Computer Forensic Software Tools Downloads

Listed below are software tools that have been found to be useful in forensic examination of recovered evidence. This list is a living list and should have new tools added as they become available and supersede older tools, which should be removed.
Forensic software tools for Windows
Image and Document Readers
Data Recovery/Investigation
Password Cracking
Network Investigation
Phone Investigation
PDA Investigation
Forensic LAB Tools
Forensic software tools for Windows

Software | Description | Licence | Homepage
dd for Windows | dd, but for Windows. | GPL | Download Page
Encase 4 | EnCase 4 is a complete forensic toolkit that covers much of the work that the I&TM Forensic Analysts carry out. EnCase is the primary I&TM forensic tool. | Commercial | Download Page
FTK | The AccessData Forensic Toolkit (FTK) is another complete forensic toolkit. FTK is recognized as one of the leading forensic tools for e-mail analysis. | Commercial | Download Page
MD5 | Toast MD5 hashing algorithm. | GPL | Download Page
ISOBuster | IsoBuster is a CD/DVD and (disk) image file data recovery tool that can read and extract files, tracks and sessions from CD-i, VCD, SVCD, CD-ROM, CD-ROM XA, DVD, DVCD and others. It also supports the following image file formats: *.DAO (Duplicator), *.TAO (Duplicator), *.ISO (Nero, BlindRead, Creator), *.BIN (CDRWin), *.IMG (CloneCD), *.CIF (Creator), *.FCD (Uncompressed), *.NRG (Nero), *.GCD (Prassi), *.P01 (Toast), *.C2D (WinOnCD), *.CUE (CDRWin), *.CIF (DiscJuggler), *.CD (CD-i OptImage) and *.GI (Prassi PrimoDVD). The program uses several retry mechanisms to help you get the data, even if Windows is not able to do so. Additional features include Mpg (*.dat) extraction, support for file system properties, CD-Text support and much more. The vast majority of the features are free; however, some advanced features such as UDF support are only available in the registered version. You can choose which version to use at install time. | Shareware | Download Page
MD5 & Hashing Utilities | MD5 hashing algorithm. | Shareware | Download Page
P2 Power Pack | This product currently contains the following items from Paraben Forensics: Case Agent Companion v1.0; Decryption Collection Enterprise v2.5; E-mail Examiner v4.01; Forensic Replicator v3.1; Forensic Sorter v1.0; Network E-mail Examiner v1.9; PDA Seizure v3.0.1.35; Text Searcher v1.0; Chat Examiner v1.0. | Commercial | Download Page
Paraben Case Agent Companion | Paraben's Case Agent Companion is designed to optimize both the time of the examiner and of the agent working the case. Built-in viewers for over 225 file formats, and compatible with Paraben's P2. | Commercial | Download Page
Paraben Email Examiner | Paraben's E-mail Examiner is one of the most comprehensive e-mail examination tools available. E-mail Examiner claims to recover more active and deleted mail messages than the leading competitor. | Commercial | Download Page
Paraben Network Email Examiner | Network E-mail Examiner allows the user to thoroughly examine a variety of network e-mail archives. Network E-mail Examiner is designed to work hand-in-hand with E-mail Examiner, and all output is compatible and can easily be loaded for more complex tasks. | Commercial | Download Page
Paraben Forensic Replicator | Replicates exact copies of drives and media. Paraben's Forensic Replicator can acquire a wide range of electronic media, from a floppy to a hard disk. Forensic Replicator images can be compressed and segmented and easily read into the most popular forensic analysis programs. | Commercial | Download Page
Paraben Forensic Sorter | Manage your data effectively and efficiently. Forensic Sorter classifies data into over 14 different categories, recovers deleted files, and filters out common hashes (FOCH), making examinations easier to manage, faster to process, and easier to find what you're looking for. | Commercial | Download Page
Paraben NetAnalysis | Interrogates internet cache and history with powerful searching, filtering and evidence identification. | Commercial | Download Page
Paraben Text Searcher | Paraben's Text Searcher is a fast, comprehensive, and feature-rich text searching tool. | Commercial | Download Page
SafeBack | SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition. | Commercial | Download Page
SHA verify | SHA verify is a hashing program which will calculate the MD5 (128 bit), SHA1 (160 bit), SHA2 (256 bit), SHA2 (384 bit), and SHA2 (512 bit) hashes of files. A 2004 enhancement is that if you have a number of dd (flat) images, it can hash the entire set of files and provide a single hash as if it were a single file. This is useful for confirming the hash of a physical drive against the set of dd files. | Freeware | Download Page
UTK | The Ultimate Toolkit is the complete AccessData software kit. It contains FTK, DNA and PRTK. | Commercial | Download Page
WinHex | WinHex is a universal hexadecimal editor. WinHex is often used in forensic examinations. | Freeware | Download Page
Image and Document Readers

Software | Description | Software Licence | Link
ACDSee | Fast photo viewer and manager. Easily find, view, manage, print, edit and share images. | Commercial | Download Page
Adobe Reader | PDF reader. | Freeware/Commercial | Download Page
DecExt | Recovers base64-encoded pictures. | Freeware/Commercial | Download Page
DivX Player | The DivX codec lets you play back any DivX video (including DivX VOD movies). | Shareware/Commercial | Download Page
IrfanView | IrfanView is a very fast, small, compact and innovative freeware (for non-commercial use) graphic viewer for Windows 9x/ME/NT/2000/XP/2003. | Freeware | Download Page
MS Office | Office package from Microsoft. Microsoft also produces viewers for those who do not have Windows installed; these are useful to put on the CDs and DVDs that accompany cases. | Commercial | Download Page
