DC3 Validations


All DC3 Validations are UNCLASSIFIED//FOUO and for U.S. DoD and Federal law enforcement and counterintelligence (LE/CI) official use only. Authorized personnel with a CAC or PIV may access these validations through the DC3 Customer Portal. All others should contact DC3.XTInfo@us.af.mil.


Software Name  Versions  Vendor  Abstract
Adobe Acrobat 8.1 Adobe Adobe Acrobat allows users to create and edit PDF documents. PDF has become the standard that the U.S. Government uses when distributing and archiving documents. Among its many features is the ability to redact sensitive material from a document and remove any metadata and other elements that the user does not wish to be disseminated.
Aid4Mail 2.6 Fookes Software Ltd. Aid4Mail is a mail conversion application for migrating, searching, extracting, and archiving email messages. The tool supports many email client programs and formats, as well as webmail through Internet Message Access Protocol (IMAP).
AnalyzeMFT 1.7 David Kovar AnalyzeMFT is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in a format that allows further analysis with other tools.
APF 1.002 Digital Assembly APF was developed by Digital Assembly. APF is a Windows based tool used to carve picture files from a disk or disk image. The carving operations are accomplished using several methods. These include sequential carving of unallocated space, carving based on data left in system logs, using human expertise to recover fragmented files, and applying a proprietary method.
Apple SAN Process Validation   DC3/DCFL Apple SAN Process Validation was developed by the I&E group to document the way that evidence will be duplicated and made ready for later processing by a lab investigator. The process defines how evidence is labeled and tracked, and provides an archive of that evidence should it need to be reproduced after a device failure or for later reprocessing.
Ariadne 2.1.7 DC3/DCFL Ariadne is used to automatically carve encoded and obfuscated code in supported file types.
AScan 5.0, 4.1, 3.5, 3.0, 2.0 DC3/DCCI AScan is a command line tool used in the Windows environment to extract information from the files and data structures of FrostWire, LimeWire, BearShare, Ares Galaxy, and Vuze/Azureus, and from unused space, for artifacts of those products. AScan collects and organizes the information into an HTML document that presents the artifact information in an easy-to-read format.
Audit Viewer 1.4 Mandiant Corporation Audit Viewer runs on the Microsoft Windows operating system. It is used for viewing output files produced by Memoryze and other tools that create raw memory dumps. Audit Viewer has a GUI that helps users select, view, and print bulky memory dumps. Data is divided and displayed in an easy-to-read format on the screen and on paper. The GUI invokes Memoryze with a mouse click instead of from the command line.
Autopsy 2.2 Wietse Venema & Dan Farmer Autopsy is a graphical interface to utilities found in The Sleuth Kit (TSK). TSK is a collection of command line tools that allow the user to investigate a Windows or UNIX system by examining the hard disk contents. TSK shows the files, data units, and metadata of NTFS, FAT, EXTxFS, and UFS file system images in a read-only environment. This allows the user to search for specific types of evidence based on keywords, MAC times, hash values, and file types.
Autopsy 3.1.2 Basis Technology Corp. Autopsy was developed by Basis Technology Corp. Autopsy is a custom front-end application for TSK (The SleuthKit) which provides a user interface, as well as case management. TSK is a library and collection of Unix and Windows based tools and utilities to allow for the forensic analysis of computer systems. Autopsy can be used to perform digital investigations and data extraction from images of mobile devices, Windows, Linux, and Unix systems.
BinText 3.01 Foundstone BinText is designed to extract plain ASCII text, Unicode (double byte ANSI) text, and Resource strings from a file. BinText's capabilities include an advanced view mode and filtering options that help prevent unwanted text from being listed. The gathered information can be searched and saved to a separate file either as plain text or in tabular form.
Black Bag Macintosh Forensic Suite 2.5 BlackBag Technologies, Inc. The Black Bag Macintosh Forensic Suite is a unique set of tools that provide forensic examiners with a flexible, open environment within which to perform their analysis. It is specifically designed for the Mac OS X operating system. Applications are designed to efficiently carve and copy the pertinent sectors of a target hard drive, reducing the examiner's analysis time while ensuring a thorough investigation of the drive.
