140 Free Tools for Forensic Analysis

A few days ago I came across a list of forensic tools grouped by the methodological step in which each one is used. This compilation by the English company Forensic Control consists of 140 tools that we can use in some of our work. It is always important to know that they exist, since we never know when we might need them; now it is time to try them out and, if any of them proves useful, add it to our arsenal.

Disk tools and data capture

Name | From | Description
Arsenal Image Mounter | Arsenal Consulting | Mounts disk images as complete disks in Windows, giving access to Volume Shadow Copies, etc.
DumpIt | MoonSols | Generates a physical memory dump of Windows machines, 32 bit and 64 bit. Can run from a USB flash drive.
EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files
Encrypted Disk Detector | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or BitLocker encrypted volumes
EWF MetaEditor | 4Discovery | Edit EWF (E01) metadata, remove passwords (EnCase v6 and earlier)
FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32
Forensics Acquisition of Websites | Web Content Protection Association | Browser designed to forensically capture web pages
FTK Imager | AccessData | Imaging tool, disk viewer and image mounter
Guymager | vogu00 | Multi-threaded GUI imager running under Linux
Live RAM Capturer | Belkasoft | Extracts RAM dump, including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds
NetworkMiner | Hjelmvik | Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing
Nmap | Nmap | Utility for network discovery and security auditing
Magnet RAM Capture | Magnet Forensics | Captures physical memory of a suspect's computer. Windows XP to Windows 10, and 2003, 2008, 2012. 32 & 64 bit
OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones.
OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks
Wireshark | Wireshark | Network protocol capture and analysis
Disk2vhd | Microsoft | Creates Virtual Hard Disk versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V VMs

Email analysis

Name | From | Description
EDB Viewer | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server
Mail Viewer | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files
MBOX Viewer | SysTools | View MBOX emails and attachments
OST Viewer | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server
PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook

General

Name | From | Description
Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl regex
Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation
EvidenceMover | Nuix | Copies data between locations, with file comparison, verification, logging
FastCopy | Shirouzu Hiroaki | Self-labelled 'fastest' copy/delete Windows software. Can verify with SHA-1, etc.
File Signatures | Gary Kessler | Table of file signatures
HexBrowser | Peter Fiskerstrand | Identifies over 1000 file types by examining their signatures
HashMyFiles | Nirsoft | Calculate MD5 and SHA1 hashes
MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to boot to them
Mouse Jiggler | Arkane Systems | Automatically moves the mouse pointer, stopping screen saver, hibernation etc.
Notepad++ | Notepad++ | Advanced Notepad replacement
NSRL | NIST | Hash sets of 'known' (ignorable) files
Quick Hash | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files
USB Write Blocker | DSi | Enables software write-blocking of USB ports
Volix | FH Aachen | Application that simplifies the use of the Volatility Framework
Windows Forensic Environment | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD

File and data analysis

Name | From | Description
Advanced Prefetch Analyser | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files
analyzeMFT | David Kovar | Parses the MFT from an NTFS file system, allowing results to be analysed with other tools
bstrings | Eric Zimmerman | Find strings in binary data, including regular expression searching.
CapAnalysis | Evolka | PCAP viewer
Crowd Response | CrowdStrike | Windows console application to aid gathering of system information for incident response and security engagements.
Crowd Inspect | CrowdStrike | Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce an "at-a-glance" state of the system
DCode | Digital Detective | Converts various data types to date/time values
Defraser | Various | Detects full and partial multimedia files in unallocated space
eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in the selected directory. Outputs encryption algorithm used, original file size, signature used, etc.
Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file
ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types
File Identifier | Toolsley.com | Drag and drop web-browser JavaScript tool for identification of over 2000 file types
Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data
Ghiro | Alessandro Tanasi | In-depth analysis of image (picture) files
Highlighter | Mandiant | Examine log files using text, graphic or histogram views
Link Parser | 4Discovery | Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details
PECmd | Eric Zimmerman | Prefetch Explorer
PlatformAuditProbe | AppliedAlgo | Command line Windows forensic/incident response tool that collects many artefacts
RSA Netwitness Investigator | EMC | Network packet capture and analysis
Memoryze | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems
MetaExtractor | 4Discovery | Recursively parses folders to extract metadata from MS Office, OpenOffice and PDF files
MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file
PictureBox | Mike's Forensic Tools | Lists EXIF and, where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format
PsTools | Microsoft | Suite of command-line Windows utilities
Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies
SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database
Strings | Microsoft | Command-line tool for text searches
Structured Storage Viewer | MiTeC | View and manage MS OLE Structured Storage based files
Switch-a-Roo | Mike's Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc.
Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files
Xplico | Gianluca Costa & Andrea De Franceschi | Network forensics analysis tool

Mac OS tools

Name | From | Description
Audit | Twocanoes Software | Audit Preference Pane and Log Reader for OS X
ChainBreaker | Kyeongsik Lee | Parses keychain structure, extracting the user's confidential information such as application account/password, encrypted volume password (e.g. FileVault), etc.
Disk Arbitrator | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker in disabling disk arbitration
Epoch Converter | Blackbag Technologies | Converts epoch times to local time and UTC
FTK Imager CLI for Mac OS | AccessData | Command line Mac OS version of AccessData's FTK Imager
IORegInfo | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected
PMAP Info | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors
Volafox | Kyeongsik Lee | Memory forensic toolkit for Mac OS X