Quick Time | The free QuickTime Player is an easy-to-use application for playing, interacting with or viewing video, audio, VR or graphics files. | Shareware/Commercial | Download Page
Real Player | Play back every major media format in one player, including DVDs. | Shareware/Commercial | Download Page
Data Recovery/Investigation

Software | Description | Software Licence | Link
Active Partition Recovery | A very small, easy-to-use DOS program (only 150k in size) with which you can: recover deleted partitions (FAT and NTFS); restore deleted FAT and NTFS logical drives; create a drive image for backup purposes; scan hard drives and detect deleted FAT and NTFS partitions and/or logical drives; preview files and folders on a deleted partition or drive, to recover the proper data; back up the MBR (Master Boot Record), partition table and boot sectors; and restore the MBR, partition table and boot sectors from backup if damaged. | Commercial | Download Page
Advanced Email Extractor | Designed to extract e-mail addresses from web pages on the Internet (using the http and https protocols) and from HTML and text files on local disks. | Commercial | Download Page
Advanced Mailbox Processor | The program is intended for extracting owners' names and e-mail addresses from local files and making a list of e-mails. | Commercial | Download Page
Afind | Afind lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer will. Afind allows you to search for access times within certain time frames; coordinating this with the logon information provided by NTLast, you can begin to determine user activity even if file logging has not been enabled. | Commercial | Download Page
AutoStart Viewer | When you start Windows, dozens of programs are already running, many of them invisible and running in the background. This software identifies what is running and why it is running, and helps determine whether any are Trojans. AutoStart Viewer allows you to see every AutoStart on your system, all on one screen. In addition, it gives you complete control over the AutoStart references, and allows you to modify or delete them at will. | Freeware | Download Page
CacheView | Cache View is a viewer for the Netscape Navigator, Mozilla and Internet Explorer caches. You can open the cached files for viewing, and copy or move them out of the cache. It will even reconstruct the names and directory paths of the files for you. Cache View extracts the following information about cached files: URL, size (in bytes), MIME type, last modified date, date the file was downloaded, and the expiry date. | Shareware | Download Page
Captain Nemo | This product allows a drive containing a Unix/Linux (Ext2 only), NT or Novell operating system to be connected directly to a Windows machine, and its files to be accessed, viewed, printed and copied as if they were on another Windows drive on the computer. The shareware version of Captain Nemo allows you to mount and see all the files on your Novell, NT and Linux drives. If you want to copy the files to a Windows drive you need to register the software. | Commercial | Download Page
CD Roller | Effectively retrieves the data off discs created by "drag and drop" CD/DVD writing software, such as the well-known Roxio (Adaptec) and Ahead Nero packages, CeQuadrat's PacketCD, Instant Write, B's CliP and others. | Commercial | Download Page
CD/DVD Inspector | Professional software for intensive analysis and extraction of data from CD-R, CD-RW and DVD media. Tailored for professionals in data recovery, forensics, and law enforcement. | Commercial | Download Page
CookieView – Cookie Decoder | This software was originally written as an external viewer for EnCase or iLook. Either drag and drop a cookie onto the main window or set it as an external viewer. The software will decode the internal cookie data such as the dates and times, and it will split the data into separate cookie records. | Freeware | Download Page
DbExtract | Extracts mail messages from Outlook Express 5 DBX files. It requires the VB6 runtime DLL, msvbvm60.dll. | Shareware | Download Page
DecExt | Recovers base64-encoded pictures. | Freeware | Download Page
Decode – Forensic Date/Time Decoder | This utility was designed to decode the various date/time values found embedded within binary and other file types. | Freeware | Download Page
Digital Image Recovery | Whether you deleted images, videos or audio files from your media, formatted the media, or pulled out the media during a write process, the program reconstructs the corresponding data automatically. | Freeware | Download Page
Directory Snoop | Directory Snoop is a cluster-level search tool that allows Windows users to snoop through their FAT and NTFS formatted disk drives to see what data may be hiding in the cracks. Use Directory Snoop to recover deleted files you thought you would never see again, or to permanently erase sensitive files so that no one will know they ever existed. Supported media include local hard drives, floppy disks, Zip disks, MO disks, and flashcard devices. | Commercial | Download Page
DIRV | A filter for the DIR /S command. Dirv is a program for those who still use DIR /S to obtain a recursive directory list of all the files on a system. DIR /S produces output that is difficult to import into a database for additional processing. Dirv takes output generated on either Windows NT or Win9x file systems and converts it to records which are one line in length and contain the path and filename merged. | Freeware | Download Page
DiskCat |
Catalogues all files on
disks. DiskCat is short for “disk cataloguer”. It
creates a listing (catalogue) of all files and/or
directories on a hard or floppy disk. With its many
options, the operation can be customized to your needs.
