Computer forensics: a selection of useful links

9 May 2023 5 minutes Author: Cyber Witcher

The science of researching evidence

To investigate information security incidents successfully, you need practical skills with the tools used to extract digital artifacts. This article provides a list of useful links and tools for collecting digital evidence. The purpose of such work is to apply methods and tools for preserving (keeping immutable), collecting and analysing digital evidence in order to reconstruct the events of an incident. The term “forensics” is a shortened form of “forensic science”, literally the science of examining evidence, which is exactly what is otherwise called criminology. Here “forensics” does not mean criminology in general, but computer forensics specifically. Some authors further distinguish computer forensics from network forensics. The main field of application is the analysis and investigation of events in which computer information is the object of an attack, a computer is the instrument used to commit a crime, or any other digital evidence is involved.

Fully collecting and analysing information requires a range of highly specialised utilities, which are discussed below. I would like to warn you that in the course of a criminal case, the existence of certain certifications and software compliance attestations (FSTEC licences) will most likely be taken into account. In that case you will have to use combined methods of collecting and analysing information, or write your findings and expert report on the basis of data obtained from non-certified sources.

Network analysis

SiLK Tools

Network traffic analysis tools that support network security analysis.

Wireshark

The most famous network sniffer.

Real-time utilities

GRR

GRR Rapid Response is a tool for remote live incident investigation and analysis.

MIG

Mozilla InvestiGator is a platform for investigating and analyzing incidents.

Work with images (creation, cloning)

Dc3dd

An improved version of the dd console utility.

Adulau/dcfldd

Another improved version of dd.

FTK Imager

Viewing and cloning media in a Windows environment.

Guymager

Viewing and cloning media in a Linux environment.

Data extraction

Bstrings

An improved version of the popular strings utility.

Bulk_extractor

Extracts email addresses, IP addresses and phone numbers from files.

Floss

Uses advanced static analysis techniques to automatically deobfuscate data from malware binaries.

Photorec

A free data recovery program designed to recover lost files from digital camera memory and other media.

Artifacts of the Internet

Chrome-url-dumper

Extracting information from Google Chrome.

Hindsight

Analysis of the history of Google Chrome/Chromium.

Analysis of time intervals

Plaso

Extraction and aggregation of timestamps.

Timesketch

Collaborative timeline analysis.

Converters

CyberChef

A multi-tool for encoding, decoding, compression and data analysis.

DateDecode

Converting binary data.

Working with RAM

InVtero.net

A high-speed memory analysis framework.

Volatility

A set of utilities for versatile analysis of physical memory images.

KeeFarce

Extracting KeePass passwords from memory.

Rekall

A RAM dump analysis framework written in Python.

VolUtility

Web interface for the Volatility framework.

Frameworks

DFF

The Digital Forensics Framework is an open source platform for data extraction and investigation.

PowerForensics

PowerForensics is a utility written in PowerShell, designed for examining hard drives.

The Sleuth Kit

The Sleuth Kit (TSK) is a C library and collection of command-line tools for examining disk images.

Windows artifacts (extraction of files, download histories, USB devices)

RecuperaBit

NTFS data recovery.

Python-ntfs

Analysis of NTFS data.

FastIR Collector

A comprehensive artifact collector for Windows systems.

FRED

Cross-platform Windows registry analyzer.

MFT-Parsers

Comparison sheet of MFT (Master File Table) parsers.

MFTExtractor

MFT parser.

NTFS journal parser

NTFS journal parser.

NTFS USN Journal parser

USN journal parser.

Hex editors

Hexinator

Windows version of Synalyze It.

HxD

Small and fast hex editor.

IBored

Cross-platform hex editor.

Synalyze It!

Template-based hex editor.

WxHex Editor

Hex editor with file comparison.

Analysis of files

010 Editor Templates

Templates for 010 Editor.

HFSPlus Grammars

HFS+ grammars for Synalysis.

Sleuth Kit file system grammars

Repositories of grammars for different file systems.

Synalyze It! Grammars

File format grammars for Synalyze It!

WinHex Templates

File format templates for WinHex and X-Ways.

Processing disk images

Imagemounter

A command-line utility for quickly mounting disk images.

Libewf

Library and utilities for accessing and processing the EWF (E01) image format.

Xmount

Converts between disk image formats. A very high-quality and useful tool.

Conclusion

To conduct research and collect digital evidence, you must observe the principles of immutability, integrity, completeness and reliability of the information. To do so, follow the recommendations on software and on methods for conducting investigations.
