File and data analysis
| Name | From | Description |
|---|---|---|
| Advanced Prefetch Analyser | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files |
| analyzeMFT | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
| CapAnalysis | Evolka | PCAP viewer |
| CrowdResponse | CrowdStrike | Directory enumeration, file hashes, certificate details, detailed process listing and YARA module to scan process memory & associated binaries. |
| CrowdInspect | CrowdStrike | Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce “at-a-glance” state of the system |
| Defraser | Various | Detects full and partial multimedia files in unallocated space |
| eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc. |
| Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file |
| ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types |
| Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
| Ghiro | Alessandro Tanasi | In-depth analysis of image (picture) files |
| Highlighter | Mandiant | Examine log files using text, graphic or histogram views |
| Link Parser | 4Discovery | Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files |
| LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details |
| PlatformAuditProbe* | AppliedAlgo | Command-line Windows forensic/incident response tool that collects many artefacts; a manual is available |
| RSA Netwitness Investigator* | EMC | Network packet capture and analysis |
| Memoryze | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems |
| MetaExtractor | 4Discovery | Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files |
| MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
| NetSleuth | NetGrab | Network monitoring tool, with covert “silent port scanning” |
| PictureBox | Mike’s Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format |
| PsTools | Microsoft | Suite of command-line Windows utilities |
| Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies |
| Simple File Parser | Chris Mayhew | GUI tool for parsing .lnk files, prefetch and jump list artefacts |
| SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
| Strings | Microsoft | Sysinternals command-line tool that extracts printable ASCII and Unicode strings from binary files |
| Structured Storage Viewer | MiTeC | View and manage MS OLE Structured Storage based files |
| Switch-a-Roo | Mike’s Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc |
| Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |
| Xplico | Gianluca Costa & Andrea De Franceschi | Network forensics analysis tool |
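Several of the tools above (Advanced Prefetch Analyser, Simple File Parser, Windows File Analyzer) read Windows prefetch files. The following is an added example, not code from any of the listed tools, showing what such a parser does with the XP/2003 (version 17) and Vista/7 (version 23) formats: it checks the `SCCA` signature, pulls the executable name and hash out of the fixed header, and reads the last-run FILETIME and run count from the version-specific offsets. The sample `.pf` bytes are constructed in `build_sample` for illustration; the hash value and executable names are arbitrary. Windows 8 and later write MAM-compressed prefetch files, which this parser rejects rather than mis-reads.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets that differ between the uncompressed prefetch format versions:
# version 17 (0x11) is Windows XP/2003, version 23 (0x17) is Vista/7.
_LAYOUT = {
    17: {"last_run": 120, "run_count": 144},
    23: {"last_run": 128, "run_count": 152},
}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_MIN_LEN = 160  # covers the run count field in both layouts


def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (microsecond precision)."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch_header(data):
    """Return the headline fields of an XP/Vista/7 .pf file, or raise ValueError."""
    if len(data) < _MIN_LEN:
        raise ValueError("file too short to be a prefetch header")
    if data[:4] == b"MAM\x04":
        raise ValueError("Windows 8+ prefetch file is MAM-compressed; decompress it first")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("bad signature %r, expected b'SCCA'" % signature)
    if version not in _LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    # 60-byte UTF-16LE executable name field; the name is NUL-terminated within it.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]
    layout = _LAYOUT[version]
    last_run_ft = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "executable": exe_name,
        "hash": "%08X" % prefetch_hash,
        # Windows names the file EXENAME-HASH.pf; a mismatch with the on-disk
        # name is worth noting during analysis.
        "expected_filename": "%s-%08X.pf" % (exe_name, prefetch_hash),
        "file_size": file_size,
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
    }


def build_sample(version, exe_name, last_run, run_count, prefetch_hash=0x1234ABCD):
    """Constructed fixture (not a real capture): a header with only the fields
    parse_prefetch_header reads populated; everything else is left zero."""
    buf = bytearray(_MIN_LEN)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, len(buf))
    name = exe_name.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, prefetch_hash)
    layout = _LAYOUT[version]
    struct.pack_into("<Q", buf, layout["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


# Constructed sample files (not real captures) used by the demo below.
SAMPLE_TIME = datetime(2013, 5, 4, 9, 30, tzinfo=timezone.utc)
SAMPLE_WIN7 = build_sample(23, "CMD.EXE", SAMPLE_TIME, 7)
SAMPLE_XP = build_sample(17, "NOTEPAD.EXE", SAMPLE_TIME, 3)

if __name__ == "__main__":
    for sample in (SAMPLE_XP, SAMPLE_WIN7):
        for key, value in parse_prefetch_header(sample).items():
            print("%-18s %s" % (key, value))
        print()
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_prefetch_header`; the last-run value is in UTC, so convert to the machine's time zone only when correlating with local-time logs.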

