/

Open Source protocol analyzer previously known as ethereal.

Kismet

http://www.kismetwireless.net/

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.

kisMAC

http://www.http://kismac-ng.org/

KisMAC is an open-source and free sniffer/scanner application for Mac OS X.

Xplico

http://www.xplico.org/

Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...

VoIP sniffer and decoder. Audio codec supported: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA

Expert Team - 3i System

http://www.expert-team.net

Expert Team 3i System provides real-time data traffic reconstruction which allows raw data packet stream to be decoded, reassemble and reconstruct back to the original content view receive/compose/sent by the target users. Supported layer 7 protocols and applications include HTTP (Web URL and Content, Web Video, Web File Upload and Download, Email - POP3, IMAP, SMTP, Webmail, Social Networking Sites, FTP File Upload and Download, Instant Messaging, VoIP etc....

fmadio 10G Packet Capture

http://fmad.io

Cost effective full line rate 10G packet capture to disk appliance. Featuring a slim 1U solution with 4 hot swap drives and 16TB of raw disk space, generating nanosecond PCAP files that can be downloaded for further processing at 10Gbit speed. This is a commercial appliance by a small independent vendor.

arp - view the contents of your ARP cache

ifconfig - view your mac and IP address

ping - send packets to probe remote machines

SplitCaphttp://splitcap.sourceforge.net/ - SplitCap is a free open source pcap file splitter.

tcpdump - capture packets

snoop - captures packets from the network and displays their contents (Solaris)

Which Tool Can Be Used To Search For Both Files And Applications On A Mac

nemesis - create arbitrary packets

tcpreplay - replay captured packets

traceroute - view a network path

gnetcast - GNU rewrite of netcat

packit - packet generator

nmap - utility for network exploration and security auditing

Xplico Open Source Network Forensic Analysis Tool (NFAT)

pcap_latency_analyzerhttps://github.com/fmadio/pcap_latency_analyzer - Analyze packet latency between 2 PCAP`s or between 2 MAC`s or any packets with the same payloads.

ARP and Ethernet MAC Tools

arping - transmit ARP traffic

arpdig - probe LAN for MAC addresses

arpwatch - watch ARP changes

arp-sk - perform denial of service attacks

macof - CAM table attacks

ettercap - performs various low-level Ethernet network attacks

CISCO Discovery Protocol Tools

cdpd - transmit and receive CDP announcements; provides forgery capabilities

ICMP Layer Tests and Attacks

ish - ICMP shell (like SSH, but uses ICMP)

IP Layer Tests

iperf - IP multicast test

fragtest - IP fragment reassembly test

UDP Layer Tests

udpcast - includes UDP-receiver and UDP-sender

TCP Layer

lfthttp://pwhois.org/lft - TCP tracing