Computer Forensics - many ways to examine data

Main goal: establishing the facts about prior use of a system, while avoiding any contamination of the evidence (work on write-blocked devices or on verified copies, never on the original).
Possible restrictions: physical access (although remote access software can sometimes substitute for it), and legal requirements that must be respected (e.g. constitutional law, regulations, ethical considerations).
See also the technical reasons why it can fail at the end of this page.

Forensic tools to examine networks
- netcat - network utility to read (and write!) data across network connections (TCP/IP based; by now somewhat dated)
- socat - a (network) relay for bidirectional data transfer; a Windows version of socat can be downloaded as well
- TCPREPLAY - a set of tools, e.g. to replay tcpdump capture files (Linux and Windows)
- Not to forget Ethereal and its successor Wireshark, and also associated tools like Netdude. These are based on libpcap/WinPcap, the packet capture library (WinPcap includes the Windows capture driver); see http://www.winpcap.org/ or the pcap man pages.
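As an added example (not code from this page, nor from Wireshark, tcpdump or tcpreplay), here is a small reader for the classic libpcap file format that those tools exchange. It uses only the Python standard library; the two-packet capture it parses is constructed inside the script, and the addresses, ports and timestamps in it are made up. Besides decoding the flows, it shows the two checks a practitioner wants from any capture parser: both byte orders are accepted, and a capture that was cut off mid-record (tool killed while writing) is reported as truncated instead of silently losing the last packet.

```python
"""Minimal reader for the classic libpcap capture format (added example, not page code).

A .pcap file is a 24-byte global header followed by records of a 16-byte header plus
packet bytes. The sample capture is built in memory; nothing touches the network.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    ts: float          # seconds since the epoch, fraction from ts_usec / ts_nsec
    captured_len: int  # bytes present in the file (<= snaplen)
    original_len: int  # bytes on the wire; larger than captured_len means snapped
    data: bytes


def parse_pcap(blob: bytes) -> Tuple[int, List[Packet], bool]:
    """Return (linktype, packets, truncated); byte order is taken from the magic number."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    magic_le, magic_be = struct.unpack("<I", blob[:4])[0], struct.unpack(">I", blob[:4])[0]
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        order, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        order, magic = ">", magic_be
    else:
        raise ValueError("not a classic pcap file (pcapng uses a different layout)")
    frac_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(order + "IHHiIII", blob[:24])
    packets: List[Packet] = []
    off = 24
    while off + 16 <= len(blob):
        sec, frac, incl, orig = struct.unpack(order + "IIII", blob[off:off + 16])
        if off + 16 + incl > len(blob):
            break                      # record header present, packet data cut off
        off += 16
        packets.append(Packet(sec + frac / frac_div, incl, orig, blob[off:off + incl]))
        off += incl
    truncated = off != len(blob)       # leftover bytes that are not a complete record
    return linktype, packets, truncated


def decode_tcp_over_ipv4(frame: bytes) -> Optional[Tuple[str, int, str, int, int]]:
    """Ethernet -> IPv4 -> TCP; returns (src, sport, dst, dport, tcp_flags) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":       # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:   # version 4, protocol TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, tcp[13]


def flow_summary(blob: bytes) -> Tuple[Dict[Tuple[str, int, str, int], int], bool]:
    """Count packets per (src, sport, dst, dport) and pass the truncation flag through."""
    linktype, packets, truncated = parse_pcap(blob)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    flows: Dict[Tuple[str, int, str, int], int] = {}
    for p in packets:
        d = decode_tcp_over_ipv4(p.data)
        if d is not None:
            flows[d[:4]] = flows.get(d[:4], 0) + 1
    return flows, truncated


def build_sample_capture(order: str = "<") -> bytes:
    """Constructed two-packet capture (SYN and SYN/ACK) for this example; not real traffic."""
    def tcp_frame(src: str, sport: int, dst: str, dport: int, flags: int) -> bytes:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
        return eth + ip + tcp
    frames = [tcp_frame("10.0.0.5", 40000, "10.0.0.9", 80, 0x02),   # SYN
              tcp_frame("10.0.0.9", 80, "10.0.0.5", 40000, 0x12)]   # SYN/ACK
    out = struct.pack(order + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(order + "IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    flows, truncated = flow_summary(build_sample_capture())
    for (src, sport, dst, dport), n in flows.items():
        print(f"{src}:{sport} -> {dst}:{dport}  {n} packet(s)")
    print("capture truncated:", truncated)
```

Feed it a real tcpdump or Wireshark file by replacing the constructed bytes with the file contents; pcapng files (the newer Wireshark default) start with a different magic number and are rejected on purpose rather than misparsed.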
Forensic tools to examine storage devices and images
- Forensic Acquisition Utilities - a set of tools similar to the UNIX utilities, but for Windows
- ProDiscover for Windows - inspects at sector level, GUI based, commercial
- EnCase Forensic - Windows based, commercial tool, often used
- Forensic Toolkit (FTK) - an integrated computer forensics solution, e.g. for analyzing an image, commercial
- SMART from ASR Data - also bootable, Linux based, very sophisticated, commercial
- TestDisk - free console based tool; really good also to recover JPGs from formatted flash memory (it carves by file signature, so the lost file system does not matter); small and handy
- WinDD (saves a complete memory dump), or a very small command line DD for Windows (locally mirrored), or the tools at moonsols.com
- X-Ways Forensics - commercial forensic tool, can also dump memory; see also WinHex, a hex editor to examine storage devices/images
- Paraben forensic tools - commercial handheld and hard drive forensics
- RegRipper - one of a set of tools; parses Windows Registry hive files offline, e.g. from an image mounted under a Linux live CD
- dcfldd - an enhanced DD for Linux, e.g. with hash creation while imaging
- AIR Imager (Automated Image and Restore) - GUI based Linux front end for dd/dcfldd
- TCT (The Coroner's Toolkit) - collection of forensic tools for UNIX systems (data collection with grave-robber, MAC time reports, file recovery with unrm/lazarus, process memory capture with pcat)
- The Sleuth Kit - a library of tools to investigate volume and file system data
- Enhanced loopback - loopback driver to "emulate" a hard disk with an image file (Linux)

Memory / RAM forensics tools
- Memoryze - memory forensics tool (see the separate article about it)
- Volatility - extraction of digital artifacts from volatile memory (RAM) samples; also included (along with other tools) in a complete VMware appliance named "SIFT" = SANS Investigative Forensic Toolkit
- FastDump - a free tool from HBGary, Inc.
- Live RAM Capturer from Belkasoft
- WMFT - Windows Memory Forensic Toolkit (a collection of tools)
- WindowsSCOPE - a commercial tool for memory forensics

Professional equipment (expensive, but very effective and safe)
- Forensic Talon - hard disk duplication
- CPR Tools Psiclone - also for hard disk duplication

Very useful: Helix 3 - a Linux based forensic software kit (live CD)

Anti-forensic tools
- all kinds of wiping tools (for storage devices like hard disks)
- encryption (full or partial, e.g. with PGP or TrueCrypt)
- steganography (hiding data in pictures or music files)
- some weaker tools for deleting traces like browser history, temp folders etc. (not really effective; traces usually survive elsewhere)
- a set ATA (user and master) password (can be erased with special equipment, since it is often stored in an EEPROM on the drive)
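The disk imaging and recovery tools listed above (dcfldd with hash creation, TestDisk carving JPGs from a formatted card) rest on two working principles: hash what you write while you write it, so the image can be verified later, and recover files by their signature rather than by file system metadata. The following Python script is an added example illustrating both; it is not code from this page or from dcfldd/TestDisk. Its "device" is a constructed byte string with one deliberately unreadable sector, so it runs without real hardware, and the JPEG-shaped blobs in it have just enough marker structure for carving (they are not viewable pictures).

```python
"""Acquisition with hashing during the copy, plus signature-based JPEG carving.

Added example (not page code). The imaging loop mimics dcfldd hash output together
with dd's conv=noerror,sync: an unreadable sector is logged and written as zeros so
every later offset in the image stays correct. The carver recovers JPEGs the way
TestDisk/PhotoRec do after a format: by SOI/EOI markers, ignoring the file system.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # start of image (FFD8 followed by the first marker byte)
JPEG_EOI = b"\xff\xd9"       # end of image


class FakeDevice:
    """Stand-in for /dev/sdX; sectors listed in `bad` raise IOError like a failing disk."""
    def __init__(self, data: bytes, bad: Iterable[int] = ()):
        self.data, self.bad = data, set(bad)

    @property
    def sectors(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"sector {n}: read error")
        return self.data[n * SECTOR:(n + 1) * SECTOR].ljust(SECTOR, b"\x00")


def acquire(dev: FakeDevice, image: bytearray, hash_name: str = "sha256") -> Dict:
    """Copy sector by sector into `image`, hashing the bytes actually written.
    Bad sectors become zero-filled sectors and are reported instead of aborting."""
    h = hashlib.new(hash_name)
    bad: List[int] = []
    for n in range(dev.sectors):
        try:
            chunk = dev.read_sector(n)
        except IOError:
            bad.append(n)
            chunk = b"\x00" * SECTOR
        image += chunk
        h.update(chunk)
    return {"hash": hash_name + ":" + h.hexdigest(), "bad_sectors": bad, "sectors": dev.sectors}


def verify(image: bytes, recorded: str) -> bool:
    """Recompute the recorded 'algo:hexdigest' over the image; False means it changed."""
    algo, digest = recorded.split(":", 1)
    return hashlib.new(algo, image).hexdigest() == digest


def _jpeg_end(image: bytes, start: int, limit: int) -> int:
    """Index just past the EOI closing the JPEG at `start`, or -1. Nested SOI/EOI pairs
    (an EXIF thumbnail is itself a JPEG) are balanced so they do not end the file early."""
    depth, i = 1, start + 2
    while i + 1 < limit:
        if image[i] == 0xFF:
            if image[i + 1] == 0xD8:
                depth += 1
            elif image[i + 1] == 0xD9:
                depth -= 1
                if depth == 0:
                    return i + 2
        i += 1
    return -1


def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes) for every JPEG found by its markers, in image order."""
    found, pos = [], image.find(JPEG_SOI)
    while pos != -1:
        end = _jpeg_end(image, pos, min(len(image), pos + max_size))
        if end == -1:                          # no closing EOI: try the next candidate
            pos = image.find(JPEG_SOI, pos + 1)
            continue
        found.append((pos, image[pos:end]))
        pos = image.find(JPEG_SOI, end)
    return found


def _fake_jpeg(payload: bytes, thumbnail: bytes = b"") -> bytes:
    """Constructed JPEG-shaped blob: SOI, one APP1 segment (optionally holding a nested
    thumbnail as EXIF does), payload, EOI. Enough for the carver, not a viewable picture."""
    app1 = b"\xe1" + (len(thumbnail) + 2).to_bytes(2, "big") + thumbnail
    return JPEG_SOI + app1 + payload + JPEG_EOI


SAMPLE_THUMB = _fake_jpeg(b"\x11" * 40)
SAMPLE_JPEG_A = _fake_jpeg(bytes(range(256)) * 3, thumbnail=SAMPLE_THUMB)
SAMPLE_JPEG_B = _fake_jpeg(b"\x22" * 300)


def build_sample_device() -> FakeDevice:
    """Constructed 'formatted card': zeroed directory sectors, two JPEGs on sector
    boundaries with unrelated data between them, and one unreadable sector (sector 2)."""
    def pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % SECTOR)
    data = pad(b"\x00" * (2 * SECTOR) + b"\xaa" * 100)   # 3 sectors of "metadata"
    data += pad(SAMPLE_JPEG_A) + b"\x55" * SECTOR + pad(SAMPLE_JPEG_B)
    return FakeDevice(data, bad=[2])


if __name__ == "__main__":
    image = bytearray()
    report = acquire(build_sample_device(), image)
    print("acquired", report["sectors"], "sectors, bad:", report["bad_sectors"])
    print("image", report["hash"], "verified:", verify(bytes(image), report["hash"]))
    for offset, blob in carve_jpegs(bytes(image)):
        print(f"JPEG at offset {offset} (sector {offset // SECTOR}), {len(blob)} bytes")
```

Two details worth noting: the hash is taken over the bytes written to the image, not over the source device, because a device with bad sectors cannot be re-read to the same value, and that image hash is what goes into the case notes. The carver also recovers an EXIF thumbnail from a JPEG whose own end marker is gone, which is the partial recovery one sees from TestDisk on a damaged card. On real hardware the equivalent command line with the page's tools is dcfldd with hash= and hashlog= plus conv=noerror,sync, and the resulting image should be examined read-only (mount -o ro,loop) rather than mounted writable.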
Copyright (c) 2005-2014 Peter Dassow. All rights reserved. peter.dassow@NOSPAM.z80.eu (remove NOSPAM. for a proper mail address)