Free forensic tools

5 Posts
4 Users
0 Reactions
1,029 Views
(@ctendell)
Trusted Member
Joined: 16 years ago
Posts: 62
Topic starter  

I'm sure that this will spawn an interest in developing a solid list of FOSS forensics tools. I've added a few to the list.

Originally posted on keydet89's "Windows Incident Response Blog."
http://windowsir.blogspot.com/
Just giving credit where credit is due. Thanks, Keydet89.
General Tools
Perl - 'nuff said; mostly for creating my own tools
Strings/BinText
LiveView

Live CD's
Helix
CAINE
DEFT
DRAFT
BackTrack 4

Acquisition
FTK Imager - great for opening raw (i.e., dd) images, .E0x files, .vmdk files, etc. - even allows you to "acquire" other formats to raw/dd. Also great for selected file extraction from the image, when you don't need everything
dd - George M. Garner Jr's FAU
dcfldd - another CLI imaging tool, available for the Windows platform
Tableau TIM - coming Q4, 2009
Raptor - bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let's just use this one as a placeholder for all bootable Linux CDs…)

Image Mounting
IMDisk - great free tool for mounting Windows images on Windows systems, in read-only mode
VDKWin - another free tool
P2Explorer - from Paraben; free, requires registration

Image Analysis
TSK Tools - I've used mmls and fls mostly, but blkls is extremely useful, as well
PTK GUI for TSK.
Autopsy
ProDiscover, Basic Edition - Not a full suite, but very useful
AntiVirus Scanners (ClamWinPortable, SysClean, Malwarebytes)
Timeline Creation Tools (TSK tools, pasco, Perl scripts, etc.) - Perl scripts available from the Win4n6 Yahoo Group
Internet Evidence Finder (JADSoftware) - also, check out the Encrypted Disk Detector
Carving - foremost, scalpel, PhotoRec
DiskDigger - from Dmitry Brant; also check out NTFSWalker

File/Document Metadata
Structured Storage Extractor - view contents of structured storage/OLE files; this used to mean just MS Office (pre-2007) documents, but on Windows 7, this now means Sticky Notes, etc.
OffVis (fact sheet) -
Office 2007 document metadata (script) - look for cat_open_xml.pl; other tools available, as well
Skype Extractor -
PDF Tools - from Didier Stevens; some of Didier's tools have been incorporated into the VirusTotal site
MSI files - InstEd

Working with Email
Email Conversion Tools - may not be free
AvTech - Perl script
Emailchemy - from Weird Kid Software; demo available
Mail-Cure - free, described here
Aid4Mail - free trial available
Intella - from Vound Software; doesn't require that Outlook be installed; trial available

File Hashing
MD5Deep - also allows for other hashing algorithms
SSDeep - fuzzy hashing; is also incorporated into VirusTotal

Registry Analysis
RegRipper - includes rip, ripXP, and regslack
MiTeC Registry File Viewer
Didier Stevens' UserAssist
Pwdump7 or SAMInside - great way to get password hashes for cracking

Archive/Compression Utilities
IZArc
PeaZip
Other utilities
ExtractNow

Memory Collection/Analysis
Windd - 1.3, for x86 and x64 now available
MDD - ManTech's memory imaging tool; 32-bit, has the 4GB limit
Nigilant32 - from Matt Shannon, F-Response; Windows 2000/XP only
Volatility - XP SP 2&3 only
Memoryze - from Mandiant

Packet Analysis
NetworkMiner
WireShark
NetWitness Investigator
Tools for extracting files from streams - not all of the tools listed run on Windows

Browser Analysis
SQLite Spy (for Firefox 3 analysis)

Misc
U3 Launcher Log parser
Other Mandiant Tools (Highlighter, Web Historian, etc.)
MIR-ROR - read about it here; great tool from Russ McRee (read Russ's ISSA toolsmith write-ups on other tools)
ShadowExplorer (Dan Mares' VSS)
SMPlayer - "for troublesome videos"
Evidence Mover
Windows Search Index Extractor - extract information from the Windows Desktop Search database (i.e., the windows.edb file)

Sites
Various thumbnail cache extractor applications can be found here.
NirSoft has a variety of free and useful utilities available.
RedWolf Computer Forensics - various parsing tools
VirusTotal

(@martijnw)
New Member
Joined: 16 years ago
Posts: 1

Diskdigger is one of my most used tools. When examining camera data it is interesting to see what pictures are on there, but most of the time the pictures that have been deleted are far more interesting.

Diskdigger allows you to retrieve those deleted images and although it is not really fast, it earned a place in my forensics toolkit.

http://dmitrybrant.com/diskdigger

With memory cards increasing in size there is a wealth of deleted information to be found that has not yet been overwritten.

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805

Greetings,

If you really want a list of FOSS tools, I'd drop the ones that are paid but have a demo available. For example, Intella is a very nice tool, but it is about $2,300 if you decide to really use it - hardly FOSS.

-David

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650

The "free" in Free and Open Source Software doesn't mean free as in beer. You can charge and still be FOSS.

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805

Greetings,

Good point. I'd still eliminate Intella. The wikipedia entry for FOSS is

"Free and open source software, also F/OSS, FOSS, or FLOSS (free/libre/open source software) is software that is liberally licensed to grant the right of users to study, change, and improve its design through the availability of its source code. This approach has gained both momentum and acceptance as the potential benefits have been increasingly recognized by both individuals and corporate players.[1][2]

Newcomers to the subject can be confused by the term "free".[citation needed] In the context of free and open source software, "free" is intended to refer to the freedom to copy and re-use the software, rather than to the price of the software. The Free Software Foundation, an organization that advocates for free software, suggests that to understand the concept, one should "think of free as in free speech, not as in free beer".[3]"

Intella cannot be freely distributed and its source code is not available for review. It is very clearly a commercial product.

-David
