Memory Collection/Analysis
FTK Imager - Includes the ability to collect memory
DumpIt - Great utility for dumping Windows memory; 32- & 64-bit versions in one EXE!
Volatility - 'nuff said! (Google Code project home)
Mandiant RedLine
HBGary Responder CE
MemProcFS - memory process file system
BinaryDefense/YaraMemoryScanner
Don't want to collect your own memory?
NIST memory images
List from ForensicsWiki
"Federal" Trojan sample
HoneyNet "Banking Troubles" Challenge
Network Capture/Analysis Tools
WireShark - Excellent free tool for capturing and analyzing network packet captures
NetworkMiner - Network forensic analysis tool
Netwitness Investigator - free edition of the tool; supports 25 simultaneous 1GB captures.
Network Appliance Forensic Toolkit (NAFT) by Didier Stevens - Python-based, can extract packets from Windows memory. If you're using 32-bit Python and your input file is greater than 512MB, split it into chunks.
Don't want to collect your own memory?
NIST memory images
List from ForensicsWiki
"Federal" Trojan sample
HoneyNet "Banking Troubles" Challenge
Network Capture/Analysis Tools
WireShark - Excellent free tool for capturing and analyzing network packet captures
NetworkMiner - Network forensic analysis tool
Netwitness Investigator - free edition of the tool; supports 25 simultaneous 1GB captures.
Network Appliance Forensic Toolkit (NAFT) by Didier Stevens - Python-based, can extract packets from Windows memory. If you're using 32-bit Python and your input file is greater than 512MB, split it into chunks.
Pcap_Parser_Analyzer
Sample Images
Digital Corpora - Simson Garfinkel's site with test images and scenarios
Hacking Case from NIST (CFReDs)
Lance Mueller's Practical examples - Lance no longer maintains the site, but the site itself will remain; Practical #1 is an excellent example to use.
Interesting image and scenario from InfoSecShortTakes
Carving
PhotoRec - from the site: "...designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data..."
Scalpel - v2.0; excellent carver that (like others) is file system independent. You can also create custom .conf file entries.
ParseRS/RipRS - John Moan's tools for recovering IE Travelog/RecoveryStore pages.
Image Mounting
OSFMount
ImDisk - Installs as a Control Panel applet
FTK Imager
vhdtool - use this tool to convert a raw/dd image file to a .vhd file, which you can mount using the Disk Management tool in Win7
raw2vmdk - Java utility convert a raw/dd image to .vmdk
LiveView - Java utility for creating VMWare support files for a raw/dd image; you can then boot the image (if you're not LE, consider using ntpasswd below to 'zero out' the Administrator password so that you can log in...)
VirtualBox - Oracle's free virtualization framework that can run a wide range of guest OS's, including OS/2, Amiga, Android, etc., as well as Linux and Windows.
File System Artifact Tools
analyzeMFT - David Kovar's Python tool for parsing the MFT
MFT Extractor (hmft.exe) - Extract the MFT for parsing with other tools
Sample Images
Digital Corpora - Simson Garfinkel's site with test images and scenarios
Hacking Case from NIST (CFReDs)
Lance Mueller's Practical examples - Lance no longer maintains the site, but the site itself will remain; Practical #1 is an excellent example to use.
Interesting image and scenario from InfoSecShortTakes
Carving
PhotoRec - from the site: "...designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data..."
Scalpel - v2.0; excellent carver that (like others) is file system independent. You can also create custom .conf file entries.
ParseRS/RipRS - John Moan's tools for recovering IE Travelog/RecoveryStore pages.
Image Mounting
OSFMount
ImDisk - Installs as a Control Panel applet
FTK Imager
vhdtool - use this tool to convert a raw/dd image file to a .vhd file, which you can mount using the Disk Management tool in Win7
raw2vmdk - Java utility convert a raw/dd image to .vmdk
LiveView - Java utility for creating VMWare support files for a raw/dd image; you can then boot the image (if you're not LE, consider using ntpasswd below to 'zero out' the Administrator password so that you can log in...)
VirtualBox - Oracle's free virtualization framework that can run a wide range of guest OS's, including OS/2, Amiga, Android, etc., as well as Linux and Windows.
File System Artifact Tools
analyzeMFT - David Kovar's Python tool for parsing the MFT
MFT Extractor (hmft.exe) - Extract the MFT for parsing with other tools
ntfstool
INDXParse - Tool for parsing index/$I30 files
Joachim Schicht's MFT Tools (mft2csv, LogFileParser, etc.)
File Analysis
PDF Tools from Didier Stevens
PDFStreamDumper - description of use here;
SWF Mastah - Python script to make extracting SWF streams from PDF files easier
Windows Event Log Analysis
Analysis Frameworks
OSForensics - Features listed here; file searches, hash lists, rainbow tables. Primarily intended to work on live systems, but you can mount an image as a volume and run it against that.
