File System
analyzeMFT
analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in a format that allows further analysis with other tools.
Autopsy Forensic Browser
Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted and allocated files, perform keyword searches, and create timelines of file activity.
disktype
The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more detail about the file system or partition table.)
e2salvage
e2salvage is a utility which tries to do in-place data recovery from a damaged ext2 file system. Unlike e2fsck, it does not look for the data at particular places and it does not tend to believe the data it finds; thus it can handle much more heavily damaged file systems.
Enhanced Linux Loopback
The enhanced loopback driver modifies the native loopback driver of the Linux kernel and adds functionality that can make the driver emulate a disk drive in some ways. Most important to us is providing automatic interpretation and mapping of partitions contained within an image file of a hard drive.
Explore2fs
Explore2fs allows you to view the contents of an Ext2FS partition from within Windows.
fatback
Fatback is a tool for undeleting files from FAT file systems.
File System Investigator
FileSystem Investigator is a platform independent file system viewer and data extraction tool. It allows the user to view the contents of the target file system in a forensically safe manner, bypassing the normal operating system mechanisms, and to extract files and whole directory trees of files from the source filesystem.
HashLibrarian
HashLibrarian is a Linux/Unix utility that is capable of hashing a single file or a directory recursively through multiple hashing algorithms. The fun doesn't stop there, HashLibrarian also places these hashes into a database, which it then encrypts with a user's GPG key and protects through hashing. Along with this functionality, HashLibrarian can also load these protected databases back into memory, verify their integrity, and then scan a directory, locating all matches. These matches can then be placed into an HTML formatted report with just a simple command-line option.
INDXParse
INDXParse parses NTFS INDX/$I30 files to extract file entry information, such as filenames and timestamps. The tool supports recovering entries from the slack space within the INDX structures. The tool outputs results to CSV or Bodyfile formats.
KS - keywords searcher
KS is a keyword searching tool; run it with sudo bash ks.sh. It mounts a DD image file, extracts all deleted files and slack space, carves data from the free space only, and indexes everything with RECOLL. You need:
The Sleuthkit (last release)
Photorec
MD5Deep
RECOLL
It stores the index DB and the recoll.conf in the chosen output directory.
New file formats have been added, and README.txt explains how to expand the search range.
Website:
http://scripts4cf.sourceforge.net/tools.html
Linux Loopback
Loopback support in the Linux kernel allows a user to mount a file system image for forensic analysis. Images mounted via loopback can be mounted read-only.
NBTempo
NBTempo is a GUI (Graphical User Interface) Bash script for building file timelines and reporting them in CSV (spreadsheet) format. It needs TSK 3.2.1 and YAD (Yet Another Dialog). (TSK based)
PTK
PTK Forensics is an alternative advanced framework for the TSK suite (The Sleuth Kit). It was born as a free interface intended to improve on the features already present in "Autopsy Forensic Browser" (the former TSK interface), but PTK Forensics is now much more: in addition to providing the functions already present in Autopsy Forensic Browser, it implements numerous new essential forensic features.
pyflag
The name is an acronym for "Forensic and Log Analysis GUI". It was written for the analysis of various log file types and of network traffic, but it can also be used for forensic analysis of disk images. It includes support for the Volatility framework (http://www2.opensourceforensics.org/node/15) and supports file carving to recover known file types.
Quick Hash
A Linux & Windows GUI to enable the rapid selection and subsequent MD5, SHA1, SHA256 or SHA512 hashing of files (either individually or recursively throughout a folder structure), of single text strings and, when used on Linux, of physical or logical disks. The tool was designed for practitioners wanting to easily hash files in Linux without needing to understand command line tools like sha1sum. It is also available for Windows.
Selective File Dumper
Selective File Dumper is a forensics bash script for Linux systems that can retrieve/recover files based on their file extension with only one tool referenced (TSK).
TCTUTILS
A series of programs to add file name support and additional utilities to TCT.
The Coroner's Toolkit (TCT)
TCT is a collection of programs for the post-mortem analysis of a UNIX system after a break-in.
The Sleuth Kit
A collection of command line tools and a C library for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.