Difference between pages "Tools" and "Compression"

From ForensicsWiki
'''Page: Tools'''

This is an '''overview of available tools''' for forensic [[investigator]]s. Please click on the name of any tool for more details.

'''Note: This page has gotten too big and is being broken up. See:'''

* [[:Category:Disk Imaging]]
* [[Tools:Data Recovery]] (including file [[carving]])
* [[Tools:File Analysis]]
* [[Tools:Document Metadata Extraction]]
* [[Tools:Memory Imaging]]
* [[Tools:Memory Analysis]]
* [[Tools:Network Forensics]]
* [[Tools:Logfile Analysis]]
* [[:Category:Anti-forensics tools]]
* [[:Category:Secure deletion]]

= Disk Analysis Tools =

== Hard Drive Firmware and Diagnostics Tools ==

; [[PC-3000]] from [[DeepSpar Data Recovery Systems]]
: http://www.deepspar.com/products-pc-3000-drive.html
: http://www.pc-3000.com/

== Linux-based Tools ==

; [[LINReS]] by [[NII Consulting Pvt. Ltd.]]
: http://www.niiconsulting.com/innovation/linres.html

; [[SMART]] by [[ASR Data]]
: http://www.asrdata.com

; [[Second Look: Linux Memory Forensics]] by [[Pikewerks Corporation]]
: http://secondlookforensics.com/

== Macintosh-based Tools ==

; [[Macintosh Forensic Software]] by [[BlackBag Technologies, Inc.]]
: http://www.blackbagtech.com/software_mfs.html

; [[MacForensicsLab]] by [[Subrosasoft]]
: [http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114 MacForensicLab-Subrosasoft]

; [[Mac Marshal]] by [[ATC-NY]]
: http://www.macmarshal.com/

== Windows-based Tools ==

; [[Blackthorn GPS Forensics]]
: http://www.blackthorngps.com

; [[BringBack]] by [[Tech Assist, Inc.]]
: http://www.toolsthatwork.com/bringback.htm

; Belkasoft Evidence Center by [[Belkasoft]]
: http://www.belkasoft.com
: This product makes it easy for an investigator to search, analyze and store digital evidence found in Instant Messenger histories, Internet Browser histories and Outlook mailboxes.

; [[CD/DVD Inspector]] by [[InfinaDyne]]
: http://www.infinadyne.com/cddvd_inspector.html
: This is the only forensic-qualified tool for examination of optical media. It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide.

; [[EMail Detective - Forensic Software Tool]] by [[Hot Pepper Technology, Inc]]
: http://www.hotpepperinc.com/emd

; [[EnCase]] by [[Guidance Software]]
: http://www.guidancesoftware.com/

; Facebook Forensic Toolkit (FFT) by [http://www.forensicswiki.org/wiki/Afentis_forensics Afentis Forensics]
: http://www.facebookforensics.com
: eDiscovery toolkit to identify and clone full profiles, including wall posts, private messages, uploaded photos/tags and group details; it graphically illustrates friend links and generates expert reports.

; [[Forensic Toolkit]] ([[FTK]]) by [[AccessData]]
: http://www.accessdata.com/products/ftk/

; [[HBGary Responder Professional]] - Windows Physical Memory Forensic Platform
: http://www.hbgary.com

; [[ILook Investigator]] by [[Elliot Spencer]] and [[Internal Revenue Service|U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation]] (IRS)
: http://www.ilook-forensics.org/

; [[Mercury Indexer]] by [[MicroForensics, Inc.]]
: http://www.MicroForensics.com/

; [[Nuix Desktop]] by [[Nuix Pty Ltd]]
: http://www.nuix.com

; [[OnLineDFS]] by [[Cyber Security Technologies]]
: http://www.cyberstc.com/

; [[OSForensics]] by [[PassMark Software Pty Ltd]]
: http://www.osforensics.com/

; [[P2 Power Pack]] by [[Paraben]]
: https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187

; [[Prodiscover]] by [[Techpathways]]
: http://www.techpathways.com/ProDiscoverWindows.htm

; [[Proof Finder]] by [[Nuix Pty Ltd]]
: http://www.prooffinder.com/

; [[Safeback]] by [[NTI]] and [[Armor Forensics]]
: http://www.forensics-intl.com/safeback.html

; [[X-Ways Forensics]] by [[X-Ways AG]]
: http://www.x-ways.net/forensics/index-m.html

; [[DateDecoder]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/DateDecoder.zip
: A command line tool that decodes most encoded time/date stamps found on a Windows system and outputs the time/date in a human-readable format.

; [[RecycleReader]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/RecycleReader.zip
: A command line tool that outputs the contents of the recycle bin on XP, Vista and 7.