DFF - FOSS digital analysis framework; be sure to read and follow the blog.
ProDiscover Basic Edition - Free, limited version of ProDiscover; you'll need to scroll down (also be sure to check out ZeroView)
SANS SIFT Workstation - SANS Forensic Appliance
Autopsy - As of Aug 2011, Windows only version (in beta) is a complete rewrite, using Java.
Registry Analysis
RegRipper - Get it here (RR.zip), includes regslack; also, more info here...
Registry Decoder
Shellbag Forensics (w/ a Python script and bodyfile format output)
INDXParse - Tool for parsing index/$I30 files
Joachim Schicht's MFT Tools (mft2csv, LogFileParser, etc.)
File Analysis
PDF Tools from Didier Stevens
PDFStreamDumper - description of use here;
SWF Mastah - Python script to make extracting SWF streams from PDF files easier
Windows Event Log Analysis
APT-Hunter - Threat Hunting Tool for Windows Event Logs (write-up)
Analysis Frameworks
OSForensics - Features listed here; file searches, hash lists, rainbow tables. Primarily intended to work on live systems, but you can mount an image as a volume and run it against that.
DFF - FOSS digital analysis framework; be sure to read and follow the blog.
ProDiscover Basic Edition - Free, limited version of ProDiscover; you'll need to scroll down (also be sure to check out ZeroView)
SANS SIFT Workstation - SANS Forensic Appliance
Autopsy - As of Aug 2011, Windows only version (in beta) is a complete rewrite, using Java.
Registry Analysis
RegRipper - Get it here (RR.zip), includes regslack; also, more info here...
Registry Decoder
Shellbag Forensics (w/ a Python script and bodyfile format output)
regtools
Digital Forensics Stream blog post: Including Shellbags Data in Timelines
Chad's Shellbags analysis article (w/ link to TZWorks sbag.exe)
Password Recovery
Now and again, there's a need to change or crack Windows passwords; for LE, often just knowing if an account had a password or not is enough.
Ntpwedit - allows you to change a Windows password; based on Nordahl's tool
Ntpasswd - Nordahl's tool; includes option for a CD/USB bootdisk to change a Windows password
pwdump7 - dump password hashes
SAMInside - password hash cracker
OphCrack - password hash cracker
L0phtcrack - no introduction necessary (15 day trial)
Phones/Phone Backup Files
I wanted to include a section to address FOSS tools for accessing mobile devices/phones, as well as backups of these devices that you might find on a Windows system.
iPhone
iPhoneBrowser - Access the iPhone file system from a Windows GUI
iPhone Analyzer -
iPhoneBackupExtractor - includes a free download for extracting files from an iPhone backup
iPhone Backup Browser -
*You can also use the information in this article (even more info is available from this AppleExaminer article), and use SQLite or SQLite Browser to access information in the db files; for working with plists, consider plutil.exe (installed with iTunes) for converting plists. Also consider this article from Linux Sleuthing that describes parsing the iPhone SMS database.
iTwin -
This SlideShare presentation talks about using open source tools to analyze iOS devices.
BlackBerry
ForensicsWiki BlackBerry Forensics page (watch out for these common pitfalls)
Blackberry Desktop Manager software
There is some additional information at Eric Huber's blog, via an interview with Shafik Punja.
Blackberry.com IPD file format
ElcomSoft BlackBerry Explorer -for pay, but has a limited trial version (read/parse IPD/BBB files)
Get additional information from a BB (after backup) using JavaLoader (NOT a forensic tool)
Bye Nary blog post - What's in an IPD?
Other possible solutions (untested):
Reincubate Labs - Blackberry Backup Extractor
MagicBerry IPD parser
Android
If you're interested in seeing if there's any location information available in an Android phone, check out android-locdump.
While not specific to Windows, check out this Wiki page at the HoneyNet site for a VirtualBox VM you can download to do Android malware RE.
eEvidence.info site for mobile forensics
Cellular.Sherlock - lots of great info available on mobile forensics
Other
Digital Forensics Stream blog post: Including Shellbags Data in Timelines
Chad's Shellbags analysis article (w/ link to TZWorks sbag.exe)
Password Recovery
Now and again, there's a need to change or crack Windows passwords; for LE, often just knowing if an account had a password or not is enough.
