Digital Forensics Links

A forensics examination requires more than tools. Documentation, preservation of evidence and the ability to interpret the tools and reach supportable conclusions are necessary to ensure the admissibility of evidence in a court of law. If you are not concerned about admissible evidence, then I wouldn’t call it “forensics.” Call it “root cause analysis.” Root cause analysis should be part of your Incident Response procedure. Digital Forensics and Incident Response have many tools in common. Digital Forensics and Incident Response have different procedures. SANS Digital Forensics SANS Investigate Forensic Toolkit (SIFT) Workstation SANS Windows Artifact Analysis [pdf]


See Digital Forensics Articles Links


Prepare Command line process auditing

Enterprise-class Incident Response Tools

  • TheHive – a purpose built case management system to facilitate the investigation of security incidents. Chris Sanders article about TheHive.
  • Demisto – case management
  • SCOT – Sandia Cyber Omni Tracker case management
  • Pro Discover (Technology Pathways)
  • EnCase Enterprise (Guidance)
  • MIR (Mandiant)
  • Access Data Enterprise (Access Data)
  • Triage ID (ADF Solutions)




  • You’ll need a binary editor. Consider Bless Hex Editor.
  • University of Massachusetts Recommended List of Tools for Incident Detection and Eradication [pdf]
  • DFIR Training searchable database of training
  • SIFT Workstation (SANS) a VMWare appliance pre-configured with tools for a forensic examination
  • SiLK, the System for Internet-Level Knowledge, is a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The SiLK tool suite supports the efficient collection, storage, and analysis of network flow data, enabling network security analysts to rapidly query large historical traffic data sets. SiLK is ideally suited for analyzing traffic on the backbone or border of a large, distributed enterprise or mid-sized ISP.
  • The ThreatHunting Project – Here you will find links to a number of different published hunting procedures. It my hope that this will give you some concrete starting points, or if you are an experienced hunter, help you find additional techniques to add to your repertoire.
  • Talon Enhanced imaging device
  • CellXtract mobile device data extraction
  • iPhone Forensics from Infosec Institute
  • Mobile or cell phone forensics from Oxygen Forensic® Passware® Analyst
  • Forensic Acquisition Utilities is a collection of utilities and libraries intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment.
  • Digital Forensics utilities in the Forensics Wiki
  • The Open Source Digital Forensics site is a reference for the use of open source software in digital investigations (a.k.a. digital forensics, computer forensics, incident response). Open source tools may have a legal benefit over closed source tools because they have a documented procedure and allow the investigator to verify that a tool does what it claims.
  • DEFT Linux is a computer forensics live CD for Computer Forensics, Mobile Forensics, Network Forensics, Incident Response and Cyber Intelligence. DEFT 7 comprises:
    • a GNU/Linux based system optimized for Computer Forensics and Cyber Intelligence activities, installable or able to run in live mode;
    • DART (Digital Advanced Response Toolkit) is a graphical user interface that handles – in a save environment – the execution of “Incident Response” and Live Forensics tools.
  • Malware Forensic Field Guides: Toolbox list of digital forensics utilities
  • list of digital forensics utilities
  • list of digital forensics utilities
  • Forensic Control list of digital forensics utilities
  • GCK’s Cybercrime and Cyberforensics-related URLs Gary Kessler
  • Cromwell International list of digital forensics utilities
  • Digital Forensics links from Dave Dittrich (
  • Digital Forensics procedures and utilities from CERT
  • Digital Forensics procedures and utilities from
  • Digital Forensics procedures and utilities from Dave Kleiman
  • Open Digital Evidence Search and Seizure Architecture (ODESSA)  last updated 21 may 03
    • Open Data Duplicator (ODD):
      • a set of custom Linux boot disks, originally based on the Trinux security distribution, that allow an investigator to boot an Intel, PPC, or Sparc based computer system into a trusted environment.
      • a client and server application used to copy the contents of a file (or device) from one location to another, generally used to make a bit-image or forensic copy of a device.
      • ODD supports both local or remote transfers over a network. ODD supports the use of plugins, which are dynamically loaded at runtime and allows examination of the data (keyword search, hash, etc.) concurrent to the data transfer. At this time, only the source for the client and server applications has been posted.
    • Galleta, a tool for analyzing Internet Explorer cookies,
    • Pasco, a tool for analyzing the Microsoft Windows index.dat file,
    • Rifiuti, a tool for investigating the Microsoft Windows recycle bin info2 file. See rifiuti2 as well.
  • Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency[KLPD/Dutch]. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
  • int for(ensic){blog;} Notes on computer forensics – international edition
  • CAINE Live CD Computer Aided INvestigative Environment (CAINE) is a GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS), supported by the University of Modena and Reggio.
  • Many Digital Forensics or Incident Response and Penetration Testing tools have been implemented as part of Live CD Linux distributions. See Kali Linux, BackTrackMatriux, Helix, SMART Linux, F.I.R.E., Penguin Sleuth, PLAC, and Plan-B. Kali Linux, BackTrack and Matriux can also be implemented as your primary operating system.
  • Santoku Linux is crafted specifically for Mobile Forensics, Mobile Malware Analysis, and Mobile Security Testing.
  • Troy Larson’s instructions help build your own Live CD Windows Forensic Environment (FE) CD based upon Windows Pre-installation Environment (PE).
  • WindowsSCOPE applications include cyber defense, cyber attack detection, digital forensics, and memory forensics, memory behavior analysis for windows applications and reverse engineering activities, along with manual access and automated analysis.
  • log2timeline Root cause analysis. Review many Mac OS X or Windows artifacts to construct a sequence of events.
  • From QCC Information Security
    • CaseNotes is a lightweight application to allow forensic analysts and examiners of any discipline to securely record their contemporaneous notes electronically.
    • VideoTriage uses the VLC libraries to produce thumbnails of movie files.
    • FragView allows a recursive list of html, jpg and Flash files to be viewed in an adjacent pane without having to manually navigate to each one and open it. A great time saver, especially for previewing exported webmail fragments!
  • The Sleuth Kit (TSK) file system forensic analysis, with “how to” information in their Wiki
  • Tim Mugherini presents NTFS MFT Timelines and Malware Analysis
  • Tools used in Analysis of hidden data in NTFS file system Cheong Kai Wee
    • Tools used to hide data:
      • RunTime’s DiskExplorer for NTFS v2.31
      • Command window to create alternate data streams (ADS). That is, to hide the file “slacker.exe” in an alternate data stream (ADS) of abcd.txt, and call this hidden copy “hahaha”: type slacker.exe > h:\abcd.txt:hahaha
    • Tools used to find data:
      • chkdsk
      • Sleuth Kit 2.02
      • Foremost to carve executable files from unallocated disk space
      • comeforth 1.00
      • dd
      • hexedit
      • strings
