Tools

From Forensics Wiki
Revision as of 08:26, 2 February 2016

This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

Disk Analysis Tools

Hard Drive Firmware and Diagnostics Tools

PC-3000 from DeepSpar Data Recovery Systems

Linux-based Tools

LINReS by NII Consulting Pvt. Ltd.
Second Look: Linux Memory Forensics by Pikewerks Corporation

Macintosh-based Tools

Macintosh Forensic Software by BlackBag Technologies, Inc.
MacForensicsLab by Subrosasoft
Mac Marshal by ATC-NY
Recon for MAC OS X by Sumuri, LLC.

Windows-based Tools

Blackthorn GPS Forensics
BringBack by Tech Assist, Inc.
Belkasoft Evidence Center by Belkasoft
This product makes it easy for an investigator to search, analyze and store digital evidence found in Instant Messenger histories, Internet Browser histories and Outlook mailboxes.
CD/DVD Inspector by InfinaDyne
This is the only forensic-qualified tool for examination of optical media. It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide.
EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
EnCase by Guidance Software
Facebook Forensic Toolkit (FFT) by Afentis_forensics
eDiscovery toolkit to identify and clone full profiles, including wall posts, private messages, uploaded photos/tags and group details; graphically illustrate friend links; and generate expert reports.
Forensic Explorer (FEX) by GetData Forensics
Forensic Toolkit (FTK) by AccessData
HBGary Responder Professional - Windows Physical Memory Forensic Platform
ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
Internet Evidence Finder (IEF) by Magnet Forensics
Mercury Indexer by MicroForensics, Inc.
Nuix Desktop by Nuix Pty Ltd
OnLineDFS by Cyber Security Technologies
OSForensics by PassMark Software Pty Ltd
P2 Power Pack by Paraben
Prodiscover by Techpathways
Proof Finder by Nuix Pty Ltd
Safeback by NTI and Armor Forensics
X-Ways Forensics by X-Ways AG
DateDecoder by Live-Forensics
A command line tool that decodes most encoded time/date stamps found on a Windows system and outputs the time/date in a human-readable format.
RecycleReader by Live-Forensics
A command line tool that outputs the contents of the recycle bin on XP, Vista and 7.
Dstrings by Live-Forensics
A command line tool that searches for strings in a given file. It can compare the recovered strings against a dictionary and either exclude the dictionary terms from the output or output only the strings that match the dictionary. It can also search for IP addresses, URLs and e-mail addresses.
Unique by Live-Forensics
A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options.
HashUtil by Live-Forensics
HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes. It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases.
WindowsSCOPE Pro, Ultimate, Live
Comprehensive Windows Memory Forensics and Cyber Analysis, Incident Response, and Education support.
Software and hardware based acquisition with CaptureGUARD PCIe and ExpressCard
Hardware based acquisition of memory on a locked computer via CaptureGUARD Gateway
WindowsSCOPE Live provides memory analysis of Windows computers on a network from Android phones and tablets.
MailXaminer by SysTools
Forensic and eDiscovery tool for finding digital email evidence across multiple email platforms through its search mechanism.
Twitter Forensic Toolkit (TFT) by Afentis_forensics
eDiscovery toolkit to identify relevant Tweets, clone full profiles, download all tweets/media, data mine across comments, and generate expert reports.
YouTube Forensic Toolkit (YFT) by Afentis_forensics
eDiscovery toolkit to identify relevant online media, download/convert videos, data mine across comments, and generate expert reports.
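The Live-Forensics DateDecoder and RecycleReader entries above describe two operations that reduce to a small amount of parsing: converting the integer timestamp encodings found on a Windows system, and reading the $I metadata records that $Recycle.Bin keeps for each deleted file. The following is an added example written for this page, not Live-Forensics code. It assumes the documented $I layout for Vista/7 (version 1) and Windows 10 (version 2); the sample record, path and deletion time are constructed in the code. XP's INFO2 file uses a different format and is not parsed here.

```python
"""Decode common Windows timestamp encodings and parse a Recycle Bin $I record.

Added example, not Live-Forensics code. All sample data is constructed inline.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME / WebKit epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix epoch


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100 ns intervals since 1601-01-01 UTC (NTFS, registry, $I files)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def unix_to_datetime(ts: int) -> datetime:
    """Unix time: seconds since 1970-01-01 UTC (also used by many Windows applications)."""
    return EPOCH_1970 + timedelta(seconds=ts)


def webkit_to_datetime(us: int) -> datetime:
    """WebKit/Chrome time: microseconds since 1601-01-01 UTC (Chrome History, Cookies)."""
    return EPOCH_1601 + timedelta(microseconds=us)


def dos_to_datetime(date_word: int, time_word: int) -> datetime:
    """FAT/ZIP packed date and time: local time, 2-second resolution, no zone.

    date word: bits 15-9 year-1980, 8-5 month, 4-0 day
    time word: bits 15-11 hour, 10-5 minute, 4-0 second/2
    """
    return datetime(
        1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
        time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2,
    )


def candidate_decodings(raw: int, lo: int = 1980, hi: int = 2100) -> dict:
    """Try each encoding on one unlabelled integer and keep the interpretations that
    land in a plausible year range; this is how an examiner disambiguates a raw stamp."""
    attempts = {"filetime": filetime_to_datetime,
                "unix": unix_to_datetime,
                "webkit": webkit_to_datetime}
    out = {}
    for name, fn in attempts.items():
        try:
            dt = fn(raw)
        except (OverflowError, ValueError):   # value outside datetime's range
            continue
        if lo <= dt.year <= hi:
            out[name] = dt.isoformat()
    return out


def parse_recycle_i_record(data: bytes) -> dict:
    """Parse a $I<id>.<ext> metadata file from $Recycle.Bin (Vista and later).

    Layout: 8-byte version, 8-byte original size, 8-byte FILETIME of deletion, then
    the original path as UTF-16LE: a fixed 520 bytes in version 1 (Vista/7), or a
    4-byte character count followed by the path in version 2 (Windows 10).
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def build_sample_i_record(path: str, size: int, deleted: datetime, version: int = 1) -> bytes:
    """Construct a synthetic $I record for the example (not taken from a real system)."""
    ft = datetime_to_filetime(deleted)
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + encoded


# Constructed sample records: hypothetical path and deletion time.
SAMPLE_DELETED = datetime(2016, 2, 2, 8, 26, tzinfo=timezone.utc)
SAMPLE_I_V1 = build_sample_i_record(r"C:\Users\alice\report.docx", 34567, SAMPLE_DELETED, 1)
SAMPLE_I_V2 = build_sample_i_record(r"C:\Users\alice\report.docx", 34567, SAMPLE_DELETED, 2)

if __name__ == "__main__":
    for rec in (SAMPLE_I_V1, SAMPLE_I_V2):
        print(parse_recycle_i_record(rec))
    print(candidate_decodings(130988751600000000))   # a FILETIME for the sample time
    print(candidate_decodings(1454401560))           # the same instant as Unix time
    print(dos_to_datetime(0x4842, 0x4340))           # 2016-02-02 08:26:00, local time
```

candidate_decodings is the check to run on any unlabelled 64-bit value pulled from a hex view: a Unix stamp interpreted as FILETIME lands in 1601 and is discarded, while a FILETIME interpreted as Unix overflows and is caught. FAT/ZIP timestamps carry no zone, so dos_to_datetime deliberately returns a naive value; converting it to UTC requires knowing the machine's configured time zone at the time of writing.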

Open Source Tools

AFFLIB
A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
Bulk Extractor
Bulk Extractor provides digital media triage by extracting Features from digital media.
Bulk Extractor Viewer
Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using Bulk Extractor.
Digital Forensics Framework (DFF)
DFF is a cross-platform, open-source framework aimed at both users and developers. It provides many features and is highly modular. Its goal is to give the forensic community a framework powerful enough that a single tool suffices for an analysis.
Linux based file carving program
FTimes
FTimes is a system baselining and evidence collection tool.
Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
Hachoir
A generic framework for binary file manipulation. It supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap and the MS-DOS partition header, among other structures, recognizes file types, and can find embedded subfiles (hachoir-subfile).
A tool for finding previously identified blocks of data in media such as disk images.
The Open Computer Forensics Architecture
Paladin Forensic Suite (Sumuri, LLC.)
Simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox.
Web-based, database-backed forensic and log analysis GUI written in Python.
Linux and Windows file carving program originally based on foremost.
The Coroner's Toolkit (TCT)
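Dstrings (in the Windows-based tools above) and Bulk Extractor both rest on the same technique: recover strings from raw media, optionally filter them against a dictionary, and sort them into features such as IP addresses, URLs and e-mail addresses. The following added example, written for this page and not taken from either tool, shows the core of that technique on a constructed blob. It recovers ASCII and UTF-16LE runs with their byte offsets, applies a dictionary in either exclude or only mode, and classifies the results; the regexes and the sample bytes are the example's own assumptions.

```python
"""Recover strings from a binary blob and classify them into forensic features.

Added example, not Dstrings or bulk_extractor code. The sample blob is constructed.
"""
import re
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

MIN_LEN = 4

# ASCII runs, and UTF-16LE runs (each printable byte followed by NUL) as found in
# registry hives, PE resources, NTFS metadata and most other Windows artifacts.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Feature patterns; deliberately simple, tuned for triage rather than validation.
FEATURES = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
    "url": re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}

StringHit = Tuple[int, str, str]   # (byte offset, encoding, text)


def extract_strings(blob: bytes) -> Iterator[StringHit]:
    """Yield every string run in the blob, in offset order, tagged with its encoding."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in UTF16_RUN.finditer(blob)]
    return iter(sorted(hits))


def filter_strings(strings: Iterable[StringHit], dictionary: Set[str], mode: str) -> Iterator[StringHit]:
    """mode "exclude" drops strings containing any dictionary term (library names and
    other noise); mode "only" keeps just the strings that match (keyword search)."""
    if mode not in ("exclude", "only"):
        raise ValueError("mode must be 'exclude' or 'only'")
    words = {w.lower() for w in dictionary}
    for off, enc, text in strings:
        hit = any(w in text.lower() for w in words)
        if (mode == "exclude") != hit:    # exclude: keep misses; only: keep hits
            yield off, enc, text


def string_texts(blob: bytes, dictionary: Optional[Set[str]] = None, mode: str = "exclude") -> List[str]:
    """Convenience wrapper returning just the recovered text, filtered if a dictionary is given."""
    strings: Iterable[StringHit] = extract_strings(blob)
    if dictionary:
        strings = filter_strings(strings, dictionary, mode)
    return [text for _off, _enc, text in strings]


def extract_features(blob: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every recovered string for the feature patterns and report each match with
    the offset of the string that contained it, so a hit can be traced back to the media."""
    found: Dict[str, List[Tuple[int, str]]] = {name: [] for name in FEATURES}
    for off, _enc, text in extract_strings(blob):
        for name, rx in FEATURES.items():
            for m in rx.finditer(text):
                found[name].append((off, m.group()))
    return found


# Constructed sample: binary noise, an ASCII request line, a UTF-16LE path, log lines.
# Hosts, addresses and names are hypothetical.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"GET http://intranet.example.com/login?u=alice HTTP/1.1\r\n"
    + b"\x00\x00\x00"
    + "C:\\Users\\alice\\mail.pst".encode("utf-16-le")
    + b"\x00\x00"
    + b"from=alice@example.com to=bob@example.net\n"
    + b"src=192.168.1.23 dst=10.0.0.5 port=443\n"
    + b"libcrypto.so.1.1\x00"
    + b"\xff\xfe\x7f"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{off:6d} {enc:8s} {text}")
    print(string_texts(SAMPLE_BLOB, {"libcrypto", "http"}, "exclude"))
    print(extract_features(SAMPLE_BLOB))
```

The offsets are the important part for an examiner: a feature found at offset N in an image can be mapped back through the filesystem to the file or unallocated cluster that held it. The UTF-16LE pass is what makes Windows paths and registry values show up at all; an ASCII-only scan misses them entirely.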

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

LiveWire Investigator 2008 by WetStone Technologies
P2 Enterprise Edition by Paraben

Forensics Live CDs

Kali Linux
BackTrack Linux

See: Forensics Live CDs

Personal Digital Device Tools

GPS Forensics

Blackthorn GPS Forensics

PDA Forensics

Cellebrite UFED
Paraben PDA Seizure
Paraben PDA Seizure Toolbox

Cell Phone Forensics

Cellebrite UFED
DataPilot Secure View
Fernico ZRT
LogiCube CellDEK
Oxygen Forensic Suite 2010
Paraben's Device Seizure and Paraben's Device Seizure Toolbox
Serial Port Monitoring

SIM Card Forensics

Cellebrite UFED
Paraben's SIM Card Seizure

Preservation Tools

Paraben StrongHold Bag
Paraben StrongHold Tent

Other Tools

Chat Sniper
A forensic software tool designed to simplify the process of on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live), or Yahoo instant messenger.
Serial Port Analyzer
The tool to analyze serial port and device activity.
Computer Forensics Toolkit
This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
Live View
Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
Parallels VM
Serial and USB ports sharing
Share and access serial and USB ports over Ethernet
Microsoft Virtual PC
VMware Player
A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.
VMware Server
The free server product for setting up, configuring and running VMware virtual machines. The important difference from VMware Player is that it can run headless, i.e. entirely in the background.
Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
Recon for MAC OS X
RECON for Mac OS X automates Mac forensic analysis that would take an experienced examiner far longer by hand. It now includes PALADIN 6, which provides a full-featured forensic suite, a bootable forensic imager and a software write-blocker.

Hex Editors

KDE's new cross-platform hex editor with features such as signature-matching
A hex editor for Apple OS X
Hex Workshop
A hex editor from BreakPoint Software, Inc.
ReclaiMe Pro
The built-in disk editor visualizes most known partition and filesystem objects: boot sectors, superblocks, partition headers in structured view. Low-level data editing for extra leverage.
WinHex
Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
A Multi-OS supported, open sourced, hex and disk editor.
Live-Forensics software that reads Windows files at a specified offset and length and outputs the result to the console.

Telephone Scanners/War Dialers

PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.
TeleSweep Secure by SecureLogix is a modem-vulnerability scanner offered as a no-cost download. It dials a batch of corporate phone numbers and reports on the number of modems connected to those lines. Registration is required to obtain a license key, but the software remains free.
WarVOX is a free, open-source VOIP-based war dialing tool for exploring, classifying, and auditing phone systems.
Additional Software Names and Links (Jackpot!)