* THE * Digital Forensics Biblio
OTHER PROGRAMS AND UTILITIES
Many of these programs and utilities were designed for uses other than digital forensics, but may be useful none the less.
Active Partition Recovery [Demo available]
An easy-to-use DOS recovery and restoration program for deleted partitions (FAT and NTFS)
Active Ports [Free]
Shows all open TCP/IP and UDP ports on Windows NT/2000/XP computers, and maps them to the owning application.
Active UNDELETE [Demo available]
Restores deleted files and directories
Active Uneraser for DOS [Demo available]
Data recovery (undelete) software for DOS; helps to recover deleted files on FAT16, FAT32 and NTFS partitions.
Advanced Attachments Processor [Demo available]
Designed to extract attachments from mail client message databases, and make an archive of the files extracted.
Advanced Email Extractor [Demo available]
Designed to extract e-mail addresses from web-pages on the Internet (using HTTP and HTTPS protocols) and from HTML and text files on local disks.
Advanced Mailbox Processor [Demo available]
The program is intended for extracting owners' names and e-mail addresses from local files and building a list of e-mail addresses.
AFF is the Advanced Forensics Format
An extensible open format for the storage of disk images and related forensic information.
Afind [Free]
AFind lists files by their last access time without tampering with the data the way that right-clicking on file properties in Explorer will. Platform: Windows NT
AIM Password Decoder [Free]
Decrypt the login password for AOL Instant Messenger
AIR - Automated Image and Restore [Free]
A GUI front-end to dd/dcfldd designed for easily creating forensic bit images
Allin1 for sleuthkit
This tool helps you run several time-consuming Sleuth Kit/Autopsy tasks in one go
A0L PW Extractor [Free]
This program will reveal all A0L passwords on your computer.
Autopsy Forensic Browser [Free]
HTML front end for TCT and TCTUtils. Has a file manager style interface; allows you to view the contents of a file as raw data or in ASCII, and allows you to generate reports.
Autostart Viewer [Free]
Allows you to see every autostart on your system, all on the one screen. In addition, it gives you complete control over the autostart references, and allows you to modify or delete them at will.
AVIPreview [Free]
A program which is capable of playing partially downloaded AVI movies.
Back2Life [Demo available]
Simple undelete utility for Windows
BadCopyPro [Demo available]
Data recovery software for floppy disk, CD, DVD, memory card, Zip disk, flash drive and other storage media.
Belkasoft Forensic IM Extractor [Demo available]
Supports various IMs: ICQ versions 99a up to ICQ5, MSN Messenger, Yahoo! Messenger, &RQ, Miranda. Supports deep ICQ analysis using different methods (with and without use of the index file) that allow the user to extract even deleted and overwritten messages.
BinText [Free]
Finds ASCII, Unicode and Resource strings in a file.
BitForm Discover
Analysis and reporting of metadata and hidden information from document collections.
bmap [Free]
Among many other features, bmap can store data in slack space on ext2 filesystems. Forensic examiners can use bmap to detect used slack space and to recover the data.
Browser History Viewer [Free]
Allows you to examine the contents of web browser history files and export the data
BXDR
This utility will display the FULL sector count on a hard disk drive, including any ‘protected areas’ that utilities such as Safeback and Encase miss when imaging.
ByteBack [Demo available]
Data recovery and computer forensic software program designed to address media at the physical level
Cache Reader [Free]
Reads the index.dat file in the Temporary Internet Files (TIF) folder of Internet Explorer 5 or 6
Cache View [Shareware]
Opens cached files for viewing and copy or move them out of the cache. This will even reconstruct the names and directory paths of Web sites so you can view the HTML files. This supports all versions of Netscape, Mozilla (Gecko) and Internet Explorer.
CacheInf [Free]
Can be used to view your browser's internet cache, and optionally delete it. Additionally, you can search the cache for file names and URLs, and save the search results to a comma-separated value file.
CacheX for IE [Free]
CacheX lets you explore your browser's cache with a Windows-Explorer-like user interface. To view a file offline with your browser, simply double-click it.
Captain Nemo [Demo available]
Captain Nemo enables you to access any Novell, NT or Linux drive from your Windows computer without requiring a network setup.
Captive [Free]
The first free NTFS read/write filesystem for GNU/Linux
Catalogue [Demo available]
File Metadata Miner; a file cataloging utility that enables quick creation of HTML pages listing files and associated metadata, managing and updating document properties associated with such files
CD/DVD Inspector [Demo available on request]
This tool reads the ATIP (Absolute Time In Pre-Groove) of CDR (CD-Recordable) media; helps identify 'who' made the media; identifies most of the current CDR recorders.
CDRoller [Demo available]
Toolset for CD/DVD data recovery
chkrootkit [Free]
chkrootkit is a tool to locally check for signs of a rootkit. It checks system binaries for rootkit modification.
CookieView [Free]
This is a simple little cookie viewer that was originally designed as an external viewer for EnCase™ to quickly decode cookies.
Coreography [Free]
Coreography is an open source utility for browsing memory images
Creed (Cisco Router Evidence Extraction Disk) - dd Image [Free]
This application will allow you to create/restore disk images, even non-pc format disks. This software was created by New Technologies Inc. Once you have downloaded the zip file, unzip it into its own directory. This is a DOS application, so no further installation is required.
Crucial ADS [Free]
Provides a GUI to allow you to find NTFS hidden data streams.
.dat viewer and manager [Free]
A .dat file viewer and manager for Kazaa
DataGrab [Free to Law Enforcement]
A program for IRC (Internet Relay Chat) investigations.
If you would like to receive a copy, and you are a law enforcement agent, contact datagrab@aol.com or keith@search.org.
Davory [Demo available]
Davory undeletes files and recovers files from logically damaged or formatted drives; from the makers of WinHex
DBXanalyzer [Free]
Reads, analyses and manages email data files created by Microsoft Outlook Express 5 and 6.
