Difference between revisions of "Tools"

From ForensicsWiki
(Disk Analysis Tools)
m (Windows-based Tools)
 
(211 intermediate revisions by 69 users not shown)
Line 2: Line 2:
  
 
'''Note: This page has gotten too big and is being broken up. See:'''
 
'''Note: This page has gotten too big and is being broken up. See:'''
* [[Tools:Data Recovery]] (including file carving)
+
 
* [[Tools:Disk Imaging]]
+
* [[:Category:Disk Imaging]]
 +
* [[Tools:Data Recovery]] (including file [[carving]])
 +
* [[Tools:File Analysis]]
 +
* [[Tools:Document Metadata Extraction]]
 
* [[Tools:Memory Imaging]]
 
* [[Tools:Memory Imaging]]
 +
* [[Tools:Memory Analysis]]
 +
* [[Tools:Network Forensics]]
 +
* [[Tools:Logfile Analysis]]
 +
* [[:Category:Anti-forensics tools]]
 +
* [[:Category:Secure deletion]]
  
 
= Disk Analysis Tools =
 
= Disk Analysis Tools =
 
== Hard Drive Firmware and Diagnostics Tools ==
 
== Hard Drive Firmware and Diagnostics Tools ==
; [[PC-3000]], from [[DeepSpar Data Recovery Systems]]
+
; [[PC-3000]] from [[ACE Lab]]
: http://www.deepspar.com/products-pc-3000-drive.html
+
: http://www.acelaboratory.com/catalog/
  
 
== Linux-based Tools ==
 
== Linux-based Tools ==
; [[LINReS]], by [[NII Consulting Pvt. Ltd.]]
+
; [[LINReS]] by [[NII Consulting Pvt. Ltd.]]
 
: http://www.niiconsulting.com/innovation/linres.html
 
: http://www.niiconsulting.com/innovation/linres.html
  
; [[SMART]], by [[ASR Data]]
+
; [[SMART]] by [[ASR Data]]
 
: http://www.asrdata.com
 
: http://www.asrdata.com
 +
 +
; [[Second Look: Linux Memory Forensics]] by [[Pikewerks Corporation]]
 +
: http://secondlookforensics.com/
  
 
== Macintosh-based Tools ==
 
== Macintosh-based Tools ==
  
; [[Macintosh Forensic Software]], by [[BlackBag Technologies, Inc.]]
+
; [[Macintosh Forensic Software]] by [[BlackBag Technologies, Inc.]]
 
: http://www.blackbagtech.com/software_mfs.html
 
: http://www.blackbagtech.com/software_mfs.html
  
; [[MacForensicsLab]], by [[Subrosasoft]]
+
; [[MacForensicsLab]] by [[Subrosasoft]]
 
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicLab-Subrosasoft]
 
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicLab-Subrosasoft]
 +
 +
; [[Mac Marshal]] by [[ATC-NY]]
 +
: http://www.macmarshal.com/
 +
 +
; [[Recon for MAC OS X]] by [[Sumuri, LLC]]
 +
: https://www.sumuri.com/products/recon/
  
 
== Windows-based Tools ==
 
== Windows-based Tools ==
 +
 +
; Arsenal Recon Weapons by [[Arsenal Recon]]
 +
; https://ArsenalRecon.com/
 +
: Arsenal Recon offers unique and powerful tools to mount Windows disk images, reconstruct Windows Registries, and process Windows hibernation files.
 +
 +
; Belkasoft Acquisition Tool by [[Belkasoft]]
 +
; https://belkasoft.com/bat
 +
: BAT is a free utility to acquire a wide range of data sources: hard drives, running computers RAM memory, modern smartphones, and various types of clouds. The output can be analyzed with both Belkasoft and third-party tools.
 +
 +
; Belkasoft Evidence Center by [[Belkasoft]]
 +
; https://belkasoft.com/ec
 +
: BEC allows an investigator to perform all investigation steps: acquisition (aquire hard and removable drives, image smartphones and download cloud data), extraction of evidence (searches and carves more than 700 formats of various files and applications data), analysis (hex viewer, SQLite viewer, social graph building with communities detection etc) and reporting.
 +
 +
; [[Blackthorn GPS Forensics]]
 +
: http://www.blackthorngps.com
  
 
; [[BringBack]] by [[Tech Assist, Inc.]]
 
; [[BringBack]] by [[Tech Assist, Inc.]]
 
: http://www.toolsthatwork.com/bringback.htm
 
: http://www.toolsthatwork.com/bringback.htm
  
; [[EnCase]], by [[Guidance Software]]
+
; [[CD/DVD Inspector]] by [[InfinaDyne]]
 +
; http://www.infinadyne.com/cddvd_inspector.html
 +
: This is the only forensic-qualified tool for examinination of optical media.  It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide.
 +
 
 +
; [[EMail Detective - Forensic Software Tool]] by [[Hot Pepper Technology, Inc]]
 +
; http://www.hotpepperinc.com/emd
 +
 
 +
; [[EnCase]] by [[Guidance Software]]
 
: http://www.guidancesoftware.com/
 
: http://www.guidancesoftware.com/
  
; [[FBI]], by [[Nuix Pty Ltd]]
+
; Facebook Forensic Toolkit (FFT) by [[Afentis_forensics]]
: http://www.nuix.com.au
+
; http://www.facebookforensics.com
 +
: eDiscovery toolkit to identify and clone full profiles; including wall posts, private messages, uploaded photos/tags, group details, graphically illustrate friend links, and generate expert reports.  
  
; [[Forensic Toolkit]] ([[FTK]]), by [[AccessData]]
+
; [[Forensic Explorer]] ([[FEX]]) by [[GetData Forensics]]
 +
: http://www.forensicexplorer.com
 +
 
 +
; [[Forensic Toolkit]] ([[FTK]]) by [[AccessData]]
 
: http://www.accessdata.com/products/ftk/
 
: http://www.accessdata.com/products/ftk/
  
; [[ILook Investigator]], by [[Elliot Spencer]] and [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
+
; [[HBGary Responder Professional]]  - Windows Physical Memory Forensic Platform
: http://www.ilook-forensics.org/
+
:http://www.hbgary.com
 +
 
 +
; [[ILook]] by [[Xtremeforensics]]
 +
: http://www.xtremeforensics.biz/
 +
 
 +
; [[Internet Evidence Finder]] ([[IEF]]) by [[Magnet Forensics]]
 +
: http://www.magnetforensics.com/
 +
 
 +
; [[ISEEK]] by [[Xtremeforensics]]
 +
: http://www.xtremeforensics.biz/
 +
 
 +
; [[Mercury Indexer]] by [[MicroForensics, Inc.]]
 +
: http://www.MicroForensics.com/
 +
 
 +
; [[Nuix Desktop]] by [[Nuix Pty Ltd]]
 +
: http://www.nuix.com
 +
 
 +
; [[OnLineDFS]] by [[Cyber Security Technologies]]
 +
: http://www.cyberstc.com/
 +
 
 +
; [[OSForensics]] by [[PassMark Software Pty Ltd]]
 +
: http://www.osforensics.com/
  
 
; [[P2 Power Pack]] by [[Paraben]]
 
; [[P2 Power Pack]] by [[Paraben]]
 
: https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187
 
: https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187
 +
 +
; [[Prodiscover]] by [[Techpathways]]
 +
: http://www.techpathways.com/ProDiscoverWindows.htm
 +
 +
; [[Proof Finder]] by [[Nuix Pty Ltd]]
 +
: http://www.prooffinder.com/
  
 
; [[Safeback]] by [[NTI]] and [[Armor Forensics]]
 
; [[Safeback]] by [[NTI]] and [[Armor Forensics]]
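Review bot: the URL lines added under Arsenal Recon Weapons, Belkasoft Acquisition Tool, Belkasoft Evidence Center, CD/DVD Inspector, EMail Detective and Facebook Forensic Toolkit use `;` (definition-term markup) instead of the `:` definition line every other entry in this section uses, so each link renders as a bold second term rather than an indented URL; change them to the form `: https://ArsenalRecon.com/`. Two typos in the added descriptions: "aquire" in the Belkasoft Evidence Center line and "examinination" in the CD/DVD Inspector line. Blackthorn GPS Forensics is added here under Windows-based Tools while the same entry also appears under GPS Forensics later in this revision; keep it in one place so the two copies do not drift apart.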
Line 52: Line 122:
 
: http://www.x-ways.net/forensics/index-m.html
 
: http://www.x-ways.net/forensics/index-m.html
  
; [[Prodiscover]] by [[Techpathways]]
+
; [[DateDecoder]] by [[Live-Forensics]]
: http://www.techpathways.com/ProDiscoverWindows.htm
+
: http://www.live-forensics.com/dl/DateDecoder.zip
 +
: A command line tool that decodes most encoded time/date stamps found on a windows system, and outputs the time/date in a human readable format.
  
 +
; [[RecycleReader]] by [[Live-Forensics]]
 +
: http://www.live-forensics.com/dl/RecycleReader.zip
 +
: A command line tool that outputs the contents of the recycle bin on XP, Vista and 7.
 +
 +
; [[Dstrings]] by [[Live-Forensics]]
 +
: http://www.live-forensics.com/dl/Dstrings.zip
 +
: A command line tool that searches for strings in a given file.  It has the ability to compare the output of those strings against a dictionary to either exclude the dictionary terms in the output or only output files that match the dictionary.  It also has the ability to search for IP Addresses and URLs/Email Addresses.
 +
 +
; [[Unique]] by [[Live-Forensics]]
 +
: http://www.live-forensics.com/dl/Unique.zip
 +
: A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options.
 +
 +
; [[HashUtil]] by [[Live-Forensics]]
 +
: http://www.live-forensics.com/dl/HashUtil.zip
 +
: HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes.  It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases.
 +
 +
; [http://www.windowsscope.com WindowsSCOPE Cyber Forensics]
 +
: Comprehensive Windows Memory Forensics and Cyber Analysis, Incident Response, and Education support.
 +
: Software and hardware based acquisition with [https://www.windowsscope.com/captureguard-physical-memory-acquisition-hardware-pcie-add-on/ CaptureGUARD PCIe] and [https://www.windowsscope.com/captureguard-physical-memory-acquisition-hardware-expresscard/ ExpressCard]
 +
: Hardware based acquisition of memory on a locked computer via [https://www.windowsscope.com/captureguard-gateway-access-to-locked-computers/ CaptureGUARD Gateway]
 +
 +
; [[MailXaminer]] by [[SysTools]]
 +
: http://www.mailxaminer.com/
 +
: Forensic & eDiscovery Tool to find digital email evidences from multiple email platform through its powerful Search mechanism.
 +
 +
; Twitter Forensic Toolkit (TFT) by [[Afentis_forensics]]
 +
; http://www.twitterforensics.com
 +
: eDiscovery toolkit to identify relevant Tweets, clone full profiles, download all tweets/media, data mine across comments, and generate expert reports.
 +
 +
; YouTube Forensic Toolkit (YFT) by [[Afentis_forensics]]
 +
; http://www.youtubeforensics.com
 +
: eDiscovery toolkit to identify relevant online media, download/convert videos, data mine across comments, and generate expert reports.
  
 
== Open Source Tools ==
 
== Open Source Tools ==
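Review bot: the entries appended after X-Ways Forensics (DateDecoder through YouTube Forensic Toolkit) break the alphabetical order the rest of the section keeps, which this same revision restores for Prodiscover by moving it up; sort the new entries in. The Twitter and YouTube toolkit URL lines use `;` rather than `:`, the WindowsSCOPE term is an external link instead of the [[wiki link]] used elsewhere and has no plain URL line, and "digital email evidences from multiple email platform" in the MailXaminer line should read "email evidence from multiple email platforms".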
Line 63: Line 166:
 
; [[Autopsy]]
 
; [[Autopsy]]
 
: http://www.sleuthkit.org/autopsy/desc.php
 
: http://www.sleuthkit.org/autopsy/desc.php
 +
 +
; [[Bulk Extractor]]
 +
: https://github.com/simsong/bulk_extractor/wiki
 +
: Bulk Extractor provides digital media triage by extracting Features from digital media.
 +
 +
; [[Bulk Extractor Viewer]]
 +
: https://github.com/simsong/bulk_extractor/wiki/BEViewer
 +
: Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using [[Bulk Extractor]].
 +
 +
; [[Digital Forensics Framework]] (DFF)
 +
: DFF is cross-platform and open-source, user and developers oriented. It provide many features and is very modular. Our goal is to provide a powerful framework to the forensic community, so people can use only one tool during the analysis. http://www.digital-forensic.org
  
 
; [[foremost]]
 
; [[foremost]]
 
: http://foremost.sf.net/
 
: http://foremost.sf.net/
 
: [[Linux]] based file carving program
 
: [[Linux]] based file carving program
 
; [[Scalpel]]
 
: http://www.digitalforensicssolutions.com/Scalpel/
 
: [[Linux]] and [[Windows]] file carving program originally based on [[foremost]].
 
  
 
; [[FTimes]]
 
; [[FTimes]]
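Review bot: the Digital Forensics Framework description puts the project URL at the end of the sentence instead of on its own `:` line like the other entries, and carries vendor first-person wording ("Our goal is to provide...") plus "It provide many features"; move the URL to `: http://www.digital-forensic.org` and rewrite the sentence in the third person. The Scalpel entry removed in this hunk is re-added in alphabetical position later in the diff, so that part is a move rather than a deletion.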
Line 82: Line 192:
 
: http://www.stud.uni-hannover.de/user/76201/gpart/
 
: http://www.stud.uni-hannover.de/user/76201/gpart/
 
: Tries to ''guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted''.
 
: Tries to ''guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted''.
 +
 +
; [[Hachoir]]
 +
: A generic framework for binary file manipulation, it supports [[FAT12]], [[FAT16]], [[FAT32]], [[ext2|ext2/ext3]], Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).
 +
 +
; [[hashdb]]
 +
: http://github.com/simsong/hashdb/wiki
 +
: A tool for finding previously identified blocks of data in media such as disk images.
  
 
; [[magicrescue]]
 
; [[magicrescue]]
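Review bot: the Hachoir entry moved here from the end of the section has no URL line, unlike its neighbours gpart and hashdb, and "Recognize file type. Able to find subfiles (hachoir-subfile)." are sentence fragments; add the project URL and merge the fragments into one sentence. The hashdb link uses http where the github.com/simsong/bulk_extractor links above use https; pick one scheme.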
Line 90: Line 207:
  
 
; [[pyflag]]
 
; [[pyflag]]
: web-based, database-backed forensic and log analysis GUI written in Python.
+
: http://code.google.com/p/pyflag/
 +
: Web-based, database-backed forensic and log analysis GUI written in Python.
 +
 
 +
; [[Scalpel]]
 +
: http://www.digitalforensicssolutions.com/Scalpel/
 +
: [[Linux]] and [[Windows]] file carving program originally based on [[foremost]].
  
 
; [[scrounge-ntfs]]
 
; [[scrounge-ntfs]]
Line 100: Line 222:
 
; [[The Coroner's Toolkit]] ([[TCT]])
 
; [[The Coroner's Toolkit]] ([[TCT]])
 
: http://www.porcupine.org/forensics/tct.html
 
: http://www.porcupine.org/forensics/tct.html
 
; [[Zeitline]] --- Forensic timeline editor
 
: http://projects.cerias.purdue.edu/forensics/timeline.php
 
: http://sourceforge.net/projects/zeitline/
 
 
; [[Hachoir]]
 
: A generic framework for binary file manipulation, it supports [[FAT12]], [[FAT16]], [[FAT32]], [[ext2|ext2/ext3]], Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).
 
  
 
== [[NDA]] and [[scoped distribution]] tools ==
 
== [[NDA]] and [[scoped distribution]] tools ==
  
 
= Enterprise Tools (Proactive Forensics)=
 
= Enterprise Tools (Proactive Forensics)=
 +
 +
; [[LiveWire Investigator 2008]] by [[WetStone Technologies]]
 +
: http://www.wetstonetech.com/f/livewire2008.html
  
 
; [[P2 Enterprise Edition]] by [[Paraben]]
 
; [[P2 Enterprise Edition]] by [[Paraben]]
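Review bot: the Zeitline entry (with its projects.cerias.purdue.edu and sourceforge.net URLs) is dropped in this hunk and, unlike Hachoir, is not re-added anywhere else in the diff; confirm the removal is intended or move it to one of the split-off pages. The "NDA and scoped distribution tools" subsection has no entries under it in either revision; drop the empty heading or give it content.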
Line 116: Line 234:
  
 
= Forensics Live CDs =
 
= Forensics Live CDs =
 +
; [[Kali Linux]]
 +
: [http://www.kali.org/ http://www.kali.org/]
  
; [[FCCU Gnu/Linux Boot CD]]
+
; [[KNOPPIX]]  
: A Live CD built on top of [[Knoppix]] with a lot of tools with forensic purpose.
+
: [http://www.knopper.net/knoppix/index-en.html http://www.knopper.net/knoppix/index-en.html]
: It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.
+
  
; [[Helix]]
+
; [[BackTrack Linux]]  
: A Live CD built on top of [[Knoppix]] with special tools for [[Incident Response|incident response]] and electronic discovey.
+
: [http://www.backtrack-linux.org/ http://www.backtrack-linux.org/]
: Its a hybrid CD which also contains a [[Cygwin]] environment for use on a running Windows system (w/o rebooting) including the sysinternal tools.
+
  
; [[Knoppix STD]]
+
; [[Paladin Forensic Suite - Live Boot Ubuntu]] ([[Sumuri, LLC]])
: A Live CD built on top of [[Knoppix]].
+
: https://www.sumuri.com/products/paladin/
: http://s-t-d.org/
+
: Simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox.
  
; [[THE FARMER'S BOOT CD]]
+
See: [[:Category:Live CD|Forensics Live CDs]]
: A [[Linux]] [[Live CD]], designed and optimized for previewing data in a [[forensically sound]] manner. It contains a number of programs forensic practitioners can utilize to preview both [[Windows]] and [[Linux]] systems.
+
  
; [[MacQuisition Boot CD]]
+
= Personal Digital Device Tools=
: A forensic [[Live CD]] built for imaging [[Macintosh]] systems.
+
  
; [[DEFT Linux]]
+
== GPS Forensics ==
: A Live CD built on top of [[Kubuntu]] with the best tools for Computer Forensic and incident response.
+
: It is very easy to use with a lot of device driver. The first live CD with [[AFF]] and the brend new forensics tool.
+
: http://www.stevelab.net/deft
+
  
= Metadata Extraction Tools =
+
; [[Blackthorn GPS Forensics]]
 
+
; [[.XRY]]
; [[antiword]]
+
: http://www.winfield.demon.nl/
+
 
+
; [[catdoc]]
+
: http://www.45.free.net/~vitus/software/catdoc/
+
 
+
; [[jhead]]
+
: http://www.sentex.net/~mwandel/jhead/
+
: Displays or modifies [[Exif]] data in [[JPEG]] files.
+
 
+
; [[laola]]
+
: http://user.cs.tu-berlin.de/~schwartz/pmh/index.html
+
 
+
; [[vinetto]]
+
: http://vinetto.sourceforge.net/
+
: Examines [[Thumbs.db]] files.
+
 
+
; [[word2x]]
+
: http://word2x.sourceforge.net/
+
 
+
; [[wvWare]]
+
: http://wvware.sourceforge.net/
+
: Extracts metadata from various [[Microsoft]] Word files ([[doc]]). Can also convert doc files to other formats such as HTML or plain text.
+
 
+
; [[xpdf]]
+
: http://www.foolabs.com/xpdf/
+
: [[pdfinfo]] (part of the [[xpdf]] package) displays some metadata of [[PDF]] files.
+
 
+
; [[Metadata Assistant]]
+
: http://www.payneconsulting.com/products/metadataent/
+
 
+
; hachoir-metadata: part of '''[[Hachoir]]''' project
+
 
+
= File Analysis Tools =
+
 
+
== Open Source Tools ==
+
 
+
; [[file]]
+
: The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes.
+
 
+
; [[ldd]]
+
: ...
+
 
+
; [[ltrace]]
+
: ...
+
 
+
; [[strace]]
+
: ...
+
 
+
; [[strings]]
+
: Strings will print the strings of printable characters in files. It allows choosing different charactersets (ASCII, UNICODE). It is a quick way to browse through files/partitions/... in order to look for words, filenames, keywords etc.
+
 
+
; [[Galleta]]
+
: Parses cookie files.  http://www.foundstone.com/resources/proddesc/galleta.htm
+
 
+
; The [[Open Computer Forensics Architecture]]
+
: http://ocfa.sourceforge.net/
+
 
+
; [[Pasco]]
+
; Parses '''index.dat'' files. http://www.foundstone.com/resources/proddesc/pasco.htm
+
 
+
; [[Rifiuti]]
+
; Examines the INFO2 file in the Recycle Bin    http://www.foundstone.com/resources/proddesc/rifiuti.htm
+
 
+
; [[yim2text]]
+
; Extracts the 'encrypted' info in yahoo instant messenger log files. http://www.1vs0.com/tools.html
+
 
+
; [[Hachoir]]
+
: determines the file type using file header/footer (hachoir-metadata --type), able to list strings in Unicode (hachoir-grep), etc. Support more than 60 file formats.
+
 
+
== [[NDA]] and [[scoped distribution]] tools ==
+
 
+
= Network Forensics Tools =
+
 
+
; [[chkrootkit]]
+
: ...
+
 
+
; [[cryptcat]]
+
: ...
+
 
+
; [[netcat]]
+
: ...
+
 
+
; [[netflow]]/[[flowtools]]
+
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
+
: http://www.splintered.net/sw/flow-tools/
+
 
+
; NetIntercept
+
: http://www.sandstorm.net/products/netintercept
+
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
+
; [[rkhunter]]
+
: ...
+
 
+
; [[Sguil]]
+
: http://sguil.sourceforge.net/
+
 
+
; [[Snort]]
+
: http://www.snort.org/
+
 
+
; [[Tcpdump]]
+
: http://www.tcpdump.org
+
 
+
; [[tcpextract]]
+
: http://tcpxtract.sourceforge.net/
+
 
+
; [[tcpflow]]
+
: http://www.circlemud.org/~jelson/software/tcpflow/
+
 
+
; [[truewitness]]
+
: http://www.nature-soft.com/forensic.html
+
Linux/open-source. Based in India.
+
 
+
; [[etherpeek]]
+
: http://www.wildpackets.com/products/etherpeek/overview
+
 
+
= Anti-forensics Tools =
+
 
+
; [[Slacker]]
+
: A tool to hide files within the [[slack space]] of the [[NTFS]] file system.
+
: http://www.metasploit.com/projects/antiforensics/slacker.exe
+
 
+
; [[Timestomp]]
+
: A tool that allows one to modify all four [[NTFS]] timestamp (MACE) values.
+
: http://www.metasploit.com/projects/antiforensics/timestomp.exe
+
 
+
== Securely deleting data ==
+
 
+
; [[BCWipe]]
+
: Secure data deletion tools for [[Windows]] and [[Unix]]-like [[operating systems]].
+
 
+
; [[CyberScrub cyberCide]]
+
: This program securely erases all data from drives or partitions.
+
: http://www.cyberscrub.com/products/cybercide/index.php
+
 
+
; [[CyberScrub Privacy Suite]]
+
: This program securely erases selected data, wipes free space, powerful scheduling capabilities.
+
: http://www.cyberscrub.com/products/privacysuite/index.php
+
 
+
; [[Darik's Boot and Nuke]] ([[DBAN]])
+
: This is a bootable disk that securely wipes any hard disk it can detect. 
+
: http://dban.sourceforge.net/
+
 
+
; [[Eraser]]
+
: Offers several patterns for wiping data including [[Peter Gutmann]]'s and the [[US DoD 5200.28-STD]] standard.
+
: http://www.heidi.ie/eraser
+
 
+
; [[Ontrack Data Eraser]]
+
: ...
+
 
+
; [[shred]]
+
: Part of GNU coreutils.
+
 
+
; [[wipe]]
+
: http://abaababa.ouvaton.org/wipe/
+
 
+
; [[Lenovo SDD]]
+
: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-56394
+
 
+
== See also ==
+
 
+
* [[Anti-forensic techniques]]
+
* [[Database Encryption]].
+
 
+
= Personal Digital Device Tools=
+
  
 
== PDA Forensics ==
 
== PDA Forensics ==
 +
; [[Cellebrite UFED]]
 +
; [[.XRY]]
 
; [[Paraben PDA Seizure]]
 
; [[Paraben PDA Seizure]]
 
; [[Paraben PDA Seizure Toolbox]]
 
; [[Paraben PDA Seizure Toolbox]]
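Review bot: the KNOPPIX and BackTrack Linux URL lines wrap the address in bracket syntax with the URL repeated as its own label, where every other entry on the page gives a bare URL; use the bare form. The removed sections (Metadata Extraction, File Analysis, Network Forensics, Anti-forensics, Securely deleting data) match the split targets listed at the top of the page, but several removed File Analysis entries carry descriptions found only here, with the Pasco, Rifiuti and yim2text description lines using `;` rather than `:` and Pasco's `'''index.dat''` bold never closing; verify each entry and its description exist on the target page before this section disappears.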
Line 313: Line 264:
  
 
== Cell Phone Forensics ==
 
== Cell Phone Forensics ==
 +
; [https://belkasoft.com/ec Belkasoft Evidence Center]
 
; [[BitPIM]]
 
; [[BitPIM]]
 +
; [[Cellebrite UFED]]
 
; [[DataPilot Secure View]]
 
; [[DataPilot Secure View]]
; [[GSM .XRY]]
+
; [[.XRY]]
 +
: http://www.msab.com/index
 +
; [[Fernico ZRT]]
 
; [[ForensicMobile]]
 
; [[ForensicMobile]]
 
; [[LogiCube CellDEK]]
 
; [[LogiCube CellDEK]]
 
; [[MOBILedit!]]
 
; [[MOBILedit!]]
; [[Oxygen PM II]]
+
; [[Oxygen Forensic Suite 2010]]
; [[Paraben Device Seizure]]
+
: http://www.oxygen-forensic.com
; [[Paraben Device Seizure Toolbox]]
+
; [[Paraben's Device Seizure]] and [[Paraben's Device Seizure Toolbox]]
 +
: http://www.paraben-forensics.com/handheld_forensics.html
 
; [[Serial Port Monitoring]]
 
; [[Serial Port Monitoring]]
 
; [[TULP2G]]
 
; [[TULP2G]]
  
 
== SIM Card Forensics ==
 
== SIM Card Forensics ==
 +
; [[Cellebrite UFED]]
 +
; [[.XRY]]
 
; [[ForensicSIM]]
 
; [[ForensicSIM]]
; [[Paraben Device Seizure]]
+
; [[Paraben's SIM Card Seizure]]
 +
: http://www.paraben-forensics.com/handheld_forensics.html
 
; [[SIMCon]]
 
; [[SIMCon]]
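Review bot: the Belkasoft Evidence Center entry added to Cell Phone Forensics is an external link in the term position while every other item in these lists is a [[wiki link]], and the product already has an entry under Windows-based Tools; link that page instead. Cellebrite UFED and .XRY are now listed under PDA, Cell Phone and SIM Card Forensics alike, with the .XRY URL given only in the Cell Phone list; if the triple listing is intended, put the URL on each entry or on one canonical one.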
  
Line 333: Line 292:
 
; [[Paraben StrongHold Bag]]
 
; [[Paraben StrongHold Bag]]
 
; [[Paraben StrongHold Tent]]
 
; [[Paraben StrongHold Tent]]
 
  
 
= Other Tools =
 
= Other Tools =
 +
 +
; Chat Sniper
 +
: http://www.alexbarnett.com/chatsniper.htm
 +
:  A forensic software tool designed to simplify the process of on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live), or Yahoo instant messenger.
 +
 +
; Serial Port Analyzer
 +
: http://www.eltima.com/how-to-analyze-serial-port-activity/
 +
: The tool to analyze serial port and  device activity.
 +
 +
; Computer Forensics Toolkit
 +
: http://computer-forensics.privacyresources.org
 +
: This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
 +
 +
; Live View
 +
: http://liveview.sourceforge.net/
 +
: Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine]] out of a dd disk image or physical disk.
 +
 +
; Parallels VM
 +
: http://www.parallels.com/
 +
: http://en.wikipedia.org/wiki/Parallels_Workstation
 +
 +
; Serial and USB ports sharing
 +
: http://www.flexihub.com/serial-over-ethernet.html
 +
: Share and access serial and USB ports over Ethernet
 +
 +
; Microsoft Virtual PC
 +
: http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
 +
: http://en.wikipedia.org/wiki/Virtual_PC
  
 
; [[VMware]] Player
 
; [[VMware]] Player
 
: http://www.vmware.com/products/player/
 
: http://www.vmware.com/products/player/
 +
: http://en.wikipedia.org/wiki/VMware#VMware_Workstation
 
: A free player for [[VMware]] [[virtual machine]]s that will allow them to "play" on either [[Windows]] or [[Linux]]-based systems.
 
: A free player for [[VMware]] [[virtual machine]]s that will allow them to "play" on either [[Windows]] or [[Linux]]-based systems.
  
Line 344: Line 331:
 
: http://www.vmware.com/products/server/
 
: http://www.vmware.com/products/server/
 
: The free server product, for setting up/configuring/running [[VMware]] [[virtual machine]].Important difference being that it can run 'headless', i.e. everything in background.
 
: The free server product, for setting up/configuring/running [[VMware]] [[virtual machine]].Important difference being that it can run 'headless', i.e. everything in background.
 
; Computer Forensics Toolkit
 
: http://computer-forensics.privacyresources.org
 
: This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
 
  
 
; Webtracer
 
; Webtracer
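Review bot: "Serial Port Analyzer" and "Serial and USB ports sharing" are product categories rather than tool names, and their one-line descriptions ("Share and access serial and USB ports over Ethernet") say nothing about forensic use; either name the product and state what it does in an examination, or drop them. The Computer Forensics Toolkit and Live View entries removed lower in this hunk are the same entries added near the top, so that is a reorder rather than a loss; the added Chat Sniper description line has a stray extra space after the `:`.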
Line 353: Line 336:
 
: Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
 
: Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
  
; Live View
+
; Recon for MAC OS X
: http://liveview.sourceforge.net/
+
: https://www.sumuri.com/products/recon/
: Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine]] out of a dd disk image or physical disk.  
+
: RECON for Mac OS X is simply the fastest way to conduct Mac Forensics, automates what an experienced examiner would need weeks to accomplish in minutes, now includes PALADIN 6 which comes with a full featured Forensic Suite, bootable forensic imager, a software write-blocker and so much more.
 +
 
  
 
== Hex Editors ==
 
== Hex Editors ==
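Review bot: Recon for MAC OS X is added here under Other Tools although this same revision lists it under Macintosh-based Tools with the same sumuri.com URL; keep one entry. The description is vendor copy ("simply the fastest way", "so much more") and should be cut down to what the tool does.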
Line 361: Line 345:
 
; [[biew]]
 
; [[biew]]
 
: http://biew.sourceforge.net/en/biew.html
 
: http://biew.sourceforge.net/en/biew.html
 +
 +
; [[bless]]
 +
: http://home.gna.org/bless/
 +
 +
; [[Okteta]]
 +
: KDE's new cross-platform hex editor with features such as signature-matching
 +
: http://utils.kde.org/projects/okteta/
  
 
; [[hexdump]]
 
; [[hexdump]]
 
: ...
 
: ...
 +
 +
; [[HexFiend]]
 +
: A hex editor for Apple OS X
 +
: http://ridiculousfish.com/hexfiend/
  
 
; [[Hex Workshop]]
 
; [[Hex Workshop]]
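Review bot: Okteta is inserted between bless and hexdump, out of the alphabetical order the section otherwise keeps (it belongs after khexedit); the hexdump entry still carries the `: ...` placeholder description in both revisions, so either describe it or drop the placeholder line.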
Line 371: Line 366:
 
; [[khexedit]]
 
; [[khexedit]]
 
: http://docs.kde.org/stable/en/kdeutils/khexedit/index.html
 
: http://docs.kde.org/stable/en/kdeutils/khexedit/index.html
 +
 +
; ReclaiMe Pro
 +
: The built-in disk editor visualizes most known partition and filesystem objects: boot sectors, superblocks, partition headers in structured view. Low-level data editing for extra leverage.
 +
: http://www.ReclaiMe-Pro.com
  
 
; [[WinHex]]
 
; [[WinHex]]
 
: Computer forensics software, data recovery software, hex editor, and disk editor from [[X-Ways]].
 
: Computer forensics software, data recovery software, hex editor, and disk editor from [[X-Ways]].
 
: http://www.x-ways.net/winhex
 
: http://www.x-ways.net/winhex
 +
 +
; [[wxHexEditor]]
 +
: A Multi-OS supported, open sourced, hex and disk editor.
 +
: http://www.wxhexeditor.org
  
 
; [[xxd]]
 
; [[xxd]]
 
: ...
 
: ...
  
== Telephone Scanners/War Dialers ==
+
; [[HexReader]]
 +
: [[Live-Forensics]] software that reads windows files at specified offset and length and outputs results to the console.
 +
: http://www.live-forensics.com/dl/HexReader.zip
 +
 
 +
= Telephone Scanners/War Dialers =
  
 
;PhoneSweep
 
;PhoneSweep
 
:http://www.sandstorm.net/products/phonesweep/
 
:http://www.sandstorm.net/products/phonesweep/
 
:PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.
 
:PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.
 +
 +
;TeleSweep
 +
:http://www.securelogix.com/modemscanner/
 +
:SecureLogix is currently offering no-cost downloads of our award-winning TeleSweep Secure® modem-vulnerability scanner. This free modem scanning software can be used to dial a batch of corporate phone numbers and report on the number of modems connected to these corporate lines. *** Registration is required for obtaining a license key *** Still free however.
 +
 +
;WarVox
 +
:https://github.com/rapid7/warvox
 +
:WarVOX is a free, open-source VOIP-based war dialing tool for exploring, classifying, and auditing phone systems.
 +
 +
;Additional Software Names and Links (Jackpot!)
 +
:http://www.wyae.de/software/paw/
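Review bot: the HexReader entry is inserted after xxd, out of alphabetical order for the Hex Editors section, and its description ("reads windows files at specified offset and length and outputs results to the console") describes a dump utility rather than an editor, so it may fit better elsewhere. Promoting Telephone Scanners/War Dialers from `==` to `=` is consistent with the other top-level sections. The TeleSweep description is pasted vendor text in the first person ("our award-winning", the `***` registration remark) and should be rewritten in the third person; "Additional Software Names and Links (Jackpot!)" is not a tool name and reads better as a plain "See also" line.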

Latest revision as of 02:04, 1 March 2018

This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

Disk Analysis Tools

Hard Drive Firmware and Diagnostics Tools

PC-3000 from ACE Lab
http://www.acelaboratory.com/catalog/

Linux-based Tools

LINReS by NII Consulting Pvt. Ltd.
http://www.niiconsulting.com/innovation/linres.html
SMART by ASR Data
http://www.asrdata.com
Second Look: Linux Memory Forensics by Pikewerks Corporation
http://secondlookforensics.com/

Macintosh-based Tools

Macintosh Forensic Software by BlackBag Technologies, Inc.
http://www.blackbagtech.com/software_mfs.html
MacForensicsLab by Subrosasoft
MacForensicLab-Subrosasoft
Mac Marshal by ATC-NY
http://www.macmarshal.com/
Recon for MAC OS X by Sumuri, LLC
https://www.sumuri.com/products/recon/

Windows-based Tools

Arsenal Recon Weapons by Arsenal Recon
https://ArsenalRecon.com/
Arsenal Recon offers unique and powerful tools to mount Windows disk images, reconstruct Windows Registries, and process Windows hibernation files.
Belkasoft Acquisition Tool by Belkasoft
https://belkasoft.com/bat
BAT is a free utility to acquire a wide range of data sources: hard drives, the RAM of running computers, modern smartphones, and various cloud services. The output can be analyzed with both Belkasoft and third-party tools.
Belkasoft Evidence Center by Belkasoft
https://belkasoft.com/ec
BEC allows an investigator to perform all investigation steps: acquisition (acquire hard and removable drives, image smartphones and download cloud data), extraction of evidence (searches and carves more than 700 formats of files and application data), analysis (hex viewer, SQLite viewer, social graph building with community detection, etc.) and reporting.
Blackthorn GPS Forensics
http://www.blackthorngps.com
BringBack by Tech Assist, Inc.
http://www.toolsthatwork.com/bringback.htm
CD/DVD Inspector by InfinaDyne
http://www.infinadyne.com/cddvd_inspector.html
This is the only forensic-qualified tool for examination of optical media. It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide.
EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
http://www.hotpepperinc.com/emd
EnCase by Guidance Software
http://www.guidancesoftware.com/
Facebook Forensic Toolkit (FFT) by Afentis_forensics
http://www.facebookforensics.com
eDiscovery toolkit to identify and clone full profiles; including wall posts, private messages, uploaded photos/tags, group details, graphically illustrate friend links, and generate expert reports.
Forensic Explorer (FEX) by GetData Forensics
http://www.forensicexplorer.com
Forensic Toolkit (FTK) by AccessData
http://www.accessdata.com/products/ftk/
HBGary Responder Professional - Windows Physical Memory Forensic Platform
http://www.hbgary.com
ILook by Xtremeforensics
http://www.xtremeforensics.biz/
Internet Evidence Finder (IEF) by Magnet Forensics
http://www.magnetforensics.com/
ISEEK by Xtremeforensics
http://www.xtremeforensics.biz/
Mercury Indexer by MicroForensics, Inc.
http://www.MicroForensics.com/
Nuix Desktop by Nuix Pty Ltd
http://www.nuix.com
OnLineDFS by Cyber Security Technologies
http://www.cyberstc.com/
OSForensics by PassMark Software Pty Ltd
http://www.osforensics.com/
P2 Power Pack by Paraben
https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187
Prodiscover by Techpathways
http://www.techpathways.com/ProDiscoverWindows.htm
Proof Finder by Nuix Pty Ltd
http://www.prooffinder.com/
Safeback by NTI and Armor Forensics
http://www.forensics-intl.com/safeback.html
X-Ways Forensics by X-Ways AG
http://www.x-ways.net/forensics/index-m.html
DateDecoder by Live-Forensics
http://www.live-forensics.com/dl/DateDecoder.zip
A command line tool that decodes most encoded time/date stamps found on a Windows system and outputs the time/date in a human-readable format.
RecycleReader by Live-Forensics
http://www.live-forensics.com/dl/RecycleReader.zip
A command line tool that outputs the contents of the recycle bin on XP, Vista and 7.
Dstrings by Live-Forensics
http://www.live-forensics.com/dl/Dstrings.zip
A command line tool that searches for strings in a given file. It can compare the strings it finds against a dictionary, either excluding the dictionary terms from the output or outputting only files that match the dictionary. It can also search for IP addresses, URLs and email addresses.
Unique by Live-Forensics
http://www.live-forensics.com/dl/Unique.zip
A command line tool similar to the Unix uniq. It allows unique string counts as well as various sorting options.
HashUtil by Live-Forensics
http://www.live-forensics.com/dl/HashUtil.zip
HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes. It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases.
WindowsSCOPE Cyber Forensics
Comprehensive Windows Memory Forensics and Cyber Analysis, Incident Response, and Education support.
Software and hardware based acquisition with CaptureGUARD PCIe and ExpressCard
Hardware based acquisition of memory on a locked computer via CaptureGUARD Gateway
MailXaminer by SysTools
http://www.mailxaminer.com/
Forensic and eDiscovery tool to find digital email evidence from multiple email platforms through its search mechanism.
Twitter Forensic Toolkit (TFT) by Afentis_forensics
http://www.twitterforensics.com
eDiscovery toolkit to identify relevant Tweets, clone full profiles, download all tweets/media, data mine across comments, and generate expert reports.
YouTube Forensic Toolkit (YFT) by Afentis_forensics
http://www.youtubeforensics.com
eDiscovery toolkit to identify relevant online media, download/convert videos, data mine across comments, and generate expert reports.

Open Source Tools

AFFLIB
A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
Autopsy
http://www.sleuthkit.org/autopsy/desc.php
Bulk Extractor
https://github.com/simsong/bulk_extractor/wiki
Bulk Extractor provides digital media triage by extracting Features from digital media.
Bulk Extractor Viewer
https://github.com/simsong/bulk_extractor/wiki/BEViewer
Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using Bulk Extractor.
Digital Forensics Framework (DFF)
http://www.digital-forensic.org
DFF is cross-platform and open-source, oriented towards both users and developers. It provides many features and is very modular. Our goal is to provide a powerful framework to the forensic community, so that people can use only one tool during the analysis.
foremost
http://foremost.sf.net/
Linux-based file carving program.
FTimes
http://ftimes.sourceforge.net/FTimes/index.shtml
FTimes is a system baselining and evidence collection tool.
gfzip
http://www.nongnu.org/gfzip/
gpart
http://www.stud.uni-hannover.de/user/76201/gpart/
Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
Hachoir
A generic framework for binary file manipulation. It supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, the MS-DOS partition header, etc., recognizes file types, and is able to find subfiles (hachoir-subfile).
hashdb
http://github.com/simsong/hashdb/wiki
A tool for finding previously identified blocks of data in media such as disk images.
magicrescue
http://jbj.rapanden.dk/magicrescue/
The Open Computer Forensics Architecture
http://ocfa.sourceforge.net/
pyflag
http://code.google.com/p/pyflag/
Web-based, database-backed forensic and log analysis GUI written in Python.
Scalpel
http://www.digitalforensicssolutions.com/Scalpel/
Linux and Windows file carving program originally based on foremost.
scrounge-ntfs
http://memberwebs.com/nielsen/software/scrounge/
Sleuthkit
http://www.sleuthkit.org/
The Coroner's Toolkit (TCT)
http://www.porcupine.org/forensics/tct.html

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

LiveWire Investigator 2008 by WetStone Technologies
http://www.wetstonetech.com/f/livewire2008.html
P2 Enterprise Edition by Paraben
http://www.paraben-forensics.com/enterprise_forensics.html

Forensics Live CDs

Kali Linux
http://www.kali.org/
KNOPPIX
http://www.knopper.net/knoppix/index-en.html
BackTrack Linux
http://www.backtrack-linux.org/
Paladin Forensic Suite - Live Boot Ubuntu (Sumuri, LLC)
https://www.sumuri.com/products/paladin/
Simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox.

See: Forensics Live CDs

Personal Digital Device Tools

GPS Forensics

Blackthorn GPS Forensics
.XRY

PDA Forensics

Cellebrite UFED
.XRY
Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell Phone Forensics

Belkasoft Evidence Center
BitPIM
Cellebrite UFED
DataPilot Secure View
.XRY
http://www.msab.com/index
Fernico ZRT
ForensicMobile
LogiCube CellDEK
MOBILedit!
Oxygen Forensic Suite 2010
http://www.oxygen-forensic.com
Paraben's Device Seizure and Paraben's Device Seizure Toolbox
http://www.paraben-forensics.com/handheld_forensics.html
Serial Port Monitoring
TULP2G

SIM Card Forensics

Cellebrite UFED
.XRY
ForensicSIM
Paraben's SIM Card Seizure
http://www.paraben-forensics.com/handheld_forensics.html
SIMCon

Preservation Tools

Paraben StrongHold Bag
Paraben StrongHold Tent

Other Tools

Chat Sniper
http://www.alexbarnett.com/chatsniper.htm
A forensic software tool designed to simplify the process of on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live), or Yahoo instant messenger.
Serial Port Analyzer
http://www.eltima.com/how-to-analyze-serial-port-activity/
A tool to analyze serial port and device activity.
Computer Forensics Toolkit
http://computer-forensics.privacyresources.org
This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
Live View
http://liveview.sourceforge.net/
Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
Parallels VM
http://www.parallels.com/
http://en.wikipedia.org/wiki/Parallels_Workstation
Serial and USB ports sharing
http://www.flexihub.com/serial-over-ethernet.html
Share and access serial and USB ports over Ethernet
Microsoft Virtual PC
http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
http://en.wikipedia.org/wiki/Virtual_PC
VMware Player
http://www.vmware.com/products/player/
http://en.wikipedia.org/wiki/VMware#VMware_Workstation
A free player for VMware virtual machines that allows them to "play" on either Windows or Linux-based systems.
VMware Server
http://www.vmware.com/products/server/
The free server product for setting up, configuring and running VMware virtual machines. The important difference is that it can run "headless", i.e. entirely in the background.
Webtracer
http://www.forensictracer.com
Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
Recon for MAC OS X
https://www.sumuri.com/products/recon/
RECON for Mac OS X is simply the fastest way to conduct Mac forensics; it automates in minutes what an experienced examiner would need weeks to accomplish. It now includes PALADIN 6, which comes with a full-featured forensic suite, a bootable forensic imager, a software write-blocker and much more.
Hex Editors

biew
http://biew.sourceforge.net/en/biew.html
bless
http://home.gna.org/bless/
Okteta
KDE's new cross-platform hex editor with features such as signature-matching
http://utils.kde.org/projects/okteta/
hexdump
...
HexFiend
A hex editor for Apple OS X.
http://ridiculousfish.com/hexfiend/
Hex Workshop
A hex editor from BreakPoint Software, Inc.
http://www.bpsoft.com
khexedit
http://docs.kde.org/stable/en/kdeutils/khexedit/index.html
ReclaiMe Pro
The built-in disk editor visualizes most known partition and filesystem objects (boot sectors, superblocks, partition headers) in a structured view, with low-level data editing for extra leverage.
http://www.ReclaiMe-Pro.com
WinHex
Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
http://www.x-ways.net/winhex
wxHexEditor
A multi-OS, open-source hex and disk editor.
http://www.wxhexeditor.org
xxd
...
HexReader
Live-Forensics software that reads Windows files at a specified offset and length and outputs the results to the console.
http://www.live-forensics.com/dl/HexReader.zip

Telephone Scanners/War Dialers

PhoneSweep
http://www.sandstorm.net/products/phonesweep/
PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.
TeleSweep
http://www.securelogix.com/modemscanner/
SecureLogix is currently offering no-cost downloads of our award-winning TeleSweep Secure® modem-vulnerability scanner. This free modem scanning software can be used to dial a batch of corporate phone numbers and report on the number of modems connected to these corporate lines. Registration is required to obtain a license key, but the software is still free.
WarVox
https://github.com/rapid7/warvox
WarVOX is a free, open-source VOIP-based war dialing tool for exploring, classifying, and auditing phone systems.
Additional Software Names and Links (Jackpot!)
http://www.wyae.de/software/paw/