Acquisition Tools

Title: Forensic Acquisition Utilities     Author: George Garner
Description: A collection of Windows tools such as ‘dd.exe’, ‘md5sum.exe’, ‘wipe.exe’, and ‘nc.exe’. The version of ‘dd’ in this package can also image memory contents in addition to disks.
Website: http://users.erols.com/gmgarner/forensics/
Source: http://users.erols.com/gmgarner/forensics/

Title: FTimes     Author: Klayton Monroe
Description: FTimes is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.
Website: http://ftimes.sourceforge.net/FTimes/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=41134

Title: liveview     Author: CERT
Description: Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to “boot up” the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because
Website: http://liveview.sourceforge.net/

Title: netcat     Author: hobbit
Description: Netcat has been dubbed the network Swiss army knife. It is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol. It can be used on a trusted server to save data from a suspect system, and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk.
Website: http://www.atstake.com/research/tools/network_utilities/
Source: http://www.atstake.com/research/tools/network_utilities/

Title: pdd     Author: Joe Grand
Description: pdd (Palm dd) is a Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs. pdd will preserve the crime scene by obtaining a bit-for-bit image or “snapshot” of the Palm device’s memory contents. Such data can be used by forensic investigators, incident response teams, and criminal and civil prosecutors.
Website: [no longer exists]
Source: [local copy]

Title: ProDiscover DFT     Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)

Title: psloggedon     Author: Mark Russinovich (sysinternals.com)
Description: PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one.
Website: http://www.sysinternals.com/ntw2k/freeware/psloggedon.shtml
Source: http://www.sysinternals.com/ntw2k/freeware/psloggedon.shtml

Title: TULP2G     Author: Netherlands Forensic Institute (NFI)
Description: TULP2G is a forensic software framework developed to make it easy to extract and decode data from digital devices. Besides the framework, it is distributed along with several plug-ins to read data from digital devices (at this point, mobile phones and SIM cards).
Website: http://sourceforge.net/projects/tulp2g/
Source: http://sourceforge.net/project/showfiles.php?group_id=119389

Title: UnxUtils     Author: Karl Syring
Description: Ports of GNU tools, including ‘dd’, that do not need special DLLs.
Website: http://unxutils.sourceforge.net
Source: http://unxutils.sourceforge.net (via CVS)

Title: Webjob     Author: Klayton Monroe
Description: WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.
Website: http://webjob.sourceforge.net/WebJob/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=40788

Media Management Analysis Tools

Title: TestDisk     Author: Christophe Grenier
Description: Tool to check and undelete partitions. Works with the following partitions: FAT12, FAT16, FAT32, Linux EXT2/EXT3, Linux SWAP (version 1 and 2), NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.
Website: http://www.cgsecurity.org/testdisk.html
Source: http://www.cgsecurity.org/testdisk.html

File System Analysis Tools

Title: Explore2fs     Author: John Newbigin
Description: Explore2fs allows you to view the contents of an Ext2FS partition from within Windows.
Website: http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm
Source: http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm

Title: ProDiscover DFT     Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)

Application Analysis Tools

Title: Event Log Parser     Author: Jamie French
Description: A PHP script to parse through Windows event logs.
Website: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
Source: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html

Title: Galleta     Author: Keith Jones
Description: Galleta, the Spanish word meaning “cookie”, was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/galleta.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152412

Title: libpff     Author: Joachim Metz
Description: The libpff package contains a shared library and tooling to analyse Microsoft Outlook Personal Folder Files (PAB, PST and OST). PFF files are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides:

* pffexport to export PFF items
* pffinfo to provide basic information about PFF files
* pffrecover to recover and export PFF items

Website: http://libpff.sourceforge.net

Title: md5deep     Author: Jesse Kornblum
Description: md5deep is an MD5 program that can compute hashes recursively, compare hashes against a database, and estimate the time to completion.
Website: http://md5deep.sourceforge.net/
Source: http://md5deep.sourceforge.net/

Title: MD5summer     Author: Luke Pascoe
Description: MD5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums. Its output file is compatible with the output of the Linux GNU MD5Sum and it will also read Linux generated files.
Website: http://www.md5summer.org/
Source: http://www.md5summer.org/download.html

Title: Outport     Author: chief1ic
Description: Outport provides a means of migrating information from Microsoft Outlook to Ximian Evolution and several standard data formats.
Website: http://outport.sourceforge.net/
Source: http://outport.sourceforge.net/

Title: Pasco     Author: Keith Jones
Description: Pasco, the Latin word meaning “browse”, was developed to examine the contents of Internet Explorer’s cache files. Pasco will parse the information in an index.dat file and output the results in a field-delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/pasco.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152387

Title: ProDiscover DFT     Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)

Title: RegRipper     Author: Harlan Carvey
Description: The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.
Website: http://windowsir.blogspot.com/2008/04/updated-regripper.html

Title: Rifiuti     Author: Keith Jones
Description: Rifiuti, the Italian word meaning “trash”, was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/rifiuti.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152410

Network Analysis Tools

Title: Network Miner     Author: Erik Hjelmvik
Description: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
Website: http://networkminer.sourceforge.net/

Analysis Frameworks

Title: DFF (Digital Forensics Framework)     Author: Solal Jacob
Description: DFF is multi-platform and open-source, oriented to both users and developers, provides many features and is very modular. Our goal is to provide a real framework to the forensic community, so people can use only one tool during the analysis.
Website: http://www.digital-forensic.org

Title: LibForensics     Author: Michael Murr
Description: LibForensics is a Python framework for developing computer forensics applications. LibForensics also includes a series of demo tools that use the framework to extract information from various types of evidence/artifacts.
Website: http://www.libforensics.com