DBXtract
DBXtract extracts all mail and news messages from individual dbx files
It requires the VB6 runtime DLL, msvbvm60.dll. If you do not have it in your system directory, you can download it directly from Microsoft.
DBXpress
DBXpress is a faster, more accurate, and more powerful version of DBXtract. It requires that the .NET Framework version 1.1 be installed on the user's computer.
DCFL-DD [Free]
An enhanced dd with MD5 hashing.
dd for Windows [Free]
Allows the flexible copying of data in a Win32 environment.
dd rescue [Free]
Copy data from one file or block device to another
Decode [Free]
Forensic Date & Time Decoder
DFSee [Demo available]
Display File Systems (DFSee) is a generic partition and filesystem utility. It supports partition-tables (FDISK, LVM), (V)FAT, FAT-32, HPFS and some NTFS and JFS.
Digital AudioRescue Professional [Shareware]
This program recovers lost data from multimedia devices including digital audio recorders, MP3 and WMA players, PDAs and mobile phones. This program supports recovery from hard drives, CompactFlash cards, IBM Microdrives, SmartMedia cards, MultiMedia cards, Secure Digital cards and Memory Sticks.
D.I.M. - Digital Investigation Manager
A software tool for managing Incident Response and Forensic Acquisition procedures
D.I.M. allows operations to be organized by case. Each case may contain an unlimited number of Hosts (Workstations, Servers, Laptops, PDAs, etc.). Items of evidence are associated with each host (Hard Disk, CD/DVD-ROM, Memory Card, Log File, Network Dump).
Directory Snoop [Demo available]
Directory Snoop is a forensic search, recovery, and wipe utility for Windows 95 - XP.
Disk Investigator [Free]
Disk Investigator helps you to discover all that is hidden on your computer hard disk.
DiskPatch [Demo available]
MBR, partition and boot sector repair, disk cloning, scan for errors and disk wipe.
Has a Forensic Mode
disktype [Demo available]
The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes.
DriveLook [Shareware]
DriveLook is a powerful forensic drive investigation and search tool.
dtSearch [Demo available]
Provides over two dozen indexed and unindexed text search options for all popular file types.
dumpautocomplete [Free]
Dump Firefox AutoComplete files into XML
e2recover [Free]
Ext2 undeletion tool
e2Salvage [Free]
This is a utility which can help rescue lost ext2 partitions
E-Mail Detective
Software tool that allows investigators to extract all email contents (including graphics) from America Online’s database stores on a user’s disk drive.
Eindeutig
A tool that parses Outlook Express DBX files
EMF Printer Spool File Viewer [Free]
The software can be used to view an EMF spool file.
Event Analysis and Reconstruction in Lisp (EARL)
This is experimental software for finite state machine event reconstruction
Event Log Explorer
Powerful tool for viewing, monitoring and analyzing events recorded in the Security, System, Application and other logs of MS Windows
Evidence Mover [Free]
Evidence Mover automates transferring evidentiary data from one location to another—verified 100-percent intact.
Evidence Talks forensic toolsets
- ForensicSIM - Mobile Phone Forensics Tools
- LoPe - An email processing engine [Demo available]
- Forager - Document Forensics tool [Demo available]
- Isol – email processing tool [Coming soon]
Evidor: The Evidence Collector
Evidor retrieves the context of keyword occurrences on computer media, in Windows swap/paging and hibernate files, unallocated space and slack space; from the makers of WinHex.
EXIF Reader [Free]
It analyzes and displays the shutter speed, flash condition, focal length, and other image information included in the Exif image format which is supported by almost all the latest digital cameras.
EXIF Image Viewer [Free]
Capable of reading EXIF information embedded in photos, as well as thumbnails.
EXIFRead [Free]
Utility that extracts image information from EXIF/JPG files
Explore2fs [Free]
The Win32 explorer for Linux ext2fs partitions; reads ext2fs filesystems under NT 4.0 (and Windows 95). It is a separate program, not a file system driver.
Extract 2.10 [Free]
This tool allows you to extract files from a disk image created using WinImage, FDFormat or compatible tools, running under MS-DOS, Windows 95, Windows 98 or the Windows NT console.
Fatback [Free]
Undelete files from FAT filesystems
faust [Free]
faust is a perl script that helps to analyze files found after an intrusion or the compromising of a honeypot
FavURLView - Favourite Viewer [Free]
This utility will decode Internet Shortcut (*.URL) files to allow you to compare the Shortcut Description with the actual link. It will also decode the Modified time and date.
FDTE - File Date & Time Extractor [Free]
This software hunts through binary files 'sniffing out' hidden, embedded 64 bit date & times.
File Disk [Free]
A virtual disk driver for Windows NT/2000/XP that uses one or more files to emulate physical disks. A console application is included that lets you dynamically mount and unmount files.
File Investigator [Shareware]
Identify files by content not just their extensions. 1806 file formats supported.
File Juicer [Shareware]
Extracts images from binary files (for the Mac)
File Scavenger [Free]
File Scavenger is a Windows NT/2000/XP file undelete utility for NTFS volumes. Reformatted volumes or broken hardware/software RAID volumes can also be recovered.
Filesig.co.uk Software
Filesig Manager & Hash File are free to download from this site. Demo versions of Simple Carver & Disk Map are available on request.
FileSystem Investigator [Free]
A platform independent file system viewer and data extraction tool
FinalData [Demo available]
Data recovery for Windows NT 4.0 / Windows 2000 /Windows XP
FINALdBase 2.0 for Oracle (Unix) [Demo available]
Fast DB Recovery
FinalEmail [Demo available]
FINALeMAIL recovers the email database file and locates lost emails that have no data location information associated with them
FINAL Photo Retriever [Demo available]
Recovers image files, video files, and audio files from hard disks and removable media.
