Disk Tools and Data Capture: Name From Description


Disk tools and data capture

Name | From | Description

DumpIt | MoonSols | Generates physical memory dump of Windows machines, 32 and 64 bit. Can run from a USB flash drive.
EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link]
Encrypted Disk Detector | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes
EWF MetaEditor | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier)
FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32
Forensics Acquisition of Websites | Web Content Protection Association | Browser designed to forensically capture web pages
FTK Imager | AccessData | Imaging tool, disk viewer and image mounter
Guymager | vogu00 | Multi-threaded GUI imager running under Linux
Live RAM Capturer | Belkasoft | Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds
NetworkMiner | Hjelmvik | Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing
Nmap | Nmap | Utility for network discovery and security auditing
Magnet RAM Capture | Magnet Forensics | Captures physical memory of a suspect's computer. Windows XP to Windows 10, and 2003, 2008, 2012. 32 & 64 bit
OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones.
OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks
Wireshark | Wireshark | Network protocol capture and analysis
Disk2vhd | Microsoft | Creates Virtual Hard Disk versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V VMs
Email analysis

Name | From | Description

EDB Viewer | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server
Mail Viewer | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files
MBOX Viewer | SysTools | View MBOX emails and attachments
OST Viewer | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server
PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook

General

Name | From | Description

Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl Regex
Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation
EvidenceMover | Nuix | Copies data between locations, with file comparison, verification, logging
FastCopy | Shirouzu Hiroaki | Self labelled 'fastest' copy/delete Windows software. Can verify with SHA-1, etc.
File Signatures | Gary Kessler | Table of file signatures
HexBrowser | Peter Fiskerstrand | Identifies over 1000 file types by examining their signatures
HashMyFiles | Nirsoft | Calculate MD5 and SHA1 hashes
MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to boot to them
Mouse Jiggler | Arkane Systems | Automatically moves mouse pointer, stopping screen saver, hibernation etc.
Notepad ++ | Notepad ++ | Advanced Notepad replacement
NSRL | NIST | Hash sets of 'known' (ignorable) files
Quick Hash | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files
USB Write Blocker | DSi | Enables software write-blocking of USB ports
USB Write Blocker | Sécurité Multi-Secteurs | Software write blocker for Windows XP through to Windows 8
Volix | FH Aachen | Application that simplifies the use of the Volatility Framework
Windows Forensic Environment | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD

File and data analysis

Name | From | Description

Advanced Prefetch Analyser | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files
analyzeMFT | David Kovar | Parses the MFT from an NTFS file system, allowing results to be analysed with other tools
CapAnalysis | Evolka | PCAP viewer
Crowd Response | CrowdStrike | Windows console application to aid gathering of system information for incident response and security engagements.
Crowd Inspect | CrowdStrike | Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce an "at-a-glance" state of the system
DCode | Digital Detective | Converts various data types to date/time values
Defraser | Various | Detects full and partial multimedia files in unallocated space
eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc.
Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file
ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types
File Identifier | Toolsley.com | Drag and drop web-browser JavaScript tool for identification of over 2000 file types
Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data
Forpix | Martin Rojak | Identifies similar pictures that are no longer identical due to image manipulation
Ghiro | Alessandro Tanasi | In-depth analysis of image (picture) files
Highlighter | Mandiant | Examine log files using text, graphic or histogram views
Link Parser | 4Discovery | Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details
PlatformAuditProbe | AppliedAlgo | Command line Windows forensic/incident response tool that collects many artefacts. Manual
RSA Netwitness Investigator | EMC | Network packet capture and analysis
Memoryze | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems
MetaExtractor | 4Discovery | Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files
MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file
PictureBox | Mike's Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format
PsTools | Microsoft | Suite of command-line Windows utilities
Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies
SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database
Strings | Microsoft | Command-line tool for text searches
Structured Storage Viewer | MiTec | View and manage MS OLE Structured Storage based files
Switch-a-Roo | Mike's Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc.
Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files
Xplico | Gianluca Costa & Andrea De Franceschi | Network forensics analysis tool