  • AFind, part of the Foundstone Forensic Toolkit™, lists files by their last access time without tampering with the data the way right-clicking on file properties in Explorer will. To determine user activity even if file logging has not been enabled, use ntlast or psloglist or WEvtUtil to determine log in and log off times and AFind to search for file access times between the time frames. Windows Vista disables recording last access time with the following registry entry: HKEY_LOCAL-MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\ ”NtfsDisableLastAccessUpdate”=1
  • Audit Viewer from Mandiant is an open source tool that allows users to examine the results of Memoryze’s analysis. Audit Viewer allows the incident responder or forensic analyst to quickly view complex XML output in an easily readable format. Using familiar grouping of data and search capabilities, Audit Viewer makes memory analysis quicker and more intuitive. (Mandiant Community Resources Software Downloads)
  • The Autopsy Forensic Browser is an HTML-based graphical interface to The Sleuth Kit and standard UNIX utilities. Autopsy automates many of the tasks required during a digital forensic analysis using the TASK collection of powerful command line tools as a foundation. Since this graphical interface is separate from the file system tools, an investigator can still use a command line interface if Autopsy cannot accomplish the desired outcome.
  • BinText, part of the Foundstone Forensic Toolkit™, is a small and fast text extractor which can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional “advanced” view mode. Its filtering helps prevent unwanted text from being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.
  • Drive Prophet from Guardian is an Information Collection tool that gives you instant access to dozens of critical reports about a targeted computer and it’s users. User Information, Internet History, USB Device History, Pictures and Graphics Reports, Operating System Information, Computer Usage History, Windows Thumbs.db and Vista.Thumbs reports, User Activity, Installed Applications, Documents No installation required. Runs from the provided USB Stick. Save reports on the Drive Prophet USB drive for portability. Frequent updates to stay abreast of Internet browser changes.
  • From TZWorks LLC (for Windows, Linux and Mac OS X; 32-bit and 64-bit)
    • Artifact Analysis Windows Prefetch Parser (pf) Windows ‘index.dat’ Parser (id) Windows LNK Parsing Utility (lp) Windows USB Storage Parser (usp) Windows Jump List Parser (jmp)
    • Registry and Event Log Analysis Yet Another Registry Utility (yaru) Windows Event Log Viewer (evtx_view) Windows ShellBag Parser (sbag) Computer Account Forensic Artifact Extractor (cafae) Windows Event Log Parser (evtwalk) Windows AppCompatibility Cache Utility (wacu)
    • NTFS Filesystem Analysis Windows Journal Parser (jp) NTFS Directory Enumerator (ntfsdir) NTFS File Copy Utility (ntfscopy) Windows $MFT and NTFS Metadata Extractor Tool (ntfswalk) Windows INDX Slack Parser (wisp) Graphical Engine for NTFS Analysis (gena)
    • Network Support Utilities DNS Query Utility (dqu) Packet Capture ICMP Carver (pic) Network Xfer Client/Server Utility (nx)
    • Portable Executable Utilities Windows Portable Executable Viewer (pe_view) Portable Executable Scanner (pescan)
    • Miscellaneous Tools Volume Shadow Snapshot Enumerator (vssenum) Windows Symbol Fetch Utility (sf)
  • From RedWolf Computer Forensics:
    • CSC_Parser Parse the Client side cache Directory and restore the files
    • gmail-offline-parser Parse the Gmail Offline folder and display the emails
    • Internet-History Parse the IE files (cookies, index.dat, history) and display reports
    • Internet-Parser Parse Flock, Chrome, and Firefox browsers and display reports
    • Itunes-parser Parse an Itunes library and determine Email address songs were registered to
    • Prefetch-Parser Parse the prefetch files and display information
    • Skype-Parser Parse Skype Logs
    • Apache-Log-Parser Parse Apache logs and report on them
    • IIS-Log-Parser Parse IIS Logs and report on them
    • Vista-thumbcache-parser Parse the Vista thumbcache files
    • Thumbnail_html Read a directory of graphics and create a webpage to display them plus display EXIF info
    • Date-Time Pick a time and convert to a new time zone
    • Recycle-Bin Parse the Recycle bin and output information on it.
    • Office-metadata-parser Parse Microsoft office documents and report on it.
    • Temporal Analysis For MFT Ripper Time line analysis for MFT Ripper – Works with Free version – working on making it work with paid version of MFT Ripper
  • From Mike’s Forensic Tools:
    • MFT Runtime – Following recent requests for CPS, this software quickly totals up the runtime of either individual video clips or a collection of video clips held in recursive folders. Exports to a detailed report.
    • MFT PictureBox – Will recursively read directories and extract EXIF data out of any JPGs they contain. This info is displayed in a sortable grid for quick side by side comparison of the data, for example Camera Make, date taken or location. Exports to Excel as well as Google Earth if GPS EXIF data is found.
    • MFT MSN – resolves email address to Microsoft Messenger/Live ID and vice versa. Allows you to really find out who is talking to whom.
    • MFT Hex Chomper – parses through a block of raw HEX to find any valid dates in a specified range. Many time and date formats applied on selection.
    • MFT Switch-a-Roo – is a simple text replacement tool, it removed the dots from unicode text, allows custom replacements and decodes URL and HTML encoding.
    • MFT Stampede – is a quick time and date converter, instead of having to work out the type of date you want to convert just copy in the HEX or the string and Stampede will work it out for you, as long as it is valid of course.
    • MFT Simple NA – a cut down viewer to allow quick and simple access to NetAnalysis Workspaces. Allow the viewer to remove surplus entries such as iecompat and ietld and many others, so the viewer can focus on the evidential entries.
    • MFT Runtime – software for cataloging movies, creating an individual running total for each the movies that is totalled up to give a full account of the runtimes.
    • MFT Cookie Monster – a listing tool that parses Cookie.plists from Apple iPhones to give a printable/end user readable account of Internet history.
    • MFT PictureBox – when pointed at a folder of images, this allows the viewer to see EXIF data of the images side by side to quickly establish any links or patterns across the images.
  • From Sanderson Forensics
    • Reconnoitre. Forensic Image Viewer (FIV) is a tool for processing and reporting of still images (JPG’s, PNG’s, GIf’s etc.)
    • SQLite Forensic Toolkit, Forensic Browser for SQLite discovers deleted records and more.
    • SkypeAlyzer
    • LinkAlyzer
    • VidReport
    • RevEnge
  • Windows Secret Explorer – Protected Storage Explorer and Computer Forensics Tool
  • ZZEE ZZEE Art Directory Print
  • CnW Recovery Digital Forensics tools
  • woanware Digital Forensics tools
  • Cain & Abel password recovery toolkit for Windows
  • The Coroner’s Toolkit (TCT) ( or is an open source forensic toolkit for gathering and analyzing forensic data on a Unix system.
  • DCode decode the various date/time values found embedded within binary and other file types
  • dd command line utility for disk imaging and restoration
  • Live View (developed by CERT, Software Engineering Institute) is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.
  • DiskExplorer for NTFS NTFS file system examination
  • EnCase from Guidance Software digital forensics software
  • The F-Response tool by Agile enables the Incident Handler/Investigator to use all the customary tools their familiar with, but enables them to be used over the network. By using the F-Secure Tool, you can “see” the remote memory and attached disk(s) as if they were connected to your local forensic machine. This enables you to use your traditional tools to image, view and analyze the remote disk(s).
  • A live acquisition:

mdd.exe -o image-name

netstat -nao



  • Memory Analysis Q-Cert Workshop by Matthew Geiger [pdf]
  • mdd (no longer publicly distributed through Mantech) dump memory. Do not overwrite evidence when creating the memory image. Write it to your own device. (ERROR: Vista 64-bit and above require a signed driver file)

mdd.exe -o image-name

  • Winen (EnCase) dump memory
  • MoonSols DumpIt is a fusion of win32dd and win64dd in one executable.
  • MoonSols Windows Memory Toolkit had been designed to deal with Microsoft Windows hibernation file (from Microsoft Windows XP to Microsoft Windows 7 in both 32-bits and 64-bits (x64) Editions), Microsoft full memory crashdump (in both 32-bits and 64-bits (x64) Editions), and raw memory dump files (from memory acquisition tools like win32dd or win64dd, or Virtualization application like VMWare). Moreover, MoonSols Windows Memory Toolkit also contains new version of win32dd and win64dd.
  • Forensic Acquisition Utilities (FAU) by George M. Garner Jr., includes:
    • a Windows-based dd command that can dump memory: dd.exe if=\\.\physicalmemory of=f:\win2khost-physicalmemory.dd bs=4096
    • Volume_dump.exe: An original utility to dump volume information and drive information and USN journals.
    • FMData.exe: An original utility to collect files system metadata, to produce and verify security catalogs (cryptographic hash sets) using one or more cryptographic hash algorithms and to verify system binaries using the system file checker (SFC) API.
    • Wipe.exe: An original utility to sterilize media prior to forensic duplication.
    • Nc.exe: A completely new implementation of the popular Netcat utility inspired by the original version created by Hobbit.
    • Zlib.dll: The latest version of Jean-loup Gailly and Mark Adler’s Zlib (currently version 1.2.3).
    • Bzip2.dll: The latest version of J. Seward’s bzip2 library (currently 1.0.4).
    • Boost_regex-vc80-mt-1_34_1.dll: Boost’s regular expression library.
    • Fauerror_xxx.dll: A series of dynamic link libraries (dll’s) that contain the localized language strings for Forensic Acquisition Utilities (FAU) output. There is one dll for each locale supported by the FAU.
  • KntTools and KnTList (George Garner) memory acquisition and analysis suite
  • PTFinder by Andreas Schuster
  • Volatility by AAron Walters and Nick Pedroni Jr.
  • Windows Memory Forensic Toolkit by Mariusz Burdach
  • Memory tools by Harlan Carvey
  • Memparser by Chris Betz
  • Win32dd (Matthieu Suiche) dump memory
  • Free Security Tools from HBGary
    • Responder™ Community Edition provides the most thorough and comprehensive memory analysis capability in the industry. Responder™ Community Edition virtually rebuilds all the underlying data structures up to 6 gigabytes of RAM. This includes all physical to virtual address mappings, recreates the object manager, exposes all objects, and enables investigators to perform a complete and comprehensive computer investigation.
    • AcroScrub provides enterprise network administrators a quick and easy way to discover which users and end-node computers in their organization are potentially susceptible to a PDF-based spearphishing attack. AcroScrub scans without using agents, and utilizes built-in Windows networking to scan for old and vulnerable installations of Adobe Acrobat Reader.
    • Fastdump is the industry’s most forensically sound Windows™ memory dumping utility. Fastdump has a memory footprint that is far less than other tools such as Helix/DD. All required code is statically linked so no additional DLL’s are loaded. The final executable size is only 80K.
    • Flypaper is an invaluable tool in your fight against malware. Most malware is designed into two or three stage deployment. First, a dropper program will launch a second program, and then delete itself. The second program may take additional steps, such as injecting DLL’s into other processes, loading a rootkit, etc. These steps are taken quickly, and it can be difficult for an analyst to capture all of the binaries used in the deployment. HBGary Flypaper solves this problem for the analyst.
    • FingerPrint is the industry’s first tool that will allow individuals to track a piece of malware based upon compile time, programming language used, language & compiler version, etc. This can be used for developer attribution and strain indentification. Fingerprint is open-source so you can extend the matching capabilities.
    • The FGET tool forensically extracts files from raw NTFS volumes on remote windows systems in your domain. This tool works over the network and can extract any file (including those that are locked and in-use) in a forensically sound manner, without altering target filetimes or attributes. In particular, the tool can be used to extract files that are critical to timeline reconstruction.
  • F-Response (Agile, v2, creates possibility to use any imaging tool) dump memory
  • Forensic Toolkit (FTK) from AccessData digital forensics software, now with malware analysis
  • FTK Imager from Access Data. Creating the image is free. Using FTK Imager [swf] (from Edmonds Community College).
  • Freeware (including forensics), online tools, PHP scripts, articles
  • Intella Mail system forensics
  • read Instant Messenger (IM) logs
  • IsoBuster CD examination utility
  • LADS command line utility to find NTFS alternate data stream files
  • Maresware suite, Linux Computer Forensics, validation tools and others
  • Memoryze from Mandiant is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.
    1. Dump memory of a compromised machine (or several).
    2. Analyze the dump using Memorzye with Audit Viewer (Full Audit).
    3. Build your IOC.
    4. Use IOCFinder with the IOC you have created against the Memorzye\AuditViewer directory.