; [[Dstrings]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/Dstrings.zip
: A command line tool that searches for strings in a given file. It can compare the strings it finds against a dictionary, either to exclude the dictionary terms from the output or to output only files that match the dictionary. It can also search for IP addresses and URLs/email addresses.

; [[Unique]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/Unique.zip
: A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options.

; [[HashUtil]] by [[Live-Forensics]]
: http://www.live-forensics.com/dl/HashUtil.zip
: HashUtil.exe calculates MD5, SHA1, SHA256 and SHA512 hashes. It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases.

; [http://www.windowsscope.com WindowsSCOPE Pro, Ultimate, Live]
: Comprehensive Windows Memory Forensics and Cyber Analysis, Incident Response, and Education support.
: Software- and hardware-based acquisition with [http://www.windowsscope.com/index.php?option=com_virtuemart&Itemid=34 CaptureGUARD PCIe and ExpressCard]
: Hardware-based acquisition of memory on a locked computer via [http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=30&category_id=1&option=com_virtuemart&Itemid=34 CaptureGUARD Gateway]
: [http://www.windowsscope.com WindowsSCOPE] Live provides memory analysis of Windows computers on a network from Android phones and tablets.

== Open Source Tools ==

; [[AFFLIB]]
: A library for working with [[disk image]]s. Currently AFFLIB supports raw, [[AFF]], [[AFD]], and [[EnCase]] file formats. Work to support segmented raw, [[iLook]], and other formats is ongoing.

; [[Autopsy]]
: http://www.sleuthkit.org/autopsy/desc.php

; [[Bulk Extractor]]
: https://github.com/simsong/bulk_extractor/wiki
: Bulk Extractor provides digital media triage by extracting Features from digital media.

; [[Bulk Extractor Viewer]]
: https://github.com/simsong/bulk_extractor/wiki/BEViewer
: Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using [[Bulk Extractor]].

; [[Digital Forensics Framework]] (DFF)
: DFF is a cross-platform, open-source framework aimed at both users and developers. It provides many features and is very modular. The project's goal is to provide a powerful framework to the forensic community, so that people can use only one tool during the analysis. http://www.digital-forensic.org

; [[foremost]]
: http://foremost.sf.net/
: [[Linux]]-based file carving program

; [[FTimes]]
: http://ftimes.sourceforge.net/FTimes/index.shtml
: FTimes is a system baselining and evidence collection tool.

; [[gfzip]]
: http://www.nongnu.org/gfzip/

; [[gpart]]
: http://www.stud.uni-hannover.de/user/76201/gpart/
: Tries to ''guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted''.

; [[Hachoir]]
: A generic framework for binary file manipulation; it supports [[FAT12]], [[FAT16]], [[FAT32]], [[ext2|ext2/ext3]], Linux swap, the MSDOS partition header, etc. It recognizes file types and is able to find subfiles (hachoir-subfile).

; [[magicrescue]]
: http://jbj.rapanden.dk/magicrescue/

; The [[Open Computer Forensics Architecture]]
: http://ocfa.sourceforge.net/

; [[pyflag]]
: http://code.google.com/p/pyflag/
: Web-based, database-backed forensic and log analysis GUI written in Python.

; [[Scalpel]]
: http://www.digitalforensicssolutions.com/Scalpel/
: [[Linux]] and [[Windows]] file carving program originally based on [[foremost]].

; [[scrounge-ntfs]]
: http://memberwebs.com/nielsen/software/scrounge/

; [[Sleuthkit]]
: http://www.sleuthkit.org/

; [[The Coroner's Toolkit]] ([[TCT]])
: http://www.porcupine.org/forensics/tct.html

== [[NDA]] and [[scoped distribution]] tools ==

= Enterprise Tools (Proactive Forensics) =

; [[LiveWire Investigator 2008]] by [[WetStone Technologies]]
: http://www.wetstonetech.com/f/livewire2008.html

; [[P2 Enterprise Edition]] by [[Paraben]]
: http://www.paraben-forensics.com/enterprise_forensics.html

= Forensics Live CDs =

; [[Kali Linux]]
: [http://www.kali.org/ http://www.kali.org/]

; [[KNOPPIX]]
: [http://www.knopper.net/knoppix/index-en.html http://www.knopper.net/knoppix/index-en.html]

; [[BackTrack Linux]]
: [http://www.backtrack-linux.org/ http://www.backtrack-linux.org/]

See: [[:Category:Live CD|Forensics Live CDs]]

= Personal Digital Device Tools =

== GPS Forensics ==

; [[Blackthorn GPS Forensics]]
; [[.XRY]]

== PDA Forensics ==

; [[Cellebrite UFED]]
; [[.XRY]]
; [[Paraben PDA Seizure]]
; [[Paraben PDA Seizure Toolbox]]
; [[PDD]]

