Forensic Tool Creation Project

(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

Currently I am developing Forensic software for purchase on my website. I thought I would share the information about what they can do and how they do it.

The first is Imager


Imager creates a bit-stream image by providing a GUI for the DoD version of DD.
Imager can image and hash devices at the physical and logical level, as well as provide information on the size of the partition and the format of the filesystem. Using a Linux driver, one can even image and carve Linux partitions within Windows. See the site for details on how to use that driver.
The program has a demo on the site which can be downloaded and tried, as well as an option for activating the full version.

Next is the Carver


This application interfaces into scalpel. The colors are off because I changed my Windows theme…. Basically you can select a file type and it will save a config file full of headers and footers, then launch scalpel v 1.54 to carve out the files created in the image above. It also hashes the output so that it can be used to sort benign files and to log as evidence. The carver supports all bitstream images and all raw format images.
The program has a demo on the site which can be downloaded and tried, as well as an option for activating the full version.

Third is the MD5 Database

This program is designed to remove benign files by incorporating MD5 hash comparison. Currently there are 14,000,000 hashes to compare within the NSRL NIST databases and the hashes that I have accumulated for operating systems.

This program is also available for download on my site. Currently I am adding new features to improve the speed of the application (with this one you start it and check back in an hour).
Microsoft
Windows 95
Windows 98
Windows ME
Windows 2000
Windows XP
Windows Vista

Apple
OS X 10.1
Mac Leopard

Linux
Fedora 8 32bit
Ubuntu 7.10
Kubuntu 6.06
Suse 10.1

Currently I am working on a live analysis application to help with obtaining images while the system is live, to avoid the risk of the device being encrypted. It also has the ability to image physical RAM to use for later processing, as well as provide sector and cluster information about the physical devices.

My website is http://www.xabersoft.com
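
The known-file filtering step described in the post above (hash the carved output, set aside files whose MD5 appears in a known-file set, keep the rest for review), as an added Python sketch. It is not code from the poster's tools; the sample RDS row, the output folder name and the file contents are constructed for the demo.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Constructed sample in the NSRL RDS NSRLFile.txt column layout (not real RDS data).
SAMPLE_RDS = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    '"2AAE6C35C94FCFB415DBE95F408B9CE91EE846ED","5EB63BBBE01EEED093CB22BB8F5ACDC3",'
    '"0D4A1185","hello.txt",11,0,"0",""\n'
)

def load_known_md5(rds_file):
    """Collect the MD5 column of an RDS-style CSV into an upper-case set."""
    return {row["MD5"].strip().upper() for row in csv.DictReader(rds_file) if row.get("MD5")}

def md5_of(path, chunk_size=1 << 20):
    """Hash in chunks so a large carved file never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()

def triage(carve_dir, known):
    """Split carved files into (benign, unknown) lists of (relative path, MD5)."""
    benign, unknown = [], []
    root = Path(carve_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        entry = (path.relative_to(root).as_posix(), md5_of(path))
        (benign if entry[1] in known else unknown).append(entry)
    return benign, unknown

def demo():
    """Run the filter over a constructed carve directory and return both lists."""
    known = load_known_md5(io.StringIO(SAMPLE_RDS))
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp, "txt-0-0")  # hypothetical carver output subfolder
        out.mkdir()
        (out / "00000000.txt").write_bytes(b"hello world")    # matches SAMPLE_RDS
        (out / "00000001.txt").write_bytes(b"case-specific")  # not in the set
        return triage(tmp, known)

if __name__ == "__main__":
    benign, unknown = demo()
    for name, digest in unknown:
        print(f"REVIEW {digest} {name}")
    print(f"{len(benign)} known file(s) filtered out")
```

Loading the hash set once and testing membership per file keeps the cost at one pass over the carved data. The RDS rows also carry a SHA-1 column, so the same lookup works with `hashlib.sha1` where MD5 collisions are a concern.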

   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Ryan,

Interesting tools. I've mentioned the carver tool to folks I work with and I'm interested in writing up a HowTo document for its use.

A couple of things from your site:
"Orion Live Analysis (name pending) - Utility to be ran from a flash drive to capture physical memory and take screen shots to be saved to the flash drive. (note this will slightly alter the registry as Windows XP keeps track of all usb devices."

Two things…first, ALL versions of Windows keep track of USB devices connected to the system. Second, I'd like to see more info about how you're going to capture Physical Memory.

"As well as a live imaging Kit ( even if the OS is still running it will image the device)"

How will this be different from something like FTK Imager Lite?

Thanks…


   