    Then you can run IOCFinder on multiple machines to collect the information and run it again against the Audit directory.

  • MiTeC Windows Registry Analyzer
  • Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.
  • Paraben Forensics
  • Passmark OSForensics
  • Passware password recovery software
  • Process Dumper (pd) and Memory Parser (mmp) Tobias Klein research and tools for memory analysis
  • Registrar Registry Manager from Resplendence Windows registry viewer
  • RegistryReport RegistryReport doesn’t process the Registry files of the running operating system. To get information from the running system, use SystemReport. With the application RegistryViewer you can view raw Registry files like in the Windows Registry editor.
  • RegRipper Harlan Carvey’s RegRipper
  • RegViewer
  • Registry Viewer from AccessData
  • Restore Point Analyzer from Mandiant
  • Revelation password recovery software
  • Scalpel data carving software Scalpel is a (free) file carver that reads a database of header and footer definitions (signatures) and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
  • sha_verify command line utility to compute MD5/SHA hashes
  • Simple Carver inexpensive data carving and file recovery software
  • Simple Carver Windows Search Index Extractor is a tool designed to extract information contained within the Windows Desktop Search database (windows.edb) file. The windows.edb file can contain names, usernames, email messages, email addresses, documents, spreadsheet information and file property information stored by the Windows Indexing Search service.
  • Simple Carver vidpreview This is a free tool for batch previewing video files, it creates a html summary page of upto 25 frames per video. Usage: Copy out all videos from a case, point this tool at the export folder, and leave to work away. When complete review html pages. There are no limitations to this version and you are welcome to distribute to anyone who might find this a useful addition to the toolkit.
  • Skypex carve Skype chats from memory dumps (program requires Python)
  • Sleuth Kit (TSK) & Autopsy: Digital Investigation Tools for Linux, Unix, and Windows TSK is a C library and a collection of command line tools (based on code from The Coroner’s Toolkit (TCT)). Autopsy is a graphical interface to TSK.
  • Techpathways ProDiscover Investigator, Forensics, Incident Response, Other tools
  • TrID identifies file types from their binary signatures. Given a carved file, what application created it?
  • Vere Software
  • Windows File Analyzer Analyze Thumbs.db, the Prefetch folder, shortcut files, Index.Dat files, Info2 (Recycle Bin) files
  • Windows Forensic Toolkit™ (WFT) from Fool Moon Software is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system. WFT is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound manner.
  • Windows Incident Response (IR) and Computer Forensics (CF) Tools Harlan Carvey
  • WinHex from X-Ways digital forensics & data recovery software, hex editor & disk editor
  • Shadow Analyser from UK computer forensics firm Disklabs speeds up the forensic analysis of ‘Volume Shadow Copies’ (VSC) of suspect Windows computers.
  • Reconnoitre is a forensic application designed to make working with files within a Volume Shadow Copy as easy as working with a file in any image.
  • CnW Recovery carver
  • PhotoRec carves txt, html, doc, asf, avi, jpg, tiff, png, rm, mpg, mp4, midi, mov, plist, mkv, vlc, mp3, pdf, java, xml, zip, rar, cab, csv, elf, riff, torrent, exe, dll, sys files from free space
  • DataLifter v2.0 ($ 140.00) with File Extractor for carving files using signatures you can specify
  • ISOBuster v1.5 ($ 25.95) CD and DVD recovery
  • Quick View Plus 8
  • BadCopy Pro Data recovery
  • Elcomsoft Application password cracking
  • iOS Forensic Toolkit from Elcomsoft enables access to protected file system dumps extracted from supported Apple devices even if the original device passcode is unknown.
  • iPhone users can back up the content of their device (including contacts, pictures, call logs, email, accounts and passwords, text messages, calendars, appointments, organizer information and Web browsing history including URLs of recently visited sites) to their local computer or to cloud storage maintained by Apple (iCloud). Various sources quote the service has as many as 125 million users as of April 2012.Elcomsoft Phone Password Breakerenables (forensic) access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms. The password recovery tool supports all Blackberry smartphones as well as Apple devices running iOS including iPhone, iPad and iPod Touch devices of all generations released to date, including the iPhone 4S and iOS 5.ElcomSoft updated its Phone Password Breaker with the ability to retrieve user data from iCloud. No lengthy attacks and no physical access to an iPhone device are required: the data is downloaded directly onto the investigators’ computers from Apple remote storage facilities in plain, unencrypted form. Backups to multiple devices registered with the same Apple ID can be effortlessly retrieved. Investigators need to know the user’s original Apple ID and password (or guess the password) in order to gain access to online backups.
  • Facebook Password Extractor (FPE) from Elcomsoft
  • EnCase 4.0 duplication and analysis of media
  • ICS-IQ
  • MaresWare
  • Metadata Assistant
  • Multi Password Recovery (MPR) Application password cracking
  • ProDiscover
  • SnagIT
  • WhereIsIP
  • WinImage
  • BinText
  • Coroner’s Toolkit
  • elfcmp
  • Faust
  • Fenris
  • FileMon
  • Foremost
  • getattach
  • Gpart
  • Keyfinder
  • LSOF
  • LordPE
  • mac-robber
  • Magic Rescue
  • mboxgrep
  • md5deep
  • memfetch
  • memdump
  • Oxygen Phone Manager II
  • PEiD
  • ProcDump32
  • procshow
  • PyFlag
  • readpst
  • RegMon
  • Regshot
  • sdd
  • Sleuthkit
  • TDImon
  • Dropbox Reader is a suite of command-line tools for parsing configuration and cache files associated with the Dropbox cloud storage software. These Python tools can run on Windows, Macintosh, and Linux systems.
  • Google Maps Tile Investigator (GMTI) recovers tile files left behind on a computer. Investigators can gain insight into a person’s location searches in Google Maps.
  • Belkasoft Evidence Center can detect and retrieve instant messenger communications and chat histories, social networking and webmail communications, multi-user online game chats, Web browsing history, peer-to-peer file transfers and online file exchange in 240+ formats.
  • Internet Evidence Finder (IEF) is used for the recovery of Internet-related data from computer hard drives and live memory. IEF recovers over 200 different artifact types including social networking communications, instant messenger chats, web browser history, webmail, cloud files, P2P file sharing apps, and pictures and videos.
  • The National Technical Assistance Centre (NTAC) offers Nevis, their encryption-detection software, free of charge to all UK Law Enforcement and Government Departments. Nevis runs over seized media to flag any encrypted files or encryption-related files, outputting a report to allow investigators to quickly identify any files of interest. Nevis is available as a stand-alone Java application and an EnCase 6 EnScript (beta version) with plans for EnCase 7 in the pipeline. If you would like to use Nevis please email for details and download link.

