Computer Forensics Tools -Part II

Computer Forensics Tools -Part II

Disk tools and data capture

  • Arsenal Image Mounter
  • Arsenal Consulting, Mounts disk images as complete disks in Windows, giving access to Volume Shadow Copies, etc.
  • DumpIt
  • MoonSols, Generates physical memory dump of Windows machines, 32 bits 64 bit. Can run from a USB flash drive.
  • EnCase Forensic Imager
  • Guidance Software, Create EnCase evidence files and EnCase logical evidence files [direct download link]
  • Encrypted Disk Detector
  • Magnet Forensics, Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes.
  • EWF MetaEditor
  • 4Discovery, Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier).
  • FAT32 Format
  • Ridgecrop, Enables large capacity disks to be formatted as FAT32.
  • Forensics Acquisition of Websites
  • Web Content Protection Association, Browser designed to forensically capture web pages.
  • FTK Imager
  • AccessData, Imaging tool, disk viewer and image mounter.
  • Guymager
  • vogu00, Multi-threaded GUI imager under running under Linux.
  • Live RAM Capturer
  • Belkasoft, Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds
  • NetworkMiner
  • Hjelmvik, Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing.
  • Nmap
  • Nmap, Utility for network discovery and security auditing.
  • Magnet RAM Capture
  • Magnet Forensics, Captures physical memory of a suspect’s computer. Windows XP to Windows 10, and 2003, 2008, 2012. 32 & 64 bit.
  • OSFClone
  • Passmark Software, Mount utility for CD/DVD or USB flash drives to create dd or AFF images/clones.
  • OSFMount
  • Passmark Software, Mounts a wide range of disk images. Also allows creation of RAM disks.
  • Email analysis
  • EDB Viewer
  • Lepide Software, Open and view (not export) Outlook EDB files without an Exchange server.
  • Mail Viewer
  • MiTeC, Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files.
  • MBOX Viewer
  • SysTools, View MBOX emails and attachments.
  • OST Viewer
  • Lepide Software, Open and view (not export) Outlook OST files without connecting to an Exchange server.
  • PST Viewer
  • Lepide Software, Open and view (not export) Outlook PST files without needing Outlook.
  • General
  • LOG2TIMELINE: Computer Artefact Time Creator
  • log2timeline is designed as a framework for artefact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artefacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.
  • Agent Ransack
  • Mythicsoft, Search multiple files using Boolean operators and Perl Regex.
  • Computer Forensic Reference Data Sets
  • NIST, Collated forensic images for training, practice and validation.
  • EvidenceMover
  • Nuix, Copies data between locations, with file comparison, verification, logging.
  • FastCopy
  • Shirouzu Hiroaki, Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc.
  • File Signatures
  • Gary Kessler, Table of file signatures.
  • HexBrowser
  • Peter Fiskerstrand, Identifies over 1000 file types by examining their signatures.
  • HashMyFiles
  • Nirsoft, Calculate MD5 and SHA1 hashes.
  • MobaLiveCD
  • Mobatek, Run Linux live CDs from their ISO image without having to boot to them.
  • NSRL
  • NIST, Hash sets of ‘known’ (ignorable) files.
  • Quick Hash
  • Ted Technology, A Linux & Windows GUI for individual and recursive SHA1 hashing of files.
  • USB Write Blocker
  • DSi, Enables software write-blocking of USB ports.
  • Volix
  • FH Aachen, Application that simplifies the use of the Volatility Framework.
  • Windows Forensic Environment
  • Troy Larson, Guide by Brett Shavers to creating and working with a Windows boot CD.
  • File and data analysis
  • Advanced Prefetch Analyser
  • Allan Hay, Reads Windows XP,Vista and Windows 7 prefetch files.
  • analyzeMFT
  • David Kovar, Parses the MFT from an NTFS file system allowing results to be analysed with other tools.
  • bstrings
  • Eric Zimmerman, Find strings in binary data, including regular expression searching.
  • CapAnalysis
  • Evolka, PCAP viewer.
  • Crowd Reponse
  • CrowdStike, Windows console application to aid gathering of system information for incident response and security engagements.
  • Crowd Inspect
  • CrowdStrike, Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce “at-a-glance” state of the system.
  • DCode
  • Digital Detective, Converts various data types to date/time values.
  • Defraser
  • Various, Detects full and partial multimedia files in unallocated space.
  • eCryptfs Parser
  • Ted Technology, Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc.
  • Encryption Analyzer
  • Passware, Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file.
  • ExifTool
  • Phil Harvey, Read, write and edit Exif data in a large number of file types.
  • File Identifier
  • Toolsley.com, Drag and drop web-browser JavaScript tool for identification of over 2000 file types.
  • Forensic Image Viewer
  • Sanderson Forensics, View various picture formats, image enhancer, extraction of embedded Exif, GPS data.
  • Ghiro
  • Alessandro Tanasi, In-depth analysis of image (picture) files.
  • Highlighter
  • Mandiant, Examine log files using text, graphic or histogram views.
  • Link Parser
  • 4Discovery, Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files.
  • LiveContactsView
  • Nirsoft, View and export Windows Live Messenger contact details.
  • PECmd
  • Eric Zimmerman, Prefetch Explorer.
  • PlatformAuditProbe
  • AppliedAlgo, Command Line Windows forensic/ incident response tool that collects many artefacts. Manual
  • RSA Netwitness Investigator
  • EMC, Network packet capture and analysis.
  • Memoryze
  • Mandiant, Acquire and/or analyse RAM images, including the page file on live systems.
  • MetaExtractor
  • 4Discovery, Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files.
  • MFTview
  • Sanderson Forensics, Displays and decodes contents of an extracted MFT file.
  • PictureBox
  • Mike’s Forensic Tools, Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format.
  • PsTools
  • Microsoft, Suite of command-line Windows utilities.
  • Shadow Explorer
  • Shadow Explorer, Browse and extract files from shadow copies.
  • SQLite Manager
  • Mrinal Kant, Tarakant Tripathy, Firefox add-on enabling viewing of any SQLite database.
  • Strings
  • Microsoft, Command-line tool for text searches.
  • Structured Storage Viewer
  • MiTec, View and manage MS OLE Structured Storage based files.
  • Switch-a-Roo
  • Mike’s Forensic Tools, Text replacement/converter/decoder for when dealing with URL encoding, etc.
  • Windows File Analyzer
  • MiTeC, Analyse thumbs.db, Prefetch, INFO2 and .lnk files.
  • Xplico
  • Gianluca Costa & Andrea De Franceschi, Network forensics analysis tool.
  • Mac OS tools
  • Audit
  • Twocanoes Software, Audit Preference Pane and Log Reader for OS X.
  • ChainBreaker
  • Kyeongsik Lee, Parses keychain structure, extracting user’s confidential information such as application account/password, encrypted volume password (e.g. filevault), etc.
  • Disk Arbitrator
  • Aaron Burghardt, Blocks the mounting of file systems, complimenting a write blocker in disabling disk arbitration.
  • Epoch Converter
  • Blackbag Technologies, Converts epoch times to local time and UTC.
  • FTK Imager CLI for Mac OS
  • AccessData, Command line Mac OS version of AccessData’s FTK Imager.
  • IORegInfo
  • Blackbag Technologies, Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected.
  • PMAP Info
  • Blackbag Technologies, Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors.
  • Volafox
  • Kyeongsik Lee, Memory forensic toolkit for Mac OS X.

COMPUTER FORENSICS TOOLS PART IIICONTINUED