It is especially useful for forensic purposes and for
file maintenance. Output is a fixed length record and
database compatible (for further analysis/sorting.) |
Freeware |
Download Page
|
|
DriveLook |
DriveLook is a powerful
forensic drive investigation and search tool. DriveLook
scans a drive or a partition of a drive for text strings
and stores these in a table. After completion of the
scan you can browse this table and view the locations
where the words had been found. The search function
allows you to do fast inquiries for combinations of
words. The program enables you to index a hard drive for
all text that ever was written to it, browse a list of
all words stored on the drive, search for words or
combinations of words, view the location of words in a
disk editor, switch between several views, such as hex
and text view, use physical drives or logical drives as
an input, use image files as an input, access remote
drives over serial cable or TCP/IP. |
Shaireware |
Download Page
|
|
Exifer |
Exifer is a shareware for
recovering and displaying the metadata (EXIF/IPTC) of
pictures taken by digital cameras. |
Freeware |
Download Page
|
|
FavURLView – Favourite Viewer |
This utility will decode
Internet Shortcut (*.URL) files to allow you to compare
the Shortcut Description with the actual link. It will
also decode the Modified time and date. |
Freeware |
Download Page
|
|
FDTE
– File Date time Extractor |
This software hunts
through binary files ‘sniffing out’ hidden, embedded 64
bit date & times.
This type of stored date
is very popular in many Microsoft applications (e.g.
Word and Excel). |
Freeware |
Download Page
|
|
Final Email |
For message recovery in
Outlook Express, Eudora, and Netscape Mail; scans the
email database file and locates lost emails that do not
have data location information associated with them |
Commercial |
Download Page
|
|
Galleta |
Many computer crime
investigations require the reconstruction of a subject’s
Internet Explorer Cookie files. Galleta will parse the
information in a Cookie file and output the results in a
field delimited manner so that it may be imported into
your favourite spreadsheet program. Galleta is built to
work on multiple platforms and will execute on Windows,
Mac OS X, Linux, and *BSD platforms. |
Commercial |
Download Page
|
|
Gargoyle Forensic Pro |
Gargoyle quickly and
easily determines whether malware is present on a system
under investigation.
The Forensic Pro Edition
is designed for forensic investigators, examiners, law
enforcement personnel, private investigators, and
forensic lab use.
The Forensic Pro version
includes all the malware datasets, travelling license,
dataset creator, dataset converter, a single-user
license of Mount Image Pro™ allowing forensic image
investigations and other tools including a USB thumb
drive for covert investigations and a 1-year
subscription to the Digital Evidence Time Stamping
service |
Commercial |
Download Page
|
|
Handle |
Handle is a utility that
displays information about open handles for any process
in the system. You can use it to see the programs that
have a file open, or to see the object types and names
of all the handles of a program. |
Freeware |
Download Page
|
History Inspector for Internet Explorer | History Reader reads all information in the complete history database and presents you with a list, in either chronological or alphabetical order. | Shareware | Download Page
HPA | HPA is a 16-bit program designed to work only on IDE drives. When run, HPA will identify the drive's manufacturer, serial number and total number of sectors on the drive, and, if the drive is Host Protected Area (HPA) capable, it will identify the number of sectors set aside in the HPA. HPA is very useful on a forensic boot disk because it can capture key information about any IDE drives in the system. The resulting information can be sent to an output log file for future reference. | Freeware | Download Page
HTTrack Website Copier | It allows you to download a World Wide Web site from the Internet to a local directory, recursively building all directories and getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. | GPL | Download Page
Inquire | A Windows-based application that issues a SCSI Inquiry command and lists any hard disk drives found along with model number, product revision level and serial number (ESN). | Freeware | Download Page
Jpegdump.zip | Dumps Smart Media or Compact Flash to an image file; scans the file and recovers erased JPEG files. | Freeware | Download Page
KaZAlyzer | KaZAlyser is the successor to the popular P2Pview KaZaA/Morpheus database viewer. KaZAlyser provides significant enhancements to the investigation process and provides the following functions: list all database entries in tabular form, display the file integrity tag, allow the investigator to tag and comment each record, identify files that appear (from title, keywords etc.) to be child pornography, identify files that have a known child pornography hash value, identify all graphics/movie files, sort by individual columns, export the content of a database to a CSV file, and produce reports based on the above. KaZAlyser can open one or more database files from any FastTrack-based installation, such as KaZaA, iMesh and Grokster, and display the contents in tabular form. Once loaded into KaZAlyser, filters can be applied to the database entries to limit the display to particular records such as 'all graphics files' or 'identify known child pornography'. | Commercial | Download Page
