I've seen requests in several listservs for listings of free tools that people use during examinations, and most often, the response is something akin to "contact me off list". In my mind, that kind of defeats the purpose of the listserv...why not just close it down and move everyone to Craigslist?
Regardless, I thought that this would be a good way to start and even maintain a list of free tools (or at least some that have trials/demos available) that can/have been used during computer forensic examinations on Windows systems. I'll start by providing tools that I use, as well as links to other tools, and from there, I will expand the list as I receive information (ie, comments, emails, etc.)
General Tools
Perl - 'nuff said; mostly for creating my own tools
Strings/BinText
LiveView
Acquisition
FTK Imager - great for opening raw (ie, dd) images, .EOx files, .vmdk files, etc - even allows you to "acquire" other formats to raw/dd. Also great for selected file extraction from the image, when you don't need everything
dd - George M. Garner Jr's FAU
dcfldd - another CLI imaging tool, available for the Windows platform
Tableau TIM - coming Q4, 2009
Raptor - bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let's just use this one as a placeholder for all bootable Linux CDs...)
Image Mounting
IMDisk - great free tool for mounting Windows images on Windows systems, in read-only mode
VDKWin - another free tool
P2Explorer - from Paraben; free, requires registration
Image Analysis
TSK Tools - I've used mmls and fls mostly, but blkls is extremely useful, as well
ProDiscover, Basic Edition - Not a full suite, but very useful
AntiVirus Scanners (ClamWinPortable, SysClean, Malwarebytes)
Timeline Creation Tools (TSK tools, pasco, Perl scripts, etc.) - Perl scripts available from the Win4n6 Yahoo Group
Internet Evidence Finder (JADSoftware) - also, check out the Encrypted Disk Detector
Carving - foremost, scalpel, PhotoRec
DiskDigger - from Dmitry Brant; also check out NTFSWalker
File/Document Metadata
Structured Storage Extractor - view contents of structured storage/OLE files; this used to mean just MS Office (pre-2007) documents, but on Windows 7, this now means Sticky Notes, etc.
OffVis (fact sheet) -
Office 2007 document metadata (script) - look for cat_open_xml.pl; other tools available, as well
Skype Extractor -
PDF Tools - from Didier Stevens; some of Didier's tools have been incorporated into the VirusTotal site
MSI files - InstEd
Working with Email
Email Conversion Tools - may not be free
AvTech - Perl script
Emailchemy - from Weird Kid Software; demo available
Mail-Cure - free, described here
Aid4Mail - free trial available
Intella - from Vound Software; doesn't require that Outlook be installed; trial available
File Hashing
MD5Deep - also allows for other hashing algorithms
SSDeep - fuzzy hashing; is also incorporated into VirusTotal
Registry Analysis
RegRipper - includes rip, ripXP, and regslack
MiTeC Registry File Viewer
Didier Stevens' UserAssist
Pwdump7 or SAMInside - great way to get password hashes for cracking
Archive/Compression Utilities
IZArc
PeaZip
Other utilities
ExtractNow
Memory Collection/Analysis
Windd - 1.3, for x86 and x64 now available
MDD - ManTech's memory imaging tool; 32-bit, has the 4GB limit
Nigilant32 - from Matt Shannon, F-Response; Windows 2000/XP only
Volatility - XP SP 2&3 only
Memoryze - from Mandiant
Packet Analysis
NetworkMiner
WireShark
NetWitness Investigator
Tools for extracting files from streams - not all of the tools listed run on Windows
Browser Analysis
SQLite Spy (for Firefox 3 analysis)
Misc
U3 Launcher Log parser
Other Mandiant Tools (Highlighter, Web Historian, etc.)
MIR-ROR - read about it here; great tool from Russ McRee (read Russ's ISSA toolsmith write-ups on other tools)
ShadowExplorer (Dan Mares' VSS)
SMPlayer - "for troublesome videos"
Evidence Mover
Windows Search Index Extractor - Extract information in the Windows Desktop Search database (ie, windows.edb file)
Sites
Various thumbnail cache extractor applications can be found here.
NirSoft has a variety of free and useful utilities available.
RedWolf Computer Forensics - various parsing tools
VirusTotal
Any you'd like to add? Comment, or email me.
Addendum:
Prefetch Parser
Fox Analysis - browser analysis
MiTeC Windows Registry Recovery
MiTeC Windows Registry Analyzer (associated guide)
DigestIT 2004 MD5 Hash
21 comments:
Great list of tools. I am just starting out in Computer Forensics and this is a big help. Thanks for posting this Harlan.
Joe
Good list Harlan. If you are looking for a pre-built environment with these tools ready to go out of the box.
Majority of these tools built into the SANS Investigative Forensic Toolkit: https://computer-forensics2.sans.org/community/downloads/
# ssdeep & md5deep (Hashing Tools)
# Foremost/Scalpel (File Carving)
# WireShark (Network Forensics)
# HexEditor
# Vinetto (thumbs.db examination)
# Pasco (IE Web History examination)
# Rifiuti (Recycle Bin examination)
# Volatility Framework (Memory Analysis)
# DFLabs PTK (GUI Front-End for Sleuthkit)
# Autopsy (GUI Front-End for Sleuthkit)
# The Sleuth Kit (File system Analysis Tools)
#cregripper.pl and plugins Registry Forensic Carver
# regslack.pl Registry slack
# deleted.pl Registry deleted key examination
# regtime.pl Registry timelime creator – now with sleuthkit bodyfile output
#nwindata.pl Windows Time
# Mandiant Auditviewer AuditViewer to parse and examine memory via GUI
Awesome list Harlan, thanks for posting it.
I didn't even know that ProDiscover had a free version! I'm grabbing that one now to look at it.
