McAfee is committed to your security and provides an assortment of free McAfee tools to help in your software development. Simply select a tool and download it for free. For more details, read the McAfee Software Free Tools
A lot’s and mostly useful to the extreme. Nice one guys!
http://www.mcafee.com/uk/downloads/free-tools/index.aspx
Name |
From |
Description |
|---|---|---|
| DCode | Digital Detective | Converts various data types to date/time values |
| iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones |
| ChromeAnalysis | Foxton Software | Analysis of internet history data generated using Google Chrome |
| IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs |
Name |
From |
Description |
|---|---|---|
| Dropbox Decryptor* | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox |
| Google Maps Tile Investigator* | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context |
| KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application |
| LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details |
| SkypeLogView | Nirsoft | View Skype calls and chats |
Name |
From |
Description |
|---|---|---|
| ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file |
| Process Monitor | Microsoft | Examine Windows processes and registry threads in real time |
| Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
| RegRipper | Harlan Carvey | Registry data extraction and correlation tool |
| Regshot | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software |
| sbag | TZWorks | Extracts data from Shellbag entries |
| USB Device Forensics | Woanware | Details previously attached USB devices on exported registry hives |
| USB Historian | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems |
| USBDeview | Nirsoft | Details previously attached USB devices |
| User Assist Analysis | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys |
| UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time |
| Windows Registry Recovery | MiTec | Extracts configuration settings and other information from the Registry |
Name |
From |
Description |
|---|---|---|
| Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”) |
| ChromeCacheView | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache |
| Cookie Cutter | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits. |
| Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information. |
| Facebook Profile Saver | Belkasoft | Captures information publicly available in Facebook profiles. |
| IECookiesView | Nirsoft | Extracts various details of Internet Explorer cookies |
| IEPassView | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 |
| MozillaCacheView | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaCookieView | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaHistoryView | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web page |
| MyLastSearch | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) |
| PasswordFox | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser |
| OperaCacheView | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache |
| OperaPassView | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat |
| Web Historian | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers |
| Web Page Saver* | Magnet Forensics | Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages |
Name |
From |
Description |
|---|---|---|
| BKF Viewer | SysTools | View contents of BKF (XP backup) files |
| E01 Viewer | SysTools | View E01 files to view messages within email EDB, PST and OST and search for file names |
| Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations |
| Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams |
| VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc. |
Name |
From |
Description |
|---|---|---|
| Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) |
| Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability |
| Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools |
| Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools |
| Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items |
| Forensic Scanner | Harlan Carvey | Automates ‘repetitive tasks of data collection’. Fuller description here |
| Paladin* | Sumuri | Ubuntu based live boot CD for imaging and analysis |
| SIFT* | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations |
| The Sleuth Kit | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools |
| Ubuntu guide | How-To Geek | Guide to using an Unbuntu live disk to recover partitions, carve files, etc. |
| Volatility Framework | Volatile Systems | Collection of tools for the extraction of artefacts from RAM |
Name |
From |
Description |
|---|---|---|
| iPBA2 | Mario Piccinelli | Explore iOS backups |
| iPhone Analyzer | Leo Crawford, Mat Proud | Explore the internal file structure of Pad, iPod and iPhones |
| ivMeta | Robin Wood | Extracts phone model and software version and created date and GPS data from iPhone videos. |
| Rubus* | CCL Forensics | Deconstructs Blackberry .ipd backup files |
| SAFT | SignalSEC Corp | Obtain SMS Messages, call logs and contacts from Android devices |
| WhatsApp Forensics | Zena Forensics | Extract WhatApp messages from iOS and Android backups |
Name |
From |
Description |
|---|---|---|
| Audit | Twocanoes Software | Audit Preference Pane and Log Reader for OS X |
| ChainBreaker | Kyeongsik Lee | Parses keychain structure, extracting user’s confidential information such as application account/password, encrypted volume password (e.g. filevault), etc |
| Disk Arbitrator | Aaron Burghardt | Blocks the mounting of file systems, complimenting a write blocker in disabling disk arbitration |
| Epoch Converter* | Blackbag Technologies | Converts epoch times to local time and UTC |
| FTK Imager CLI for Mac OS* | AccessData | Command line Mac OS version of AccessData’s FTK Imager |
| IORegInfo | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected |
| Mac Memory Reader | Cyber Marshal | Command-line utility to capture physical RAM from Mac OS systems |
| PMAP Info* | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors |
| Volafox | Kyeongsik Lee | Memory forensic toolkit for Mac OS X |
Name |
From |
Description |
|---|---|---|
| Advanced Prefetch Analyser | Allan Hay | Reads Windows XP,Vista and Windows 7 prefetch files |
| analyzeMFT | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
| CapAnalysis | Evolka | PCAP viewer |
| CrowdResponse | CrowdStrike | Directory enumeration, file hashes, certificate details, detailed process listing and YARA module to scan process memory & associated binaries. |
| CrowdInspect | CrowdStrike | Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce “at-a-glance” state of the system |
| Defraser | Various | Detects full and partial multimedia files in unallocated space |
| eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc. |
| Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file |
| ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types |
| Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
| Ghiro | Alessandro Tanasi | In-depth analysis of image (picture) files |
| Highlighter | Mandiant | Examine log files using text, graphic or histogram views |
| Link Parser | 4Discovery | Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files |
| LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details |
| PlatformAuditProbe* | AppliedAlgo | Command Line Windows forensic/ incident response tool that collects many artefacts. Manual |
| RSA Netwitness Investigator* | EMC | Network packet capture and analysis |
| Memoryze | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems |
| MetaExtractor | 4Discovery | Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files |
| MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
| NetSleuth | NetGrab | Network monitoring tool, with covert “silent port scanning” |
| PictureBox | Mike’s Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format |
| PsTools | Microsoft | Suite of command-line Windows utilities |
| Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies |
| Simple File Parser | Chris Mayhew | GUI tool for parsing .lnk files, prefetch and jump list artefacts |
| SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
| Strings | Microsoft | Command-line tool for text searches |
| Structured Storage Viewer | MiTec | View and manage MS OLE Structured Storage based files |
| Switch-a-Roo | Mike’s Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc |
| Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |
| Xplico | Gianluca Costa & Andrea De Franceschi | Network forensics analysis tool |
Name |
From |
Description |
|---|---|---|
| Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl Regex |
| CaseNotes Lite | Blackthorn | Contemporaneous notes recorder |
| Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation |
| EvidenceMover* | Nuix | Copies data between locations, with file comparison, verification, logging |
| FastCopy | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc. |
| File Signatures | Gary Kessler | Table of file signatures |
| HexBrowser | Peter Fiskerstrand | Identifies over 1000 file types by examining their signatures |
| HashMyFiles | Nirsoft | Calculate MD5 and SHA1 hashes |
| MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to boot to them |
| Mouse Jiggler | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc. |
| Notepad ++ | Notepad ++ | Advanced Notepad replacement |
| NSRL | NIST | Hash sets of ‘known’ (ignorable) files |
| Quick Hash | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files |
| USB Write Blocker | DSi | Enables software write-blocking of USB ports |
| USB Write Blocker | Sécurité Multi-Secteurs | Software write blocker for Windows XP through to Windows 8 |
| Windows Forensic Environment | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD |
Name |
From |
Description |
|---|---|---|
| EDB Viewer | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server |
| Mail Viewer | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files |
| MBOX Viewer | SysTools | View MBOX emails and attachments |
| OST Viewer | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server |
| PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |
Name |
From |
Description |
|---|---|---|
| DumpIt | MoonSols | Generates physical memory dump of Windows machines, 32 bits 64 bit. Can run from a USB flash drive. |
| EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link] |
| Encrypted Disk Detector* | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
| EWF MetaEditor | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier) |
| FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
| Forensics Acquisition of Websites | Web Content Protection Association | Browser designed to forensically capture web pages |
| FTK Imager* | AccessData | Imaging tool, disk viewer and image mounter |
| Guymager | vogu00 | Multi-threaded GUI imager under running under Linux |
| HotSwap | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area |
| LiveView | CERT | Allows examiner to boot dd images in VMware. |
| NetworkMiner | Hjelmvik | Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing |
| Nmap | Nmap | Utility for network discovery and security auditing |
| P2 Explorer Free | Paraben | Mount forensic images as read-only local logical and physical disks |
| Live RAM Capturer* | Belkasoft | Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds |
| OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones. |
| OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks |
| Tableau Imager* | Tableau | Imaging tool for use with Tableau imaging products |
| Wireshark | Wireshark | Network protocol capture and analysis |
| VHD Tool | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management |
Here are 20 of the best free tools that will help you conduct a digital forensic investigation.