LADS (List Alternate Data Streams) | This program lists all alternate data streams of an NTFS directory. It also shows the ADS of encrypted files, even when these files were encrypted with another copy of Windows 2000. The /S switch walks through subdirectories recursively and the /A switch shows the total of all bytes. | Freeware | Download Page
ListDLLs | ListDLLs is able to show you the full path names of loaded modules, not just their base names. In addition, ListDLLs will flag loaded DLLs that have different version numbers than their corresponding on-disk files (which occurs when the file is updated after a program loads the DLL), and can tell you which DLLs were relocated because they were not loaded at their base address. | Freeware | Download Page
Mailbag Assistant | An effective investigation tool for law enforcement. Mailbag Assistant supports Outlook Express, Eudora, Netscape, Mozilla, Pegasus, The Bat!, Forte Agent, Calypso, PocoMail, FoxMail, Juno 3.x, Unix mail (Pine, Elm, mbox, etc.), and EML message files. | Commercial | Download Page
MBXtract | Extracts mail messages from Outlook Express 4 DBX files. | Freeware | Download Page
Metadata Assistant | The Metadata Assistant will analyze Word/Excel/PowerPoint 97, 2000, 2002 (XP) and 2003 documents to determine what metadata (hidden information) a client might see, display its findings, and then offer the ability to clean the document by selecting from a variety of options. | Commercial | Download Page
Mod Com | Mod Com is a program that will alter the operating system files on a floppy boot disk so that when booted it will not alter anything on the C: drive. This is what is done manually in the basic forensic classes when you alter boot disks to keep from accessing the C: drive. This program creates a forensically sound boot disk. | Freeware | Download Page
NTLast | Security audit tool for Windows NT. NTLast is specifically targeted at serious security and IIS administration. Scheduled review of your NT event logs is critical for your network; a server breach can be uncovered by regular system auditing. Identifying and tracking who has gained access to your system, then documenting the details, is made easier with NTLast. This tool is able to quickly report on the status of IIS users, as well as filter web server logons from console logons. | Freeware | Download Page
OmniQuad Investigator | It can reconstruct the usage history of the analyzed workstation, presenting you with a log of past actions for inspection, clearly and concisely. (Windows 95/98/ME/NT/2000/XP) | Commercial | Download Page
Outlook Recovery | A data recovery program for corrupted Microsoft Outlook Personal Storage Files (.pst). | Commercial | Download Page
Pasco | An Internet Explorer activity forensic analysis tool. Many computer crime investigations require the reconstruction of a subject's internet activity. Pasco, the Latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field-delimited manner so that it may be imported into your favourite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows, Mac OS X, Linux, and *BSD. | Freeware | Download Page
PC Inspector™ File Recovery | A data recovery program that supports the FAT 12/16/32 and NTFS file systems. Some of the features in PC INSPECTOR™ File Recovery 3.x: finds partitions automatically, even if the boot sector or FAT has been erased or damaged (does not work with the NTFS file system); recovers files with the original time and date stamp; supports saving recovered files on network drives; recovers files even when a header entry is no longer available. | Commercial | Download Page
PC Inspector™ Smart Recovery | A data recovery program for Flash Card™, Smart Media™, SONY Memory Stick™, IBM™ Micro Drive, Multimedia Card, Secure Digital Card or any other data carrier for digital cameras. | Commercial | Download Page
Pictuate | Pictuate examines files one by one very quickly and sorts the image files so the user can determine whether or not the images are pornographic. The applications for this technology are wide ranging: any time you need to audit the contents of a computer drive to determine if the contents are in violation of policy or the law, Pictuate is the tool to use. | Commercial | Download Page
Process Explorer | Process Explorer shows you information about which handles and DLLs processes have opened or loaded. The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: in handle mode you'll see the handles that the process selected in the top window has opened; in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. | Freeware | Download Page
Protected Storage Explorer | Protected Storage Explorer is a powerful tool that allows you to view all sorts of saved data from the Protected Storage Service, including passwords for e-mail accounts in Microsoft Outlook, Microsoft Outlook Express and MSN Messenger, saved Internet Explorer form data (phone numbers, credit card numbers, web e-mail, search engine queries, etc.), user names and passwords on web pages, and cached logon credentials of sites that require authentication (including FTP sites). | Freeware | Download Page
R-Mail | A tool designed to recover accidentally deleted e-mail messages and to recover damaged *.dbx files, in which MS Outlook Express stores folders of e-mail messages. The new e-mail data recovery technology IntelligentRebuild allows R-Mail users to quickly reconstruct damaged *.dbx files created by Outlook Express and easily restore the lost messages. The messages are recovered in .eml format and can simply be imported into Outlook Express mail and news bases. | Commercial | Download Page
