What are Digital Forensic Tools?
Digital forensic tools are software applications that help preserve, identify, extract, and document digital evidence for legal proceedings. They make the forensic process repeatable and easier to carry out, and they generate reports that can be presented in court.
Types of Computer Forensic Tools
Here are the main types of digital forensic tools:
- Disk Forensic Tools
- Network Forensic Tools
- Wireless Forensic Tools
- Database Forensic Tools
- Malware Forensic Tools
- Email Forensic Tools
- Memory Forensic Tools
- Mobile Phone Forensic Tools
1- Autopsy
Autopsy is an end-to-end open source digital forensics platform built by Basis Technology on top of The Sleuth Kit. It provides the core features expected of commercial forensic tools and is a fast, thorough hard drive investigation solution that can be extended with modules as your needs evolve.

- Multi-User Cases: Collaborate with fellow examiners on large cases.
- Timeline Analysis: Displays system events in a graphical interface to help identify activity.
- Keyword Search: Text extraction and indexed search modules let you find files that mention specific terms or match regular expression patterns.
- Web Artifacts: Extracts web activity from common browsers to help identify user activity.
- Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
- LNK File Analysis: Identifies shortcuts and the documents they point to.
- Email Analysis: Parses MBOX format messages, such as Thunderbird.
- EXIF: Extracts geo location and camera information from JPEG files.
- File Type Sorting: Group files by their type to find all images or documents.
- Media Playback: View videos and images inside the application without needing an external viewer.
- Thumbnail viewer: Displays thumbnails of images so pictures can be reviewed quickly.
- Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
- Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
- Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
- Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
- File Type Detection based on signatures and extension mismatch detection.
- Interesting Files Module will flag files and folders based on name and path.
- Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.
Installation: download from https://www.autopsy.com/
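As an added example (not Autopsy's own code), the following Python shows what the Hash Set Filtering and File Type Detection features above do: files are hashed, matched against a known-good set in md5sum format and a custom known-bad set, and each file's leading bytes are compared with its extension. The sample files, hash sets and signature table are constructed for the example.

```python
# Added example (not Autopsy's own code): known-good / known-bad hash-set
# filtering and signature-vs-extension mismatch detection.  The sample "files"
# and the hash sets are constructed here; a real NSRL set would be loaded from
# disk in the same md5sum-style format.
import hashlib
from collections import namedtuple

# Magic-number signatures (leading bytes) for a few common file types.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/pptx/jar containers
    b"MZ": "exe",           # PE / DOS executable
}
# Extensions that legitimately carry a given signature.
EQUIVALENT = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": {"exe", "dll", "sys", "scr"},
}

Finding = namedtuple("Finding", "name md5 sha256 status mismatch")


def load_md5sum_hashset(text):
    """Parse md5sum-style lines ('<md5>  <path>') into a set of lowercase hashes."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hashes.add(line.split()[0].lower())
    return hashes


def detect_type(data):
    """Return the type implied by the file's leading bytes, or None if unknown."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def triage(files, known_good, known_bad):
    """Hash every file, classify it against the hash sets, and flag extension mismatches."""
    results = []
    for name, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        sha256 = hashlib.sha256(data).hexdigest()
        if md5 in known_bad:
            status = "notable"      # custom known-bad set: surface for review
        elif md5 in known_good:
            status = "known"        # NSRL hit: safe to filter out of the review queue
        else:
            status = "unknown"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = detect_type(data)
        mismatch = actual is not None and ext not in EQUIVALENT.get(actual, {actual})
        results.append(Finding(name, md5, sha256, status, mismatch))
    return results


# Constructed sample evidence: name -> content.
FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # a PE executable hiding behind .pdf
    "tool.exe": b"MZ" + b"\x90" * 64,
    "notes.txt": b"meeting at 10",
    "report.docx": b"PK\x03\x04" + b"\x00" * 20,
}


def demo():
    """Run the triage on the constructed files; returns name -> (status, mismatch)."""
    good = load_md5sum_hashset(
        hashlib.md5(FILES["photo.jpg"]).hexdigest().upper() + "  /nsrl/photo.jpg\n")
    bad = load_md5sum_hashset(
        "# custom notable hash set\n" + hashlib.md5(FILES["tool.exe"]).hexdigest() + "  tool.exe\n")
    return {f.name: (f.status, f.mismatch) for f in triage(FILES, good, bad)}


if __name__ == "__main__":
    for name, (status, mismatch) in demo().items():
        print("%-12s %-8s %s" % (name, status, "EXTENSION MISMATCH" if mismatch else ""))
```

Filtering on NSRL hits removes operating-system and application files from the review queue. MD5 is used for the lookup because that is the format the hash sets are distributed in, not as a security primitive; the SHA-256 is recorded alongside for the report.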
2- FTK and FTK Imager
FTK Imager, AccessData's free companion to FTK, creates forensic images of disks, volumes and memory and lets you preview evidence without changing the original media. FTK (Forensic Toolkit) is the full commercial analysis suite built around those images.

FTK is designed as an all-in-one digital forensics solution. Some of its major capabilities include:
- Email analysis
FTK provides an email analysis interface for examiners: messages can be searched for particular words, and headers parsed to recover the originating IP address and routing path.
- File decryption
FTK can decrypt files and recover passwords for over 100 applications, so protected documents and archives found on an image can be opened and indexed.
- Data carving
FTK includes a data carving engine that recovers files from unallocated space by their signatures. Carved results can be searched by size, data type and, for images, pixel dimensions.
- Data visualization
Rather than reading textual data alone, examiners can use visualization to get a more intuitive picture of a case. FTK provides timeline construction, cluster graphs and geolocation views.
- Web viewer
One of the more recent additions to the suite, FTK Web Viewer gives attorneys access to case files in real time, while evidence is still being processed by FTK. It also supports multi-case searching, so evidence from different cases need not be cross-referenced by hand.
- Cerberus
Cerberus is FTK's automated malware triage feature: it scores executables for malicious characteristics, flags suspicious binaries, and suggests how to deal with what it finds.
- OCR
FTK's Optical Character Recognition engine converts text in images (scanned documents, screenshots) into searchable text, with multi-language support.
Installation: FTK Imager can be downloaded from https://www.accessdata.com/product-download/ftk-imager-version-4-2-1
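Added example, not FTK's code: a minimal carving engine of the kind the Data carving bullet describes. It recovers JPEG and PDF files from a raw buffer by header and footer signatures and BMP files by the length declared in their header, and reports a header with no footer as a partial file rather than dropping it. The blob it runs on is constructed.

```python
# Added example (not FTK's own code): header/footer and header-declared-length
# file carving from a raw buffer with no usable file system, the technique a
# carving engine uses to recover deleted or unallocated files.  The blob is
# constructed below; on a real case it would be an image's unallocated space.
import struct

# (extension, header, footer, maximum size) for footer-delimited formats.
FOOTER_CARVERS = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
]


def carve_by_footer(blob, carvers=FOOTER_CARVERS):
    """Return (ext, start, end, complete) for every header found.

    A header without a footer within max_size is still reported, as a
    partial (truncated or overwritten) file, so it is not silently lost."""
    found = []
    for ext, header, footer, max_size in carvers:
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            limit = min(len(blob), start + max_size)
            end = blob.find(footer, start + len(header), limit)
            if end < 0:
                found.append((ext, start, limit, False))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append((ext, start, end, True))
                pos = end
    return found


def carve_bmp(blob):
    """BMP has no footer; the file size sits at offset 2 (little-endian uint32).

    'BM' is only two bytes, so also require the reserved field at offset 6 to be
    zero and the declared size to fit in the buffer before trusting a hit."""
    found, pos = [], 0
    while True:
        start = blob.find(b"BM", pos)
        if start < 0 or start + 14 > len(blob):
            break
        size, reserved = struct.unpack_from("<II", blob, start + 2)
        if reserved == 0 and 14 < size <= len(blob) - start:
            found.append(("bmp", start, start + size, True))
            pos = start + size
        else:
            pos = start + 2
    return found


def carve_all(blob):
    return sorted(carve_by_footer(blob) + carve_bmp(blob), key=lambda f: f[1])


def extract(blob, hits):
    """Materialise carved files as (filename, bytes) pairs named by offset."""
    return [("%08x.%s%s" % (start, ext, "" if ok else ".partial"), blob[start:end])
            for ext, start, end, ok in hits]


def demo():
    """Carve a constructed blob; returns [(ext, length, complete), ...]."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"P" * 200 + b"\n%%EOF"
    bmp = b"BM" + struct.pack("<I", 70) + b"\x00" * 4 + struct.pack("<I", 54) + b"B" * 56
    blob = (b"\x00" * 512 + jpg + b"\xaa" * 77 + pdf + b"\x00" * 33 + bmp
            + b"\xff\xd8\xff\xe1" + b"T" * 20)   # trailing JPEG header with no footer
    return [(ext, end - start, ok) for ext, start, end, ok in carve_all(blob)]


if __name__ == "__main__":
    print(demo())
```

Footer-based carving is only as good as the footer: a JPEG that embeds a thumbnail contains a second FFD9, and fragmented files come out as garbage, which is why production carvers validate the carved structure and why partial hits are reported separately.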
3- Guymager
A forensic image (forensic copy) is a bit-by-bit, sector-by-sector copy of a physical storage device, including all files and folders as well as unallocated, free and slack space. It therefore contains not only the files visible to the operating system but also deleted files and fragments left in slack and free space. Forensic imaging is one element of computer forensics, the application of computer investigation and analysis techniques to gather evidence suitable for presentation in court.

Guymager is a free forensic imager for media acquisition. Its main features are:
- Easy-to-use interface, available in several languages
- Runs under Linux
- Fast, thanks to a multi-threaded, pipelined design and multi-threaded data compression
- Makes full use of multi-processor machines
- Generates flat (dd), EWF (E01) and AFF images; supports disk cloning
- Free of charge and completely open source
The latest version at the time of writing is 0.8.13.
Installation on Debian and Ubuntu:
sudo apt-get update
sudo apt-get install guymager
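The acquisition and verification that an imager performs, as an added example in Python (not Guymager's code): every sector is copied, MD5 and SHA-256 are computed on the fly, the written image is re-read and compared, and an unreadable sector is zero-filled and logged the way dd's conv=noerror,sync does. The FlakyDevice class is a constructed stand-in for a real block device; the sidecar file layout is this example's own, not Guymager's .info format.

```python
# Added example (not Guymager's own code): sector-by-sector acquisition with
# on-the-fly MD5/SHA-256 hashing, verification of the written image, and
# dd-style "noerror,sync" handling of an unreadable sector.  The "device" is a
# constructed in-memory buffer in which one sector fails to read; on a real
# system it would be a block device sitting behind a write blocker.
import hashlib
import os
import tempfile

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a block device; reading sector `bad_sector` raises OSError."""

    def __init__(self, data, bad_sector):
        assert len(data) % SECTOR == 0
        self.data, self.bad_sector = data, bad_sector

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n == self.bad_sector:
            raise OSError("Input/output error reading sector %d" % n)
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(dev, image_path):
    """Copy every sector to image_path, hashing what is written.

    An unreadable sector is replaced with zeros so later sectors keep their
    offsets (dd's conv=noerror,sync); its number is logged because the image
    hash will then not match a hash of the original media."""
    md5, sha256, bad = hashlib.md5(), hashlib.sha256(), []
    with open(image_path, "wb") as img:
        for n in range(dev.sectors):
            try:
                chunk = dev.read_sector(n)
            except OSError:
                chunk = b"\x00" * SECTOR
                bad.append(n)
            md5.update(chunk)
            sha256.update(chunk)
            img.write(chunk)
    return {"sectors": dev.sectors, "bad_sectors": bad,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(image_path, expected_sha256):
    """Re-read the image from disk and compare with the acquisition hash."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def write_info(image_path, info):
    """Write a sidecar record next to the image (layout is this example's, not Guymager's .info)."""
    with open(image_path + ".info", "w") as f:
        for key in ("sectors", "bad_sectors", "md5", "sha256"):
            f.write("%s: %s\n" % (key, info[key]))


def demo():
    """Acquire a constructed 16-sector device whose sector 5 is unreadable."""
    data = bytes(range(256)) * (16 * SECTOR // 256)     # 8192 bytes of known content
    dev = FlakyDevice(data, bad_sector=5)
    image = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    info = acquire(dev, image)
    write_info(image, info)
    info["verified"] = verify(image, info["sha256"])
    info["image_size"] = os.path.getsize(image)
    info["source_sha256"] = hashlib.sha256(data).hexdigest()   # what a clean read would give
    return info


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-14s %s" % (k, v))
```

Two practitioner caveats: neither this script nor Guymager protects the source from writes, so the device should sit behind a hardware write blocker (or at least be set read-only with blockdev --setro); and when bad sectors were padded, the recorded hash is the hash of the acquired image, not of the original media, so the sector list must go into the acquisition log.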
4- CAINE
CAINE (Computer Aided INvestigative Environment) is an Ubuntu-based live Linux distribution that provides a complete forensic environment with a graphical interface. It bundles a large set of open-source forensic tools, including memory-analysis and timeline tools.

The main objectives that CAINE aims to guarantee are the following:
- Its environment is designed to provide all the forensic tools required for the phases of a digital investigation: preservation, collection, examination and analysis.
- It provides a user-friendly graphical interface around those tools.
- It can be booted from removable media such as a flash drive or an optical disk and run entirely in memory.
- It can be installed onto a physical or a virtual system.
- In live mode, CAINE can examine attached storage devices without booting the operating system installed on them. It mounts block devices read-only by default, so evidence is not altered by the act of examining it; write access must be enabled deliberately.
Installation: https://www.caine-live.net/
5- Wireshark
Wireshark is a network packet analyzer. It is used for network testing and troubleshooting and lets you inspect the traffic passing through a host's interfaces. The project was started by Gerald Combs in 1997 with the goal of building a tool for closely analyzing network packets. Its original name was Ethereal; the first public release, version 0.2.0, came in July 1998. With support from the developer community it grew rapidly; it was renamed Wireshark in 2006 and reached version 1.0 in 2008.

Packet list: this pane shows the packets captured on the network, colour-coded by protocol. For each packet the following information is shown:
1. Source address
2. Destination address
3. Packet type
4. Hex dump of the packet
5. Contents of the packet in text
6. Source port(if applicable)
7. Destination port(if applicable)
Import from a capture file: this lets you load a packet dump from a capture file for further analysis. Wireshark reads many capture formats, including:
- pcapng
- libpcap
- Oracle snoop and atmsnoop
- Finisar (previously Shomiti) Surveyor captures
- Microsoft Network Monitor captures
- Novell LANalyzer captures
- AIX iptrace captures
- Cinco Networks NetXray captures
- Network Associates Windows-based Sniffer and Sniffer Pro captures
- Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
- AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
- RADCOM’s WAN/LAN Analyzer captures
- Network Instruments Observer version 9 captures
- Lucent/Ascend router debug output
- HP-UX’s nettl
- Toshiba’s ISDN routers dump output
- ISDN4BSD i4btrace utility
- Traces from the EyeSDN USB S0
- IPLog format from the Cisco Secure Intrusion Detection System
- the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
- the text output from the DBS Etherwatch VMS utility
- Visual Networks’ Visual UpTime traffic capture
- the output from CoSine L2 debug
- the output from Accellent’s 5Views LAN agents
- Endace Measurement Systems’ ERF format captures
- Linux Bluez Bluetooth stack hcidump -w traces
- Catapult DCT2000 .out files
- Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
- IBM Series (OS/400) Comm traces (ASCII & UNICODE)
- Juniper Netscreen snoop captures
- Symbian OS btsnoop captures
- Tamosoft CommView captures
- Tektronix K12xx 32-bit .rf5 format captures
- Tektronix K12 text file format captures
- Apple PacketLogger captures
- Captures from Aethra Telecommunications’ PC108 software
Export to a capture file: Wireshark can save the capture to a file so that you can continue working on it later. The supported formats are:
- pcapng (*.pcapng)
- libpcap, tcpdump and various other tools using tcpdump’s capture format (*.pcap, *.cap, *.dmp)
- Accellent 5Views (*.5vw)
- HP-UX’s nettl (*.TRC0, *.TRC1)
- Microsoft Network Monitor – NetMon (*.cap)
- Network Associates Sniffer – DOS (*.cap, *.enc, *.trc, *fdc, *.syc)
- Network Associates Sniffer – Windows (*.cap)
- Network Instruments Observer version 9 (*.bfr)
- Novell LANalyzer (*.tr1)
- Oracle (previously Sun) snoop (*.snoop, *.cap)
- Visual Networks Visual UpTime traffic (*.*)
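Added example (not Wireshark's code) for the two lists above: it writes a minimal libpcap file, the first format in both lists, then reads it back and decodes the columns the packet list shows (source and destination address, protocol, ports). The frame, addresses and timestamp are constructed.

```python
# Added example (not Wireshark's own code): write a minimal libpcap capture and
# parse it back, decoding the Ethernet/IPv4/UDP fields the packet list shows
# (source/destination address, protocol, ports).  The frame, addresses and
# timestamp are constructed; nothing here reads a live interface.
import socket
import struct

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4          # little-endian file; byte-swapped magic means big-endian


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP.  UDP checksum 0 means 'not computed' (legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp


def write_pcap(packets, snaplen=65535):
    """packets: iterable of (timestamp_seconds, frame_bytes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(blob):
    """Return (linktype, [(timestamp, original_length, captured_bytes), ...])."""
    magic = struct.unpack_from("<I", blob)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng starts with block type 0x0A0D0D0A)")
    _, _, _, _, _, _, linktype = struct.unpack_from(endian + "IHHiIII", blob)
    records, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, incl, orig = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        if off + incl > len(blob):
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((sec + usec / 1e6, orig, blob[off:off + incl]))
        off += incl
    return linktype, records


def decode_ethernet_ipv4(frame):
    """Pull out the columns a packet list shows; returns None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    proto = ip[9]
    info = {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "proto": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "ip_checksum_ok": ip_checksum(ip) == 0,
    }
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack_from("!HH", l4)
    return info


def demo():
    """Round-trip one constructed DNS query (UDP/53) through a pcap file."""
    frame = build_udp_frame(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                            "192.168.1.10", "8.8.8.8", 53123, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
    linktype, records = read_pcap(write_pcap([(1700000000.25, frame)]))
    ts, orig_len, captured = records[0]
    info = decode_ethernet_ipv4(captured)
    info.update(linktype=linktype, orig_len=orig_len, timestamp=ts)
    return info


if __name__ == "__main__":
    print(demo())
```

The magic number at offset 0 both identifies the format and tells the reader which byte order the writer used; a pcapng file begins instead with the Section Header Block type 0x0A0D0D0A, which this reader rejects rather than misparsing.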
Installation: https://www.wireshark.org/
6- Bulk Extractor
Bulk Extractor (bulk_extractor) is another widely used digital forensics tool. It scans disk images, files or directories of files and extracts useful information. Because it ignores the file system structure, it is faster than many comparable tools, and it is used by intelligence and law enforcement agencies in cybercrime investigations.

- Finds artifacts that other tools miss, such as e-mail addresses, URLs and credit-card numbers, because it decompresses data on the fly (ZIP, PDF and GZIP streams) and copes with incomplete or partially corrupted input. It can extract JPEG files, office documents and other file types from fragments of compressed data, and can detect and carve encrypted RAR archives.
- Builds a word list from every word found in the data, including data inside compressed streams and in unallocated space. Such word lists are useful for password cracking.
- Multithreaded, so processing time scales with the number of CPU cores.
- After the scan, produces histograms of e-mail addresses, URLs, domain names, search terms and other feature types.
bulk_extractor processes disk images, files or directories of files without parsing the file system. The input is split into pages that are handed to one or more scanners; each scanner writes what it finds to a feature file, which can be inspected directly or parsed and post-processed by other automation tools. bulk_extractor also generates a histogram for each feature type it reports.
Installation: https://github.com/simsong/bulk_extractor/wiki
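The paging and scanner model just described, as an added example in Python (not bulk_extractor's code): the input is split into pages, each scanner is a regular expression run over every page plus a margin on either side, hits are written to a feature file with their byte offsets, and a histogram is built. The image buffer, page size and margin are constructed so that one address straddles a page boundary.

```python
# Added example (not bulk_extractor's own code): page-based scanning of a raw
# image with regex "scanners" for e-mail addresses and URLs, a feature file with
# byte offsets, and a histogram.  The image buffer is constructed; the page size
# is tiny so that one feature straddles a page boundary and exercises the margin.
import re
from collections import Counter

PAGE = 64      # bulk_extractor pages are ~16 MiB; small here to show the boundary case
MARGIN = 32    # bytes read before and after each page so a feature crossing the
               # boundary is seen whole exactly once

SCANNERS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./?=&_%-]+"),
}


def scan(image, scanners=SCANNERS):
    """Return {scanner: [(offset, feature_bytes), ...]} for the whole image."""
    features = {name: [] for name in scanners}
    for page_start in range(0, len(image), PAGE):
        lo = max(0, page_start - MARGIN)
        buf = image[lo:page_start + PAGE + MARGIN]
        for name, rx in scanners.items():
            for m in rx.finditer(buf):
                offset = lo + m.start()
                # A page owns only the features that begin inside it; anything that
                # begins in the margins belongs to a neighbour and is skipped here.
                if page_start <= offset < page_start + PAGE:
                    features[name].append((offset, m.group()))
    return features


def feature_file(features, name):
    """bulk_extractor-style feature file: one 'offset<TAB>feature' line per hit."""
    return "\n".join("%d\t%s" % (off, feat.decode("ascii", "replace"))
                     for off, feat in features[name])


def histogram(features, name):
    """Counts per distinct feature, case-folded so Alice@x and alice@x are one entry."""
    return Counter(feat.lower() for _, feat in features[name]).most_common()


# Constructed "disk image": no file system, binary filler, and text fragments.
IMAGE = (b"\x00" * 40 + b"From: bob.smith@example.org\n"          # crosses the 64-byte page edge
         + b"\xff" * 10 + b"visit http://evil.example/login?u=1 now "
         + b"alice@Example.org " + b"ALICE@example.org" + b"\x00" * 50)


def demo():
    found = scan(IMAGE)
    return {"features": found,
            "email_feature_file": feature_file(found, "email"),
            "email_histogram": histogram(found, "email")}


if __name__ == "__main__":
    r = demo()
    print(r["email_feature_file"])
    print(r["email_histogram"])
```

The margin is what keeps a feature that crosses a page boundary from being split in two or counted twice: each page reports only the hits that begin inside it. Real scanners also decompress embedded streams and validate credit-card candidates with the Luhn check; both are omitted here.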
7- Registry analysis with fred (Forensic Registry EDitor), a CSI Linux tool
The Windows registry serves as a database of configuration information for the OS and the applications running on it. For this reason it contains a great deal of information useful in forensic analysis.

The Windows registry is a central hierarchical database that stores the information needed to configure the system for one or more users, applications or hardware devices [2]. There are four main registry hive files: SYSTEM, SOFTWARE, SECURITY and SAM, located under C:\Windows\System32\config\; in addition, each user profile holds an NTUSER.DAT hive. Each hive stores values under keys, and the key structure resembles a file-system directory tree. Every hive contains forensically valuable information, from installed software and USB device history to user accounts and recently opened documents.
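Before loading a hive into fred or any other viewer, an examiner checks that it is intact. The added example below (not fred's code) parses the REGF base block at the start of a hive and verifies the signature, the header checksum and the pair of sequence numbers; a mismatch between them means the hive was not cleanly written and the .LOG1/.LOG2 transaction logs must be replayed first. The hive headers it parses are constructed, with a valid checksum, not taken from a real system.

```python
# Added example (not fred's own code): parse the REGF base block of a Windows
# registry hive and run the checks an examiner does before trusting it:
# signature, header checksum, and whether the primary and secondary sequence
# numbers agree (if they differ the hive was not cleanly flushed and the .LOG1/
# .LOG2 transaction logs must be replayed).  The hive headers are constructed.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def regf_checksum(block):
    """XOR of the first 508 bytes as 127 little-endian DWORDs, with the two special cases."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if x == 0 else x


def parse_regf(block):
    """Decode the base block fields relevant to triage."""
    if block[:4] != b"regf":
        raise ValueError("not a registry hive: bad signature %r" % block[:4])
    (seq1, seq2, ft, major, minor, hive_type, fmt,
     root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    name = block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 508)[0]
    return {
        "hive_name": name,
        "last_written": filetime_to_datetime(ft),
        "version": "%d.%d" % (major, minor),
        "root_cell_offset": 0x1000 + root_cell,        # cell offsets are relative to the first hbin
        "hbins_size": hbins_size,
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(block),
    }


def build_hive_header(name, seq1, seq2, last_written):
    """Constructed 4 KiB base block with a valid checksum (no hbins follow it)."""
    b = bytearray(4096)
    b[:4] = b"regf"
    struct.pack_into("<IIQIIIIII", b, 4, seq1, seq2, datetime_to_filetime(last_written),
                     1, 5, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")
    b[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", b, 508, regf_checksum(bytes(b)))
    return bytes(b)


def demo():
    when = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    name = "\\SystemRoot\\System32\\Config\\SAM"
    clean = build_hive_header(name, 7, 7, when)
    dirty = build_hive_header(name, 8, 7, when)      # write started, never completed
    tampered = bytearray(clean)
    tampered[49] ^= 0x01                              # corrupt one byte of the hive name
    return {"clean": parse_regf(clean), "dirty": parse_regf(dirty),
            "tampered_checksum_ok": parse_regf(bytes(tampered))["checksum_ok"]}


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info)
```

A dirty hive is normal on a live system or a machine that was powered off rather than shut down; the fix is to apply the transaction logs before analysis, not to ignore the warning, because the keys you would otherwise read may be stale.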