Tools

From ForensicsWiki
Revision as of 21:44, 1 November 2010 by Rmislan

This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

Disk Analysis Tools

Hard Drive Firmware and Diagnostics Tools

PC-3000 from DeepSpar Data Recovery Systems
http://www.deepspar.com/products-pc-3000-drive.html
http://www.pc-3000.com/

Linux-based Tools

LINReS by NII Consulting Pvt. Ltd.
http://www.niiconsulting.com/innovation/linres.html
SMART by ASR Data
http://www.asrdata.com

Macintosh-based Tools

Macintosh Forensic Software by BlackBag Technologies, Inc.
http://www.blackbagtech.com/software_mfs.html
MacForensicsLab by Subrosasoft
MacForensicLab-Subrosasoft
Mac Marshal by ATC-NY
http://www.macmarshal.com/

Windows-based Tools

Blackthorn GPS Forensics
http://www.blackthorngps.com
BringBack by Tech Assist, Inc.
http://www.toolsthatwork.com/bringback.htm
EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
http://www.hotpepperinc.com/emd
EnCase by Guidance Software
http://www.guidancesoftware.com/
fbi by Nuix Pty Ltd
http://www.nuix.com
Forensic Toolkit (FTK) by AccessData
http://www.accessdata.com/products/ftk/
HBGary Responder Professional - Windows Physical Memory Forensic Platform
http://www.hbgary.com
ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
http://www.ilook-forensics.org/
Mercury Indexer by MicroForensics, Inc.
http://www.MicroForensics.com/
OnLineDFS by Cyber Security Technologies
http://www.cyberstc.com/
P2 Power Pack by Paraben
https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187
Prodiscover by Techpathways
http://www.techpathways.com/ProDiscoverWindows.htm
Safeback by NTI and Armor Forensics
http://www.forensics-intl.com/safeback.html
X-Ways Forensics by X-Ways AG
http://www.x-ways.net/forensics/index-m.html
DateDecoder by Live-Forensics
http://www.live-forensics.com/dl/DateDecoder.zip
A command-line tool that decodes most encoded time/date stamps found on a Windows system and outputs the time/date in a human-readable format.
RecycleReader by Live-Forensics
http://www.live-forensics.com/dl/RecycleReader.zip
A command-line tool that outputs the contents of the Recycle Bin on XP, Vista and Seven.

Open Source Tools

AFFLIB
A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
Autopsy
http://www.sleuthkit.org/autopsy/desc.php
Digital Forensics Framework (DFF)
DFF is cross-platform and open source, aimed at both users and developers. It provides many features and is highly modular. The project's goal is to give the forensic community a powerful framework so that a single tool can be used throughout an analysis. http://www.digital-forensic.org
foremost
http://foremost.sf.net/
Linux-based file carving program.
FTimes
http://ftimes.sourceforge.net/FTimes/index.shtml
FTimes is a system baselining and evidence collection tool.
gfzip
http://www.nongnu.org/gfzip/
gpart
http://www.stud.uni-hannover.de/user/76201/gpart/
Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
Hachoir
A generic framework for binary file manipulation; it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, the MS-DOS partition header, etc. It recognizes file types and can find embedded subfiles (hachoir-subfile).
magicrescue
http://jbj.rapanden.dk/magicrescue/
The Open Computer Forensics Architecture
http://ocfa.sourceforge.net/
pyflag
http://www.pyflag.net/PyFlagWiki/
Web-based, database-backed forensic and log analysis GUI written in Python.
Scalpel
http://www.digitalforensicssolutions.com/Scalpel/
Linux and Windows file carving program originally based on foremost.
scrounge-ntfs
http://memberwebs.com/nielsen/software/scrounge/
Sleuthkit
http://www.sleuthkit.org/
The Coroner's Toolkit (TCT)
http://www.porcupine.org/forensics/tct.html

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

LiveWire Investigator 2008 by WetStone Technologies
http://www.wetstonetech.com/f/livewire2008.html
P2 Enterprise Edition by Paraben
http://www.paraben-forensics.com/enterprise_forensics.html