BlackLight 2016 R3.1, 2016r2.0 (Windows), 2014r4 (Mac OSX), 2012r2 (Mac OS) BlackBag Technologies, Inc. BlackLight was developed by BlackBag Technologies, Inc. BlackLight is a tool used to help investigators conduct digital forensic investigations on Apple computers, iPods, iPhones, and iPads in a native Macintosh environment. BlackLight is designed for both novice and advanced users and offers a clean interface featuring easy navigation and powerful advanced options. The BlackLight graphical user interface (GUI) was specifically designed to give forensic examiners both robust capabilities and an intuitive and elegant user experience throughout all phases of a digital forensic investigation.
Blindside Stegextraction Tool 1 Blindside Blindside Stegextraction Tool is a Windows command line application created to identify bitmap files containing data that was hidden with the steganography program Blindside. Bs_break will determine a working password, if one was used, and extract the hidden data. The extracted data is decrypted and uncompressed. Bs_break produces a log in HTML format that can be opened in any web browser. The log contains the list of files found to contain hidden Blindside data and hypertext links to the extracted documents.
Bookmark Extractor 1 DC3/DCCI Bookmark Extractor is an EnCase EnScript designed to extract user selected bookmarks to a user specified file.
CacheBack 3.7.8, 3.7.21, 2.8.11 SiQuest Corporation CacheBack was developed by the SiQuest Corporation. CacheBack is a tool used for retrieving and displaying Internet browser records. The tool's main feature is the ability to rebuild cached webpages and display them to the examiner, but there are many additional features.
CaptureBat 2 The Honeynet Project CaptureBat is a Windows-based behavioral analysis tool designed to find out how software operates on a system without having the source code. This is accomplished by monitoring the system's registry, process, and file activities. CaptureBat is executed on a live system and monitors activity while running. Changes made to the system are reported to the user. CaptureBat can also create copies of files that are deleted while it is running.
CD/DVD Inspector 4.1, 4.0 InfinaDyne CD/DVD Inspector was developed by InfinaDyne. CD/DVD Inspector utilizes knowledge of how optical media works and how the file systems are constructed to dig out lost and hidden files that otherwise would not be available.
CDRoller 10.60.20 Digital Atlantic Corp. CDRoller was developed by Digital Atlantic Corp. CDRoller is a toolset for data recovery from optical discs (CD, DVD, Blu-ray), hard and flash drives, memory cards, and floppy disks.
Cert CC VMWare Tools 1.3 CERT/CC & VMWare, Inc. Cert CC VMWare Tools are used to obfuscate the virtual machine platform so that flaws in the platform do not allow malware to detect it.
Chat Examiner 1.0.2 Paraben Paraben's Chat Examiner v1.0.2 is a program designed to locate chat logs and create reports based on the chats it identifies.
Computer Online Forensic Evidence Extractor (COFEE) 1 Microsoft Corporation COFEE is a Windows-based incident responder's toolkit for live analysis of a victim system. The software is loaded onto a responder's analysis machine, where the live analysis configuration is created. The configuration files and scripts to run on the victim machine are then loaded onto a USB thumb drive. COFEE contains report generation functionality to display the results of the scripts run on the victim machine.
Covert Forensic Imaging Device (CFID)   Teel Technologies CFID was designed as an inconspicuous solution for forward exploration and intelligence personnel to perform normal imaging and extraction functions. The tool was designed specifically for portable media such as USB and SD cards.
Data Extraction & Naming Tool (DENT) 0 Idaho National Laboratory DENT is designed to offer fast, flexible, and customizable file carving for multiple file systems. The function is to copy files from the target file system, which are of interest to the end-user based on the plug-ins selected, and organize the files collected into a defined area with a structure to make the output easier to index and view.
DatView 2.1 DC3/DCCI DatView is designed to decode .dat files created by KaZaA and/or KaZaAlite. KaZaA and KaZaAlite are publicly available programs that enable peer-to-peer file exchanges.
DBAN 2.2.6 Darik Horn DBAN was developed by Darik Horn, and Boot And Nuke is a registered trademark of GEEP EDS LLC. DBAN is a boot disk that completely wipes a hard drive or selected partition. Six wiping methods are available: 1) Quick Erase, 2) RCMP TSSIT OPS-II, 3) DoD Short, 4) DoD 5220.22-M, 5) Gutmann Wipe, and 6) PRNG Stream. DBAN claims to prevent or thoroughly hinder all known techniques of hard disk forensic analysis.
