Digital forensics (sometimes known as digital forensic science) is a branch of forensic science
encompassing the recovery and investigation of material found in digital devices, often in relation
to computer crime. The term digital forensics was originally used as a synonym for computer
forensics but has expanded to cover investigation of all devices capable of storing digital data. With
roots in the personal computing revolution of the late 1970s and early 80s, the discipline evolved in
a haphazard manner during the 1990s, and it was not until the early 21st century that national
policies emerged.
Digital forensics investigations have a variety of applications. The most common is to support or
refute a hypothesis before criminal or civil courts (in civil cases as part of the electronic discovery
process). Forensics may also feature in the private sector, such as during internal corporate
investigations or intrusion investigation (a specialist probe into the nature and extent of an
unauthorized network intrusion).
The technical aspect of an investigation is divided into several sub-branches relating to the type of
digital device involved: computer forensics, network forensics, forensic data analysis and mobile
device forensics. The typical forensic process encompasses the seizure, forensic imaging
(acquisition) and analysis of digital media, and the production of a report on the collected evidence.
As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence
to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in
copyright cases), or authenticate documents. Investigations are much broader in scope than other
areas of forensic analysis (where the usual aim is to answer a series of simpler questions), often
involving complex timelines or hypotheses.
Autopsy
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other
digital forensics tools. It can be used by law enforcement, military, and corporate examiners to
investigate what happened on a computer. You can even use it to recover photos from your camera's
memory card.
Autopsy Features:
Timeline Analysis: Displays system events in a graphical interface to help identify activity.
Keyword Search: Text extraction and indexed search modules enable you to find files that mention specific terms and match regular expression patterns.
Web Artifacts: Extracts web activity from common browsers to help identify user activity.
Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
LNK File Analysis: Identifies shortcuts and accessed documents.
Email Analysis: Parses MBOX format messages, such as Thunderbird's.
EXIF: Extracts geolocation and camera information from JPEG files.
File Type Sorting: Groups files by their type to find all images or documents.
Media Playback: Views videos and images in the application without requiring an external viewer.
Thumbnail Viewer: Displays thumbnails of images for quick viewing of pictures.
Robust File System Analysis: Support for common file systems, including NTFS, FAT12, FAT16, FAT32, HFS+, ISO9660 (CD-ROM), Ext2, Ext3, and UFS, from The Sleuth Kit.
Hash Set Filtering: Filters out known-good files using NSRL and flags known-bad files using custom hash sets in HashKeeper, md5sum, and EnCase formats.
Tags: Tag files with arbitrary tag names, such as "bookmark" or "suspicious", and add comments.
Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
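Hash set filtering, as an added worked example (not Autopsy or Sleuth Kit code): every file under a directory is hashed, each digest is looked up in a known-good set in md5sum format (standing in for NSRL) and in a custom known-bad set, and known-good files are filtered out while known-bad files are flagged. The hash set contents, file names and digests below are constructed for this demonstration. Matching is by digest, never by file name, and a digest present in both sets is reported as known-bad so that a whitelist can never hide a flagged file.

```python
"""Hash set filtering: classify every file in a tree as known_good, known_bad
or unknown by MD5 digest.  Added example, not Autopsy/Sleuth Kit code; the hash
sets, sample files and digests are constructed for this demonstration."""
import hashlib
import os
import tempfile
from pathlib import Path

# md5sum format (one of the hash set formats Autopsy imports): "<digest>  <name>".
# Constructed sample sets; the digests are the MD5s of the sample files created below.
KNOWN_GOOD_MD5SUM = """\
# NSRL-style known-good set (constructed); digests may be upper or lower case
d41d8cd98f00b204e9800998ecf8427e  empty.txt
5D41402ABC4B2A76B9719D911017C592  hello.txt
"""
KNOWN_BAD_MD5SUM = """\
# custom known-bad set (constructed)
900150983cd24fb0d6963f7d28e17f72  dropper.bin
"""


def parse_hash_set(text):
    """Return the set of lower-case digests in an md5sum-format hash set.
    Blank lines and '#' comments are skipped; the file names are ignored because
    matching is done by content, not by name."""
    digests = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split()[0].lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed hash set line: {line!r}")
        digests.add(digest)
    return digests


def md5_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in 1 MiB chunks so large evidence files are never loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_tree(root, known_good, known_bad):
    """Map each file (POSIX-style path relative to root) to known_bad / known_good / unknown.
    known_bad is checked first: a digest in both sets must be flagged, not filtered out."""
    root = Path(root)
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            digest = md5_file(path)
            if digest in known_bad:
                verdict = "known_bad"
            elif digest in known_good:
                verdict = "known_good"
            else:
                verdict = "unknown"          # neither set knows it: needs examiner review
            verdicts[path.relative_to(root).as_posix()] = verdict
    return verdicts


def build_sample_case():
    """Create a small constructed evidence tree in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="hashset_demo_"))
    (root / "docs").mkdir()
    (root / "empty.txt").write_bytes(b"")                       # digest in known-good set
    (root / "docs" / "readme.txt").write_bytes(b"hello")        # known-good by digest although the name differs
    (root / "payload.exe").write_bytes(b"abc")                  # digest in known-bad set
    (root / "docs" / "notes.txt").write_bytes(b"hello world")   # in neither set
    return root


if __name__ == "__main__":
    case = build_sample_case()
    good = parse_hash_set(KNOWN_GOOD_MD5SUM)
    bad = parse_hash_set(KNOWN_BAD_MD5SUM)
    for rel, verdict in classify_tree(case, good, bad).items():
        print(f"{verdict:10s} {rel}")
```

The known-good list deliberately carries an upper-case digest under a different file name from the file on disk, to show that only the normalized digest matters; in a real case the "unknown" bucket is what the examiner spends time on.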
Deft
DEFT (acronym for Digital Evidence & Forensics Toolkit) is a distribution made for Computer
Forensics, with the purpose of running live on systems without tampering with or corrupting the devices
(hard disks, pen drives, etc.) connected to the PC where the boot process takes place.
The system is based on GNU/Linux; it can run live (from DVD-ROM or USB pen drive), be installed, or
run as a Virtual Appliance on VMware or VirtualBox. The distro employs LXDE as desktop
environment and WINE for executing Windows tools under Linux. It features a comfortable mount
manager for device management.
DEFT is paired with DART (acronym for Digital Advanced Response Toolkit), a forensics system
which can be run on Windows and contains the best tools for forensics and incident response.
DART features a GUI with logging and integrity checks for the tools it contains.
Besides all this, the DEFT staff is devoted to implementing and developing applications which are
released to Law Enforcement Officers, such as Autopsy 3 for Linux.
The system is currently used in several places and by several kinds of people, such as:
Military
Government Officers
Law Enforcement
Investigators
Expert Witnesses
IT Auditors
Universities
Individuals
The Volatility Framework
The Volatility Framework is a completely open collection of tools, implemented in Python under the
GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM)
samples. The extraction techniques are performed completely independently of the system being
investigated but offer visibility into the runtime state of the system. The framework is intended to
introduce people to the techniques and complexities associated with extracting digital artifacts from
volatile memory samples and to provide a platform for further work into this exciting area of research.
already very familiar to you. It also uses the popular Gnome desktop, so the graphical user
interface is one many users already use.
Architecture
OCFA consists of a back end for the Linux platform; it uses a PostgreSQL database for data storage,
a custom content-addressable storage or CarvFS based data repository, and a Lucene index. The
front end for OCFA has not been made publicly available due to licensing issues.
The framework integrates with other open source forensic tools and includes modules for The
Sleuth Kit, Scalpel, Photorec, libmagic, GNU Privacy Guard, objdump, exiftags, zip, 7-zip, tar,
gzip, bzip2, rar, antiword, qemu-img, and mbx2mbox. OCFA is extensible in C++ or Java.
CAINE
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution
created as a Digital Forensics project.
Currently the project manager is Nanni Bassetti.
CAINE offers a complete forensic environment that is organized to integrate existing software tools
as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
an interoperable environment that supports the digital investigator during the four phases of the
digital investigation
a user friendly graphical interface
user friendly tools
C.A.I.N.E. fully embodies the spirit of the Open Source philosophy: the project is completely open, so
anyone can take over the legacy of the previous developer or project manager. The distro is open
source, the Windows side (WinTaylor) is open source and, last but not least, the distro is installable,
so it can be rebuilt as a brand new version, giving the project a long life.
X-Ways Forensics
X-Ways Forensics is an advanced work environment for computer forensic examiners and our
flagship product. It runs under Windows XP/2003/Vista/2008/7/8/8.1*, 32 bit/64 bit,
standard/PE/FE. Compared to its competitors, X-Ways Forensics is more efficient to use after a
while, often runs faster, is not as resource-hungry, finds deleted files and search hits that the
competitors will miss, offers many features that the others lack, is made by a German company,
and comes at a fraction of the cost! X-Ways Forensics is fully portable and runs off a USB stick on
any given Windows system without installation. Unlike competing software, it does not require you to
set up an Oracle database that makes you wonder whether you can still load your case tomorrow.
It downloads and installs within seconds (just a few MB in size, not GB). Unlike with competing
software, you are free to use your licenses for teaching and may sell your licenses to someone else.
X-Ways Forensics is based on the WinHex hex and disk editor and is part of an efficient workflow
model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator.
Key Features:
Disk imaging and cloning
Ability to read file system structures inside various image files
Support for most file systems, including FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3, CDFS/ISO9660/Joliet, UDF
Automatic detection of deleted or lost hard disk partitions
Various data recovery techniques and powerful file carving
Bulk hash calculation
Viewing and editing binary data structures using templates
Easy detection of and access to NTFS alternate data streams (ADS)
Well-maintained file header signatures
Automated activity logging
Data authenticity
Complete case management
Memory and RAM analysis
Gallery view for pictures
Internal viewer for Windows registry files
Automated registry report
Extraction of metadata from various file types
Ability to extract emails from various email clients
And many more.
HELIX3
Helix3 Enterprise is an easy-to-use cyber security solution integrated into your network, giving you
visibility across your entire infrastructure and revealing malicious activities such as Internet abuse, data
sharing and harassment. H3E also allows you to isolate and respond to incidents or threats quickly
and without user detection through a central administration tool.
Helix3 Enterprise allows you to quickly Detect, Identify, Analyze, Preserve and Report, giving you
the evidence to reveal the truth and protect your business. This tool can collect data from physical
memory, network connections, user accounts, executing processes and services, scheduled jobs, the
Windows Registry, chat logs, screen captures, SAM files, applications, drivers, environment
variables and Internet history.
Easy to Use
Quick Implementation
Review Employee Internet Usage
Capture Screen Shots and Key Logging
e-Discovery Across the Entire Network
Sophisticated Computer Forensic Capabilities
Reporting
Capabilities
A summary of the tools contained in TSK can be found on the TSK Tool Overview page. Currently,
TSK supports the following file systems:
EXT2, EXT3, EXT4
FAT, exFAT
HFS
ISO 9660
NTFS
UFS 1, UFS 2
YAFFS2
The toolkit has the ability to securely examine raw disks, multiple file systems, and evidence
formats. It enforces strict rules on how evidence is examined (read-only), so that it can be verified
that the evidence has not changed.
Features
Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6;
Port Independent Protocol Identification (PIPI) for each application protocol;
Multithreading;
Output of data and information to an SQLite database, a MySQL database and/or files;
Each data item reassembled by Xplico is associated with an XML file that uniquely identifies the flows and
the pcap containing the reassembled data;
Real-time processing (depending on the number of flows, the types of protocols and the
performance of the computer: RAM, CPU, HD access time);
TCP reassembly with ACK verification for every packet, or soft ACK verification;
Reverse DNS lookup from DNS packets contained in the input files (pcap), not from an external
DNS server;
No size limit on input data or on the number of input files (the only limit is HD size);
IPv4 and IPv6 support;
Modularity. Each Xplico component is modular. The input interface, the protocol decoder
(Dissector) and the output interface (dispatcher) are all modules;
The ability to easily create any kind of dispatcher with which to organize the extracted data in the
way most appropriate and useful to you;
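TCP reassembly with ACK verification, the feature named in the list above, as an added example rather than Xplico code: one direction of a connection is rebuilt from segments supplied as constructed (seq, payload) tuples instead of being parsed from a pcap. Out-of-order segments are buffered until the hole before them is filled, retransmitted or overlapping bytes are dropped, and data is released as application data only once an ACK from the peer covers it, so bytes the receiver never confirmed are not presented as part of the session. The Reassembler class, its method names and the sample HTTP request are this example's own; sequence-number wraparound is not handled.

```python
"""One-direction TCP stream reassembly with ACK verification.  Added example,
not Xplico code; segments below are constructed (seq, payload) pairs, not parsed
from a capture.  Sequence numbers are treated as plain integers (no 2**32 wrap)."""


class Reassembler:
    """Rebuilds the byte stream of one direction of a TCP connection."""

    def __init__(self, isn):
        self.base = isn + 1            # first data byte: the SYN consumes one sequence number
        self.expected = self.base      # next sequence number we still need
        self.stream = bytearray()      # contiguous data from self.base up to self.expected
        self.pending = {}              # seq -> payload for segments that arrived early
        self.peer_ack = self.base      # highest ACK number seen in the reverse direction
        self.duplicate_bytes = 0       # bytes dropped as retransmitted / overlapping

    def add_segment(self, seq, payload):
        """Account for one data segment seen on the wire in this direction."""
        if not payload:
            return
        end = seq + len(payload)
        if end <= self.expected:                  # pure retransmission: nothing new
            self.duplicate_bytes += len(payload)
            return
        if seq < self.expected:                   # partial overlap: keep only the new tail
            self.duplicate_bytes += self.expected - seq
            payload = payload[self.expected - seq:]
            seq = self.expected
        if seq > self.expected:                   # a hole precedes it: hold until filled
            self.pending[seq] = payload
            return
        self.stream += payload
        self.expected = end
        self._drain()

    def _drain(self):
        """Append buffered segments that have become contiguous (trimming any overlap)."""
        for seq in sorted(self.pending):
            if seq > self.expected:
                break
            payload = self.pending.pop(seq)
            skip = self.expected - seq
            self.duplicate_bytes += min(skip, len(payload))
            if skip < len(payload):
                self.stream += payload[skip:]
                self.expected = seq + len(payload)

    def note_peer_ack(self, ack):
        """Record an acknowledgement number carried by a segment from the other side."""
        self.peer_ack = max(self.peer_ack, ack)

    def data(self, verified=True):
        """Application data so far.  verified=True releases only bytes the peer has
        acknowledged (ACK verification); verified=False releases everything contiguous,
        including data the receiver may never have confirmed."""
        if not verified:
            return bytes(self.stream)
        return bytes(self.stream[:max(0, self.peer_ack - self.base)])


def demo():
    """Constructed client->server flow with early, duplicate and overlapping segments.
    Returns (data verified after a partial ACK, data after the final ACK, dropped bytes)."""
    r = Reassembler(isn=1000)
    r.add_segment(1001, b"GET /index.html HTTP/1.1\r\n")   # in order, 26 bytes
    r.note_peer_ack(1027)
    r.add_segment(1046, b"\r\n")                           # arrives early: buffered
    r.add_segment(1001, b"GET /index.html HTTP/1.1\r\n")   # full retransmission: dropped
    r.add_segment(1020, b"P/1.1\r\nHost: ")                # 7 bytes overlap, 6 bytes new
    r.add_segment(1033, b"example.com\r\n")                # fills the hole, drains the buffer
    r.note_peer_ack(1046)                                  # peer has not yet acked the final CRLF
    partial = r.data(verified=True)
    r.note_peer_ack(1048)
    return partial, r.data(verified=True), r.duplicate_bytes


if __name__ == "__main__":
    partial, full, dropped = demo()
    print(partial)
    print(full)
    print("duplicate bytes dropped:", dropped)
```

With the peer's ACK stuck at 1046 only the request line and Host header are released; the closing CRLF, although already reassembled, is withheld until the ACK for 1048 arrives. The same reassembler run with verified=False shows the difference between strict and soft ACK handling on the same segments.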
Oxygen Forensic Suite
Oxygen Forensic Suite 2014 is mobile forensic software for logical analysis of cell phones,
smartphones and PDAs developed by Oxygen Software. The suite can extract device information,
contacts, calendar events, SMS messages, event logs, and files. In addition, the vendor claims the
suite can extract metadata related to the above. As of December 2014 the suite supported more than
8,400 devices, including Nokia, Apple iPhone series, Apple iPod Touch, Apple iPad, Vertu, Sony
Ericsson, Samsung, Motorola, BlackBerry, Panasonic, Siemens, HTC, HP, E-Ten, Gigabyte, i-Mate,
Chinese (Mediatek) phones and other mobile phones. The suite also supports devices running
Symbian OS, Windows Mobile 5/6, Microsoft Windows Phone 8 and Android OS.
The purpose of Oxygen Forensic Suite is to apply advanced data recovery algorithms in order to
gather a significant amount of information from the target digital storage media, which can then be
used in creating a legal evidence set.
PlainSight
PlainSight is a versatile computer forensics environment that allows inexperienced forensic
practitioners to perform common tasks using powerful open source tools. The team has taken the best
open source forensic/security tools, customised them, and combined them with an intuitive user
interface to create an incredibly powerful forensic environment.
Features
EnCase contains tools for several areas of the digital forensic process; acquisition, analysis and
reporting. The software also includes a scripting facility called EnScript with various APIs for
interacting with evidence.
Mobile forensics
As of EnCase V7, mobile phone analysis is possible with the addition of some add-ons available from
Guidance Software.
Features
Intuitive and efficient workflow
Resurrection of Windows Registries long since forgotten
Access to enormous amounts of deleted Registry data
Unique keys and values shown by default in historical fashion
Seamless access to all instances of keys and values
Windows restore point and volume shadow copy support
Ability to view keys (and their values) at particular points in time
XRY
XRY is a software application designed to run on the Windows operating system which allows you
to perform a secure forensic extraction of data from a wide variety of mobile devices, such as
smartphones, GPS navigation units, 3G modems, portable music players and the latest tablets
such as the iPad.
Extracting data from mobile/cell phones is a specialist skill and not the same as recovering
information from computers. Most mobile devices don't share the same operating systems and are
proprietary embedded devices which have unique configurations and operating systems. What does
that mean in terms of getting data out of them? Well, in simple terms, it means it is very difficult to
do.
XRY has been designed and developed to make that process a lot easier for you, with support for
over 13,000 different mobile device profiles and over 500 smartphone app versions. We supply a
complete solution to get you what you need and the software guides you through the process step by
step to make it as easy as possible.
Mandiant RedLine
Redline lets you analyze a potentially compromised Windows operating system (OS) memory and
file structure to find signs of malicious activity.
With Redline, you can:
Collect run processes, files, registry data, and memory images
View imported data, including narrowing and filtering results around a given timeframe using
Redline's TimeWrinkle and TimeCrunch features.
Identify processes more likely worth investigating based on their Redline Malware Risk Index
(MRI) score.
Perform Indicators of Compromise (IOC) analysis.
Use whitelists to filter out known valid data based on MD5 hash values.
Besides mounting forensic images as local drives, P2 eXplorer can be used to mount Paraben's
Forensic Containers. These encrypted storage containers can be used to share evidence from P2
Commander. Simply export pertinent evidence into a Forensic Container and anyone can review the
evidence using P2 eXplorer. You can also use P2 eXplorer and Forensic Containers to minimize
evidence storage. By exporting only significant evidence from a case, you can reduce your long-term
storage needs. Since P2 eXplorer is free, you can share your evidence with anyone you want.
Features:
Mounts images as physical disks
Mounts Paraben's Forensic Replicator images (PFR)
Mounts compressed & encrypted PFR images
Mounts EnCase images
Mounts SafeBack 1, 2 and 3 images
Mounts SMART images
Mounts FTK DD and FTK EnCase images
Mounts WinImage non-compressed images
Mounts RAW images from Linux DD & other tools
Mounts Paraben's Forensic Containers created in P2 Commander and Deployable P2 Commander
Mounts VMware static and dynamic disk images
Mounts VMware snapshots
VirtualPC static and dynamic disk images
VirtualPC snapshots
VirtualBox images (VDI)
Auto-detects image format
Supports both logical and physical image types
MD5 hash verification
Shell support for easy mounting/unmounting
Write-protection for preserving evidence
MD5 checksum verification
Mount several images at a time
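The integrity features mentioned for TSK (read-only examination, verifying that the evidence has not changed) and in the P2 eXplorer list (MD5 hash verification, write-protection) rest on the same discipline: hash the image at acquisition, record the digest, and recompute it before each examination. The following is an added example, not TSK or Paraben code. The "image" is a constructed 3 MiB file in a temporary directory, the sidecar JSON layout is this example's own convention, and SHA-256 is recorded alongside MD5 because MD5 collisions are practical: MD5 alone is adequate for detecting accidental corruption, not for proving that nobody substituted content.

```python
"""Evidence image integrity: record digests at acquisition, re-verify before analysis.
Added example, not TSK or P2 eXplorer code; the image and sidecar format are constructed."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20   # read 1 MiB at a time so multi-GB images are never loaded whole


def digest_image(path, algorithms=("md5", "sha256")):
    """Hash the image in a single pass, feeding each chunk to every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(image_path):
    """Write a sidecar JSON record (this example's own layout) with size and digests."""
    record = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "digests": digest_image(image_path),
    }
    sidecar = image_path + ".hashes.json"
    with open(sidecar, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return sidecar


def verify_image(image_path, sidecar):
    """Recompute the recorded digests and compare.  Returns (ok, mismatched fields);
    an examiner stops and documents the discrepancy whenever ok is False."""
    with open(sidecar, encoding="utf-8") as f:
        record = json.load(f)
    problems = []
    if os.path.getsize(image_path) != record["size"]:
        problems.append("size")
    current = digest_image(image_path, tuple(record["digests"]))
    for name, expected in record["digests"].items():
        if current[name] != expected:
            problems.append(name)
    return (not problems, problems)


def build_sample_image():
    """Constructed stand-in for a disk image: 3 MiB of patterned bytes in a temp file."""
    fd, path = tempfile.mkstemp(suffix=".dd", prefix="evidence_")
    with os.fdopen(fd, "wb") as f:
        for i in range(3):
            f.write(bytes([i]) * (1 << 20))
    return path


def tamper(image_path, offset=1_500_000):
    """Flip one byte in place: the kind of silent change a mount without
    write-protection can introduce (simulated here on the constructed image)."""
    with open(image_path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


def demo():
    """Verify a fresh image (passes), flip one byte, verify again (fails on every digest)."""
    image = build_sample_image()
    sidecar = record_acquisition(image)
    before = verify_image(image, sidecar)
    tamper(image)
    after = verify_image(image, sidecar)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

A single flipped byte leaves the size unchanged, so the size check alone passes while both digests fail; that is why the record carries digests and not just a byte count, and why the verification runs again every time the image is opened rather than once at intake.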
bulk_extractor is distinguished from other forensic tools by its speed and thoroughness. Because it
ignores file system structure, bulk_extractor can process different parts of the disk in parallel. In
practice, the program splits the disk up into 16 MiByte pages and processes one page on each
available core. This means that 24-core machines process a disk roughly 24 times faster than a
1-core machine. bulk_extractor is also thorough. That's because bulk_extractor automatically detects,
decompresses, and recursively re-processes compressed data that is compressed with a variety of
algorithms. Our testing has shown that there is a significant amount of compressed data in the
unallocated regions of file systems that is missed by most forensic tools that are commonly in use
today.
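The processing model just described, reduced to its essentials as an added example (not bulk_extractor code): the raw image is cut into fixed-size pages with a small overlap, pages are scanned in parallel worker processes, and any zlib or gzip stream found is inflated and scanned recursively, with each hit labelled by a forensic path that records the offset chain into the compressed data. Assumptions: only one feature type (e-mail addresses) is extracted, pages are 64 KiB instead of 16 MiB so the constructed three-page image exercises several workers, the whole image is passed to each worker as bytes where a real tool would memory-map the file, and recursion depth and inflated size are bounded so a hostile nested stream cannot exhaust memory.

```python
"""Page-parallel, file-system-agnostic feature extraction with recursive
decompression, in the style of bulk_extractor.  Added example, not bulk_extractor
code; the image is a constructed byte string and only e-mail addresses are scanned for."""
import gzip
import re
import zlib
from concurrent.futures import ProcessPoolExecutor

PAGE_SIZE = 64 * 1024        # bulk_extractor uses 16 MiB; small here to get several pages
MARGIN = 4096                # overlap so a feature straddling a page boundary is still seen
MAX_DEPTH = 3                # bound on nested decompression (archive inside archive)
MAX_STREAM = 1 << 20         # cap on bytes fed to / produced by one decompression
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ZLIB_MAGIC = b"\x78\x9c"     # zlib header for default compression level
GZIP_MAGIC = b"\x1f\x8b"


def decompress_candidates(buf):
    """Yield (offset, inflated bytes) for each zlib/gzip header that inflates to a
    complete stream.  decompressobj stops at end-of-stream, so trailing unrelated
    bytes are harmless; incomplete or bogus headers are skipped."""
    for magic in (ZLIB_MAGIC, GZIP_MAGIC):
        start = 0
        while (pos := buf.find(magic, start)) != -1:
            start = pos + 1
            wbits = zlib.MAX_WBITS if magic == ZLIB_MAGIC else 16 + zlib.MAX_WBITS
            d = zlib.decompressobj(wbits)
            try:
                out = d.decompress(buf[pos:pos + MAX_STREAM], MAX_STREAM)
            except zlib.error:
                continue
            if out and d.eof:
                yield pos, out


def scan_buffer(buf, base, path="", depth=0):
    """Return [(forensic_path, feature)].  A forensic path such as '66536-ZLIB-18'
    means: at image offset 66536 a zlib stream starts, and 18 bytes into its
    inflated content the feature was found."""
    found = [(f"{path}{base + m.start()}", m.group().decode("ascii"))
             for m in EMAIL_RE.finditer(buf)]
    if depth < MAX_DEPTH:
        for off, inner in decompress_candidates(buf):
            label = "ZLIB" if buf[off:off + 2] == ZLIB_MAGIC else "GZIP"
            found.extend(scan_buffer(inner, 0, f"{path}{base + off}-{label}-", depth + 1))
    return found


def scan_page(job):
    """Worker: scan one page plus its margin.  Runs in a separate process."""
    image, start = job
    return scan_buffer(image[start:start + PAGE_SIZE + MARGIN], start)


def scan_image(image, parallel=True):
    """Split the image into pages, scan them on all cores, and merge the hits.
    Hits duplicated by the margin overlap share a forensic path and collapse."""
    jobs = [(image, start) for start in range(0, len(image), PAGE_SIZE)]
    if parallel:
        with ProcessPoolExecutor() as pool:
            results = list(pool.map(scan_page, jobs))
    else:
        results = [scan_page(job) for job in jobs]
    hits = {}
    for page_hits in results:
        for fpath, value in page_hits:
            hits[fpath] = value
    return sorted(hits.items(), key=lambda kv: (int(kv[0].split("-")[0]), kv[0]))


def build_sample_image():
    """Constructed three-page 'disk image': a plaintext address, a zlib stream in
    'unallocated' space carrying an address, and a gzip stream nested in a zlib stream."""
    filler = b"\x00" * 1000
    nested = gzip.compress(b"nested hit: deep@nested.example")
    page0 = b"plain: alice@example.com " + filler
    page1 = filler + zlib.compress(b"from unallocated: bob@example.org") + filler
    page2 = filler + zlib.compress(b"wrapper " + nested) + filler
    image = bytearray()
    for page in (page0, page1, page2):
        image += page.ljust(PAGE_SIZE, b"\xff")
    return bytes(image)


if __name__ == "__main__":
    for fpath, value in scan_image(build_sample_image()):
        print(f"{fpath:28s} {value}")
```

The two compressed hits would be invisible to a scan that only looked at the raw bytes, which is the point the paragraph makes about compressed data in unallocated space. The margin handles features that cross a page boundary but not a compressed stream that starts inside one page and ends beyond the next page's margin; bulk_extractor has the same limitation, which is why its pages are large.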
Another advantage of ignoring file systems is that bulk_extractor can be used to process any digital
media. We have used the program to process hard drives, SSDs, optical media, camera cards, cell
phones, network packet dumps, and other kinds of digital information.