A selection of free computer forensics tools

While taking the computer forensics course at the CHFI v9 course, we were shown in practice how and what real computer forensics do.

In order to successfully investigate information security incidents, it is necessary to have practical skills in using the tools to extract digital artefacts. This article will provide a list of useful links and tools for digital evidence collection.

The main purpose of this work is to use methods and tools to preserve (preserve), collect and analyze digital evidence in order to reconstruct the events of the incident.

The term “forensics” is an abbreviated form of “forensic science”, literally “forensic science”, i.e. the science of evidence research – exactly what is called forensics in Russian.

The Russian term “forensics” means not all forensics, but computer forensics.

Some authors separate computer forensics from network forensic.

The main scope of application of the formulas is the analysis and investigation of events involving computer information as the object of abuse, the computer as a weapon of crime, and any digital evidence.

Various highly specialized tools are used to fully collect and analyse information, which will be discussed below.

I would like to warn you that in the course of work on the conclusion of a criminal case, it will most likely be considered the presence of certain certificates and conformity of the software.

In this case, it will be necessary to use combined methods of information collection and analysis, or to write conclusions and conclusions based on the data obtained from non-certified sources.

This article provides free tools for investigating information security incidents.

Disk tools and data collection

  • Arsenal Image Mounter utility for working with disk images in Windows, access to partitions and volumes, etc.
  • DumpIt utility for creating physical memory dump of Windows computers, 32/64 bits. It can work from a USB-drive.
  • EnCase Forensic Imager is a utility for creating evidence files for EnCase.
  • Encrypted Disk Detector utility for detecting encrypted volumes of TrueCrypt, PGP or Bitlocker.
  • EWF MetaEditor is a utility for editing EWF metadata (E01).
  • FAT32 Format utility for formatting large capacity disks in FAT32.
  • Forensics Acquisition of Websites is a browser designed to capture web pages for investigation.
  • FTK Imager view and clone data media in a Windows environment.
  • Guymager is a multi-threaded utility with GUI for creating disk images under Linux.
  • Live RAM Capturer is a utility used to extract the RAM dump, including one protected by an anti-debugging or anti-dumping system.
  • NetworkMiner is a network analysis tool for detecting OS, hostname and open ports of network nodes by means of packet capture / PCAP analysis.
  • Magnet RAM Capture utility for RAM capture from Windows XP to Windows 10, Win Server 2003, 2008, 2012.
  • OSFClone live CD/DVD/USB utility to create dd or AFF images.
  • OSFMount is a utility for monitoring disk images and also allows you to create RAM disks.

E-mail analysis

  • EDB Viewer utility for viewing EDB Outlook files without Exchange server.
  • Mail Viewer is a utility for viewing Outlook Express files, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and individual EML files.
  • MBOX Viewer is a utility for viewing e-mails and MBOX attachments.
  • OST Viewer is a utility for viewing OST Outlook files without Exchange server.
  • PST Viewer is a utility for viewing PST Outlook files without Exchange server.

File and data analysis

  • analyzeMFT MFT parsing utility from the NTFS file system, allowing you to analyze the results with other tools.
  • bstrings binary data search utility, including regular expression search.
  • CapAnalysis PCAP viewer utility.
  • Crowd Response is a Windows console application to help collect system information for incident response and security.
  • Crowd Inspect is a utility for obtaining information about network processes, listing binary files associated with each process. Creates requests to VirusTotal and other online malware analysis tools and reputation services.
  • DCode converts different types of data into date/time values.
  • Defraser utility for detecting full and partial data about media files in unallocated space.
  • eCryptfs Parser utility recursively analyzes the headers of each eCryptfs file in the selected directory.
  • Encryption Analyzer utility for analyzing password-protected and encrypted files, analyzes the complexity of encrypting reports and decryption options for each file.
  • ExifTool utility for reading and editing Exif data in a large number of file types.
  • File Identifier online file type analysis (over 2000).
  • Forensic Image Viewer is a utility for extracting data from images.
  • Link Parser is a recursive folder analysis tool that extracts more than 30 attributes from Windows .lnk (shortcut) files.
  • Memoryze analysis of RAM images, including “page” file analysis.
  • MetaExtractor is a utility for notification of meta-information from office documents and pdf.
  • Shadow Explorer is a utility for viewing and extracting files from shadow copies.

Tools for Mac OS

  • Audit utility to output the audit and OS X logs.
  • Disk Arbitrator blocks the mounting of file systems by adding a write-protect to the drive’s arbitration disablement.
  • FTK Imager CLI for Mac OS is a console version of FTK Imager for Mac OS.
  • IORegInfo utility for displaying information on devices connected to the computer (SATA, USB and FireWire, software RAID-arrays). It can determine the partition information, including the size, types and bus to which the device is connected.
  • mac_apt is a utility for working with E01, DD, DMG images.
  • Volafox is a utility for memory analysis in Mac OS X.