Computer Forensics Tools -Part IV

Some More FREE CF Tools:

Frameworks

• DFF (Digital Forensics Framework) – an open source platform applicable for data retrieval and analysis.
• PowerForensics is a PowerShell based utility intended for live disk forensic analysis

Real-Time Utilities

• Grr (GRR Rapid Response) is a remote live forensics tool for incident response.
• Mig (Mozilla Investigator) – a distributed real-time platform for investigating incidents on remote endpoints.

Imaging Tools (Data Acquisition and Cloning)

• Dc3dd – an enhanced edition of the GNU dd utility featuring on-the-fly hashing, pattern writing, file verification, and other functions for digital evidence acquisition.
• Dcfldd is yet another improved version of the dd program.
• Guymager is an imaging tool running under Linux that allows viewing and cloning data media.

Data Extraction

• Bstrings is an improved version of the popular strings utility.
• bulk_extractor enables you to extract email addresses, IP addresses and phone numbers from files.
• Flare-floss is a utility using static analysis techniques to automatically extract obfuscated strings from malware binaries.
• Photorec is a recovery tool that extracts deleted files, including documents, archives, photos, and videos from hard drives and CDs.

RAM Memory Forensics

• inVtero.net – this tool’s distinguishing hallmark is the high speed of extracting data directly from memory.
• KeeFarse extracts KeePass passwords from memory.
• Rekall is a Python-based tool for analyzing RAM memory dumps.
• Volatility framework is a collection of utilities for extracting digital artifacts from RAM memory samples.
• VolUtility provides a web interface for the Volatility Framework mentioned above.

Network Analysis

• SiLK Tools is a traffic analysis toolkit that facilitates security analysis for large networks.
• Wireshark is one of the world’s most popular network sniffers.

Windows Artefacts (Extracting Files, Downloads History, USB memory stick data, etc.)

• FastIR Collector is an all-in-one tool for harvesting Windows information (registry, file system, services, startup programs, etc.).
• FRED is a cross-platform Windows registry analysis utility.
• MFT Parsers is a tool facilitating comparative analysis of Master File Table information.
• MFTExtractor – another handy parser of Master File Table.
• RecuperaBit reconstructs NTFS file system.
• python-ntfs is a Python library for NTFS analysis.

OS X Analysis

• OS X Auditor is a popular free forensics tool supporting Mac OS X that parses and hashes various system artefacts.

Internet Artefacts

• chrome-url-dumper is intended for extracting different types of web surfing information from Google Chrome.
• Hindsight analyzes Google Chrome/Chromium history.

Timeline Analysis

• plaso is a tool that extracts and aggregates timestamps.
• Timesketch facilitates collaborative timeline analysis.

Hex Editors

• 0xED is a hex editor for Mac OS X.
• Synalyze It! is a popular hex editor for Mac OS X featuring an intuitive interface and extensible controls.
• Hexinator is a Windows/Linux version of Synalyze It!.
• HxD – a lightweight and fast hex editor.
• iBored is a cross-platform hex editor supporting Windows, Linux, and Mac OS X.
• wxHexEditor is another free cross-platform hex editor delivering extensive features for file comparison.

Data Converters

• CyberChef is a universal tool for encryption, decoding, compression, and data analysis.
• DateDecode is applicable for decoding random unintelligible date strings provided in 13 different formats.

File Analysis

• 010 Editor Templates is a collection of binary templates for the 010 Editor tool.
• HFSPlus Grammars is a collection of HFS+ components for Synalyze It!.
• Synalyze It! Grammar is a resource encompassing grammar files for the Synalyze It! hex editor.
• WinHex Templates – file components for the WinHex and X-Ways Forensics utilities.

Disk Image Processing

• imagemounter is a command line tool that helps mount/unmount disk images.
• libewf is a library and toolkit to access and work with EWF (Expert Witness Compression Format) and E01 format files.
• xmount is a utility that converts between different disk image types.

A FULLY UPDATED LIST ALL COMPUTER FORENSICS TOOLS CAN BE FOUND HERE: 

• https://www.forensicswiki.org/wiki/Category:Tools
• https://forensicswiki.org/wiki/Tools
• https://forensicswiki.org/wiki/Tools#Open_Source_Tools

All suggestions and additions or updates can be emailed to info@cflab.co.uk