The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.
When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window.
ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold the data. You can also search for data using the Search node based on the criteria you specify.
When you launch ProDiscover Basic you first need to create or load a project and add evidence from the ‘Add’ node. You can then use the ‘Content View’ or ‘Cluster View’ nodes to analyse the data and the Tools menu to perform actions against the data. Click the ‘Report’ node to view important information about the project.
Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.
If you are using the standalone Windows executable version of Volatility, simply place volatility-2.1.standalone.exe into a folder and open a command prompt window. From the command prompt, navigate to the location of the executable file and type “volatility-2.1.standalone.exe –f <FILENAME> –profile=<PROFILENAME> <PLUGINNAME>” without quotes – FILENAME would be the name of the memory dump file you wish to analyse, PROFILENAME would be the machine the memory dump was taken on and PLUGINNAME would be the name of the plugin you wish to use to extract information.
Note: In the example above I am using the ‘connscan’ plugin to search the physical memory dump for TCP connection information.
The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.
Note: You can use The Sleuth Kit if you are running a Linux box and Autopsy if you are running a Windows box.
When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.
FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.
Note: There is a portable version of FTK Imager that will allow you to run it from a USB disk.
When you launch FTK Imager, go to ‘File > Add Evidence Item…’ to load a piece of evidence for review. To create a forensic image, go to ‘File > Create Disk Image…’ and choose which source you wish to forensically image.
dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.
Note: dd is a very powerful tool that can have devastating effects if not used with care. It is recommended that you experiment in a safe environment before using this tool in the real world.
Tip: A modified version of dd is available from http://sourceforge.net/projects/dc3dd/ – dc3dd includes additional features that were added specifically for digital forensic acquisition tasks.
To use dd, simply open a terminal window and type dd followed by a set of command parameters (which command parameters will obviously depend on what you want to do). The basic dd syntax for forensically wiping a drive is:
dd if=/dev/zero of=/dev/sdb1 bs=1024
where if = input file, of = output file, bs = byte size
Note: Replace /dev/sdb1 with the drive name of the drive you want to forensically wipe and 1024 with the size of the byte blocks you want to write out.
The basic dd syntax for creating a forensic image of a drive is:
dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync
where if = input file (or in this case drive), of = output file, bs = byte size, conv = conversion options
Tip: For additional usage info, from a terminal window, type “man dd” without quotes to bring up the help manual for the dd command.
CAINE (Computer Aided INvestigative Environment) is Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.
When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar.
If you are investigating a case that requires you to gather evidence from a mobile phone to support your case, Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features include the ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.
When you launch Oxygen Forensic Suite, hit the ‘Connect new device’ button on the top menu bar to launch the Oxygen Forensic Extractor wizard that guides you through selecting the device and type of information you wish to extract.
Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.
Use ‘File > Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where you can begin to navigate through the hex manually or press CTRL + F to run a search.
bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts).
Tip: Within the output text files you will find entries for data that resemble a credit card number, e-mail address, domain name, etc. You will also see a decimal value in the first column of the text file that, when converted to hex, can be used as the pointer on disk where the entry was found (i.e. if you were analysing the disk manually using a hex editor for example, you would jump to this hexadecimal value to view the data).
