201403 Guide to Free Forensic Audit Tools


  • 8/11/2019 201403 Guide to Free Forensic Audit Tools

    1/23

    This is the AuditNet Standard Risk Control Audit Matrix, which incorporates formats used by many audit organizations in their documentation working papers. There are format templates for risk control, audit procedures, questionnaires and checklists. There is a blank workpaper and a report summary that can be used by audit organizations. AuditNet has prepared a monograph for guidance on preparing and developing audit work programs, checklists, questionnaires and matrices. The monograph is available to AuditNet subscribers. For more information go to www.auditnet.org


    Audit Program Licensing Terms

    1. You accept that this product is intended for your use, and you will not duplicate in any form or manner, electronic or otherwise, copies of this product nor distribute this product to anyone else.

    2. You recognize that the product and its content are the sole property of AuditNet (the Publisher), and that we have copyrighted the product.

    3. You agree that the Publisher is not responsible for any interruption of service or malfunction that is a consequence of the Internet, a service provider, personal computer, browser or other software or hardware components. You accept that there is no guarantee that this product is totally error free. You further understand and accept that the Publisher intends to provide reliable information but does not guarantee the accuracy or completeness of any information, and is not responsible for any results obtained from the use of such information.

    4. This license is effective until terminated, when the license or subscription period ends without renewal, or when you destroy this product and any related documentation. The Publisher may terminate your license without notice if you fail to comply with the conditions set forth in this agreement, and may pursue any other legal recourse.


    This template was purchased by AuditNet from a third party under a work for hire agreement. However, while we have attempted to provide accurate information, no representation is made or warranty given as to the completeness or accuracy of the template. In particular, you should be aware that the template may be incomplete, may contain errors, or may have become out of date. While every reasonable precaution has been taken in the preparation of this template, neither the author nor AuditNet assumes responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. The information contained in this document is believed to be accurate. However, no guarantee is provided. Use this information at your own risk.


    Thank you for sharing your document(s) with AuditNet. You will receive the agreed upon compensation for each working paper that we accept subject to answering the due diligence questions and certification required by our attorney.

    The audit working papers (programs or documents) you send must be original and current. You must have either created the documents or have permission from whoever prepared them or from your organization to share. They must be in Word or Excel format (Excel preferred).

    Based on advice from legal counsel, before we accept the material and process your payment we need to perform due diligence on what you are sharing. You must answer these questions and your email response will be considered an electronic signature for purposes of this statement.

    Name:

    Organization:

    Title of the Audit Working Paper(s)

    a) Are you the author of the Materials (are the Materials original works that you created)?

    b) Please provide a brief explanation of the purpose of the working paper:

    c) Please provide the audit objectives for the working paper:

    d) By submitting the Materials or other communication or content after receipt of this notice, you grant AuditNet permission to, on an irrevocable, perpetual, worldwide and royalty-free basis, reproduce, distribute, display, perform, read, enhance, adapt, modify, create derivative works or use the Submitted Materials and any other such communication or content on this site, on any other site and anywhere throughout the world in all media?

    e) Please provide the industry sector for your contribution. (i.e. life insurance, banking, energy etc.)

    f) Please provide the functional area for your audit program.

    g) Please provide several keywords to help categorize programs and facilitate searches.


    h) Please ensure that you have removed (scrubbed) all confidential or proprietary information such as company name, employee name, email addresses, social security numbers, etc.

    Your name and email address will not be added to the Materials.

    Certification

    I hereby certify that I am the author of the materials shared or have written permission from the author and/or the organization that I work for in the form of a transfer of all rights or a license from the author to grant use of the Materials to AuditNet. By submitting the Materials or other communication or content after receipt of this notice, I hereby grant AuditNet permission to, on an irrevocable, perpetual, worldwide and royalty-free basis, reproduce, distribute, display, perform, read, enhance, adapt, modify, create derivative works or use the Submitted Materials and any other such communication or content on this site, on any other site and anywhere throughout the world in all media.

    Signed:

    Inserting your name here electronically will serve as a valid representation of your signature and will be considered binding

    Date:

    Price:

    PayPal:

    Payment Details if PayPal not an option:

    GUIDE TO ALL MAJOR FORENSIC TOOLS

    Yes

    A detailed listing which takes the user by hyperlink to the site for each type of available (online) forensic tools.