DbbView 2.1 DC3/DCCI DbbView is designed to decode .dat files created by KaZaA and/or KaZaAlite. KaZaA and KaZaAlite are publicly available programs that enable peer-to-peer file exchanges.
DBXtract 3.7 Stephen L. Cochran DBXtract is a free stand-alone utility that is designed to extract email messages out of corrupt Outlook Express databases (.dbx) and turn them into individual .eml files. It may also be able to recover email that has been permanently deleted from the Deleted Items.dbx.
DC3 Computer Vision (CV) 3.0, 3.0 (Windows 7) DC3/DCCI DC3 Computer Vision (CV) is a DC3-developed, special purpose tool used to reduce the time an examiner spends sifting through large directories of image files. With DC3 Computer Vision (CV), examiners can use pre-trained datasets or easily create custom datasets from pictures they have of persons of interest. Using these datasets, DC3 Computer Vision (CV) finds other look-alikes automatically and presents findings in a built-in viewer. DC3 Computer Vision (CV) can be run either in a Graphical User Interface (GUI) or from a command line.
DC3 Forensic File Mount 1.0 (Windows 10), 1.0 (Windows 7) DC3 DC3FFM was developed by DC3. The tool is an NFS server based around the SleuthKit (v4.1.3). DC3FFM allows the examiner to mount any file system supported by TSK, including ext3, ext4 and HFS, file systems that cannot otherwise be mounted on a Windows system. Every partition on the target drive image can be mounted, so the examiner is able to look at the MFT or Linux swap space if desired.
DC3 Triage 2.0.0.274, 1.0.0.189 DC3/DCCI DC3 Triage was developed by the Defense Cyber Crime Center (DC3), DC3 Cyber Crime Institute (DCCI). DC3 Triage integrates Drive Prophet from Guardian Digital Forensics, as well as StegCarver, VideoValidator, HumanDetect, and AScan from DCCI. It implements a capability to quickly evaluate folders or disk image (dd type) files for items of interest in an investigation.
DC3_StegCarver 5.7, 5.0, 4.9 DC3/DCCI DC3_StegCarver is a special purpose carving tool designed to carve key file types out of data inadvertently appended to image files, but it can also be used to carve data from any directory of files, including files representing free space, swap (paging) files, memory dumps, slack space, and dd images.
DC3_StegCarver Viewer 1.0.3161 DC3/DCCI The DC3_StegCarver Viewer tool is used to reduce the time an examiner spends sifting through file carving results.
DC3DD 7.2.641, 7.2.629, 7.2.627, 7.2.626, 7.1.604, 7.0.0, 6.12.4, 6.12.2 DC3/DCCI DC3DD is a command line tool used in the Linux, Mac OS and Windows environments. The purpose of DC3DD is to image and hash case evidence drives to be used in the lab for examination. DC3DD provides a tool for the Linux, Mac OS and Windows environments that delivers the logging and specific data formats that help the lab provide automatically generated byte counts and sector counts while properly handling bad sectors when encountered. This new version provides the capability of creating multiple output streams to different devices and/or files and allows for the automatic hashing of the resultant images if desired. The log also contains all the information needed to recreate the images, maintaining a listing of the settings and the command used to create the image, to be passed on to an examiner for examination. The multithread enhancement allows DC3DD to take advantage of multiprocessor platforms to reduce the time it takes to perform the requested functions.
DC3OSS 2c_20141017 DC3/DCCI DC3OSS was developed by the Defense Cyber Crime Center (DC3). It is a live CD tool based on the Knoppix 7.0 distribution. DC3OSS allows law enforcement investigators in the field to preview a suspect's computer before making a decision on whether to seize the computer.
DCCI_Video Validator 2.0, 1.0 DC3/DCCI The DCCI_Video Validator tool is used mainly to quickly verify whether or not video fragments obtained by data carving techniques can be played. The tool can run as a standalone application or from within DCCI_StegCarver. DCCI_Video Validator is capable of creating thumbnail storyboards for any validated videos.
Decode 2.07 Digital Detective Group, Ltd. Decode was developed by Digital Detective. Decode was designed to decode the various date/time values found embedded within binary and other file types. It supports various Windows, Unix and HFS date/time formats and will allow you to specify the offset from GMT.
