Secrets on Digital Forensics
On this article I will cover the hot topic of Digital Forensics. The interest is not limited to digital investigators or digital crime, it can be used in the private sector during internal corporate investigations. Digital can be categorized as computer forensics, mobile forensics, network forensics, forensic data analysis and database forensics.
Digital Forensic consist of three main parts acquisition or (cloning -imaging) of exhibits, analysis, and reporting. Each part has its own tool or dedicated device depending on who is going to make use of the results and the evidence they are looking for.
I have been using some of these tools since 2005 so I will make sure I cover all the important aspects in order to save you time and simplify the process of investigation or even recovering your own lost information.
Here is a sample of a PC that is customized and loaded with most of the tools that I will mention can be seen here.
Forensic tools guide index:
- All in one Tools
- Storage media acquisition
- Storage media analysis and reporting
- Windows Evidence Collection
- Data recovery
- Password recovery
- Extra utilities
- Network forensic
- Memory (RAM) forensic
- Mobile forensic
- Mobile extra utilities
- Dig the Web
All in one Tools:
- Belkasoft Evidence Center The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
- CimSweep CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
- CIRTkit CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
- Cyber Triage Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further. .
- Digital Forensics Framework DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response.
- Doorman Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery’s TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
- Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location.
- Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality.
- FIDO Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today’s security stack and the large number of alerts generated by them.
- GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent.
- Kolide is an agentless osquery web interface and remote api server. Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. It replaces Envdb.
- Limacharlie an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality.
- MIG Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security.
- MozDef The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
- nightHawk the nightHawk Response Platform is an application built for asynchronus forensic data presentation using ElasticSearch as the backend. It’s designed to ingest Redline collections.
- Open Computer Forensics Architecture Open Computer Forensics Architecture (OCFA) is another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.
- Osquery with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the incident-response pack help you detect and respond to breaches.
- Redline provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
- The Sleuth Kit & Autopsy The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.
- TheHive TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
- X-Ways Forensics X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.
- Zentral combines osquery’s powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients.
Storage media acquisition:
- Talon, Dossier, and Forensic Falcon cloning devices from Logicube with capture speed from 7GB/min to 23GB/min with wipe feature, captures to DD image files, and provides MD5 and SHA-256 Authentication.
- Solo-4 cloning device from ICS with capture speed of 12GB/min with USB3 and Firewire support.
- TD3 cloning device from Tableau with capture speed of 7GB/min with USB3 and Firewire support.
- Wiebetech Ditto cloning device from CRU with capture speed of 6.6GB/min with USB3 and Firewire support.
- Fred cloning device from Digital Intelligence if you are looking for multi drive acquisition device that allows you to install your own analysis tools and OS. They offer a portable version as well. An alternative product is Forensic RTX.
- Winhex is a software tool that allows to produce exact duplicates of disks/drives.
- FTK imager is a software that allows to mount and create images from different types of drives.
- Air is a GUI front-end to dd/dc3dd on Linux designed for easily creating forensic images.
- ImageUSB is a free utility which lets you clone or write an image concurrently to multiple USB Flash Drives.
- OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.
- Atola is an acquisition device that can acquire a usable image from damaged media.
- GetData Forensic Imager GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.
- Guymager Guymager is a free forensic imager for media acquisition on Linux.
- Magnet ACQUIRE ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.
Storage media analysis and reporting:
- EnCase from Guidence software is my preference for deep forensic analysis they also have a portable version. You can combine it with IEF (INTERNET EVIDENCE FINDER) for better Internet investigations.
- FTK Toolkit from Access Data is also a a tool that I recommend to have in your forensic Lab.
- E3 from Paraben can mount forensic images as a read-only local and physical disc and then explore the contents of the image with file explorer. You can easily view deleted data and unallocated space of the image.It can mount several images at a time. It supports most of the image formats including EnCasem, safeBack, PFR, FTK DD, WinImage, Raw images from Linux DD, and VMWare images. It supports both logical and physical image types..
- X-Ways Forensics from X-Ways is a good software product.
- Santoku is a Linux distribution specializes in Mobile Forensic, Malware, and Security.
