AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.

The GNU Binutils are a collection of binary tools. For forensics, these are used for binary analysis, including 'strings'.
On Ubuntu this includes the following utils:-
size
objdump
ar
strings
ranlib
objcopy
addr2line
readelf
nm
strip
c++filt
as
gprof
ld

CDFS is a file system for Linux systems that `exports' all tracks and boot images on a CD as normal files. These files can then be mounted (e.g. for ISO and boot images), copied, played (audio and VideoCD tracks).

chkrootkit is a tool to locally check for signs of a rootkit.

The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.

[Purpose]
This tool provides the user with a gui frontend (designed in perl) for the popular program, dd. The frontend has been designed to allow for the same functionality as using dd via command line or terminal.

[Features]
-Local/Remote imaging.
-Netcat/Cryptcat ready.
-MD5, SHA1, and other hash methods are provided.
-GUI based directories.
-DD command line argument options.
-Summary Reports.
-Imaging completion status display.

[OS Support]
-Windows XP to 7
-Variants of Linux
-OSX versions with dd.

DOWNLOAD LOCATION: http://ddgui.myftp.org/ddgui.zip

Like dd, dd_rescue does copy data from one file or block device to another. You can specify file positions (called seek and Skip in dd). There are several differences. dd_rescue does not provide character conversions. dd_rescue does not abort on errors on the input file, unless you specify a maximum error number. Then dd_rescue will abort when this number is reached. dd_rescue does not truncate the output file, unless asked to. You can tell dd_rescue to start from the end of a file and move backwards. It uses two block sizes, a large (soft) block size and a small (hard) block size.

DEFT Linux v5 is an Italian project that is based on Kernel 2.6.31 and uses the LXDE desktop environment and thunar file manager in conjunction with best free and open source applications dedicated to incident response and computer forensics. In addition, DEFT Extra 2.0 (Computer Forensic GUI) comes with the best freeware Windows Computer Forensic tools.

DEFT is meant to be used by:

* police
* investigators
* system administrator
* individuals who need to use forensic tools to recover data

Very fast tool for compute and verify MD5, SHA1 and SFV hash, with a GUI and a useful progress bar.

The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more details about the file system or partition table)

eCryptfs Parser is a GUI for Linux and Windows that recursively parses the headers of every eCryptfs file found in a given directory. It will tell you what encryption algorithm was used, the original filesize of the file before it was encrypted, the private signature used etc.

A PHP script to parse Windows event logs.

The FCCU GNU/Linux Forensic boot CD-Rom was created by the Belgian Federal Computer Crime Unit (FCCU) to assist in the forensic analysis of computers. It is based on version 4.02 of the KNOPPIX Live CD and contains open source forensic utilities.

File Ripper is a file extractor based on header recognition. It can be used to recover files from unfragmented disk images where filesystem information has been lost or otherwise corrupted, or the files have been inadvertently deleted. It detects and extracts PNG, HTML, GIF, ZIP, LBM, PBM, ANM, BAT, BAS, RTF, HLP, WAV, WRI, JPG, ARJ, DOS EXE, ANS, ZZT, FRM, text BAS, BMP, MZB, FLI, MSP, DOC, MZX, GDM, IT, S3M, SAV, BRD, LZH/LHA, MOD, XM, VOC, SVX, ABM, Quetzal, and certain obscure bulletin board system formats.

The find program searches a directory tree to find a file or group of files. It traverses the directory tree and reports all occurrences of a file matching the user's specifications. The find program includes very powerful searching capability.

The Forensic Hash Database is a project to combine the various hashsum sources like Dan Farmer's FUCK baseline collection, The NIST National Software Reference Library (NSRL), Known Goods Database, and Hashkeeper into a single meta RDBMS (relational database management system).

Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.

Appears to be no longer developed, however is still available for most Linux distrubutions e.g. Ubuntu, installs version 0.1h-11, n.b. Beta version.

GrokEVT is a collection of scripts built for reading Windows NT/2K/XP/2K3 event log files.

guymager is a forensic imager for media acquisition. Its main features are:
* Easy user interface in different languages
* Runs under Linux
* Really fast, due to multi-threaded design, multi-threaded data compression
* Makes full usage of multi-processor machines
* Generates flat (dd), EWF (E01) and AFF images

HashLibrarian is a Linux/Unix utility that is capable of hashing a single file or a directory recursively through multiple hashing algorithms. The fun doesn't stop there, HashLibrarian also places these hashes into a database, which it then encrypts with a user's GPG key and protects through hashing. Along with this functionality, HashLibrarian can also load these protected databases back into memory, verify their integrity, and then scan a directory, locating all matches. These matches can then be placed into an HTML formatted report with just a simple command-line option.

A Windows\Linux GUI for demonstrating the numerical enormity of large hash algorithms like MD5 (128 bits), SHA1 (160 bits), SHA256 (256 bits) and SHA512 (512 bits). It is designed for the delivery of demonstrations about hashing to non-technical audiences such as jury panels, lawyers, students, case officers and so on by converting the scientific notation of the algorithm to "The chance of two different files having the same X hash value is 1 in XX billion\trillion....".

KS - This is a keywords searching tool. sudo bash ks.sh for running it. It mounts a DD image file; It extracts all deleted files; slackspace; It makes a data carving on the freespace only; It indexes all by RECOLL. You need:
The Sleuthkit (last release)
Photorec
MD5Deep
RECOLL
It stores the index DB and the recoll.conf in the chosen output directory.
NEW file formats added and README.txt for the HowTo expand the search range.
Website:
http://scripts4cf.sourceforge.net/tools.html

Library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.