DITTO DX Forensic Field Station Firmware 2016Dec05A DITTO The hand-held Ditto DX Forensic Field Station is used by a technician in creating local, remote, or networked disk clones and images, including logical imaging of user-selectable lists of files and folders. It can be configured and managed over the network or on the unit itself. The Ditto DX also helps log user activity and maintains chain of custody while using forensic (write-blocked) methods. An easy-to-use web browser interface supports remote operation via network or VPN, providing access to Ditto DX configuration, user administration and user rights, as well as direct operation of Ditto DX cloning and imaging operations.
DITTO Forensic Field Station Firmware 2016Dec05A DITTO The hand-held Ditto Forensic Field Station is used by a technician in creating local, remote, or networked disk clones and images, including logical imaging of user-selectable lists of files and folders. It can be configured and managed over the network or on the unit itself. The Ditto also helps log user activity and maintains chain of custody while using forensic (write-blocked) methods. An easy-to-use web browser interface supports remote operation via network or VPN, providing access to Ditto configuration, user administration and user rights, as well as direct operation of Ditto cloning and imaging operations.
Dell Latitude E6220 laptop hardware E6220 Dell The Dell Latitude E6220 laptop hardware testing detailed in this validation report is intended to determine whether the specific requirements, as outlined in Section 3.0, are satisfied. The testing is limited to validating features and capabilities as identified by the requesting party. This report does not imply or constitute an endorsement by the Defense Cyber Crime Center (DC3), the Defense Cyber Crime Institute (DCCI), or the United States Government.
Distributed Network Attack (DNA) 3.3 AccessData DNA allows the user to recover passwords and gain access to critical information in computer files. DNA provides password-cracking modules for most industry standard applications. Its function is similar to that of Password Recovery Toolkit (PRTK), but it utilizes the processing power of many computers to recover passwords.
DumpIt 1.3.2.20110401 Matthieu Suiche & MoonSols DumpIt is a command line based tool for either 32-bit or 64-bit systems that allows the user to acquire an image of the system's memory. Raw (dd-style) memory dump files can be generated for the current system's memory.
EFDetect 1.8, 1.3 DC3/DCCI EFDetect was developed by the Defense Cyber Crime Institute. Using algorithms developed by DCCI, DCCI_EFDetect recursively searches drives and directories for TrueCrypt, TCSteg, TCSTEG v2, DriveCrypt, Steganos, MS Office, PDF, 7-zip, PKzip, Winrar, EFS, and Video Padlock files that appear to be encrypted or password protected. To minimize false positives, users can update the excludeList.txt file, which is distributed with the executable, with information identifying files that are known to create false hits.
Email Detective 4.0.3 Hot Pepper Technology Email Detective allows investigators to extract the email contents from AOL's database stores on a user's computer disk drive. A comprehensive report is produced for the forensic investigator detailing all messages and photos retrieved.
EnCase 7.10.05.12 (Windows 10), 7.10.05.12 (Windows 7), 7.09.02, 7.08, 7.06, 7.05.02.03, 6.19.7, 6.18.0.59, 6.15.0.82, 6.13.0.43, 6.11 Guidance Software EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities.
Epilog 1.3.0 CCL Forensics Epilog was developed by CCL Forensics. It is able to parse SQLite database files, WAL files, and Journal files in order to recover deleted entries, reconstruct portions of malformed databases, and determine the sequence in which database events occurred when running in WAL mode.
eSATA Ultra Dock write blocker   WiebeTech The eSATA Ultra Dock write blocker provides write-blocking via WiebeTech's proprietary write-block technology, which offers easy read-only access to suspect hard drives through high speed FireWire 800 (400 compatible), USB2, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software.
Falcon Forensic Imaging Station 3.2.48-logicube-ng.16 Logicube The Falcon was developed by Logicube. The Falcon images and verifies the following formats: native or mirror copies, dd images, e01, ex01, and file-based copies. e01 and ex01 feature user-selectable compression levels, and the Falcon supports SHA1, SHA256, or MD5 authentication. The Falcon can simultaneously perform multiple imaging tasks from one or two drives to multiple output drives in different formats.