- Masterkey is a Linux distribution specializes in incident response and computer forensics.
- Parrot is a Linux distribution specializes in cloud pentesting and IoT security in mind. It includes a full portable laboratory for security and digital forensics experts.
- DEFT is a Live CD built on top of Xubuntu with tools for computer forensics and incident response.
- CAINE is (Computer Aided Investigative Environment) is an Italian GNU/Linux live distribution based on Ubuntu and created as a project of Digital Forensics and contain many forensics tools.
- ADIA The Appliance for Digital Investigation and Analysis (ADIA) is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.
- NST – Network Security Toolkit Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.
- PALADIN PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included.
- Security Onion Security Onion is a special Linux distro aimed at network security monitoring featuring advanced analysis tools.
- SIFT from SANS is free powerful tool based on Ubuntu OS or Vmware image click here for the tool login details.
- Autopsy is free Open Source, cost effective digital forensics essential tool the interface is simple and easy to use.
- The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.
- Forensic Assistant is a russian forensic examination software tool with many features it can find and analyze important forensic information in the programs, logs and files.
- DFF (Digital Forensics Framework) is a free and Open Source computer forensics software built on top of a dedicated Application Programming Interface (API).
- OCFA (Open Computer Forensics Architecture) is a free and Open Source computer forensics modular to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
- PlainSight is a CD based Knoppix which is a Linux distribution. Some of its uses include viewing Internet histories, data carving, checking USB device usage, memory dumps extracting password hashes, information gathering, examining Windows firewall configuration, seeing recent documents, and other useful tasks. For using this too, you only need to boot from the CD and the follow the instructions.
- ProDiscover from Techpathways is a computer security tool that enables computer professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings.
- Microsoft COFEE is computer online forensic evidence extractor tool that fits on a USB drive and automates the execution of commands for data extraction and related documentation.
- Nuix Investigator is engineered to index, triage, identify, analyze and bring to the surface critical evidence across entire data sets, regardless of the geographical location, repository, file type or size.
- Intella® TEAM from Vound enables multiple individuals to review evidence independently and simultaneously, with one case administrator.
- Bulk Extractor from Digital Corpora scans the disk images, file or directory of files to extract useful information. In this process, it ignores the file system structure, so it is faster than other available similar kinds of tools. It is basically used by intelligence and law enforcement agencies in solving cyber crimes.
- The Coroner’s Toolkit from Digital Corpora runs under several Unix-related operating systems. It can be used to aid analysis of computer disasters and data recovery.
- Ghiro is a fully automated tool designed to run forensics analysis over a massive amount of images, just using an user friendly and fancy web application.
- Cold Disk Quick Response uses a streamlined list of parsers to quickly analyze a forenisic image file (dd, E01, .vmdk, etc) and output nine reports.
- Live Response Collection The Live Response collection by BriMor Labs is an automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.
Windows Evidence Collection:
- AChoir Achoir is a framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows.
- Binaryforay list of free tools for win forensics (http://binaryforay.blogspot.co.il/).
- Crowd Response Crowd Response by CrowdStrike is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.
- FastIR Collector FastIR Collector is a tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected.
- FECT Fast Evidence Collector Toolkit (FECT) is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler.
- Fibratus tool for exploration and tracing of the Windows kernel.
- IOC Finder IOC Finder is a free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only.
- Fidelis ThreatScanner Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only.
- LOKI Loki is a free IR scanner for scanning endpoint with yara rules and other indicators(IOCs)
- PowerForensics Live disk forensics platform, using PowerShell.
- PSRecon PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
- RegRipper Regripper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
- TRIAGE-IR Triage-IR is a IR collector for Windows.
- Recover My Files from Get Data has an easy to use interface and will recover files from crushed disk or formatted once.
- EaSeus Data Recovery from EaSeus will recover files for you it has read only option as well.
- R-Studio from R-Tools Technology is a multi platform tool to recover deleted files.
- Restorer Ultimate from BitMart is the tool to use if you are having difficulties with NTFS partitions.
