Top Ten Free Computer Forensic/eDiscovery Software
- 05/06/2018
- Posted by: Alistair Ewing
- Categories: Computer Forensics, Software, Uncategorized
Compiled here is the Top Ten of FREE Computer Forensic/eDiscovery software picks for 2018. Sometimes you do not need to spend £1000’s to get the job done. Paid software has its place but sometimes when you want one particular function only or to test out a hypothesis. So get downloading and examining using the software! Please email me at expert@compute-forensics.com with any suggestions for 2019. Contact us should you have an enquiry! Written by Alistair Ewing
1) Autopsy developed by Brian Carrier, Basis Technology, Dan Farmer and Wietse Venema
Autopsy is The Sleuth Kit’s shiny Windows front-end offering. The features are impressive for a free program; some stand up there with the paid for forensic tools Encase, FTK, X-ways and more recently Nuix Investigator. The suite of tools includes:
- Data Recovery using photorec as a carver module
- Indexing for Keyword Searching The program creates a text index for instantaneous keyword searches.
- Known Hash Set Filtering Do you have hash (SHA1/MD5) fingerprints for known noise files or known contraband files? These can be filtered in or out without having to examine the data yourself manually.
- Media Metadata EXIF metadata can be examined, sorted and filtered to find what device was used to make a recording or file, when and sometimes where using geotags.
- Timeline Analysis Autopsy draws file MAC times (created, modified etc.) from files, website visits and other data such as GPS and EXIF. The program is also beginning to support ‘plaso’ files generated using log2timeline although the author states on their website that this time of writing this is in a BETA stage.
- Website Records Supports parsing of current browser records including Firefox, Chrome and Internet Explorer.
Autopsy doesn’t have all the bells and whistles as some of the paid-for software, but don’t underestimate the tool’s features. Many of the features aren’t immediately apparent to the uninitiated, but this program has progressed by leaps and bounds.
I tested Autopsy 4.6.0 on a 1gb test image in the industry standard E01 format. The scanning engine quickly discovered signature mismatches (when someone tries to mask a file by changing its extension), file encryption, attached USB devices, web browsing history and more. The GUI interface is not unlike the functional but dated Encase v6 layout. (See Below). You may be a student or a ninja, in any case give Autopsy a whirl.
2) Caine by Nanni Bassetti
Caine is a 64bit bootable Linux suite of tools that can be used to forensically image Mac’s and Windows Machines, triage machines without writing to the disk inside and perform partial and full analysis of forensic images and disks. Caine is loaded with Windows executable tools as well for use on a live system if a computer is discovered in a switched-on state and triage or unencrypted image is desired for acquisition. My personal experience is that Caine images most disks without error and has Veracrypt installed so you can package the forensic copies onto an encrypted disk as to remain compliant with your client’s data protection rules. The ISO can be downloaded from the website. The ISO can be made USB bootable by using UNETBOOTIN or Rufus. A must for any examiner’s toolkit.
3) RegRipper by Harlan Carvey
Forged using python and operated user-side with an easy to use GUI frontend, Regripper parses registry hives (or even a mounted forensic image with a mod) and outputs the humanly readable data as a text file that can be searched using Notepad++ or similar. Want to find a user’s SID code, the Windows installation dates or MRU (most recently used/viewed items) fast? Then use RR.
4) Arsenal Image Mounter by Arsenal Recon
The function of mounting a forensic image in Windows is nothing new but AIM is especially proficient. FTK imager has a built-in image mounter, but this one is a little more advanced, and disks are seen in Windows where others have failed due to it’s faked SCSI driver. Arsenal mounts in many different and rarer image formats and even fakes disk serial number if required if mounting errors occur. *FREE for non-commercial use
5) Nirsoft Tools by Nir Sofer
A full suite of analysis tools for Windows artefacts. For forensic analysis, objects may have to be exported out, or examination must take place to a blocked mounted forensic image visible in Windows.
6) PhotoRec Christopher Grenier
Whether its a deleted Microsoft email PST item or a lost Encase E01 file, photorec is a data recovery tool that seems to perform well compared to the rest. The list of carvers preloaded is formidable, and the speed is swift. The carving can be completed on a mounted forensic image as to protect the integrity and only on the volumes free space to save time.
7) Log2timeline maintained by Kristinn Gudjonsson
This parser is the no one supertimeline tool and can be used in an advanced forensic analysis to extract event times from 1000’s of log/database filetypes and place them into one plaso file output or CSV spreadsheet for analysis natively or using a graphical program. Most paid for or built-in timeline tools just take into account MAC times and can’t parse as many file, registry or database types as log2timeline. If you need to put together times, user actions and other artefacts in one place then log2timeline is the tool of choice.
8) FTK Imager by AccessData
Imager needs no introduction. Imager does what it says on the tin and more! FTK imager has little-known eDiscovery uses as the software can image by SID owner, create directory listings and image logically to an AD1 format by folder location. Additionally, the tool includes a hex viewer. In incident response, the suite can be used to collect volatile memory as well as a live registry.
9) ddrescue GUI by Hamish McIntyre-Bhatty
This Linux GUI tool that simply put “copies data from one file or block device (hard disc, cd-rom, etc) to another, trying to rescue the good parts first in case of read errors.” ddrescue also produces a map file so you can go back to reimage the old parts of the disk that didn’t copy the first time in order to get a full transversal. It won’t only create an image filled 0s on the parts it can’t read as most imaging tools do. *Available on Caine
10) Acquire by Magnet Forensics
To get this hidden gem, you will have to register on Magnets website. Aquire has the imaging functions you find typically in FTK imager and others. MA shines when collecting from smartphones such as Apple and Android devices (forget about Blackberry!) The program will also take a full physical image of rooted android devices and output the data in an agnostic format. The items are best examined using Magnet’s Axiom or IEF.
In real cases these tools require specialist training, don’t hesitate to contact us should you have an enquiry!