For years Digital Forensics has played a significant role in the security domain. Being an integral part of the process, various tools have been developed over the years to make the forensic investigator’s work easier. Since most people are aware of tools such as EnCase, The Sleuth Kit, Caine, etc. that are used in the day-to-day practice, for a change, let’s talk about the lesser known tools that have been around for quite a while now.
Below is a list of 10 digital forensic tools that can be used by budding Digital Forensics Analysts/Enthusiasts. Although there are a number of tools out there that can do the same tasks as the tools mention below help perform, however, these tools are as good or even better than their alternatives. I would encourage anyone who’s interested in Digital Forensics to give these tools a try at least once.
- COFFEE: Computer Online Forensic Evidence Extractor or COFFEE is a forensic toolkit developed by Microsoft. Containing more than 150 tools, many cases have been cited to have used this tool to solve cases of child pornography, etc. The Interpol and National White-Collar Crime Center have been licensed by Microsoft to be the sole US domestic distributor of COFFEE. They are also working with the mentioned organizations to provide the tool, free of cost, to cybercrime units of 187 countries.
- Belkasoft Live Ram Capturer: It is a small tool that allows the user to extract the contents of a systems volatile memory, even if the memory is protected by an active-debugging or anti-dumping system. It is available in two builds, 32-bit and 64-bit. The reason to have separate builds was to keep the footprint to a minimum. The tool is free to download and is compatible with Windows XP, Vista, 7, 8, 10. It also works with Windows Server 2003 and 2008. It can be downloaded from https://belkasoft.com/get?product=ram
- Volafox: Volafox is an open-source toolkit for Mac OSX and BSD Operating Systems. Coded in Python, it allows the user to investigate security incidents and find information for malware and any other malicious program on the system. It can also help get additional information such as Boot information, Network socket listing, Task listing, Process listing, Kernel Extensions listing, Mounted filesystems, etc. It can be downloaded from https://github.com/n0fate/volafox
- The Coroner’s Toolkit: More popularly known as TCT, it is a collection of free security programs which help in Digital Forensic analysis. It can be used with various UNIX based operating systems such as OpenBSD, FreeBSD, BSD/OS, Linux, HP-UX, SunOS/Solaris. It can be employed for data recovery as well. The authors of the tool, Dan Farmer, and Wietse Venema consider The Sleuth Kit as its official successor. It can be downloaded from http://www.porcupine.org/forensics/tct.html
- HashKeeper: It uses MD5 signature algorithm to establish unique identifiers for files that are “good” and for files that are “bad.” The primary function of HashKeeper was to reduce the time required by the forensic examiner to examine data. The examiner can define the file to be good or bad and need not repeat the analysis. It cross-references the good files stored in the database with the good file marked by the examiner in the system, and if there is a match, the examiner can be satisfied that the file is good, thus saving time. It was available for free for all Law Enforcement agencies, Military and Government Agencies throughout the world.
- CodeSuite: Created by SAFE Corporation, is a collection of patented tools used for comparing source code, highlight trade secret theft, measure intellectual property, detect plagiarism, pinpoint copyright infringement, etc. It can also be used as a version control tool. It is a free Windows-based tool that can be downloaded from http://www.safe-corp.com/downloads_software.htm
- RegRipper: Created by Harian Carvey, it is an open-source tool which is coded in Perl. RegRipper is used as a Windows Registry data extraction tool. It has a GUI as well as a CLI program. The GUI tools allow selecting a hive to parse, an output file, and a profile (list of plugins) to run against the hive. A log file is also created once the operation is started. It can be downloaded from https://github.com/keydet89/RegRipper2.8
WindowsScope Cyber Forensics: It is a memory forensics and reverse engineering tool for Windows OS. It is used to analyze and acquire volatile memory. One of its primary functions is to detect and reverse engineer rootkits and malware. It also includes advanced search functions such as to find previously visited URLs, credit cards, login credentials, etc. Its one-year license is $7,699, and its perpetual license can be obtained for $16,299. It can be found at http://www.windowsscope.com/product/windowsscope-cyber-forensics/
Ethical Hacking Training – Resources (InfoSec)
- Registry Recon: It allows users to see how the current and former installations of Windows have changed the registry over time. It is the only tool available that can rebuild registries from both active and older installations of Windows. It was originally designed to address two major problems – recovering as much registry information as possible (from a piece of evidence) and to rebuild it in a way that the user can see how the registry changed over time. Being an aid software, more information can be found at https://arsenalrecon.com/purchase/
- XRY: It is a forensic software used to analyze and recover information from devices such as smartphones, mobile phones, GPS navigation, tablets, computers. Created by MSAB, it is a commercial tool that allows for both logical as well as physical examinations. It works for Android, iPhone and Blackberry devices. It is mostly used by the Military and Government Agencies. More information can be found at https://www.msab.com/products/xry/