Images (pictures)

  • IrfanView and Plugins (specifically, the EXIF plugin) a graphics viewer which can reveal JPEG details
  • Adroit Photo Forensics 2010 find and reassemble fragmented photos
  • Tag Examiner from EvGator can be used to search for images that contain GPS coordinates (geo-tags) embedded by the device that took the image. The metadata is contained in the Exchangeable Image File (EXIF) metadata format. EviGator is targeting the tool forensic investigators who need to quickly review large numbers of images to identify those relevant to a case. When images are found to contain geo-tags, the tool will display a map of the recovered coordinates.
stegoarchive list of steganography tools
JPHide and JPSeek steganography
SuperStorm Hide any file inside any picture, audio, video or executable file, and more!
WetStone Gargoyle STEG analysis tool
Gargoyle STEG analysis tool
Info Stego Hide information (watermark, copyright mark) in a file
S-Tools free, hide information in .bmp, .gif and .wav files
JSteg free, hide information in .jpg files
Puff hides information in a number of file formats using different types of encryption
Invisible Secrets hides information in .jpg, .png, .html and .wav files
JPHS STEG analysis tool
Camouflage STEG analysis tool
Stego Suite STEG analysis tools
CameraShy free, scan the Internet for hidden data
Gifshuffle command line tool to hide information in .gif files
Church of the Swimming Elephant Steganography tools

Digital Forensics Duplication

First choice: a hardware device, such as Hardcopy or Logicube. Next choice: FTK Imager or DD. There are a lot of imaging tools on the market and many/most are free to use. Specifically, both the Encase and FTK imaging tools are free to use. Make two passes over the subject drive. The first pass is to capture the image and calculate a series of hashes. (We do a hash for every 2 GB segment.) Then run a second pass over the subject drive to verify each of the 2 GB hashes. We have found failures on the second pass numerous times that were caused with issues with our capture computer (ie. bad cables/ram/ide controller). Effectively every time we do a two-pass capture we are performing a self test of our capture computer. On those occasions that the subject drive has failures we can feel assured that our equipment is not causing the issue. That is, anytime we experience problems with a capture we capture another drive. If the second capture succeeds we know our equipment is good. If it fails we know we have a issue with our equipment.

For drives smaller than 128GB you can use diskstat from the sleuthkit (free) to verify that the HPA was opened up. With drives bigger than 128GB the LBA is normally printed on the paper label and from /sys/block/hdx/size (IIRC) you can verify that Linux sees all the sectors. If the HPA was not opened, you can use setmax ( to open up the HPA. I’ve never tested setmax with a >128GB drive, so don’t be surprised if it does not work.

Virtual Machines

CyLR: Live Response Collection tool by Alan Orlikoski and Jason Yegge or F-Response / X-Ways.

