Revision as of 04:07, 22 September 2012 by Tmyroadctfig ('fbi' is now called Nuix Desktop, add proof finder)
This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.
Note: This page has gotten too big and is being broken up. See:
- Category:Disk Imaging
- Tools:Data Recovery (including file carving)
- Tools:File Analysis
- Tools:Document Metadata Extraction
- Tools:Memory Imaging
- Tools:Memory Analysis
- Tools:Network Forensics
- Tools:Logfile Analysis
- Category:Anti-forensics tools
- Category:Secure deletion
- 1 Disk Analysis Tools
- 2 Enterprise Tools (Proactive Forensics)
- 3 Forensics Live CDs
- 4 Personal Digital Device Tools
- 5 Other Tools
- 6 Telephone Scanners/War Dialers
Disk Analysis Tools
Hard Drive Firmware and Diagnostics Tools
- PC-3000 from DeepSpar Data Recovery Systems
- Macintosh Forensic Software by BlackBag Technologies, Inc.
- Belkasoft Evidence Center by Belkasoft
- This product makes it easy for an investigator to search, analyze and store digital evidence found in Instant Messenger histories, Internet Browser histories and Outlook mailboxes.
- CD/DVD Inspector by InfinaDyne
- This is the only forensic-qualified tool for examinination of optical media. It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide.
- EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
- ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
- P2 Power Pack by Paraben
- DateDecoder by Live-Forensics
- A command line tool that decodes most encoded time/date stamps found on a windows system, and outputs the time/date in a human readable format.
- RecycleReader by Live-Forensics
- A command line tool that outputs the contents of the recycle bin on XP, Vista and 7.
- Dstrings by Live-Forensics
- A command line tool that searches for strings in a given file. It has the ability to compare the output of those strings against a dictionary to either exclude the dictionary terms in the output or only output files that match the dictionary. It also has the ability to search for IP Addresses and URLs/Email Addresses.
- Unique by Live-Forensics
- A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options.
- HashUtil by Live-Forensics
- HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes. It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases.
- WindowsSCOPE Pro, Ultimate, Live
- Comprehensive Windows Memory Forensics and Cyber Analysis, Incident Response, and Education support.
- Software and hardware based acquisition with CaptureGUARD PCIe and ExpressCard
- Hardware based acquisition of memory on a locked computer via CaptureGUARD Gateway
- WindowsSCOPE Live provides memory analysis of Windows computers on a network from Android phones and tablets.
Open Source Tools
- A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
- Bulk Extractor
- Bulk Extractor provides digital media triage by extracting Features from digital media.
- Bulk Extractor Viewer
- Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using Bulk Extractor.
- Digital Forensics Framework (DFF)
- DFF is cross-platform and open-source, user and developers oriented. It provide many features and is very modular. Our goal is to provide a powerful framework to the forensic community, so people can use only one tool during the analysis. http://www.digital-forensic.org
- FTimes is a system baselining and evidence collection tool.
- Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
- A generic framework for binary file manipulation, it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).
- Web-based, database-backed forensic and log analysis GUI written in Python.
- Linux and Windows file carving program originally based on foremost.
NDA and scoped distribution tools
Enterprise Tools (Proactive Forensics)
Forensics Live CDs
See: Forensics Live CDs
Personal Digital Device Tools
Cell Phone Forensics
- Cellebrite UFED
- DataPilot Secure View
- Fernico ZRT
- LogiCube CellDEK
- Oxygen Forensic Suite 2010
- Paraben's Device Seizure and Paraben's Device Seizure Toolbox
- Serial Port Monitoring
SIM Card Forensics
- Cellebrite UFED
- Paraben's SIM Card Seizure
- Chat Sniper
- A forensic software tool designed to simplify the process of on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live), or Yahoo instant messenger.
- Computer Forensics Toolkit
- This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
- Live View
- Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
- Microsoft Virtual PC
- VMware Player
- A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.
- VMware Server
- The free server product, for setting up/configuring/running VMware virtual machine.Important difference being that it can run 'headless', i.e. everything in background.
- Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
- KDE's new cross-platform hex editor with features such as signature-matching
- Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
- Live-Forensics software that reads windows files at specified offset and length and outputs results to the console.
Telephone Scanners/War Dialers
- PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.