Category:Computer Forensics
From SecurityForest
Description
Computer Forensics and Incident Response utilize many similar techniques, and tools can often work in both categories. However, for organizational purposes, put tools that are to be used to investigate an on-going activity, or to gather volatile data from a currently running computer, into the Incident Response category. Put tools that are used to create, or work with, images of hard drives or other data volumes, in Computer Forensics.
Tools
- EnCase
: Forensic and Incident Response Suite
- This Windows forensics tool is currently the most widely used forensics tool among law-enforcement agencies around the world. Three versions are currently available: EnCase Enterprise Edition (EEE), EnCase Forensic Edition (EFE), and EnCase Law Enforcement (ELE). EEE uses a desktop-based client to perform investigations remotely over the network. EFE and ELE perform acquisitions and analyses on a host-by-host basis. EnCase version 5 adds the ability to view the contents of various e-mail formats, Internet browser caches, and browser history.
- http://www.guidancesoftware.com/
- Forensic Tool Kit
: Forensic Investigation Suite
- FTK is a Windows forensics tool that integrates QuickView Plus and dtSearch, allowing an investigator to preview files within FTK and to index and rapidly query the data on a suspect hard disk. FTK's customizable filters let you sort through thousands of files to quickly find the evidence you need. FTK is much stronger at e-mail analysis than EnCase.
- http://accessdata.com/Product04_Overview.htm?ProductNum=04
- Sleuth Kit
: The Sleuth Kit (TSK)
- The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The focus of the tools is the file system and TSK supports FAT, Ext2/3, NTFS, and UFS file systems. Originally based on The Coroner's Toolkit.
- http://www.sleuthkit.org/sleuthkit/
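TSK's file-system tools need to know where each volume starts: `mmls` prints the partition layout, and `fls -o <sector offset>` then lists files inside one volume. As an added example (not TSK's own code), the following Python script does the core of what `mmls` does for an MBR-partitioned disk: it parses the four 16-byte partition entries in sector 0, converts the LBA start to the sector offset you would pass to `fls -o`, and reports the unallocated gaps between partitions, which an examiner images as well because they can hold hidden data. The 512-byte MBR it parses is constructed in the script, the 512-byte sector size and the partition-type names are assumptions, and `build_sample_mbr`, `parse_mbr` and `layout` are names chosen for this example.

```python
import struct

SECTOR_SIZE = 512  # assumed; mmls lets you override the sector size on odd media

# Subset of the standard MBR partition-type codes, enough for this example.
PART_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux",
}


def parse_mbr(sector0):
    """Parse the partition table in the first 512 bytes of a disk image.

    Returns one dict per used slot.  Raises ValueError if the boot signature is
    missing, which usually means the disk is GPT-only, not an MBR disk at all, or
    the first sector was damaged (or wiped) on purpose.
    """
    if len(sector0) < 512:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR, or damaged")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot: 446 + 16 * (slot + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "start_sector": lba_start,          # this is the value for fls -o
            "sectors": count,
            "end_sector": lba_start + count - 1,
            "start_byte": lba_start * SECTOR_SIZE,
        })
    return parts


def layout(parts, total_sectors):
    """Like mmls: allocated partitions plus the unallocated ranges between them."""
    rows = []
    cursor = 1  # sector 0 holds the partition table itself
    for p in sorted(parts, key=lambda p: p["start_sector"]):
        if p["start_sector"] > cursor:
            rows.append((cursor, p["start_sector"] - 1, "Unallocated"))
        rows.append((p["start_sector"], p["end_sector"], p["type_name"]))
        cursor = p["end_sector"] + 1
    if cursor < total_sectors:
        rows.append((cursor, total_sectors - 1, "Unallocated"))
    return rows


def build_sample_mbr():
    """Constructed sample MBR (not from a real disk): a bootable NTFS partition at
    sector 2048 followed by a Linux partition, leaving slack at the end of the disk."""
    mbr = bytearray(512)
    mbr[0:2] = b"\xeb\xfe"  # dummy boot code: jmp $
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)]
    for i, (status, ptype, start, count) in enumerate(entries):
        mbr[446 + 16 * i: 446 + 16 * (i + 1)] = struct.pack(
            "<B3xB3xII", status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # With a real image you would read the first 512 bytes of the .dd file instead.
    parts = parse_mbr(build_sample_mbr())
    print("%10s %10s %10s  %s" % ("Start", "End", "Length", "Description"))
    for start, end, desc in layout(parts, total_sectors=1024000):
        print("%10d %10d %10d  %s" % (start, end, end - start + 1, desc))
```

Run with no arguments to see the table; the "Start" column of a partition row is the sector offset to hand to `fls -o` or `icat -o` against the full-disk image.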
- Autopsy
: Autopsy Forensic Browser
- The Autopsy Forensic Browser is a graphical interface to the command line digital forensic analysis tools in The Sleuth Kit. Together, The Sleuth Kit and Autopsy provide many of the same features as commercial digital forensics tools for the analysis of Windows and UNIX file systems (NTFS, FAT, FFS, EXT2FS, and EXT3FS).
- http://www.sleuthkit.org/autopsy/
- PyFLAG
: Forensic Log Analysis GUI
- FLAG was designed to simplify the process of log-file analysis and forensic investigations. When investigating a large case, a great deal of data must be analysed and correlated. FLAG uses a database as a backend to manage the large volumes of data, which keeps it responsive and speeds up data-manipulation operations.
- PyFlag is the Python implementation of FLAG: a complete rewrite in the much more robust Python programming language, with many additional improvements.
- http://pyflag.sourceforge.net/
- SMART
: The Next Generation Data Forensic Tool
- SMART provides a GUI for Linux-based systems that aids the processes of a forensic investigation from start to finish, including imaging devices, partitions, file-systems, files, etc. SMART also allows for indexed searching of acquired data.
- http://www.asrdata.com/SMART/
- P2/P3
: Paraben's P2/P3 Examination Process
- Paraben provides two suites of products, called P2 and P3. The P2 Examination Technology includes all of Paraben's examination tools, each taking a different role in the examination. P3 includes P2 as well as all of Paraben's other software and hardware products. Their products include Email Examiner, Network Email Examiner, Chat Examiner, Cell Seizure, PDA Seizure, Forensic Sorter, Text Searcher, Case Agent Companion, and NetAnalysis.
- http://www.paraben.com/
- ProDiscover
: Technology Pathways ProDiscover
- The ProDiscover family covers incident response, corporate-policy compliance investigations, and computer forensics; it can check for policy violations or conduct internal investigations remotely over the company network, and supports civil-discovery work. It finds data even in a hidden Host Protected Area (HPA), in NTFS Alternate Data Streams, and in slack space. It creates hash signatures for all files and compares them against the National Drug Intelligence Center's HashKeeper database, and it automatically generates reports and "evidentiary quality" information intended to hold up in court.
- http://www.techpathways.com/
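Hash-set filtering, as the ProDiscover entry above describes, is the same in every suite: hash every file on the evidence volume, drop the ones that match a known-good set (operating-system and application files), and alert on any that match a known-bad set. As an added example (not ProDiscover's or HashKeeper's code), the following Python script hashes a directory tree in 1 MiB chunks so multi-gigabyte files never have to fit in memory, computes MD5 and SHA-1 together in one pass, and classifies each file as known-good, known-bad or unknown. The mounted-volume tree, its file contents and both hash sets are constructed inside the script (`build_sample_case`, `run_sample` and the other names are chosen for this example). MD5 is used for the lookup because HashKeeper-era hash sets are keyed on it; the SHA-1 is recorded alongside because MD5 collisions are practical and a known-good match on MD5 alone should not be the only reason a file is excluded.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size: bounded memory regardless of file size


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for one file, reading it exactly once."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def walk_and_hash(root):
    """Hash every regular file under root; keys are root-relative POSIX paths."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink is not evidence of its target's content
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = hash_file(full)
    return results


def classify(hashes, known_good, known_bad, algo="md5"):
    """Split files into known-good (filter out), known-bad (alert) and unknown (review).

    known_bad is checked first: a hash present in both sets is treated as bad,
    since a bad-set entry is the more specific claim.
    """
    out = {"known_good": [], "known_bad": [], "unknown": []}
    for path, digests in sorted(hashes.items()):
        digest = digests[algo]
        if digest in known_bad:
            out["known_bad"].append(path)
        elif digest in known_good:
            out["known_good"].append(path)
        else:
            out["unknown"].append(path)
    return out


def build_sample_case():
    """Constructed evidence tree (not a real volume) plus hash sets derived from it."""
    root = tempfile.mkdtemp(prefix="case_")
    files = {
        "Windows/notepad.exe": b"pretend OS binary\n",
        "Users/alice/report.docx": b"quarterly numbers\n",
        "Users/alice/AppData/svchost.exe": b"pretend malware dropper\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    # In practice these sets come from HashKeeper/NSRL exports and your own IOC lists.
    known_good = {hashlib.md5(files["Windows/notepad.exe"]).hexdigest()}
    known_bad = {hashlib.md5(files["Users/alice/AppData/svchost.exe"]).hexdigest()}
    return root, known_good, known_bad


def run_sample():
    root, known_good, known_bad = build_sample_case()
    return classify(walk_and_hash(root), known_good, known_bad)


if __name__ == "__main__":
    for verdict, paths in run_sample().items():
        for p in paths:
            print("%-10s %s" % (verdict, p))
```

On a real case the "unknown" bucket is the review queue; a large known-good set is what makes that queue small enough to read.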
- The Coroner's Toolkit (TCT)
- http://www.porcupine.org/forensics/tct.html
- DriveSpy
: DOS forensic tool
- http://www.digitalintelligence.com/software/disoftware/drivespy/
