Friday, October 23, 2009

Free Tools

I've seen requests in several listservs for listings of free tools that people use during examinations, and most often, the response is something akin to "contact me off list". In my mind, that kind of defeats the purpose of the listserv...why not just close it down and move everyone to Craigslist?

Regardless, I thought that this would be a good way to start and even maintain a list of free tools (or at least some that have trials/demos available) that can/have been used during computer forensic examinations on Windows systems. I'll start by providing tools that I use, as well as links to other tools, and from there, I will expand the list as I receive information (ie, comments, emails, etc.)

General Tools
Perl - 'nuff said; mostly for creating my own tools
Strings/BinText
LiveView

Acquisition
FTK Imager - great for opening raw (ie, dd) images, .EOx files, .vmdk files, etc - even allows you to "acquire" other formats to raw/dd. Also great for selected file extraction from the image, when you don't need everything
dd - George M. Garner Jr's FAU
dcfldd - another CLI imaging tool, available for the Windows platform
Tableau TIM - coming Q4, 2009
Raptor - bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let's just use this one as a placeholder for all bootable Linux CDs...)

Image Mounting
IMDisk - great free tool for mounting Windows images on Windows systems, in read-only mode
VDKWin - another free tool
P2Explorer - from Paraben; free, requires registration

Image Analysis
TSK Tools - I've used mmls and fls mostly, but blkls is extremely useful, as well
ProDiscover, Basic Edition - Not a full suite, but very useful
AntiVirus Scanners (ClamWinPortable, SysClean, Malwarebytes)
Timeline Creation Tools (TSK tools, pasco, Perl scripts, etc.) - Perl scripts available from the Win4n6 Yahoo Group
Internet Evidence Finder (JADSoftware) - also, check out the Encrypted Disk Detector
Carving - foremost, scalpel, PhotoRec
DiskDigger - from Dmitry Brant; also check out NTFSWalker

File/Document Metadata
Structured Storage Extractor - view contents of structured storage/OLE files; this used to mean just MS Office (pre-2007) documents, but on Windows 7, this now means Sticky Notes, etc.
OffVis (fact sheet) -
Office 2007 document metadata (script) - look for cat_open_xml.pl; other tools available, as well
Skype Extractor -
PDF Tools - from Didier Stevens; some of Didier's tools have been incorporated into the VirusTotal site
MSI files - InstEd

Working with Email
Email Conversion Tools - may not be free
AvTech - Perl script
Emailchemy - from Weird Kid Software; demo available
Mail-Cure - free, described here
Aid4Mail - free trial available
Intella - from Vound Software; doesn't require that Outlook be installed; trial available

File Hashing
MD5Deep - also allows for other hashing algorithms
SSDeep - fuzzy hashing; is also incorporated into VirusTotal

Registry Analysis
RegRipper - includes rip, ripXP, and regslack
MiTeC Registry File Viewer
Didier Stevens' UserAssist
Pwdump7 or SAMInside - great way to get password hashes for cracking

Archive/Compression Utilities
IZArc
PeaZip
Other utilities
ExtractNow

Memory Collection/Analysis
Windd - 1.3, for x86 and x64 now available
MDD - ManTech's memory imaging tool; 32-bit, has the 4GB limit
Nigilant32 - from Matt Shannon, F-Response; Windows 2000/XP only
Volatility - XP SP 2&3 only
Memoryze - from Mandiant

Packet Analysis
NetworkMiner
WireShark
NetWitness Investigator
Tools for extracting files from streams - not all of the tools listed run on Windows

Browser Analysis
SQLite Spy (for Firefox 3 analysis)

Misc
U3 Launcher Log parser
Other Mandiant Tools (Highlighter, Web Historian, etc.)
MIR-ROR - read about it here; great tool from Russ McRee (read Russ's ISSA toolsmith write-ups on other tools)
ShadowExplorer (Dan Mares' VSS)
SMPlayer - "for troublesome videos"
Evidence Mover
Windows Search Index Extractor - Extract information in the Windows Desktop Search database (ie, windows.edb file)

Sites
Various thumbnail cache extractor applications can be found here.
NirSoft has a variety of free and useful utilities available.
RedWolf Computer Forensics - various parsing tools
VirusTotal

Any you'd like to add? Comment, or email me.