FirstOnScene.vbs: The 10-second Forensic Data Gatherer [Free]
A script that runs in under 10 seconds and gathers forensic information from the target system using about 20 different freely-available tools.
FLAG - Forensic and Log Analysis GUI [Free]
FLAG was designed to simplify the process of log file analysis and forensic investigations. Often, when investigating a large case, a great deal of data needs to be analysed and correlated. FLAG uses a database as a backend to assist in managing the large volumes of data.
Flash Retriever Forensic [Commercial]
Recovers pictures, movies and sounds from a variety of media
Floppy Image [Demo available]
Create image files of floppy disks and back (for backup, shipping or transfer). Save the image file compressed, uncompressed or as a self-extracting exe. Add descriptions to or convert your old image files.
Foremost [Free]
A linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.
Forensic Acquisition Utilities [Free]
This is a collection of utilities and libraries intended for forensic or forensic-related investigative use.
Forensic Analysis Toolkit (FATKit) [In development]
A new cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.
Forensic Internet Explorer – Beta [Free]
The software currently parses the “index.dat” file identifying host sites that have been visited.
Forensic Script [Zipped File]
Modified version of script from 'Forensic Analysis of a Live Linux System, Part One'
by Mariusz Burdach [http://www.securityfocus.com/infocus/1769], as well as a server side script for netcat, and definition of what ports are used for what files.
Forensic Tools on the Mac (by M Dornseif) [Free]
Some patches to compile various forensic tools on the mac
Foundstone's Forensic Toolkit [Free]
This is a collection of tools to help examine NTFS for unauthorized activity.
FSDEXT2 [Free]
Using FSDEXT2, you can transparently mount Linux ext2fs partitions on Windows 9x.
FS-TST [Zipped file]
A software package developed to aid the testing of disk imaging tools typically used in forensic investigations. The package includes programs that use the interrupt 13h BIOS disk interface to initialize disk drives, detect changes in disk content, compare pairs of disks, and simulate bad sectors on a disk.
FTimes [Free]
FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.
ftrace [Free]
Fast Traceroute for Win32
Galleta [Free]
Reconstruction of a subject's Internet Explorer Cookie files.
GNU utilities for Win32 [Free]
Native Win32 ports of several GNU utilities.
Gemulator Explorer [Free]
Allows a Windows computer to read Atari ST and Apple Macintosh formatted disks.
GetDataBack for FAT & NTFS [Demos available]
Will recover your data if the hard drive's partition table, boot record, FAT/MFT or root directory is lost or damaged; if data was lost due to a virus attack; if the drive was formatted or fdisk has been run; if a power failure has caused a system crash; or if files were lost due to a software failure or accidentally deleted.
gpart [Free]
A tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted. The guessed table can be written to a file or device.
GRAB [Free]
Linux program for image acquisition (from the creators of Helix)
Hard Disk Copy [Free]
Hard Disk Sector Backup/Copy Utility
Hard Drive Mechanic Deluxe [Demo available]
Hard drive repair utility
HD95Copy [Shareware]
This program copies a hard drive to an image file on a network server, another hard disk, or any medium you can access using a logical drive letter. The hard disk is copied sector by sector, so long filenames and hidden files and directories are backed up, too. It also supports removable media.
HD98Copy [Shareware]
Same description as above; documentation in German and English
HFS Utilities [Free]
HFS is the "Hierarchical File System," the native volume format used on modern Macintosh computers. hfsutils is the name of a comprehensive software package being developed to permit manipulation of HFS volumes from UNIX and other systems.
History Inspector [Free]
Reads the Internet Explorer 5 or 6 history database (index.dat) file and presents it as a synoptical table. It furthermore supports browsing of links, adding to Favorites, copying URLs, adding your own notes, searching/replacing text items as well as printing.
HTTrack Website Copier [Free]
It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.
Hurricane Search (formerly WinGrep) [Demo available]
Hurricane Search has a powerful interface; displays the results of the search in a hierarchical tree of the files that contain a match.
IE Forensic Tool [Demo available]
This program will generate an easy to read report showing all of the cookies, as well as the history, of locations visited during web browsing of the current user.
IECacheList (Lite - Free, or Pro - Commercial)
Display the contents of Internet Explorer's index.dat files, including 'lost' and hidden content
IECookiesView [Free]
IECookiesView is a small utility that displays the details of all cookies that Internet Explorer stores on your computer.
IEhist [Free]
Dumps Internet Explorer history from index.dat files into delimited files suitable for import into other tools.
IEHistoryView [Free]
This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited in the last few days.
(IRCR) Incident Response Collection Report [Free]
The Incident Response Collection Report (IRCR) is similar to The Coroner's Toolkit (TCT) by Dan Farmer & Wietse Venema. This program is a collection of tools that gathers and/or analyzes forensic data on a Microsoft Windows system.
Index Dat Spy [Free]
Exposes the contents of any index.dat file, even if the file is currently in use by Windows. It translates a great deal of binary data (i.e. internal computer information) into a more human-readable form.
Index Reader [Shareware]
Index.dat Suite [Free]
Index.dat Suite allows you not only to delete the index.dat files, temporary internet files, temp files, cookies and history, but it also allows you to view the index.dat files on your system
Inforenz Forager® [Demo available]
A software tool for computer forensics investigators to analyse the hidden history of computer files.
Innovision USB WriteBlocker [Free]
The utility is for examining USB Devices in Windows
Inquire [Free]
Inquire is a simple Windows utility that scans the SCSI bus for hard disk drives and returns certain Vendor related information; Vendor, Product, Firmware Revision, Serial Number
Internet Cache Explorer [FreeToPay-Ware]
A utility to view the content of your browser's cache. It comes with many additional features, like a search function that you can use to find URLs or text within visited pages as well as an option to save complete web pages (including images and all) for later use.