Ntpwedit - allows you to change a Windows password; based on Nordahl's tool
Ntpasswd - Nordahl's tool; includes option for a CD/USB bootdisk to change a Windows password
pwdump7 - dump password hashes
SAMInside - password hash cracker
OphCrack - password hash cracker
L0phtcrack - no introduction necessary (15 day trial)
Phones/Phone Backup Files
I wanted to include a section to address FOSS tools for accessing mobile devices/phones, as well as backups of these devices that you might find on a Windows system.
iPhone
iPhoneBrowser - Access the iPhone file system from a Windows GUI
iPhone Analyzer -
iPhoneBackupExtractor - includes a free download for extracting files from an iPhone backup
iPhone Backup Browser -
*You can also use the information in this article (even more info is available from this AppleExaminer article), and use SQLite or SQLite Browser to access information in the db files; for working with plists, consider plutil.exe (installed with iTunes) for converting plists. Also consider this article from Linux Sleuthing that describes parsing the iPhone SMS database.
iTwin -
This SlideShare presentation talks about using open source tools to analyze iOS devices.
BlackBerry
ForensicsWiki BlackBerry Forensics page (watch out for these common pitfalls)
Blackberry Desktop Manager software
There is some additional information at Eric Huber's blog, via an interview with Shafik Punja.
Blackberry.com IPD file format
ElcomSoft BlackBerry Explorer -for pay, but has a limited trial version (read/parse IPD/BBB files)
Get additional information from a BB (after backup) using JavaLoader (NOT a forensic tool)
Bye Nary blog post - What's in an IPD?
Other possible solutions (untested):
Reincubate Labs - Blackberry Backup Extractor
MagicBerry IPD parser
Android
If you're interested in seeing if there's any location information available in an Android phone, check out android-locdump.
While not specific to Windows, check out this Wiki page at the HoneyNet site for a VirtualBox VM you can download to do Android malware RE.
eEvidence.info site for mobile forensics
Cellular.Sherlock - lots of great info available on mobile forensics
Other
gajos112 - lots of different tools (including RegRipper plugins) from gajos112
PE Analysis Tools
HBGary Fingerprint - Analysis/comparison tool, extensible via C#
CFF Explorer - Understands .NET files, extensible via scripting
TZWorks pe_view and pescan
PEiD - discontinued, but good tool
PEView
PE Analysis Tools
HBGary Fingerprint - Analysis/comparison tool, extensible via C#
CFF Explorer - Understands .NET files, extensible via scripting
TZWorks pe_view and pescan
PEiD - discontinued, but good tool
PEView
biodiff - write-up by Willi Ballenthin
Metadata tools
Phil Harvey's EXIFTool
Zena Forensics EXIF Summarizer - Python script
Word 2007 metadata - read_open_xml.pl
Other tools
Wifi WAP geolocation using macl.pl
VMDK Forensic Artifact Extractor (vfae.exe) - extract files from a VMDK
Jesse updated md5deep to include Win PE file identification (miss identify)
Browser Analysis
Sean Cavanaugh's paper on Safari cache.db analysis (refers to the Forensics from the Sausage Factory blog posts)
Firefox
Kristinn's SANS blog write-up regarding FF3+ history (ff3histview.pl)
MozillaZine: Contents of user's profile folder
ForensicsWiki: FF3 History File format
Write-up on F3e
Chrome
Hindsight Chrome history parser
Sites
These are some sites that include a number of useful tools:
TZWorks - lots of great tools including a shellbag parser
NirSoft - another site with a lot of great tools
Tools I've written and provided with my books (WRF tools, timeline tools, etc.)
WoanWare - Lots of great free utilities, including some for browser analysis
OpenSourceForensics - site with a number of *nix/Windows tools listed
pyDetective - Site containing Python scripts for DF analysis
ForensicCtrl - Free forensic tool list
MalwareHunters Free Tools
My Forensic Tools (from the UK): Some interesting free tools
BethLogic Code site
Metadata tools
Phil Harvey's EXIFTool
Zena Forensics EXIF Summarizer - Python script
Word 2007 metadata - read_open_xml.pl
Other tools
Wifi WAP geolocation using macl.pl
VMDK Forensic Artifact Extractor (vfae.exe) - extract files from a VMDK
Jesse updated md5deep to include Win PE file identification (miss identify)
Browser Analysis
Sean Cavanaugh's paper on Safari cache.db analysis (refers to the Forensics from the Sausage Factory blog posts)
Firefox
Kristinn's SANS blog write-up regarding FF3+ history (ff3histview.pl)
MozillaZine: Contents of user's profile folder
ForensicsWiki: FF3 History File format
Write-up on F3e
Chrome
Hindsight Chrome history parser
Sites
These are some sites that include a number of useful tools:
TZWorks - lots of great tools including a shellbag parser
NirSoft - another site with a lot of great tools
Tools I've written and provided with my books (WRF tools, timeline tools, etc.)
WoanWare - Lots of great free utilities, including some for browser analysis
OpenSourceForensics - site with a number of *nix/Windows tools listed
pyDetective - Site containing Python scripts for DF analysis
ForensicCtrl - Free forensic tool list
MalwareHunters Free Tools
My Forensic Tools (from the UK): Some interesting free tools
BethLogic Code site