File and data analysis
Name | From | Description |
---|---|---|
Advanced Prefetch Analyser | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files |
analyzeMFT | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
CapAnalysis | Evolka | PCAP viewer |
CrowdResponse | CrowdStrike | Directory enumeration, file hashes, certificate details, detailed process listing and YARA module to scan process memory & associated binaries. |
CrowdInspect | CrowdStrike | Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce “at-a-glance” state of the system |
Defraser | Various | Detects full and partial multimedia files in unallocated space |
eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc. |
Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file |
ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types |
Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
Ghiro | Alessandro Tanasi | In-depth analysis of image (picture) files |
Highlighter | Mandiant | Examine log files using text, graphic or histogram views |
Link Parser | 4Discovery | Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files |
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details |
PlatformAuditProbe* | AppliedAlgo | Command-line Windows forensic/incident response tool that collects many artefacts. Manual |
RSA Netwitness Investigator* | EMC | Network packet capture and analysis |
Memoryze | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems |
MetaExtractor | 4Discovery | Recursively parses folders to extract metadata from MS Office, OpenOffice and PDF files |
MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
NetSleuth | NetGrab | Network monitoring tool, with covert “silent port scanning” |
PictureBox | Mike’s Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format |
PsTools | Microsoft | Suite of command-line Windows utilities |
Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies |
Simple File Parser | Chris Mayhew | GUI tool for parsing .lnk files, prefetch and jump list artefacts |
SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
Strings | Microsoft | Command-line tool for text searches |
Structured Storage Viewer | MiTec | View and manage MS OLE Structured Storage based files |
Switch-a-Roo | Mike’s Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc |
Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |
Xplico | Gianluca Costa & Andrea De Franceschi | Network forensics analysis tool |