FlashGet(网际快车) V3.7.0.1222 简体中文绿色版
During the 1980s, most digital forensic investigations consisted of "live analysis", examining digital media directly using non-specialist tools. In the 1990s, several freeware and other proprietary tools (both hardware and software) were created to allow investigations to take place without modifying media. This first set of tools mainly focused on computer forensics, although in recent years similar tools have evolved for the field of mobile device forensics.[1] This list includes notable examples of digital forensic tools.
Forensics-focused operating systems
[edit]Debian-based
[edit]- Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing, formerly known as BackTrack.[2]
- Parrot Security OS is a cloud-oriented Linux distribution based on Debian and designed to perform security and penetration tests, do forensic analysis, or act in anonymity. It uses the MATE Desktop Environment, Linux Kernel 4.6 or higher and it is available as a live lightweight installable ISO image for 32-bit, 64-bit and ARM processors with forensic options at boot, optimizations for programmers, and new custom pentesting tools.[citation needed]
Ubuntu-based
[edit]- CAINE Linux is an ubuntu-based live CD/DVD. CAINE stands for Computer Aided INvestigative Environment.
- PALADIN Linux is an ubuntu-based live CD/DVD. PALADIN is a non-persistent Xubuntu-based OS that comes preinstalled with a Toolkit of different forensic tools and applications.
Gentoo-based
[edit]- Pentoo
- Penetration Testing Overlay and Livecd is a live CD and Live USB designed for penetration testing and security assessment. Based on Gentoo Linux, Pentoo is provided both as 32-bit and 64-bit installable live CD. Pentoo also is available as an overlay for an existing Gentoo installation. It features packet injection patched Wi-Fi drivers, GPGPU cracking software, and many tools for penetration testing and security assessment. The Pentoo kernel includes grsecurity and PAX hardening and extra patches – with binaries compiled from a hardened toolchain with the latest nightly versions of some tools available.[3]
Computer forensics
[edit]| Name | Platform | License | Version | Description |
|---|---|---|---|---|
| Autopsy | Windows, macOS, Linux | Apache 2.0 | 4.21.0 | A digital forensics platform and GUI to The Sleuth Kit |
| Belkasoft Evidence Center X | Windows | proprietary | 2.7 | Multi-purpose tool for computer, mobile, memory and cloud forensics |
| Bulk_Extractor | Windows, MacOS and Linux | MIT | 2.1.1 | Extracts email addresses, URLs, and a variety of binary objects from unstructured data using recursive re-analysis. |
| COFEE | Windows | proprietary | n/a | A suite of tools for Windows developed by Microsoft |
| Digital Forensics Framework | Unix-like/Windows | GPL | 1.3 | Framework and user interfaces dedicated to digital forensics |
| Elcomsoft Premium Forensic Bundle | Windows, macOS | proprietary | 1435 | Set of tools for encrypted systems & data decryption and password recovery |
| EnCase | Windows | proprietary | 21.1 CE | Digital forensics suite created by Guidance Software |
| FTK | Windows | proprietary | 8.0 | Multi-purpose tool, FTK is a court-cited digital investigations platform built for speed, stability and ease of use. |
| IsoBuster | Windows | proprietary | 5.3 | Essential light weight tool to inspect any type data carrier, supporting a wide range of file systems, with advanced export functionality. |
| Magnet Axiom | Windows, macOS, Linux | proprietary | 9.2 | Magnet Axiom can recover and analyze digital evidence from Windows and Mac devices, Linux systems, and Chromebooks, all in one case file. |
| Netherlands Forensic Institute / Xiraf[4] / HANSKEN[5] | n/a | proprietary | n/a | Computer-forensic online service. |
| Open Computer Forensics Architecture | Linux | LGPL/GPL | 2.3.0 | Computer forensics framework for CF-Lab environment |
| PTK Forensics | LAMP | proprietary | 2.0 | GUI for The Sleuth Kit |
| The Coroner's Toolkit | Unix-like | IBM Public License | 1.19 | A suite of programs for Unix analysis |
| The Sleuth Kit | Unix-like/Windows | IPL, CPL, GPL | 4.12.0 | A library of tools for both Unix and Windows |
| Windows To Go | n/a | proprietary | n/a | Bootable operating system |
Memory forensics
[edit]Memory forensics tools are used to acquire or analyze a computer's volatile memory (RAM). They are often used in incident response situations to preserve evidence in memory that would be lost when a system is shut down, and to quickly detect stealthy malware by directly examining the operating system and other running software in memory.
| Name | Vendor or sponsor | Platform | License |
|---|---|---|---|
| Volatility | Volatile Systems | Windows and Linux | free (GPL) |
| WindowsSCOPE | BlueRISC | Windows | proprietary |
Mobile device forensics
[edit]Mobile forensics tools tend to consist of both a hardware and software component. Mobile phones come with a diverse range of connectors, the hardware devices support a number of different cables and perform the same role as a write blocker in computer devices.
| Name | Platform | License | Version | Description |
|---|---|---|---|---|
| Cellebrite UFED | Windows | proprietary | Hardware/software package, specializes in mobile forensic extraction | |
| Magnet Graykey | Windows, macOS, Linux | proprietary | 9.2 | Magnet Axiom/Graykey are a hardware/software package that can extract and analyze forensic evidence from mobile devices |
| MicroSystemation XRY/XACT[6] | Windows | proprietary | Hardware/software package, specializes in deleted data |
Software forensics
[edit]Software forensics is the science of analyzing software source code or binary code to determine whether intellectual property infringement or theft occurred. It is the centerpiece of lawsuits, trials, and settlements when companies are in dispute over issues involving software patents, copyrights, and trade secrets. Software forensics tools can compare code to determine correlation, a measure that can be used to guide a software forensics expert.
Other
[edit]| Name | Platform | License | Version | Description |
|---|---|---|---|---|
| DECAF | Windows | free | n/a | Tool which automatically executes a set of user defined actions on detecting Microsoft's COFEE tool |
| Evidence Eliminator | Windows | proprietary | 6.03 | Anti-forensics software, claims to delete files securely |
| HashKeeper | Windows | free | n/a | Database application for storing file hash signatures |
References
[edit]- ^ Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
- ^ "Kali Linux Has Been Released!". 12 March 2013. Archived from the original on 9 May 2013. Retrieved 18 March 2013.
- ^ "Pentoo 2015 – Security-Focused Livecd based on Gentoo". Archived from the original on 1 July 2018. Retrieved 1 July 2018.
- ^ Bhoedjang, R; et al. (February 2012). "Engineering an online computer forensic service". Digital Investigations. 9 (2): 96–108. doi:10.1016/j.diin.2012.10.001.
- ^ Huijbregts, J (2015). "Nieuwe forensische zoekmachine van NFI is 48 keer zo snel als voorganger". Tweakers. Retrieved 11 September 2018.
Named after the famous elephant Hansken, because of their tremendous memory
- ^ Mislan, Richard (2010). "Creating laboratories for undergraduate courses in mobile phone forensics". Proceedings of the 2010 ACM conference on Information technology education. ACM. pp. 111–116. doi:10.1145/1867651.1867680. ISBN 9781450303439. S2CID 15030269. Retrieved 29 November 2010.
Among the most popular tools are products named MicroSystemation GSM .XRY and .XACT, Cellebrite UFED, Susteen Secure View2, Paraben Device Seizure, Radio Tactics Aceso, Oxygen Phone Manager, and Compelson MobilEdit Forensic