Libewf is a library for support of the Expert Witness Compression Format (EWF), it support both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.

Library and tools for reading FileVault2 Drive Encryption (FVDE) encrypted volumes.

Library and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.

The libpff package contains a shared library and tools to analyze Microsoft Outlook Personal Folder Files (PFF). PFF files such as PAB, PST and OST files, are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides: pffexport to export PFF items, pffinfo to provide basic information about PFF files and pffexport -m recover to recover and export PFF items

Library and tools to support the Volume Shadow Snapshot (VSS) format.

Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.

lsof lists open file handles for running Unix processes.

Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.

It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience shows that chunks of 30-50MB are not uncommon.

md5sum computes a 128-bit checksum (or fingerprint or message-digest) for each specified file.
Documentation: http://www.gnu.org/software/coreutils/manual/coreutils.html#md5sum-invoc...

sha1sum computes a 160-bit checksum for each specified file. The usage and options of this command are precisely the same as for md5sum.
Documentation: http://www.gnu.org/software/coreutils/manual/coreutils.html#sha1sum-invo...

NBTempo - This is a GUI (Graphical User Interface) Bash script for making files timelines and reporting them in CSV (electronic sheet) format. It needs TSK 3.2.1 and YAD (Yet Another Dialog).(TSK based)

nxlog is a modular, multi-threaded, high-performance log management solution with multi-platform support. In concept, it is similar to syslog-ng or rsyslog, but is not limited to Unix/syslog only. It can collect logs from files in various formats, receive logs from the network remotely over UDP, TCP, or TLS/SSL on all supported platforms. It supports platform-specific sources such as the Windows Eventlog, Linux kernel logs, Android device logs, local syslog, etc. Writing and reading logs to/from databases is also supported for many database servers.

An open-source manual for computer forensics covering methodology, process and delving into technical standard operating procedures.

Pasco, the latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

PlainSight is a versatile computer forensics tool that allows both experienced and inexperienced forensic practitioners perform common tasks using powerful open source tools.

PTK forensics is an alternative advanced framework for the TSK suite (The SleuthKit). Born as a free interface in order to improve the features already present in "Autopsy Forensic Browser" (the former TSK interface). PTK Forensics, now, is much more. In addition to providing the functions already present in Autopsy Forensic Browser it now implements numerous new essential forensic features.

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 9 testing modules:

A Linux & Windows GUI to enable the rapid selection and subsequent MD5, SHA1, SHA256 or SHA512 hashing of files, either individually or recursively throughout a folder structure, single text strings and, when used on Linux, physical or logical disks. The tool was designed for practitioners wanting to easily hash files in Linux but without the understanding of command line tools like sha1sum. It is also available for Windows.

Description: rda is a command line Linux tool to remotely acquire data (like disk cloning or disk/partition imaging) and verify the transfer using md5 and/or crc32 checksums. The program is both the server and the client.

The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.

Harlan Carvey has written a number of extremely useful tools, and his blog is an extremely useful resource. e.g.
http://windowsir.blogspot.com/2008/04/updated-regripper.html

It is also worth noting that regripper has its own dedicated forum. Additionally regripper can be harnessed together with Moyix's tool to parse registry information from Volatility.

RegViewer is GTK 2.2 based GUI Windows registry file navigator. It is platform independent allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.

RFIDIOt is an open source python library for exploring RFID devices!

As its name indicates, rifiuti2 is a rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. Analysis of Windows Recycle Bin is usually carried out during Windows computer forensics. Quoting from original Foundstone page:

Parses the Safari XML Downloads.plist file and prints the results in TAB delimited format.

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.

Selective File Dumper is a forensics bash script for Linux systems that can retrieve/recover files based on their file extension with only one tool referenced (TSK).

A program for computing 'fuzzy hashes'. These can be used to identify files which are similar but not identical. The hashes are signatures, like MD5 hashes, but match non-identical files.

This is a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.
In addition to packet capture it can be used to read back a capture file. It is able to decode layer 2 through to layer 4 protocols, and some higher layer protocols as well. Decoded packets may be displayed in raw or ASCII.

Perhaps the most powerful feature is the inclusion of an extremely powerful filtering language called the "Berkley Packet Filter" BPF.

tcpreplay is a BSD-style licensed tool to replay saved tcpdump files at arbitrary speeds. It provides a variety of features for replaying traffic for both passive sniffer devices as well as inline devices such as routers, firewalls, and the new class of inline IDS's.

Tool to check and undelete partition. Works with the following partitions: FAT12 FAT16 FAT32, Linux EXT2/EXT3/EXT4, Linux SWAP (version 1 and 2), Linux Logical Volume Manager (LVM), Linux Raid, Linux LUKS, NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.

Operating System support is comprehensive, with precompiled binaries available for many popular types.

The disktype File System Sampler is a collection of disk images with various file systems. Its purpose is to aid in the testing and development of the disktype program.

An approach to track or identify, the sender of an email through the use of social engineering and a remotely hosted image.

Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hiding technique.

Volatility is an extensible memory forensics tool using python. Volatility comes with a number of standard plugins. The plugins use various techniques to extract artifacts from volatile memory (RAM) samples, these include:
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
Volatility also has support for extracting artificats from Windows Hibernation files and Windows crash dump files.

To view further documentation and follow latest developments visit http://code.google.com/p/volatility/

Wireshark® is the world's most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.

The Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract from a network capture (pcap file or real-time acquisition) all application data content. For example, Xplico is able to extract all emails carried by the POP and SMTP protocols and all content carried by HTTP protocols from a pcap file.