- Phoenix Windows Data Recovery from Stellar is designed to recover photos, videos, and other multimedia files.
- PhotoRecovery from LC Technology is designed to recover images, movies and sound files from all types of digital media.
- Disk Drill from 508 Software is light and multi platform file recovery software.
- Fred SC from Digital Intelligence is a dedicated super machine to brute force passwords you can combine it with ElcomSoft Distributed Password Recovery Elcom has a range of password recovery products including Truecrypt and PGP disk.
- Passware Kit Forensic from Passware can recover passwords from different type of files and disks.
- Hashkil is free open source tool that supports GPU power to recover passwords.
- Hashcat is Multi OS, and Hash free open source with the ability work in an distributed environment to recover passwords.
- Truecrack is free open source tool specialized on recovering Truecrypt containers.
- Dropbox-decryptor from Magnet Forensics is a free tool that will decrypt the Dropbox filecache.dbx file which is an encrypted SQLite database.
- Cain & Abel from Massimiliano allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary.
- Access Data PRTK gives you the ability to recover passwords from well-known applications.
- Nitsoft Password Tools has many password viewers including Chrome, Opera and VNC.
- ExifTool is free multi OS that can extract many different meta/exif data formats from more than 300 file types.
- PhotoME is a powerful tool to show and edit the meta/exif data of image files.
- Xnview is a powerful image viewer that can also read exif data from image files.
- RegRipper is an open source tool for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
- Windows Registry Recovery allows to read files containing Windows registry hives.
- Recon is Registry Analyze data tool whether it’s live, backed up, or even deleted.
- ForensicUserInfo is a tool that allows you to import registry files and then extracts the user information from the various files and then decrypts the LM/NT hashes from the SAM file.
- PrefetchForensics is an application to extract information from Windows Prefetch files.
- USB Historian parses USB information, primarily from the Windows registry, to give you a list of all USB drives that were plugged into the machine.
- USBDeviceForensics is an application to extract numerous bits of information regarding USB devices.
- Chrome and Fox Analasis is a software tool for extracting, viewing and analysing Internet history from the Chrome and Firefox web browsers.
- NetAnalysis is a leading software for the extraction and analysis of data from Internet browsers.
- Nitsoft Forensics has multiple browsers forensics tools including Opera.
- Dumpzilla is multi OS forensic tool for Firefox web browsers.
- SQLite Expert is powerful administration tool for your SQLite databases which enables analysis of Skype logs, Firefox logs and other SQlite artifacts.
- SQLite Recovery display all of sqlite databases alongside each other allowing the investigator to gain an overview of the type and content of all of them on the suspects computer.
- VLC video player that plays just about every possible video format there is.
- Notepad++ an extended free version of note pad that allows conversion and viewing of hex, ascii, UTF and many others forms of data.
- DigitalCorpora provides disk images, memory dumps, and network packet captures to be used for forensics education.
- OSFMount allows you to mount local disk image files (bit-for-bit copies of a disk partition) in Windows with a drive letter.
- HxD hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with easy-of-use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.
- DSi USB Write Blocker DSi USB Write Blocker is a software-based write blocker that prevents write access to USB devices.
- LastActivityView llows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file.
- Cortex Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.
- Crits a web-based tool which combines an analytic engine with a cyber threat database.
- Fenrir Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI.
- Fileintel Pull intelligence per file hash.
- Hindsight Internet history forensics for Google Chrome/Chromium.
- Hostintel Pull intelligence per host.
- Kansa Kansa is a modular incident response framework in Powershell.
- rastrea2r allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X.
- RaQet RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.
- Stalk Collect forensic data about MySQL when problems occur.
- Elcomsoft Cloud eXplorer a commandline utility to acquire forensic data from cloud services.
- Stenographer Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It’s ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic.
- traceroute-circl traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg.
- X-Ray 2.0 A Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors.
- To wipe data (secure delete selective files) go for Bcwipe (Commercial). A free alternative of it is Eraser.
- To wipe data (secure delete entire harddisk) go for Dban (Free). A commercial alternative of it is Blancco wiper.
- FIR Fast Incident Response (FIR) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike.
- RTIR Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.
