Free Tools
I've seen requests in several listservs for listings of free tools that people use during examinations, and most often, the response is something akin to "contact me off list". In my mind, that kind of defeats the purpose of the listserv...why not just close it down and move everyone to Craigslist?
Regardless, I thought that this would be a good way to start and even maintain a list of free tools (or at least some that have trials/demos available) that can/have been used during computer forensic examinations on Windows systems. I'll start by providing tools that I use, as well as links to other tools, and from there, I will expand the list as I receive information (ie, comments, emails, etc.)
General Tools
Perl - 'nuff said; mostly for creating my own tools
Strings/BinText
LiveView
Acquisition
FTK Imager - great for opening raw (ie, dd) images, .EOx files, .vmdk files, etc - even allows you to "acquire" other formats to raw/dd. Also great for selected file extraction from the image, when you don't need everything
dd - George M. Garner Jr's FAU
dcfldd - another CLI imaging tool, available for the Windows platform
Tableau TIM - coming Q4, 2009
Raptor - bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let's just use this one as a placeholder for all bootable Linux CDs...)
Image Mounting
IMDisk - great free tool for mounting Windows images on Windows systems, in read-only mode
VDKWin - another free tool
P2Explorer - from Paraben; free, requires registration
Image Analysis
TSK Tools - I've used mmls and fls mostly, but blkls is extremely useful, as well
ProDiscover, Basic Edition - Not a full suite, but very useful
AntiVirus Scanners (ClamWinPortable, SysClean, Malwarebytes)
Timeline Creation Tools (TSK tools, pasco, Perl scripts, etc.) - Perl scripts available from the Win4n6 Yahoo Group
Internet Evidence Finder (JADSoftware) - also, check out the Encrypted Disk Detector
Carving - foremost, scalpel, PhotoRec
DiskDigger - from Dmitry Brant; also check out NTFSWalker
File/Document Metadata
Structured Storage Extractor - view contents of structured storage/OLE files; this used to mean just MS Office (pre-2007) documents, but on Windows 7, this now means Sticky Notes, etc.
OffVis (fact sheet) -
Office 2007 document metadata (script) - look for cat_open_xml.pl; other tools available, as well
Skype Extractor -
PDF Tools - from Didier Stevens; some of Didier's tools have been incorporated into the VirusTotal site
MSI files - InstEd
Working with Email
Email Conversion Tools - may not be free
AvTech - Perl script
Emailchemy - from Weird Kid Software; demo available
Mail-Cure - free, described here
Aid4Mail - free trial available
Intella - from Vound Software; doesn't require that Outlook be installed; trial available
File Hashing
MD5Deep - also allows for other hashing algorithms
SSDeep - fuzzy hashing; is also incorporated into VirusTotal
Registry Analysis
RegRipper - includes rip, ripXP, and regslack
MiTeC Registry File Viewer
Didier Stevens' UserAssist
Pwdump7 or SAMInside - great way to get password hashes for cracking
Archive/Compression Utilities
IZArc
PeaZip
Other utilities
ExtractNow
Memory Collection/Analysis
Windd - 1.3, for x86 and x64 now available
MDD - ManTech's memory imaging tool; 32-bit, has the 4GB limit
Nigilant32 - from Matt Shannon, F-Response; Windows 2000/XP only
Volatility - XP SP 2&3 only
Memoryze - from Mandiant
Packet Analysis
NetworkMiner
WireShark
NetWitness Investigator
Tools for extracting files from streams - not all of the tools listed run on Windows
Browser Analysis
SQLite Spy (for Firefox 3 analysis)
Misc
U3 Launcher Log parser
Other Mandiant Tools (Highlighter, Web Historian, etc.)
MIR-ROR - read about it here; great tool from Russ McRee (read Russ's ISSA toolsmith write-ups on other tools)
ShadowExplorer (Dan Mares' VSS)
SMPlayer - "for troublesome videos"
Evidence Mover
Windows Search Index Extractor - Extract information in the Windows Desktop Search database (ie, windows.edb file)
Sites
Various thumbnail cache extractor applications can be found here.
NirSoft has a variety of free and useful utilities available.
RedWolf Computer Forensics - various parsing tools
VirusTotal
Any you'd like to add? Comment, or email me.