R-Undelete | A file undelete solution for FAT, NTFS, NTFS5, and Ext2FS file systems. R-Undelete can undelete files on any valid logical disk visible to the host OS. It cannot, however, undelete files on damaged or deleted volumes or after hard drive repartitioning. | Commercial | Download Page
Registry Information Extractor | This is a test release of a software utility that is in development and under testing. It is a Windows 95/98/ME system.dat registry information extractor. It will be updated to extract a lot more information from the registry, including NT, 2K and XP support. At present it will only extract system.dat information from Windows 95/98 and ME. It can extract the following information: Registered Owner, Registered Organization, Windows Version, Windows Version Number, Windows Installed Date and the Computer Name. RIE can also be used as a file viewer from within EnCase. | Freeware | Download Page
RegMon | Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing, all in real time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed; with Regmon you'll see how the values and keys changed. | Freeware | Download Page
Rifiuti | A Recycle Bin forensic analysis tool. Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field-delimited manner so that it may be imported into your favourite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows, Mac OS X, Linux, and *BSD. | Freeware | Download Page
ShoWin | Shows information about windows; reveals passwords etc. ShoWin displays useful information about windows by dragging a cursor over them. Perhaps one of the most popular uses of this program is to display hidden password edit-box fields (the text behind the asterisks *****). This will work in many programs, although Microsoft has changed the way things work in some of their applications, most notably MS Office products and Windows 2000; ShoWin will not work in these cases. Neither will it work for password entry boxes on web pages, at least with most web browsers. Additional features include the ability to enable windows that have been disabled, unhide hidden windows (try the program with the "include invisibles" option set and see how many windows you have on your desktop that you didn't know about!) and force windows to stay on top or be placed below others. | Freeware | Download Page
SnapView HTML Viewer | A quick and easy way to examine recovered HTML pages from unallocated space. This little viewer is built on the same technology as used by Internet Explorer and can load pages very quickly. You can also toggle between page and source view by pressing F9. It supports not only HTML but a number of other formats, and it can also use any Internet Explorer plug-ins already available within the operating system, giving it quite a large selection of supported file formats. The following is not the full list, but a flavour of the file formats possibly available: HTML, JPEG, GIF, ICO, Flash movie, Adobe Acrobat, Office documents such as Word, Excel and PowerPoint, Bitmap, PNG, ART etc. | Freeware | Download Page
Stealer | This utility will extract the machine name, username and the net username along with any dial-up user accounts and passwords. It will also identify any passwords and usernames for secure web sites and any password-protected shared folders on a network. Much of this information is stored within the *.PWL file. This has to be run on a restored drive if you are using it to identify information on a seized computer. One law enforcement agency used it to gain access to encrypted data, as the password for the encrypted material had been duplicated. It might save you weeks of waiting if you are contemplating a brute force attack. NOTE: Will only work on Win9x and ME systems. | Freeware | Download Page
StegDetect | StegDetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods used to embed hidden information in JPEG images. Currently, the detectable schemes are jsteg, jphide (Unix and Windows), invisible secrets, and outguess 01.3b. | Commercial | Download Page
StegHide | StegHide is a steganography program which embeds a secret message in a cover file by replacing some of the least significant bits of the cover file with bits of the secret message. After that, the secret message is imperceptible and can only be extracted with the correct passphrase. Features: support for JPEG, BMP, WAV and AU files; encryption of plain data before embedding (Blowfish encryption algorithm); pseudo-random distribution of hidden bits in the stego file; embedding of a CRC32 checksum of the plain data. | GPL | Download Page
Stego Suite 4.1 | The Stego Suite™ is the most advanced software bundle available for the investigation, detection, analysis, and recovery of digital steganography. Stego Suite 4.1 includes Stego Watch, an automated steganography investigation scanning software package with 9 steganography detection algorithms covering all common digital image file types and audio WAV files; Stego Analyst, a visual image analysis package for in-depth digital image and audio file analysis; and Stego Break, an automated steganography cracking tool. | Commercial | Download Page
Tex2Hex | This utility will convert ASCII characters to hexadecimal values. This is particularly useful when searching using software that can accept hex values as search criteria. | Freeware | Download Page
