Incident Response

From ForensicsWiki

{{Expand}}

Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.

== Tool Categories ==

Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather useful and/or volatile data. The tools are self-contained, discrete, and do not create a large footprint on the victim system. A small footprint is still not zero: running any program on a live system changes it (process list, memory contents, prefetch and log entries), so the responder should record exactly what was run, and when.

Standalone tools have been combined to create '''Script Based Tools'''. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. Their strength is that they automate the incident response process and give the examiner a standard, repeatable procedure that can be defended in court; they also do not require the first responder to be an expert with each individual tool. Their weakness is that they can be inflexible: once the order of the tools is set, it can be difficult to change. Some script based tools allow the user to pick and choose which standalone tools will be used in a given examination.

The final category of tools are '''Agent Based Tools'''. These tools require the examiner to install a program on the victim which then reports back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.

== See Also ==

* Obsolete: [[List of Script Based Incident Response Tools]]

== External Links ==

* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders], by [[Jesse Kornblum]], DFRWS 2002
* [https://labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf Journey to the Centre of the Breach], by Ben Downton, June 2, 2010
* [http://blog.handlerdiaries.com/?p=325 Keeping Focus During an Incident], by jackcr, January 17, 2014

=== Emergency Response ===

* [http://www.mdchhs.com/sites/default/files/JEM-9-5-02-CHHS.pdf Addressing emergency response provider fatigue in emergency response preparedness, management, policy making, and research], Clark J. Lee, JD, September 2011

=== Kill Chain ===

* [http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains], by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, March 2011
* [http://www.emc.com/collateral/hardware/solution-overview/h11154-stalking-the-kill-chain-so.pdf Stalking the kill chain], by RSA
* [http://blog.cassidiancybersecurity.com/post/2014/04/APT-Kill-chain-Part-1-%3A-Definition-Reconnaissance-phase APT Kill chain - Part 1 : Definition], by Cedric Pernet, April 28, 2014
* [http://blog.cassidiancybersecurity.com/post/2014/04/APT-Kill-chain-Part-2-%3A-Global-view APT Kill chain - Part 2 : Global view], by Cedric Pernet, May 7, 2014
* [http://blog.cassidiancybersecurity.com/post/2014/05/APT-Kill-chain-Part-3-%3A-Reconnaissance APT Kill chain - Part 3: Reconnaissance], by Cedric Pernet, May 23, 2014

=== Incident Lifecycle ===

* [http://www.itsmsolutions.com/newsletters/DITYvol5iss7.htm Expanding the Expanded Incident Lifecycle], by Janet Kuhn, February 18, 2009
* [https://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/workflows/incident-lifecycle Incident lifecycle], by [[ENISA]]

=== Intrusion Analysis ===

* [http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf The Diamond Model of Intrusion Analysis], by Sergio Caltagirone, Andrew Pendergast, Christopher Betz

=== Product related ===

* [http://middleware.internet2.edu/idtrust/2009/papers/05-khurana-palantir.pdf Palantir: A Framework for Collaborative Incident Response and Investigation], Himanshu Khurana, Jim Basney, Mehedi Bakht, Mike Freemon, Von Welch, Randy Butler, April 2009

== Tools ==

=== Individual Tools ===

* [http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]

=== Script Based Tools ===

* [[First Responder's Evidence Disk|First Responder's Evidence Disk (FRED)]]
* [[COFEE|Microsoft COFEE]]
* [[Windows Forensic Toolchest|Windows Forensic Toolchest (WFT)]]
* [[Regimented Potential Incident Examination Report|RAPIER]]
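The script-based approach described above, as an added example for this page: it is not code from FRED, COFEE, WFT or RAPIER, and the collector names and commands are illustrative choices. It runs a fixed, ordered set of standalone commands, writes each tool's output to a case directory, and records a manifest with a UTC start time, exit status and SHA-256 digest per artifact, which is what lets the examiner show later what was collected, in what order, and that nothing changed afterwards. A subset of collectors can be selected without changing their order, the pick-and-choose mode mentioned above.

```python
"""Script-based volatile data collector (added example; not a ForensicsWiki tool).

Runs a fixed, ordered list of standalone commands, captures each one's output
into a case directory, and writes a manifest with a UTC start time, exit status
and SHA-256 digest per artifact. The collector names and commands below are
illustrative choices for this example.
"""
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Fixed collection order: most volatile data first (the RFC 3227 ordering).
COLLECTORS = [
    ("system_time", ["date", "-u"]),
    ("system_info", ["uname", "-a"]),
    ("current_user", ["id"]),
    ("processes", ["ps", "-ef"]),
    ("network_sockets", ["ss", "-tunap"]),
    ("routing_table", ["netstat", "-rn"]),
    ("mounts", ["mount"]),
]


def sha256_file(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_collector(argv, out_path):
    """Run one standalone tool with stdout and stderr captured to out_path.

    A tool that is missing on the victim is recorded (exit status 127 and a
    note in the artifact) instead of aborting the whole collection."""
    try:
        with open(out_path, "wb") as f:
            return subprocess.run(argv, stdout=f, stderr=subprocess.STDOUT).returncode
    except FileNotFoundError:
        Path(out_path).write_text(f"{argv[0]}: tool not found on this system\n")
        return 127


def collect(case_dir, selected=None, collectors=COLLECTORS):
    """Run the collectors in their fixed order and return the manifest entries.

    `selected` (a set of names) restricts the run to a subset without changing
    the order: the pick-and-choose mode some script-based tools offer."""
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for name, argv in collectors:
        if selected is not None and name not in selected:
            continue
        out_path = case_dir / f"{name}.txt"
        started = datetime.now(timezone.utc).isoformat(timespec="seconds")
        rc = run_collector(argv, out_path)
        entries.append({
            "started": started,
            "name": name,
            "command": " ".join(argv),
            "returncode": rc,
            "sha256": sha256_file(out_path),
        })
    manifest = case_dir / "manifest.json"
    manifest.write_text(json.dumps(entries, indent=1))
    # Digest of the manifest itself; copy it into the responder's notes so a
    # later edit to the manifest is detectable too.
    (case_dir / "manifest.sha256").write_text(sha256_file(manifest) + "\n")
    return entries


def verify(case_dir):
    """Recompute every artifact digest; return the names that no longer match
    the manifest (an empty list means the collection is intact)."""
    case_dir = Path(case_dir)
    entries = json.loads((case_dir / "manifest.json").read_text())
    return [e["name"] for e in entries
            if sha256_file(case_dir / f"{e['name']}.txt") != e["sha256"]]


if __name__ == "__main__":
    # usage: collector.py <case_dir> [collector_name ...]
    wanted = set(sys.argv[2:]) or None
    for e in collect(sys.argv[1], wanted):
        print(f"{e['started']}  {e['name']:<16} rc={e['returncode']:<3} sha256={e['sha256'][:16]}...")
```

Point the case directory at removable media or a network share rather than the victim's own disk, so the collection does not overwrite unallocated space that may later need to be carved. The order of `COLLECTORS` is the order of volatility, and changing it means changing the script, which is exactly the inflexibility the text describes.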

=== Agent Based Tools ===

* [[GRR]]
* [[First Response|Mandiant First Response]]

== Books ==

There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.

[[Category:Incident Response]]

Tools

From ForensicsWiki

Revision as of 16:22, 26 May 2014

This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

Category:Disk Imaging
Tools:Data Recovery (including file carving)
Tools:File Analysis
Tools:Document Metadata Extraction
Tools:Memory Imaging
Tools:Memory Analysis
Tools:Network Forensics
Tools:Logfile Analysis
Category:Anti-forensics tools
Category:Secure deletion

Disk Analysis Tools

Hard Drive Firmware and Diagnostics Tools

PC-3000 from DeepSpar Data Recovery Systems
http://www.deepspar.com/products-pc-3000-drive.html
http://www.pc-3000.com/

Linux-based Tools

LINReS by NII Consulting Pvt. Ltd.
http://www.niiconsulting.com/innovation/linres.html
SMART by ASR Data
http://www.asrdata.com
Second Look: Linux Memory Forensics by Pikewerks Corporation
http://secondlookforensics.com/

Macintosh-based Tools

Macintosh Forensic Software by BlackBag Technologies, Inc.
http://www.blackbagtech.com/software_mfs.html
MacForensicsLab by Subrosasoft
http://www.subrosasoft.com/OSXSoftware/index.php?main_page=product_info&cPath=39&products_id=114
Mac Marshal by ATC-NY
http://www.macmarshal.com/

Windows-based Tools

Blackthorn GPS Forensics
http://www.blackthorngps.com
BringBack by Tech Assist, Inc.
http://www.toolsthatwork.com/bringback.htm
Belkasoft Evidence Center by Belkasoft
http://www.belkasoft.com
This product makes it easy for an investigator to search, analyze and store digital evidence found in Instant Messenger histories, Internet Browser histories and Outlook mailboxes.
CD/DVD Inspector by InfinaDyne
http://www.infinadyne.com/cddvd_inspector.html
This is the only forensic-qualified tool for examination of optical media. It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide.
EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
http://www.hotpepperinc.com/emd
EnCase by Guidance Software
http://www.guidancesoftware.com/
Facebook Forensic Toolkit (FFT) by Afentis_forensics
http://www.facebookforensics.com
eDiscovery toolkit to identify and clone full profiles; including wall posts, private messages, uploaded photos/tags, group details, graphically illustrate friend links, and generate expert reports.
Forensic Toolkit (FTK) by AccessData
http://www.accessdata.com/products/ftk/
HBGary Responder Professional - Windows Physical Memory Forensic Platform
http://www.hbgary.com
ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
http://www.ilook-forensics.org/
Mercury Indexer by MicroForensics, Inc.
http://www.MicroForensics.com/
Nuix Desktop by Nuix Pty Ltd
http://www.nuix.com
OnLineDFS by Cyber Security Technologies
http://www.cyberstc.com/
OSForensics by PassMark Software Pty Ltd
http://www.osforensics.com/
P2 Power Pack by Paraben
https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187
Prodiscover by Techpathways
http://www.techpathways.com/ProDiscoverWindows.htm
Proof Finder by Nuix Pty Ltd
http://www.prooffinder.com/
Safeback by NTI and Armor Forensics
http://www.forensics-intl.com/safeback.html
X-Ways Forensics by X-Ways AG
http://www.x-ways.net/forensics/index-m.html
DateDecoder by Live-Forensics
http://www.live-forensics.com/dl/DateDecoder.zip
A command line tool that decodes most encoded time/date stamps found on a windows system, and outputs the time/date in a human readable format.
RecycleReader by Live-Forensics
http://www.live-forensics.com/dl/RecycleReader.zip
A command line tool that outputs the contents of the recycle bin on XP, Vista and 7.
Dstrings by Live-Forensics
http://www.live-forensics.com/dl/Dstrings.zip
A command line tool that searches for strings in a given file. It has the ability to compare the output of those strings against a dictionary to either exclude the dictionary terms in the output or only output files that match the dictionary. It also has the ability to search for IP Addresses and URLs/Email Addresses.
Unique by Live-Forensics
http://www.live-forensics.com/dl/Unique.zip
A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options.
HashUtil by Live-Forensics
http://www.live-forensics.com/dl/HashUtil.zip
HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes. It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases.
WindowsSCOPE Pro, Ultimate, Live
http://www.windowsscope.com
Comprehensive Windows Memory Forensics and Cyber Analysis, Incident Response, and Education support.
Software and hardware based acquisition with CaptureGUARD PCIe and ExpressCard
http://www.windowsscope.com/index.php?option=com_virtuemart&Itemid=34
Hardware based acquisition of memory on a locked computer via CaptureGUARD Gateway
http://www.windowsscope.com/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=30&category_id=1&option=com_virtuemart&Itemid=34
WindowsSCOPE Live provides memory analysis of Windows computers on a network from Android phones and tablets.

Open Source Tools

AFFLIB
A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
Autopsy
http://www.sleuthkit.org/autopsy/desc.php
Bulk Extractor
https://github.com/simsong/bulk_extractor/wiki
Bulk Extractor provides digital media triage by extracting Features from digital media.
Bulk Extractor Viewer
https://github.com/simsong/bulk_extractor/wiki/BEViewer
Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using Bulk Extractor.
Digital Forensics Framework (DFF)
http://www.digital-forensic.org
DFF is cross-platform and open-source, user and developer oriented. It provides many features and is very modular. Our goal is to provide a powerful framework to the forensic community, so people can use only one tool during the analysis.
foremost
http://foremost.sf.net/
Linux based file carving program
FTimes
http://ftimes.sourceforge.net/FTimes/index.shtml
FTimes is a system baselining and evidence collection tool.
gfzip
http://www.nongnu.org/gfzip/
gpart
http://www.stud.uni-hannover.de/user/76201/gpart/
Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
Hachoir
A generic framework for binary file manipulation, it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).
magicrescue
http://jbj.rapanden.dk/magicrescue/
The Open Computer Forensics Architecture
http://ocfa.sourceforge.net/
pyflag
http://code.google.com/p/pyflag/
Web-based, database-backed forensic and log analysis GUI written in Python.
Scalpel
http://www.digitalforensicssolutions.com/Scalpel/
Linux and Windows file carving program originally based on foremost.
scrounge-ntfs
http://memberwebs.com/nielsen/software/scrounge/
Sleuthkit
http://www.sleuthkit.org/
The Coroner's Toolkit (TCT)
http://www.porcupine.org/forensics/tct.html
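foremost, Scalpel and magicrescue in the list above are header/footer carvers: they scan a raw image for known file headers and cut out everything from the header to the matching footer, or up to a configured maximum size when no footer turns up. The following is an added example of that technique in Python; it is not code from any of those projects, and the signature table, the reverse-search flag and the sample image are constructed for this example (real carvers read a much larger signature table from a configuration file).

```python
"""Header/footer file carver (added example; not code from foremost, Scalpel
or magicrescue).

Scans a raw image for known file headers and carves from each header to the
matching footer, or to a per-type maximum size when no footer appears in that
window. The signature table and sample image are constructed for this example.
"""
import os
import re
import sys

# (name, header, footer, max_size, reverse)
# reverse=True takes the last footer inside the window instead of the first:
# a PDF with incremental updates contains several %%EOF markers, and stopping
# at the first one would truncate the file.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2_000_000, False),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 2_000_000, False),
    ("pdf", b"%PDF-", b"%%EOF", 5_000_000, True),
]


def carve(data, signatures=SIGNATURES, min_size=8):
    """Return (type, offset, bytes) for every object found, sorted by offset.

    Every header occurrence is a candidate, so a thumbnail embedded inside a
    larger JPEG is carved twice (as part of the outer file and on its own).
    That is the normal behaviour of plain header/footer carving; reconciling
    such duplicates is left to the examiner."""
    found = []
    for name, header, footer, max_size, reverse in signatures:
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            window_end = min(len(data), start + max_size)
            search_from = start + len(header)
            if reverse:
                f = data.rfind(footer, search_from, window_end)
            else:
                f = data.find(footer, search_from, window_end)
            # No footer in the window: carve max_size bytes (or to end of image).
            end = f + len(footer) if f != -1 else window_end
            if end - start >= min_size:
                found.append((name, start, data[start:end]))
    found.sort(key=lambda obj: obj[1])
    return found


def build_sample_image():
    """Constructed image: filler that matches no signature, with a JPEG, a PNG
    and a PDF (two %%EOF markers) embedded at known offsets."""
    filler = bytes(range(256)) * 8                                    # 2048 bytes
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"                # 46 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xae\x42\x60\x82"  # 46 bytes
    pdf = b"%PDF-1.4\n" + b"%%EOF\n" + b"x" * 20 + b"%%EOF"            # 40 bytes
    return filler + jpg + filler + png + filler + pdf + filler


def write_carved(objects, out_dir):
    """Write each carved object as <offset>.<type> under out_dir (carvers
    commonly name output by offset) and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for name, offset, blob in objects:
        p = os.path.join(out_dir, f"{offset:012d}.{name}")
        with open(p, "wb") as fh:
            fh.write(blob)
        paths.append(p)
    return paths


if __name__ == "__main__":
    # usage: carver.py [image]   (no argument: carve the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for name, offset, blob in carve(data):
        print(f"{name}\toffset={offset}\tsize={len(blob)}")
```

The example reads the whole image into memory; a production carver streams the image in blocks and keeps a window across block boundaries so headers and footers that straddle a boundary are not missed. Carved output is only as trustworthy as the signature: a JPEG footer found inside unrelated data produces a truncated or padded file, so carved objects should be validated (opened, parsed) before being relied on.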

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

LiveWire Investigator 2008 by WetStone Technologies
http://www.wetstonetech.com/f/livewire2008.html
P2 Enterprise Edition by Paraben
http://www.paraben-forensics.com/enterprise_forensics.html

Forensics Live CDs

Kali Linux
http://www.kali.org/
KNOPPIX
http://www.knopper.net/knoppix/index-en.html
BackTrack Linux
http://www.backtrack-linux.org/

See: Forensics Live CDs

Personal Digital Device Tools

GPS Forensics

Blackthorn GPS Forensics
.XRY

PDA Forensics

Cellebrite UFED
.XRY
Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell Phone Forensics

BitPIM
Cellebrite UFED
DataPilot Secure View
.XRY
http://www.msab.com/index
Fernico ZRT
ForensicMobile
LogiCube CellDEK
MOBILedit!
Oxygen Forensic Suite 2010
http://www.oxygen-forensic.com
Paraben's Device Seizure and Paraben's Device Seizure Toolbox
http://www.paraben-forensics.com/handheld_forensics.html
Serial Port Monitoring
TULP2G

SIM Card Forensics

Cellebrite UFED
.XRY
ForensicSIM
Paraben's SIM Card Seizure
http://www.paraben-forensics.com/handheld_forensics.html
SIMCon

Preservation Tools

Paraben StrongHold Bag
Paraben StrongHold Tent

Other Tools

Chat Sniper
http://www.alexbarnett.com/chatsniper.htm
A forensic software tool designed to simplify the process of on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live), or Yahoo instant messenger.
Computer Forensics Toolkit
http://computer-forensics.privacyresources.org
This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
Live View
http://liveview.sourceforge.net/
Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
Parallels VM
http://www.parallels.com/
http://en.wikipedia.org/wiki/Parallels_Workstation
Microsoft Virtual PC
http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
http://en.wikipedia.org/wiki/Virtual_PC
VMware Player
http://www.vmware.com/products/player/
http://en.wikipedia.org/wiki/VMware#VMware_Workstation
A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.
VMware Server
http://www.vmware.com/products/server/
The free server product, for setting up, configuring and running VMware virtual machines. The important difference is that it can run 'headless', i.e. everything in the background.
Webtracer
http://www.forensictracer.com
Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)

Hex Editors

biew
http://biew.sourceforge.net/en/biew.html
Okteta
KDE's new cross-platform hex editor with features such as signature-matching
http://utils.kde.org/projects/okteta/
hexdump
...
HexFiend
A hex editor for Apple OS X
http://ridiculousfish.com/hexfiend/
Hex Workshop
A hex editor from BreakPoint Software, Inc.
http://www.bpsoft.com
khexedit
http://docs.kde.org/stable/en/kdeutils/khexedit/index.html
WinHex
Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
http://www.x-ways.net/winhex
wxHexEditor
A Multi-OS supported, open sourced, hex and disk editor.
http://www.wxhexeditor.org
xxd
...
HexReader
Live-Forensics software that reads windows files at specified offset and length and outputs results to the console.
http://www.live-forensics.com/dl/HexReader.zip

Telephone Scanners/War Dialers

PhoneSweep
http://www.sandstorm.net/products/phonesweep/
PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.