IrfanView [Free]
Very fast 32-bit graphic viewer. Many supported file formats. Great for setting as an External Viewer for forensic analysis.
IsoBuster [Shareware]
IsoBuster is a CD/DVD and (Disk) Image File data recovery tool, that can read and extract files, tracks and sessions from CD-i, VCD, SVCD, CD-ROM, CD-ROM XA, DVD, DVCD and others. It also supports the following image file formats: *.DAO (Duplicator), *.TAO (Duplicator), *.ISO (Nero, BlindRead, Creator), *.BIN (CDRWin), *.IMG (CloneCD), *.CIF (Creator), *.FCD (Uncompressed), *.NRG (Nero), *.GCD (Prassi), *.P01 (Toast), *.C2D (WinOnCD), *.CUE (CDRWin), *.CIF (DiscJuggler), *.CD (CD-i OptImage) and *.GI (Prassi PrimoDVD).
JAFAT - Archive of Forensic Analysis Tools [Free]
Macintosh and Windows Tools
Currently: tools that can be used to obtain the Safari browsing and download history from a Mac OS X system, a link parser, a cookie tool, and 'dumpster dive'
JPEG Dump [Free]
Dumps Smart Media or Compact Flash To An Image File; Scans File and Recovers Erased JPEG files
Karen's Power Tools [Free]
Variety of utilities
KaZAlyser [Commercial]
KaZaA/Morpheus database viewer
KnTTools™ with KnTList™
Tool for the acquisition of physical memory evidence from select Microsoft Windows™ operating systems.
kregedit
A KDE utility for viewing native Windows registry files; it is similar to the regedt32 utility found on most Windows platforms. Only the NT registry format (NT4/2000/XP) is supported.
LADS [Free]
LADS lists the name and size of every alternate data stream (ADS) it finds in the specified directory (with or without subdirectories).
LDE [Free]
LDE is a disk editor for Linux, originally written to help recover deleted files; it is 100 percent free under the GNU public license.
LibPST [Free]
LibPST, part of the ol2mbox project, provides functions in library form for accessing Outlook's Personal Folders. Included with this library is "readpst" to convert a PST file to mbox format.
LINReS [Free]
LINReS is a Live Response script designed to run on suspect/compromised Linux systems with minimal impact on the system
LISA (Legal Imager and reaSsembly Application) [Free to Law Enforcement]
LISA is a DOS-based disk-imaging tool, suitable for taking images of hard disk drives for the purpose of forensic analysis.
Live View [Free]
A Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.
Lookout
Lookout is a lightning-fast search tool for your email, files and desktop; it works with Microsoft Outlook
M2CFG USB WriteBlock [Free]
The utility takes advantage of the Windows XP Service Pack 2 ability to toggle write protection on/off USB devices.
M2CFG Yahoo! Email/Text Parser [Free-beta]
Normally, Yahoo! will return the contents of each screen name as one text file. This file contains all email content and base64 attachments as plain text. This application will separate each individual email along with its respective attachment(s).
MACMatch [Free]
MACMatch lets you search for files by their last write, last access or creation time without changing any of these times.
MacOpener 2000
Allows access to Mac formatted disks and files from a Windows PC. MacOpener 2000 lets you get to Mac disks from the Windows desktop. You can also format disks as Mac disks.
mac-robber
Collects data from allocated files in a mounted file system. The data can be used by the mactime tool in The Sleuth Kit to make a timeline of file activity.
Magic Rescue [Free]
Scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition
Mailbag Assistant [Demo available]
An effective investigation tool for law enforcement. Mailbag Assistant supports Outlook Express, Eudora, Netscape, Mozilla, Pegasus, The Bat!, Forte Agent, Calypso, PocoMail, FoxMail, Juno 3.x, Unix mail (Pine, Elm, mbox, etc.), and EML message files.
MailMeter Forensic
Email Management and Investigative solution for organizations that need to perform in-depth forensic analysis and evidentiary discovery on corporate email data
MBXtract [Free]
Extracts mail messages from Outlook Express 4 DBX files.
md5deep [Free]
Computes MD5 message digests on an arbitrary number of files.
md5summer [Free]
MD5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums.
MD5 & Hashing Utilities [Free]
Calculate the 128-bit MD5 hash of any file or block of text.
Media Merge/PC [Demo available]
In order to do forensic analysis on data from a tape, first it is essential to read the tape. MediaMerge/PC will allow the user to read a tape in any format and also look at any part of the tape in an unprocessed mode. Often in an investigation, tapes may be obtained with no knowledge of how they were written. With MM/PC, provided a compatible tape drive is available, the raw data can always be read, and the chances are extremely high that the logical tape format will automatically be detected and the files restored just as on the host system.
memdump [Free]
A utility that dumps main memory (/dev/mem) of Solaris/BSD/Linux systems
memfetch [Free]
memfetch is a handy utility for dumping the memory of a running process (either immediately or on fault). It is a quite valuable addition to the shell command armory of an average hacker, helping you recover information that would otherwise be lost, and making it easier to check the integrity or internals of a running process.
Metadata Assistant
The Metadata Assistant will analyze Word 97, 2000, and 2002 documents to determine what metadata (hidden information) a client might see, display its findings then offer the ability to clean the document by selecting a variety of options
MiTeC Tools [Free]
Utilities include MiTeC EXIF Reader, MiTeC Windows Registry Recovery & MiTeC Portable Executable Reader, among others.
Mount Image Pro [Demo available]
Can mount disk drive images as logical drive letters under Windows, without requiring 'restoration' of the image
Mtools [Free]
Mtools is a collection of utilities to access MS-DOS disks from Unix without mounting them. It supports Win 95 style long file names, OS/2 Xdf disks and 2m disks (storing up to 1992k on a high-density 3 1/2-inch disk).