True Time | True Time is a program that will ask the user for the correct date and time, and obtain the system date and time from the system BIOS. This output can be redirected to a file for retention in forensic investigations. An excellent addition to a forensic boot disk. | Freeware | Download Page
WebDate | This utility was originally designed so I could establish how Microsoft Internet Explorer stored date and time values inside index.dat files. Type or paste the URL of a website or individual file into the main window and it will return the Last Modified date and time of that site, web page or individual file. | Freeware | Download Page
Password Cracking
| Software | Description | Software Licence | Link |
| Accent Access Password Recovery 2.01 | Software to recover forgotten or lost passwords for Microsoft Access documents | Shareware | Download Page |
| Accent Excel Password Recovery 2.10 | Software to recover forgotten or lost passwords to open Microsoft Excel documents | Shareware | Download Page |
| Accent Money Password Recovery 2.00 beta | Software to recover forgotten or lost passwords for Microsoft Money documents | Shareware | Download Page |
| Accent Office Password Recovery 2.11 | If you have lost or forgotten a password for opening a Microsoft Office document (Access, Excel, and Word) or a password for saving changes to a Microsoft Word document, you can use this software. It will help you! To search for a password more effectively, the software lets you choose one of three methods: a dictionary-based attack, a brute-force attack or a brute-force attack with a mask. | Shareware | Download Page |
| Accent Word Password Recovery 2.10 | Software to recover forgotten or lost passwords to open and passwords to modify Microsoft Word documents | Shareware | Download Page |
| AIM Password Decoder | This utility was designed to decrypt the login password for AOL Instant Messenger version 4. Please note, version 5 of AIM has a different encryption method so this software will not work on that version. | Freeware | Download Page |
| APDFPRP | PDF cracker | Shareware | Download Page |
| ASP | Zip cracker | Shareware | Download Page |
| CMOS Recovery Tools | CMOS password recovery tools. Works with the following BIOSes: ACER/IBM BIOS – AMI BIOS – AMI WinBIOS 2.5 – Award 4.5x/4.6x – Compaq (1992) – Compaq (New version) – IBM (PS/2, Activa, Thinkpad) – Packard Bell – Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107 – Phoenix 4 release 6 (User) – Gateway Solo – Phoenix 4.0 release 6 – Toshiba – Zenith AMI. | GPL | Download Page |
| DNA Manager | Distributed Network Password Cracker from Access Data. Harnesses the power of all PCs on a network to crack passwords | Commercial | Download Page |
| MS Access Database Cracker | This utility was designed to decrypt the master password stored in a Microsoft Access database. There are two utilities in the zip for decoding Access 95, 97, 2000 and XP. | Freeware | Download Page |
| NT SAMs | Linux boot disk that accesses the Windows partition and then resets account passwords by exploiting the SAM file | GPL | Download Page |
| Paraben Decryption Collection | Paraben's Decryption Collection is an advanced password recovery suite. Recover more passwords in a shorter amount of time. Everyone needs as many tools as possible in their toolbox. The demo version will recover the first two characters of your password. This Enterprise edition now has EFS support, 2003 Server support, and Lotus Notes support along with support for everything included in our Standard Edition. It also includes QuickBooks 2003 support and Peachtree 2004 support. | Commercial | Download Page |
| PRTK | Password Recovery Toolkit from Access Data | Commercial | Download Page |
| SagePass | Retrieves the password from Sage Sterling, Line 100 and Instant accounting. | Freeware | Download Page |
Network Investigation
| Software | Description | Software Licence | Link |
| Active Ports | Shows all open TCP/IP and UDP ports on Windows NT/2000/XP computers, and maps them to the owning application. | Freeware | Download Page |
| Creed (Cisco Router Evidence Extraction Disk) - Raw Image (Freeware) | This application will allow you to create/restore disk images, even non-PC format disks. This software was created by New Technologies Inc. Once you have downloaded the zip file, unzip it into its own directory. This is a DOS application, so no further installation is required. | Freeware | Download Page |
| Ethereal | Ethereal is a network packet analyzer. A network packet analyzer tries to capture network packets and display the packet data in as much detail as possible. Data can be captured “off the wire” from a live network connection, or read from a capture file. It runs on all popular computing platforms, including Unix, Linux, and Windows. Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms). | GPL | Download Page |
| Eventlog | The text output from NT event logs is not easily manipulated or evaluated and is difficult to import into databases. Eventlog will take the output of an NT security event log and reformat it to single pipe-delimited lines for importing into a database or spreadsheet. | Freeware | Download Page |
| FavURLView | This utility will decode Internet Shortcut (*.URL) files to allow you to compare the Shortcut Description with the actual link. It will also decode the Modified time and date. The software can be run as an External Viewer within Encase, iLook or any forensic application that supports external viewers. It has also been designed to accept data from Encase by sending data via the command line. | Freeware | Download Page |