Fast Disk Acquisition System (FDAS) 1.5 CyanLine FDAS gives the digital forensic examiner the ability to extract a forensically sound image in 'dd' format at a faster rate than would be possible with conventional techniques.
FastDump Pro 2 HB Gary, Inc. FastDump Pro software is a standalone, Windows based, executable program driven from a command prompt. When running the program, the current run state is collected by copying data from RAM to the local disk or external media. The output data is a standard binary formatted file or a proprietary formatted HPAK file.
FDE 4.1.0.1092, 4.1.0.1065, 4.1.0.1061, 3.0.0.999/1004, 3.0.0.968, 3.0.0.935, 2.1, 2.0 DC3/DCCI FDE was developed by DCCI. FDE was created to provide a triage function for DCFL and submitting case agents. The Carver EnScript carves out all graphics, movies, chat, email with graphic attachments, web cache, and web searches from the disk images in a case. The DCFL Frontend is then run to generate thumbnails and Human and Real scores. These files, and the Case Agent (Thinstall) Frontend, are sent to the case agent for review. After tagging files of interest, an XML file is sent back to DCFL and imported into the EnCase v7.09.02 case file with the Importer EnScript, which creates bookmarks for the files of interest.
FDPro 2 HB Gary, Inc. FDPro was developed by HB Gary, Inc. The software is a standalone, Windows based, executable program driven from a command prompt. When running the program, the current run state of its host is collected by copying data from RAM to the local disk or external media.
File Buddy 9.0.1 Skytag Software File Buddy was developed by Skytag Software as a file management suite for the Macintosh Operating System, OS X. The main function of File Buddy is to manage a large volume of files and folders using a set of tools.
FMAV Command Line 1 DC3/DCCI FMAV Command Line is used to scan a selected directory or media device for the presence of malicious software. It utilizes a preconfigured virtual machine with several antivirus suites installed to perform the scan. The tool is available in both GUI and command line modes; this validation pertains only to the command line mode.
Forensic Box 1.44 Unknown Forensic Box can open and read files created during a chat session on Windows Live Messenger, making the contents available for viewing or exporting. Files include Contact lists, passwords and credentials.
Forensic Labdock   WiebeTech Forensic Labdock write-block support is provided via WiebeTech's proprietary write-block technology. This offers easy read-only access to suspect hard drives through high speed FireWire 800 (400 compatible) or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software.
Forensic Recovery of Evidence Device (FRED)     FRED (Forensic Recovery of Evidence Device) is a desktop computer constructed with a number of removable bays of different types, as well as built-in write blockers to accommodate add-on devices where needed.
Forensic Explorer 1.0, 1.6.1, 3.6.8 GetData Forensics Pty Ltd. Forensic Explorer is a Windows-based digital forensic investigation suite created by GetData Forensics Pty Ltd. It provides imaging, analysis, and reporting capabilities.
FRED Operational Test     The purpose of this study and testing is to investigate the discrepancy in the count of images extracted by an EnCase EnScript when executed on an HP xw8200 workstation versus the SuperFRED machine. This discrepancy was first reported by an examiner working on the Focused Data Extraction (FDE) project in DCFL. In all cases reported, the EnScript operating on the SuperFRED consistently reported a smaller number of images than the HP xw8200.
Forensic Toolkit (FTK) 6.0.1.30, 5.4, 4.0.1 (Dell T7500S), 3.2, 1.81.5, 1.81 AccessData FTK was developed by AccessData. It is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to conduct analysis of various media types, including hashing and searching for keywords, as well as bookmarking and reporting capabilities.
Forensic Toolkit (FTK) Imager 4.1.1, 3.4.3, 3.4.2.2, 3.4.0.1, 3.1.2.0, 3.1.1 (Ubuntu 64-bit), 3.1.1 (Mac OSX), 3.1.0.1514, 3.0.0.1443, 2.6.1.6.2, 2.5.4 AccessData FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence.
Gargoyle Investigator Forensic Pro   WetStone Technologies Gargoyle Investigator Forensic Pro is used to collect and organize the information regarding the contents of a suspect's computer or an image of it. Gargoyle maps detected files to associated weapons, and classifies them into a category of malware when found.