Forensics Live CDs

BackTrack
A Live CD built on top of Ubuntu (early versions were built on top of Slackware). The latest "pre-release" has a "forensics mode".
http://remote-exploit.org/backtrack.html
CAINE Live CD
A forensic Live CD built on top of Ubuntu.
http://caine-live.net
DEFT Linux
A Live CD built on top of Xubuntu with the best tools for computer forensics and incident response.
It is a very light and fast live system created for computer forensics specialists.
The first live CD with AFF, dhash and Xplico.
http://www.deftlinux.net
THE FARMER'S BOOT CD
A Linux Live CD, designed and optimized for previewing data in a forensically sound manner. It contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems.
FCCU Gnu/Linux Boot CD
A Live CD built on top of Debian Live with a large collection of forensic tools.
http://www.lnx4n6.be
grml
A forensic Live CD built on top of Debian.
http://grml.org
Helix3 (Helix3 Pro)
A Live CD built on top of Ubuntu with special tools for incident response and electronic discovery.
http://e-fense.com
MacQuisition Boot CD
A forensic Live CD built for imaging Macintosh systems.
Masterkey Linux
A Linux Live CD built on top of Slackware featuring a wide variety of free and open source tools, focused on both incident response and computer forensic examination.
http://masterkeylinux.com
PlainSight
A forensic Live CD built on top of Knoppix.
http://www.plainsight.info
Recovery Is Possible
A Linux Live CD with a number of recovery applications such as TestDisk, PhotoRec, etc.
http://www.tux.org/pub/people/kent-robotti/looplinux/rip/
SAFE Boot Disk
The first and only commercially available forensically sound Windows Boot disk.
Includes built-in driver support, access to the NTFS file system and built-in software write blocking.
http://www.forensicsoft.com/catalog/product.php
SMART Linux
Two Live CDs built on top of Slackware and Ubuntu. Includes SMART and other forensic tools.
http://asrdata2.com
SPADA
A forensic Live CD built on top of Knoppix.
http://spada-cd.info

Out of date Live CDs

Knoppix STD
A Live CD built on top of Knoppix.
http://s-t-d.org/
Penguin Sleuthkit
A Linux Live CD that includes SleuthKit.
http://penguinsleuth.org/
SNARL
A FreeBSD-based forensics bootable ISO (includes Autopsy and Sleuth Kit).
http://sourceforge.net/projects/snarl/

Personal Digital Device Tools

GPS Forensics

Blackthorn GPS Forensics

PDA Forensics

Cellebrite UFED
Paraben PDA Seizure
Paraben PDA Seizure Toolbox
PDD

Cell Phone Forensics

BitPIM
Cellebrite UFED
DataPilot Secure View
GSM .XRY
Fernico ZRT
ForensicMobile
LogiCube CellDEK
MOBILedit!
Oxygen Forensic Suite 2010
http://www.oxygen-forensic.com
Paraben's Device Seizure and Paraben's Device Seizure Toolbox
http://www.paraben-forensics.com/handheld_forensics.html
Serial Port Monitoring
TULP2G

SIM Card Forensics

Cellebrite UFED
ForensicSIM
Paraben's SIM Card Seizure
http://www.paraben-forensics.com/handheld_forensics.html
SIMCon

Preservation Tools

Paraben StrongHold Bag
Paraben StrongHold Tent

Other Tools

Chat Sniper
http://www.alexbarnett.com/chatsniper.htm
A forensic software tool designed to simplify on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live) or Yahoo instant messenger.
Computer Forensics Toolkit
http://computer-forensics.privacyresources.org
This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
Live View
http://liveview.sourceforge.net/
Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
Parallels VM
http://www.parallels.com/
http://en.wikipedia.org/wiki/Parallels_Workstation
Microsoft Virtual PC
http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
http://en.wikipedia.org/wiki/Virtual_PC
VMware Player
http://www.vmware.com/products/player/
http://en.wikipedia.org/wiki/VMware#VMware_Workstation
A free player for VMware virtual machines that allows them to "play" on either Windows or Linux-based systems.
VMware Server
http://www.vmware.com/products/server/
The free server product for setting up, configuring and running VMware virtual machines. The important difference is that it can run "headless", i.e. entirely in the background.
Webtracer
http://www.forensictracer.com
Software for forensic analysis of Internet resources (IP addresses, e-mail addresses, domain names, URLs, e-mail headers, log files, etc.).

Hex Editors

biew
http://biew.sourceforge.net/en/biew.html
Okteta
KDE's new cross-platform hex editor, with features such as signature matching.
http://utils.kde.org/projects/okteta/
hexdump
...
HexFiend
A hex editor for Apple OS X
http://ridiculousfish.com/hexfiend/
Hex Workshop
A hex editor from BreakPoint Software, Inc.
http://www.bpsoft.com
khexedit
http://docs.kde.org/stable/en/kdeutils/khexedit/index.html
WinHex
Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
http://www.x-ways.net/winhex
xxd
...
HexReader
Live-Forensics software that reads Windows files at a specified offset and length and outputs the results to the console.
http://www.live-forensics.com/dl/HexReader.zip

Telephone Scanners/War Dialers

PhoneSweep
http://www.sandstorm.net/products/phonesweep/
PhoneSweep is a commercial-grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.