Addendum:
Prefetch Parser
Fox Analysis - browser analysis
MiTeC Windows Registry Recovery
MiTeC Windows Registry Analyzer (associated guide)
DigestIT 2004 MD5 Hash

21 comments:

Joe Garcia said...

Great list of tools. I am just starting out in Computer Forensics and this is a big help. Thanks for posting this Harlan.

Joe

Rob Lee said...

Good list Harlan. If you are looking for a pre-built environment with these tools ready to go out of the box.

Majority of these tools built into the SANS Investigative Forensic Toolkit: https://computer-forensics2.sans.org/community/downloads/

# ssdeep & md5deep (Hashing Tools)
# Foremost/Scalpel (File Carving)
# WireShark (Network Forensics)
# HexEditor
# Vinetto (thumbs.db examination)
# Pasco (IE Web History examination)
# Rifiuti (Recycle Bin examination)
# Volatility Framework (Memory Analysis)
# DFLabs PTK (GUI Front-End for Sleuthkit)
# Autopsy (GUI Front-End for Sleuthkit)
# The Sleuth Kit (File system Analysis Tools)
#cregripper.pl and plugins Registry Forensic Carver
# regslack.pl Registry slack
# deleted.pl Registry deleted key examination
# regtime.pl Registry timelime creator – now with sleuthkit bodyfile output
#nwindata.pl Windows Time
# Mandiant Auditviewer AuditViewer to parse and examine memory via GUI

cdtdelta said...

Awesome list Harlan, thanks for posting it.

I didn't even know that ProDiscover had a free version! I'm grabbing that one now to look at it.

Tom

Rob Lee said...

Another wonderful timeline tool Log2Timeline can be found at http://log2timeline.net

--Rob

cdtdelta said...

Some others I thought of:

dcfldd - Imaging with hashing

LiveView - Convert DD images to VMWare bootable images

VMWare Player - Free but I think you need a VMWare account

Forensic CaseNotes - For keeping your case notes - hashes entries as you enter them

DCode - Nice little utility for converting Data to Date/Time values.

MFT Ripper - Dumps MFT file to a CSV file. You have to email the author for this, but he has a free version

IfranView - Free Image Viewer/Converter

Ok that's enough for now...I'm sure I have more at home. :)

Tom

Jimmy_Weg said...

FoprensicBox for MSN and Windows Live.

Advanced Prefetch Analyzer (an update is in the works). Also Didier's tool.

SQLite Spy - handy for FireFox 3

Evidence Mover from Microforensics.

ExtractNow for extracting files from multiple archives at once.

SMPlayer for troublesome videos.

ClamWinPortable and SysClean for AV scanning from a thumb.

VSS from Dan Mares for mounting shadow volumes.

There are a lot of good tools that are not free, but not expensive, either. The list could grow if you put a <$100 or even <$50 limit on cost. BTW, IrfanView is not free for use in a commercial or government environment, but I think that a license was around $10.00.

Keydet89 said...

Jimmy,

Any chance of getting links to any of those tools?

Thanks!

Sean McLinden said...

Don't forget the Princeton tools:

http://citp.princeton.edu/memory/code/

Rob said...

Thanks Harlan. This has always been one of my peeves about the lists as well.

Anonymous said...

Raptor - bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let's just use this one as a placeholder for all bootable Linux CDs...)

Raptor in not a forensically sound distro - it recovers file systems during boot sequence, activates swap partitions and does not provide a way to mount a file system in real read-only manner.

ele said...

Regarding Raptor:

It does provide a way to mount a file system in read-only.

But it doesn't include the HPA when imaging into raw (dcfldd)

Steve Whalen, CFCE said...

