There are a lot of free forensic tools available on the internet. It can be a challange to find the right tool at the right moment. This is a list of some great tools:
Tip: ForensiCopy, the free Forensic File Copier.
| Stage: Evidence collection | Purpose: Live capture (System memory) |
| Name | |
| [Moonsol] – Windows Memory Toolkit | |
| Description | |
| Generates a dump of the system memory. | |
| Website | |
| http://www.moonsols.com/windows-memory-toolkit/ | |
| Stage: Evidence collection | Purpose: Live capture (System memory) |
| Name | |
| [Belkasoft] – Live RAM Capturer | |
| Description | |
| Special tool to generate a dump of the system memory. Also works on systems with anti-debugging and anti-dumping protection. | |
| Website | |
| http://forensic.belkasoft.com/en/ram-capturer | |
| Stage: Evidence collection | Purpose: Live capture (System memory) |
| Name | |
| [Mandiant] – Memoryze | |
| Description | |
| Creates a image of the complete system memory also has the possibility to analyse this image. | |
| Website | |
| http://www.mandiant.com/resources/download/memoryze/ | |
| Stage: Evidence collection | Purpose: Data Storrage (HDD/SSD/USB) |
| Name | |
| [Guidance] – EnCase® Forensic Imager | |
| Description | |
| The forensic imager of Guidance (creators of Encase). | |
| Website | |
| http://www.guidancesoftware.com/Order-Forensic-Imager.aspx | |
| Stage: Evidence collection | Purpose: Data Storrage (HDD/SSD/USB) |
| Name | |
| [AccessData] – FTK Imager | |
| Description | |
| The forensic imager of AccessData (creators of FTK). | |
| Website | |
| http://www.accessdata.com/support/product-downloads | |
| Stage: Evidence collection | Purpose: Data Storrage (HDD/SSD/USB) |
| Name | |
| Guymager | |
| Description | |
| A forensic imager for Linux. Supports dd, EWF and AFF images. (only works in linux) | |
| Website | |
| http://guymager.sourceforge.net/ | |
| Stage: Evidence collection | Purpose: Duplication |
| Name | |
| [nuix] – Evidence Mover | |
| Description | |
| Forensic file mover, use this to move evidence files from one location to an other while maintaining the chain of custody. | |
| Website | |
| http://www.nuix.com/Nuix-evidence-mover | |
| Stage: Evidence collection | Purpose: Hash |
| Name | |
| [NirSoft] – HashMyFiles | |
| Description | |
| Great tool to calculate the hash value of several files at once. | |
| Website | |
| http://www.nirsoft.net/utils/hash_my_files.html | |
| Stage: Evidence collection | Purpose: Overige |
| Name | |
| MouseJiggle | |
| Description | |
| Avoid a system to go “idle”, this tool makes small mouse movements which avoids the system going in stand-by, locking down or running programs designed to run when the system is idle. |
|
| Website | |
| http://mousejiggler.codeplex.com/ | |
| Stage: Investigation | Purpose: Encryption |
| Name | |
| [MAGNET] – Encrypted disk detector | |
| Description | |
| This command-line tool checks the disk for encrypted data. It detects TrueCrypt, PGP and Bitlocker disks. | |
| Website | |
| http://info.magnetforensics.com/encrypted-disk-detector | |
| Stage: Investigation | Purpose: Image Mounting |
| Name | |
| [MAGNET] – Encrypted disk detector | |
| Description | |
| Tool to mount a image as a drive within windows. (read-only or read-write). | |
| Website | |
| http://www.osforensics.com/tools/mount-disk-images.html | |
| Stage: Investigation | Purpose: Image Mounting |
| Name | |
| [Paraben] – P2 eXplorer | |
| Description | |
| Comprehensive tool to mount a image as a drive. |
|
| Website | |
| http://www.paraben.com/p2-explorer.html | |
| Stage: Investigation | Purpose: E-Mail |
| Name | |
| [KERNEL] – Exchange EDB Viewer | |
| Description | |
| Tool to open, read and analyse EDB files without the need of a Exchange server. | |
| Website | |
| http://www.nucleustechnologies.com/download-exchange-edb-viewer.php | |
