COMPUTER FORENSIC application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.

Lets clear with Digital Forensics (4n6):

Final copy

Screenshot_2 (2).jpg

For more:  Forensic Group

Disclaimer: This does not constitute a legal opinion and would not create an Attorney-Client relationship. This article is only for information and educational purposes and merely a possible interpretation of the law.

Some Computer Forensic Tools


SOME FORENSIC DISTRO’s: Caine, Deft, Sift, Kali

1.Disk tools and data capture
2.Email analysis
3.General tools
4.File and data analysis
5.Mac OS tools
6.Mobile devices
7.Data analysis suites
8.Internet analysis
9.Registry analysis
10.Application analysis


ISO, NIST, International Organization of Computer Evidence (IOCE), Scientific Working Group on Digital Evidence (SWGDE), Association Chief Police Officer (ACPO), NIJ, DSCI.


Few More Utilities: Source

1. Disk tools and data capture
Arsenal Image Mounter:
Mounts disk images as complete disks in Windows, giving access to Volume Shadow Copies, etc.

DumpIt :
Generates physical memory dump of Windows machines, 32 bits 64 bit. Can run from a USB flash drive.

EnCase :
Create EnCase evidence files and EnCase logical evidence files

Encrypted Disk Detector :
Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes

EWF MetaEditor :
Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier)

FAT32 Format :
Enables large capacity disks to be formatted as FAT32

Forensics Acquisition of Websites :
Browser designed to forensically capture web pages

FTK Imager :
Imaging tool, disk viewer, and image mounter

Guymager :
Multi-threaded GUI imager under running under Linux

Live RAM Capturer :
Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds

NetworkMiner :
Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing

Nmap :
Utility for network discovery and security auditing

Magnet RAM :
Captures the physical memory of a suspect’s computer. Windows XP to Windows 10, and 2003, 2008, 2012. 32 & 64 bit

OSFClone :
Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones.

OSFMount :
Mounts a wide range of disk images. Also allows creation of RAM disks

Wireshark :
Network protocol capture and analysis

Disk2vhd :
Creates Virtual Hard Disks versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V VMs

2. Email analysis
EDB Viewer :
Open and view (not export) Outlook EDB files without an Exchange server

Mail Viewer :
Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files

MBOX Viewer :
View MBOX emails and attachments

OST Viewer  :
Open and view (not export) Outlook OST files without connecting to an Exchange server

PST Viewer  :
Open and view (not export) Outlook PST files without needing Outlook

  1. General tools

Agent Ransack :
Search multiple files using Boolean operators and Perl Regex

Computer Forensic Reference Data Sets :
Collated forensic images for training, practice, and validation

EvidenceMover :
Copies data between locations, with file comparison, verification, logging

FastCopy :
Self labeled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc.

File Signatures :
Table of file signatures

HexBrowser :
Identifies over 1000 file types by examining their signatures

HashMyFiles :
Calculate MD5 and SHA1 hashes

MobaLiveCD :
Run Linux live CDs from their ISO image without having to boot to them

Mouse Jiggler :
Automatically moves mouse pointer stopping screen saver, hibernation etc.

Notepad ++ :
Advanced Notepad replacement

Hash sets of ‘known’ (ignorable) files

Quick Hash :
A Linux & Windows GUI for individual and recursive SHA1 hashing of files

USB Write Blocker :
Enables software write-blocking of USB ports

Volix :
Application that simplifies the use of the Volatility Framework

Windows Forensic Environment :
Guide by Brett Shavers to creating and working with a Windows boot CD

  1. File and data analysis

Advanced Prefetch Analyser :
Reads Windows XP, Vista and Windows 7 prefetch files

analyzeMFT :
Parses the MFT from an NTFS file system allowing results to be analyzed with other tools

bstrings :
Find strings in binary data, including regular expression searching.

CapAnalysis :
PCAP viewer

Crowd Reponse :
Windows console application to aid gathering of system information for incident response and security engagements.

Crowd Inspect :
Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce “at-a-glance” state of the system

DCode :
Converts various data types to date/time values

Defraser :
Detects full and partial multimedia files in unallocated space

eCryptfs Parser :
Recursively parses headers of every eCryptfs file in the selected directory. Outputs encryption algorithm used, original file size, signature used, etc.