Bulk_extractor comes as a command-line tool or a GUI tool. In the example above I set the bulk extractor tool to extract information from a forensics image I took earlier and output the results to a folder called “BE_Output”. The results can then be viewed in the Bulk Extractor Viewer and the output text files mentioned above.
DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.
When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFT to disk. If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.
Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.
Once you’ve installed Xplico, access the web interface by navigating to http://<IPADDRESS>:9876 and logging in with a normal user account. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has finished decoding, use the navigation menu on the left hand side to view the results.
I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my Top 10 Free System Troubleshooting Tools for SysAdmins article. LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file. This tool is useful when you need to prove that a user (or account) performed an action he or she said they didn’t.
When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on. Sort by action time or use the search button to start investigating what actions were taken on the machine.
The Digital Forensics Framework (DFF) is a digital forensic investigation tool and a development platform that allows you to collect, preserve and reveal digital evidence. Amongst others, DFF’s features include the ability to read RAW, EWF and AFF forensic file formats, access local and remote devices, analyse registry, mailbox and file system data and recover hidden and deleted files.
When you launch DFF, you first need to load an evidence file (i.e. a forensic image you acquired previously) or open a device ready for analysis. You can then process the evidence file or device against one of the in-built modules to begin analysing data.
RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.
When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you already have a memory dump file available, you’ll need to create a collector to gather data from the machine and let that process run through to completion. Once you have a memory dump file to hand you can begin your analysis.
PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital forensic tasks such as viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more.
When you boot into PlainSight, a window pops up asking you to select whether you want to perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.
HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with easy-of-use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.
From the HxD interface start your analysis by opening a file from ‘File > Open’, loading a disk from ‘Extras > Open disk…’ or loading a RAM process from ‘Extras > Open RAM…’.
HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.
Note: The HELIX3 version you need is 2009R1. This version was the last free version available before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a useful addition to your digital forensics toolkit.
When you boot using HELIX3, you are asked whether you want to load the GUI environment or install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-based screen will appear giving you the option to run the graphical version of the bundled tools.
NetSleuth is a network forensics analysis tool that identifies devices on your network. It operates in ‘live’ mode (where it will actively capture network packets and interpret device information) or in ‘offline’ mode where it will process a PCAP file that you import.
Note: At the time of writing, NetSleuth is in BETA. It is not recommended that you run this in a production environment. It made this list because it promises to be a handy addition to your forensic toolkit. The author of this tool is currently asking for feedback from the community so now is your chance to contribute!
When you launch NetSleuth, you can either initiate a ‘live’ analysis from the Live Capture tab, or load a PCAP file from the Offline Analysis tab. Once NetSleuth has identified at least one device, you can double click on it to open the Device Information window.
P2 eXplorer is a forensic image mounting tool that allows you to mount a forensic image as a physical disk and view the contents of that image in Windows Explorer or load it into an external forensic analysis tool. P2 eXplorer supports images in RAW, DD, IMG, EX01, SMART and SafeBack format, amongst others.
When you launch P2 eXplorer, choose an available drive letter to mount the image to and click ‘File > Mount Image…’ to choose the image to mount. Once the image has been mounted, double click on the associated drive letter to view the contents of that image in Windows Explorer.
Tip: In Top 20 Free Disk Tools for SysAdmins I mentioned another image mounting tool called OSFMount. OSFMount is very similar to P2 eXplorer but also supports the mounting of VMWare files and the creation of RAM disks. Part of the OSFMount family is a digital forensics suite called OSForensics – the freeware version of this application is available for personal, educational or home use to allow you to experiment and become acquainted with digital forensics concepts.
In addition to the lot above check the following guides.
The guides are a beginner course on how to begin with digital forensic .
http://www.usainvestigators.com/a-beginners-guide-to-digital-forensics-infographic/
http://computer-forensics.safemode.org/
https://forensiccontrol.com/resources/beginners-guide-computer-forensics/