CDQR: Cold Disk Quick Response tool by Alan Orlikoski

CyLR: CDQR Forensics Virtual Machine (CCF-VM) by Alan Orlikoski

For VMware, pause/suspend the VM. Collect memory by copying the .vmem/.vmss file(s). With vCenter, find the VM, go to Properties and find where the storage is located (datastore, snapshots, etc). Files are there. If you paused, use imageinfo to verify and Volatility to process the .vmem file. To process a suspended VM in Volatility or Rekall, you may need to convert the vmss file along with the vmem file to raw using (or another tool such as bin2dmp.exe, etc). See also

Google Rapid Response (GRR –

Web Browser Utilities

See Web Browser Forensics.

Mobile Digital Forensics

Windows Registry keys


Effect Registry key Setting
formatting and ejecting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "allocatedasd"="2"
CD Burning Policy HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoCDBurning"=dword:00000001
RDP Connections HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client Keys indicate remote desktops connected to
Disable last access time HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\ ”NtfsDisableLastAccessUpdate”=dword:00000001
Disable administrative shares HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters "AutoShareServer"=dword:00000000 "AutoShareWks"=dword:00000000
Disable USB drives HKLM\SYSTEM\CurrentControlSet\Services\UsbStor "Start"=dword:00000004
Self-issued (stand alone) EFS certificate HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\EFS\CurrentKeys\CertificateHash Module 5 p 26

Digital Forensics Lab Equipment

search for “Hank Wolfe” a Tech Station, gives easy acccess to PCI slots so you can add and remove cards and easy access to hard drives. Disk Imaging Hardware Device – Solo III Forensics Software – FTK EditPad Pro for logs self sealing anti-static evidence bags for hard drives and other small electronics. or for forensic supplies Corporate Security Supply Ltd 800-563-5566 Secur-Pak evidence bags

Digital Forensics Kit

  • David Kovar’s Digital Media Collections Kit
  • Chain of custody documents
  • Evidence bags
  • anti-static bags for acquired disk drives
  • camera
  • bound log book with numbered pages
  • paper clips (eject disks)
  • laptop with imaging and live view software
  • engagement documents in soft copy
  • assortment of write blockers
  • external disk drive(s)
  • assorted tools including 80 piece security bit screwdriver kit
  • reading glasses, magnifying glass
  • business cards, notepad, sticky notes, pens, pencils, markers
  • surge-protected power strip

Forensic Examination of Computers and Digital and Electronic Media

IACIS® has established the following as a guide for forensic computer and digital evidence examinations. All computer and digital media examinations are different: The examiner must consider the totality of the circumstances as he/she proceeds. So, then, not all components here may be needed in every situation, and examiners may need to adjust to unusual or unexpected conditions in the field. Cases involving computers and other electronic devices are borderless. Multiple jurisdictions and agencies may be involved in investigative and analytical activities, and each agency or jurisdiction may employ specific procedures. This document, then, is not intended to supercede or conflict with jurisdiction or agency policies or procedures. Rather it is a foundation document that outlines general principles. Guide for Forensic Examinations Computer system components and other electronic devices (including digital and electronic media) are items of evidence just like any other items of evidence. As such it is incumbent upon the examiner to follow agency procedures for documenting the receipt and handling of the items. The computer system and/or the media should be examined physically and an inventory of hardware components noted. Documentation should include a physical description and detailed notation of any irregularities, peculiarities, identifying markings, and numberings. When examining a computer the system date and time should be collected, preferably from the BIOS setup. The date and time should be compared to a reliable known time source and any differences noted. If the BIOS setup information is accessible then drive parameters and boot order should be noted. Depending on the BIOS other information such as system serial numbers, component serial numbers, hardware component hashes, etc. should be noted. Examination of media should be conducted in a forensically sound examination environment. A forensically sound examination environment is one which is completely under the control of the examiner: No actions are taken without the examiner permitting them to happen; and when the examiner permits or causes an action he/she can predict with reasonable certainty what the outcome of the action will be. Examiners may choose to employ a forensically sound operating system. The use of physical write-blocking devices or software write-blocking devices may be used in operating system environments that are not forensically sound. Conducting an examination on the original evidence media should be avoided. Rather, examinations should be conducted on a forensic copy of the original evidence, or via forensic evidence files. Properly prepared media should be used when making forensic copies to insure no commingling of data from different cases. Properly prepared media is that which has been completely overwritten with a known character. Regardless of whether the examiner performs a direct device–to-device copy of the media or creates forensic evidence copies for examination or restoration, the copy process should be forensically sound. Examination of the media should be completed logically and systematically by starting where the data of evidentiary value is most likely to be found. These locations will vary depending on the nature and scope of the case. Examples of items to be noted might include:

  • If the media is a hard drive the number and type of partitions should be noted.
  • If the media is an optical disc then the number of sessions should be noted.
  • File systems on the media should be noted.
  • A full directory listing should be made to include folder structure, filenames, date/time stamps, logical file sizes, etc..
  • Installed operating systems should be noted.
  • User created files should be examined using native applications, file viewers, or hex viewers. This includes such files as text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound and other multimedia files, etc..
  • Operating system files and application created files should be examined, if present. This would include, but is not limited to: Boot files, registry files, swap files, temporary files, cache files, history files, log files, etc..
  • Installed applications should be noted.
  • File hash comparisons may be used to exclude or include files for examination.
  • Unused and unallocated space on each volume should be examined for previously deleted data, deleted folders, slack space data, intentionally placed data. Previously deleted filenames of apparent evidentiary value should be noted. Files may be automatically carved out of the unallocated portion of the unused space based upon known file headers.
  • Keyword searches may be conducted to identify files or areas of the drive that might contain data of evidentiary value and to narrow the examination scope.
  • The system area of the volume (i.e. FAT, MFT, etc.) should be examined and any irregularities or peculiarities noted.
  • Examination of areas of the media that are not normally accessible such as extra tracks or sectors on a floppy disk, or a host-protected area on a hard drive may be required.
  • To facilitate examination of data, user settings, device and software functionality, etc. the computer may be booted using either a copy of the boot drive or by using a protected device on the original device to determined functionality of the hardware and/or software.
  • The forensic software used during the examination should be noted by its version and should be used in accordance with the vendors licensing agreement. The software should also be properly tested and validated for its forensic use by the examiner or the examiner’s agency.
  • At the conclusion of the examination process sufficient notation of any discovered material of an apparent incriminating or exculpatory evidentiary nature should be made.