Mobile devices

Name | From | Description
iPBA2 | Mario Piccinelli | Explore iOS backups
iPhone Analyzer | Leo Crawford, Mat Proud | Explore the internal file structure of iPad, iPod and iPhones
ivMeta | Robin Wood | Extracts phone model, software version, created date and GPS data from iPhone videos.
Last SIM Details | Dan Roe | Parses physical flash dumps and Nokia PM records to find details of previously inserted SIM cards.
Rubus | CCL Forensics | Deconstructs Blackberry .ipd backup files
SAFT | SignalSEC Corp | Obtain SMS messages, call logs and contacts from Android devices

Data analysis suites

Name | From | Description
Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below)
Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability
Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools
Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools
Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and application data, extracting metadata, deleted and hidden items
Forensic Scanner | Harlan Carvey | Automates 'repetitive tasks of data collection'
Paladin | Sumuri | Ubuntu based live boot CD for imaging and analysis
SIFT | SANS | VMware appliance pre-configured with multiple tools allowing digital forensic examinations
The Sleuth Kit | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools
Volatility Framework | Volatile Systems | Collection of tools for the extraction of artefacts from RAM

File viewers

Name | From | Description
BKF Viewer | SysTools | View (not save or export from) contents of BKF backup files
DXL Viewer | SysTools | View (not save or export) Lotus Notes DXL file emails and attachments
E01 Viewer | SysTools | View (not save or export from) E01 files & view messages within EDB, PST & OST files
MDF Viewer | SysTools | View (not save or export) MS SQL MDF files
MSG Viewer | SysTools | View (not save or export) MSG file emails and attachments
OLM Viewer | SysTools | View (not save or export) OLM file emails and attachments
Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations
Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams
VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc.

Internet analysis

Name | From | Description
Browser History Capturer | Foxton Software | Captures history from Firefox, Chrome, Internet Explorer and Edge web browsers running on Windows computers
Browser History Viewer | Foxton Software | Extract, view and analyse internet history from Firefox, Chrome, Internet Explorer and Edge web browsers
Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files ("Current Session", "Last Session", "Current Tabs", "Last Tabs")
ChromeCacheView | Nirsoft | Reads the cache folder of the Google Chrome web browser, and displays the list of all files currently stored in the cache
Cookie Cutter | Mike's Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits.
Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information.
Facebook Profile Saver | Belkasoft | Captures information publicly available in Facebook profiles.
IECookiesView | Nirsoft | Extracts various details of Internet Explorer cookies
IEPassView | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8
MozillaCacheView | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape web browsers
MozillaCookieView | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape web browsers
MozillaHistoryView | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape web browsers, and displays the list of all visited web pages
MyLastSearch | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace)
PasswordFox | Nirsoft | Extracts the user names and passwords stored by the Mozilla Firefox web browser
OperaCacheView | Nirsoft | Reads the cache folder of the Opera web browser, and displays the list of all files currently stored in the cache
OperaPassView | Nirsoft | Decrypts the content of the Opera web browser password file, wand.dat
Web Historian | Mandiant | Reviews the list of URLs stored in the history files of the most commonly used browsers
Web Page Saver | Magnet Forensics | Takes a list of URLs, saving scrolling captures of each page. Produces an HTML report file containing the saved pages

Registry analysis

Name | From | Description
AppCompatCache Parser | Eric Zimmerman | Dumps list of shimcache entries showing which executables were run and their modification dates.
ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file
Process Monitor | Microsoft | Examine Windows processes and registry threads in real time
RECmd | Eric Zimmerman | Command line access to offline Registry hives. Supports simple & regular expression searches as well as searching by last write timestamp.
Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents
Registry Explorer | Eric Zimmerman | Offline Registry viewer. Provides deleted artefact recovery, value slack support, and robust searching.
RegRipper | Harlan Carvey | Registry data extraction and correlation tool
Regshot | Regshot | Takes snapshots of the registry allowing comparisons, e.g., show registry changes after installing software
ShellBags Explorer | Eric Zimmerman | Presents a visual representation of what a user's directory structure looked like. Additionally exposes various timestamps (e.g., first explored, last explored for a given folder).
USB Device Forensics | Woanware | Details previously attached USB devices on exported registry hives
USB Historian | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems
USBDeview | Nirsoft | Details previously attached USB devices
User Assist Analysis | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time attributes from UserAssist keys
UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time
Windows Registry Recovery | MiTeC | Extracts configuration settings and other information from the Registry

Application analysis

Name | From | Description
Dropbox Decryptor | Magnet Forensics | Decrypts the Dropbox filecache.dbx file, which stores information about files that have been synced to the cloud using Dropbox
Google Maps Tile Investigator | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles, providing more context
KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details
SkypeLogView | Nirsoft | View Skype calls and chats

For Reference

Name | From | Description
HotSwap | Kazuyuki Nakayama | Safely remove SATA disks, similar to the "Safely Remove Hardware" icon in the notification area
iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones
IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs
LiveView | CERT | Allows the examiner to boot dd images in VMware.
Ubuntu guide | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc.
WhatsApp Forensics | Zena Forensics | Extract WhatsApp messages from iOS and Android backups

The post "140 Free Tools for Forensic Analysis" appeared first on Un Investigador Digital Forense.

REDLIF 2017. All rights reserved.