My investigation related tools are listed on this page.
Tools that can be used to help preserve the state of a system
A hardware expansion card that can reliably acquire the volatile memory of a live system to removable storage. The hardware device directly accesses memory and does not require software to be loaded, which will overwrite possible evidence. This work has been conducted with Joe Grand.
Tools that can be used to search for digital evidence
Autopsy Forensic Browser
An HTML-based front-end graphical interface to The Sleuth Kit (see below). Autopsy allows an investigator to examine a file system image from a "file manager"-like interface, view unallocated space and data structures, make timelines of file activity, and conduct keyword searches.
A forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. The output can be used with The Sleuth Kit (see below) to create timelines of file activity.
The Sleuth Kit
A collection of UNIX-based command line tools that allow an investigator to view the files and deleted content in NTFS, FAT, FFS, EXT2FS, and EXT3FS file system images. The tools also allow the investigator to perform hash database lookups and sort files based on their structure. The Autopsy browser (see above) can be used with TSK to automate many of the functions.
An add-on to The Coroner's Toolkit that provides file name analysis and mapping between file system layers. It is no longer supported (see The Sleuth Kit above).
Copyright © 2005-2009 by Brian Carrier