Paid forensics Tools

Posted by: adham saad

1-EnCase

EnCase is a commercial forensics platform. It offers support for evidence collection from over twenty-five different types of devices, including desktops, mobile devices and GPS. Within the tool, a forensic investigator can inspect the collected data and generate a wide range of reports based upon predefined templates.


Features:

  • You can acquire data from numerous devices, including mobile phones, tablets, etc.
  • It is one of the best mobile forensic tools that enables you to produce complete reports for maintaining evidence integrity.
  • You can quickly search, identify, as well as prioritize evidence.
  • EnCase Forensic helps you to unlock encrypted evidence.
  • It is one of the best digital forensics tools that automates the preparation of evidence.
  • You can perform both deep analysis and triage analysis (ranking findings by severity and priority).

Link https://www.guidancesoftware.com/encase-forensic

2-Mandiant RedLine

Mandiant RedLine is a popular tool for memory and file analysis. It collects information about running processes on a host and drivers from memory, and gathers other data such as file-system metadata, registry data, tasks, services, network information and internet history to build a proper report.

  • Thoroughly audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history.
  • Analyse and view imported audit data, including the ability to filter results around a given timeframe using Redline’s Timeline.
  • Streamline memory analysis with a proven workflow for analysing malware based on relative priority.
  • Perform Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.

Link https://www.fireeye.com/services/freeware/redline.html

3-Paraben Suite

The Paraben Corporation offers a number of forensics tools with a range of different licensing options. Paraben has capabilities in:

  • Desktop forensics
  • Email forensics
  • Smartphone analysis
  • Cloud analysis
  • IoT forensics
  • Triage and visualization

The E3:Universal offering provides all-in-one access, the E3:DS focuses on mobile devices, and other license options break out computer forensics, email forensics and visualization functionality separately.

Link https://paraben.com/digital-forensic-tools-5/

4- Registry Recon

The Windows registry is a central hierarchical database intended to store information that is necessary to configure the system for one or more users, applications or hardware devices [2]. There are four main registry files (hives): System, Software, Security and SAM. Each hive stores different information under its keys, and the structure of the registry resembles a file-system directory tree. The hive files are located under `C:\Windows\System32\config\`. Each hive contains a great deal of forensically valuable information.
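Before a tool such as Registry Recon can rebuild a registry, it has to read the hive files themselves. The script below is an added example (not code from the post or from Arsenal Recon) that parses the 4 KiB base block of a hive file, the "regf" header, and reports the two things an examiner checks first: whether the hive was flushed cleanly (matching sequence numbers; a mismatch means the last transaction is only in the hive's .LOG1/.LOG2 transaction logs) and whether the header checksum is intact. The field layout follows the documented REGF format; the hive name, timestamp and sequence numbers in `build_sample_hive` are constructed values, not taken from a real system.

```python
"""Added example (not from the post or Arsenal Recon): parse the base block
("regf" header) of a Windows registry hive and flag a dirty or tampered hive.
A hive header is constructed inline so the script runs offline."""
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    # FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer arithmetic: the microsecond count exceeds float precision
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def regf_checksum(base_block):
    """XOR of the first 127 little-endian DWORDs (bytes 0..507), with the
    documented fix-ups: a result of 0 becomes 1, 0xFFFFFFFF becomes 0xFFFFFFFE."""
    cs = 0
    for i in range(0, 508, 4):
        cs ^= struct.unpack_from("<I", base_block, i)[0]
    if cs == 0:
        return 1
    if cs == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return cs


def parse_regf_header(data):
    if len(data) < 512 or data[:4] != REGF_MAGIC:
        raise ValueError("not a registry hive: missing 'regf' signature")
    (primary_seq, secondary_seq, ft, major, minor,
     file_type, _file_format, root_cell, bins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    # 64-byte UTF-16LE hive name at offset 48 (e.g. a \SystemRoot\...\Config\<HIVE> path)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_cs = struct.unpack_from("<I", data, 508)[0]
    return {
        "hive_name": name,
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(ft),
        # cell offsets are relative to the first hive bin, which starts at file offset 0x1000
        "root_cell_offset": 0x1000 + root_cell,
        "hbins_size": bins_size,
        # primary != secondary: the last write was never completed; replay the transaction logs
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": regf_checksum(data) == stored_cs,
        "is_primary_file": file_type == 0,   # 0 = primary hive, 1 = transaction log
    }


def build_sample_hive(dirty=True):
    """Constructed base block (not a real hive): sequence numbers 7/6 model a
    hive whose last write was interrupted; all other values are made up."""
    blk = bytearray(4096)
    blk[:4] = REGF_MAGIC
    ft = datetime_to_filetime(datetime(2023, 1, 1, tzinfo=timezone.utc))
    # primary seq, secondary seq, timestamp, major 1, minor 5, type 0 (primary),
    # format 1, root cell at +0x20, hive bins size 0x1000
    struct.pack_into("<IIQIIIIII", blk, 4, 7, 6 if dirty else 7, ft, 1, 5, 0, 1, 0x20, 0x1000)
    struct.pack_into("<I", blk, 44, 1)  # clustering factor
    name = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16-le")
    blk[48:48 + len(name)] = name
    struct.pack_into("<I", blk, 508, regf_checksum(blk))
    return bytes(blk)


if __name__ == "__main__":
    for key, value in parse_regf_header(build_sample_hive()).items():
        print(f"{key:>17}: {value}")
```

On a real image the same function is fed the first 4096 bytes of each file under the config directory; a dirty flag tells the examiner that the .LOG1/.LOG2 files must be merged before the rebuilt registry is trusted, and a checksum failure means the header was modified after Windows last wrote it.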


Registry Recon is a popular commercial registry analysis tool. It extracts the registry information from the evidence and then rebuilds the registry representation. It can rebuild registries from both current and previous Windows installations.

Link https://arsenalrecon.com/

5-Volatility

Memory forensics is the process of capturing the running memory of a device and then analyzing the captured output for evidence of malicious software. Unlike hard-disk forensics where the file system of a device is cloned and every file on the disk can be recovered and analyzed, memory forensics focuses on the actual programs that were running on a device when the memory dump was captured.


Volatility is a memory forensics framework used for incident response and malware analysis. With this tool, you can extract information about running processes, network sockets, network connections, DLLs and registry hives from a memory image. It also supports extracting information from Windows crash dump files and hibernation files. This tool is available for free under the GPL license.

Link https://www.volatilityfoundation.org/

6- NetworkMiner

NetworkMiner is a network traffic analysis tool with both free and commercial options. While many of the premium features are freely available in Wireshark, the free version can still be a helpful tool for forensic investigations: it organizes information differently from Wireshark and automatically extracts certain types of files from a traffic capture.


NetworkMiner can extract files, emails and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network.

Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner lets the user enter arbitrary strings or byte patterns to search for with the keyword search functionality.
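To show what parsing a PCAP file and searching it for keywords or byte patterns involves, here is an added example (not code from the post or from NetworkMiner). It reads the libpcap file format directly, decodes Ethernet/IPv4/TCP headers, runs a search over each TCP payload and reports which conversation every hit belongs to, which is the information an examiner needs to follow a hit back to a host. The capture is constructed inline with made-up addresses, ports and payloads; checksums in the constructed frames are left at zero because the example only needs parsable headers.

```python
"""Added example (not from the post or NetworkMiner): a minimal libpcap reader
with a keyword / byte-pattern search over TCP payloads. The capture, the
10.0.0.x addresses and the payloads are constructed for the example."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; IP/TCP checksums are left zero."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # data offset 5 (20-byte header), flags PSH|ACK, window 65535
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, t0=1_700_000_000):
    """Global header (version 2.4, snaplen 65535, linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (index, timestamp, frame) for each record; handles both byte orders."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:      # file written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    pos, index = 24, 0
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, pos)
        pos += 16
        frame = data[pos:pos + incl_len]
        if len(frame) < incl_len:
            break                      # truncated capture: stop instead of misparsing
        pos += incl_len
        yield index, ts_sec + ts_usec / 1e6, frame
        index += 1


def decode_tcp(frame):
    """Return endpoints and payload for Ethernet/IPv4/TCP frames, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 20 or frame[14 + 9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "payload": frame[tcp + doff:14 + total_len]}


def keyword_search(pcap_bytes, patterns):
    """Find every occurrence of each byte pattern in TCP payloads, with context."""
    hits = []
    for index, ts, frame in iter_pcap(pcap_bytes):
        info = decode_tcp(frame)
        if info is None:
            continue
        payload = info["payload"]
        for pat in patterns:
            off = payload.find(pat)
            while off != -1:
                hits.append({"packet": index, "time": ts, "src": info["src"], "dst": info["dst"],
                             "pattern": pat, "offset": off,
                             "context": payload[max(0, off - 16):off + len(pat) + 16]})
                off = payload.find(pat, off + 1)
    return hits


# constructed sample traffic: a GET, a POST carrying a credential, a response
# whose body starts with a PE header, and an ARP frame that the decoder skips
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.80", 51234, 80,
                b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.80", 51235, 80,
                b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=alice&password=hunter2"),
    build_frame("10.0.0.80", "10.0.0.5", 80, 51236,
                b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03\x00\x00\x00"),
    b"\xff" * 12 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
]


def build_sample_pcap():
    return build_pcap(SAMPLE_FRAMES)


if __name__ == "__main__":
    for hit in keyword_search(build_sample_pcap(), [b"password=", b"MZ\x90\x00"]):
        print(f"pkt {hit['packet']} {hit['src']} -> {hit['dst']} @{hit['offset']}: {hit['context']!r}")
```

The string pattern `password=` and the byte pattern `MZ\x90\x00` (the start of a PE executable) show the two kinds of search the text describes; on a real capture the same function runs over `open(path, "rb").read()`. Searching per packet is the simplification here: a pattern split across two TCP segments would be missed, which is why NetworkMiner and similar tools reassemble streams before searching.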

NetworkMiner Professional can be delivered either as an Electronic Software Download (ESD) or shipped physically on a USB flash drive. The product is exactly the same, regardless of delivery method. NetworkMiner is a portable application that doesn’t require any installation, which means that the USB version can be run directly from the USB flash drive. However, we recommend that you copy NetworkMiner to the local hard drive of your computer in order to achieve maximum performance.

Link https://www.netresec.com/?page=Networkminer

7- XRY

XRY is a collection of different commercial tools for mobile device forensics. XRY Logical is a suite of tools designed to interface with the mobile device operating system and extract the desired data. XRY Physical, on the other hand, uses physical recovery techniques to bypass the operating system, enabling analysis of locked devices.

  • More data recovery from over 39,300 mobile devices and app profiles.
  • Quickly refine extractions to data categories, apps or individual files within specified time ranges.
  • Simultaneously extract and decode data from three phones at a time with a single license.
  • Decode images with automated image recognition up to 20 times faster with Nvidia CUDA enabled GPUs.
  • Support for the latest Android and iOS versions.
  • Recover and decode Warrant Returns, Cloud Data and iCloud Backups.
  • Secure your chain of evidence in a forensically sound file format with a complete audit log.
  • Includes XRY Photon for acquiring unencrypted data from encrypted apps, when other methods don’t work.
  • Market-leading support for chipsets such as Exynos, Qualcomm, Kirin, MTK, Spreadtrum, Coolsand and Infineon.
  • Retrieve more location data along with related timestamps from embedded files in both iOS and Android databases.

Link https://www.msab.com/product/xry-extract/
