Lesson 5 of 6

Forensic Tools

The following is a brief categorization of the tools generally available to forensic investigators:

High Level List of Forensic Tools
Hashing Tools
These are used to verify the integrity of a sequence of data bits. Two files with exactly the same bit pattern hash to the same value under the same hashing algorithm, e.g. MD5, SHA-1 or HMAC-MD5. Conversely, if the hashes of two files do not match, the user can conclude that the files are not the same.
Data Carving Tools
Sometimes data cannot be identified or extracted from its source because it has been either accidentally or intentionally removed from the file system. In most cases, however, the file is still present in lost clusters, unallocated clusters or the slack space of the storage media. To extract such a file we need its file header and file footer, which are almost always available from the file signature; the data between these two points is extracted and then analyzed to validate the file.
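As an added example (not part of the lesson), a minimal header/footer carver of the kind the paragraph describes: it scans a constructed blob of unallocated space for known file signatures, cuts out the bytes between a header and the nearest following footer, and skips a header whose footer is missing. The signature table and the sample blob are constructed here for illustration.

```python
# Added example: header/footer signature carving over a constructed blob.
# (header, footer) byte signatures for a few common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(blob, signatures=SIGNATURES, max_size=10_000_000):
    """Return [(type, offset, data)] for every object found in blob.

    For each type, scan for the header, then look for the footer after it.
    max_size bounds the search so a header with no footer does not swallow
    the rest of the media; such a header is skipped and scanning continues."""
    found = []
    for ftype, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = blob.find(head, pos)
            if start == -1:
                break
            end = blob.find(tail, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1          # truncated object: no footer, skip header
                continue
            end += len(tail)
            found.append((ftype, start, blob[start:end]))
            pos = end                    # resume after the carved object
    return sorted(found, key=lambda f: f[1])


# Constructed sample of unallocated space: two whole objects and one truncated
# JPEG header (no footer) buried between runs of zero bytes.
JUNK = b"\x00" * 16
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunks" + b"IEND\xaeB`\x82"
BLOB = JUNK + FAKE_JPG + JUNK + FAKE_PNG + JUNK + b"\xff\xd8\xff\xe1trunc" + JUNK


def carve_report(blob):
    """Summarize carved objects as (type, offset, length) for the case notes."""
    return [(ftype, offset, len(data)) for ftype, offset, data in carve(blob)]


if __name__ == "__main__":
    for entry in carve_report(BLOB):
        print("type=%s offset=%d length=%d" % entry)
```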
Binary Search Tools
These tools are used to search patterns in binary format.
Imaging Tools
Imaging tools allow you to create a clone of the source data. They are largely divided into two sub-types:
Bit Copy Tools – copy data at the bit level to create an exact clone of the original without any regard for the underlying file system.
File System Tools – copy the entire file system of the original based on the underlying platform/file system.
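An added example (not from the lesson) of what a bit copy tool does and how a hashing tool verifies its output: the device is read sector by sector, an unreadable sector is zero-filled so every later byte keeps its original offset (the behaviour dd's conv=noerror,sync selects), and the resulting image is hashed. The 8-sector device and its bad sector are constructed inside the script.

```python
import hashlib

SECTOR = 512  # bytes per sector, the unit a bit copy tool reads


def image_device(read_sector, nsectors, sector_size=SECTOR):
    """Copy a device sector by sector. A sector that fails to read is replaced
    by zeros (like dd conv=noerror,sync) so later data keeps its offset in the
    image. Returns (image_bytes, list_of_bad_sector_numbers)."""
    image = bytearray()
    bad = []
    for n in range(nsectors):
        try:
            chunk = read_sector(n)
        except IOError:
            chunk = b""
            bad.append(n)
        # Short or missing reads are zero-padded to a full sector.
        image += chunk[:sector_size].ljust(sector_size, b"\x00")
    return bytes(image), bad


def sha256(data):
    """Hash used to verify the image; this value is recorded with the evidence."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a block device: 8 sectors, sector n filled with byte n.
DEVICE = b"".join(bytes([n]) * SECTOR for n in range(8))


def make_reader(bad_sectors=()):
    """Return a sector reader that raises IOError on the given (constructed) bad sectors."""
    def read_sector(n):
        if n in bad_sectors:
            raise IOError("read error at sector %d" % n)
        return DEVICE[n * SECTOR:(n + 1) * SECTOR]
    return read_sector


def acquire(bad_sectors=()):
    """Image the constructed device and report whether its hash matches the
    pristine data. A zero-filled sector changes the hash, which is why the hash
    to document is the one computed over the acquired image itself."""
    image, bad = image_device(make_reader(bad_sectors), 8)
    return {"bad_sectors": bad, "size": len(image), "image_hash": sha256(image),
            "matches_pristine": sha256(image) == sha256(DEVICE)}


if __name__ == "__main__":
    print(acquire())                  # clean acquisition: matches_pristine True
    print(acquire(bad_sectors={5}))   # sector 5 zero-filled: hash differs, size unchanged
```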
Deep Retrieval Tools
Sophisticated data recovery tools that recover lost data by reading the disk at a low level.
Document Metadata Extraction Tools
These tools extract metadata from files, identifying auxiliary information about a file rather than its contents.
Memory Imaging and Analysis Tools
The physical memory of a computer can be imaged and analyzed using a variety of tools. These tools are OS specific, as each operating system manages memory differently. The main challenge remains verifying that the memory contents have been captured correctly. Once a memory image has been created, memory analysis tools are used to extract meaningful information from the artifact.
Network Forensic Tools
Aimed at capturing the state of the network for both real-time and passive examination.
Steganography Tools
Steganography tools allow the detection and decryption of unnoticeable information patterns hidden within other objects, e.g. a message hidden within an image.
Internet History Tools
These tools allow recovery and reconstruction of deleted internet history.
Log management Tools (SIEM)
Security Incident Event Management tools manage an incident lifecycle end to end, from reporting to remediation, and serve as a reference point and knowledge base for effective incident handling and management.
Case Management System
A case management system automates the steps and procedures that are critical to effective case handling through well-designed processes, supported by powerful and proven tools.
File Chain Navigation Tools
These tools reconstruct broken file chains to extract lost information.
File System Navigation Tools
The file system of a computer is where most files are stored and where most evidence is found. These tools facilitate navigation of the file system of a compromised system.
Freeware and Opensource Forensics Tools
Digital Evidence Acquisition
dd – GNU dd, the oldest imaging tool
dc3dd – patched version of GNU dd with added features for computer forensics
ddrescue – raw disk imaging tool that copies data from one file or block device to another, trying hard to rescue data in case of read errors
dcfldd – enhanced version of GNU dd
Media Management
libewf – library to access the Expert Witness Compression Format (EWF). It contains the following tools:
ewfacquire – writes storage media data from devices and files to EWF files
ewfacquirestream – writes data from stdin to EWF files
ewfdebug – experimental tool; does nothing at the moment
ewfexport – exports storage media data in EWF files to (split) RAW format or a specific version of EWF files
ewfinfo – shows the metadata in EWF files
ewfmount – FUSE mounts EWF files
ewfrecover – special variant of ewfexport to create a new set of EWF files from a corrupt set
ewfverify – verifies the storage media data in EWF files
The libewf package also contains the following bindings:
ewf.net – bindings for .Net
pyewf – bindings for Python
afflib – Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata
Mounting Disk Images
mount – Tool used to mount disks
Hashing Tools
md5deep – suite of cross-platform tools to compute and audit hashes for any number of input files. It also supports SHA-1, Tiger and Whirlpool.
Disk Analysis
The Sleuth Kit – collection of UNIX-based command line tools that allow you to investigate a computer. Some of the tools included are: blkcat, blkls, blkcalc, icat, ils, istat.
log2timeline – provides a framework to parse various log files and artifacts found on suspect systems. The tool contains timescanner and glog2timeline.
Artefacts Analysis
galleta and pasco – Internet Explorer cookie forensic analysis tools
rifiuti – Recycle Bin forensic analysis tool
antiword – application used to display text and graphics from Microsoft Word documents
exiftool – Perl library and command-line tool for reading and writing metadata in files
Registry Analysis
recover_deleted_registry_keys.pl – recovers unallocated keys and key slack from a registry hive
regripper – extracts, correlates, and displays specific information from Registry hive files of the Windows NT (2000, XP, 2003, Vista) family of operating systems
RAM Analysis
Pdgmail – Gmail memory forensics
Pdymail – Yahoo memory forensics
Data Carving
Foremost – recovers deleted files and served as the basis for the more modern Scalpel
Magicrescue – scans a block device for file types it knows how to recover and calls an external program to extract them
testdisk – primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table)
rapier – designed to acquire commonly requested information and samples during an information security event, incident, or investigation
scalpel – recovers deleted data; originally based on Foremost
Compression Tools
Rar – tool used to extract, open and compress rar files
Bzip – tool used to extract, open and compress bzip files
p7zip – port of 7za.exe for POSIX systems like Unix and Mac OS X
PDF Analysis
pdfid.py – PDF forensics tool that quickly provides an overview of a PDF file's potential threats
pdfparser.py – identifies the fundamental elements used in the analyzed file
GUI Forensics Analysis
Autopsy – Digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools
Password Crackers
john – password cracker, also available for Windows
bkhive – dumps the syskey bootkey from a Windows NT/2K/XP/Vista system hive
samdump – dumps the Windows NT/2K/XP/Vista password hashes
ophcrack – free Windows password cracker based on rainbow tables
Stego
Outguess – steganographic tool that allows the insertion of hidden information into the redundant bits of data sources
StegSecret – detection of hidden information in different digital media
Other Utilities
Rdesktop – Remote Desktop Protocol client for accessing Windows Remote Desktop Services
Sqlite – SQLite Database Browser is a light GUI editor for SQLite databases, built on top of Qt
dos2unix – utility to convert text files with DOS or Mac line breaks to Unix line breaks and vice versa