Disk tools and data capture
Name |
From |
Description |
---|---|---|
DumpIt | MoonSols | Generates physical memory dump of Windows machines, 32 bits 64 bit. Can run from a USB flash drive. |
EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link] |
Encrypted Disk Detector* | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
EWF MetaEditor | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier) |
FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
Forensics Acquisition of Websites | Web Content Protection Association | Browser designed to forensically capture web pages |
FTK Imager* | AccessData | Imaging tool, disk viewer and image mounter |
Guymager | vogu00 | Multi-threaded GUI imager under running under Linux |
HotSwap | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area |
LiveView | CERT | Allows examiner to boot dd images in VMware. |
NetworkMiner | Hjelmvik | Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing |
Nmap | Nmap | Utility for network discovery and security auditing |
P2 Explorer Free | Paraben | Mount forensic images as read-only local logical and physical disks |
Live RAM Capturer* | Belkasoft | Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds |
OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones. |
OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks |
Tableau Imager* | Tableau | Imaging tool for use with Tableau imaging products |
Wireshark | Wireshark | Network protocol capture and analysis |
VHD Tool | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management |