Sufficient documentation should be made of all standard procedures and processes initiated as well as detailed notation of any variations made to the standard procedures. Any output of the recovered data should be properly marked with appropriate identifiers in accordance with policies from the examiner’s agency.


  • Does the file contain _PID_GUID? That’s the MAC address of the (orginator?) (last editor?)

How can you determine the actual date of defragging of a recently defragged Win XP system? Look for the write date on the associated pre-fetch file. (E.g., C:\WINDOWS\Prefetch\ was created and modified Yesterday, October 07, 2006, 8:05:10 AM). To determine if user initiated and not system initiated look for the write date on LNK file associated with disk defrag utility. (No defrag*.lnk file found.) I did not initiate a defrag yesterday, so this should indicate a System initiated defrag. The date and times on the pre-fetch files are generally a good indication of the last time an application has been run (and in fact, you can even determine the number of times something has been run by parsing the prefetch file). However, you need to be very careful surrounding the defrag process in Windows XP and using the prefetch dates as the prefetch process itself uses Window’s own defrag.exe to manage and optimize the prefetch startup process. In essence, a plain vanilla install of Windows XP will exhibit the running of the defrag process independent of the user running it. One of my partners was involved in a case wherein another expert incorrectly interpreted the prefetch information with respect to defragging of a computer because of this exact automated process. A better test is to ascertain the modified date of the layout.ini and determine if it matches (or is within a minute or two) of the defrag.exe prefetch file. From the testing that we have conducted, when XP goes through the optimization process and as a result runs the defrag process automatically, the modified date of the layout.ini and the modified date of the corresponding defrag application will be the same. On the other hand, when these dates are not the same, the date on the corresponding prefetch file will give you the date/time that the process was user initiated. What’s in your field kit? suggested items from The Official EnCE EnCase Certified Examiner Study Guide (Copyright C 2006 by Wiley Publishing, Inc., Indianapolis, IN). The list is from Chapter 3 – First Response: Deciding What to Take With You Before You Leave (pp. 82, 83). Of course, since it is a study guide for EnCase, the list only mentions Guidance Software’s tools specifically. With the discussions lately about the hassles of traveling with your tools, I thought some of you might find this list interesting. Your goal in creating your list will be to replicate your lab function on a smaller scale for portability and field use. Here are some suggested items as a starting point for you to use to create your own lists:

  • Toolkits. A computer field technician service kit is a nice start. Include cable ties. Consider also a set of the star head attachments for the hard-to-open devices.
  • Portable lighting, flashlights, batteries, and a magnifying glass
  • Latex gloves
  • Small first aid kit
  • PC reference guide
  • Digital camera to capture live data on screens and the state of the scene. Include a ruler!
  • Extension cords, surge protectors, multistrip receptacles, and uninterrupted power supplies (UPSs)
  • Hub or switch and network cables for setting up a small network in the field. You may want to create a small gigabit network if you have a team and are acquiring several systems in the field. You could send all your images to one large storage device, keeping all your images in one place and sharing other resources as needed.
  • Network cross-over cables and spare network interface cards (NICs) for network cable acquisition or field intelligence module (FIM) acquisition.
  • Spare internal floppy drive — if direct DOS acquisition must be made from a suspect computer, it may or may not have a working floppy drive from which to boot.
  • EnCase network bootable floppies and CDs loaded with version of EnCase to match versions on portable acquisition computer(s). Have images of the same and extra blank floppies and CDs to make more in the field as needed.
  • Storage hard drives on which to place images, wiped and formatted
  • Guidance Software’s FastBloc hardware write-blocking device. Include an IDE-SATA bridge for attaching SATA drives to FastBloc as well as a 2.5 notebook hard drive adapter.
  • Portable field imaging computer (laptop, custom briefcase model, small form factor unit, etc.). Include all adapter cards, cables, power supplies, peripherals, system disks, spare keyboard and mouse, and so forth needed for your unit. Have all necessary software loaded and an updated OS with patches, updated antivirus protection, and synch time with the time standard before going in the field. Don’t rely on one field imaging computer. Carry a backup unit!
  • EnCase manuals on disk; keep a current set of manuals downloaded and loaded on your field units.
  • Cables, cables, and more cables! Pack power supply cables, IDE 80 wire cables, SCSI cables, SATA cables, Molex power cables, floppy disk cable, and so forth. A good set of USB and FireWire cables with the “multiple personality” plugs for either end is a good thing to pack.
  • Adapters: IDE to SATA, USB to SATA, SCSI 50-pin to 68-pin, SCSI 68-pin to 80-pin, Toshiba Portege 1.8 drive to 3.5-inch IDE (Apple iPods)…
  • Tags, labels, bags, antistatic bags, evidence tape, and indelible ink markers.
  • Field logbook or notebook, pens, and pencils.
  • Anything special required for the upcoming job.
  • Pack your dongles!

Data Recovery

ProDiscover’s ZeroView will show you if whole disk encryption is active on a drive and if so, you would not want to shut down the OS, but instead, image it while it is still running with a program like ProDiscover. This new process for first responders (of checking for whole disk encryption) will become standard soon and our current idea of shutting down the PC and imaging back at the lab will have to be examined.

