By: Nihad Hassan
September 29, 2020
Top 12 Computer Forensics Tools
Each year, millions of people enter the internet era through computing devices such as laptops, tablets, and smartphones. The rapid expansion of this digital society has shifted a great number of crimes from traditional routes into the digital domain.
Computer forensics (also known as digital forensics) is a branch of forensic science that applies various investigative techniques to solve digital crimes. Jason Jordaan, a principal forensic scientist at DFIRLABS, defines computer forensics as "the identification, preservation, examination, and analysis of digital evidence, using scientifically accepted and validated process, and the ultimate presentation of that evidence in a court of law to answer some legal question."
This post will discuss the most prominent digital forensics programs used by computer forensics detectives to investigate digital evidence and solve cyber-crime cases.
1. Autopsy (https://www.sleuthkit.org/autopsy)
Autopsy (see Figure 1) is a graphical user interface (GUI) program that provides easy access to the command-line tools and C library included in The Sleuth Kit, along with other digital forensics tools. These components let Autopsy automate many of the forensic analysis tasks required in most investigations, such as recovering deleted files, analyzing the Windows registry, investigating e-mail messages, and examining unallocated disk space.
2. Volatility (https://www.volatilityfoundation.org)
This is a popular tool for analyzing RAM forensic images. It is a free, open-source, cross-platform program written in Python. Its development is now supported by a nonprofit organization known as the Volatility Foundation. Volatility (see Figure 2) comes preinstalled with many Linux security distributions such as Kali; however, the tool is also supported on Windows machines (as a standalone portable application).
3. Magnet RAM Capture (https://www.magnetforensics.com/resources/magnet-ram-capture)
This is a free Windows program for capturing RAM. It supports 32- and 64-bit Windows systems, including XP, Vista, 7, 8, 10, 2003, 2008, and 2012. Magnet RAM Capture (see Figure 3) stores the collected data in raw format.
4. Belkasoft Live RAM Capturer (https://belkasoft.com/ram-capturer)
Another tool for capturing RAM is Belkasoft Live RAM Capturer (see Figure 4). This is a free tool that is small and can run from a USB thumb drive. It can capture RAM's entire contents, even when protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit versions are available to minimize the tool's footprint as much as possible.
5. Wireshark (https://www.wireshark.org)
Wireshark (see Figure 5) is the most popular, and most powerful, tool for analyzing network traffic. It can capture traffic live and inspect every packet individually. Packet captures acquired from other sources can also be reviewed in its comfortable and intuitive GUI.
6. Febooti Hash and CRC (https://www.febooti.com/products/filetweak/members/hash-and-crc)
Febooti (see Figure 6) is a free cryptographic hash calculator that you can use to compute file checksums in many formats: CRC32, MD2, MD4, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320, WHIRLPOOL, and Tiger-192. Install this tool on your Windows PC, right-click the file whose hash you want to calculate, select Properties, and go to the Hash/CRC tab. Hashing is an important concept in the digital forensics field: you must calculate the hash value of every piece of digital evidence you acquire during an investigation (whether a hard disk image or a single file) so that you can later prove the acquired data has not been tampered with.
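As an added illustration of the hashing step just described (example code written for this article, not part of the original post or of any tool listed here), the following Python records the digests of an acquired file in a JSON manifest at acquisition time and re-verifies them later; the evidence file, its contents, and the manifest filename are constructed for the demonstration.

```python
import hashlib, io, json, os, tempfile
# Three of the algorithms listed above; all are available in hashlib.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1024 * 1024  # 1 MiB reads, so a multi-gigabyte image is never loaded whole

def hash_stream(stream, algorithms=ALGORITHMS):
    """Hash a binary stream with every algorithm in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=ALGORITHMS):
    return hash_stream(io.BytesIO(data), algorithms)

def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)

def write_manifest(evidence_path, manifest_path):
    """Record size and digests at acquisition time as the baseline for later checks."""
    record = {"file": os.path.basename(evidence_path),
              "size": os.path.getsize(evidence_path),
              "hashes": hash_file(evidence_path)}
    with open(manifest_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record

def verify_manifest(evidence_path, manifest_path):
    """Recompute the recorded digests; return the algorithms that no longer match."""
    with open(manifest_path) as fh:
        record = json.load(fh)
    current = hash_file(evidence_path, tuple(record["hashes"]))
    return sorted(n for n, d in record["hashes"].items() if current[n] != d)

def demo():
    """Constructed evidence file: verify it, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "evidence.raw")   # constructed sample, not real evidence
        manifest = evidence + ".json"
        with open(evidence, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample evidence" + b"\xff" * 4096)
        write_manifest(evidence, manifest)
        intact = verify_manifest(evidence, manifest)      # [] : nothing changed
        with open(evidence, "r+b") as fh:                 # simulate one altered byte
            fh.seek(4096)
            fh.write(b"C")
        tampered = verify_manifest(evidence, manifest)    # every digest now differs
        return intact, tampered
```

Keeping more than one algorithm in the manifest means a collision against the weakest one (MD5) still leaves the stronger digests as proof of integrity.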
7. Nirsoft (https://www.nirsoft.net)
Nirsoft (see Figure 7) provides a unique collection of small and useful freeware utilities. Many of them can be used in digital forensics, such as password recovery tools, Windows OS tools, browser tools, and network tools.
8. ExifTool (https://exiftool.org)
ExifTool (see Figure 8) can view and edit metadata stored in many formats, such as EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP, and ID3, as well as the maker notes of popular digital camera manufacturers.
9. Registry Recon (https://arsenalrecon.com)
Registry Recon, from Arsenal Recon, collects active, backed-up, and even deleted Windows Registry hives from forensic images. It can also rebuild the Windows registry from previous Windows installations.
10. Free Hex Editor Neo (https://www.hhdsoftware.com/free-hex-editor)
Free Hex Editor Neo (see Figure 10) allows you to view, modify, and analyze hexadecimal data in extra-large files and disks, in order to identify and retrieve information (such as fragments of deleted files) that cannot normally be accessed through the operating system.
11. Arsenal Image Mounter (https://arsenalrecon.com/products)
Arsenal Image Mounter (see Figure 11) is a free, open-source program. It mounts forensic images as complete disks in Windows (presented as real SCSI disks), allowing investigators to browse image contents as if they were browsing any directory of files. While the free version can mount any forensic image, the paid one offers richer features such as Volume Shadow Copy mounting and the ability to save disk images with fully decrypted BitLocker volumes.
This tool supports forensic images in raw and EnCase formats, and it supports the file systems used by Windows, such as NTFS and FAT32.
12. Redline (https://www.fireeye.com/services/freeware/redline.html)
FireEye gives the forensics community two popular free forensic tools to conduct digital forensics investigations:
Memoryze: This is a physical memory imaging and analysis command-line tool. In addition to capturing RAM images, it possesses the ability to perform advanced analysis of live memory while the computer is still running. Memoryze can also analyze memory image files, whether they were acquired using it or any other forensic software (e.g., DD-format).
Redline (see Figure 12): This is a Windows program for conducting a memory investigation of malicious artifacts in Windows physical memory.
That concludes our list of 12 popular computer forensics tools to help you with your cyber forensic investigations. Most of these tools are free, and even the commercial products offer a limited-functionality version for free use.