- SCOT Sandia Cyber Omni Tracker (SCOT) is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.
- threat_note A lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research.
- FastIR Collector Linux FastIR for Linux collects different artefacts on live Linux and records the results in csv files.
- Lorg a tool for advanced HTTPD logfile security analysis and forensics.
- Knockknock Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX.
- OSX Auditor OSX Auditor is a free Mac OS X computer forensics tool.
- OSX Collector An OSX Auditor offshoot for live response.
- Microsoft User Mode Process Dumper The User Mode Process Dumper (userdump) dumps any running Win32 processes memory image on the fly.
- PMDump PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.
- Highlighter Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise.
- Plaso a Python-based backend engine for the tool log2timeline.
- Timesketch open source tool for collaborative forensic timeline analysis.
- Demisto IR video resources Video Resources for Incident Response and Forensics Tools.
- The Future of Incident Response Presented by Bruce Schneier at OWASP AppSecUSA 2015.
# Incident Management
# Linux Evidence Collection
# Log Analysis Tools
# OSX Evidence Collection
# Process Dump Tools
# Timeline tools
- Decision Group has variety of network forensic tools including E-Detective, Wireless-Detective, HTTPS/SSL, VoIP-Detective, and Introduction of Forensics Investigation Toolkit.
- NetSleuth from netgrab is a free network monitoring and forensics analysis tool.
- NetDetector from NIKSU offers advanced forensics, providing the deepest extraction of content from network packets.
- NetworkMiner from NETRESEC multi OS collects data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network.
- Helix3 Enterprise from e-Fense was developed by computer forensic experts and its an easy to use cyber security solution integrated into your network giving you visibility across your entire infrastructure revealing malicious activities.
- CNE Investigator from SpectorSoft automatically records all computer activity, creating a record that can be used as evidence in civil and criminal litigation.
- xplico from Gianluca Costa is an open source network forensic analysis tool. It is basically used to extract useful data from applications which use Internet and network protocols. It supports most of the popular protocols including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP, TCP and others. Output data of the tool is stored in SQLite database of MySQL database. It also supports IPv4 and IPv6 both.
Memory (RAM) forensic:
- Memoryze from Mandiant is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
- Digital DNA from HBGary identifies and analyzes the most advanced malware threats in physical memory, including those used against global organizations for theft of intellectual property, business intelligence, customer records, and classified information.
- Second Look from Raytheon Pikewerks is memory forensics software providing powerful, easy-to-use memory acquisition and analysis capabilities for Linux systems.
- WindowsSCOPE provides memory acquisition and access to locked computers (access live memory and encrypted disks without needing password).
- volafox is Memory Analysis Toolkit’ is developed on python 2.x.
- Volatility provides extraction of digital artifacts from volatile memory (RAM) samples.
- Redline tool for memory and file analysis. It collects information about running processes on a host, drivers from memory and gathers other data like meta data, registry data, tasks, services, network information and Internet history to build a proper report.
- Evolve Web interface for the Volatility Memory Forensics Framework.
- inVtero.net Advanced memory analysis for Windows x64 with nested hypervisor support.
- KnTList Computer memory analysis tools.
- LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices.
- Rekall Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
- Responder PRO Responder PRO is the industry standard physical memory and automated malware analysis solution.
- VolatilityBot VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation.
- Belkasoft Live RAM Capturer A tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.
- Linux Memory Grabber A script for dumping Linux memory and creating Volatility profiles.
- Magnet RAM Capture Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.
- OSForensics OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done.
- UFED Touch Ultimate device from Cellebrite can perform extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.
- XRY device from Micro Systemation is complete with all the necessary hardware for recovering data from mobile devices in a forensically secure manner. They also have field version of the product.
- CellXtract and CellXtract-TNT from Logicube rovides fast and thorough forensic data extraction from mobile devices.
- Elcomsoft IOS Forensic device from Elcomsoft perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices including passwords, encryption keys, and decrypting the file system image running any version of iOS. They also provide a strong phone password breaker EPPB.
- secureview3 device from Susteen is mobile forensic kit that provides 3 specific processes for examination: acquire, analyze, and report.