| Open Ports | DiamondCS OpenPorts is a CLI (command line interface/console) tool that allows you to see all open TCP and UDP ports on your system, including the owner process. Using advanced port-to-process mapping technology developed for Port Explorer, OpenPorts is powerful, accurate, and reliable, and results can be displayed in five different styles, allowing for easy interpretation by both scripts and human eyes. | Commercial | Download Page |
| Port Explorer | Port Explorer allows you to see all the open ports on your system and what programs own them (called Port to Process mapping). Along with this ability it also has many tools including a packet sniffer, bandwidth throttling and country detection to name just a few. Port Explorer has an intuitive GUI that allows you to quickly see all the network activity your computer is involved in, and thanks to its ease of use is allowing people everywhere to do advanced network activities. | Commercial | Download Page |
| PuTTY | PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. | Freeware | Download Page |
| Spector CNE | You can record everything your employees do online, including instant messages, chats, emails sent and received, web sites visited, applications launched, files downloaded and keystrokes typed. | Commercial | Download Page |
| WinDump | Tool to dump traffic on a network. Tcpdump prints out the headers of packets on a network interface that match the Boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -b flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match the expression will be processed by Tcpdump. | Freeware | Download Page |
| Tcpflow | Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like Tcpdump shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, Tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. Tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly. | Freeware | Download Page |
| Tcptrace | Tool for analysis of TCP dump files. It can take as input the files produced by several popular packet-capture programs, including Tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. Tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis. | Freeware | Download Page |
| WinPcap 3.1 | This file is needed for some network investigation tools | Freeware | Download Page |
Phone Investigation
| Software | Notes | Software Licence | Link |
| Chip-it | Another program to strip out phone numbers from a variety of mobile phones – Freeware | Freeware | Download Page |
| Oxygen | A forensic analysis tool for analyzing mobile phones. The software does not change any data on the phone and does not write data to the phone. Oxygen requires a Windows OS. | Freeware | Download Page |
| Paraben Cell Seizure | Cell phone forensics is not to be compared with traditional bit stream forensics. Cell phone data storage is proprietary, based on the manufacturer, model, and system. Paraben's Cell Seizure was designed to allow forensic acquisition of user entered data and portions of unallocated storage on some devices. Each device is unique and should be dealt with carefully as each phone has unique considerations. Continual advances will be made to Paraben's Cell Seizure in reference to acquiring proprietary data. Paraben's Cell Seizure currently supports certain models of Nokia, Sony-Ericsson, Motorola, & Siemens. Paraben's Cell Seizure also supports GSM SIM cards with use of a SIM card reader (which can be found in Cell Seizure Toolbox). | Commercial | Download Page |
| PDU spy | Another mobile phone examination program. The site has a number of interesting recovery programs and useful bits for investigating phones – Freeware. | Freeware | Download Page |
| Phonebase | PhoneBase 2, the new, low cost mobile phone analysis system from Envisage Systems, now gives law enforcement agencies worldwide the capability to deliver a full report on the contents of SIM cards and phone memories, typically lists of phone numbers and associated names, recently made calls and text messages – within minutes. | Commercial | Download Page |
| SIM Manager | Recovers phone numbers and SMS messages from a range of phones | Commercial | Download Page |
| SIM Scan | Another tool that allows investigation of SIM cards – freeware. | Commercial | Download Page |
| SIMCon | Forensic imaging and analysis of SIM cards, including recovery of deleted items. Free to Law Enforcement | Commercial | Download Page |
| UndeleteSMS | A tool that can recover deleted SMS messages from a GSM SIM card. | Freeware | Download Page |
PDA Investigation
| Software | Description | Software Licence | Link |
| Paraben PDA Seizure | The only forensic tool designed to capture data and report on data from a PDA. As an examiner you know better than anyone that the difference between making a case and losing a case is hard evidence. And with more bad guys going high tech, obtaining that evidence is becoming more difficult than ever. Paraben's PDA Seizure is a comprehensive tool that allows PDA data to be acquired, viewed, and reported on, all within a Windows environment. Now with USB support. | Commercial | Download Page |
| Pilot-Link | Used to get the contents of ROM and RAM from Palms. Additionally, pilot-xfer allows acquisition | Freeware | Download Page |
| POSE | Emulator for Palms that runs on the desktop. Behaves exactly as the Palm would when a Palm image is loaded into it | Freeware | Download Page |
