Secrets on Digital Forensics

The little secret on Digital Forensics

On this article I will cover the hot topic of Digital Forensics. The interest is not limited to digital investigators or digital crime, it can be used in the private sector during internal corporate investigations. Digital can be categorized as computer forensics, mobile forensics, network forensics, forensic data analysis and database forensics.

Digital Forensic consist of three main parts acquisition or (cloning -imaging) of exhibits, analysis, and reporting. Each part has its own tool or dedicated device depending on who is going to make use of the results and the evidence they are looking for.
I have been using some of these tools since 2005 so I will make sure I cover all the important aspects in order to save you time and simplify the process of investigation or even recovering your own lost information.

Here is a sample of a PC that is customized and loaded with most of the tools that I will mention can be seen here.


Forensic tools guide index:



Storage media acquisition:

  • Talon, Dossier, and Forensic Falcon cloning devices from Logicube with capture speed from 7GB/min to 23GB/min with wipe feature, captures to DD image files, and provides MD5 and SHA-256 Authentication.
  • Solo-4 cloning device from ICS with capture speed of 12GB/min with USB3 and Firewire support.
  • TD3 cloning device from Tableau with capture speed of 7GB/min with USB3 and Firewire support.
  • Wiebetech Ditto cloning device from CRU with capture speed of 6.6GB/min with USB3 and Firewire support.
  • Fred cloning device from Digital Intelligence if you are looking for multi drive acquisition device that allows you to install your own analysis tools and OS. They offer a portable version as well. An alternative product is Forensic RTX.
  • Winhex is a software tool that allows to produce exact duplicates of disks/drives.
  • FTK imager is a software that allows to mount and create images from different types of drives.
  • Air is a GUI front-end to dd/dc3dd on Linux designed for easily creating forensic images.
  • ImageUSB is a free utility which lets you clone or write an image concurrently to multiple USB Flash Drives.
  • OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.
  • Atola is an acquisition device that can acquire a usable image from damaged media.

Comparison between Falcon and TD3 can be found here.
Comparison between Falcon and Solo4 can be found here.
Comparison between Falcon and Wiebetech Ditto can be found here.

If you need write blockers then go for CRU Wiebetech or Tableau they have a good range of them.



Storage media analysis and reporting:

  • EnCase from Guidence software is my preference for deep forensic analysis they also have a portable version. You can combine it with IEF (INTERNET EVIDENCE FINDER) for better Internet investigations.
  • FTK Toolkit from Access Data is also a a tool that I recommend to have in your forensic Lab.
  • E3 from Paraben can mount forensic images as a read-only local and physical disc and then explore the contents of the image with file explorer. You can easily view deleted data and unallocated space of the image.It can mount several images at a time. It supports most of the image formats including EnCasem, safeBack, PFR, FTK DD, WinImage, Raw images from Linux DD, and VMWare images. It supports both logical and physical image types..
  • X-Ways Forensics from X-Ways is a good software product.
  • Santoku is a Linux distribution specializes in Mobile Forensic, Malware, and Security.
  • Masterkey is a Linux distribution specializes in incident response and computer forensics.
  • Parrot is a Linux distribution specializes in cloud pentesting and IoT security in mind. It includes a full portable laboratory for security and digital forensics experts.
  • DEFT is a Live CD built on top of Xubuntu with tools for computer forensics and incident response.
  • CAINE is (Computer Aided Investigative Environment) is an Italian GNU/Linux live distribution based on Ubuntu and created as a project of Digital Forensics and contain many forensics tools.
  • SIFT from SANS is free powerful tool based on Ubuntu OS or Vmware image click here for the tool login details.
  • Autopsy is free Open Source, cost effective digital forensics essential tool the interface is simple and easy to use.
  • The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.
  • Forensic Assistant is a russian forensic examination software tool with many features it can find and analyze important forensic information in the programs, logs and files.
  • DFF (Digital Forensics Framework) is a free and Open Source computer forensics software built on top of a dedicated Application Programming Interface (API).
  • OCFA (Open Computer Forensics Architecture) is a free and Open Source computer forensics modular to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
  • PlainSight is a CD based Knoppix which is a Linux distribution. Some of its uses include viewing Internet histories, data carving, checking USB device usage, memory dumps extracting password hashes, information gathering, examining Windows firewall configuration, seeing recent documents, and other useful tasks. For using this too, you only need to boot from the CD and the follow the instructions.
  • ProDiscover from Techpathways is a computer security tool that enables computer professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings.
  • Microsoft COFEE is computer online forensic evidence extractor tool that fits on a USB drive and automates the execution of commands for data extraction and related documentation.
  • Nuix Investigator is engineered to index, triage, identify, analyze and bring to the surface critical evidence across entire data sets, regardless of the geographical location, repository, file type or size.
  • Intella® TEAM from Vound enables multiple individuals to review evidence independently and simultaneously, with one case administrator.
  • Bulk Extractor from Digital Corpora scans the disk images, file or directory of files to extract useful information. In this process, it ignores the file system structure, so it is faster than other available similar kinds of tools. It is basically used by intelligence and law enforcement agencies in solving cyber crimes.
  • The Coroner’s Toolkit from Digital Corpora runs under several Unix-related operating systems. It can be used to aid analysis of computer disasters and data recovery.
  • Ghiro is a fully automated tool designed to run forensics analysis over a massive amount of images, just using an user friendly and fancy web application. .