Mac OS tools

Name | From | Description

Audit | Twocanoes Software | Audit Preference Pane and Log Reader for OS X
ChainBreaker | Kyeongsik Lee | Parses keychain structure, extracting user's confidential information such as application account/password, encrypted volume password (e.g. FileVault), etc.
Disk Arbitrator | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker by disabling disk arbitration
Epoch Converter | Blackbag Technologies | Converts epoch times to local time and UTC
FTK Imager CLI for Mac OS | AccessData | Command line Mac OS version of AccessData's FTK Imager
IORegInfo | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected
PMAP Info | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors
Volafox | Kyeongsik Lee | Memory forensic toolkit for Mac OS X


Mobile devices

Name | From | Description

iPBA2 | Mario Piccinelli | Explore iOS backups
iPhone Analyzer | Leo Crawford, Mat Proud | Explore the internal file structure of iPad, iPod and iPhones
ivMeta | Robin Wood | Extracts phone model, software version, created date and GPS data from iPhone videos.
Last SIM Details | Dan Roe | Parses physical flash dumps and Nokia PM records to find details of previously inserted SIM cards.
Rubus | CCL Forensics | Deconstructs Blackberry .ipd backup files
SAFT | SignalSEC Corp | Obtain SMS messages, call logs and contacts from Android devices

Data analysis suites

Name | From | Description

Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below)
Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability
Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools
Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools
Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items
Forensic Scanner | Harlan Carvey | Automates 'repetitive tasks of data collection'. Fuller description here
Paladin | Sumuri | Ubuntu based live boot CD for imaging and analysis
SIFT | SANS | VMware appliance pre-configured with multiple tools allowing digital forensic examinations
The Sleuth Kit | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools
Volatility Framework | Volatile Systems | Collection of tools for the extraction of artefacts from RAM

File viewers

Name | From | Description

BKF Viewer | SysTools | View contents of BKF (XP backup) files
E01 Viewer | SysTools | View E01 files to view messages within email EDB, PST and OST files and search for file names
Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations
Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams
VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc.

Internet analysis

Name | From | Description

Browser History Capturer | Foxton Software | Captures history from Firefox, Chrome and Internet Explorer web browsers running on a Windows computer
Browser History Viewer | Foxton Software | Extract, view and analyse internet history from Firefox, Chrome and Internet Explorer web browsers
Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files ("Current Session", "Last Session", "Current Tabs", "Last Tabs")
ChromeCacheView | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
Cookie Cutter | Mike's Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits.
Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information.
Facebook Profile Saver | Belkasoft | Captures information publicly available in Facebook profiles.
IECookiesView | Nirsoft | Extracts various details of Internet Explorer cookies
IEPassView | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8
MozillaCacheView | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers
MozillaCookieView | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers
MozillaHistoryView | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages
MyLastSearch | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace)
PasswordFox | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser
OperaCacheView | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache
OperaPassView | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat
Web Historian | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers
Web Page Saver | Magnet Forensics | Takes a list of URLs, saving scrolling captures of each page. Produces HTML report file containing the saved pages
Registry analysis

Name | From | Description

ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file
Process Monitor | Microsoft | Examine Windows processes and registry threads in real time
Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents
RegRipper | Harlan Carvey | Registry data extraction and correlation tool
Regshot | Regshot | Takes snapshots of the registry allowing comparisons, e.g., show registry changes after installing software
sbag | TZWorks | Extracts data from Shellbag entries
USB Device Forensics | Woanware | Details previously attached USB devices from exported registry hives
USB Historian | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems
USBDeview | Nirsoft | Details previously attached USB devices
User Assist Analysis | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time attributes from UserAssist keys
UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time
Windows Registry Recovery | MiTec | Extracts configuration settings and other information from the Registry

Application analysis

Name | From | Description

Dropbox Decryptor | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox
Google Maps Tile Investigator | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context
KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details
SkypeLogView | Nirsoft | View Skype calls and chats

For Reference

Name | From | Description

HotSwap | Kazuyuki Nakayama | Safely remove SATA disks, similar to the "Safely Remove Hardware" icon in the notification area
iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones
IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs
LiveView | CERT | Allows examiner to boot dd images in VMware.
Ubuntu guide | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc.
WhatsApp Forensics | Zena Forensics | Extract WhatsApp messages from iOS and Android backups