Lab Tools
| Software | Description | Software Licence | Link |
| BCWipe | Disk wiper (DoD 7-pass wipe tool) | Commercial | Download Page |
| Black Bag Macintosh Forensic Software | BlackBag offers customers a suite of forensic solutions, as well as a Macintosh Boot CD, which boots any system capable of running OS X | Commercial | Download Page |
| CyberGuard | Detects malware and other hostile processes. Has the ability to import hash sets and detect ‘notable files’. Used to detect suspicious software for defeating the ‘Trojan Defence’. | Commercial | Download Page |
| Declasfy | Wipe drives according to DOD specifications. Drive wiping with Declasfy can serve many purposes where information security is a concern. For example: preparing drives for internal reuse; securing private information prior to retirement or donation of a drive; securing private information for compliance with HIPAA and other regulatory requirements. | Freeware | Download Page |
| Disable | Will disable the keyboard of a computer. Best used on a boot disk for evidence protection. Often called an evidence disk. | Freeware | Download Page |
| FS-TST | A software package developed to aid the testing of disk imaging tools typically used in forensic investigations. The package includes programs that use the interrupt 13h BIOS disk interface to initialize disk drives, detect changes in disk content, compare pairs of disks, and simulate bad sectors on a disk. | | Download Page |
| Ghost | Symantec’s Norton Ghost 9.0 provides advanced backup and recovery. | Commercial | Download Page |
| Mac Emulator | Mac emulator for Windows XP | Commercial | Download Page |
| MAK_HTML | A program from Dan Mares to link all files in a folder to an index.htm file that can be used to ‘browse’ the identified files. | Freeware | Download Page |
| MD5Deep | Computes MD5 message digests on an arbitrary number of files. | Freeware | Download Page |
| Media Merge/PC | In order to do forensic analysis on data from a tape, first it is essential to read the tape. MediaMerge/PC will allow the user to read a tape in any format and also look at any part of the tape in an unprocessed mode. Often in an investigation, tapes may be obtained with no knowledge of how they were written. With MM/PC, provided a compatible tape drive is available, the raw data may always be read, and the chances are extremely high that the logical tape format will automatically be detected and the files restored just as on the host system. | Commercial | Download Page |
| Mount Image Pro | Mount Image Pro™ is a tool for Computer Forensics investigations. It enables the mounting of EnCase, Unix DD or SMART forensic images as a drive letter on your file system. | Commercial | Download Page |
| Nero Express | Software for burning CDs and DVDs | Commercial | Download Page |
| Partition Magic | Quick formatting and management of partitions on a hard drive | Commercial | Download Page |
| SMART | Active SMART is a hard disk drive monitoring and failure prediction tool. It uses S.M.A.R.T. technology to monitor the health status of hard disk drives, prevents data loss and predicts possible drive failure. | Shareware | Download Page |
| Sterilize | Sterilize was created with the primary purpose of providing forensic examiners with a cost effective way of sterilizing the media to be used for working / examination copies. | Freeware | Download Page |
| Symantec | AV program | Commercial | Download Page |
| TapeCat | TapeCat is a Windows based Tape Forensics package designed from the ground up with Forensics in mind. TapeCat has support for several backup packages. TapeCat has the following functionality: create a FAT formatted image file and extract the content of an archive tape directly into the image file for subsequent direct import into forensic investigation tools such as Encase or ILook; extract the contents of an archive tape to disk (i.e. restore) maintaining file dates and times; display a catalogue of all volumes on a given tape (supported formats only); support for out of sequence backup tapes (NTBackup and Backup Exec only); raw dump the contents of a tape to disk; duplicate tape to tape; duplicate via hard disk; maintain a forensic log of all activity. | Commercial | Download Page |
| Unique | Eliminate duplicate records in a file. This program will take a sorted input file and copy records to the output for which it finds a unique occurrence of the sort key. The program passes over the input file, and when it finds a new/unique sort key in a record it copies that record to the output, and disregards all subsequent records that contain that same sort key. Therefore, only a single record per sort key is copied to the output file. | Commercial | Download Page |
| VNC | Remote access and viewing tool | Freeware | Download Page |
| Windows NT/2000 Incident Response Tools | This program is a collection of tools that gathers and/or analyzes forensic data on a Microsoft Windows system. You can think of this as a snapshot of the system in the past. Like TCT, most of the tools are oriented towards data collection rather than analysis. The idea of IRCR is that anyone could run the tool and send the output to a skilled Windows forensic security person for further analysis. | Commercial | Download Page |
| WinRAR | Compression tool | Shareware | Download Page |
| WinZip | Compression tool | Shareware | Download Page |
| Wipe | Wipe is a secure file wiping utility. It is based on work by Peter Gutmann. | Freeware | Download Page |
|