== Cell Phone Forensics ==

; [[BitPIM]]
; [[Cellebrite UFED]]
; [[DataPilot Secure View]]
; [[.XRY]]
: http://www.msab.com/index
; [[Fernico ZRT]]
; [[ForensicMobile]]
; [[LogiCube CellDEK]]
; [[MOBILedit!]]
; [[Oxygen Forensic Suite 2010]]
: http://www.oxygen-forensic.com
; [[Paraben's Device Seizure]] and [[Paraben's Device Seizure Toolbox]]
: http://www.paraben-forensics.com/handheld_forensics.html
; [[Serial Port Monitoring]]
; [[TULP2G]]

== SIM Card Forensics ==

; [[Cellebrite UFED]]
; [[.XRY]]
; [[ForensicSIM]]
; [[Paraben's SIM Card Seizure]]
: http://www.paraben-forensics.com/handheld_forensics.html
; [[SIMCon]]

== Preservation Tools ==

; [[Paraben StrongHold Bag]]
; [[Paraben StrongHold Tent]]

= Other Tools =

; Chat Sniper
: http://www.alexbarnett.com/chatsniper.htm
: A forensic software tool designed to simplify the process of on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live), or Yahoo instant messenger.

; Computer Forensics Toolkit
: http://computer-forensics.privacyresources.org
: This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.

; Live View
: http://liveview.sourceforge.net/
: Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine]] out of a dd disk image or physical disk.

; Parallels VM
: http://www.parallels.com/
: http://en.wikipedia.org/wiki/Parallels_Workstation

; Microsoft Virtual PC
: http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
: http://en.wikipedia.org/wiki/Virtual_PC

; [[VMware]] Player
: http://www.vmware.com/products/player/
: http://en.wikipedia.org/wiki/VMware#VMware_Workstation
: A free player for [[VMware]] [[virtual machine]]s that will allow them to "play" on either [[Windows]] or [[Linux]]-based systems.

; [[VMware]] Server
: http://www.vmware.com/products/server/
: The free server product for setting up, configuring and running [[VMware]] [[virtual machine]]s. The important difference is that it can run 'headless', i.e. entirely in the background.

; Webtracer
: http://www.forensictracer.com
: Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)

== Hex Editors ==

; [[biew]]
: http://biew.sourceforge.net/en/biew.html

; [[Okteta]]
: KDE's new cross-platform hex editor with features such as signature-matching
: http://utils.kde.org/projects/okteta/

; [[hexdump]]
: ...

; [[HexFiend]]
: A hex editor for Apple OS X
: http://ridiculousfish.com/hexfiend/

; [[Hex Workshop]]
: A hex editor from [[BreakPoint Software, Inc.]]
: http://www.bpsoft.com

; [[khexedit]]
: http://docs.kde.org/stable/en/kdeutils/khexedit/index.html

; [[WinHex]]
: Computer forensics software, data recovery software, hex editor, and disk editor from [[X-Ways]].
: http://www.x-ways.net/winhex

; [[wxHexEditor]]
: A multi-OS, open-source hex and disk editor.
: http://www.wxhexeditor.org

; [[xxd]]
: ...

; [[HexReader]]
: [[Live-Forensics]] software that reads Windows files at a specified offset and length and outputs the results to the console.
: http://www.live-forensics.com/dl/HexReader.zip

= Telephone Scanners/War Dialers =

; PhoneSweep
: http://www.sandstorm.net/products/phonesweep/
: PhoneSweep is a commercial-grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.

'''Page: Compression'''

{{Expand}}

== LZ-based ==

=== Deflate/Inflate ===

Used in:
* [[Gzip|gzip]]

=== LZNT1 ===

Used in:
* [[NTFS]]
* [[Windows SuperFetch Format]]

=== LZXPRESS ===

Used in:
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]

=== LZXPRESS Huffman ===

Used in:
* [[Windows SuperFetch Format]]

== External Links ==

* [http://en.wikipedia.org/wiki/Lempel-Ziv Wikipedia: Lempel-Ziv]
* [http://www.coderforlife.com/microsoft-compression-formats/ Microsoft Compression Formats]

=== Deflate/Inflate ===

* [http://en.wikipedia.org/wiki/DEFLATE Wikipedia: DEFLATE]
* [https://tools.ietf.org/html/rfc1950 IETF: RFC1950 - ZLIB Compressed Data Format Specification]
* [https://tools.ietf.org/html/rfc1951 IETF: RFC1951 - DEFLATE Compressed Data Format Specification]

=== LZ1 ===

* [http://andyh.org/LZ1.html LZ1]

Revision as of 08:56, 21 June 2014