Genpmk (BackTrack 3) 1 Max Moser, Mati Aharoni, Martin J. Muench & others Genpmk creates a rainbow table from plaintext passphrases. Another Backtrack utility, coWPAtty, must be executed to prove that the rainbow table was created correctly. It performs a brute force attack utilizing rainbow tables to recover the password of a WPA-secured network.
GMER 1.0.15.14966 Przemyslaw Gmerek GMER was developed by Przemyslaw Gmerek. GMER scans live systems for hidden processes, hidden threads, hidden services, hidden files, hidden alternate data streams, hidden registry keys, drivers hooking SSDT (System Service Descriptor Table), drivers hooking IDT (Interrupt Descriptor Table), drivers hooking IRP (I/O Request Packet) calls, and inline hooks.
GTKhash 0.7.0 Tristan Heaven GTKhash was developed by Tristan Heaven. GTKhash is a GTK+ utility for computing message digests or checksums. It supports a number of hashing functions including MD5, MD6, SHA1, SHA256, SHA512, RIPEMD, TIGER, and WHIRLPOOL. GTKhash can be run against individual files or against a group of files (allowing for a batch hashing job).
Guymager 0.7.3 Guy Voncken Guymager was developed by Guy Voncken. Guymager is a free forensic imager for media acquisition. Guymager runs under Linux and utilizes multi-processor and multi-threaded capabilities for operations such as data compression. Guymager can create flat dd image files, EnCase E01 image files, AFF image files, or clone a hard disk. Guymager can also perform hash verification of evidence.
Hashcalc 2.02 SlavaSoft, Inc. HashCalc is a utility that allows users to compute message digests, checksums and HMACs for files, as well as for text and hex strings. It offers a choice of 11 different hash and checksum algorithms for calculations.
Hashdeep 4.3, 4.1, 3.9.2 Jesse Kornblum Hashdeep performs hashing of files and physical devices and is capable of employing a number of different hashing algorithms. The hashdeep executable is the same as the md5deep executable (their hash values are the same).
Hashdeep for Ubuntu 4.3 Jesse Kornblum Hashdeep performs hashing of files and physical devices and is capable of employing a number of different hashing algorithms.
HashTab 5.0.0.19, 3.0, 2.3 Cody Batt HashTab was developed by Cody Batt. HashTab provides OS extensions to calculate file hashes. HashTab supports many hash algorithms including MD5, SHA1, SHA2, RipeMD, HAVAL, and Whirlpool.
hdiutil   Apple Inc. hdiutil is a command-line tool developed by Apple Inc. as a part of the OS X operating system. The purpose of this tool is to create and manipulate disk image files using the disk image framework.
hfsdebug 4.32 Amit Singh hfsdebug is an OS X-based tool for exploring HFS+ internals rather than a debugger in the usual sense: it cannot make any changes to the volume being examined.
HVM and SCARF   DC3/DCCI (HVM) and NSA (SCARF) The purpose of this study was to evaluate two tools that provided automated malware analysis for examiners in DCFL. The two tools being evaluated were the Heuristics Virtual Machine (HVM) and Scan Computer and Report Findings (SCARF). Each of these tools employed the same virtual machine technology but in two different fashions.
Icarus Image String Searching Tool 1 Chris Richardson The purpose of this study is to satisfy the requirements as stated in the 500 - Language Identifier and Translator requirements document. The 500 level challenge seeks to develop a Graphical User Interface (GUI) tool that runs from external media to search for text and perform language translations to produce documents that contain offensive terms. The tool locates and exports files identified as containing keywords from a canned source and/or entered by the operator. The tool should allow the user to select the input and translated languages.
IISP Heuristics VM   DC3/DCCI The Heuristics VM is a Windows-based virtual machine developed by DCCI. This VM is loaded onto the examiner machine with ten anti-virus applications installed. The function of this VM is to run the anti-virus applications against a piece of media with suspected malware.
ILook 8.0.19 IRS - Criminal Investigation Division Electronic Crimes Program ILook 8.0.19 is a Windows based digital forensic analysis tool developed by the Internal Revenue Service (IRS) Criminal Investigation Division Electronic Crimes Program (CI). IRS and Perlustro, LP have combined efforts to further develop ILook as an electronic investigative tool. ILook has many features, including the ability to analyze multiple platforms, view various file formats, acquire images, hash images, and parse emails and attachments. ILook is capable of analyzing various file formats.
