Difference between revisions of "Tools"

From ForensicsWiki
m
Line 8: Line 8:
 
* [[:Category:Disk Imaging]]
 
* [[:Category:Disk Imaging]]
 
* [[:Category:Secure_deletion]]
 
* [[:Category:Secure_deletion]]
 
  
 
= Disk Analysis Tools =
 
= Disk Analysis Tools =
 
== Hard Drive Firmware and Diagnostics Tools ==
 
== Hard Drive Firmware and Diagnostics Tools ==
; [[PC-3000]], from [[DeepSpar Data Recovery Systems]]
+
; [[PC-3000]] from [[DeepSpar Data Recovery Systems]]
 
: http://www.deepspar.com/products-pc-3000-drive.html
 
: http://www.deepspar.com/products-pc-3000-drive.html
 
: http://www.pc-3000.com/
 
: http://www.pc-3000.com/
  
 
== Linux-based Tools ==
 
== Linux-based Tools ==
; [[LINReS]], by [[NII Consulting Pvt. Ltd.]]
+
; [[LINReS]] by [[NII Consulting Pvt. Ltd.]]
 
: http://www.niiconsulting.com/innovation/linres.html
 
: http://www.niiconsulting.com/innovation/linres.html
  
; [[SMART]], by [[ASR Data]]
+
; [[SMART]] by [[ASR Data]]
 
: http://www.asrdata.com
 
: http://www.asrdata.com
  
 
== Macintosh-based Tools ==
 
== Macintosh-based Tools ==
  
 
+
; [[Macintosh Forensic Software]] by [[BlackBag Technologies, Inc.]]
; [[Macintosh Forensic Software]], by [[BlackBag Technologies, Inc.]]
+
 
: http://www.blackbagtech.com/software_mfs.html
 
: http://www.blackbagtech.com/software_mfs.html
  
; [[MacForensicsLab]], by [[Subrosasoft]]
+
; [[MacForensicsLab]] by [[Subrosasoft]]
 
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicLab-Subrosasoft]
 
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicLab-Subrosasoft]
  
Line 40: Line 38:
 
; http://www.hotpepperinc.com/emd
 
; http://www.hotpepperinc.com/emd
  
; [[EnCase]], by [[Guidance Software]]
+
; [[EnCase]] by [[Guidance Software]]
 
: http://www.guidancesoftware.com/
 
: http://www.guidancesoftware.com/
  
; [[fbi (tool)|fbi]], by [[Nuix Pty Ltd]]
+
; [[fbi (tool)|fbi]] by [[Nuix Pty Ltd]]
 
: http://www.nuix.com
 
: http://www.nuix.com
  
; [[Forensic Toolkit]] ([[FTK]]), by [[AccessData]]
+
; [[Forensic Toolkit]] ([[FTK]]) by [[AccessData]]
 
: http://www.accessdata.com/products/ftk/
 
: http://www.accessdata.com/products/ftk/
  
; [[ILook Investigator]], by [[Elliot Spencer]] and [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
+
; [[ILook Investigator]] by [[Elliot Spencer]] and [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
 
: http://www.ilook-forensics.org/
 
: http://www.ilook-forensics.org/
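Review bot: the EMail Detective URL line `; http://www.hotpepperinc.com/emd` in this hunk still carries the `;` definition-term prefix, so it renders as a bold term instead of the indented `:` definition every other URL on the page uses; change it to `: http://www.hotpepperinc.com/emd`, the same fix this revision applies to the SNARL and Penguin Sleuthkit entries further down.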
  
Line 102: Line 100:
 
; [[pyflag]]
 
; [[pyflag]]
 
: http://www.pyflag.net/PyFlagWiki/
 
: http://www.pyflag.net/PyFlagWiki/
: web-based, database-backed forensic and log analysis GUI written in Python.
+
: Web-based, database-backed forensic and log analysis GUI written in Python.
  
 
; [[scrounge-ntfs]]
 
; [[scrounge-ntfs]]
Line 141: Line 139:
  
 
; [[SNARL]]
 
; [[SNARL]]
; A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
+
: A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
; http://sourceforge.net/projects/snarl/
+
: http://sourceforge.net/projects/snarl/
  
 
; [[Knoppix STD]]
 
; [[Knoppix STD]]
Line 149: Line 147:
  
 
; [[Penguin Sleuthkit]]
 
; [[Penguin Sleuthkit]]
; A Linux LiveCD that includes SleuthKit.
+
: A Linux LiveCD that includes SleuthKit.
; http://penguinsleuth.org/
+
: http://penguinsleuth.org/
  
 
; [[THE FARMER'S BOOT CD]]
 
; [[THE FARMER'S BOOT CD]]
Line 209: Line 207:
  
 
; hachoir-metadata: part of '''[[Hachoir]]''' project
 
; hachoir-metadata: part of '''[[Hachoir]]''' project
 
 
 
 
  
 
= Personal Digital Device Tools=
 
= Personal Digital Device Tools=
Line 230: Line 224:
 
; [[MOBILedit!]]
 
; [[MOBILedit!]]
 
; [[Oxygen PM II]]
 
; [[Oxygen PM II]]
; [[Paraben's Device Seizure]]
+
; [[Paraben's Device Seizure]] and [[Paraben's Device Seizure Toolbox]]
http://www.paraben-forensics.com/handheld_forensics.html
+
: http://www.paraben-forensics.com/handheld_forensics.html
; [[Paraben's Device Seizure Toolbox]]
+
http://www.paraben-forensics.com/handheld_forensics.html
+
 
; [[Serial Port Monitoring]]
 
; [[Serial Port Monitoring]]
 
; [[TULP2G]]
 
; [[TULP2G]]
Line 240: Line 232:
 
; [[ForensicSIM]]
 
; [[ForensicSIM]]
 
; [[Paraben's SIM Card Seizure]]
 
; [[Paraben's SIM Card Seizure]]
http://www.paraben-forensics.com/handheld_forensics.html
+
: http://www.paraben-forensics.com/handheld_forensics.html
 
; [[SIMCon]]
 
; [[SIMCon]]
  
Line 246: Line 238:
 
; [[Paraben StrongHold Bag]]
 
; [[Paraben StrongHold Bag]]
 
; [[Paraben StrongHold Tent]]
 
; [[Paraben StrongHold Tent]]
 
  
 
= Other Tools =
 
= Other Tools =

Revision as of 15:07, 18 July 2008

This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

Category:Disk Imaging
Category:Secure deletion

Disk Analysis Tools

Hard Drive Firmware and Diagnostics Tools

PC-3000 from DeepSpar Data Recovery Systems
http://www.deepspar.com/products-pc-3000-drive.html
http://www.pc-3000.com/

Linux-based Tools

LINReS by NII Consulting Pvt. Ltd.
http://www.niiconsulting.com/innovation/linres.html
SMART by ASR Data
http://www.asrdata.com

Macintosh-based Tools

Macintosh Forensic Software by BlackBag Technologies, Inc.
http://www.blackbagtech.com/software_mfs.html
MacForensicsLab by Subrosasoft
MacForensicLab-Subrosasoft

Windows-based Tools

BringBack by Tech Assist, Inc.
http://www.toolsthatwork.com/bringback.htm
EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
http://www.hotpepperinc.com/emd
EnCase by Guidance Software
http://www.guidancesoftware.com/
fbi by Nuix Pty Ltd
http://www.nuix.com
Forensic Toolkit (FTK) by AccessData
http://www.accessdata.com/products/ftk/
ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
http://www.ilook-forensics.org/
OnLineDFS by Cyber Security Technologies
http://www.cyberstc.com/
P2 Power Pack by Paraben
https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187
Safeback by NTI and Armor Forensics
http://www.forensics-intl.com/safeback.html
X-Ways Forensics by X-Ways AG
http://www.x-ways.net/forensics/index-m.html
Prodiscover by Techpathways
http://www.techpathways.com/ProDiscoverWindows.htm

Open Source Tools

AFFLIB
A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
Autopsy
http://www.sleuthkit.org/autopsy/desc.php
foremost
http://foremost.sf.net/
Linux-based file carving program.
Scalpel
http://www.digitalforensicssolutions.com/Scalpel/
Linux and Windows file carving program originally based on foremost.
FTimes
http://ftimes.sourceforge.net/FTimes/index.shtml
FTimes is a system baselining and evidence collection tool.
gfzip
http://www.nongnu.org/gfzip/
gpart
http://www.stud.uni-hannover.de/user/76201/gpart/
Tries to guess the primary partition table of a PC-type hard disk, by scanning the disk for the starts of known filesystems, in case the primary partition table in sector 0 is damaged, incorrect or deleted.
magicrescue
http://jbj.rapanden.dk/magicrescue/
The Open Computer Forensics Architecture
http://ocfa.sourceforge.net/
pyflag
http://www.pyflag.net/PyFlagWiki/
Web-based, database-backed forensic and log analysis GUI written in Python.
scrounge-ntfs
http://memberwebs.com/nielsen/software/scrounge/
Sleuthkit
http://www.sleuthkit.org/
The Coroner's Toolkit (TCT)
http://www.porcupine.org/forensics/tct.html
Zeitline --- Forensic timeline editor
http://projects.cerias.purdue.edu/forensics/timeline.php
http://sourceforge.net/projects/zeitline/
Hachoir
A generic framework for binary file manipulation. It supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, the MS-DOS partition header, etc., recognises file types, and can find files embedded in other files (hachoir-subfile).
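The foremost and Scalpel entries above describe header/footer file carving: recovering files from a raw image by byte patterns alone, with no help from filesystem metadata. The following is an added example of that technique, not code from foremost, Scalpel or the ForensicsWiki. The signature table, the size caps and the in-memory "disk image" (a tiny PNG and a JFIF stub buried in filler) are constructed for the example.

```python
"""Header/footer carving in the style of foremost and Scalpel.

Added example for this page; it is not code from foremost, Scalpel or the
ForensicsWiki.  The disk image it runs on is constructed in memory below.
"""
import hashlib

# (type, header, footer, maximum carve size).  Header and footer bytes are the
# ones the JPEG, PNG and GIF specifications define; the size caps are arbitrary
# and play the role of foremost's per-type "size" column.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 10 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00\x3b", 5 * 1024 * 1024),
]


def carve(image: bytes, signatures=SIGNATURES):
    """Return [(type, offset, length, sha256)] for every header found in image.

    Carving is purely pattern based: no filesystem metadata is consulted, so
    deleted files are found as long as their bytes are still on disk, but a
    header embedded in another file (a JPEG's Exif thumbnail, say) is carved as
    a separate hit and the enclosing file is cut at the *first* footer seen.
    """
    hits = []
    for name, header, footer, max_size in signatures:
        start = image.find(header)
        while start != -1:
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            # No footer inside the cap: keep the whole window, as foremost does.
            length = len(window) if end == -1 else end + len(footer)
            digest = hashlib.sha256(image[start:start + length]).hexdigest()
            hits.append((name, start, length, digest))
            start = image.find(header, start + 1)
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_image() -> bytes:
    """Constructed image: zero filler, a 45-byte 1x1 PNG, 0xAA filler, a 22-byte
    JFIF stub, zero filler.  Neither file is referenced by any filesystem."""
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR" + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00"
           + b"\x1f\x15\xc4\x89"                       # IHDR CRC
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")  # empty IEND chunk + its CRC
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 7 + b"\xff\xd9"
    return b"\x00" * 512 + png + b"\xaa" * 300 + jpg + b"\x00" * 200


if __name__ == "__main__":
    for kind, off, size, digest in carve(build_sample_image()):
        print("%s at offset %d, %d bytes, sha256 %s" % (kind, off, size, digest))
```

The hash per hit is what you would record in the evidence log; the offset is what lets a second examiner reproduce the carve from the same image. Note the caveat in the docstring: nested headers and an early footer are the two classic carving failure modes, and a real carver (Scalpel, or foremost with its "all" mode) needs a policy for both.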
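The gpart entry above describes recovering a lost partition table by scanning the disk for the starts of known filesystems. The following is an added example of that approach, not gpart's code. The 400-sector disk image is constructed in memory (an NTFS volume at LBA 63, an ext2 volume at LBA 300) so that the script runs offline; the on-disk fields it reads (NTFS TotalSectors at 0x28, FAT TotalSectors at 0x13/0x20, the ext2 superblock magic, block count and block size) are the documented ones, and the partition type bytes it reports are the usual MBR codes.

```python
"""Partition-table recovery by filesystem-signature scanning, as gpart does it.

Added example for this page; not gpart's code.  The 400-sector image is
constructed below so the script runs offline.
"""
import struct

SECTOR = 512


def parse_mbr(image) -> list:
    """Return [(type, lba_start, sector_count)] from the four primary MBR slots.
    An image without the 0x55AA boot signature has no usable table."""
    if image[510:512] != b"\x55\xaa":
        return []
    entries = []
    for i in range(4):
        e = 0x1BE + 16 * i
        ptype = image[e + 4]
        lba_start, count = struct.unpack_from("<II", image, e + 8)
        if ptype != 0 and count != 0:
            entries.append((ptype, lba_start, count))
    return entries


def probe_sector(image, s: int):
    """Treat sector s as a candidate partition start and return
    (type, start, sector_count) if a known boot sector / superblock is there."""
    off = s * SECTOR
    boot = image[off:off + SECTOR]
    if len(boot) < SECTOR:
        return None
    if boot[3:11] == b"NTFS    ":
        # TotalSectors excludes the backup boot sector in the volume's last sector.
        total = struct.unpack_from("<Q", boot, 0x28)[0] + 1
        return (0x07, s, total)
    if boot[0x52:0x57] == b"FAT32" or boot[0x36:0x3B] in (b"FAT12", b"FAT16"):
        # 16-bit TotalSectors at 0x13, or the 32-bit field at 0x20 when that is zero.
        total = struct.unpack_from("<H", boot, 0x13)[0] or struct.unpack_from("<I", boot, 0x20)[0]
        return (0x0C if boot[0x52:0x57] == b"FAT32" else 0x06, s, total)
    sb = image[off + 1024:off + 1024 + 64]          # ext superblock sits 1 KiB in
    if len(sb) == 64 and struct.unpack_from("<H", sb, 0x38)[0] == 0xEF53:
        blocks = struct.unpack_from("<I", sb, 4)[0]
        block_size = 1024 << struct.unpack_from("<I", sb, 24)[0]
        return (0x83, s, blocks * block_size // SECTOR)
    return None


def scan_for_volumes(image) -> list:
    """Walk the image sector by sector and collect plausible volume starts.
    After a hit the scan skips past that volume so structures inside it (the NTFS
    backup boot sector, ext backup superblocks) do not become phantom partitions.
    A corrupt size field therefore hides whatever follows: gpart's guesses need
    the same sanity check against the disk geometry before you trust them."""
    found, s, n = [], 0, len(image) // SECTOR
    while s < n:
        hit = probe_sector(image, s)
        if hit:
            found.append(hit)
            s += max(hit[2], 1)
        else:
            s += 1
    return found


def build_sample_image(damaged_mbr: bool) -> bytes:
    """Constructed 400-sector disk: NTFS at LBA 63 (200 sectors) and ext2 at
    LBA 300 (80 sectors).  With damaged_mbr the whole of sector 0 is zero."""
    img = bytearray(400 * SECTOR)
    ntfs = 63 * SECTOR
    img[ntfs:ntfs + 11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<Q", img, ntfs + 0x28, 200 - 1)
    img[ntfs + 510:ntfs + 512] = b"\x55\xaa"
    img[(63 + 199) * SECTOR:(63 + 200) * SECTOR] = img[ntfs:ntfs + SECTOR]  # backup boot sector
    sb = 300 * SECTOR + 1024                        # ext2: 40 blocks of 1 KiB = 80 sectors
    struct.pack_into("<I", img, sb + 4, 40)
    struct.pack_into("<I", img, sb + 24, 0)
    struct.pack_into("<H", img, sb + 0x38, 0xEF53)
    if not damaged_mbr:
        for i, (ptype, start, count) in enumerate([(0x07, 63, 200), (0x83, 300, 80)]):
            e = 0x1BE + 16 * i
            img[e] = 0x80 if i == 0 else 0x00
            img[e + 4] = ptype
            struct.pack_into("<II", img, e + 8, start, count)
        img[510:512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image(damaged_mbr=True)
    print("MBR says:", parse_mbr(disk) or "nothing usable")
    print("scan finds:", scan_for_volumes(disk))
```

Run against a real image the scan is slow (one probe per sector) and noisy (old boot sectors from previous partitioning survive in unallocated space), which is why gpart cross-checks its guesses against cylinder alignment and reports them rather than writing them back. Always work on a copy of the image, never the evidence disk.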
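The FTimes entry above describes system baselining: snapshot a file tree, snapshot it again later, and report what changed. The following is an added example of that workflow, not FTimes code and not its output format. The tree it baselines is built in a temporary directory, and the "intrusion" applied between the two snapshots (a trojaned binary, a dropped file, a deleted file, a reset timestamp) is constructed for the example.

```python
"""File-system baselining and change detection, the job FTimes does.

Added example for this page; not FTimes code.  The tree is constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root: str) -> dict:
    """Map relative path -> {size, mtime, sha256} for every regular file under root.
    lstat() is used and symlinks are not followed, so a planted link cannot drag
    data from outside the tree into the baseline."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            base[rel] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}
    return base


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots.  'changed' = content hash differs; 'touched' = same
    content but a different mtime, which is what timestamp manipulation or a
    re-copy of an identical file looks like and deserves its own line."""
    changed, touched = [], []
    for path in sorted(set(old) & set(new)):
        if old[path]["sha256"] != new[path]["sha256"]:
            changed.append(path)
        elif old[path]["mtime"] != new[path]["mtime"]:
            touched.append(path)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed,
            "touched": touched}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-snapshot."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        files = {"bin/ls": b"\x7fELF original ls\n",
                 "etc_passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "etc_shadow": b"root:$6$salt$hash:17000:0:99999:7:::\n"}
        for rel, content in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(content)
        before = snapshot(root)

        with open(os.path.join(root, "bin", "ls"), "wb") as f:    # trojaned binary
            f.write(b"\x7fELF ls with a backdoor\n")
        with open(os.path.join(root, "dot_backdoor"), "wb") as f:  # dropped file
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "etc_shadow"))                # deleted file
        os.utime(os.path.join(root, "etc_passwd"), (0, 0))         # mtime reset, bytes untouched
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

The baseline is only worth anything if it is stored off the host it describes and the comparison is run from known-good media, which is exactly the situation the live CDs further down this page are for; a baseline that lives on the compromised box can be edited along with the files it covers.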

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

P2 Enterprise Edition by Paraben
http://www.paraben-forensics.com/enterprise_forensics.html
LiveWire Investigator 2008 by WetStone Technologies
http://www.wetstonetech.com/f/livewire2008.html

Forensics Live CDs

FCCU Gnu/Linux Boot CD
A Live CD built on top of Knoppix with a lot of tools with forensic purpose.
It leaves the target devices unaltered: it neither uses swap partitions found on the devices nor automounts partitions.
Helix
A Live CD built on top of Knoppix with special tools for incident response and electronic discovery.
It is a hybrid CD which also contains a Cygwin environment for use on a running Windows system (without rebooting), including the Sysinternals tools.
SNARL
A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
http://sourceforge.net/projects/snarl/
Knoppix STD
A Live CD built on top of Knoppix.
http://s-t-d.org/
Penguin Sleuthkit
A Linux LiveCD that includes SleuthKit.
http://penguinsleuth.org/
THE FARMER'S BOOT CD
A Linux Live CD, designed and optimized for previewing data in a forensically sound manner. It contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems.
MacQuisition Boot CD
A forensic Live CD built for imaging Macintosh systems.
DEFT Linux
A Live CD built on top of Xubuntu with the best tools for computer forensics and incident response.
It is very easy to use and ships with a large set of device drivers. It was the first live CD to include AFF and dhash.
http://deft.yourside.it
Recovery Is Possible
A Linux Live CD with a number of recovery applications such as TestDisk, PhotoRec etc.
http://www.tux.org/pub/people/kent-robotti/looplinux/rip/
Ubuntu-Rescue-Remix
Ubuntu-Rescue-Remix is a live CD that provides the data recovery expert with an environment equipped with the best free/libre, open source data recovery and forensics tools available. Since many of those libraries and tools are already part of the Ubuntu installer, it makes sense to remix Ubuntu into a lightweight and powerful environment for data recovery. This project was formerly known as Rescubuntu.
http://ubuntu-rescue-remix.org/
Stagos FSE
Stagos FSE aims to be a computer forensic framework based on Ubuntu Linux. It can read various filesystems, including NTFS, as well as EnCase evidence files.
http://stagos.mrp-bpp.net/

Metadata Extraction Tools

antiword
http://www.winfield.demon.nl/
catdoc
http://www.45.free.net/~vitus/software/catdoc/
jhead
http://www.sentex.net/~mwandel/jhead/
Displays or modifies Exif data in JPEG files.
laola
http://user.cs.tu-berlin.de/~schwartz/pmh/index.html
vinetto
http://vinetto.sourceforge.net/
Examines Thumbs.db files.
word2x
http://word2x.sourceforge.net/
wvWare
http://wvware.sourceforge.net/
Extracts metadata from various Microsoft Word files (doc). Can also convert doc files to other formats such as HTML or plain text.
xpdf
http://www.foolabs.com/xpdf/
pdfinfo (part of the xpdf package) displays the document metadata of PDF files (title, author, creator, creation and modification dates, and so on).
Metadata Assistant
http://www.payneconsulting.com/products/metadataent/
hachoir-metadata
part of Hachoir project
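The jhead entry above says it displays Exif data in JPEG files. The following is an added example showing what that involves, not jhead's code: walk the JPEG marker segments to the APP1 "Exif" segment, read the TIFF header inside it, and decode the IFD entries, following the pointer to the Exif sub-IFD. The JPEG it parses is constructed in the script (little-endian TIFF, one IFD0 with Make, Orientation and the sub-IFD pointer, one sub-IFD with DateTimeOriginal) so it runs offline; only a handful of tag numbers are mapped to names, the rest are reported by number.

```python
"""Reading Exif metadata from a JPEG, the kind of data jhead displays.

Added example for this page; not jhead's code.  The JPEG is constructed below.
"""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation",
             0x0132: "DateTime", 0x8769: "ExifIFDPointer", 0x9003: "DateTimeOriginal"}


def find_exif_segment(jpeg: bytes) -> bytes:
    """Walk the marker segments before SOS; return the TIFF blob from the
    APP1 'Exif' segment, or b'' if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:                                   # start of scan: headers are over
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]  # counts the 2 length bytes too
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg[:6] == b"Exif\x00\x00":
            return seg[6:]
        pos += 2 + length
    return b""


def parse_ifd(tiff: bytes, endian: str, offset: int, out: dict, seen: set) -> None:
    """Decode one IFD into out and follow the Exif sub-IFD pointer.  Offsets
    are bounds-checked and each IFD is visited once: a crafted file can point
    outside the segment or make the IFD chain loop, and a parser that trusts
    those fields is the kind of thing metadata tools have been exploited through."""
    if offset in seen or offset + 2 > len(tiff):
        return
    seen.add(offset)
    count = struct.unpack_from(endian + "H", tiff, offset)[0]
    for i in range(count):
        e = offset + 2 + 12 * i
        if e + 12 > len(tiff):
            return
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, e)
        size = TYPE_SIZES.get(typ, 1) * n
        # Values of up to 4 bytes live in the entry itself; larger ones sit at an offset.
        data_off = e + 8 if size <= 4 else struct.unpack_from(endian + "I", tiff, e + 8)[0]
        raw = tiff[data_off:data_off + size]
        if len(raw) != size:
            continue                                          # points past the segment: skip
        if typ == 2:
            value = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            vals = struct.unpack(endian + "%d%s" % (n, "H" if typ == 3 else "I"), raw)
            value = vals[0] if n == 1 else vals
        else:
            value = raw
        out[TAG_NAMES.get(tag, "Tag0x%04X" % tag)] = value
        if tag == 0x8769 and typ == 4 and n == 1:
            parse_ifd(tiff, endian, value, out, seen)


def read_exif(jpeg: bytes) -> dict:
    """Return {tag name: value} for the Exif IFD0 and sub-IFD, or {} without Exif."""
    tiff = find_exif_segment(jpeg)
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return {}
    endian = "<" if tiff[:2] == b"II" else ">"
    if struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
        return {}
    out = {}
    parse_ifd(tiff, endian, struct.unpack_from(endian + "I", tiff, 4)[0], out, set())
    return out


def build_sample_jpeg() -> bytes:
    """Constructed JPEG: SOI, APP1/Exif (IFD0: Make, Orientation, sub-IFD pointer;
    sub-IFD: DateTimeOriginal), then an empty SOS and EOI."""
    def ifd(entries, base):
        table, data = struct.pack("<H", len(entries)), b""
        data_start = base + 2 + 12 * len(entries) + 4
        for tag, typ, n, payload in entries:
            if len(payload) <= 4:
                table += struct.pack("<HHI", tag, typ, n) + payload.ljust(4, b"\x00")
            else:
                table += struct.pack("<HHII", tag, typ, n, data_start + len(data))
                data += payload
        return table + struct.pack("<I", 0) + data              # next-IFD pointer = 0
    make, dto = b"Canon\x00", b"2008:07:18 15:07:00\x00"
    sub_off = 8 + (2 + 12 * 3 + 4) + len(make)                  # IFD0 plus its out-of-line data
    ifd0 = ifd([(0x010F, 2, len(make), make),
                (0x0112, 3, 1, struct.pack("<H", 1)),
                (0x8769, 4, 1, struct.pack("<I", sub_off))], 8)
    sub = ifd([(0x9003, 2, len(dto), dto)], sub_off)
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + sub
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")


if __name__ == "__main__":
    for name, value in read_exif(build_sample_jpeg()).items():
        print("%-18s %r" % (name, value))
```

Two points worth taking from this even when you use jhead or exiftool in practice: every offset in an IFD is attacker-controlled input, and Exif timestamps are plain ASCII written by whatever produced the file, so they corroborate filesystem timestamps but prove nothing on their own.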

Personal Digital Device Tools

PDA Forensics

Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell Phone Forensics

BitPIM
DataPilot Secure View
GSM .XRY
Fernico ZRT
ForensicMobile
LogiCube CellDEK
MOBILedit!
Oxygen PM II
Paraben's Device Seizure and Paraben's Device Seizure Toolbox
http://www.paraben-forensics.com/handheld_forensics.html
Serial Port Monitoring
TULP2G

SIM Card Forensics

ForensicSIM
Paraben's SIM Card Seizure
http://www.paraben-forensics.com/handheld_forensics.html
SIMCon

Preservation Tools

Paraben StrongHold Bag
Paraben StrongHold Tent

Other Tools

VMware Player
http://www.vmware.com/products/player/
http://en.wikipedia.org/wiki/VMware#VMware_Workstation
A free player for VMware virtual machines that allows them to be run on either Windows or Linux hosts.
VMware Server
http://www.vmware.com/products/server/
The free server product for setting up, configuring and running VMware virtual machines. The important difference is that it can run headless, i.e. entirely in the background.
Computer Forensics Toolkit
http://computer-forensics.privacyresources.org
This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
Webtracer
http://www.forensictracer.com
Software for forensic analysis of internet resources (IP addresses, e-mail addresses, domain names, URLs, e-mail headers, log files, ...).
Live View
http://liveview.sourceforge.net/
Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
Parallels VM
http://www.parallels.com/
http://en.wikipedia.org/wiki/Parallels_Workstation
Microsoft Virtual PC
http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
http://en.wikipedia.org/wiki/Virtual_PC
The Onion Router (TOR)
http://tor.eff.org/
http://en.wikipedia.org/wiki/Tor_(anonymity_network)
Network anonymizer designed to make traffic analysis difficult.

Hex Editors

biew
http://biew.sourceforge.net/en/biew.html
hexdump
...
HexFiend
A hex editor for Apple OS X.
http://ridiculousfish.com/hexfiend/
Hex Workshop
A hex editor from BreakPoint Software, Inc.
http://www.bpsoft.com
khexedit
http://docs.kde.org/stable/en/kdeutils/khexedit/index.html
WinHex
Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
http://www.x-ways.net/winhex
xxd
...

Telephone Scanners/War Dialers

PhoneSweep
http://www.sandstorm.net/products/phonesweep/
PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.