NASA Tools [Free]
Fatback and Enhanced Loopback
NCFS Software Write-block XP [Free]
NetAnalysis - Forensic Internet History Analyser [Demo available]
The forensic examination and analysis of user activity on the Internet. It can also extract Internet History from Unallocated Space.
NetIntercept - Network Forensics Analysis Tool [Demo available]
Capture, Analyze and Discover the Network Traffic.
With the NetIntercept forensic view you can easily uncover malicious activity. Search connections by several customizable criteria.
Nigilant32 [Free]
An incident response tool designed to capture as much information as possible from a running system with the smallest potential impact.
NirSoft [Free]
NirSoft web site provides a unique collection of small and useful freeware utilities
ntpasswd [Free]
Offline NT Password & Registry Editor. A bootable disk image used to recover (reset) a password by modifying the crypted password in the registry's SAM file. You'll need rawrite to create the boot disk, or on any Unix system: dd if=bootdisk.bin of=/dev/fd0 bs=1024.
ntreg [Free]
This is a file system driver for Linux, which understands the NT registry file format. With it, you can take registry files from NT, e.g., SAM, SECURITY, etc., and mount them on Linux. Currently, it's read-only, though I may add read-write capability in the future.
ODESSA [Free]
The Open Digital Evidence Search and Seizure Architecture is a cross-platform framework for performing Computer Forensics and Incident Response.
OE-Mail Recovery [Demo available]
Outlook Express Mail Recovery
Offline Registry Parser [from Harlan Carvey]
A Perl script that parses the raw Registry files in binary mode, and prints out the data, to include LastWrite times
Omniquad Detective [Demo available]
It can reconstruct the usage history of the analyzed workstation, presenting you with a log of past actions for inspection - clearly and concisely. (Windows95/98/ME/NT/2000/XP)
Online Digital Forensic Suite (OnlineDFS)
OnLineDFS applies digital forensics technology to the investigation of live, running computer systems.
Ontrack PowerControls [Demo available]
Tool for copying and searching mailbox data directly from Microsoft Exchange Server backups, un-mounted databases (.edb), and Information Store files.
OST to PST
A tool that will create a PST from an orphaned OST file.
Outindex E-Discovery & Compliance
Pulls emails from Microsoft Outlook PST files and puts them in databases, like ORACLE, SQL Server, etc.
OutlookExpressRecovery [Demo available]
Data recovery program for corrupted Microsoft Outlook Express folders (.dbx)
OutlookRecovery [Demo available]
A data recovery program for corrupted Microsoft Outlook Personal Storage Files (.pst).
PC Inspector™ File Recovery [Free]
A data recovery program that supports the FAT 12/16/32 and NTFS file systems.
PC Inspector™ Smart Recovery [Free]
A data recovery program for Flash Card™, Smart Media™, SONY Memory Stick™, IBM™ Micro Drive, Multimedia Card, Secure Digital Card or any other data carrier for digital cameras.
pdd [Free]
pdd (Palm dd) is a Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs. pdd will preserve the crime scene by obtaining a bit-for-bit image or "snapshot" of the Palm device's memory contents.
As of January 2003, pdd will no longer be updated or supported. Version 1.11, available with source code, will remain free for use as defined in the included license.
PFC Viewer [Free]
PFC Viewer is a Java application developed to view and export the contents of the AOL Filing Cabinet, also known as the Personal Filing Cabinet.
Paragon Ext2FS Anywhere [Demo available]
Designed to mount Linux partitions under Windows operating systems as normal logical drives with appropriate drive letter.
Partition Image [Free]
A Linux/UNIX utility which saves partitions in many formats to an image file.
Pasco [Free]
An Internet Explorer activity forensic analysis tool.
PenguinBackup [Free]
The PalmPilot single-floppy backup system
PERKEO++ [Demo available]
A data scanner capable of locating pornography on any type of digital media
Photo Rescue [Demo available]
An unrm for compact flash in Digital Cameras.
PhotoRec [Free]
A file data recovery software designed to recover lost pictures (Photo Recovery) from digital camera memory
Picalo [Free]
Data Analysis and Fraud Detection, a collaborative, open-source effort to produce a data analysis application suitable for auditors, fraud examiners, data miners, and other data analysts. Windows, Mac & Unix/Linux versions
Pictuate
Finds and analyzes images for pornographic content; scans computer disks to find all image files, then scores those images as to their content. The results are sorted in descending order and viewed in a panel of thumbnail images. The user sees the images most likely to be pornographic (a target image) first and progresses to less likely candidates in subsequent panels.
Pinpoint Labs Free Tools
Pinpoint FileMatch, Pinpoint Hash, Pinpoint Metaviewer
Private Eyec [Free]
Displays the entire contents of an area on your PC referred to as "protected storage"
Process Dumper & Memory Parser [Free]
Process Dumper is able to make a dump of a running process in a forensic manner.
Memory Parser (MMP) is able to parse the meta information stored within process dumps made with Process Dumper (pd) and extract the different process mappings to disk
Process Viewer for Windows [Free]
PrcView is a process viewer utility that displays detailed information about processes running under Windows.
procshow [Free]
Displays information from running processes.
Protected Storage Explorer [Free]
Protected storage viewer is a freeware utility which allows you to view the protected storage in Windows 2000, Windows XP and Windows 2003 in an 'explorer style' fashion.
PTfinder Collection [Free]
A collection of PTfinders for Windows 2000, Windows XP (should be good for XP SP1 too), Windows XP SP2 and Windows Server 2003 (courtesy of Andreas Schuster)
PurgeIE [Shareware]
This versatile program allows you either to manage your cookies and cache files in a logical manner or, for complete privacy, to eliminate them altogether, complete with all references, tracks, trails and strays.
