
Best Open Source Forensic Software

Forensic investigations are always challenging: you have to gather all the information you can for the evidence and for the mitigation plan. Here are some of the tools a computer forensic investigator would need; most of them are free. Whether it is for an internal human resources case, an investigation into unauthorized access to a server, or simply to learn a new skill, these suites and utilities will help you conduct memory forensics, hard drive forensics, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what is "under the hood" of a system.

1. Autopsy is a GUI-based open source digital forensic program to analyze hard drives and smartphones effectively. Autopsy is used by thousands of users worldwide to investigate what actually happened on a computer.

2. Encrypted Disk Detector can be helpful to check for encrypted physical drives. It supports TrueCrypt, PGP, BitLocker and SafeBoot encrypted volumes.

3. Wireshark is a network capture and analyzer tool to see what is happening in your network. Wireshark is handy for investigating network-related incidents.

4. Magnet RAM Capture can be used to capture the physical memory of a computer and analyze artifacts in memory. It supports the Windows operating system.

5. NetworkMiner is an interesting network forensic analyzer for Windows, Linux and Mac OS X that detects OS, hostname, sessions and open ports through packet sniffing or from a PCAP file. It presents the extracted artifacts in an intuitive user interface.

6. NMAP (Network Mapper) is one of the most popular network and security auditing tools. NMAP is supported on most operating systems, including Windows, Linux, Solaris, Mac OS, HP-UX etc. It is open source, so it is free.

7. RAM Capturer is a free tool to dump the data from a computer's volatile memory. It is compatible with Windows OS. Memory dumps may contain an encrypted volume's password and login credentials for webmail and social network services.

8. Forensic Investigator: if you are using Splunk, this will be a very handy tool. It is a Splunk app that combines many tools.

9. FAW (Forensics Acquisition of Websites) acquires web pages for forensic investigation and has the following features: capture the entire page or part of it; capture all types of images; capture the HTML source code of the web page; integrate with Wireshark.

10. HashMyFiles will help you calculate MD5 and SHA1 hashes. It works on almost all recent Windows versions.

11. USB Write Blocker lets you view a USB drive's contents without leaving fingerprints, that is, without changes to metadata and timestamps. It uses the Windows registry to write-block USB devices.

12. Crowd Response by CrowdStrike is a Windows application to gather system information for incident response and security engagements. You can view the results in XML, CSV, TSV or HTML with the help of CRConvert. It runs on 32- or 64-bit Windows XP and above. CrowdStrike has some other nice tools for investigation: Tortilla anonymously routes TCP/IP and DNS traffic through Tor; Shellshock Scanner scans your network for the Shellshock vulnerability; Heartbleed Scanner scans your network for the OpenSSL Heartbleed vulnerability.

13. NFI Defraser is a forensic tool that may help you detect full and partial multimedia files in data streams.

14. ExifTool helps you read, write and edit meta information for a number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc.

15. Toolsley has more than 10 useful tools for investigation:
File signature verifier.
File identifier.
Hash & Validate.
Binary inspector.
Encode text.
Data URI generator.
Password generator.


16. SIFT (SANS Investigative Forensic Toolkit) workstation is freely available as an Ubuntu 14.04 based distribution. SIFT is a suite of the forensic tools you need and one of the most popular open source incident response platforms.

17. Dumpzilla extracts all interesting information from Firefox, Iceweasel and SeaMonkey browsers so that it can be analyzed.

18. Browser History: Foxton has two free and interesting tools. Browser History Capturer captures web browser (Chrome, Firefox, IE and Edge) history on Windows. Browser History Viewer extracts and analyzes internet activity history from most modern browsers; results are shown in an interactive graph and the historical data can be filtered.

19. ForensicUserInfo extracts the following information:
RID.
LM/NT hash.
Password reset/account expiry date.
Login count/fail date.
Groups.


Profile path.

20. Kali Linux is one of the most popular platforms for penetration testing, but it has forensic capabilities too.

21. Paladin Forensic Suite, the world's most popular Linux forensic suite, is a modified Linux distribution based on Ubuntu, available in 32- and 64-bit versions.

22. Sleuth Kit is a collection of command line tools to investigate and analyze volumes and file systems to find evidence.

23. CAINE (Computer Aided INvestigative Environment) is a Linux distribution that offers a complete forensic platform with more than 80 tools for you to analyze, investigate and create an actionable report.

24. Volatility is the memory forensics framework, used for incident response and malware analysis. With this tool you can extract information about running processes, network sockets, network connections, DLLs and registry hives. It also supports extracting information from Windows crash dump files and hibernation files. This tool is available for free under the GPL license.

25. WindowSCOPE is another memory forensics and reverse engineering tool for analyzing volatile memory. It is mainly used for reverse engineering of malware. It provides the capability to analyze the Windows kernel, drivers, DLLs, and virtual and physical memory.

26. The Coroner's Toolkit, or TCT, is also a good digital forensic analysis tool. It runs under several Unix-related operating systems and can be used to aid analysis of computer disasters and data recovery.

27. Bulk Extractor is also an important and popular digital forensics tool. It scans disk images, a file or a directory of files to extract useful information. In this process it ignores the file system structure, so it is faster than other similar tools. It is mainly used by intelligence and law enforcement agencies in solving cyber crimes.

28. Oxygen Forensic Suite: if you are investigating a case that requires you to gather evidence from a mobile phone, this is a tool that will help you achieve it.

29. Free Hex Editor Neo is a basic hex editor designed to handle very large files. While many of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.

30. Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract application data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.
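Items 10 (HashMyFiles) and 15 (Toolsley's Hash & Validate) above compute file hashes, and the reason an examiner does this is to prove later that a copy of the evidence is byte-for-byte identical to what was acquired. The script below is an added example written for this page, not code from HashMyFiles, Toolsley or any other tool listed here: it builds a hash manifest (MD5, SHA-1 and SHA-256) for every file under an evidence directory, streaming each file in 1 MiB chunks so images larger than RAM can be hashed, and then re-verifies a working copy, reporting changed, missing and added files. The evidence tree in demo() is constructed in a temporary directory; the file names and the tampered byte are made up for the demonstration.

```python
"""Hash an evidence tree and later verify that no file changed.

Added example, not code from the page or from HashMyFiles/Toolsley: it
reproduces the "hash and validate" step those tools perform. Hashes are
taken at acquisition time into a manifest; re-running the verification on
a working copy reveals modified, missing or added files. Files are read
in 1 MiB chunks so forensic images larger than RAM can be hashed.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024
ALGORITHMS = ("md5", "sha1", "sha256")  # MD5/SHA-1 for legacy reports, SHA-256 for integrity


def _hash_blocks(blocks, algorithms):
    """Feed each block to every requested hash and return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in blocks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory byte string (handy for carved objects)."""
    return _hash_blocks([data], algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Digests of a file on disk, streamed in CHUNK-sized reads."""
    with open(path, "rb") as fh:
        return _hash_blocks(iter(lambda: fh.read(CHUNK), b""), algorithms)


def build_manifest(root):
    """Map each regular file under root (path relative to root) to its digests."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hash_file(p) for p in files}


def verify_manifest(root, manifest):
    """Re-hash the tree and list entries that changed, vanished or appeared."""
    current = build_manifest(root)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    return {"ok": not (changed or missing or added),
            "changed": changed, "missing": missing, "added": added}


def demo():
    """Constructed sample: hash a tiny tree, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "docs").mkdir(parents=True)
        (evidence / "docs" / "note.txt").write_bytes(b"meeting at 10\n")
        (evidence / "image.raw").write_bytes(bytes(range(256)) * 8)

        manifest = build_manifest(evidence)
        before = verify_manifest(evidence, manifest)   # untouched copy: ok

        image = bytearray((evidence / "image.raw").read_bytes())
        image[100] ^= 0xFF                               # simulate tampering
        (evidence / "image.raw").write_bytes(bytes(image))
        after = verify_manifest(evidence, manifest)      # image.raw reported
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    for name, digests in manifest.items():
        print(name, digests["sha256"])
    print("before:", before)
    print("after: ", after)
```

The manifest is a plain dictionary so it can be written out as JSON next to the acquisition notes; keeping all three digests lets the same record satisfy tools that still report MD5 or SHA-1 while the SHA-256 value is the one relied on for integrity.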
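Items 27 (Bulk Extractor, which scans a disk image while ignoring the file system structure) and 29 (manual data carving in a hex editor) both rest on the same idea: files are found by their byte signatures rather than by directory entries. The following is an added example written for this page, not code from bulk_extractor, Hex Editor Neo or PhotoRec. It scans a raw byte image for JPEG and PNG header/footer pairs, carves each object out, and then validates a carved PNG chunk by chunk using the CRC every PNG chunk carries, which is how a carver tells a real file from a chance byte match. The raw image in demo() is constructed in memory (slack bytes, a minimal JPEG, junk, a generated PNG and an orphan JPEG header with no footer); only two signatures are used here, whereas a production carver knows many more.

```python
"""Carve JPEG and PNG objects out of a raw byte image by signature alone.

Added example, not code from the page, bulk_extractor or Hex Editor Neo:
it shows the principle those tools rely on. The scanner looks for known
header/footer byte patterns in the raw bytes and never consults the file
system, so objects whose directory entries are gone are still found. A
carved PNG is then checked chunk by chunk (each chunk carries a CRC), which
is how a carver separates real files from chance byte matches.
"""
import struct
import zlib

# (header, footer) magic bytes from the JPEG and PNG specifications.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Return [(offset, kind, data)] for each header with a footer within max_size.

    The scan is greedy: after an object is carved, scanning resumes past its end,
    and a header with no footer in range is skipped one byte at a time.
    """
    found, pos = [], 0
    while pos < len(image):
        nearest = None
        for kind, (header, footer) in signatures.items():
            start = image.find(header, pos)
            if start != -1 and (nearest is None or start < nearest[0]):
                nearest = (start, kind, header, footer)
        if nearest is None:
            break
        start, kind, header, footer = nearest
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1
            continue
        end += len(footer)
        found.append((start, kind, image[start:end]))
        pos = end
    return found


def png_chunks_valid(data):
    """True if data is a PNG whose every chunk CRC matches and which ends at IEND."""
    if not data.startswith(SIGNATURES["png"][0]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        if pos + 12 + length > len(data):
            return False                      # truncated chunk
        tag = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(tag + payload) & 0xFFFFFFFF != crc:
            return False                      # corrupted or false positive
        pos += 12 + length
        if tag == b"IEND":
            return pos == len(data)
    return False


def make_png(width=1, height=1):
    """Constructed sample: a minimal valid black RGB PNG of the given size."""
    def chunk(tag, payload):
        crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit RGB
    scanlines = (b"\x00" + b"\x00\x00\x00" * width) * height       # filter byte + pixels
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def demo():
    """Constructed raw image: slack, a JPEG, junk, a PNG, then an orphan JPEG header."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
    image = (b"\x00" * 64 + jpeg + b"\x11" * 32 + make_png()
             + b"\xff\xd8\xff\x00" + b"\x22" * 16)
    return image, carve(image)


if __name__ == "__main__":
    _, objects = demo()
    for offset, kind, data in objects:
        note = f" crc-ok={png_chunks_valid(data)}" if kind == "png" else ""
        print(f"offset={offset} kind={kind} size={len(data)}{note}")
```

Running it reports the JPEG at offset 64 and the PNG at offset 149 while the trailing orphan header, which has no footer, is skipped; corrupting a single byte of the carved PNG makes png_chunks_valid return False, which is the check a hex-editor carving session does by hand when it verifies chunk CRCs.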

Igor Mikhailov is a digital forensic analyst at the digital forensic laboratory of Group-IB, and the picture below shows what one of his business cards looked like. These are the hardware keys (dongles) of the forensic tools that the digital forensic analyst used when conducting forensic examinations. The cost of these products alone exceeds tens of thousands of dollars, and there are other free and commercial software products besides.

Which tool is better to use for an examination? Especially for our readers, Igor Mikhailov decided to give his review of the best software and hardware solutions for computer forensics.

The concept of use of this equipment assumes that a digital forensic analyst extracts data in the field with the help of Cellebrite UFED Touch 2 and then analyzes it in the laboratory using UFED Physical Analyzer. The laboratory version of the product is two independent software products, UFED 4PC and UFED Physical Analyzer, installed on the digital forensic analyst's computer. At present, this complex supports data extraction from the largest possible number of mobile devices. Some data may be lost by UFED Physical Analyzer during analysis. This is due to old bugs that were more or less fixed in new versions of the program but still occur.

That is why we recommend checking that the data analysis performed by UFED Physical Analyzer was complete. MSAB XRY / MSAB XRY Field is an analogue of the Cellebrite products, developed by the Swedish company Micro Systemation. Unlike the Cellebrite paradigm, Micro Systemation assumes that in most cases its products will be used on desktop computers or laptops. The product is supplied with a branded USB hub of recognizable appearance, a set of adapters, and data cables for connecting different mobile devices. The company also offers the hardware products MSAB XRY Field and MSAB XRY Kiosk, which are designed for data extraction from mobile devices.

These products take the form of a tablet and a kiosk. Practice has shown that they are good for data extraction from obsolescent mobile devices. From a certain moment, hardware tools for chip-off (a method of extracting data directly from a mobile device's memory chip) designed by the Polish company Rusolut became popular. Using the device, we can extract data from damaged mobile devices or from mobile devices locked with a PIN code or pattern lock. Rusolut provides several sets of adapters for data extraction from certain mobile device models, for example a set of adapters for memory chips that are commonly used in 'Chinese mobile phones'. However, the widespread use of user data encryption in top models by mobile device manufacturers has led to this solution gradually losing relevance: it is possible to extract data from the memory chip, but it will be encrypted, and decrypting it is a sophisticated problem.

Following the development of mobile forensics, you can see that mobile device analysis programs developed in parallel with the functionality of mobile devices. Earlier, a digital forensic analyst or the person who ordered the investigation could get only the data from the phone book, SMS, MMS, calls, and graphic and video files; now the digital forensic analyst is asked to extract much more.

In addition to the above, as a rule, you need to extract:
data from messengers;
emails;
browser history;
geolocation data;
deleted files and other deleted information/records.
And this list is constantly expanding.

All of these types of artifacts can be extracted with the software described below. Oxygen Software is one of the best programs for analyzing data extracted from mobile devices. You should use this program if you want to extract the maximum amount of data from a mobile device. Integrated viewers for SQLite databases and plist files allow you to manually examine specific SQLite databases and plist files as thoroughly as you need. Initially, the program was developed for use on computers, so using it on a netbook or tablet (devices with a screen size of 13 inches or less) will be uncomfortable. A feature of the program is its tight binding to the paths where application database files are located. All applications installed on smartphones store their data in one or several files: databases. These databases are located in particular directories. If the location of a database changes after an application update, Oxygen Software will not be able to find the database (as the files of a particular application have to be located at the specified path and nowhere else) and consequently will not extract its data.

That is why the examination of such databases will have to be done manually via the Oxygen Software file browser and auxiliary utilities.

(Figure: the results of examining a mobile device in Oxygen Forensic Suite.)

The trend of recent years is a 'fusion' of program functionality.

Manufacturers that originally developed programs for mobile forensics introduce hard drive examination functionality into their products. Manufacturers of forensic products specialized in hard drive examination add mobile device examination functionality. Both types of manufacturers add data extraction from cloud storage, etc. As a result, we have 'multifunctional programs' with which we can examine mobile devices and hard drives, extract data from cloud storage, and analyze the data extracted from all these sources. In our list of the best programs for mobile forensics such programs take two places: Magnet AXIOM, the program of the Canadian company Magnet Forensics, and Belkasoft Evidence Center, the solution of Belkasoft.

In data extraction these programs are inferior to the software and hardware tools described above, but they are good for data analysis and can be used as a final cross-check that the different types of artifacts were extracted. Both programs are actively developed and are rapidly gaining functionality in mobile device examination.

(Figure: the AXIOM evidence source window for mobile data.)

Tableau T35U is a hardware write-blocker by Tableau that allows examined hard drives to be safely connected to the researcher's computer via a USB 3 bus. This write-blocker has sockets for connecting hard drives via IDE and SATA interfaces (with adapters you can also connect hard drives with other interfaces). A feature of the write-blocker is its ability to emulate 'read-write' operations, which is useful when examining hard drives that contain malicious software. WiebeTech Forensic UltraDock v5 is a hardware write-blocker by CRU.

The functionality of the product is comparable to that of the Tableau T35U. This write-blocker can be connected to the digital forensic analyst's computer via a large number of interfaces (in addition to USB 3, it can be connected via eSATA and FireWire).

If you connect a hard drive whose access is restricted by an ATA password to this write-blocker, a message about the restriction appears on the write-blocker's display. In addition, when a hard drive with a hidden DCO (Device Configuration Overlay) area is connected, this zone is automatically unlocked so that the digital forensic analyst can copy the data in it. Both write-blockers use the USB 3 bus as the main connection, which provides comfortable working conditions for the digital forensic analyst when cloning and analyzing a storage device.

Old stuff for non-routine procedures

Fifteen years ago, the undisputed leaders of computer forensics were EnCase Forensic and AccessData FTK. Their functionality complemented each other and allowed extracting the maximum number of different types of artifacts from the examined devices.

Nowadays, these projects are outsiders on the market. The current functionality of EnCase Forensic does not meet the requirements of modern software for examining computers and servers running Windows. The use of EnCase Forensic remains relevant in 'non-routine' cases: when you need to examine computers running Mac OS or a server running Linux, or to extract data from rare file formats. The undisputed leader in computer forensics is Magnet AXIOM. The program not only develops gradually, but also absorbs entire functional segments: examination of mobile devices, data extraction from cloud storage, examination of devices running macOS, etc.

The program has a user-friendly and functional interface that can be used for investigations related to computer or mobile device security. The analogue of Magnet AXIOM is Belkasoft Evidence Center. Belkasoft Evidence Center allows you to extract and analyze data from mobile devices, cloud storage and hard drives. During examination of hard drives the program can detect encrypted files and partitions and extract files by a specified extension, data from web browsers, chats and information about cloud services, geolocation data, e-mails, social network and payment system data, thumbnails, system files, system logs, etc. It has flexible, customizable functionality for deleted data extraction. Advantages of the program:
a wide range of artifacts that can be extracted from various data storages;
a decent built-in SQLite database viewer;
data collection from remote computers and servers;
integrated functionality for checking detected files via VirusTotal.

The basic configuration of the program has a moderate price. Other modules that extend the functionality of Belkasoft Evidence Center can be purchased separately. In addition to the basic configuration, it is strongly recommended to buy the 'File Systems' module, without which it is not convenient to work with the examined storage devices. As for the disadvantages of the program: the interface is not user-friendly and it is not obvious how to perform certain actions. It takes training to work in the program efficiently.

(Figure: the main Belkasoft Evidence Center window, showing statistics of the forensic artifacts detected during examination of a specific device.)

X-Ways Forensics is conquering the digital forensics market step by step. This program is a Swiss Army knife of computer forensics: multi-functional, accurate, reliable and compact. A feature of the program is its high data processing speed (compared with other programs in this category) and optimal functionality that covers the basic needs of a digital forensic analyst in computer forensics. Nowadays, there is only one leader among such products (hardware tools for drive diagnostics and data recovery) on the digital forensics market: ACELab.


The company produces hardware tools for analysis, diagnostics and recovery of hard drives (PC-3000 Express, PC-3000 Portable, PC-3000 UDMA, PC-3000 SAS), SSDs (PC-3000 SSD complex), USB flash drives (PC-3000 Flash complex) and RAID (PC-3000 Express RAID complexes, PC-3000 UDMA RAID, PC-3000 SAS RAID). ACELab's leadership on the hardware tools market is determined by the high quality of the products mentioned above and by a pricing policy that creates obstacles for competitors who want to enter the market. Despite the large number of recovery programs, both commercial and free, it is hard to find one that correctly and fully recovers different types of files in different file systems. Nowadays, there are only two programs with approximately the same functionality that satisfy the requirements: R-Studio and UFS Explorer. The thousands of other data recovery programs either fall short of these two in functionality or are significantly inferior to them.

Autopsy is a convenient tool for the analysis of computers running Windows and mobile devices running Android. It has a graphical interface. The tool can be used for investigating computer-related cases. PhotoRec is one of the best free programs for data recovery and a good substitute for the commercial analogues. Eric Zimmerman's tools are a set of free tools, each of which examines a specific Windows artifact. As practice has shown, Eric Zimmerman's tools increase the efficiency of a digital forensic analyst's work in the field. Nowadays, these tools are available as a set of programs: Kroll Artifact Parser and Extractor (KAPE). SIFT is a Linux distribution developed and supported by the commercial organization SANS Institute, which specializes in cyber security training and incident response.

SIFT contains a large number of current versions of free programs that can be used both to extract data from various sources and to analyze it. SIFT is used in the trainings that the company conducts, and it is constantly updated. The convenience of working with it is determined by the specific tool in the distribution that the digital forensic analyst uses. Kali Linux is a unique Linux distribution used by digital forensic analysts both for conducting security audits and for conducting investigations.

In 2017, Packt Publishing published the book 'Digital Forensics with Kali Linux' by Shiva V. N. Parasram. The book gives tips on how to copy, examine and analyze computers, storage devices, RAM images and network traffic with the help of the tools included in this distribution.