ILook Prefetch Parser   Perlustro, Inc. IPP was developed to parse the prefetch folder within the ILook forensic suite.
Image MASSter Solo-4 4 Intelligent Computer Solutions (ICS) Image MASSter Solo is a versatile, lightweight, portable, high speed acquisition device. Using its on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact replica of the suspect's data without modification, re-arrangement or corruption. It provides native interface support for SAS, S-ATA, and external USB drives, in addition to supporting PATA, including ATA compatible solid state and flash devices.
Image String Searching Tool 1 Northrop Grumman The purpose of this study is to satisfy the requirements as stated in the 500 - Language Identifier and Translator requirements document. The 500 level challenge seeks to develop a Graphical User Interface (GUI) tool that runs from external media to search for text and perform language translations to produce documents that contain offensive terms. The tool should locate and export files identified as containing keywords from a canned source and/or entered by the operator. The tool should allow the user to select the input and translated languages.
Imaging for Operations (IO) 20170829.0 CipherTech Solutions IO was developed by Cipher Tech Solutions. It is a zero-click forensic imaging tool that automatically enables a USB software write-block, detects changes to attached devices, and begins producing E01 images from connected target media without any user interaction. Furthermore, IO logs include device information such as device type, model, name, size, geometry, MD5 and SHA1 hashes, the hardware serial number, the volume serial number for each partition, and the device VID/PID.
IMLook 2.1 DC3 IMLook is used to decrypt and display Yahoo! Messenger chat logs.
Intel Xeon   Apple Inc. Hardware validation of the 3.00GHz Mac Pro (Early 2008) Intel Xeon CPU X5472
Internet Evidence Finder (IEF) 3.6.0 JADsoftware IEF is a Windows-based digital forensic investigation suite created by Magnet Forensics. IEF is a tool capable of searching a drive, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to, emails, instant chat messages and Internet Explorer InPrivate/Recovery URLs. IEF will display the results in a generated report.
Internet Evidence Finder (IEF) 3.5.1, 3.6.0, 5.8.00777, 6.2.1, 6.4.0333, 6.7.0.0450, 6.7.0.0450 (Revised) Magnet Forensics IEF is a Windows-based digital forensic investigation suite created by Magnet Forensics. IEF is a tool capable of searching a drive, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to, emails, instant chat messages and Internet Explorer InPrivate/Recovery URLs. IEF will display the results in a generated report.
Internet Evidence Finder (IEF) Frontline 1.0.0.0147 Magnet Forensics Frontline was developed by Magnet Forensics. It is a tool capable of searching a Windows computer for various types of Internet artifacts and image files. These include, but are not limited to, chat messages, web browser history, and image files. Frontline will display the results in a generated report.
iPhone Analyzer 1.0.0 DC3/DCCI iPhoneAnalyzer was developed by the Defense Cyber Crime Institute. iPhoneAnalyzer is a command-line Perl application to automate the analysis of Apple iPhone, iPod Touch, and iPad devices.
Ipod Slurp 1.5 N/A Ipod Slurp is used to copy certain file types from a target machine to a USB drive.
IPP Automation 3.1, 3.2 DC3/DCCI IPP Automation EnScript was developed by DCCI. This tool was written to automate and standardize the initial procedures and protocols that are conducted at the beginning of each MC&S case.
ISO Buster 2.4 www.isobuster.com ISO Buster v2.4 is a CD/DVD data recovery tool that can read CD and DVD images created in different formats (ISO, NRG, etc.) by various commercial applications.
JPCAP 0.01.17 Patrick Charles JPCAP is designed to passively monitor and capture network activity. The tool is used in live network captures or pre-captured environments (in pcap format). JPCAP provides visual data, as well as textual info, for packets captured.
Kasemanager 1.1.3.4 HTCI Labs Kasemanager takes the xml reports generated by tools commonly used to image cellular devices from companies such as Cellebrite, XRY, and Susteen. It identifies common elements and links from those disparate reports, and outputs its findings into a single report.
Keith's iPod Photo Reader 2 Keith Wiley KIPR is an OS X based tool that provides access to the .ithmb photo library. The .ithmb files store copies of the full size images that are displayed directly on the iPod because the full size images would not display correctly on the iPod. These files are found in the /Photos/Thumbs directory of an iPod Photo that has been synced to contain a photo library.
