analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in a format that allows further analysis with other tools.

Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted and allocated files, perform keyword searches, and create timelines of file activity.

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a project of Digital Forensics
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:

* an interoperable environment that supports the digital investigator during the four phases of the digital investigation
* a user friendly graphical interface

Cdrecord, now known as cdrtools, supports DVD-R and DVD-RW with all known DVD-writers on all UNIX-like OS and on Win32. Other optical media types are supported, as is multisession, and recently support for BluRay has been implemented (version 2.10). DVD writing support has been available in cdrecord since march 1998. Cdrecord writes DVD media similar to CD media. The readcd tool can be used to read the contents of a CD.

Clam AntiVirus is a GPL anti-virus toolkit for UNIX with a port for Windows. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software.

Description: GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. [Ed: This tool is similar to, but not the same as dd_rescue]

"Deeptoad" is a (python) library and a tool to clusterize similar files using fuzzy hashing techniques. This project is inspired by the well known tool ssdeep.

DFF is a simple but powerfull open source tool with a flexible module system written in C++ and Python. The aim is to provide an extensible framework by which additional features may be added to analyze and recover any kind of digital artifact

Latest developments and contributions available from http://tracker.digital-forensic.org
Documentation available from http://wiki.digital-forensic.org

A collection of file system and disk images that test the functionality of analysis tools.

e2salvage is a utility which tries to do in-place data recovery a from damaged ext2 file systems. Unlike e2fsck, it does not look for the data at particular places and it don't tend to believe the data it finds; thus it can handle much more damaged file system.

The enhanced loopback driver modifies the native loopback driver of the Linux kernel and adds functionality that can make the driver emulate a disk drive in some ways. Most important to us is providing automatic interpretation and mapping of partitions contained within an image file of a hard drive.

Fatback is a tool for undeleting files from FAT file systems.

faust is a perl script that helps to analyze files found after an intrusion or the compromising of a honeypot. Its goal is not to make the analysis, but to extract the pieces of information that _you_ will use afterward in your analysis.

FileSystem Investigator is a platform independent file system viewer and data extraction tool. It allows the user to: View the contents of the target file system in a forensically safe manner, bypassing the normal operating system mechanisms. Extract files and whole directory trees of files from the source filesystem.

Foremost is a Linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.

FTimes is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.

This article examines digital evidence reliability by first identifying and differentiating the two competing categories of software from which this evidence is derived: proprietary and Open Source. The next section explores the standards for software reliability in both the industrial marketplace and the legal arena. Specifically, the current standards are addressed in light of their value to industry and the law, as well as their respective historical origins This sets the stage for a reconciliation of standards for reliability as between industry and the courtroom.

Grep searches one or more input files for lines containing a match to a specified pattern. By default, grep prints the matching lines.

gTableauParm is similar to the Tableau Disk Monitor for Windows. It is a GTK front-end for tableau-parm, written in C++/Gtkmm. It shows Tableau-Bridges and attached Devices in a TreeView and shows the different information's about write-protection, DCO/HPA Status etc.

hachoir-parser is a package of most common file format parsers written using hachoir-core.

A Windows\Linux GUI for demonstrating the numerical enormity of large hash algorithms like MD5 (128 bits), SHA1 (160 bits), SHA256 (256 bits) and SHA512 (512 bits). It is designed for the delivery of demonstrations about hashing to non-technical audiences such as jury panels, lawyers, students, case officers and so on by converting the scientific notation of the algorithm to "The chance of two different files having the same X hash value is 1 in XX billion\trillion....".

KS - This is a keywords searching tool. sudo bash ks.sh for running it. It mounts a DD image file; It extracts all deleted files; slackspace; It makes a data carving on the freespace only; It indexes all by RECOLL. You need:
The Sleuthkit (last release)
Photorec
MD5Deep
RECOLL
It stores the index DB and the recoll.conf in the chosen output directory.
NEW file formats added and README.txt for the HowTo expand the search range.
Website:
http://scripts4cf.sourceforge.net/tools.html

Libewf is a library for support of the Expert Witness Compression Format (EWF), it support both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.

Library and tools to access the Windows Shortcut File (LNK) Format.

Library and tooling to support the Microsoft Outlook Nickfile (NK2) format. The nickfile is used to store email address aliases.

LibPST provides functions in library form for accessing Outlook's Personal Folders. Included with this library is a program that will take a PST file and convert it to an mbox format.

Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.

lsof lists open file handles for running Unix processes.

Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.

It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience shows that chunks of 30-50MB are not uncommon.

md5sum computes a 128-bit checksum (or fingerprint or message-digest) for each specified file.
Documentation: http://www.gnu.org/software/coreutils/manual/coreutils.html#md5sum-invoc...

sha1sum computes a 160-bit checksum for each specified file. The usage and options of this command are precisely the same as for md5sum.
Documentation: http://www.gnu.org/software/coreutils/manual/coreutils.html#sha1sum-invo...

NBTempo - This is a GUI (Graphical User Interface) Bash script for making files timelines and reporting them in CSV (electronic sheet) format. It needs TSK 3.2.1 and YAD (Yet Another Dialog).(TSK based)

The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency [KLPD/Dutch]. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.

This paper addresses open source digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, it must be reliable and relevant. The reliability is tested by applying Daubert guidelines. This paper examines the guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools would.

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files.

EDRM – the Electronic Discovery Reference Model – was created in 2005 by George Socha and Tom Gelbmann. Since 2005, over 300 e-discovery experts, vendors and end-users from more than 125 organizations have worked together to address the lack of standards and guidelines in the electronic discovery (e-discovery) market.

The EDRM reference model provides a common, flexible and extensible framework for the development, selection, evaluation and use of electronic discovery products and services. The completed model was placed in the public domain in May 2006.

The tool is an acronym for "Forensic and Log Analysis GUI", written for analysis of various log file types and network traffic analysis but can also be used for forensic analysis of disk images includes support for the Volatility framework http://www2.opensourceforensics.org/node/15 and supports file carving to recover known file types.

python-registry is a pure Python module for reading from Windows Registry files (NTUSER.DAT, userdiff, etc.). It exposes a high level interface analogous to the MSDN APIs, and a low level interface for working with the internal structure of the Registry.

It's possible to resolve the file name starting from the carved file name generated by the Foremost tool and save it, it generates an HTML report. It's possible to resolve the file name starting from the offset of a "grep" keywords search. The tool identifies automatically the change of the partition and, if the keyword is contained into the slack space, saves the sector/cluster/block where it is. (TSK based)

RegLookup is an small command line utility for reading and querying Windows NT/2K/XP registries. RegLookup is released under the GNU GPL, and is implemented in ANSI C.

Regutils is a collection of programs that can assist in the installation of windows 9x software on diskless clients. The basic procedure is to take a snap shot of a system before and after a piece of software is installed and then look at what changed.

ReviveIT (revit) is a file recovery tool (carver). It contains a proof of concept of the Smart Carving method introduced at the 2006 DFRWS forensic (carving) challenge. And was refined for the 2007 DFRWS forensic (carving) challenge.

Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Rootkit scanner is scanning tool to ensure you for about 99.9% you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like: MD5 hash compare, Look for default files used by rootkits, Wrong file permissions for binaries, Look for suspected strings in LKM and KLD modules, Look for hidden files, Optional scan within plaintext and binary files.

Parses the Safari binary History.plist file and prints the results in TAB delimited format

Description: 'sdd' is a replacement for a program called 'dd'. sdd is much faster than dd in cases where input block size (ibs) is not equal to the output block size (obs). Statistics are more easily understood than those from 'dd'.Timing available, -time option will print transfer speed Timing & Statistics available at any time with SIGQUIT (^\) Can seek on input and output Fast null input Fast null output. Support for the RMT (Remote Tape Server) protocol makes remote I/O fast and easy.

SMTPCAT will read a pcap file and attempt to identify all smtp conversations and print info about them in the following format:
a. [INDEX] (Sender IP) --> (SMTP Server IP)
b. [INDEX] (Sender e-mail) --> (Receiver e-mail) (Date)
c. [INDEX] (SUBJECT)
d. [INDEX] (AuthSMTP Passwd) <-- this is outputted only with the –p option

tableau-parm is an small command line utility designed to interact with Tableau forensic write blockers. It performs functions similar to the Tableau Disk Monitor, except that it operates under Linux.

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis

A series of programs to add file name support and additional utilities to TCT.

TCT is a collection of programs for the post-mortem analysis of a UNIX system after break-in.

A collection of command line tools and a C library for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.

Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files.

Vinetto is a forensics tool to examine Thumbs.db files. It is a command line python script that works on Linux, Mac OS X and Cygwin(win32)

WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.

xmount allows you to convert on-the-fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file.