PyFlag [Free]
PyFlag is the Python implementation of Flag - a complete rewrite of FLAG in the much more robust python programming language. Many additional improvements were made.
R-Drive Image [Demo available]
Provides disk image file creation for backup or duplication purposes. A disk image file contains an exact, byte-by-byte copy of a hard drive, partition or logical disk.
R-Linux [Free]
A FREE file recovery utility for the Ext2FS partitions used in the Linux OS and several Unix systems. Host OS: Win9x/ME/NT/2000/XP. Recovered data can be written to any disk visible to the host OS. R-Linux can also create DISK IMAGES that can later be processed by the more powerful R-Studio.
R-Mail [Demo available]
A tool designed to undelete accidentally deleted e-mail messages and recover damaged *.dbx files, in which MS Outlook Express stores folders of e-mail messages. The new e-mail data recovery technology IntelligentRebuild allows R-Mail users to quickly reconstruct damaged *.dbx files created by Outlook Express and easily restore the lost messages. The messages are recovered in the .eml format and can be simply imported into Outlook Express mail and news bases.
R-Studio [Trialware]
Data recovery and undelete software that supports FAT12/16/32, NTFS, NTFS5 (created or updated by Win2000) and Ext2FS (Linux) file systems, and recovers files on local logical and physical disks as well as on disks of remote computers over the network, even if their partition structures are damaged or deleted.
R-Undelete [Demo available]
A file undelete solution for FAT, NTFS, NTFS5, and Ext2FS file systems. R-Undelete can undelete files on any valid logical disk visible to the host OS. It cannot, however, undelete files on damaged or deleted volumes or after the hard drive has been repartitioned.
R-Word [Demo available]
MS Word Document Recovery Software
RAID Reconstructor [Demo available]
Recover Data From A Broken RAID Level 5 or 0 Array
rda - Remote Data Acquisition utility [Free]
Alternate site
A command line Linux tool to remotely acquire data (like disk cloning or disk/partition imaging) and verify the transfer using md5 and/or crc32 checksums. The program is both the server and the client.
Recover CHK Files [Free]
Renames .chk files to have the correct extension
Recover [Free]
Recover is a utility which automates some steps of recovering deleted files on an ext2 filesystem.
RPM built on Red Hat Linux 8.0 (thanks to Thomas Rude)
Recover4all [Demo available]
After downloading run the self extracting .exe file and choose "unzip". You should not save anything to the drive where your deleted files are, in order to prevent the deleted files from becoming overwritten. If your deleted files are for instance on C:, do not install any software at all and also do not download anything to C: (download Recover4all™ for instance to A:). Recover4all™ does not require installation and can be run directly from a floppy disk.
Red Cliff Web Historian
Web Historian assists users in reviewing Web sites (URLs) that are stored in the history files of the most commonly used browsers including: Microsoft's Internet Explorer, Mozilla, Firefox, Netscape, Opera and Safari. Red Cliff Web Historian is designed primarily as a tool for computer forensic examiners.
Regdat & RegdatXP [Demos available]
Displays the contents of copies of the Win9x/Me registry files System.dat, Classes.dat, and User.dat; displays the contents in a Regedit like interface. You can search for keys and values and export them. Also functions to compare the file with the current Registry are provided as well as tools to edit the file.
RegTools [Free]
RegDACL - Permissions Manager for Registry keys.
RegOwner - Ownership Manager for Registry keys.
RegAudit - Audit Manager for Registry keys.
RegLast - A program to list or query the Last Write Time of Registry keys.
Regviewer [Free]
GTK 2.2 based GUI Windows registry file navigator. It is platform independent allowing for examination of Windows registry files from any platform.
Resource Hacker [Free]
A freeware utility to view, modify, rename, add, delete and extract resources in 32bit Windows executables and resource files (*.res).
Resplendent Registrar [Demo available]
A tool for reviewing the registry (NT/2000/Win9x/ME). It searches the registry extremely fast, and presents the search results in a very usable fashion.
Restorer2000 [Demo available]
A powerful data recovery software that can undelete files deleted accidentally in NTFS partitions, and can even recover data from formatted or corrupted drives.
Revisionist [Free]
MS Word document metadata analysis system
RIE - Registry Information Extractor [Free]
This is a test release of a software utility that is in development and under testing. It is a Windows 95/98/ME system.dat registry information extractor. It will be updated to extract a lot more information from the registry, including NT, 2K and XP support. At present it will only extract system.dat information from Windows 95/98 and ME. It can extract Registered Owner, Registered Organization, Windows Version, Windows Version Number, Windows Installed Date, Current Set Time Zone and the Computer Name.
Rifiuti [Free]
A Recycle Bin Forensic Analysis Tool.
RKDetect [Free]
An anomaly detection tool which can find services hidden by generic Windows rootkits, like Hacker Defender.
RootkitRevealer [Free]
An advanced patent-pending rootkit detection utility; runs on Windows NT 4 and higher.
Scalpel: A Frugal, High Performance File Carver
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
sdd [Free]
A replacement for 'dd'.
SecCheck [Free]
A Windows forensic tool which aids in the detection and removal of malicious applications, backdoors, trojans, worms, and viruses.
SecReport - Click 'Toolbox' [Free]
A small suite of two command-line tools for collecting security-related information from Windows-based systems (SecReport) and comparing any two reports, either from two different systems or from the same system at two points in time (Delta).
SecretExplorer [Demo available]
Explore Protected Storage (View, Analyze, Edit, Import and Export); Retrieve AutoComplete passwords and data; Recover various Internet Passwords; Transfer Internet passwords and settings from one computer to another
Secure Hash Signature Generator
The "Secure Hash Signature Generator" creates signatures that are unique to the data stored on a disk drive. These signatures are used to detect intentional or accidental tampering with the drive image.