Data recovery:

  • Recover My Files from Get Data has an easy to use interface and will recover files from crushed disk or formatted once.
  • EaSeus Data Recovery from EaSeus will recover files for you it has read only option as well.
  • R-Studio from R-Tools Technology is a multi platform tool to recover deleted files.
  • Restorer Ultimate from BitMart is the tool to use if you are having difficulties with NTFS partitions.
  • Phoenix Windows Data Recovery from Stellar is designed to recover photos, videos, and other multimedia files.
  • PhotoRecovery from LC Technology is designed to recover images, movies and sound files from all types of digital media.
  • Disk Drill from 508 Software is light and multi platform file recovery software.



Password recovery:

  • Fred SC from Digital Intelligence is a dedicated super machine to brute force passwords you can combine it with ElcomSoft Distributed Password Recovery Elcom has a range of password recovery products including Truecrypt and PGP disk.
  • Passware Kit Forensic from Passware can recover passwords from different type of files and disks.
  • Hashkil is free open source tool that supports GPU power to recover passwords.
  • Hashcat is Multi OS, and Hash free open source with the ability work in an distributed environment to recover passwords.
  • Truecrack is free open source tool specialized on recovering Truecrypt containers.
  • Dropbox-decryptor from Magnet Forensics is a free tool that will decrypt the Dropbox filecache.dbx file which is an encrypted SQLite database.
  • Cain & Abel from Massimiliano allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary.
  • Access Data PRTK gives you the ability to recover passwords from well-known applications.
  • Nitsoft Password Tools has many password viewers including Chrome, Opera and VNC.



Extra utilities:

  • ExifTool is free multi OS that can extract many different meta/exif data formats from more than 300 file types.
  • PhotoME is a powerful tool to show and edit the meta/exif data of image files.
  • Xnview is a powerful image viewer that can also read exif data from image files.
  • RegRipper is an open source tool for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
  • Windows Registry Recovery allows to read files containing Windows registry hives.
  • Recon is Registry Analyze data tool whether it’s live, backed up, or even deleted.
  • ForensicUserInfo is a tool that allows you to import registry files and then extracts the user information from the various files and then decrypts the LM/NT hashes from the SAM file.
  • PrefetchForensics is an application to extract information from Windows Prefetch files.
  • USB Historian parses USB information, primarily from the Windows registry, to give you a list of all USB drives that were plugged into the machine.
  • USBDeviceForensics is an application to extract numerous bits of information regarding USB devices.
  • Chrome and Fox Analasis is a software tool for extracting, viewing and analysing Internet history from the Chrome and Firefox web browsers.
  • NetAnalysis is a leading software for the extraction and analysis of data from Internet browsers.
  • Nitsoft Forensics has multiple browsers forensics tools including Opera.
  • Dumpzilla is multi OS forensic tool for Firefox web browsers.
  • SQLite Expert is powerful administration tool for your SQLite databases which enables analysis of Skype logs, Firefox logs and other SQlite artifacts.
  • SQLite Recovery display all of sqlite databases alongside each other allowing the investigator to gain an overview of the type and content of all of them on the suspects computer.
  • VLC video player that plays just about every possible video format there is.
  • Notepad++ an extended free version of note pad that allows conversion and viewing of hex, ascii, UTF and many others forms of data.
  • DigitalCorpora provides disk images, memory dumps, and network packet captures to be used for forensics education.
  • OSFMount allows you to mount local disk image files (bit-for-bit copies of a disk partition) in Windows with a drive letter.
  • HxD hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with easy-of-use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.
  • DSi USB Write Blocker DSi USB Write Blocker is a software-based write blocker that prevents write access to USB devices.
  • LastActivityView llows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file.
  • To wipe data (secure delete selective files) go for Bcwipe (Commercial). A free alternative of it is Eraser.
  • To wipe data (secure delete entire harddisk) go for Dban (Free). A commercial alternative of it is Blancco wiper.


Digital Forensics.

Digital Forensics.



Network forensic:

  • Decision Group has variety of network forensic tools including E-Detective, Wireless-Detective, HTTPS/SSL, VoIP-Detective, and Introduction of Forensics Investigation Toolkit.
  • NetSleuth from netgrab is a free network monitoring and forensics analysis tool.
  • NetDetector from NIKSU offers advanced forensics, providing the deepest extraction of content from network packets.
  • NetworkMiner from NETRESEC multi OS collects data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network.
  • Helix3 Enterprise from e-Fense was developed by computer forensic experts and its an easy to use cyber security solution integrated into your network giving you visibility across your entire infrastructure revealing malicious activities.
  • CNE Investigator from SpectorSoft automatically records all computer activity, creating a record that can be used as evidence in civil and criminal litigation.
  • xplico from Gianluca Costa is an open source network forensic analysis tool. It is basically used to extract useful data from applications which use Internet and network protocols. It supports most of the popular protocols including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP, TCP and others. Output data of the tool is stored in SQLite database of MySQL database. It also supports IPv4 and IPv6 both.



Memory (RAM) forensic:

  • Memoryze from Mandiant is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
  • Digital DNA from HBGary identifies and analyzes the most advanced malware threats in physical memory, including those used against global organizations for theft of intellectual property, business intelligence, customer records, and classified information.
  • Second Look from Raytheon Pikewerks is memory forensics software providing powerful, easy-to-use memory acquisition and analysis capabilities for Linux systems.
  • WindowsSCOPE provides memory acquisition and access to locked computers (access live memory and encrypted disks without needing password).
  • volafox is Memory Analysis Toolkit’ is developed on python 2.x.
  • Volatility provides extraction of digital artifacts from volatile memory (RAM) samples.
  • Redline tool for memory and file analysis. It collects information about running processes on a host, drivers from memory and gathers other data like meta data, registry data, tasks, services, network information and Internet history to build a proper report.



Mobile forensic:

  • UFED Touch Ultimate device from Cellebrite can perform extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.
  • XRY device from Micro Systemation is complete with all the necessary hardware for recovering data from mobile devices in a forensically secure manner. They also have field version of the product.
  • CellXtract and CellXtract-TNT from Logicube rovides fast and thorough forensic data extraction from mobile devices.
  • Elcomsoft IOS Forensic device from Elcomsoft perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices including passwords, encryption keys, and decrypting the file system image running any version of iOS. They also provide a strong phone password breaker EPPB.
  • secureview3 device from Susteen is mobile forensic kit that provides 3 specific processes for examination: acquire, analyze, and report.
  • Paraben from software, to hardware Paraben covers the complete range of needs of any investigator, whether at the forensic or detective level.
  • FoneLab software tool from Aiseesoft retrieve and export 8 types of data including WhatsApp, IMessages, Notes, contacts and more from iOS devices.
  • MOBILedit Forensic software tool from Compelson extracts all content and generates a forensic report ready for courtroom presentation.
  • Oxygen Forensic software and hardware tool from Oxygen Forensics offers logical analysis of cell phones, smartphones and tablets. Using advanced proprietary protocols.
  • MPE+ software tool from accessdata is a stand-alone mobile forensics software solution that is also available on a preconfigured touch-screen tablet for on-scene mobile forensics triage.
  • SAFT software tool is a free and easy-to-use mobile forensics application developed by SignalSEC security researchers.
  • Lantern software tool is mobile forensics that supports IOS, OSX, and Android.
  • BlackBerry Backup Extractor software tool that can recover any file from a BBDM backup, along with saved games, debug information and data that might otherwise be inaccessible.



Mobile extra utilities:

  • MyPhoneExplorer is software tool from Fjsoft that can extract information from Android and Sony Ericsson phones.
  • MobileGo is software tool from Wondershare that can extract information from Android and Iphone.
  • HiSuite is software tool from Huawei that can manage and extract information from Android phones.
  • I-Funbox is a software tool that can manage files on iPhone/iPad just like Windows Explorer and can be used to extract some information from the device.
  • IPhone Backup Extractor is a software tool that can extract files (contacts, pictures, call histories, MMS, SMS, video, voicemail, calendar entries, notes, app files and saved games) from the backups iTunes automatically makes of your iPhone, iPad or iPod Touch. Another good alternative is iBackupBot.
  • WhatsApp Pocket is software tool from Fireebok that allows you to extract WhatsApp messages from your iPhone to computer.
  • WhatsApp Xtract is a tool from xda-dev that allows you to extract WhatsApp messages from your iPhone to computer.
  • Android Injector is a tool from Harmony Hollow that allows you to install apps (Trojans) on your Android powered phone or device without having to get them through the Google Play Store.



Dig the web:

  • Copernic Agent is software tool from Copernic that can send your queries to several search engines and aggregate the results for you.
  • Dogpile web search engine that can search multiple search engines at once.
  • smart-search-engine web search engine that can search social networks as well.
  • social-searcher web search engine that is specialised in social networks searches.
  • Keyhole web search engine that can search social networks and provides social analytics in real-time.
  • Social Mention web search engine that is specialised in social networks searches with sentiments features.
  • Sysomos Heartbeat is a commercial web application to monitor keywords on social networks.
  • Synthesio is another commercial web application to monitor keywords on social networks.
  • Datasift previously was running TweetMeme is another commercial web application to monitor keywords on social networks.
  • Gnip is another commercial web application to monitor keywords on social networks.
  • Buzzsumo is another commercial web application to monitor keywords and links engagements on social networks.
  • Addictomatic searches the best live sites on the web for the latest news, blog posts, videos and images.
  • Shy Girl from EEDS can be used to extract information based on domain name.

For social engineering I recommend Maltego and SET. If you have a great tool that is not listed above feel free to leave a message on this blog or contact me directly.



Digiprove sealCopyright protected by Digiprove © 2013-2016 Eagle Eye Digital Solutions
Amazing people have subscribed to our newsletter — and you’re amazing too!
We hate spam. Your email address will not be sold or shared with anyone else.
The following two tabs change content below.
Warith Al Maawali
W. AL Maawali is the Founder and Chief Editor of Eagle Eye Digital Solutions from the Sultanate of Oman with over 20 years experience in Security and Digital Forensics. He is also the Founder of
Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.



    Informative commentary – I loved the info , Does anyone know where my company can obtain a sample Canada TBS/SCT 330-23e copy to type on ?

  2. Nice Post thanks for sharing info…

commentJoin the Discussion

Pin It on Pinterest