Difference between revisions of "Tools"

From ForensicsWiki
Minor edit to the "Other Tools" section (line 342): the second wikilink in the Live View entry was missing its closing bracket.

  ; Live View
  : http://liveview.sourceforge.net/
- : Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine] out of a dd disk image or physical disk.
+ : Live View is a graphical forensics tool that creates a [[VMware]] [[virtual machine]] out of a dd disk image or physical disk.
Revision as of 08:19, 13 March 2007

This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

Disk Analysis Tools

Linux-based Tools

LINReS, by NII Consulting Pvt. Ltd.
http://www.niiconsulting.com/innovation/linres.html
SMART, by ASR Data
http://www.asrdata.com

Macintosh-based Tools

Macintosh Forensic Software, by BlackBag Technologies, Inc.
http://www.blackbagtech.com/software_mfs.html
MacForensicsLab, by Subrosasoft

Windows-based Tools

BringBack by Tech Assist, Inc.
http://www.toolsthatwork.com/bringback.htm
EnCase, by Guidance Software
http://www.guidancesoftware.com/
FBI, by Nuix Pty Ltd
http://www.nuix.com.au
Forensic Toolkit (FTK), by AccessData
http://www.accessdata.com/products/ftk/
ILook Investigator, by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
http://www.ilook-forensics.org/
P2 Power Pack by Paraben
https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187
Safeback by NTI and Armor Forensics
http://www.forensics-intl.com/safeback.html
X-Ways Forensics by X-Ways AG
http://www.x-ways.net/forensics/index-m.html
Prodiscover by Techpathways
http://www.techpathways.com/ProDiscoverWindows.htm


Open Source Tools

AFFLIB
A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
Autopsy
http://www.sleuthkit.org/autopsy/desc.php
foremost
http://foremost.sf.net/
FTimes
http://ftimes.sourceforge.net/FTimes/index.shtml
FTimes is a system baselining and evidence collection tool.
gfzip
http://www.nongnu.org/gfzip/
gpart
http://www.stud.uni-hannover.de/user/76201/gpart/
Tries to guess the primary partition table of a PC-type hard disk when the partition table in sector 0 is damaged, incorrect, or deleted, by scanning the disk for the start of known filesystem types.
magicrescue
http://jbj.rapanden.dk/magicrescue/
The Open Computer Forensics Architecture
http://ocfa.sourceforge.net/
pyflag
http://pyflag.sourceforge.net/
Scalpel
http://www.digitalforensicssolutions.com/Scalpel/
scrounge-ntfs
http://memberwebs.com/nielsen/software/scrounge/
Sleuthkit
http://www.sleuthkit.org/
The Coroner's Toolkit (TCT)
http://www.porcupine.org/forensics/tct.html
Zeitline --- Forensic timeline editor
http://projects.cerias.purdue.edu/forensics/timeline.php
http://sourceforge.net/projects/zeitline/
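gpart's approach, as an added example that is not gpart's own code: walk a raw image sector by sector, look for filesystem boot-sector or superblock signatures, read each volume's size from the structure that matched, and skip past the volume before continuing. The image is built in memory with the MBR zeroed (the damaged-sector-0 case), an NTFS volume with its backup boot sector, and an ext2 volume; the field offsets are those of the NTFS, FAT and ext2 on-disk layouts.

```python
"""Heuristic partition-table reconstruction by scanning a raw image for
filesystem signatures (the technique gpart applies). Added example, not
gpart's code. The image below is constructed in memory."""
import struct

SECTOR = 512


def probe(buf, off):
    """Return (fs_type, size_in_sectors) if a filesystem appears to start at
    byte offset off, else None."""
    sec = buf[off:off + SECTOR]
    if len(sec) < SECTOR:
        return None
    # NTFS: OEM ID at 3, bytes/sector at 11, total sectors (u64) at 40, 0x55AA at 510.
    if sec[3:11] == b"NTFS    " and sec[510:512] == b"\x55\xaa":
        bps = struct.unpack_from("<H", sec, 11)[0]
        total = struct.unpack_from("<Q", sec, 40)[0]
        # NTFS stores the sector count minus one (the backup boot sector); add it back.
        return ("NTFS", (total + 1) * bps // SECTOR)
    # FAT12/16/32: type string at 54 (FAT12/16) or 82 (FAT32); total sectors at 19 (u16) or 32 (u32).
    if sec[510:512] == b"\x55\xaa" and (sec[54:59] in (b"FAT12", b"FAT16") or sec[82:87] == b"FAT32"):
        bps = struct.unpack_from("<H", sec, 11)[0]
        total = struct.unpack_from("<H", sec, 19)[0] or struct.unpack_from("<I", sec, 32)[0]
        return ("FAT", total * bps // SECTOR)
    # ext2/3/4: superblock 1024 bytes into the partition, magic 0xEF53 at superblock offset 56,
    # block count (u32) at 4, block size = 1024 << value at 24.
    sb = buf[off + 1024:off + 2048]
    if len(sb) == 1024 and struct.unpack_from("<H", sb, 56)[0] == 0xEF53:
        blocks = struct.unpack_from("<I", sb, 4)[0]
        bsize = 1024 << struct.unpack_from("<I", sb, 24)[0]
        return ("ext", blocks * bsize // SECTOR)
    return None


def scan_image(buf, step=SECTOR):
    """Return [(start_sector, size_in_sectors, fs_type)] for every volume found."""
    found = []
    off = 0
    while off + SECTOR <= len(buf):
        hit = probe(buf, off)
        if hit:
            fs, nsec = hit
            found.append((off // SECTOR, nsec, fs))
            # Skip the whole volume so structures inside it (e.g. the NTFS backup
            # boot sector in its last sector) are not reported as new partitions.
            off += max(nsec, 1) * SECTOR
        else:
            off += step
    return found


def build_sample_image():
    """8 MiB image with a zeroed MBR, an NTFS volume at sector 2048 and an ext2
    volume at sector 8192. Constructed data, not a real disk."""
    img = bytearray(16384 * SECTOR)
    bs = bytearray(SECTOR)                       # minimal NTFS boot sector
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 11, 512)          # bytes per sector
    struct.pack_into("<Q", bs, 40, 4096 - 1)     # total sectors minus one
    bs[510:512] = b"\x55\xaa"
    img[2048 * SECTOR:2049 * SECTOR] = bs
    img[(2048 + 4095) * SECTOR:(2048 + 4096) * SECTOR] = bs   # backup boot sector
    sb = bytearray(1024)                         # minimal ext2 superblock
    struct.pack_into("<I", sb, 4, 1024)          # 1024 blocks
    struct.pack_into("<I", sb, 24, 0)            # 1 KiB blocks
    struct.pack_into("<H", sb, 56, 0xEF53)
    img[8192 * SECTOR + 1024:8192 * SECTOR + 2048] = sb
    return bytes(img)


if __name__ == "__main__":
    for start, size, fs in scan_image(build_sample_image()):
        print(f"{fs:5s} start sector {start:8d} size {size:8d} sectors")
```

Skipping past a recognised volume is what keeps the NTFS backup boot sector in the volume's last sector from being reported as a second partition; on a real disk that backup sector is also a useful cross-check of the size read from the first one. Hits inside file data (a disk image stored as a file, for instance) remain possible, so the output is a candidate table to confirm by mounting read-only, not something to write back to sector 0 unverified.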

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

P2 Enterprise Edition by Paraben
http://www.paraben-forensics.com/enterprise_forensics.html

Forensics Live CDs

FCCU Gnu/Linux Boot CD
A Live CD built on top of Knoppix with many forensic tools.
It leaves the target devices unaltered: it does not use swap partitions found on the devices and does not automount partitions.
Helix
A Live CD built on top of Knoppix with special tools for incident response and electronic discovery.
It is a hybrid CD that also contains a Cygwin environment for use on a running Windows system (without rebooting), including the Sysinternals tools.
Knoppix STD
A Live CD built on top of Knoppix.
http://s-t-d.org/
THE FARMER'S BOOT CD
A Linux Live CD, designed and optimized for previewing data in a forensically sound manner. It contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems.
MacQuisition Boot CD
A forensic Live CD built for imaging Macintosh systems.
DEFT Linux
A Live CD built on top of Kubuntu with tools for computer forensics and incident response.
It is easy to use and ships with many device drivers. It was the first live CD with AFF support and includes recently released forensic tools.
http://www.stevelab.net/deft

Metadata Extraction Tools

antiword
http://www.winfield.demon.nl/
catdoc
http://www.45.free.net/~vitus/software/catdoc/
jhead
http://www.sentex.net/~mwandel/jhead/
Displays or modifies Exif data in JPEG files.
laola
http://user.cs.tu-berlin.de/~schwartz/pmh/index.html
vinetto
http://vinetto.sourceforge.net/
Examines Thumbs.db files.
word2x
http://word2x.sourceforge.net/
wvWare
http://wvware.sourceforge.net/
Extracts metadata from various Microsoft Word files (doc). Can also convert doc files to other formats such as HTML or plain text.
xpdf
http://www.foolabs.com/xpdf/
pdfinfo (part of the xpdf package) displays some metadata of PDF files.
Metadata Assistant
http://www.payneconsulting.com/products/metadataent/

File Analysis Tools

Open Source Tools

file
The file command determines the type of a file from its contents rather than its extension or name. It does this with a magic file listing the byte signatures of known file types.
ldd
...
ltrace
...
strace
...
strings
strings prints the runs of printable characters found in a file. It can search different character sets (ASCII, Unicode/UTF-16), which makes it a quick way to sweep files, partitions or images for words, filenames and other keywords.
Galleta
Parses Internet Explorer cookie files. http://www.foundstone.com/resources/proddesc/galleta.htm
The Open Computer Forensics Architecture
http://ocfa.sourceforge.net/
Pasco
Parses Internet Explorer index.dat files. http://www.foundstone.com/resources/proddesc/pasco.htm
Rifiuti
Examines the INFO2 file in the Recycle Bin http://www.foundstone.com/resources/proddesc/rifiuti.htm
yim2text
Extracts the 'encrypted' contents of Yahoo! Instant Messenger log files. http://www.1vs0.com/tools.html
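How file, strings and the carvers listed under Open Source Tools (foremost, Scalpel, magicrescue) work, as one added example that is not the code of any of them: a small magic table drives both leading-byte identification and header/footer carving over a raw image, and two regular expressions pull out ASCII and UTF-16LE string runs. The image and everything in it are constructed.

```python
"""Signature-based file identification, header/footer carving and string
extraction over a raw image. Added example; not the code of file(1),
strings(1), foremost or Scalpel. The image below is constructed in memory."""
import re

# (header, footer, maximum carve length) per type: a tiny subset of a real magic table.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def identify(data):
    """file(1)-style identification: match the leading bytes against the magic table."""
    for name, (header, _, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return "data"


def carve(image):
    """foremost/Scalpel-style carving: for every header hit, take bytes up to the
    first footer within the type's maximum length. Returns [(type, offset, bytes)]."""
    found = []
    for name, (header, footer, max_len) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_len)
            if end < 0:
                pos = start + 1      # no footer in range; a real carver may emit a truncated file here
                continue
            end += len(footer)
            found.append((name, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def strings(data, min_len=4):
    """strings(1)-style extraction of printable ASCII and UTF-16LE runs.
    Returns [(offset, encoding, text)] sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(hits)


def build_sample_image():
    """Constructed image: a minimal JPEG, a minimal PDF and a UTF-16LE Windows
    path, separated by zeroed space."""
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<</Title(Evidence)>>endobj\n%%EOF\n"
    path = "C:\\Users\\alice\\secret.docx".encode("utf-16-le")
    return b"\x00" * 1000 + jpg + b"\x00" * 500 + pdf + b"\x00" * 300 + path + b"\x00" * 200


if __name__ == "__main__":
    img = build_sample_image()
    for kind, offset, blob in carve(img):
        print(f"carved {kind} at {offset} ({len(blob)} bytes), file says {identify(blob)}")
    for offset, enc, text in strings(img):
        print(f"{offset:8d} {enc:8s} {text}")
```

A JPEG carrying an Exif thumbnail contains an inner FFD9 marker and a PDF with incremental updates has several %%EOF markers, so first-footer carving truncates such files; foremost and Scalpel deal with this through per-type rules such as reverse footer search and size limits. The UTF-16LE pattern is what recovers Windows paths, registry strings and document text that ASCII-only string extraction misses.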

NDA and scoped distribution tools

Network Forensics Tools

chkrootkit
...
cryptcat
...
netcat
...
netflow/flowtools
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
http://www.splintered.net/sw/flow-tools/
NetIntercept
http://www.sandstorm.net/products/netintercept
NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
rkhunter
...
Sguil
http://sguil.sourceforge.net/
Snort
http://www.snort.org/
Tcpdump
http://www.tcpdump.org
tcpxtract
http://tcpxtract.sourceforge.net/
tcpflow
http://www.circlemud.org/~jelson/software/tcpflow/
truewitness
http://www.nature-soft.com/forensic.html
Linux/open-source. Based in India.

etherpeek
http://www.wildpackets.com/products/etherpeek/overview
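The reassembly step behind tcpflow and NetIntercept, as an added example that is not their code: group segments by 4-tuple, take the initial sequence number from the SYN, place payloads by sequence offset rather than arrival order, collapse retransmissions and overlaps, and record holes. The segments are constructed, not captured.

```python
"""Per-flow TCP stream reassembly of the kind tcpflow and NetIntercept perform.
Added example; not their code. Segments below are constructed, not captured."""
from collections import defaultdict


# A segment is (src, sport, dst, dport, seq, syn, payload); other flags are omitted.
def reassemble(segments):
    """Return ({flow: stream_bytes}, {flow: [(gap_start, gap_end)]})."""
    isn = {}                          # flow -> first data sequence number (SYN seq + 1)
    parts = defaultdict(dict)         # flow -> {relative offset: payload}
    gaps = defaultdict(list)
    for src, sport, dst, dport, seq, syn, payload in segments:
        flow = (src, sport, dst, dport)
        if syn:
            isn[flow] = (seq + 1) & 0xFFFFFFFF   # the SYN itself consumes one sequence number
            continue
        if flow not in isn or not payload:
            continue                  # mid-stream without a SYN, or a pure ACK: nothing to place
        rel = (seq - isn[flow]) & 0xFFFFFFFF
        parts[flow][rel] = payload    # a retransmission lands on the same offset and replaces it
    streams = {}
    for flow, chunks in parts.items():
        buf = bytearray()
        for off in sorted(chunks):            # place by sequence order, not arrival order
            data = chunks[off]
            if off < len(buf):                # overlaps data already placed: keep the new tail only
                data = data[len(buf) - off:]
            elif off > len(buf):              # hole left by a lost segment: zero-fill and record it
                gaps[flow].append((len(buf), off))
                buf.extend(b"\x00" * (off - len(buf)))
            buf.extend(data)
        streams[flow] = bytes(buf)
    return streams, dict(gaps)


def sample_segments():
    """Constructed HTTP exchange delivered out of order with one retransmission."""
    c = ("10.0.0.5", 51234, "192.0.2.10", 80)
    s = ("192.0.2.10", 80, "10.0.0.5", 51234)
    req1 = b"GET /index.html HTTP/1.1\r\n"
    req2 = b"Host: example.org\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    return [
        (*c, 1000, True, b""),                    # SYN
        (*s, 5000, True, b""),                    # SYN/ACK
        (*c, 1001 + len(req1), False, req2),      # arrives before its predecessor
        (*c, 1001, False, req1),
        (*c, 1001, False, req1),                  # retransmission
        (*s, 5001, False, resp[:20]),
        (*s, 5001 + 20, False, resp[20:]),
    ]


if __name__ == "__main__":
    streams, gaps = reassemble(sample_segments())
    for flow, data in streams.items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} ({len(data)} bytes, gaps {gaps.get(flow, [])})")
        print(data.decode("ascii", "replace"))
```

Real captures add flows whose SYN was never seen (tcpflow starts such a flow at the first segment it observes), 32-bit sequence wrap-around, and overlapping retransmissions whose contents differ, a classic IDS evasion. The example keeps the latest copy of an overlap; an analyst should compare differing overlaps rather than trust either one.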

Anti-forensics Tools

Slacker
A tool that hides files in the file slack of an NTFS volume (the unused bytes between the end of a file's data and the end of its last cluster).
http://www.metasploit.com/projects/antiforensics/slacker.exe
Timestomp
A tool that allows one to modify all four NTFS timestamp values (MACE: modified, accessed, created, MFT entry modified) of a file.
http://www.metasploit.com/projects/antiforensics/timestomp.exe
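What an examiner looks for after a Timestomp run, as an added example that is not Timestomp's code: parse the four FILETIME values from the $STANDARD_INFORMATION and $FILE_NAME attributes of an MFT entry and apply two common heuristics. The attribute bodies and the parent-directory reference are constructed in the code.

```python
"""Parsing the four NTFS timestamps and flagging Timestomp-style tampering.
Added example; not Timestomp's code. The MFT attribute bodies are constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACE = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft):
    """FILETIME is the count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_timestamps(attr_body, offset):
    """Read four consecutive FILETIMEs. In $STANDARD_INFORMATION they begin at
    offset 0; in $FILE_NAME at offset 8, after the parent directory reference."""
    return dict(zip(MACE, struct.unpack_from("<4Q", attr_body, offset)))


def timestomp_indicators(si, fn):
    """Heuristics applied to a $SI/$FN pair. Timestomp rewrites $SI with
    whole-second values, so the sub-second part of the FILETIME is zero, and it
    leaves $FN alone, so $SI can end up earlier than $FN. Zero fractions also
    occur legitimately (files copied from FAT media, some archivers), so treat
    hits as leads to corroborate, not as proof."""
    findings = []
    for name in MACE:
        if si[name] % 10_000_000 == 0:
            findings.append(f"$SI {name} has a zero sub-second part")
    if si["created"] < fn["created"]:
        findings.append("$SI created precedes $FN created")
    return findings


def build_sample(stomped):
    """Constructed $SI and $FN bodies for one file; stomped=True backdates $SI."""
    real = datetime(2007, 3, 13, 8, 19, 27, 123456, tzinfo=timezone.utc)
    fake = datetime(2001, 1, 1, tzinfo=timezone.utc)
    si_times = [datetime_to_filetime(fake if stomped else real)] * 4
    si_body = struct.pack("<4Q", *si_times) + b"\x00" * 16         # remaining $SI fields zeroed
    fn_body = struct.pack("<Q", 0x0005000000000005)                 # parent dir reference (constructed)
    fn_body += struct.pack("<4Q", *[datetime_to_filetime(real)] * 4)
    return si_body, fn_body


if __name__ == "__main__":
    for stomped in (False, True):
        si_body, fn_body = build_sample(stomped)
        si, fn = parse_timestamps(si_body, 0), parse_timestamps(fn_body, 8)
        print("stomped" if stomped else "untouched",
              filetime_to_datetime(si["created"]).isoformat(),
              timestomp_indicators(si, fn) or "no indicators")
```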

Securely deleting data

BCWipe
Secure data deletion tools for Windows and Unix-like operating systems.
CyberScrub cyberCide
This program securely erases all data from drives or partitions.
http://www.cyberscrub.com/products/cybercide/index.php
CyberScrub Privacy Suite
This program securely erases selected data and wipes free space, and has scheduling capabilities.
http://www.cyberscrub.com/products/privacysuite/index.php
Darik's Boot and Nuke (DBAN)
This is a bootable disk that securely wipes any hard disk it can detect.
http://dban.sourceforge.net/
Eraser
Offers several overwrite patterns, including Peter Gutmann's and the US DoD 5220.22-M method.
http://www.heidi.ie/eraser
Ontrack Data Eraser
...
shred
Part of GNU coreutils. It overwrites a file in place, which is not reliable on journaling or copy-on-write filesystems, RAID, or flash media with wear levelling, where copies of the original blocks can survive.
wipe
http://abaababa.ouvaton.org/wipe/
Lenovo SDD
http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-56394

See also

Personal Digital Device Tools

PDA Forensics

Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell Phone Forensics

BitPIM
DataPilot Secure View
GSM .XRY
ForensicMobile
LogiCube CellDEK
MOBILedit!
Oxygen PM II
Paraben Device Seizure
Paraben Device Seizure Toolbox
Serial Port Monitoring
TULP2G

SIM Card Forensics

ForensicSIM
Paraben Device Seizure
SIMCon

Preservation Tools

Paraben StrongHold Bag
Paraben StrongHold Tent


Other Tools

VMware Player
http://www.vmware.com/products/player/
A free player for VMware virtual machines that runs them on Windows or Linux hosts.
VMware Server
http://www.vmware.com/products/server/
The free server product for setting up, configuring and running VMware virtual machines. The important difference is that it can run headless, i.e. entirely in the background.
Computer Forensics Toolkit
http://computer-forensics.privacyresources.org
This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
Webtracer
http://www.forensictracer.com
Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
Live View
http://liveview.sourceforge.net/
Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
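What Live View does underneath, as an added example that is not Live View's code: write a monolithicFlat .vmdk descriptor whose single extent is the dd image, and a .vmx that attaches the disk in independent-nonpersistent mode so guest writes go to a discardable redo log instead of the evidence. The image path, VM settings and guest OS type are assumptions.

```python
"""Mapping a raw dd image into a VMware virtual disk, the trick Live View
automates. Added example; not Live View's code. Paths and VM settings are
assumptions."""
import hashlib
import os

SECTOR = 512


def raw_vmdk_descriptor(image_path, image_size):
    """Text of a 'monolithicFlat' .vmdk whose only extent is the raw image, so
    the guest boots from the evidence without converting it."""
    if image_size % SECTOR:
        raise ValueError("raw image size must be a multiple of 512 bytes")
    sectors = image_size // SECTOR
    heads, spt = 16, 63                       # conventional IDE geometry
    cylinders = sectors // (heads * spt)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {sectors} FLAT "{os.path.basename(image_path)}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.adapterType = "ide"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{heads}"',
        f'ddb.geometry.sectors = "{spt}"',
        'ddb.virtualHWVersion = "4"',
        "",
    ])


def minimal_vmx(vmdk_name, guest_os="winxppro", mem_mb=512):
    """Smallest .vmx that boots the disk. The mode line is the one that matters:
    independent-nonpersistent sends every guest write to a redo log that is
    discarded at power-off, so the image file itself is never written."""
    return "\n".join([
        'config.version = "8"',
        'virtualHW.version = "4"',
        f'displayName = "evidence-{vmdk_name}"',
        f'guestOS = "{guest_os}"',
        f'memsize = "{mem_mb}"',
        'ide0:0.present = "TRUE"',
        f'ide0:0.fileName = "{vmdk_name}"',
        'ide0:0.mode = "independent-nonpersistent"',
        "",
    ])


def sha256_file(path, chunk=1 << 20):
    """Hash the image before and after the VM session; the digests must match."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    image = "evidence.dd"                                    # assumed path to the dd image
    with open("evidence.vmdk", "w") as f:
        f.write(raw_vmdk_descriptor(image, os.path.getsize(image)))
    with open("evidence.vmx", "w") as f:
        f.write(minimal_vmx("evidence.vmdk"))
    print("image sha256 before boot:", sha256_file(image))
```

Keep the image on a read-only or write-blocked mount as well, hash it before and after the session, and expect that a system imaged from different hardware may need driver or HAL adjustments before it boots cleanly.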

Hex Editors

biew
http://biew.sourceforge.net/en/biew.html
hexdump
...
Hex Workshop
A hex editor from BreakPoint Software, Inc.
http://www.bpsoft.com
khexedit
http://docs.kde.org/stable/en/kdeutils/khexedit/index.html
WinHex
Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
http://www.x-ways.net/winhex
xxd
...

Telephone Scanners/War Dialers

PhoneSweep
http://www.sandstorm.net/products/phonesweep/
PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.