- Paraben from software, to hardware Paraben covers the complete range of needs of any investigator, whether at the forensic or detective level.
- FoneLab software tool from Aiseesoft retrieve and export 8 types of data including WhatsApp, IMessages, Notes, contacts and more from iOS devices.
- MOBILedit Forensic software tool from Compelson extracts all content and generates a forensic report ready for courtroom presentation.
- Oxygen Forensic software and hardware tool from Oxygen Forensics offers logical analysis of cell phones, smartphones and tablets. Using advanced proprietary protocols.
- MPE+ software tool from accessdata is a stand-alone mobile forensics software solution that is also available on a preconfigured touch-screen tablet for on-scene mobile forensics triage.
- SAFT software tool is a free and easy-to-use mobile forensics application developed by SignalSEC security researchers.
- Lantern software tool is mobile forensics that supports IOS, OSX, and Android.
- BlackBerry Backup Extractor software tool that can recover any file from a BBDM backup, along with saved games, debug information and data that might otherwise be inaccessible.
Mobile extra utilities:
- MyPhoneExplorer is software tool from Fjsoft that can extract information from Android and Sony Ericsson phones.
- MobileGo is software tool from Wondershare that can extract information from Android and Iphone.
- HiSuite is software tool from Huawei that can manage and extract information from Android phones.
- I-Funbox is a software tool that can manage files on iPhone/iPad just like Windows Explorer and can be used to extract some information from the device.
- IPhone Backup Extractor is a software tool that can extract files (contacts, pictures, call histories, MMS, SMS, video, voicemail, calendar entries, notes, app files and saved games) from the backups iTunes automatically makes of your iPhone, iPad or iPod Touch. Another good alternative is iBackupBot.
- WhatsApp Pocket is software tool from Fireebok that allows you to extract WhatsApp messages from your iPhone to computer.
- Syncios is software tool from Anvsoft Inc that allows you to extract WhatsApp messages from your iPhone to computer.
- Enigma Recovery is software tool that allows you to extract WhatsApp messages and many other things from your iPhone to computer (Best choice).
- EaseUS iOS is software tool that allows you to extract WhatsApp messages and many other things from your iPhone to computer.
- Phone Rescue is software tool that allows you to extract WhatsApp messages and many other things from your iPhone to computer.
- Dr.fone is software tool that allows you to extract WhatsApp messages and many other things from your iPhone to computer.
- WhatsApp Xtract is a tool from xda-dev that allows you to extract WhatsApp messages from your iPhone to computer.
- Android Injector is a tool from Harmony Hollow that allows you to install apps (Trojans) on your Android powered phone or device without having to get them through the Google Play Store.
Dig the web:
- Copernic Agent is software tool from Copernic that can send your queries to several search engines and aggregate the results for you.
- Dogpile web search engine that can search multiple search engines at once.
- social-searcher web search engine that is specialised in social networks searches.
- Keyhole web search engine that can search social networks and provides social analytics in real-time.
- Social Mention web search engine that is specialised in social networks searches with sentiments features.
- Sysomos Heartbeat is a commercial web application to monitor keywords on social networks.
- Synthesio is another commercial web application to monitor keywords on social networks.
- Datasift previously was running TweetMeme is another commercial web application to monitor keywords on social networks.
- Gnip is another commercial web application to monitor keywords on social networks.
- Buzzsumo is another commercial web application to monitor keywords and links engagements on social networks.
- Shy Girl from EEDS can be used to extract information based on domain name.
Please read the ACPO guideline it has most of the instructions you need as a forensic expert.
For social engineering I recommend Maltego and SET. If you have a great tool that is not listed above feel free to leave a message on this blog or contact me directly.
Latest posts by Warith Al Maawali (see all)
- Apple iOS Mail Client leaking highly sensitive information - December 27, 2019
- Validating VPN nodes - November 3, 2019
- Migrating from php 5.6 to 7.3 - November 1, 2019
- Linux Kodachi 8.26 The Secure OS - October 20, 2013
- Migrating from Vbulletin to Burning board - March 27, 2016