Paraben’s NetAnalysis for AOL history files, cache viewing, Internet history files, identify Google searches, cookie and URL decoder. NetAnalysis lets you rebuild a page automatically if you’re exporting from the Internet Explorer cache. Go to the Docs and settings folder, look through the profiles, and to 3 separate folders export: Cookies, Temporary Internet Files, History. Then open up NA and and select from the File menu: Open All History from Folder. If you find something of interest, and there is a corresponding cache folder, double click it and it will rebuild the page.

e-fense’s Helix no need for write block device with this Live Linux CD

R-Studio Data Recovery data recovery and undelete

GetDataBack Drivelook recovery

Active@ File Recovery data recovery and undelete

Active@ UNDELETE data recovery and undelete

EasyRecovery Professional data recovery and undelete

Handy Recovery data recovery and undelete

R-Linux Data Recovery data recovery and undelete

FCCU GNU/Linux Forensic Boot CD 11.0

MacOS X Forensics Sumuri Macintosh (and iOS devices, such as iPhone and iPad) Forensics Brian Carrier, author of “File System Forensic Analysis” Utilities Undelete: Recovers deleted files from disks (shareware) Unstoppable Copier: Recovers data from scratched or damaged disks (freeware) Boot Builder: Allows you to create, modify, import/export boot sectors (freeware) Disk Image: Creates and restores images of disks to files (freeware) Disk Wipe: Securely wipes (erases) data from disks (freeware) Raw Copy Performs sector by sector disk transfer with data recovery (freeware) Sector Editor: Displays, edits, exports and prints disks at a sector level (freeware)

Pinpoint FileMatch FileMatch is a utility that scans for duplicates of a specified file in ultra-rapid fashion. In a recent test, FileMatch was able to locate two copies of a specified file in 58Gb of allocated space in just 28 seconds! For litigation support professionals and legal teams alike, this means that matching a file from one production set to its corresponding file in another is only moments away! Beyond litigation, this little tool is a must-download for Law Enforcement as well as any investigator needing to do a “Search and Destroy” for specific files.

Pinpoint Hash Forensic examiners often need to quickly obtain the hash values for potential evidence files for reports or to verify their results. This tool integrates into the “Send To” functionality of the Windows Explorer shell. Just right-click on a file and send to Hash, the program does the rest. Say goodbye to the days of having to open a hashing program, then browse out to a file from the dialog box.

Pinpoint Metaviewer Metadata stored in Microsoft Office documents is crucial, need-to-know information for both forensic investigators and for litigation support professionals. Getting access to this data for a single, unprocessed file, however, can be quite cumbersome. We’ve had to import files into a large program or launch an Office document to see the metadata, and we thought there should be a better way. So we made Metaviewer. Metaviewer is a utility that integrates into the Windows Explorer “Send To” menu to provide ready access to Office metadata and hash values instantly. It’s free, so download and enjoy.

Pinpoint Safecopy Safecopy is a much-anticipated graphic user interface (GUI) that sits atop Microsoft’s popular Robocopy utility. Safecopy is easy to use for everyone. Whether you need to keep a file’s timestamps intact during copy, you need full-scale backups, or you need to remove the security settings from files as they’re copied so that they can be moved into a production environment, Safecopy is your solution.

Forensic Analysis of an XP MS-DOS Startup Disk

Boot records, FATs and directories

detailed analysis of Boot records, FATs and directories

Disk Repair for Fun and Profit

freewarefind utilities

Forensic Analysis on a System by Richard Hayler (page 27)

Criminal Investigations in an Automated Environment by Cmdr. Dave Pettinari

911cd Utilities to collect to create an emergency recovery CD


Tortuga Software Downloads undelete, data carving utilities Date/time decoder Interpreting volume serial numbers (At format, date and time are used to generate the volume serial number. Can the volume serial number be used to learn when format occurred?)

dzzie amateur FAT12 file system analysis

dzzie free custom FAT12 parsing and analysis tool Disk Investigator, close to a freeware DiskEdit. There’s “Tools”, “Search Disk” (to search for text or hexadecimal strings). But you have AccessData Forensic Toolkit, which is more efficient. Suppose you wanted to create a text file out of sector 225. Pick the sector number (lower left corner). Use the “View cluster” button. BUG: This not sector 225. This is sector 224. Use the right arrow button to reach the correct sector. Use “Add this cluster” to read the cluster into memory. Since this is the only cluster you’re interested in, use “Save to disk”. You are prompted for a destination and file name. I don’t know how to carve a text file with AccessData Forensic Toolkit. A text file has no header, so Scalpel and Forensic Toolkit doesn’t carve it out. BCWIPE: Secure delete, erase swapfile, erase deleted file space BestCrypt

Email Digital Forensics tools

Evidence Analyzer: Email Edition is designed to independently read and interpret the data contained in the most commonly used email formats used today on both the desktop as well as the server.

E-mail Examiner

Liability Insurance liability insurance. E&O insurance for $915 a year

InsuranceTek Inc liability insurance Vicki Boser InsuranceTek Inc Office: 425-357-1555 * Fax: 425-357-1551 13300 Bothell-Everett Hwy #6129 Mill Creek WA 98012

Building a compromise assessment toolkit

What sources and artifact types will you be working with?

  • Active DNS
  • Passive DNS
  • Endpoint/Server Memory
  • Endpoint/Server Paging File
  • Endpoint Hiberfil.SYS
  • Endpoint/Server Disk/Filesystem
  • Packet Capture
  • IP-Flow Records
  • Rastrea2r Collecting & Hunting for Indicators of Compromise (IOC)
  • Google Rapid Response an incident response framework focused on remote live forensics
  • Raqet remote acquisition and triage

page_brute page file acquisition

DumpIt & Hibr2Bin hibernation file acquisition

Kafka event logs to a LaaS (Logging-as-a Service)

Kinesis Streams event logs to a LaaS (Logging-as-a Service)


nightHawkResponse ingest a Mandiant Redline “collections” file and give flexibility in search/stack and tagging.


4 Responses to Digital Forensics Links

  1. […] Don’t forget that you may wish to search unallocated disk space for deleted web cache information. See Digital Forensics Links. […]