Difference between revisions of "Tools"

From ForensicsWiki
(Linux-based Tools: Macintosh Forensic Software.)
(Forensics Live CDs)
Line 176: Line 176:
  
 
; [[FCCU Gnu/Linux Boot CD]]
 
; [[FCCU Gnu/Linux Boot CD]]
: Also a LiveCD built on top of [[Knoppix]] with a lot of tools with forensic purpose.
+
: Also a Live CD built on top of [[Knoppix]] with a lot of tools with forensic purpose.
 
: It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.
 
: It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.
  
 
; [[Helix]]
 
; [[Helix]]
: A LiveCD built on top of [[Knoppix]].
+
: A Live CD built on top of [[Knoppix]] with special tools for incident response and electronic discovey.
: Also contains a Cygwin environment for use on a running Windows system (w/o rebooting).
+
: Its a hybrid CD which also contains a [[Cygwin]] environment for use on a running Windows system (w/o rebooting) including the sysinternal tools.
  
 
; [[Knoppix STD]]
 
; [[Knoppix STD]]
: A LiveCD built on top of [[Knoppix]].
+
: A Live CD built on top of [[Knoppix]].
 
: http://s-t-d.org/
 
: http://s-t-d.org/
  
 
; [[FARMER DUDE Live CD]]
 
; [[FARMER DUDE Live CD]]
: ???
+
: A Linux [[Live CD]]
: http://www.crazytrain.com/
+
: http://www.forensicbootcd.com/
  
 
; [[MacQuisition Boot CD]]
 
; [[MacQuisition Boot CD]]
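Review bot: the added Helix line "A Live CD built on top of [[Knoppix]] with special tools for incident response and electronic discovey" carries a typo (discovery), and the following added line should read "It's a hybrid CD which also contains a [[Cygwin]] environment ... including the Sysinternals tools". Also, the FCCU description still opens with "Also a Live CD" even though FCCU is the first entry of the Forensics Live CDs section, so the "Also" should go.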

Revision as of 01:06, 12 April 2006

This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Disk Imaging Tools

Note: We're trying to use the same tool template for all devices. Please use this if possible.


Hardware imagers

Imaging Memory

At CanSecWest 2005, Michael Becher, Maximillian Dornseif and Christian N. Klein presented an attack that uses FireWire DMA to read arbitrary physical memory locations of a FireWire-enabled system; the paper gives the details. Their demonstration runs on an iPod running Linux and was used to grab the screen contents of the target.

In theory, this could be combined with the ... to inject exploit code that makes the target dump the contents of its hard drive back to the iPod (the same DMA access allows writing memory as well as reading it).

Unix-based imagers

Adepto
http://www.e-fense.com/helix/
aimage
Part of the AFF system, aimage can create either a raw file or an AFF file. It can optionally compress the image and compute MD5 or SHA-1 digests while the data is being copied.
dcfldd
A version of dd created by the U.S. DoD Defense Computer Forensics Laboratory (DCFL). dcfldd is an enhanced version of GNU dd with features useful for forensics and security, such as calculating MD5 or SHA-1 hashes on the fly and faster disk wiping.
dd
A program that converts and copies files; it is one of the oldest Unix programs. It can copy data from any Unix "file" (including a raw partition) to any other Unix "file" (including a disk file or a raw partition). This is the oldest of the imaging tools and produces raw image files. Extended into dcfldd.
GNU ddrescue
http://www.gnu.org/software/ddrescue/ddrescue.html
dd_rescue
http://www.garloff.de/kurt/linux/ddrescue/
A tool similar to dd, but unlike dd it does not abort on a bad sector it cannot read: it records the problem and continues with the next sector.
iLook IXimager
The primary imaging tool for iLook. It is Linux based and produces compressed authenticatable image files that may only be read in the iLook analysis tool.
MacQuisition Boot CD
Provides software to safely image Macintosh drives.
sdd
Another dd-like tool. It is supposed to be faster in certain situations.
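The two properties the entries above keep coming back to are hashing while the data is copied (aimage, dcfldd) and continuing past unreadable sectors instead of aborting (dd_rescue, or dd with conv=noerror,sync). The following is an added example, not code from any of those tools, that puts both into one small imager. The "device" is a constructed in-memory source whose read of one sector fails; the unreadable sector is zero-filled so that offsets in the image still match offsets on the original, and it is recorded so the report can say which ranges are not trustworthy.

```python
"""Sector-by-sector imaging with on-the-fly MD5/SHA-1 and bad-sector handling.

Added example; not the code of dd, dcfldd, dd_rescue or aimage. The source is a
constructed stand-in for a block device whose reads fail on chosen sectors.
"""
import hashlib
import io

BLOCK = 512  # sector size assumed for the example


class FlakySource:
    """Constructed stand-in for a block device; reads of `bad_sectors` raise IOError."""

    def __init__(self, data, bad_sectors):
        self._buf = io.BytesIO(data)
        self.size = len(data)
        self.bad = set(bad_sectors)

    def read_sector(self, lba):
        if lba in self.bad:
            raise IOError("Input/output error at LBA %d" % lba)
        self._buf.seek(lba * BLOCK)
        return self._buf.read(BLOCK)


def image(src, dst, algorithms=("md5", "sha1")):
    """Copy src into dst one sector at a time, hashing exactly what is written.

    Unreadable sectors are zero-filled (like dd conv=noerror,sync) so the image
    keeps the source's geometry. Returns (digests, list_of_bad_sectors).
    """
    hashes = {name: hashlib.new(name) for name in algorithms}
    bad = []
    sectors = (src.size + BLOCK - 1) // BLOCK
    for lba in range(sectors):
        try:
            chunk = src.read_sector(lba)
        except IOError:
            bad.append(lba)
            chunk = b"\x00" * BLOCK
        dst.write(chunk)
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}, bad


def verify(image_bytes, digests):
    """Re-hash the finished image and compare with the digests taken during acquisition."""
    return all(hashlib.new(name, image_bytes).hexdigest() == d
               for name, d in digests.items())


def demo():
    data = bytes(range(256)) * 8            # constructed 2048-byte "disk" = 4 sectors
    src = FlakySource(data, bad_sectors=[2])  # sector 2 is unreadable
    out = io.BytesIO()
    digests, bad = image(src, out)
    return out.getvalue(), digests, bad


if __name__ == "__main__":
    img, digests, bad = demo()
    print("unreadable sectors (zero-filled):", bad)
    for name, digest in digests.items():
        print(name, digest)
    print("image verifies:", verify(img, digests))
```

Note that the digests cover the zero-filled image, not the physical disk; that is the value you can later re-verify against the image file, and the bad-sector list is what goes into the acquisition notes.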

Windows-based imagers

AccessData
Their ultimate tool lets you "READ, ACQUIRE, DECRYPT, ANALYZE and REPORT (R.A.D.A.R.)."
ASR
A tool for imaging and analyzing disks.
DIBS
Can image and convert many file formats. Also builds mobile toolkit.
EnCase
Can image without the dongle plugged in. Images only to the E0x (E01, E02, ...) evidence file format.
FTK Imager by AccessData
Can image to and convert between many image formats, including E0x and dd (raw). Also a free tool.
Ghost
Not a forensic imager by itself; FTK can read uncompressed Ghost images made in sector-by-sector mode.
iLook
The IRS's set of forensic tools and utilities. iLook V8 can image in Windows.
Paraben
A complete set of tools for Windows (and handheld) products.
ProDiscover
Images and searches FAT12, FAT16, FAT32 and NTFS file systems.
Wetstone
Gargoyle investigator scans for illicit data and steganographic images.
X-Ways Forensics
Has some limited imaging capabilities. The output is raw format.
X-Ways Replica
Performs hard disk cloning and imaging. The output is raw format.

Data Recovery Tools

BringBack
http://www.toolsthatwork.com/
BringBack(tm) offers easy-to-use, inexpensive data recovery for Windows(tm) and Linux (ext2) file systems, as well as for digital images stored on memory cards and similar media.
ByteBack Data Recovery Investigative Suite v4.0
http://www.toolsthatwork.com
Now with UDMA, ATA and SATA support, memory management, and easier control of partition and MBR manipulation, ByteBack continues to uphold its viability as the computer forensics and recovery application of professionals.
RAID Reconstructor
Runtime Software's RAID Reconstructor reconstructs RAID level 0 (striping) and RAID level 5 arrays from the member disks. People who have used it love it.
Salvation Data
http://www.salvationdata.com
Claims to have a program that can read the "bad blocks" of Maxtor drives using the vendor's proprietary commands.

Disk Analysis Tools

Linux-based Tools

SMART, by ASR Data
http://www.asrdata.com

Macintosh-based Tools

Macintosh Forensic Software, by BlackBag Technologies, Inc.
http://www.blackbagtech.com/software_mfs.html

Windows-based Tools

BringBack by Tech Assist, Inc.
http://www.toolsthatwork.com/bringback.htm
EnCase, by Guidance Software
http://www.guidancesoftware.com/
Forensic Toolkit (FTK), by AccessData
http://www.accessdata.com/products/ftk/
ILook Investigator, by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
http://www.ilook-forensics.org/
Safeback by NTI and Armor Forensics
http://www.forensics-intl.com/safeback.html
X-Ways Forensics by X-Ways AG
http://www.x-ways.net/forensics/index-m.html

Open Source Tools

AFFLIB
A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
Autopsy
http://www.sleuthkit.org/autopsy/desc.php
foremost
http://foremost.sf.net/
gfzip
http://www.nongnu.org/gfzip/
gpart
http://www.stud.uni-hannover.de/user/76201/gpart/
Tries to guess the primary partition table of a PC-type hard disk when the table in sector 0 is damaged, incorrect or deleted, by scanning the disk for the signatures of known file systems.
magicrescue
http://jbj.rapanden.dk/magicrescue/
pyflag
http://pyflag.sourceforge.net/
Scalpel
http://www.digitalforensicssolutions.com/Scalpel/
scrounge-ntfs
http://memberwebs.com/nielsen/software/scrounge/
Sleuthkit
http://www.sleuthkit.org/
The Coroner's Toolkit (TCT)
http://www.porcupine.org/forensics/tct.html
Zeitline
http://projects.cerias.purdue.edu/forensics/timeline.php
http://sourceforge.net/projects/zeitline/
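gpart's idea is simple to state: a lost MBR can be rebuilt because every partition still carries its own filesystem boot sector, and that boot sector tells you where the partition starts and how long it is. The following added example (not gpart's code) does this for NTFS and FAT32 on a constructed disk image: a two-partition disk is built in memory, sector 0 is wiped to simulate damage, the disk is scanned for boot-sector signatures, and a new MBR is written from what was found. The layout and signature offsets are the standard ones; the image itself is synthetic.

```python
"""Rebuild a wiped MBR partition table by scanning for filesystem boot sectors.

Added example in the spirit of gpart, not gpart's own code. The disk image is
constructed in memory: an MBR with one NTFS and one FAT32 partition.
"""
import struct

SECTOR = 512
MBR_TABLE = 446                      # the four 16-byte entries start here
TYPE_NTFS, TYPE_FAT32 = 0x07, 0x0C
ENTRY = "<B3sB3sII"                  # status, CHS start, type, CHS end, LBA start, sectors


def parse_mbr(disk):
    """Return [(type, start_lba, sectors)] for the non-empty entries, or [] if no 0x55AA."""
    if disk[510:512] != b"\x55\xaa":
        return []
    entries = []
    for i in range(4):
        raw = disk[MBR_TABLE + 16 * i:MBR_TABLE + 16 * (i + 1)]
        _status, _chs1, ptype, _chs2, lba, count = struct.unpack(ENTRY, raw)
        if ptype:
            entries.append((ptype, lba, count))
    return entries


def scan_filesystems(disk):
    """Walk every sector and report NTFS / FAT32 boot sectors as partition candidates."""
    found = []
    for lba in range(len(disk) // SECTOR):
        s = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != b"\x55\xaa":
            continue
        if s[3:11] == b"NTFS    ":
            total = struct.unpack_from("<Q", s, 0x28)[0]
            # NTFS's total-sectors field excludes the sector holding its backup boot
            # sector, so the partition is one sector larger than the field says.
            found.append((TYPE_NTFS, lba, total + 1))
        elif s[0x52:0x5A] == b"FAT32   ":
            total = struct.unpack_from("<I", s, 32)[0]   # BPB_TotSec32
            found.append((TYPE_FAT32, lba, total))
    return found


def build_mbr(entries):
    """Write a fresh MBR from (type, start_lba, sectors) tuples; CHS fields set to 0xFF."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY, mbr, MBR_TABLE + 16 * i,
                         0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def make_ntfs_boot(total_sectors):
    s = bytearray(SECTOR)
    s[0:3], s[3:11] = b"\xeb\x52\x90", b"NTFS    "
    struct.pack_into("<HB", s, 11, 512, 8)             # bytes/sector, sectors/cluster
    struct.pack_into("<Q", s, 0x28, total_sectors - 1)  # see note in scan_filesystems
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def make_fat32_boot(total_sectors):
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x58\x90"
    struct.pack_into("<HB", s, 11, 512, 8)
    struct.pack_into("<I", s, 32, total_sectors)
    s[0x52:0x5A] = b"FAT32   "
    s[510:512] = b"\x55\xaa"
    return bytes(s)


LAYOUT = [(TYPE_NTFS, 63, 1000), (TYPE_FAT32, 2048, 1500)]   # constructed disk layout


def make_disk():
    disk = bytearray(SECTOR * 4096)
    disk[0:SECTOR] = build_mbr(LAYOUT)
    disk[63 * SECTOR:64 * SECTOR] = make_ntfs_boot(1000)
    disk[2048 * SECTOR:2049 * SECTOR] = make_fat32_boot(1500)
    return disk


def recover(disk):
    """Wipe sector 0 (simulated damage), rescan, rebuild, and return the new table."""
    damaged = bytearray(disk)
    damaged[0:SECTOR] = b"\x00" * SECTOR
    assert parse_mbr(damaged) == []
    damaged[0:SECTOR] = build_mbr(scan_filesystems(damaged))
    return parse_mbr(damaged)


if __name__ == "__main__":
    print("original table:", parse_mbr(make_disk()))
    print("recovered table:", recover(make_disk()))
```

On a real disk the scan also hits backup boot sectors (NTFS keeps one in the last sector of the volume, FAT32 one at sector 6 of the volume), extended-partition boot records and leftovers of earlier formats, so every candidate has to be checked for consistency (does its claimed extent fit between its neighbours, does it overlap another candidate) before it is trusted. That filtering is most of what gpart actually does; the scan above is only the first step.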

Forensics Live CDs

FCCU Gnu/Linux Boot CD
A Live CD built on top of Knoppix with many tools for forensic purposes.
It leaves the target devices unaltered: it neither uses the swap partitions found on them nor automounts partitions.
Helix
A Live CD built on top of Knoppix with special tools for incident response and electronic discovery.
It is a hybrid CD which also contains a Cygwin environment for use on a running Windows system (without rebooting), including the Sysinternals tools.
Knoppix STD
A Live CD built on top of Knoppix.
http://s-t-d.org/
FARMER DUDE Live CD
A Linux Live CD
http://www.forensicbootcd.com/
MacQuisition Boot CD
A forensic Live CD built for imaging Macintosh systems.

Metadata Extraction Tools

antiword
http://www.winfield.demon.nl/
catdoc
http://www.45.free.net/~vitus/software/catdoc/
jhead
http://www.sentex.net/~mwandel/jhead/
Displays or modifies Exif data in JPEG files.
laola
http://user.cs.tu-berlin.de/~schwartz/pmh/index.html
vinetto
http://vinetto.sourceforge.net/
Examines Thumbs.db files.
word2x
http://word2x.sourceforge.net/
wvWare
http://wvware.sourceforge.net/
Extracts metadata from various Microsoft Word files (doc). Can also convert doc files to other formats such as HTML or plain text.
xpdf
http://www.foolabs.com/xpdf/
pdfinfo (part of the xpdf package) displays some metadata of PDF files.
Metadata Assistant
http://www.payneconsulting.com/products/metadataent/
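jhead reads the Exif block that cameras embed in JPEG files: an APP1 segment carrying a small TIFF structure whose IFD entries hold the make, model and the timestamps that matter in an examination. The following added example (not jhead's code) walks the JPEG marker segments, finds that APP1, and parses IFD0 and the Exif sub-IFD in either byte order. The JPEG it operates on is constructed inline by the block itself, so the values it returns are whatever that builder put in, not data from a real camera.

```python
"""Minimal Exif reader: JPEG marker walk, then TIFF/IFD parsing.

Added example, not jhead's source. make_exif_jpeg() builds a constructed JPEG
consisting of SOI, one Exif APP1 segment and EOI, for the parser to run on.
"""
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
        0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized", 0x8769: "ExifIFD"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field types
ASCII, LONG, EXIF_IFD_PTR = 2, 4, 0x8769


def find_exif(jpeg):
    """Walk the marker segments and return the TIFF block of the Exif APP1, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI or start of scan: no more headers
            return None
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]   # includes its own 2 bytes
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + length
    return None


def parse_tiff(tiff):
    """Return {tag name: value} for ASCII tags in IFD0, the chained IFDs and the Exif sub-IFD."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, first_ifd = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    result, pending, seen = {}, [first_ifd], set()
    while pending:
        off = pending.pop()
        if off in seen or off + 2 > len(tiff):   # guard against loops and garbage offsets
            continue
        seen.add(off)
        count = struct.unpack_from(endian + "H", tiff, off)[0]
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, n = struct.unpack_from(endian + "HHI", tiff, e)
            size = n * TYPE_SIZE.get(typ, 1)
            if size <= 4:                         # value stored inline in the entry
                raw = tiff[e + 8:e + 8 + size]
            else:                                 # entry holds an offset into the TIFF block
                voff = struct.unpack_from(endian + "I", tiff, e + 8)[0]
                raw = tiff[voff:voff + size]
            if tag == EXIF_IFD_PTR:
                pending.append(struct.unpack_from(endian + "I", tiff, e + 8)[0])
            elif typ == ASCII:
                result[TAGS.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00").decode("ascii", "replace")
        next_ifd = struct.unpack_from(endian + "I", tiff, off + 2 + 12 * count)[0]
        if next_ifd:
            pending.append(next_ifd)
    return result


def exif(jpeg):
    tiff = find_exif(jpeg)
    return parse_tiff(tiff) if tiff else {}


def make_exif_jpeg():
    """Constructed little-endian Exif JPEG; all values below are made up for the example."""
    make, model = b"Canon\x00", b"5D\x00"
    dt, dto = b"2006:04:11 15:22:37\x00", b"2006:04:11 15:20:01\x00"
    ifd0_end = 8 + 2 + 4 * 12 + 4                   # header + count + 4 entries + next ptr
    make_off, dt_off = ifd0_end, ifd0_end + len(make)
    exif_off = dt_off + len(dt)
    dto_off = exif_off + 2 + 12 + 4                  # sub-IFD with one entry
    tiff = bytearray(b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 4))
    tiff += struct.pack("<HHII", 0x010F, ASCII, len(make), make_off)
    tiff += struct.pack("<HHI", 0x0110, ASCII, len(model)) + model.ljust(4, b"\x00")  # inline
    tiff += struct.pack("<HHII", 0x0132, ASCII, len(dt), dt_off)
    tiff += struct.pack("<HHII", EXIF_IFD_PTR, LONG, 1, exif_off)
    tiff += struct.pack("<I", 0) + make + dt
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", 0x9003, ASCII, len(dto), dto_off)
    tiff += struct.pack("<I", 0) + dto
    app1 = b"Exif\x00\x00" + bytes(tiff)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for name, value in sorted(exif(make_exif_jpeg()).items()):
        print("%-18s %s" % (name, value))
```

The bounds checks on IFD offsets matter more than they look: Exif data is attacker-controlled input on any file that came from a suspect machine, and a parser that trusts the offsets blindly is the kind of thing that crashes an examiner's tool.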

File Analysis Tools

file
The file command determines the type of a given file from its contents, not from its extension or filename. To do that it consults a magic file that maps byte patterns at known offsets to file types.
ldd
...
ltrace
...
strace
...
strings
strings prints the runs of printable characters found in a file. It can look for different character encodings (ASCII, 16-bit Unicode) and is a quick way to sweep files or whole partitions for words, filenames and keywords.
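Both file and strings are content-based: one matches magic bytes at fixed offsets, the other extracts printable runs, and the Unicode variant of strings is what finds Windows paths and registry values that an ASCII-only pass misses. The following added example (not the code of either tool) implements both over a constructed blob: a hand-picked magic table in the style of a magic file, and a strings routine for ASCII and UTF-16LE.

```python
"""Magic-number typing and printable-string extraction (ASCII and UTF-16LE).

Added example, not the source of file(1) or strings(1). MAGIC is a small
hand-picked subset and SAMPLE is constructed to exercise both encodings.
"""
import re

# (offset, magic bytes, description): a few entries in the style of a magic file
MAGIC = [
    (0, b"\x7fELF", "ELF executable"),
    (0, b"MZ", "MS-DOS/PE executable"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"\xff\xd8\xff", "JPEG image"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "ZIP archive"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Microsoft OLE2 compound document"),
    (3, b"NTFS    ", "NTFS boot sector"),
    (0x52, b"FAT32   ", "FAT32 boot sector"),
]


def identify(data):
    """Match content against MAGIC, ignoring any filename or extension."""
    for offset, magic, description in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return description
    return "data"


def strings(data, min_len=4, encoding="ascii"):
    """Return printable runs of at least min_len characters.

    'ascii' behaves like strings(1) by default; 'utf-16le' corresponds to the
    16-bit little-endian mode used for Windows artefacts (strings -e l).
    """
    if encoding == "ascii":
        pattern = rb"[\x20-\x7e]{%d,}" % min_len
        return [m.group().decode("ascii") for m in re.finditer(pattern, data)]
    if encoding == "utf-16le":
        pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
        return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]
    raise ValueError("unsupported encoding: %r" % encoding)


# Constructed sample: a PE-style header, an ASCII message, a UTF-16LE path, and noise.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 4
    + "C:\\Users\\victim\\secret.docx".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02ab\x03"
)


if __name__ == "__main__":
    print("type:", identify(SAMPLE))
    print("ascii strings:", strings(SAMPLE))
    print("utf-16le strings:", strings(SAMPLE, encoding="utf-16le"))
```

The UTF-16LE path is invisible to the ASCII pass because every other byte is a NUL; that is exactly why a keyword sweep over a Windows image has to run both modes.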

Network Forensics Tools

chkrootkit
...
cryptcat
...
netcat
...
netflow/flowtools
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
http://www.splintered.net/sw/flow-tools/
rkhunter
...
Sguil
http://sguil.sourceforge.net/
Snort
http://www.snort.org/
Tcpdump
http://www.tcpdump.org
tcpextract
http://tcpxtract.sourceforge.net/
tcpflow
http://www.circlemud.org/~jelson/software/tcpflow/

Anti-forensics Tools

Ontrack Data Eraser
...
Slacker
A tool to hide files within the slack space of the NTFS file system.
http://www.metasploit.com/projects/antiforensics/slacker.exe
Timestomp
A tool that allows one to modify all four NTFS timestamp values (MACE: modified, accessed, created, entry modified).
http://www.metasploit.com/projects/antiforensics/timestomp.exe
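NTFS keeps its timestamps as 64-bit FILETIME values (100-nanosecond intervals since 1601-01-01 UTC), and $STANDARD_INFORMATION stores the four of them in the order created, modified, entry modified, accessed. The following added example (not Timestomp's code) decodes and re-encodes those values, forges two of them the way a tool that takes times at one-second resolution would, and then shows the check an examiner can run: a timestamp whose 100-ns remainder is exactly zero was very likely written by such a tool rather than by the file system. The attribute bytes are constructed; the remainder check is a heuristic with known false positives (for example, files copied from FAT volumes, which only keep 2-second resolution).

```python
"""NTFS MACE timestamps: decode, forge at second resolution, and flag suspicious values.

Added example, not Timestomp's code. The $STANDARD_INFORMATION body used here is
constructed; only the first 32 bytes (the four FILETIMEs) are populated.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                      # 100-ns intervals per second
SI_ORDER = ("created", "modified", "entry_modified", "accessed")   # offsets 0, 8, 16, 24


def filetime_to_datetime(ft):
    """FILETIME -> aware datetime (microsecond precision; the last 100-ns digit is dropped)."""
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def parse_mace(std_info):
    """Return the four timestamps of a $STANDARD_INFORMATION body as {name: FILETIME}."""
    return dict(zip(SI_ORDER, struct.unpack_from("<4Q", std_info, 0)))


def stomp(std_info, **new_times):
    """Overwrite the named timestamps at one-second resolution, as a Timestomp-style
    tool that accepts 'MM/DD/YYYY HH:MM:SS' would; the 100-ns remainder becomes zero."""
    buf = bytearray(std_info)
    for name, dt in new_times.items():
        ft = datetime_to_filetime(dt.replace(microsecond=0))
        struct.pack_into("<Q", buf, SI_ORDER.index(name) * 8, ft)
    return bytes(buf)


def suspicious(std_info):
    """Names of timestamps whose sub-second part is exactly zero: a hint, not proof."""
    return [name for name, ft in parse_mace(std_info).items() if ft % TICKS_PER_SECOND == 0]


def sample_attribute():
    """Constructed attribute with realistic, non-round timestamps."""
    base = datetime(2006, 4, 11, 15, 22, 37, 481250, tzinfo=timezone.utc)
    buf = bytearray(48)                              # short-form $STANDARD_INFORMATION
    for i in range(4):
        t = base + timedelta(seconds=97 * i, microseconds=1234 * i)
        struct.pack_into("<Q", buf, i * 8, datetime_to_filetime(t))
    return bytes(buf)


def demo():
    original = sample_attribute()
    when = datetime(2004, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # backdate two fields
    forged = stomp(original, created=when, modified=when)
    return suspicious(original), suspicious(forged), parse_mace(forged)


if __name__ == "__main__":
    before, after, mace = demo()
    print("suspicious before:", before)
    print("suspicious after: ", after)
    for name in SI_ORDER:
        print("%-15s %s" % (name, filetime_to_datetime(mace[name]).isoformat()))
```

In practice this check is combined with a comparison against the $FILE_NAME attribute's own four timestamps, which user-mode tools cannot set directly; a $STANDARD_INFORMATION time earlier than its $FILE_NAME counterpart is the classic sign.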

Securely deleting data

CyberScrub cyberCide
This program securely erases all data from drives or partitions.
http://www.cyberscrub.com/products/cybercide/index.php
CyberScrub Privacy Suite
This program securely erases selected data, wipes free space, and has scheduling capabilities.
http://www.cyberscrub.com/products/privacysuite/index.php
Darik's Boot and Nuke (DBAN)
This is a bootable disk that securely wipes any hard disk it can detect.
http://dban.sourceforge.net/
shred
Part of GNU coreutils. Overwrites a file in place; as its manual warns, this is not reliable on file systems that do not write new data over the old blocks (journaled, copy-on-write or log-structured file systems), where the original contents may survive.
wipe
http://abaababa.ouvaton.org/wipe/

See also

Other Tools

VMware Player
http://www.vmware.com/products/player/
A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.
VMware Server
http://www.vmware.com/products/server/
The free server product for setting up, configuring and running VMware virtual machines. The important difference from Player is that it can run headless, i.e. entirely in the background.

Hex Editors

biew
http://biew.sourceforge.net/en/biew.html
hexdump
...
khexedit
http://docs.kde.org/stable/en/kdeutils/khexedit/index.html
xxd
...