If you have ever had to understand what happened on someone else's computer, rather than simply reformat it, then you have already done computer forensics. The only difference is that specialists in this field have far more tasks. They analyze traffic, system failures, user errors and various information security incidents, track them, and look for hidden data and other possible traces of hacking. The tasks of computer forensics specialists also include detecting uncontrolled system changes and software failures, violations of access rules, and non-compliance with information security policies or recommendations. In this article we will look at utilities and links to useful resources that will help you learn more about the art of forensics. The term "forensics" came into Russian from the English word "forensics", which means the science of examining evidence or, put simply, computer forensics.
Specialists in the field of forensics are indispensable when an IS incident must be detected and analyzed quickly, for example the hacking of a web server, the cause of a leak of confidential information, the encryption of confidential data, and so on. A separate topic is the investigation of targeted attacks, or APTs. Their essence boils down to compromising target systems using a variety of attack vectors, tools, and sophisticated techniques and methods not seen before. Needless to say, forensics challenges are a traditional part of CTF competitions as well, so knowledge of at least the basic investigative techniques is essential. Some of the tools frequently used in CTFs are covered below.
Arsenal Image Mounter: a utility for mounting disk images in Windows and accessing their partitions, volumes, etc.
DumpIt: a utility for creating a physical memory dump on 32- and 64-bit Windows computers. Can be run from a USB drive.
EnCase Forensic Imager: a utility for creating EnCase evidence files.
Encrypted Disk Detector: a utility for detecting TrueCrypt, PGP and BitLocker encrypted volumes.
EWF MetaEditor: a utility for editing EWF (E01) metadata.
FAT32 Format: a utility for formatting large-capacity drives as FAT32.
Forensics Acquisition of Websites: a browser designed to capture web pages for investigations.
FTK Imager: viewing and cloning of storage media in a Windows environment.
Guymager: a multi-threaded GUI utility for creating disk images under Linux.
Live RAM Capturer: a RAM dump utility, aimed in particular at memory protected by anti-debugging or anti-dumping systems.
NetworkMiner: a network analysis tool that detects the OS, hostname and open ports of network hosts through packet capture (PCAP) analysis.
Magnet RAM Capture: a utility for capturing RAM on Windows XP through Windows 10 and Windows Server 2003, 2008 and 2012.
OSFClone: a live CD/DVD/USB utility for creating dd or AFF images.
OSFMount: a utility for mounting disk images; it also allows you to create RAM disks.
EDB Viewer: a utility for viewing Outlook EDB files without an Exchange server.
Mail Viewer: a utility for viewing Outlook Express, Windows Mail/Windows Live Mail and Mozilla Thunderbird message databases, as well as individual EML files.
MBOX Viewer: a utility for viewing MBOX e-mails and attachments.
OST Viewer: a utility for viewing Outlook OST files without an Exchange server.
PST Viewer: a utility for viewing Outlook PST files without an Exchange server.
analyzeMFT: a utility for parsing the MFT of an NTFS file system so that the results can be analyzed with other tools.
bstrings: a binary data search utility that also supports regular expression searches.
CapAnalysis: a PCAP viewer and analysis utility.
Crowd Response: a Windows console application that helps collect system information for incident response and security engagements.
Crowd Inspect: a utility for obtaining information about processes with network activity and listing the binaries associated with each process. It queries VirusTotal and other online malware analysis and reputation services.
DCode: a utility that converts various data types into date/time values.
Defraser: a utility for detecting complete and partial multimedia file data in unallocated space.
eCryptfs Parser: a utility that recursively parses the headers of every eCryptfs file in the selected directory.
Encryption Analyzer: a utility for analyzing password-protected and encrypted files; it reports the encryption complexity and the decryption options for each file.
ExifTool: a utility for reading and editing Exif data in a large number of file types.
File Identifier: online file type analysis (over 2000 types).
Forensic Image Viewer: a utility for extracting data from images.
Link Parser: a recursive folder analysis utility that extracts over 30 attributes from Windows .lnk (shortcut) files.
Memoryze: analysis of RAM images, including analysis of page files.
MetaExtractor: a utility for extracting metadata from office documents and PDF files.
Shadow Explorer: a utility for viewing and extracting files from shadow copies.
Audit: an OS X audit and log output utility.
Disk Arbitrator: blocks the mounting of file systems, complementing a write blocker, when disk arbitration is disabled.
FTK Imager CLI for Mac OS: the console version of the FTK Imager utility for Mac OS.
IORegInfo: a utility for displaying information about devices connected to the computer (SATA, USB and FireWire devices, software RAID arrays). It can determine partition information, including sizes, types and the bus to which the device is connected.
mac_apt: a utility for working with E01, DD and DMG images.
Volafox: a Mac OS X memory analysis utility.
iPBA2: an iOS backup analysis utility.
iPhone Analyzer: a utility for analyzing the file structure of iPad, iPod and iPhone devices.
ivMeta: a utility for extracting the phone model and software version, as well as timestamp and GPS data, from iPhone videos.
Rubus: a utility for deconstructing BlackBerry backup .ipd files.
SAFT: extraction of SMS messages, call logs and contacts from Android devices.