The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.

[Purpose]
This tool provides the user with a gui frontend (designed in perl) for the popular program, dd. The frontend has been designed to allow for the same functionality as using dd via command line or terminal.

[Features]
-Local/Remote imaging.
-Netcat/Cryptcat ready.
-MD5, SHA1, and other hash methods are provided.
-GUI based directories.
-DD command line argument options.
-Summary Reports.
-Imaging completion status display.

[OS Support]
-Windows XP to 7
-Variants of Linux
-OSX versions with dd.

DOWNLOAD LOCATION: http://ddgui.myftp.org/ddgui.zip

DEFT Linux v5 is an Italian project that is based on Kernel 2.6.31 and uses the LXDE desktop environment and thunar file manager in conjunction with best free and open source applications dedicated to incident response and computer forensics. In addition, DEFT Extra 2.0 (Computer Forensic GUI) comes with the best freeware Windows Computer Forensic tools.

DEFT is meant to be used by:

* police
* investigators
* system administrator
* individuals who need to use forensic tools to recover data

DigitalCorpora.org is a website of digital corpora for use in computer forensics research. Some of the corpora on this website are freely available, while others are only available to researchers under special arrangement.

Images include

* Cell Phone Dumps
* Disk Images
* Files
* Scenarios

eCryptfs Parser is a GUI for Linux and Windows that recursively parses the headers of every eCryptfs file found in a given directory. It will tell you what encryption algorithm was used, the original filesize of the file before it was encrypted, the private signature used etc.

Explore2fs allows you to view the contents of an Ext2FS partition from within Windows.

A collection of Windows tools such as 'dd.exe', 'md5sum.exe', 'wipe.exe', and 'nc.exe'. The version of 'dd' in this package can also image memory contents in addition to disks.

Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Step by step instructions on how to start a full payload packet capture on a Cisco ASA.

INDXParse parses NTFS INDX/$I30 files to extract file entry information, such as filenames and timestamps. The tool supports recovering entries from the slack space within the INDX structures. The tool outputs results to CSV or Bodyfile formats.

Library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.

Libewf is a library for support of the Expert Witness Compression Format (EWF), it support both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.

Library and tools for reading FileVault2 Drive Encryption (FVDE) encrypted volumes.

Library and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.

The libpff package contains a shared library and tools to analyze Microsoft Outlook Personal Folder Files (PFF). PFF files such as PAB, PST and OST files, are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides: pffexport to export PFF items, pffinfo to provide basic information about PFF files and pffexport -m recover to recover and export PFF items

Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.

MD5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums. Its output file is compatible with the output of the Linux GNU MD5Sum and it will also read Linux generated files.

NetSleuth is an opensource network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet). It also includes a live mode, silently identifying hosts and devices without needing to send any packets or put the network adapters into promiscuous mode ("silent portscanning").

As a new tool, the authors are keen to receive feedback and improve the tool for the forensic community.

nxlog is a modular, multi-threaded, high-performance log management solution with multi-platform support. In concept, it is similar to syslog-ng or rsyslog, but is not limited to Unix/syslog only. It can collect logs from files in various formats, receive logs from the network remotely over UDP, TCP, or TLS/SSL on all supported platforms. It supports platform-specific sources such as the Windows Eventlog, Linux kernel logs, Android device logs, local syslog, etc. Writing and reading logs to/from databases is also supported for many database servers.

This paper addresses open source digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, it must be reliable and relevant. The reliability is tested by applying Daubert guidelines. This paper examines the guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools would.

Outport provides a means of migrating information from Microsoft Outlook to Ximian Evolution and several standard data formats.

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files.

EDRM – the Electronic Discovery Reference Model – was created in 2005 by George Socha and Tom Gelbmann. Since 2005, over 300 e-discovery experts, vendors and end-users from more than 125 organizations have worked together to address the lack of standards and guidelines in the electronic discovery (e-discovery) market.

The EDRM reference model provides a common, flexible and extensible framework for the development, selection, evaluation and use of electronic discovery products and services. The completed model was placed in the public domain in May 2006.

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 9 testing modules:

A Linux & Windows GUI to enable the rapid selection and subsequent MD5, SHA1, SHA256 or SHA512 hashing of files, either individually or recursively throughout a folder structure, single text strings and, when used on Linux, physical or logical disks. The tool was designed for practitioners wanting to easily hash files in Linux but without the understanding of command line tools like sha1sum. It is also available for Windows.

RFIDIOt is an open source python library for exploring RFID devices!

shellbags.py is a cross-platform Windows Registry shellbag parser written in the Python programming language. The tool processes Registry hive files and produces output in the Bodyfile format. Shellbags.py supports shellbags from Windows XP and greater operating systems.

This is a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.
In addition to packet capture it can be used to read back a capture file. It is able to decode layer 2 through to layer 4 protocols, and some higher layer protocols as well. Decoded packets may be displayed in raw or ASCII.

Perhaps the most powerful feature is the inclusion of an extremely powerful filtering language called the "Berkley Packet Filter" BPF.

The disktype File System Sampler is a collection of disk images with various file systems. Its purpose is to aid in the testing and development of the disktype program.

An approach to track or identify, the sender of an email through the use of social engineering and a remotely hosted image.

Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files.

Volatility is an extensible memory forensics tool using python. Volatility comes with a number of standard plugins. The plugins use various techniques to extract artifacts from volatile memory (RAM) samples, these include:
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
Volatility also has support for extracting artificats from Windows Hibernation files and Windows crash dump files.

To view further documentation and follow latest developments visit http://code.google.com/p/volatility/

Webscavator is a visualisation suite for the analysis of internet history. It accepts CSV files from Net Analysis, Web Historian and may other browser log parsers, and produces images and graphs to display the data. Webscavator is web based, and is written in Python and Javascript.