
Computer Forensics Tools

1. Digital Forensics Framework

Digital Forensics Framework (DFF) is another popular open-source platform dedicated to digital forensics, released under the GPL. It is designed so that professionals and non-experts alike can use it without trouble. It can be used to maintain a digital chain of custody, to access local or remote devices, to examine Windows or Linux systems, to recover hidden or deleted files, to search file metadata quickly, and for various other tasks.

The Digital Forensics Framework (DFF) is a digital forensic investigation tool and a development platform that allows you to collect, preserve and reveal digital evidence. Amongst others, DFF’s features include the ability to read RAW, EWF and AFF forensic file formats, access local and remote devices, analyse registry, mailbox and file system data, and recover hidden and deleted files.

When you launch DFF, you first need to load an evidence file (i.e. a forensic image you acquired previously) or open a device ready for analysis. You can then process the evidence file or device with one of the built-in modules to begin analysing the data.

2. Open Computer Forensics Architecture

Open Computer Forensics Architecture (OCFA) is another popular distributed, open-source computer forensics framework. It was built on the Linux platform and uses a PostgreSQL database to store its data.

It was built by the Dutch National Police Agency to automate the digital forensics process, and it is available to download under the GPL license.

3. SANS Investigative Forensics Toolkit – SIFT

SANS Investigative Forensics Toolkit (SIFT) is a multi-purpose forensic operating system that comes with the tools needed throughout the digital forensic process. It is built on Ubuntu and bundles many digital forensics tools. Earlier this year, SIFT 3.0 was released. It is free of charge and contains free, open-source forensic tools.

In a previous post at resource.infosecinstitute.com we covered SIFT in detail; read that post to learn more about this digital forensics platform.

4. Bulk Extractor

Bulk Extractor is another important and popular digital forensics tool. It scans disk images, files or directories of files to extract useful information. It ignores the file system structure while doing so, which makes it faster than comparable tools and means it also finds data in unallocated space or on a damaged file system. It is used mainly by intelligence and law enforcement agencies in investigating cyber crimes.

Bulk Extractor scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is written to a series of text files (feature files), which can be reviewed manually or analysed with other forensics tools or scripts.

bulk_extractor is a command-line tool; a separate GUI, the Bulk Extractor Viewer, is also available. In the example above, I ran the tool against a forensic image taken earlier and wrote the results to a folder called “BE_Output”. The results can then be reviewed in the Bulk Extractor Viewer or in the output text files mentioned above.

Tip: Within the output text files you will find one entry per item that resembles a credit card number, e-mail address, domain name and so on. The first column of each entry is a decimal byte offset; converted to hex, it is the offset on disk where the entry was found, so if you are examining the image in a hex editor you can jump straight to that value to see the data in context.
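The scan-and-verify workflow in the Tip above, as an added example (my code, not bulk_extractor's own): a miniature scanner that walks raw bytes with no regard to any file system, writes bulk_extractor-style feature lines, parses them back, converts the decimal offset to the hex value a hex editor wants, and confirms the feature really sits at that offset in the image. The image bytes, the two recorder regexes, the context width and the header comment are constructed for the example. One detail the page does not mention: a real feature file's first column can also be a compound "forensic path" such as 1234-ZIP-0 (a hit inside a decompressed object), which the parser flags rather than treating as a disk offset.

```python
"""Added example, not bulk_extractor's code: scan raw bytes for features,
emit feature-file lines, parse them back and verify the recorded offsets.
Image, recorder regexes, context width and header comment are constructed."""
import re

# Constructed sample "disk image": filler bytes with an e-mail header and a
# URL embedded somewhere in them. There is no file system at all.
IMAGE = (
    b"\x00" * 500
    + b"From: alice@example.org\r\nSubject: invoice\r\n"
    + b"\xff" * 1200
    + b"visit https://intranet.example.net/login now"
    + b"\x00" * 300
)

# Two "feature recorders" (bulk_extractor's term); regexes assumed for the example.
RECORDERS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./_-]+"),
}
CONTEXT = 8  # bytes kept on each side of a hit, like the context column of a feature file


def scan(image: bytes):
    """Return {recorder: [(offset, feature, context), ...]} for every hit in image.
    Every byte is examined in turn, so hits in unallocated or slack space count too."""
    hits = {name: [] for name in RECORDERS}
    for name, pattern in RECORDERS.items():
        for m in pattern.finditer(image):
            ctx = image[max(0, m.start() - CONTEXT): m.end() + CONTEXT]
            hits[name].append((m.start(), m.group(), ctx))
    return hits


def _escape(raw: bytes) -> str:
    """Render bytes the way feature files do: printable ASCII as is, the rest as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02X}" for b in raw)


def to_feature_lines(recorder: str, hits):
    """Format hits as feature-file lines: a comment header, then offset<TAB>feature<TAB>context."""
    lines = [f"# Feature-Recorder: {recorder}"]  # constructed header comment
    for offset, feature, ctx in hits:
        lines.append(f"{offset}\t{_escape(feature)}\t{_escape(ctx)}")
    return lines


def parse_feature_line(line: str):
    """Parse one feature-file line; None for comments and blank lines.
    A plain decimal first column is a byte offset into the image. A compound
    path such as '1234-ZIP-0' means the feature was found inside a decompressed
    object starting at 1234, so the number is not where the text lies on disk;
    such records are flagged nested."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    cols = line.split("\t")
    path, feature = cols[0], cols[1]
    context = cols[2] if len(cols) > 2 else ""
    nested = not path.isdigit()
    offset = int(path.split("-")[0])
    return {"offset": offset, "hex_offset": f"0x{offset:X}", "feature": feature,
            "context": context, "nested": nested}


def verify_at_offset(image: bytes, record) -> bool:
    """Confirm the feature bytes sit at the recorded offset (only meaningful for non-nested hits)."""
    if record["nested"]:
        return False
    start = record["offset"]
    return image[start:start + len(record["feature"])] == record["feature"].encode("latin-1")


if __name__ == "__main__":
    for recorder, found in scan(IMAGE).items():
        for line in to_feature_lines(recorder, found):
            rec = parse_feature_line(line)
            if rec:
                print(f"{recorder}: {rec['feature']} at {rec['offset']} ({rec['hex_offset']}) "
                      f"verified={verify_at_offset(IMAGE, rec)}")
```

Against a real image the equivalent run is `bulk_extractor -o BE_Output image.dd`, after which files such as email.txt and url.txt in BE_Output carry the same three tab-separated columns; the parser above reads them unchanged.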

5. HELIX3

HELIX3 is a live-CD-based digital forensic suite created for use in incident response. It comes with many open-source digital forensics tools, including hex editors and data-carving and password-cracking tools. If you want the free version, use Helix3 2009R1: after that release the project was taken over by a commercial vendor, so the most recent versions must be paid for.

The tool can collect data from physical memory, network connections, user accounts, running processes and services, scheduled jobs, the Windows Registry, chat logs, screen captures, SAM files, applications, drivers, environment variables and Internet history. It then analyses and reviews the collected data and compiles the results into reports.

6. ProDiscover Basic 

A simple digital forensic investigation tool that lets you image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold it. You can also search for data from the Search node using criteria you specify.

7. FTK Imager

Forensic Toolkit (FTK) is computer forensics software made by AccessData. It scans a hard drive for many kinds of information: it can, for example, locate deleted e-mails, or scan a disk for text strings and use them as a password dictionary to crack encryption.

The toolkit also includes a standalone disk imaging program, FTK Imager. FTK Imager is simple but thorough. It saves an image of a hard disk either as one file or in segments that can be reassembled later. It calculates MD5 (and SHA1) hash values of the data and confirms its integrity before closing the files. The resulting image can be saved in several formats, including raw dd.
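The segment-and-hash step just described, as an added example (my code, not AccessData's): the image is hashed once while it is written out in numbered segments, and verification reassembles the segments in order and checks that the digests still match, which is what an imager's verification pass does. The image bytes, the segment size and the file names are constructed; SHA-256 is computed alongside MD5 as an assumption of good practice, since MD5 catches accidental corruption but is not a tamper-resistant record on its own.

```python
"""Added example, not AccessData's code: hash a raw (dd-style) image while
splitting it into segments, then reassemble and verify. Image bytes, segment
size and file names are constructed for the example."""
import hashlib

SEGMENT_SIZE = 1024   # assumption: tiny segments so the sample image splits; imagers use sizes like 1500 MB
ALGORITHMS = ("md5", "sha256")  # MD5 as the page describes; SHA-256 alongside for a tamper-resistant record


def hash_chunks(chunks, algorithms=ALGORITHMS):
    """One pass over the data, feeding every requested digest at the same time."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in digests.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def write_segments(image: bytes, prefix="evidence", segment_size=SEGMENT_SIZE):
    """Split the image into fixed-size segments (.001, .002, ...). Returns {filename: bytes}
    and the digests of the whole image as computed at acquisition time."""
    segments = {}
    for start in range(0, len(image), segment_size):
        segments[f"{prefix}.{start // segment_size + 1:03d}"] = image[start:start + segment_size]
    expected = hash_chunks(segments[name] for name in sorted(segments))
    return segments, expected


def verify_segments(segments: dict, expected: dict) -> bool:
    """Reassemble in name order (zero-padded names sort correctly past .009) and compare
    against the digests recorded at acquisition. Any altered or missing segment fails."""
    actual = hash_chunks(segments[name] for name in sorted(segments))
    return actual == expected


# Constructed sample image: 5000 bytes of a repeating pattern (five segments, the last partial).
IMAGE = bytes(range(256)) * 19 + bytes(136)

if __name__ == "__main__":
    segments, expected = write_segments(IMAGE)
    print(sorted(segments), expected)
    print("intact:", verify_segments(segments, expected))
    damaged = dict(segments)
    damaged["evidence.003"] = b"X" + damaged["evidence.003"][1:]
    print("one byte changed:", verify_segments(damaged, expected))
```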

8. CAINE

CAINE (Computer Aided Investigative Environment) is a Linux distribution created for digital forensics. It offers an environment that integrates existing software tools as modules in a user-friendly manner, and it is open source. When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar.

9. Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface, and using pcap to capture packets; it runs on Linux, OS X, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.

Wireshark is very similar to tcpdump, but has a graphical front-end, plus integrated sorting and filtering options.

Wireshark lets the user put network interface controllers that support promiscuous mode into that mode, so they can see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses plus broadcast/multicast traffic. However, when capturing in promiscuous mode on a port of a network switch, not all traffic passing through the switch is necessarily sent to the port where the capture is taken, so promiscuous mode alone is not necessarily sufficient to see all network traffic. Port mirroring or a network tap extends capture to any point on the network, and simple passive taps are extremely resistant to tampering.

10. NetSleuth

NetSleuth is a network forensics analysis tool that identifies devices on your network. It operates in ‘live’ mode (where it will actively capture network packets and interpret device information) or in ‘offline’ mode where it will process a PCAP file that you import.

Note: At the time of writing, NetSleuth is in beta, and it is not recommended that you run it in a production environment. It made this list because it promises to be a handy addition to your forensic toolkit. The author is currently asking for feedback from the community, so now is your chance to contribute!

When you launch NetSleuth, you can either initiate a ‘live’ analysis from the Live Capture tab, or load a PCAP file from the Offline Analysis tab. Once NetSleuth has identified at least one device, you can double click on it to open the Device Information window.
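Two passages above share one added example: the Wireshark note on what promiscuous mode adds over a NIC's normal filtering, and NetSleuth's offline mode that identifies devices from a PCAP file. The code is mine, not Wireshark's or NetSleuth's. It reads the classic pcap file format (24-byte global header, then a 16-byte record header per frame), which is what both tools load for offline analysis, and then does two things with the Ethernet frames: visibility() counts which frames a non-promiscuous NIC would have delivered (unicast to its own address, broadcast, multicast) versus what promiscuous mode captures, and inventory() builds a device list keyed by source MAC with the IP addresses learned from IPv4 and ARP headers. The capturing interface's MAC, the four frames and the capture itself are constructed for the example.

```python
"""Added example, not Wireshark's or NetSleuth's code: a minimal classic-pcap
reader, promiscuous-mode visibility counts and a MAC/IP device inventory.
OUR_MAC and the captured frames are constructed for the example."""
import struct
from collections import defaultdict

OUR_MAC = "02:00:00:00:00:01"  # assumption: address of the interface the capture was taken on
ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II frame with a minimal IPv4 header (protocol UDP, checksum left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4) + ip + payload

def arp_request(src_mac, src_ip, target_ip):
    """Broadcast ARP who-has: the kind of frame every host on the segment receives."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1,
                      mac_bytes(src_mac), ip_bytes(src_ip), bytes(6), ip_bytes(target_ip))
    return bytes([0xFF] * 6) + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP) + arp

def build_pcap(frames, linktype=1, endian="<"):
    """Classic pcap: global header (magic, version 2.4, tz, sigfigs, snaplen, linktype),
    then per frame ts_sec, ts_usec, incl_len, orig_len and the bytes."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack(endian + "IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data: bytes):
    """Return the captured frames; the magic's byte order tells us the writer's endianness."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (unknown magic)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("this example handles Ethernet captures (LINKTYPE_ETHERNET) only")
    frames, pos = [], 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return frames

def classify(frame: bytes, our_mac=OUR_MAC):
    """Who the frame is addressed to, judged from the destination MAC alone."""
    dst = frame[:6]
    if dst == mac_bytes(our_mac):
        return "unicast-to-us"
    if dst == bytes([0xFF] * 6):
        return "broadcast"
    if dst[0] & 1:             # group bit set: multicast
        return "multicast"
    return "other-unicast"     # a normal NIC drops this; only promiscuous mode delivers it

def visibility(frames, our_mac=OUR_MAC):
    """Frames a normal NIC would pass up versus what promiscuous mode captures."""
    counts = {"non_promiscuous": 0, "promiscuous": len(frames)}
    for f in frames:
        if classify(f, our_mac) != "other-unicast":
            counts["non_promiscuous"] += 1
    return counts

def inventory(frames):
    """Devices seen as frame senders: {mac: {"ips": set of IPs, "frames": count}}."""
    devices = defaultdict(lambda: {"ips": set(), "frames": 0})
    for f in frames:
        entry = devices[mac_str(f[6:12])]
        entry["frames"] += 1
        ethertype = struct.unpack("!H", f[12:14])[0]
        if ethertype == ETH_IPV4 and len(f) >= 34:
            entry["ips"].add(ip_str(f[26:30]))   # IPv4 source address
        elif ethertype == ETH_ARP and len(f) >= 42:
            entry["ips"].add(ip_str(f[28:32]))   # ARP sender protocol address
    return dict(devices)

# Constructed capture: four frames on one segment, seen from OUR_MAC's interface.
FRAMES = [
    ipv4_frame("02:00:00:00:00:0a", OUR_MAC, "10.0.0.10", "10.0.0.1", b"hello"),       # to us
    arp_request("02:00:00:00:00:0b", "10.0.0.11", "10.0.0.1"),                         # broadcast
    ipv4_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b", "10.0.0.10", "10.0.0.11"),    # between two other hosts
    ipv4_frame("02:00:00:00:00:0c", "01:00:5e:00:00:fb", "10.0.0.12", "224.0.0.251"),  # multicast
]
PCAP = build_pcap(FRAMES)

if __name__ == "__main__":
    frames = parse_pcap(PCAP)
    print(visibility(frames))
    for mac, info in inventory(frames).items():
        print(mac, sorted(info["ips"]), info["frames"])
```

The third frame is the one that matters for the switch caveat: promiscuous mode makes the NIC accept it, but on a switched network it only reaches the capturing port if the switch floods it or the port is mirrored; a tap or SPAN port, not a capture flag, is what gets it there.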

11. ProDiscover Forensic

ProDiscover Forensic is a powerful computer security tool that enables computer professionals to locate all of the data on a computer disk while protecting the evidence and producing quality evidentiary reports for use in legal proceedings. By following industry best practices and a least-destructive methodology, ProDiscover Forensic allows files to be examined without altering valuable metadata such as the last-accessed time. It can recover deleted files, examine slack space, access Windows Alternate Data Streams, and preview, search and image the Host Protected Area (HPA) of the disk using its own pioneered technology. Because it reads the disk at the sector level, data cannot be hidden from it simply by manipulating the file system.
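Slack space, one of the areas mentioned above, as an added example (my code, not ProDiscover's): a file is allocated whole clusters, and the bytes between its logical end and the end of its last cluster belong to no live file, are invisible through the file system, and can still hold remnants of whatever previously occupied those clusters. The example computes where a file's slack lies on a cluster-addressed volume, carves it straight from the volume image, and pulls printable strings out of it. The cluster size, the volume and the file layout are constructed.

```python
"""Added example, not ProDiscover's code: locate and carve a file's slack space
from a volume image. Cluster size, volume contents and file layout are constructed."""
import re

CLUSTER_SIZE = 512   # assumption: small clusters for the sample volume (NTFS commonly uses 4096)


def slack_region(start_cluster: int, file_size: int, cluster_size: int = CLUSTER_SIZE):
    """(offset, length) of the file's slack; length is 0 when the file exactly fills its last cluster."""
    clusters_used = -(-file_size // cluster_size)            # ceiling division
    end_of_data = start_cluster * cluster_size + file_size
    end_of_allocation = (start_cluster + clusters_used) * cluster_size
    return end_of_data, end_of_allocation - end_of_data


def carve_slack(volume: bytes, start_cluster: int, file_size: int,
                cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Raw bytes of the slack region, read directly from the volume image (sector-level view)."""
    offset, length = slack_region(start_cluster, file_size, cluster_size)
    return volume[offset:offset + length]


def printable_strings(data: bytes, min_len: int = 6):
    """ASCII runs of at least min_len bytes, as the classic strings utility reports them."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_volume() -> bytes:
    """Constructed 4-cluster volume. An old file filled clusters 0-1 and was deleted; a new
    700-byte file was then allocated the same two clusters. Only the first 700 bytes were
    overwritten, so bytes 700..1023 still hold the old file's tail: that is the new file's slack."""
    volume = bytearray(4 * CLUSTER_SIZE)
    old_file = (b"\x80" * 900 + b"PAYROLL bob=95000").ljust(2 * CLUSTER_SIZE, b"\x80")
    volume[0:len(old_file)] = old_file        # deleted file's content stays on disk
    volume[0:700] = b"A" * 700                # live file: 700 bytes, clusters 0-1
    return bytes(volume)


VOLUME = build_volume()

if __name__ == "__main__":
    print(slack_region(0, 700))
    print(printable_strings(carve_slack(VOLUME, 0, 700)))
```

Reading the file through the file system returns only the 700 bytes of "A"; the slack carve recovers the payroll string the previous occupant left behind, which is exactly why examiners work from the sector-level image rather than the mounted volume.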
