Computer Forensics Tools – Part III
Mobile devices
- iPBA2
  - Mario Piccinelli, Explore iOS backups.
- iPhone Analyzer
  - Leo Crawford, Mat Proud, Explore the internal file structure of iPad, iPod and iPhones.
- ivMeta
  - Robin Wood, Extracts phone model, software version, creation date and GPS data from iPhone videos.
- Last SIM Details
  - Dan Roe, Parses physical flash dumps and Nokia PM records to find details of previously inserted SIM cards.
- Rubus
  - CCL Forensics, Deconstructs Blackberry .ipd backup files.
- SAFT
  - SignalSEC Corp, Obtains SMS messages, call logs and contacts from Android devices.
Data analysis suites
- Autopsy
  - Brian Carrier, Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below).
- Digital Forensics Framework
  - ArxSys, Analyses volumes, file systems, user and application data, extracting metadata, deleted and hidden items.
- Forensic Scanner
  - Harlan Carvey, Automates ‘repetitive tasks of data collection’. Fuller description here.
- The Sleuth Kit
  - Brian Carrier, Collection of UNIX-based command line file and volume system forensic analysis tools.
- Volatility Framework
  - Volatile Systems, Collection of tools for the extraction of artefacts from RAM.
File viewers
- BKF Viewer
  - SysTools, View (not save or export from) contents of BKF backup files.
- DXL Viewer
  - SysTools, View (not save or export) Lotus Notes DXL file emails and attachments.
- E01 Viewer
  - SysTools, View (not save or export from) E01 files and view messages within EDB, PST and OST files.
- MDF Viewer
  - SysTools, View (not save or export) MS SQL MDF files.
- MSG Viewer
  - SysTools, View (not save or export) MSG file emails and attachments.
- OLM Viewer
  - SysTools, View (not save or export) OLM file emails and attachments.
Internet analysis
- Browser History Capturer
  - Foxton Software, Captures history from Firefox, Chrome, Internet Explorer and Edge web browsers running on Windows computers.
- Browser History Viewer
  - Foxton Software, Extract, view and analyse internet history from Firefox, Chrome, Internet Explorer and Edge web browsers.
- Chrome Session Parser
  - CCL Forensics, Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”).
- ChromeCacheView
  - Nirsoft, Reads the cache folder of the Google Chrome Web browser and displays the list of all files currently stored in the cache.
- Cookie Cutter
  - Mike’s Forensic Tools, Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits.
- Dumpzilla
  - Busindre, Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information.
- Facebook Profile Saver
  - Belkasoft, Captures information publicly available in Facebook profiles.
- IECookiesView
  - Nirsoft, Extracts various details of Internet Explorer cookies.
- IEPassView
  - Nirsoft, Extracts stored passwords from Internet Explorer versions 4 to 8.
- MozillaCacheView
  - Nirsoft, Reads the cache folder of Firefox/Mozilla/Netscape Web browsers.
- MozillaCookieView
  - Nirsoft, Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers.
- MozillaHistoryView
  - Nirsoft, Reads the history.dat of Firefox/Mozilla/Netscape Web browsers and displays the list of all visited Web pages.
- MyLastSearch
  - Nirsoft, Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace).
- PasswordFox
  - Nirsoft, Extracts the user names and passwords stored by the Mozilla Firefox Web browser.
- OperaCacheView
  - Nirsoft, Reads the cache folder of the Opera Web browser and displays the list of all files currently stored in the cache.
- OperaPassView
  - Nirsoft, Decrypts the content of the Opera Web browser password file, wand.dat.
- Web Historian
  - Mandiant, Reviews the list of URLs stored in the history files of the most commonly used browsers.
- Web Page Saver
  - Magnet Forensics, Takes a list of URLs and saves scrolling captures of each page. Produces an HTML report file containing the saved pages.
Registry analysis
- AppCompatCache Parser
  - Eric Zimmerman, Dumps the list of shimcache entries showing which executables were run and their modification dates. Further details.
- ForensicUserInfo
  - Woanware, Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file.
- Process Monitor
  - Microsoft, Examines Windows process, thread and registry activity in real time.
- RECmd
  - Eric Zimmerman, Command line access to offline Registry hives. Supports simple and regular expression searches as well as searching by last write timestamp. Further details.
- Registry Decoder
  - US National Institute of Justice, Digital Forensics Solutions, For the acquisition, analysis and reporting of registry contents.
- Registry Explorer
  - Eric Zimmerman, Offline Registry viewer. Provides deleted artefact recovery, value slack support and robust searching. Further details.
- RegRipper
  - Harlan Carvey, Registry data extraction and correlation tool.
- Regshot
  - Regshot, Takes snapshots of the registry allowing comparisons, e.g., showing registry changes after installing software.
- ShellBags Explorer
  - Eric Zimmerman, Presents a visual representation of what a user’s directory structure looked like. Additionally exposes various timestamps (e.g., first explored, last explored) for a given folder. Further details.
- USB Device Forensics
  - Woanware, Details previously attached USB devices from exported registry hives.
- USB Historian
  - 4Discovery, Displays 20+ attributes relating to USB device use on Windows systems.
- USBDeview
  - Nirsoft, Details previously attached USB devices.
- User Assist Analysis
  - 4Discovery, Extracts SID, User Names, Indexes, Application Names, Run Counts, Session and Last Run Time attributes from UserAssist keys.
- UserAssist
  - Didier Stevens, Displays the list of programs run, with run count and last run date and time.
- Windows Registry Recovery
  - MiTec, Extracts configuration settings and other information from the Registry.
Application analysis
- Dropbox Decryptor
  - Magnet Forensics, Decrypts the Dropbox filecache.dbx file, which stores information about files that have been synced to the cloud using Dropbox.
- Google Maps Tile Investigator
  - Magnet Forensics, Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles, providing more context.
- KaZAlyser
  - Sanderson Forensics, Extracts various data from the KaZaA application.
- LiveContactsView
  - Nirsoft, View and export Windows Live Messenger contact details.
- SkypeLogView
  - Nirsoft, View Skype calls and chats.
For Reference
- HotSwap
  - Kazuyuki Nakayama, Safely remove SATA disks, similar to the “Safely Remove Hardware” icon in the notification area.
- iPhone Backup Browser
  - Rene Devichi, View unencrypted backups of iPad, iPod and iPhones.
- IEHistoryView
  - Nirsoft, Extracts recently visited Internet Explorer URLs.
- LiveView
  - CERT, Allows the examiner to boot dd images in VMware.
- WhatsApp Forensics
  - Zena Forensics, Extracts WhatsApp messages from iOS and Android backups.
Computer Forensics Tools – Part IV – Continued