Tom
Another wonderful timeline tool Log2Timeline can be found at http://log2timeline.net
--Rob
Some others I thought of:
dcfldd - Imaging with hashing
LiveView - Convert DD images to VMWare bootable images
VMWare Player - Free but I think you need a VMWare account
Forensic CaseNotes - For keeping your case notes - hashes entries as you enter them
DCode - Nice little utility for converting Data to Date/Time values.
MFT Ripper - Dumps MFT file to a CSV file. You have to email the author for this, but he has a free version
IfranView - Free Image Viewer/Converter
Ok that's enough for now...I'm sure I have more at home. :)
Tom
FoprensicBox for MSN and Windows Live.
Advanced Prefetch Analyzer (an update is in the works). Also Didier's tool.
SQLite Spy - handy for FireFox 3
Evidence Mover from Microforensics.
ExtractNow for extracting files from multiple archives at once.
SMPlayer for troublesome videos.
ClamWinPortable and SysClean for AV scanning from a thumb.
VSS from Dan Mares for mounting shadow volumes.
There are a lot of good tools that are not free, but not expensive, either. The list could grow if you put a <$100 or even <$50 limit on cost. BTW, IrfanView is not free for use in a commercial or government environment, but I think that a license was around $10.00.
Jimmy,
Any chance of getting links to any of those tools?
Thanks!
Don't forget the Princeton tools:
http://citp.princeton.edu/memory/code/
Thanks Harlan. This has always been one of my peeves about the lists as well.
Raptor - bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let's just use this one as a placeholder for all bootable Linux CDs...)
Raptor in not a forensically sound distro - it recovers file systems during boot sequence, activates swap partitions and does not provide a way to mount a file system in real read-only manner.
Regarding Raptor:
It does provide a way to mount a file system in read-only.
But it doesn't include the HPA when imaging into raw (dcfldd)
Regarding the Anonymous comment about Raptor. Please test or research a tool before making any comments.
Raptor is forensically sound. At no time does it mount or touch any attached devices without the approval of the user.
If anyone has any questions or concerns feel free to contact me directly - swhalen@forwarddiscovery.com.
Don't forget PsTools
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
joeware
http://www.joeware.net/index2.htm
good domain tools
Here are links to most of the tols that I mentioned:
Advanced Prefetch Analyzer by Allan Hay (an update is in the works).
UserAssist by Didier Stevens (http://blog.didierstevens.com/programs/userassist/)
SQLite Spy - handy for FireFox 3 (http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index)
Evidence Mover from Microforensics. (http://www.microforensics.com/pages/downloads.php) Site is down at the moment.
ExtractNow for extracting files from multiple archives at once. (http://www.extractnow.com/)
SMPlayer for troublesome videos.(http://smplayer.sourceforge.net/downloads.php?tr_lang=en)
ClamWinPortable for AV scanning from a thumb.(http://portableapps.com/apps/utilities/clamwin_portable)
SysClean for AV scanning from a thumb (http://www.trendmicro.com/download/sysclean.asp)
VSS from Dan Mares for mounting shadow volumes. (http://www.dmares.com/index.htm)
Great list of software ! Thanks for taking the time to post this valuable information !
ReviveIt: A tool for carving data from NTFS-compressed images at:
http://sourceforge.net/projects/revit/
Caine (Computer Aided INvestigative Environment) at:
http://www.caine-live.net/
Not, strictly, a tool but a collection of images used to support eDiscovery training and research (Digital Corpora) at:
http://digitalcorpora.org/
Sean,
Thanks. I'm not as familiar with Caine as you are...how are you using it in the forensic examination of Windows systems?
Thanks!
Hi Harlan:
I use Caine pretty much as I used to use Helix before it became a commercial product. I like the fact that it is simple to build a bootable USB version which I will sometimes use for triage purposes especially when the discovery order precludes me from making complete forensic images.
The problem is often the judge's limited understanding of the digital forensic process and an increased emphasis on privacy precluding what are perceived as "fishing expeditions".
With Caine I can often gather enough evidence to warrant a more complete examination, or eliminate the need to do so.
There are other Linux distros offering a similar set of tools, and I'm not crazy about Ubuntu, which is not my favorite Linux distribution, but for ease of use, Caine is one of the best.
Sean
*Very* useful list; thanks for putting it together.
Minor error: the link for dcfldd links back to this blog post; target should be http://dcfldd.sourceforge.net/
Here's my list of tools:
Chaosreader: http://chaosreader.sourceforge.net/
Eindeutig: http://sourceforge.net/projects/fast/files/Eindeutig/
FileAlyzer: http://www.safer-networking.org/en/filealyzer/index.html
Galleta: http://sourceforge.net/projects/fast/files/Galleta/
OfficeMalScanner: http://www.reconstructer.org/code/OfficeMalScanner.zip
RunAlyzer: http://www.safer-networking.org/en/runalyzer/index.html
Stegdetect: http://www.outguess.org/download.php
TrID: http://mark0.net/soft-trid-e.html
Windows Forensic Toolchest (WFT): http://www.foolmoon.net/security/wft/
chkrootkit: http://www.chkrootkit.org/
dumphive: (no URL found)
pdftk: http://www.accesspdf.com/pdftk/
And here's a list of very useful misc sites:
Wepawet: http://wepawet.cs.ucsb.edu/
jsunpack: http://jsunpack.jeek.org/dec/go
Anubis: http://anubis.iseclab.org/
Cheers, Stefan.
Great list of tools from everyone!
Baremetal Software http://baremetalsoft.com/
Produces:
baretail and baregrep
Both great tools
baretail is a great version of tail for windows systems
Dave
Post a Comment