Regarding the Anonymous comment about Raptor. Please test or research a tool before making any comments.

Raptor is forensically sound. At no time does it mount or touch any attached devices without the approval of the user.

If anyone has any questions or concerns feel free to contact me directly - swhalen@forwarddiscovery.com.

Anonymous said...

Don't forget PsTools
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

joeware
http://www.joeware.net/index2.htm
good domain tools

Jimmy_Weg said...

Here are links to most of the tols that I mentioned:

Advanced Prefetch Analyzer by Allan Hay (an update is in the works).
UserAssist by Didier Stevens (http://blog.didierstevens.com/programs/userassist/)
SQLite Spy - handy for FireFox 3 (http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index)
Evidence Mover from Microforensics. (http://www.microforensics.com/pages/downloads.php) Site is down at the moment.
ExtractNow for extracting files from multiple archives at once. (http://www.extractnow.com/)
SMPlayer for troublesome videos.(http://smplayer.sourceforge.net/downloads.php?tr_lang=en)
ClamWinPortable for AV scanning from a thumb.(http://portableapps.com/apps/utilities/clamwin_portable)
SysClean for AV scanning from a thumb (http://www.trendmicro.com/download/sysclean.asp)
VSS from Dan Mares for mounting shadow volumes. (http://www.dmares.com/index.htm)

Kevin DeLong said...

Great list of software ! Thanks for taking the time to post this valuable information !

Sean McLinden said...

ReviveIt: A tool for carving data from NTFS-compressed images at:

http://sourceforge.net/projects/revit/

Caine (Computer Aided INvestigative Environment) at:

http://www.caine-live.net/

Not, strictly, a tool but a collection of images used to support eDiscovery training and research (Digital Corpora) at:

http://digitalcorpora.org/

Keydet89 said...

Sean,

Thanks. I'm not as familiar with Caine as you are...how are you using it in the forensic examination of Windows systems?

Thanks!

Sean McLinden said...

Hi Harlan:

I use Caine pretty much as I used to use Helix before it became a commercial product. I like the fact that it is simple to build a bootable USB version which I will sometimes use for triage purposes especially when the discovery order precludes me from making complete forensic images.

The problem is often the judge's limited understanding of the digital forensic process and an increased emphasis on privacy precluding what are perceived as "fishing expeditions".

With Caine I can often gather enough evidence to warrant a more complete examination, or eliminate the need to do so.

There are other Linux distros offering a similar set of tools, and I'm not crazy about Ubuntu, which is not my favorite Linux distribution, but for ease of use, Caine is one of the best.

Sean

Anonymous said...

*Very* useful list; thanks for putting it together.

Minor error: the link for dcfldd links back to this blog post; target should be http://dcfldd.sourceforge.net/

Stefan said...

Here's my list of tools:

Chaosreader: http://chaosreader.sourceforge.net/
Eindeutig: http://sourceforge.net/projects/fast/files/Eindeutig/
FileAlyzer: http://www.safer-networking.org/en/filealyzer/index.html
Galleta: http://sourceforge.net/projects/fast/files/Galleta/
OfficeMalScanner: http://www.reconstructer.org/code/OfficeMalScanner.zip
RunAlyzer: http://www.safer-networking.org/en/runalyzer/index.html
Stegdetect: http://www.outguess.org/download.php
TrID: http://mark0.net/soft-trid-e.html
Windows Forensic Toolchest (WFT): http://www.foolmoon.net/security/wft/
chkrootkit: http://www.chkrootkit.org/
dumphive: (no URL found)
pdftk: http://www.accesspdf.com/pdftk/

And here's a list of very useful misc sites:

Wepawet: http://wepawet.cs.ucsb.edu/
jsunpack: http://jsunpack.jeek.org/dec/go
Anubis: http://anubis.iseclab.org/

Cheers, Stefan.

dnardoni said...

Great list of tools from everyone!

Baremetal Software http://baremetalsoft.com/

Produces:
baretail and baregrep

Both great tools

baretail is a great version of tail for windows systems

Dave