| Stage: Investigation | Purpose: E-Mail |
| Name | |
| [MiTeC] – Mail Viewer | |
| Description | |
| Tool to open,read and analyse e-mail messages from “Outlook Express”, “Windows (live) mail”, “Mozilla thunderbird” and EML files. |
|
| Website | |
| http://www.mitec.cz/mailview.html | |
| Stage: Investigation | Purpose: E-Mail |
| Name | |
| [KERNEL] – OST Viewer | |
| Description | |
| Tool to open and read Outlook OST files. | |
| Website | |
| http://www.nucleustechnologies.com/ost-viewer.html | |
| Stage: Investigation | Purpose: E-Mail |
| Name | |
| [KERNEL] – PST Viewer | |
| Description | |
| Tool to open and read Outlook PST files. | |
| Website | |
| http://www.nucleustechnologies.com/pst-viewer.html | |
| Stage: Investigation | Purpose: Search |
| Name | |
| [Mythicsoft] – Agent Ransack | |
| Description | |
| Comprehensive search tool. Supports Boolean and regular expressions. |
|
| Website | |
| http://www.mythicsoft.com/page.aspx?type=agentransack&page=home | |
| Stage: Investigation | Purpose: Prefetch |
| Name | |
| [ash368] – Advanced prefetch analyser (APFA) | |
| Description | |
| Great tool to analyse the prefetch files on a system for evidence. |
|
| Website | |
| http://www.ash368.com/# | |
| Stage: Investigation | Purpose: Time/Date |
| Name | |
| [Digital Detective Group] – DCode | |
| Description | |
| Quick tool to convert time and date between several formats. | |
| Website | |
| http://www.digital-detective.co.uk/downloads.asp | |
| Stage: Investigation | Purpose: Writeblock |
| Name | |
| [Dsicovery] – USB Write Blocker | |
| Description | |
| Software USB write blocker. Note!: This is a software write blocker. It does not replace a hardware write blocker but is a last resort option if you are unable to use a real hardware write blocker. |
|
| Website | |
| http://dsicovery.com/dsicovery-software/usb-write-blocker/ | |
| Stage: Investigation | Purpose: Media |
| Name | |
| [NFI] – Defraser | |
| Description | |
| This tool analyses a datastream (e.g. a image) and shows (partial) mediafiles. | |
| Website | |
| http://sourceforge.net/projects/defraser/ | |
| Stage: Investigation | Purpose: Encryption |
| Name | |
| [Lostpassword] – Encryption analyzer | |
| Description | |
| Looks for encrypted files and is able to decrypt some files. |
|
| Website | |
| http://www.lostpassword.com/encryption-analyzer.htm | |
| Stage: Investigation | Purpose: Media |
| Name | |
| [Sanderson] – Forensic Image Viewer | |
| Description | |
| Great forensic image viewer. Shows a lot of information about the image including the thumbnail and EXIF data. Is also able to open damaged images. | |
| Website | |
| http://sandersonforensics.com/forum/content.php?123-Forensic-Image-Viewer | |
| Stage: Investigation | Purpose: Logfiles |
| Name | |
| [Mandiant] – Highlighter | |
| Description | |
| A essential tool when analyzing logfiles. | |
| Website | |
| http://www.mandiant.com/resources/download/highlighter/ | |
| Stage: Investigation | Purpose: Images |
| Name | |
| MFT Picturebox | |
| Description | |
| Generates a overview of all images within a folder. Also shows the EXIF data. | |
| Website | |
| http://www.mikesforensictools.co.uk/MFTPB.html | |
| Stage: Investigation | Purpose: Shadow copy |
| Name | |
| ShadowExplorer | |
| Description | |
| Browse shadow copies. | |
| Website | |
| http://www.shadowexplorer.com/ | |
| Stage: Investigation | Purpose: Decoding |
| Name | |
| MFT Shiwtch-a-roo | |
| Description | |
| Simple tool to replace / convert / decode text. | |
| Website | |
| http://www.mikesforensictools.co.uk/MFTSAR.html | |
| Stage: Investigation | Purpose: System files |
| Name | |
| [mitec] Windows File Analyzer | |
| Description | |
| Analyses important system files. | |
| Website | |
| http://www.mitec.cz/wfa.html | |
© 2014 Nick Raedts
English
Nederlands