 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
Tools
My investigation related tools are listed on this page.
Preservation Tools
Tools that can be used to help preserve the state of a system
Tribble
Joe's website
A hardware expansion card that can reliably acquire the volatile memory of a live system to removable storage. The hardware device directly accesses memory and does not require software to be loaded, which will overwrite possible evidence. This work has been conducted with Joe Grand.
Search Tools
Tools that can be used to search for digital evidence
Autopsy Forensic Browser
www.sleuthkit.org
An HTML-based front-end graphical interface to The Sleuth Kit (see below). Autopsy allows an investigator to examine a file system image from a "file manager"-like interface, view unallocated space and data structures, make timelines of file activity, and conduct keyword searches.
mac-robber
www.sleuthkit.org
A forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. The output can be used with The Sleuth Kit (see below) to create timelines of file activity.
The Sleuth Kit
www.sleuthkit.org
A collection of UNIX-based command line tools that allow an investigator to view the files and deleted content in NTFS, FAT, FFS, EXT2FS, and EXT3FS file system images. The tools also allow the investigator to perform hash database lookups and sort files based on their structure. The Autopsy browser (see above) can be used with TSK to automate many of the functions.
TCT-utils
tctutils-1.01.tar.gz
An add-on to The Coroner's Toolkit that provides file name analysis and mapping between file system layers. It is no longer supported (see The Sleuth Kit above).