Revision as of 16:08, 20 December 2007 by Cmihai (Added SNARL FreeBSD forensics LiveCD and Penguin Sleuthkit)
This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.
Note: This page has gotten too big and is being broken up. See:
- Tools:Data Recovery (including file carving)
- Category:Disk Imaging
- Tools:File Analysis
- Tools:Memory Imaging
- 1 Disk Analysis Tools
- 2 Enterprise Tools (Proactive Forensics)
- 3 Forensics Live CDs
- 4 Metadata Extraction Tools
- 5 Personal Digital Device Tools
- 6 Other Tools
- 7 Telephone Scanners/War Dialers
Disk Analysis Tools
Hard Drive Firmware and Diagnostics Tools
- PC-3000, from DeepSpar Data Recovery Systems
- Macintosh Forensic Software, by BlackBag Technologies, Inc.
- EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
- ILook Investigator, by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
- P2 Power Pack by Paraben
Open Source Tools
- A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
- Linux and Windows file carving program originally based on foremost.
- FTimes is a system baselining and evidence collection tool.
- Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
- Web-based, database-backed forensic and log analysis GUI written in Python.
- Zeitline --- Forensic timeline editor
- A generic framework for binary file manipulation; it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, MS-DOS partition headers, etc. It recognizes file types and is able to find subfiles (hachoir-subfile).
NDA and scoped distribution tools
Enterprise Tools (Proactive Forensics)
Forensics Live CDs
- FCCU GNU/Linux Boot CD
- A Live CD built on top of Knoppix with a lot of tools with forensic purpose.
- It leaves the target devices unaltered: it does not use the swap partitions found on the devices, nor does it automount partitions.
- A Live CD built on top of Knoppix with special tools for incident response and electronic discovery.
- It is a hybrid CD which also contains a Cygwin environment for use on a running Windows system (without rebooting), including the Sysinternals tools.
- A FreeBSD-based forensics bootable ISO (includes Autopsy and Sleuth Kit).
- Penguin Sleuthkit
- A Linux LiveCD that includes SleuthKit.
- THE FARMER'S BOOT CD
- A Linux Live CD, designed and optimized for previewing data in a forensically sound manner. It contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems.
- DEFT Linux
- A Live CD built on top of Xubuntu with the best tools for computer forensics and incident response.
- It is very easy to use with a lot of device drivers. The first live CD with AFF and dhash.
- Recovery Is Possible
- A Linux Live CD with a number of recovery applications such as TestDisk, PhotoRec etc.
- Ubuntu-rescue-remix is a live CD that provides the data recovery expert with an environment equipped with the best free-libre, open source data recovery and forensics tools available. Since many of those libraries and tools are part of the Ubuntu installer, it makes sense to remix Ubuntu into a lightweight and powerful environment for data recovery. This project was formerly known as Rescubuntu.
Metadata Extraction Tools
- Extracts metadata from various Microsoft Word files (doc). Can also convert doc files to other formats such as HTML or plain text.
- pdfinfo (part of the xpdf package) displays some metadata of PDF files.
- Part of the Hachoir project.
Personal Digital Device Tools
Cell Phone Forensics
- DataPilot Secure View
- GSM .XRY
- Fernico ZRT
- LogiCube CellDEK
- Oxygen PM II
- Paraben Device Seizure
- Paraben Device Seizure Toolbox
- Serial Port Monitoring
SIM Card Forensics
Other Tools
- VMware Player
- A free player for VMware virtual machines that will allow them to "play" on either Windows- or Linux-based systems.
- VMware Server
- The free server product for setting up, configuring and running VMware virtual machines. The important difference is that it can run 'headless', i.e. entirely in the background.
- Computer Forensics Toolkit
- This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
- Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
- Live View
- Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
- Microsoft Virtual PC
- The Onion Router (TOR)
- Network anonymizer designed to make traffic analysis difficult.
- Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
Telephone Scanners/War Dialers
- PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.