ShoWin [Free]
Shows information about windows; reveals passwords, etc.
Sleuthkit/Autopsy Foremost patch (by P. Bakker) [Free]
Allows the integration of Foremost into Autopsy, along with the option to edit the configuration file.
Sleuthkit/Autopsy Searchtools patch (by P. Bakker) [Free]
Provides indexed searching capabilities for Sleuthkit/Autopsy tools
Sleuthkit Windows Executables [Free]
Microsoft Windows executables for The Sleuth Kit; full source code and documentation can be downloaded.
SMART [Demo available]
An installable distribution of Linux designed for Data Forensics and Incident Response
SMART has been designed to run on most 2.4.x - 2.6.x Linux kernels.
SNIFFER (File Extraction Application) [Free to Law Enforcement]
SNIFFER is a DOS-based tool suitable for extracting files from the free space of computer hard disks, from a series of disk image files or directly from the hard disk device.
SomarSoft Utilities [Free]
DumpSec - a security auditing program for Microsoft Windows® NT/2000
DumpEvt - a Windows NT program to dump the event log in a format suitable for importing into a database
DumpReg - a program for Windows NT and Windows 95 that dumps the registry
Spam CSI [Free]
An Email Forensic Analysis Tool
Spider [Free]
Spider shows all of the URLs and cookies stored in the index.dat file, and will then allow the user to remove them.
ssdeep [Free]
The utility works like md5deep to create a short text signature for each input file. The signatures can be used to match other files against the original. Unlike MD5 or SHA-1, however, this algorithm can match two input files even if they are not exactly the same. Files match if they have significant homologies, or the same sequences of bytes in the same order.
Stealer [Free]
Find Cached Passwords and User Login Details
This utility will extract the machine name, the username and the net username along with any dialup user accounts and passwords. It will also identify any passwords and usernames for secure web sites. This has to be run on a restored drive if you are using it to identify information on a seized computer. NOTE: Will only work on Win9* and ME systems. On Win2K, NT and XP it will only show the username logged on.
StegAlyzerAS [Demo available]
StegAlyzerAS is a digital forensic analysis tool designed to extend the scope of traditional digital forensic examinations by allowing the examiner to scan suspect media for artifacts of steganography applications.
StegAlyzerSS [Demo available]
StegAlyzerSS is a digital forensic analysis tool designed to extend the scope of traditional digital forensic examinations by giving the examiner a tool to scan files on suspect media for unique hexadecimal byte patterns that represent the signatures of known steganography applications left in carrier files when those applications are used to append or embed hidden information.
Stellar Phoenix FAT [Demo available]
A FAT recovery utility which need not be installed prior to a data loss; it provides easy recovery when a corrupt partition table, boot sector or root directory has resulted in data loss. The disk recovery software supports DOS, Windows 95/98, Windows ME, Windows NT (FAT), Windows 2000 (FAT) and Windows XP (FAT). Supports all variants of the FAT file system: FAT12, FAT16, FAT32, VFAT and NTFAT.
Stellar Phoenix Novell [Demo available]
Recovers vital data from corrupt volume(s) of a crashed server. Phoenix is easy and simple to use, and very robust for all kinds of hard drives. Stellar Phoenix for Novell NetWare enables you to access the data when the volume(s) cannot be mounted. Phoenix - Novell Data Recovery Software can recover data to another drive after corrupt volume(s), missing volumes, deleted files, allocation errors and partition loss.
Stellar Phoenix NTFS [Demo available]
Helps you recover all your important data after a disk crash due to accidental format, virus problems, software malfunction, file/directory deletion or even sabotage! Stellar Phoenix NT Data Recovery software examines your inaccessible hard drive and shows you the data that is present on the hard disk. The simple disk recovery process requires you only to select the listed files and directories and copy them to a working drive.
Sterilize [Free]
Sterilize was created with the primary purpose of providing forensic examiners with a cost effective way of sterilizing the media to be used for working / examination copies.
Stream Explorer [Free]
A utility that reveals alternate file streams with Windows NT 4.0, 2000, XP, or 2003.
STG Cache Audit [Free]
STG Cache Audit is an advanced cache, cookie and history viewer that allows you to investigate web surfing habits on a local machine.
STrace for NT [Free]
Strace for NT is a debugging/investigation utility for examining the NT system calls made by a process. It is meant to be used like strace (or truss) on Linux and other Unix OSes.
Streams [Free]
Reveals NTFS alternate streams
Strings [Free]
Search for ANSI and UNICODE strings in binary images
SuperDIR [Free]
Handy for grabbing a listing of all files and directories (FAT only) and dumping the results in a database. It will calculate a CRC32 for every file. Very fast.
SuperSCAB [LE only]
Seized Computer Analysis Boot
Swapper [Free]
Swapper is a small tool written in C that swaps all the bytes present in a file per pair. This is required for forensic research of disks for a large number of mobile phones and of copiers.
TAFT - The ATA Forensics Tool [Free]
TAFT is an ATA (IDE) forensics tool that communicates directly with the ATA controller. It can retrieve various information about a hard disk, as well as look at and change the HPA and DCO settings.
TaFWeb Whois [Free]
TaFWeb Whois is probably the most comprehensive "whois" tool available at present. It can, of course, also handle IP numbers as well as domain names.
TapeCat
TapeCat is a Windows based Tape Forensics package
TASK
The [at]stake Sleuth Kit (TASK) is an open source forensic toolkit for a complete analysis of Microsoft and UNIX file systems.
Brian Carrier's TASK data forensic program in RPM format
TCTUtils [Free]
An enhancement to TCT above. TCTUtils can list directory inode contents, find the inode that is using a given block, and allows you to view inode and block details in various formats.
