McAfee Free Tools

McAfee is committed to your security and provides an assortment of free McAfee tools to help in your software development. Simply select a tool and download it for free. For more details, read the McAfee Software Free Tools

A lot’s and mostly useful to the extreme. Nice one guys!


Other forensic software old!

| Name | From | Description |
| --- | --- | --- |
| DCode | Digital Detective | Converts various data types to date/time values |
| iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones |
| ChromeAnalysis | Foxton Software | Analysis of internet history data generated using Google Chrome |
| IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs |


Application analysis

| Name | From | Description |
| --- | --- | --- |
| Dropbox Decryptor* | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox |
| Google Maps Tile Investigator* | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context |
| KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application |
| LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details |
| SkypeLogView | Nirsoft | View Skype calls and chats |


Registry analysis

| Name | From | Description |
| --- | --- | --- |
| ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file |
| Process Monitor | Microsoft | Examine Windows processes and registry threads in real time |
| Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
| RegRipper | Harlan Carvey | Registry data extraction and correlation tool |
| Regshot | Regshot | Takes snapshots of the registry allowing comparisons, e.g., show registry changes after installing software |
| sbag | TZWorks | Extracts data from Shellbag entries |
| USB Device Forensics | Woanware | Details previously attached USB devices on … |


Internet analysis

| Name | From | Description |
| --- | --- | --- |
| Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”) |
| ChromeCacheView | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache |
| Cookie Cutter | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits. |
| Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information. |
| Facebook Profile … | | |


File viewers

| Name | From | Description |
| --- | --- | --- |
| BKF Viewer | SysTools | View contents of BKF (XP backup) files |
| E01 Viewer | SysTools | View E01 files to view messages within email EDB, PST and OST and search for file names |
| Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations |
| Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams |
| VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc. |


Data analysis suites

| Name | From | Description |
| --- | --- | --- |
| Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) |
| Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability |
| Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools |
| Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools |
| Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items |
| Forensic Scanner | Harlan Carvey | Automates ‘repetitive tasks of data collection’. Fuller description here |
| Paladin* | Sumuri | Ubuntu based live … |


Mobile devices

| Name | From | Description |
| --- | --- | --- |
| iPBA2 | Mario Piccinelli | Explore iOS backups |
| iPhone Analyzer | Leo Crawford, Mat Proud | Explore the internal file structure of iPad, iPod and iPhones |
| ivMeta | Robin Wood | Extracts phone model and software version and created date and GPS data from iPhone videos. |
| Rubus* | CCL Forensics | Deconstructs Blackberry .ipd backup files |
| SAFT | SignalSEC Corp | Obtain SMS Messages, call logs and contacts from Android devices |
| WhatsApp Forensics | Zena Forensics | Extract WhatsApp messages from iOS and Android backups |


Mac OS tools

| Name | From | Description |
| --- | --- | --- |
| Audit | Twocanoes Software | Audit Preference Pane and Log Reader for OS X |
| ChainBreaker | Kyeongsik Lee | Parses keychain structure, extracting user’s confidential information such as application account/password, encrypted volume password (e.g. filevault), etc |
| Disk Arbitrator | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker in disabling disk arbitration |
| Epoch Converter* | Blackbag Technologies | Converts epoch times to local time and UTC |
| FTK Imager CLI for Mac OS* | AccessData | Command line Mac OS version of AccessData’s FTK Imager |
| IORegInfo | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software … |


File and data analysis

| Name | From | Description |
| --- | --- | --- |
| Advanced Prefetch Analyser | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files |
| analyzeMFT | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
| CapAnalysis | Evolka | PCAP viewer |
| CrowdResponse | CrowdStrike | Directory enumeration, file hashes, certificate details, detailed process listing and YARA module to scan process memory & associated binaries. |
| CrowdInspect | CrowdStrike | Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce “at-a-glance” state of the system |
| Defraser | Various | Detects full and partial multimedia files in unallocated … |


General Forensic utilities

| Name | From | Description |
| --- | --- | --- |
| Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl Regex |
| CaseNotes Lite | Blackthorn | Contemporaneous notes recorder |
| Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation |
| EvidenceMover* | Nuix | Copies data between locations, with file comparison, verification, logging |
| FastCopy | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc. |
| File Signatures | Gary Kessler | Table of file signatures |
| HexBrowser | Peter Fiskerstrand | Identifies over 1000 file types by examining their signatures |
| HashMyFiles | Nirsoft | Calculate MD5 and SHA1 hashes |
| MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to … |


Email analysis

| Name | From | Description |
| --- | --- | --- |
| EDB Viewer | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server |
| Mail Viewer | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files |
| MBOX Viewer | SysTools | View MBOX emails and attachments |
| OST Viewer | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server |
| PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |


Disk tools and data capture

| Name | From | Description |
| --- | --- | --- |
| DumpIt | MoonSols | Generates physical memory dump of Windows machines, 32-bit and 64-bit. Can run from a USB flash drive. |
| EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link] |
| Encrypted Disk Detector* | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
| EWF MetaEditor | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier) |
| FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
| Forensics Acquisition of Websites | Web Content Protection Association | Browser designed … |


20 forensic tools

Here are 20 of the best free tools that will help you conduct a digital forensic investigation.

01 SANS SIFT

The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more. When you first boot into the SIFT …