    This Guide provides a complete description of all available free forensic tools on the Internet.

    All

    IT & Non-IT - Resources

    Forensic, Audit, Tools, Guide

    Yes

    12/17/2013


    AN AUDITOR'S GUIDE TO FREE FORENSIC TOOLS, ALL AVAILABLE ONLINE, BY NAME, VENDOR AND DESCRIPTION

    Name | Vendor | Description | URL
    DumpIt | MoonSols | Generates physical memory dump of Windows machines, 32-bit and 64-bit. Can run from a USB flash drive. | http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
    EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link] | http://www1.guidancesoftware.com/Order-Forensic-Imager.aspx
    Encrypted Disk Detector* | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes | http://info.magnetforensics.com/encrypted-disk-detector
    FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32 | http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm
    FTK Imager* | AccessData | Imaging tool, disk viewer and image mounter | http://www.accessdata.com/support/product-downloads
    Guymager | vogu00 | Multi-threaded GUI imager running under Linux | http://guymager.sourceforge.net/
    HotSwap | Kazuyuki Nakayama | Safely remove SATA disks similar to the Safely Remove Hardware icon in the notification area | http://mt-naka.com/hotswap/index_enu.htm
    LiveView | CERT | Allows examiner to boot dd images in VMware. | http://www.sei.cmu.edu/digitalintelligence/tools/liveview/index.cfm
    P2 Explorer Free | Paraben | Mount forensic images as read-only local logical and physical disks | http://www.paraben.com/p2-explorer.html
    Live RAM Capturer* | Belkasoft | Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds | http://forensic.belkasoft.com/en/ram-capturer
    OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones. | http://www.osforensics.com/tools/create-disk-images.html
    OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks | http://www.osforensics.com/tools/mount-disk-images.html
    Tableau Imager* | Tableau | Imaging tool for use with Tableau imaging products | http://www.tableau.com/index.php?pageid=rev_history&product=tim&model=TSW-TIM
    VHD Tool | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management | http://archive.msdn.microsoft.com/vhdtool
    EDB Viewer | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server | http://www.nucleustechnologies.com/exchange-edb-viewer.html
    Mail Viewer | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files | http://www.mitec.cz/mailview.html
    OST Viewer | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server | http://www.nucleustechnologies.com/ost-viewer.html

    PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook | http://www.nucleustechnologies.com/pst-viewer.html
    Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl Regex | http://www.mythicsoft.com/page.aspx?type=agentransack&page=home
    CaseNotes Lite | Blackthorn | Contemporaneous notes recorder | http://www.blackthorn.com/casenotes-download/
    Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation | http://www.cfreds.nist.gov/
    EvidenceMover* | Nuix | Copies data between locations, with file comparison, verification, logging | http://www.nuix.com/Nuix-evidence-mover
    FastCopy | Shirouzu Hiroaki | Self-labelled fastest copy/delete Windows software. Can verify with SHA-1, etc. | http://ipmsg.org/tools/fastcopy.html.en
    File Signatures | Gary Kessler | Table of file signatures | http://www.garykessler.net/library/file_sigs.html
    HashMyFiles | Nirsoft | Calculate MD5 and SHA1 hashes | http://www.nirsoft.net/utils/hash_my_files.html
    MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to boot to them | http://mobalivecd-en.mobatek.net/
    Mouse Jiggler | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc. | http://mousejiggler.codeplex.com/
    Notepad ++ | Notepad ++ | Advanced Notepad replacement | http://notepad-plus-plus.org/
    NSRL | NIST | Hash sets of known (ignorable) files | http://www.nsrl.nist.gov/Downloads.htm
    Quick Hash | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files | http://sourceforge.net/projects/quickhash/
    USB Write Blocker | DSi | Enables software write-blocking of USB ports | http://dsicovery.com/dsicovery-software/usb-write-blocker/
    USB Write Blocker | Sécurité Multi-Secteurs | Software write blocker for Windows XP through to Windows 8 | http://www.securitemulti-secteurs.ca/teacuteleacutechargements.html
    Windows Forensic Environment | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD | http://winfe.wordpress.com/
    Advanced Prefetch Analyser | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files | http://www.ash368.com/

