Perl – ’nuff said; mostly for creating my own tools
Acquisition
FTK Imager – great for opening raw (i.e., dd) images, .E0x files, .vmdk files, etc.; it even allows you to “acquire” other formats to raw/dd. Also great for selectively extracting files from an image when you don’t need everything
dd – from George M. Garner Jr’s Forensic Acquisition Utilities (FAU)
dcfldd – another CLI imaging tool, available for the Windows platform
Tableau TIM – coming Q4, 2009
Raptor – bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let’s just use this one as a placeholder for all bootable Linux CDs…)
Image Mounting
IMDisk – great free tool for mounting Windows images on Windows systems, in read-only mode
VDKWin – another free tool
P2Explorer – from Paraben; free, requires registration
Image Analysis
TSK Tools – I’ve used mmls and fls mostly, but blkls is extremely useful, as well
ProDiscover, Basic Edition – Not a full suite, but very useful
AntiVirus Scanners (ClamWinPortable, SysClean, Malwarebytes)
Timeline Creation Tools (TSK tools, pasco, Perl scripts, etc.) – Perl scripts available from the Win4n6 Yahoo Group
Encrypted Disk Detector and Webpage Saver (Jad Software)
Carving – foremost, scalpel, PhotoRec
DiskDigger – from Dmitry Brant; also check out NTFSWalker
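The timeline tools above (fls from TSK, mactime, and the Perl scripts) all meet at the bodyfile format: one pipe-delimited line per file with the four NTFS timestamps as epoch seconds. The following is an added example, not code from the original post or from TSK; it is in Python rather than the Perl the author favours, and the three bodyfile lines are constructed sample data, not real evidence. It parses TSK 3.x bodyfile lines and produces a mactime-style timeline, merging timestamps that fall on the same second into one "macb" row and dropping zero/unset times, which is where most hand-rolled timeline scripts go wrong:

```python
"""Build a mactime-style timeline from a TSK 3.x bodyfile (fls -m output)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample bodyfile (not real evidence). One line per file, pipe-delimited:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Times are Unix epoch seconds, as fls writes them.
SAMPLE_BODYFILE = """\
0|C:/WINDOWS/Prefetch/CMD.EXE-087B4001.pf|12345-128-1|r/rrwxrwxrwx|0|0|14112|1236000000|1236000000|1236000000|1235000000
0|C:/Documents and Settings/user/bad.exe|12346-128-3|r/rrwxrwxrwx|0|0|65536|1236000120|1235999000|1236000120|1235999000
0|C:/WINDOWS/system32/config/SAM|77-128-1|r/rrwxrwxrwx|0|0|262144|1230000000|1230000000|1230000000|1200000000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid",
          "size", "atime", "mtime", "ctime", "crtime")
# Column letters in mactime's "macb" order and the bodyfile field each one comes from.
MACB = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_bodyfile(text):
    """Parse bodyfile text into a list of dicts; rejects lines with the wrong field count."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        row = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def build_timeline(rows):
    """Return timeline entries sorted by time.

    Each entry is (utc_time, size, macb, mode, uid, gid, inode, name). Like mactime,
    timestamps of the same file that fall on the same second are merged into one
    line (e.g. "mac." when mtime == atime == ctime), and zero/unset times are dropped.
    """
    events = defaultdict(set)          # (epoch, row index) -> set of macb letters
    for idx, row in enumerate(rows):
        for letter, key in MACB:
            if row[key] > 0:
                events[(row[key], idx)].add(letter)

    entries = []
    for (ts, idx) in sorted(events):
        row = rows[idx]
        macb = "".join(letter if letter in events[(ts, idx)] else "."
                       for letter, _ in MACB)
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        entries.append((when, row["size"], macb, row["mode"],
                        row["uid"], row["gid"], row["inode"], row["name"]))
    return entries


def format_timeline(entries):
    """Render entries as CSV in mactime's column order."""
    header = "Date,Size,Type,Mode,UID,GID,Meta,File Name"
    return "\n".join([header] + [",".join(str(f) for f in e) for e in entries])


if __name__ == "__main__":
    print(format_timeline(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))))
```

The times are rendered in UTC on purpose; convert to the system's local zone (from the Registry's TimeZoneInformation key) only at presentation time, otherwise entries from different sources will not line up.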
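foremost, scalpel, PhotoRec and DiskDigger all recover files by signature rather than by file system metadata. The following added example (my own illustration, not code from any of those tools or from the original post) shows the core of that technique over a constructed byte string standing in for a raw image: find each header, cut at the matching footer if one appears within the type's maximum size, otherwise truncate at that size. The signature table and file-name scheme are assumptions modelled on foremost's defaults:

```python
"""Header/footer file carving over a raw byte stream, the way foremost/scalpel do it."""
import os

# Signatures: (type, header bytes, footer bytes, max size). Footer is None for
# types without a reliable trailer; those get cut at max_size.
SIGNATURES = (
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
)

# Constructed sample "image" (not real evidence): filler, a tiny fake JPEG, filler,
# a tiny fake PNG, filler, and a JPEG header whose file is cut off by end of media.
FILLER = b"\x00" * 64
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunks" + b"IEND\xae\x42\x60\x82"
TRUNC_JPG = b"\xff\xd8\xff\xe1" + b"cut off by end of image"
SAMPLE_IMAGE = FILLER + FAKE_JPG + FILLER + FAKE_PNG + FILLER + TRUNC_JPG


def carve(data, signatures=SIGNATURES):
    """Return a list of (type, offset, payload) for every header found in data.

    Carving works on raw bytes with no regard for the file system, so it recovers
    files whose directory entries are gone, and it will just as happily return
    fragments, slack and false hits: validate the output (open it, check the
    structure) before trusting it. Overlapping hits, such as an EXIF thumbnail
    inside a JPEG, are reported separately, as scalpel does.
    """
    found = []
    for ftype, header, footer, max_size in signatures:
        pos = data.find(header)
        while pos != -1:
            window_end = min(len(data), pos + max_size)
            end = None
            if footer is not None:
                f = data.find(footer, pos + len(header), window_end)
                if f != -1:
                    end = f + len(footer)
            if end is None:
                end = window_end                  # no footer in range: truncate at max size
            found.append((ftype, pos, data[pos:end]))
            pos = data.find(header, pos + len(header))
    return sorted(found, key=lambda hit: hit[1])


def write_carved(hits, outdir):
    """Write each hit as <offset>.<type> (foremost-style names); returns the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ftype, offset, payload in hits:
        path = os.path.join(outdir, f"{offset:08d}.{ftype}")
        with open(path, "wb") as fh:
            fh.write(payload)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for ftype, offset, payload in carve(SAMPLE_IMAGE):
        print(f"{ftype} at offset {offset}, {len(payload)} bytes")
```

Two caveats a real carver also has to handle: a file that fragments on disk will be cut at the first footer that belongs to some other file, and a generous max size turns every stray header in slack space into a multi-megabyte output file, so the per-type limit matters.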
File/Document Metadata
Structured Storage Extractor – view contents of structured storage/OLE files; this used to mean just MS Office (pre-2007) documents, but on Windows 7, this now means Sticky Notes, etc.
OffVis (fact sheet)
Office 2007 document metadata (script) – look for cat_open_xml.pl; other tools available, as well
Skype Extractor
PDF Tools – from Didier Stevens; some of Didier’s tools have been incorporated into the VirusTotal site
MSI files – InstEd
Working with Email
Email Conversion Tools – may not be free
AvTech – Perl script
Emailchemy – from Weird Kid Software; demo available
Mail-Cure – free, described here
Aid4Mail – free trial available
Intella – from Vound Software; doesn’t require that Outlook be installed; trial available
Thunderbird – will let you import several email formats, such as .eml and mbox
Mailviewer – imports Microsoft Outlook Express .dbx files, .eml files and Thunderbird mail stores
File Hashing
MD5Deep – also allows for other hashing algorithms
SSDeep – fuzzy hashing; is also incorporated into VirusTotal
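md5deep does two things at once: it walks a tree hashing every file, optionally with several algorithms in one read, and with -m it flags files whose hash is in a known set. The following added example (my own, not md5deep's code or the original post's) reproduces both behaviours in Python; the temporary two-file tree it hashes and the "known bad" set are constructed for the demo, and the single MD5 in that set is simply the hash of the word "hello", standing in for a real hash set:

```python
"""Recursive multi-algorithm hashing with known-hash matching (md5deep/hashdeep style)."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20   # read in 1 MiB pieces so large images never need to fit in RAM
DEFAULT_ALGOS = ("md5", "sha1", "sha256")


def hash_file(path, algos=DEFAULT_ALGOS):
    """Return {algo: hexdigest} for path, reading the file once for all algorithms."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_tree(root, algos=DEFAULT_ALGOS):
    """Walk root like `md5deep -r`; returns a sorted list of (relative path, digests)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # don't follow links out of the evidence tree
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results.append((rel, hash_file(full, algos)))
    return sorted(results)


def match_known(results, known, algo="md5"):
    """Like `md5deep -m`: return the entries whose digest is in the known-hash set."""
    wanted = {h.lower() for h in known}
    return [(rel, d) for rel, d in results if d[algo] in wanted]


def demo():
    """Constructed tree (not real evidence): two files, one of which matches the set."""
    root = tempfile.mkdtemp(prefix="hashdemo_")
    try:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "hello.txt"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(root, "sub", "empty.bin"), "wb"):
            pass                               # zero-length file: hashes still computed
        known_bad = {"5d41402abc4b2a76b9719d911017c592"}   # md5(b"hello"), a stand-in
        results = hash_tree(root)
        return results, match_known(results, known_bad)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    results, hits = demo()
    for rel, digests in results:
        print(digests["md5"], digests["sha256"], rel)
    print("known-hash matches:", [rel for rel, _ in hits])
```

Hashing once for all algorithms is the point of hashdeep over running md5deep several times: on a multi-gigabyte image the disk read dominates, not the hashing.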
Registry Analysis
RegRipper – includes rip, ripXP, and regslack
MiTeC Registry File Viewer
Didier Stevens’ UserAssist
Pwdump7 or SAMInside – great way to get password hashes for cracking
Archive/Compression Utilities
IZArc
PeaZip
Other utilities
ExtractNow
Memory Collection/Analysis
Windd – version 1.3, for x86 and x64, now available
MDD – ManTech’s memory imaging tool; 32-bit, has the 4GB limit
Nigilant32 – from Matt Shannon, F-Response; Windows 2000/XP only
Volatility – XP SP2 and SP3 only
Memoryze – from Mandiant
Packet Analysis
NetworkMiner
WireShark
NetWitness Investigator
Tools for extracting files from streams – not all of the tools listed run on Windows
Browser Analysis
SQLite Spy (for Firefox 3 analysis)
Misc
U3 Launcher Analysis (Tip)
Other Mandiant Tools (Highlighter, Web Historian, etc.)
MIR-ROR – read about it here; great tool from Russ McRee (read Russ’s ISSA toolsmith write-ups on other tools)
ShadowExplorer (Dan Mares’ VSS)
SMPlayer – “for troublesome videos”
Evidence Mover
Windows Search Index Extractor – extracts information from the Windows Desktop Search database (i.e., the Windows.edb file)
Sites
Various thumbnail cache extractor applications can be found here.
NirSoft has a variety of free and useful utilities available.
RedWolf Computer Forensics – various parsing tools
VirusTotal
Any you’d like to add? Comment, or email me.
Addendum:
Prefetch Parser
Fox Analysis - browser analysis
MiTeC Windows Registry Recovery
MiTeC Windows Registry Analyzer (associated guide)
DigestIT 2004 MD5 Hash
Posted by Keydet89 at 6:43 AM