Addendum:
Prefetch Parser
Fox Analysis - browser analysis
MiTeC Windows Registry Recovery
MiTeC Windows Registry Analyzer (associated guide)
DigestIT 2004 MD5 Hash
Regardless, I thought that this would be a good way to start and even maintain a list of free tools (or at least some that have trials/demos available) that can/have been used during computer forensic examinations on Windows systems. I'll start by providing tools that I use, as well as links to other tools, and from there, I will expand the list as I receive information (ie, comments, emails, etc.)
General Tools
Perl - 'nuff said; mostly for creating my own tools
Strings/BinText
LiveView
Acquisition
FTK Imager - great for opening raw (ie, dd) images, .EOx files, .vmdk files, etc - even allows you to "acquire" other formats to raw/dd. Also great for selected file extraction from the image, when you don't need everything
dd - George M. Garner Jr's FAU
dcfldd - another CLI imaging tool, available for the Windows platform
Tableau TIM - coming Q4, 2009
Raptor - bootable Linux CD that can be used for imaging (this will likely open up a whole flurry of similar emails, so let's just use this one as a placeholder for all bootable Linux CDs...)
Image Mounting
IMDisk - great free tool for mounting Windows images on Windows systems, in read-only mode
VDKWin - another free tool
P2Explorer - from Paraben; free, requires registration
Image Analysis
TSK Tools - I've used mmls and fls mostly, but blkls is extremely useful, as well
ProDiscover, Basic Edition - Not a full suite, but very useful
AntiVirus Scanners (ClamWinPortable, SysClean, Malwarebytes)
Timeline Creation Tools (TSK tools, pasco, Perl scripts, etc.) - Perl scripts available from the Win4n6 Yahoo Group
Internet Evidence Finder (JADSoftware) - also, check out the Encrypted Disk Detector
Carving - foremost, scalpel, PhotoRec
DiskDigger - from Dmitry Brant; also check out NTFSWalker
File/Document Metadata
Structured Storage Extractor - view contents of structured storage/OLE files; this used to mean just MS Office (pre-2007) documents, but on Windows 7, this now means Sticky Notes, etc.
OffVis (fact sheet) -
Office 2007 document metadata (script) - look for cat_open_xml.pl; other tools available, as well
Skype Extractor -
PDF Tools - from Didier Stevens; some of Didier's tools have been incorporated into the VirusTotal site
MSI files - InstEd
Working with Email
Email Conversion Tools - may not be free
AvTech - Perl script
Emailchemy - from Weird Kid Software; demo available
Mail-Cure - free, described here
Aid4Mail - free trial available
Intella - from Vound Software; doesn't require that Outlook be installed; trial available
File Hashing
MD5Deep - also allows for other hashing algorithms
SSDeep - fuzzy hashing; is also incorporated into VirusTotal
Registry Analysis
RegRipper - includes rip, ripXP, and regslack
MiTeC Registry File Viewer
Didier Stevens' UserAssist
Pwdump7 or SAMInside - great way to get password hashes for cracking
Archive/Compression Utilities
IZArc
PeaZip
Other utilities
ExtractNow
Memory Collection/Analysis
Windd - 1.3, for x86 and x64 now available
MDD - ManTech's memory imaging tool; 32-bit, has the 4GB limit
Nigilant32 - from Matt Shannon, F-Response; Windows 2000/XP only
Volatility - XP SP 2&3 only
Memoryze - from Mandiant
Packet Analysis
NetworkMiner
WireShark
NetWitness Investigator
Tools for extracting files from streams - not all of the tools listed run on Windows
Browser Analysis
SQLite Spy (for Firefox 3 analysis)
Misc
U3 Launcher Log parser
Other Mandiant Tools (Highlighter, Web Historian, etc.)
MIR-ROR - read about it here; great tool from Russ McRee (read Russ's ISSA toolsmith write-ups on other tools)
ShadowExplorer (Dan Mares' VSS)
SMPlayer - "for troublesome videos"
Evidence Mover
Windows Search Index Extractor - Extract information in the Windows Desktop Search database (ie, windows.edb file)
Sites
Various thumbnail cache extractor applications can be found here.
NirSoft has a variety of free and useful utilities available.
RedWolf Computer Forensics - various parsing tools
VirusTotal
Any you'd like to add? Comment, or email me.
Addendum:
Prefetch Parser
Fox Analysis - browser analysis
MiTeC Windows Registry Recovery
MiTeC Windows Registry Analyzer (associated guide)
DigestIT 2004 MD5 Hash