Archive for the ‘Computer Forensic Tools’ Category

List of Computer Forensics Tools

May 2nd, 2011

Computer Forensics Tools

What is computer forensics?

Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information. The tools listed below help carry out this work quickly and accurately.

A) List of tools for computer forensics

1. SANS Investigative Forensics Toolkit – SIFT (GPL V2.0)
Multi-purpose forensic operating system
computer-forensics.sans.org

2. EnCase (Windows, commercial, V6.18)
Multi-purpose forensic tool
www.guidancesoftware.com

3. FTK (Windows, commercial, V3.2)
Multi-purpose tool, commonly used to index acquired media.
accessdata.com/products/forensic-investigation/ftk

4. PTK Forensics (LAMP, free/commercial, V2.0)
GUI for The Sleuth Kit
sourceforge.net/projects/ptk-forensics/

5. The Coroner’s Toolkit (Unix-like, IBM Public License, V1.19)
A suite of programs for Unix analysis
www.porcupine.org/forensics/tct.html

6. COFEE (Windows, Proprietary)
A suite of tools for Windows developed by Microsoft, only available to law enforcement
cofee.nw3c.org

7. The Sleuth Kit (Unix-like/Windows, IPL, CPL, GPL, V3.1.1)
A library of tools for both Unix and Windows
www.sleuthkit.org

8. Categoriser 4 Pictures (Windows, Free, V4.0.2)
Image categorisation tool, available to law enforcement

9. Paraben P2 Commander (Windows, Commercial)
General purpose forensic tool

10. Open Computer Forensics Architecture (Linux, LGPL/GPL, 2.3.0)
Computer forensics framework for CF-Lab environment

11. SafeBack (commercial, V3.0)
Digital media (evidence) acquisition and backup

12. Forensic Assistant (Windows, commercial, V1.2)
User activity analyzer (E-mail, IM, Docs, Browsers), plus a set of forensics tools

B) Tools for Mobile device forensics

Mobile forensics tools tend to consist of both a hardware and software component.

1. Cellebrite Mobile Forensics (Windows, Commercial)
Universal Forensics Extraction Device – Hardware and Software

2. Radio Tactics Aceso (Windows, Commercial)
“All-in-one” unit with a touch screen

3. Paraben Device Seizure (Windows, Commercial)
Hardware/Software package

4. MicroSystemation .XRY/.XACT (Windows, Commercial)
Hardware/Software package, specialises in deleted data

5. Oxygen Phone Manager (Commercial)

C) Other computer forensics tools

1. HashKeeper (Windows, free)
Database application for storing file hash signatures

2. Evidence Eliminator (Windows, commercial, V6.03)
Anti-forensics software, claims to delete files securely

3. DECAF (Windows, free)
Tool which automatically executes a set of user-defined actions on detecting Microsoft’s COFEE tool

Computer Forensic Tool: F-Response

March 16th, 2011

F-Response is an easy-to-use, vendor-neutral, patent-pending software utility that enables an investigator to conduct live forensics, data recovery, and eDiscovery over an IP network using their tool(s) of choice.

F-Response Main Features:

  • F-Response is a single executable (“exe”) that requires no drivers or installation components;
  • F-Response does not require a reboot, therefore mission critical servers can be reviewed with F-Response without an adverse impact on operations;
  • F-Response works with all RAID disks, physical drives, logical volumes, and physical memory (32 & 64 bit);
  • F-Response works with all computer forensics, eDiscovery and data recovery software packages; simply put, if your package reads from a hard drive, it will work with F-Response;
  • All F-Response software includes unlimited installations for a period of one (1) year from the date of purchase; the software will cease to function at the end of the license duration unless renewed;
  • F-Response Enterprise Edition includes a license for F-Response Consultant and Field Kit Edition;

F-Response Enterprise Edition Mission Guides:

  • [NEW] Using the F-Response Accelerator (CE and EE Only)
  • [NEW] Leverage manual connections along with F-Response Consultant or Enterprise for a large scale collection
  • [NEW] Connect to Android (ARM) target(s) disk using F-Response Enterprise Edition
  • [NEW] Deploy F-Response Target code without the use of the F-Response Enterprise Management Console
  • Connect to a remote Linux target(s) disk using F-Response Enterprise Edition
  • Connect to a remote Apple target(s) disk using F-Response Enterprise Edition
  • Connect to a remote Windows target(s) disk using F-Response Enterprise Edition
  • Connect to the F-Response Boot CDROM using F-Response Enterprise Edition
  • Programming the F-Response Enterprise COM Object

F-Response Mission Guides were designed to simplify the process of using F-Response software in new and unfamiliar scenarios. Mission Guides offer a possible solution to your task, working with you each step of the way through instruction that is direct and to the point. Much smaller than a manual, Mission Guides give you the exact information you need to get connected and underway as fast as possible.

Computer Forensic Tool: EnCase Forensic

March 14th, 2011

EnCase Forensic is for forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process. EnCase Forensic lets examiners acquire data from a wide variety of devices, unearth potential evidence with disk-level forensic analysis, and craft comprehensive reports on their findings, all while maintaining the integrity of their evidence.

How EnCase® Forensic Works:

1) Obtain Forensically Sound Acquisitions
EnCase® Forensic produces an exact binary duplicate of the original drive or media, then verifies it by generating MD5 hash values for related image files and assigning CRC values to the data. These checks and balances reveal when evidence has been tampered with or altered, helping to keep all digital evidence forensically sound for use in court proceedings.
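The acquisition step above rests on two kinds of integrity data: a hash over the whole image, which tells you whether a copy is still bit-for-bit identical to what was acquired, and per-block checksums, which tell you where a copy differs. The following Python is an added illustration of that idea and is not EnCase code; it does not reproduce EnCase's image format or its real chunking. The block size, the record layout and the sample "drive" are all assumptions of the example, and SHA-256 is computed alongside MD5 because MD5 alone is no longer considered collision-resistant.

```python
import hashlib
import zlib
from dataclasses import dataclass, field

# Block size for the per-block checksums. Assumed value for this example only;
# it does not reproduce EnCase's own chunking or the E01 container format.
BLOCK_SIZE = 4096


@dataclass
class AcquisitionRecord:
    """Integrity data written down at acquisition time and kept with the image."""
    size: int
    md5: str
    sha256: str
    block_crcs: list = field(default_factory=list)


def acquire(image: bytes, block_size: int = BLOCK_SIZE) -> AcquisitionRecord:
    """Walk the image once, hashing the whole stream and CRC-ing every block."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    crcs = []
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        md5.update(block)
        sha256.update(block)
        crcs.append(zlib.crc32(block) & 0xFFFFFFFF)
    return AcquisitionRecord(len(image), md5.hexdigest(), sha256.hexdigest(), crcs)


def verify(image: bytes, record: AcquisitionRecord, block_size: int = BLOCK_SIZE) -> dict:
    """Re-hash a copy and report whether it still matches the acquisition record.

    The whole-image hashes say whether the copy is intact; the per-block CRCs
    say where it differs, so a modified or truncated copy can be localised.
    """
    current = acquire(image, block_size)
    n = max(len(record.block_crcs), len(current.block_crcs))
    bad_blocks = [
        i for i in range(n)
        if i >= len(record.block_crcs)
        or i >= len(current.block_crcs)
        or record.block_crcs[i] != current.block_crcs[i]
    ]
    return {
        "size_ok": current.size == record.size,
        "md5_ok": current.md5 == record.md5,
        "sha256_ok": current.sha256 == record.sha256,
        "bad_blocks": bad_blocks,
    }


def make_sample_image(n_blocks: int = 8, block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed stand-in for a small drive: each block is filled with a
    distinct byte value, and a boot-sector style 0x55AA signature closes sector 0."""
    image = bytearray()
    for i in range(n_blocks):
        image += bytes([0x10 + i]) * block_size
    image[510:512] = b"\x55\xaa"
    return bytes(image)


if __name__ == "__main__":
    original = make_sample_image()
    record = acquire(original)
    print("acquired", record.size, "bytes, md5", record.md5)

    # An exact duplicate verifies cleanly: all hashes match, no bad blocks.
    print("clean copy:", verify(bytes(original), record))

    # One flipped byte in block 3 breaks both hashes and pinpoints that block.
    tampered = bytearray(original)
    tampered[3 * BLOCK_SIZE + 17] ^= 0xFF
    print("tampered copy:", verify(bytes(tampered), record))

    # A copy cut short fails the size check and the trailing blocks.
    print("truncated copy:", verify(original[:6 * BLOCK_SIZE + 100], record))
```

The record produced by `acquire` is what an examiner would store alongside the image (and in the case notes) at acquisition time; every later `verify` against it is the check that the evidence has not changed between acquisition and presentation.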

2) Save Valuable Time with Advanced Productivity Features
Examiners can preview data while drives or other media are being acquired. Once the image files are created, examiners can search and analyze multiple drives or other media simultaneously. EnCase Forensic also features a case indexer. This powerful tool builds a complete index in multiple languages, allowing for fast and easy queries. Indices can also be chained together to find keywords common to other investigations. This Unicode-supported index contains personal documents, deleted files, file system artifacts, file slack, swap files, unallocated space, emails and web pages. In addition, EnCase has extensive file system support, giving organizations the ability to analyze all types of data.

3) Customize EnCase® Forensic with EnScript® Programming
EnCase Forensic features EnScript® programming capabilities. EnScript, an object-oriented programming language similar to Java or C++, allows users to create custom programs that help them automate time-consuming investigative tasks, such as searching and analyzing specific document types or other labor-intensive processes and procedures. This power can be harnessed by any level of investigator by using one of EnCase Forensic’s tools, such as the “Case Developer” or one of the numerous built-in filters and conditions.

4) Provide Actionable Data, Report on it, and Move on to the Next Case
Once investigators have bookmarked relevant data, they can create a report suitable for presentation in court, to management or to another legal authority. Data can also be exported in multiple file formats for review.

EnCase Forensic is trusted by corporations, law enforcement, and government. EnCase Forensic is fast, powerful, forensically sound, and proven in courts worldwide.

EnCase Forensic Related Links:

Website: http://www.guidancesoftware.com/forensic.htm
Resource: EnCase® Forensic for Law Enforcement (PDF)

Computer Forensic Tool: Encase Forensic

December 1st, 2008

EnCase Forensic is the industry standard in computer forensic investigation technology. With an intuitive GUI, superior analytics, enhanced email/Internet support and a powerful scripting engine, EnCase provides investigators with a single tool capable of conducting large-scale and complex investigations from beginning to end. Law enforcement officers, government/corporate investigators and consultants around the world benefit from the power of EnCase Forensic in a way that far exceeds any other forensic solution.

-Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide.

-Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.

-Save days, if not weeks, of analysis time by automating complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.

-Find information despite efforts to hide, cloak or delete.

-Easily manage large volumes of computer evidence, viewing all relevant files, including “deleted” files, file slack and unallocated space.

-Transfer evidence files directly to law enforcement or legal representatives as necessary.

-Review options allow non-investigators, such as attorneys, to review evidence with ease.

-Reporting options enable quick report preparation.

Computer Forensic Tool: MacLockpick

November 26th, 2008

MacLockPick™ is a valuable tool for law enforcement professionals to perform live forensics on Mac OS X systems. The solution is based on a USB flash drive that can be inserted into a suspect’s Mac OS X computer that is running (or sleeping). Once the software is run it will extract data from the Apple Keychain and system settings in order to give the examiner fast access to the suspect’s critical information with as little interaction or trace as possible. It is also the only professional tool that can extract extensive encrypted information from a computer that is shut down.