Encryption Analyzer :
Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file

ExifTool :
Read, write and edit Exif data in a large number of file types

File Identifier :
Drag and drop web-browser JavaScript tool for identification of over 2000 file types

Forensic Image Viewer :
View various picture formats, image enhancer, extraction of embedded Exif, GPS data

Ghiro :
In-depth analysis of image (picture) files

Highlighter :
Examine log files using text, graphic or histogram views

Link Parser :
Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files

LiveContactsView :
View and export Windows Live Messenger contact details

PECmd :
Prefetch Explorer

PlatformAuditProbe :
Command Line Windows forensic/ incident response tool that collects many artifacts. Manual

RSA Netwitness Investigator :
Network packet capture and analysis!freeware

Memoryze :
Acquire and/or analyze RAM images, including the page file on live systems

MetaExtractor :
Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files

MFTview :
Displays and decodes contents of an extracted MFT file

PictureBox :
Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format

PsTools :
Suite of command-line Windows utilities

Shadow Explorer :
Browse and extract files from shadow copies

SQLite Manager :
Firefox add-on enabling viewing of any SQLite

Strings :
Command-line tool for text searches

Structured Storage Viewer :
View and manage MS OLE Structured Storage based files

Switch-a-Roo :
Text replacement/converter/decoder for when dealing with URL encoding, etc

Windows File Analyzer :
Analyse thumbs.db, Prefetch, INFO2 and .lnk files

Xplico :
Network forensics analysis tool

5. Mac OS tools
Audit : Audit Preference Pane and Log Reader for OS X

ChainBreaker :
Parses keychain structure, extracting user’s confidential information such as application account/password, encrypted volume password (e.g. filevault), etc

Disk Arbitrator :
Blocks the mounting of file systems, complimenting a write blocker in disabling disk arbitration

Epoch Converter :
Converts epoch times to local time and UTC

FTK Imager CLI for Mac OS :
Command line Mac OS version of AccessData’s FTK Imager

IORegInfo :
Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected

PMAP Info :
Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors

Volafox :
Memory forensic toolkit for Mac OS X

  1. Mobile devices

iPBA2 :
Explore iOS backups

iPhone Analyzer :
Explore the internal file structure of Pad, iPod, and iPhones

ivMeta :
Extracts phone model and software version and created date and GPS data from iPhone videos.

Last SIM Details :
Parses physical flash dumps and Nokia PM records to find details of previously inserted SIM cards.

Rubus :
Deconstructs Blackberry .ipd backup files

Obtain SMS Messages, call logs and contacts from Android devices

  1. Data analysis suites

Autopsy :
Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below)

Backtrack :
Penetration testing and security audit with forensic boot capability

Caine :
Linux based live CD, featuring a number of analysis tools

Deft :
Linux based live CD, featuring a number of analysis tools

Digital Forensics Framework :
Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items

Forensic Scanner :
Automates ‘repetitive tasks of data collection’. Fuller description here

Paladin :
Ubuntu based live boot CD for imaging and analysis

VMware Appliance pre-configured with multiple tools allowing digital forensic examinations

The Sleuth Kit :
Collection of UNIX-based command line file and volume system forensic analysis tools

Volatility Framework :
Collection of tools for the extraction of artefacts from RAM

  1. Internet analysis

MozillaHistoryView :
Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web page

MyLastSearch :
Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace)

PasswordFox :
Extracts the user names and passwords stored by Mozilla Firefox Web browser

OperaCacheView :
Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache

OperaPassView :
Decrypts the content of the Opera Web browser password file, wand.dat

Web Historian :
Reviews list of URLs stored in the history files of the most commonly used browsers

Web Page Saver :
Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages

  1. Registry analysis

AppCompatCache Parser :
Dumps list of shimcache entries showing which executables were run and their modification dates. Further details.

ForensicUserInfo :
Extracts user information from the SAM, SOFTWARE, and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file

Process Monitor :
Examine Windows processes and registry threads in real time

RECmd :
Command line access to offline Registry hives. Supports simple & regular expression searches as well as searching by last write timestamp. Further details.

Registry Decoder :
For the acquisition, analysis, and reporting of registry contents

Registry Explorer :
Offline Registry viewer. Provides deleted artifact recovery, value slack support, and robust searching. Further details.

RegRipper :
Registry data extraction and correlation tool

Regshot :
Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software

ShellBags Explorer  :
Presents visual representation of what a user’s directory structure looked like. Additionally, exposes various timestamps (e.g., first explored, last explored for a given folder. Further details.

USB Device Forensics :
Details previously attached USB devices on exported registry hives

USB Historian :
Displays 20+ attributes relating to USB device use on Windows systems

USBDeview :
Details previously attached USB devices

User Assist Analysis :
Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys

UserAssist :
Displays list of programs run, with run count and last run date and time

Windows Registry Recovery :
Extracts configuration settings and other information from the Registry

  1. Application analysis

Dropbox Decryptor :
Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox

Google Maps Tile Investigator :
Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context

KaZAlyser :
Extracts various data from the KaZaA application

LiveContactsView :
View and export Windows Live Messenger contact details

SkypeLogView :
View Skype calls and chats

Src: Wikipedia, Cybrary, Forensictool

Scientific Standard Procedures + Tools + Intelligence = Forensics

-D3 4n6

3 Comments Add yours

  1. RIYAD AMIN says:

    very helpful. thank you very much


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.