    analyzeMFT | David Kovar | Parses the MFT from an NTFS file system allowing results to be analyzed with other tools | https://github.com/dkovar/analyzeMFT
    Defraser | Various | Detects full and partial multimedia files in unallocated space | http://sourceforge.net/projects/defraser/
    eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc. | http://sourceforge.net/projects/ecryptfs-p/
    Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file | http://www.lostpassword.com/encryption-analyzer.htm
    ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types | http://www.sno.phy.queensu.ca/~phil/exiftool/
    Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data | http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software
    Highlighter | Mandiant | Examine log files using text, graphic or histogram views | http://www.mandiant.com/products/free_software/highlighter/
    LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details | http://www.nirsoft.net/utils/live_messenger_contacts.html
    RSA Netwitness Investigator* | EMC | Network packet capture and analysis | http://www.emc.com/security/rsa-netwitness.htm
    Memoryze | Mandiant | Acquire and/or analyze RAM images, including the page file on live systems | http://www.mandiant.com/products/free_software/memoryze/
    MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file | http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software
    NetSleuth | NetGrab | Network monitoring tool, with covert silent port scanning | http://www.netgrab.co.uk/
    PictureBox | Mikes Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format | http://www.mikesforensictools.co.uk/MFTPB.html
    PsTools | Microsoft | Suite of command-line Windows utilities | http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
    Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies | http://www.shadowexplorer.com/
    Simple File Parser | Chris Mayhew | GUI tool for parsing .lnk files, prefetch and jump list artefacts | http://simplefileparser.blogspot.co.uk/
    SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database | https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/
    Strings | Microsoft | Command-line tool for text searches | http://technet.microsoft.com/en-gb/sysinternals/bb897439.aspx
    Structured Storage Viewer | MiTec | View and manage MS OLE Structured Storage based files | http://www.mitec.cz/ssv.html

    Switch-a-Roo | Mikes Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc | http://www.mikesforensictools.co.uk/MFTSAR.html
    Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files | http://www.mitec.cz/wfa.html
    Audit | Twocanoes Software | Audit Preference Pane and Log Reader for OS X | https://github.com/twocanoes/audit
    Disk Arbitrator | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker in disabling disk arbitration | https://github.com/aburgh/Disk-Arbitrator
    Epoch Converter* | Blackbag Technologies | Converts epoch times to local time and UTC | https://www.blackbagtech.com/resources/freetools/epochconverter.html
    FTK Imager CLI for Mac OS* | AccessData | Command line Mac OS version of AccessData's FTK Imager | http://accessdata.com/support/adownloads
    IORegInfo | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected | https://www.blackbagtech.com/resources/freetools/ioreg-info.html
    Mac Memory Reader | Cyber Marshal | Command-line utility to capture physical RAM from Mac OS systems | http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader
    PMAP Info* | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors | https://www.blackbagtech.com/resources/freetools/pmap-info.html
    iPhone Analyzer | Leo Crawford, Mat Proud | Explore the internal file structure of iPad, iPod and iPhones | http://sourceforge.net/projects/iphoneanalyzer/
    ivMeta | Robin Wood | Extracts phone model and software version and created date and GPS data from iPhone videos. | http://www.csitech.co.uk/ivmeta-iphone-metadata/
    Rubus* | CCL Forensics | Deconstructs Blackberry .ipd backup files | http://www.cclgroupltd.com/Buy-Software/rubus-ipd-de-constructor-utility.html
    SAFT | SignalSEC Corp | Obtain SMS Messages, call logs and contacts from Android devices | http://www.signalsec.com/saft/
    WhatsApp Forensics | Zena Forensics | Extract WhatsApp messages from iOS and Android backups | http://blog.digital-forensics.it/2012/05/whatsapp-forensics.html
    Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) | http://www.sleuthkit.org/autopsy/
    Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability | http://www.backtrack-linux.org/

    Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools | http://www.caine-live.net/
    Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools | http://www.deftlinux.net/
    Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items | http://www.digital-forensic.org/
    Forensic Scanner | Harlan Carvey | Automates repetitive tasks of data collection. Fuller description here | https://github.com/appliedsec/forensicscanner
    Paladin* | Sumuri | Ubuntu based live boot CD for imaging and analysis | http://www.sumuri.com/
    SIFT* | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations | http://computer-forensics.sans.org/community/downloads/
    The Sleuth Kit | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools | http://www.sleuthkit.org/sleuthkit/
    Ubuntu guide | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc. | http://www.howtogeek.com/howto/15761/recover-data-like-a-forensics-expert-using-an-ubuntu-live-cd/
    Volatility Framework | Volatile Systems | Collection of tools for the extraction of artefacts from RAM | https://www.volatilesystems.com/default/volatility
    Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations | http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6
    Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams | http://www.microsoft.com/download/en/details.aspx?id=21701
    VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc. | http://www.videolan.org/
    Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files (Current Session, Last Session, Current Tabs, Last Tabs) | https://code.google.com/p/ccl-ssns/
    ChromeCacheView | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache | http://www.nirsoft.net/utils/chrome_cache_view.html
    Cookie Cutter | Mikes Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits. | http://www.mikesforensictools.co.uk/MFTCookie.html
    Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information. | http://www.dumpzilla.org/
    Facebook Profile Saver | Belkasoft | Captures information publicly available in Facebook profiles. | http://forensic.belkasoft.com/en/facebook_profile_saver

    IECookiesView | Nirsoft | Extracts various details of Internet Explorer cookies | http://www.nirsoft.net/utils/iecookies.html
    IEPassView | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 | http://www.nirsoft.net/utils/internet_explorer_password.html
    MozillaCacheView | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers | http://www.nirsoft.net/utils/mozilla_cache_viewer.html
    MozillaCookieView | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers | http://www.nirsoft.net/utils/mzcv.html
    MozillaHistoryView | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages | http://www.nirsoft.net/utils/mozilla_history_view.html
    MyLastSearch | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) | http://www.nirsoft.net/utils/my_last_search.html
    PasswordFox | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser | http://www.nirsoft.net/utils/passwordfox.html
    OperaCacheView | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache | http://www.nirsoft.net/utils/opera_cache_view.html
    OperaPassView | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat | http://www.nirsoft.net/utils/opera_password_recovery.html
    Web Historian | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers | http://www.mandiant.com/resources/download/web-historian
    Web Page Saver* | Magnet Forensics | Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages | http://info.magnetforensics.com/web-page-saver
    ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file | http://www.woanware.co.uk/forensics/forensicuserinfo.html
    Process Monitor | Microsoft | Examine Windows processes and registry threads in real time | http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
    Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents | http://www.digitalforensicssolutions.com/registrydecoder/
    RegRipper | Harlan Carvey | Registry data extraction and correlation tool | http://regripper.wordpress.com/
    Regshot | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software | http://sourceforge.net/projects/regshot/files/
    sbag | TZWorks | Extracts data from Shellbag entries | https://www.tzworks.net/prototype_page.php?proto_id=14
    USB Device Forensics | Woanware | Details previously attached USB devices on exported registry hives | http://www.woanware.co.uk/forensics/usbdeviceforensics.html

    USBDeview | Nirsoft | Details previously attached USB devices | http://www.nirsoft.net/utils/usb_devices_view.html
    UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time | http://blog.didierstevens.com/programs/userassist/
    Windows Registry Recovery | MiTec | Extracts configuration settings and other information from the Registry | http://www.mitec.cz/wrr.html
    Dropbox Decryptor* | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox | http://info.magnetforensics.com/dropbox-decryptor
    Google Maps Tile Investigator* | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context | http://info.magnetforensics.com/google-maps-tile-investigator
    KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application | http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software
    LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details | http://www.nirsoft.net/utils/live_messenger_contacts.html
    SkypeLogView | Nirsoft | View Skype calls and chats | http://www.nirsoft.net/utils/skype_log_view.html
    DCode | Digital Detective | Converts various data types to date/time values | http://www.digital-detective.co.uk/downloads.asp
    iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones | http://code.google.com/p/iphonebackupbrowser/
    ChromeAnalysis | Foxton Software | Analysis of internet history data generated using Google Chrome | http://forensic-software.co.uk/Downloads/Default.aspx
    IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs | http://www.nirsoft.net/utils/iehv.html

    *Entries marked with a star indicate that registration is required before downloading