TestDisk [Free]
TestDisk - Tool to check and undelete partitions
Text2Hex [Free]
This utility will convert ASCII characters to hexadecimal values. This is particularly useful when searching using software that can accept hex values as search criteria.
ThumbsDisplay [Demo available]
Displays all thumbnail images with original file name and timestamp.
ThumbsPlus [Demo available]
A great viewer for graphic files. Use it to view thumbnail images of all your graphics, crop, edit, batch-convert, and more.
TNEF [Free]
Provides a way to unpack Microsoft MS-TNEF MIME attachments.
Tree Browser (TB) / KDE Tree Browser (KTB) [Free]
Used in displaying the file hierarchy
TULP2G [Free]
TULP2G is a .NET based forensic software framework for extracting and decoding data stored in electronic devices.
UDP Cast [Free]
A Netcat substitute
Unhide [Free]
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits/LKMs or by another hiding technique.
URLSearch [Shareware]
UrlSearch extracts web addresses and other text strings from local and remote files. Results can be edited and exported in various ways. Web addresses can be sorted by domains and exported to your browser's bookmarks (Netscape, MSIE, or Opera). UrlSearch can also be used as a Download agent and can view history and cookie files, edit 'Typed Urls', and calculate hit rates.
USB Blocker
This application was designed to meet the needs of write blocking USB devices.
UTF-8 output patch for task-1.60/sleuthkit-1.6x [Free]
The patch allows one to view foreign characters in the file names and such of an NTFS image. The Sleuth Kit code converts the Unicode NTFS file system structures into ASCII. The patch changes that behavior, but it doesn't change the keyword searching ability. That is still done with 'strings' and 'grep', which do not easily support Unicode.
VFC - Virtual Forensic Computing [Demo available]
Rapidly boot a forensic image of a suspect's computer, or boot a physical write-blocked hard drive.
Viesoft Forensic Scan [Demo available]
Viesoft Forensic Scan is an Index.DAT scanner and Directory Profiler used to create HTML reports.
vinetto [Free]
A console program to extract thumbnail images and their metadata from those thumbs.db files generated under Microsoft Windows. Vinetto works under cygwin or Linux.
Vision [Free]
Vision reports all open TCP and UDP ports and maps them to the owning process or application.
Web Cache Illuminator [Shareware]
Creates a meaningful list that not only displays all the file names in the cache, but also displays the title given by the web page's creator.
WebDate [Free]
Find the Last Modified Date of a Web Site
Type in the URL into the text box and hit the Get Date/Time button. After a few seconds the date will be returned from the web site. However, it is not possible to get the date / time for every web page.
Webtracer [Free & Professional versions]
A professional forensics tool used to determine identities on the internet. It will help you discover the owner of a website, the location of a server, the sender of an e-mail etc.
WhatFormat [Shareware]
WhatFormat is a file analyzer that looks at the first bytes of a file for signatures (magic numbers), and makes a guess of the format this file may have.
Win32 Analyzer [Free]
This script uses various Windows and 3rd Party tools to provide an effective forensic snapshot of your computer.
Win32 First Responder's Analyzer Toolkit [Free - from Archive.org]
Win32 Analyzer Toolkit is a self-extracting exe meant for floppy, highlighting the use of simple scripts on Windows32 platforms to perform basic security tasks.
This script uses various Windows and 3rd Party tools to provide an effective forensic snapshot of your computer.
WinOra [Free]
Tool to convert installation times used in Windows registries
Windows Forensic Toolchest (WFT) [Free]
Provides automated incident response on a Windows system, and collects security-relevant information from the system
Windows Forensics and Incident Recovery tools [Free]
This project is the home of the Forensic Server Project, including its components and other additional tools that may be created and used for Incident Response and Computer Forensic activities on Windows systems.
Windows memory forensic toolkit (WMFT)
A collection of proof-of-concept tools. WMFT can be helpful during forensic analysis of physical memory images gathered from compromised Windows machines
WinGREP [Shareware]
Windows Grep is a tool for searching files for text strings that you specify.
WinImage [Shareware]
Because Windows lacks (natively) the DD command, this provides another way to make disk images from a floppy (or vice versa). It has a few other great features that enhance its functionality.
Wininterrogate [Free]
Wininterrogate recurses a directory structure, obtaining the following information for files matching a file mask: File Name, Complete Path, Directory, File Size, Creation Time, Last Access Time, Last Write Time, and MD5 Checksum. Extra information gathered on *.DLL, *.VBX, *.DRV, *.EXE, *.OCX, *.BIN and *.SCR files includes CompanyName, FileDescription, FileVersion, InternalName, LegalCopyright, OriginalFilename, ProductName, ProductVersion, Comments, LegalTrademarks, PrivateBuild, and SpecialBuild.
X-Ways Trace [Demo available]
A computer forensics tool that allows you to track and examine the web browsing activity that took place on a certain computer.
X1 Search
Search and instantly find information, preview it in its native format and take action on it immediately regardless of type or location.
XANALYS Forensic Analyzer
Extends the Power of EnCase; automatically examines an EnCase file
XnView [Free]
Multimedia viewer, browser and converter
Yahoo Message Archive Decoder [Demo available]
Access Yahoo! Messenger archive files (.dat files) and present them in a readable format
ZefrJPG [Free]
Recovery of JPG files lost to the Love Letter worm or its variants on FAT or NTFS file systems (thanks to Robert Green @ http://personal.atl.bellsouth.net/~lasrpro)
Zeitline [Free]
A Forensic Timeline Editor
Zero Assumption Digital Image Recovery [Free]
Zero Assumption Digital Image Recovery is a freeware data recovery tool, specifically designed to work with digital images. It allows you to recover digital photos accidentally deleted from digital camera memory.
ZeroView
A first responders tool to detect whole disk encryption (from Technology Pathways)
© 2007-2009 All rights reserved