Computer Forensics Tools Part III

Mobile devices

  • iPBA2
  • Mario Piccinelli, Explore iOS backups.
  • iPhone Analyzer
  • Leo Crawford, Mat Proud, Explore the internal file structure of iPad, iPod and iPhones.
  • ivMeta
  • Robin Wood, Extracts phone model, software version, created date and GPS data from iPhone videos.
  • Last SIM Details
  • Dan Roe, Parses physical flash dumps and Nokia PM records to find details of previously inserted SIM cards.
  • Rubus
  • CCL Forensics, Deconstructs Blackberry .ipd backup files.
  • SAFT
  • SignalSEC Corp, Obtain SMS Messages, call logs and contacts from Android devices.

Data analysis suites

  • Autopsy
  • Brian Carrier, Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below).
  • Digital Forensics Framework
  • ArxSys, Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items.
  • Forensic Scanner
  • Harlan Carvey, Automates ‘repetitive tasks of data collection’.
  • The Sleuth Kit
  • Brian Carrier, Collection of UNIX-based command line file and volume system forensic analysis tools.
  • Volatility Framework
  • Volatile Systems, Collection of tools for the extraction of artefacts from RAM.

File viewers

  • BKF Viewer
  • SysTools, View (not save or export from) contents of BKF backup files.
  • DXL Viewer
  • SysTools, View (not save or export) Lotus Notes DXL file emails and attachments.
  • E01 Viewer
  • SysTools, View (not save or export from) E01 files & view messages within EDB, PST & OST files.
  • MDF Viewer
  • SysTools, View (not save or export) MS SQL MDF files.
  • MSG Viewer
  • SysTools, View (not save or export) MSG file emails and attachments.
  • OLM Viewer
  • SysTools, View (not save or export) OLM file emails and attachments.

Internet analysis

  • Browser History Capturer
  • Foxton Software, Captures history from Firefox, Chrome, Internet Explorer and Edge web browsers running on Windows computers.
  • Browser History Viewer
  • Foxton Software, Extract, view and analyse internet history from Firefox, Chrome, Internet Explorer and Edge web browsers.
  • Chrome Session Parser
  • CCL Forensics, Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”).
  • ChromeCacheView
  • Nirsoft, Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.
  • Cookie Cutter
  • Mike’s Forensic Tools, Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits.
  • Dumpzilla
  • Busindre, Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information.
  • Facebook Profile Saver
  • Belkasoft, Captures information publicly available in Facebook profiles.
  • IECookiesView
  • Nirsoft, Extracts various details of Internet Explorer cookies.
  • IEPassView
  • Nirsoft, Extract stored passwords from Internet Explorer versions 4 to 8.
  • MozillaCacheView
  • Nirsoft, Reads the cache folder of Firefox/Mozilla/Netscape Web browsers.
  • MozillaCookieView
  • Nirsoft, Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers.
  • MozillaHistoryView
  • Nirsoft, Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages.
  • MyLastSearch
  • Nirsoft, Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace).
  • PasswordFox
  • Nirsoft, Extracts the user names and passwords stored by Mozilla Firefox Web browser.
  • OperaCacheView
  • Nirsoft, Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache.
  • OperaPassView
  • Nirsoft, Decrypts the content of the Opera Web browser password file, wand.dat.
  • Web Historian
  • Mandiant, Reviews list of URLs stored in the history files of the most commonly used browsers.
  • Web Page Saver
  • Magnet Forensics, Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages.

Registry analysis

  • AppCompatCache Parser
  • Eric Zimmerman, Dumps list of shimcache entries showing which executables were run and their modification dates.
  • ForensicUserInfo
  • Woanware, Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file.
  • Process Monitor
  • Microsoft, Examine Windows processes and registry threads in real time.
  • RECmd
  • Eric Zimmerman, Command line access to offline Registry hives. Supports simple & regular expression searches as well as searching by last write timestamp.
  • Registry Decoder
  • US National Institute of Justice, Digital Forensics Solutions
  • For the acquisition, analysis, and reporting of registry contents.
  • Registry Explorer
  • Eric Zimmerman
  • Offline Registry viewer. Provides deleted artefact recovery, value slack support, and robust searching.
  • RegRipper
  • Harlan Carvey
  • Registry data extraction and correlation tool.
  • Regshot
  • Regshot
  • Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software.
  • ShellBags Explorer
  • Eric Zimmerman
  • Presents visual representation of what a user’s directory structure looked like. Additionally exposes various timestamps (e.g., first explored, last explored) for a given folder.
  • USB Device Forensics
  • Woanware
  • Details previously attached USB devices on exported registry hives.
  • USB Historian
  • 4Discovery
  • Displays 20+ attributes relating to USB device use on Windows systems.
  • USBDeview
  • Nirsoft
  • Details previously attached USB devices.
  • User Assist Analysis
  • 4Discovery
  • Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys.
  • UserAssist
  • Didier Stevens
  • Displays list of programs run, with run count and last run date and time.
  • Windows Registry Recovery
  • MiTec
  • Extracts configuration settings and other information from the Registry.

Application analysis

  • Dropbox Decryptor
  • Magnet Forensics
  • Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox.
  • Google Maps Tile Investigator
  • Magnet Forensics
  • Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context.
  • KaZAlyser
  • Sanderson Forensics
  • Extracts various data from the KaZaA application.
  • LiveContactsView
  • Nirsoft
  • View and export Windows Live Messenger contact details.
  • SkypeLogView
  • Nirsoft
  • View Skype calls and chats.

For Reference

  • HotSwap
  • Kazuyuki Nakayama
  • Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area.
  • iPhone Backup Browser
  • Rene Devichi
  • View unencrypted backups of iPad, iPod and iPhones.
  • IEHistoryView
  • Nirsoft
  • Extracts recently visited Internet Explorer URLs.
  • LiveView
  • CERT
  • Allows examiner to boot dd images in VMware.
  • WhatsApp Forensics
  • Zena Forensics
  • Extract WhatsApp messages from iOS and Android backups.
