Revision as of 11:08, 20 December 2007 by Cmihai
This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.
Note: This page has gotten too big and is being broken up. See:
- Tools:Data Recovery (including file carving)
- Category:Disk Imaging
- Tools:File Analysis
- Tools:Memory Imaging
- 1 Disk Analysis Tools
- 2 Enterprise Tools (Proactive Forensics)
- 3 Forensics Live CDs
- 4 Metadata Extraction Tools
- 5 Personal Digital Device Tools
- 6 Other Tools
- 7 Telephone Scanners/War Dialers
Disk Analysis Tools
Hard Drive Firmware and Diagnostics Tools
- PC-3000, from DeepSpar Data Recovery Systems
- Macintosh Forensic Software, by BlackBag Technologies, Inc.
- EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
- ILook Investigator, by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
- P2 Power Pack by Paraben
Open Source Tools
- A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
- Linux and Windows file carving program originally based on foremost.
- FTimes is a system baselining and evidence collection tool.
- Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
- web-based, database-backed forensic and log analysis GUI written in Python.
- Zeitline --- Forensic timeline editor
- A generic framework for binary file manipulation, it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).
NDA and scoped distribution tools
Enterprise Tools (Proactive Forensics)
Forensics Live CDs
- FCCU Gnu/Linux Boot CD
- A Live CD built on top of Knoppix with a lot of tools with forensic purpose.
- It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.
- A Live CD built on top of Knoppix with special tools for incident response and electronic discovery.
- Its a hybrid CD which also contains a Cygwin environment for use on a running Windows system (w/o rebooting) including the Sysinternals tools.
- A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
- [[Penguin Sleuthkit]
- A Linux LiveCD that includes SleuthKit.
- THE FARMER'S BOOT CD
- A Linux Live CD, designed and optimized for previewing data in a forensically sound manner. It contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems.
- DEFT Linux
- A Live CD built on top of Xubuntu with the best tools for computer forensics and incident response.
- It is very easy to use with a lot of device drivers. The first live CD with AFF and dhash.
- Recovery Is Possible
- A Linux Live CD with a number of recovery applications such as TestDisk, PhotoRec etc.
- Ubuntu-rescue-remix is a live cd that provides the data recovery expert with an environment equipped with the best free-libre, open source data recovery and forensics tools available. Since many of those libraries and tools are part of the Ubuntu Installer, it makes sense to remix Ubuntu into a lightweight and powerful environment for data recovery. This project was formerly known as Rescubuntu.
Metadata Extraction Tools
- Extracts metadata from various Microsoft Word files (doc). Can also convert doc files to other formats such as HTML or plain text.
- pdfinfo (part of the xpdf package) displays some metadata of PDF files.
- part of Hachoir project
Personal Digital Device Tools
Cell Phone Forensics
- DataPilot Secure View
- GSM .XRY
- Fernico ZRT
- LogiCube CellDEK
- Oxygen PM II
- Paraben Device Seizure
- Paraben Device Seizure Toolbox
- Serial Port Monitoring
SIM Card Forensics
- VMware Player
- A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.
- VMware Server
- The free server product, for setting up/configuring/running VMware virtual machine.Important difference being that it can run 'headless', i.e. everything in background.
- Computer Forensics Toolkit
- This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
- Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
- Live View
- Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
- Microsoft Virtual PC
- The Onion Router (TOR)
- Network anonymizer designed to make traffic analysis difficult.
- Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
Telephone Scanners/War Dialers
- PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.