Free computer forensic tools -Part I
List of over 140 free tools is provided as a free resource for all involved in computer forensics investigations
Computer Forensics Lab offers no support or warranties for the listed software and it is the user’s responsibility to verify licensing agreements. Inclusion on the list does not equate to a recommendation. Using forensic software does not, on its own, make the user a forensic analyst or the output court admissible. Evidence is more likely to be admissible if it is produced by a trained professional computer forensic analyst.
List of security & computer forensics Linux distros:
- Kali Linux 2018
- Parrot Linux 4.1
- Backbox 5.1
- Samurai 3.3.2
- BlackArch Linux 2016-06-01
- Pentoo 2016
- Deft 8
- Caine 9 –Fully featured
- Paladin Forensics 7.04
- Network Security Toolkit (NST) [Network forensics]
- SIFT Workstation by SANS Forensics (Includes super timeline tool LOG2TIMELINE); SIFT can be installed on top of UBUNTU.
- Helix Forensics by E-Fense
Some Common Tools:
- USE brew install [name of the tool] to install Linux applications in Mac OS.
- For memory analysis: “volatility”
- For data recovery: “foremost” or “photorec”
- Show and save file metadata: “exiftool”
- For the file type: “file”
- To display the file in hexa and see the magic bytes/numbers: “hexdump”
- To show printable characters in a file: “Strings”
- To see partition table: “fdisk” or “mmls”
- For mounting image files: “osmount“, “mount” or “ewfmount” or “xmount” or “bdemount”
- For website malware analysis “online sandbox”
- Online reputation website check “virustotal”
- For network traffic and packet analysis: “wireshark” (and sometimes “Tshark”)
- For file listing, directory listing and reporting of files and directories: “Directory Lister“
OPEN SOURCE INVESTIGATIVE TOOL: Autopsy /Sleuth Kit
Below is the list of Autopsy features.
- Multi-User Cases: Collaborate with fellow examiners on large cases.
- Timeline Analysis: Displays system events in a graphical interface to help identify activity.
- Keyword Search: Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
- Web Artifacts: Extracts web activity from common browsers to help identify user activity.
- Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
- LNK File Analysis: Identifies short cuts and accessed documents
- Email Analysis: Parses MBOX format messages, such as Thunderbird.
- EXIF: Extracts geo location and camera information from JPEG files.
- File Type Sorting: Group files by their type to find all images or documents.
- Media Playback: View videos and images in the application and not require an external viewer.
- Thumbnail viewer: Displays thumbnail of images to help quick view pictures.
- Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
- Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
- Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
- Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
- File Type Detection based on signatures and extension mismatch detection.
- Interesting Files Module will flag files and folders based on name and path.
- Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.
Input Formats in Autopsy
Autopsy analyses disk images, local drives, or a folder of local files. Disk images can be in either raw/dd or E01 format. E01 support is provided by libewf.
Reporting in Autopsy
Autopsy has an extensible reporting infrastructure that allows additional types of reports for investigations to be created. By default, an HTML, XLS, and Body file report are available. Each are configurable depending on what information an investigator would like included in their report:
- HTML and Excel: The HTML and Excel reports are intended to be fully packaged and shareable reports. They can include references to tagged files along with comments and notes inserted by the investigator as well as other automated searches that Autopsy performs during ingest. These include bookmarks, web history, recent documents, keyword hits, hashset hits, installed programs, devices attached, cookies, downloads, and search queries.
- Body File: Primarily for use in timeline analysis, this file will include MAC times for every file in an XML format for import by external tools, such as mactime in The Sleuth Kit.
An investigator can generate more than one report at a time and either edit one of the existing or create a new reporting module to customize the behaviour for their specific needs.