Live View 0.6 LE CERT, Software Engineering Institute Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a physical disk, a single raw disk image, or a series of split disk images. This allows the forensic examiner to boot up the image or disk and gain an interactive, user-level perspective of the environment without modifying the underlying image or disk. Evaluation is needed to ensure that this software can function as advertised and preserve the forensic integrity of the media used in the testing procedure.
Log2Timeline 1.5.1 Kristinn Gudjonsson Log2Timeline was developed by The Plaso Project (kiddaland). Log2timeline is a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on a suspect's system (and supporting systems, such as network equipment) and produce a timeline that can be analyzed by forensic investigators.
Log2Timeline 1.1.0 The Plaso Project (kiddaland) Log2Timeline was developed by The Plaso Project (kiddaland). Log2timeline is a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on a suspect's system (and supporting systems, such as network equipment) and produce a timeline that can be analyzed by forensic investigators.
Logorrhea 1.3.1 Spiny Software Logorrhea was developed by Spiny Software as an OSX-based tool used to organize, browse and search logs created by the OSX-based iChat application. iChat is an instant messenger application, similar to AIM, used to communicate with other users via the Internet.
Mac Marshal Field Edition 3 Architecture Technology Corporation Mac Marshal is used to aid in the automated analysis of disk images from Apple Mac hardware. Mac OS X and common applications on the Mac platform provide an abundance of information about the user's activities in configuration files, caches, and logs. Mac Marshal automatically determines what operating systems are installed on the disk image, either as dual-boot setups or virtual machines, and analyzes OS X forensically-relevant data.
Mac OS X Enscripts   Guidance Software Guidance Software's EnCase Forensic has a community of EnScript developers that have developed various extensions (EnScripts) to the EnCase application. The specific EnScripts tested in this validation are HFS Journal Parser developed by Teru Yamazaki, Mac OS X Binary Cookie File Parser developed by Simon Key, and Mac OS X Log Entry Finder developed by Simon Key.
MacForensicsLab 2.5 Subrosasoft MFL is a complete suite of forensics and analysis tools in one cohesive package, combining the power of many individual functions into one application to provide a single solution for law enforcement professionals.
MalScanner 0.5 Frank Boldewin MalScanner was developed by Frank Boldewin. OfficeMalScanner v0.5 is an MS Office forensic tool which scans for malicious traces, shell code heuristics, PE-files, or embedded OLE streams.
MC&S IPP Automation EnScript Revision 76   DC3/DCCI MC&S IPP Automation Enscript was written to automate and standardize the initial procedures and protocols that are conducted at the beginning of each MC&S case.
MD5 2.6 Gnu General Public License MD5 is a Macintosh utility that creates and compares MD5 checksums. It can compare files as well as a file with a checksum-string. Evaluation is needed to ensure that this software can function on the Macintosh platform without altering the media used in the testing procedure.
MD5 Compare 1 JADsoftware MD5 Compare was developed by JADsoftware. MD5 Compare is a tool which can be used to compare MD5 hash values of files. This is useful in a scenario where a user has obtained hash values of files from a particular system and wishes to compare them against some known set of hash values of interest. MD5 Compare requires text files containing hash values as input, one hash value per line. The interface of the tool has labeled sections indicating which files will be searched and which files they will be compared against. MD5 Compare generates output files containing all of the matches, if any were found.
MD5Deep   Jesse Kornblum MD5Deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. Md5deep is able to recursively examine an entire directory tree.
MD5Deep/Hashdeep 3.7 Jesse Kornblum MD5Deep was developed by Jesse Kornblum. MD5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. Through its hashdeep component, MD5deep is able to match and audit hash sets. Traditional matching programs only report whether an input file matched one in a set of knowns or did not match; it is hard to get a complete sense of the state of the input files compared to the set of knowns.
MD5Sum 2 Ulrich Drepper MD5Sum is a standalone command-line utility that uses the well-known MD5 hash algorithm to generate MD5 hash values of data files and to check MD5 hash values of data files that have known MD5 hash values.
md5summer 1.2.0.11 Luke Pascoe md5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums. Its output file is compatible with the output of the Linux GNU MD5Sum and it will also read Linux generated files.
Memoryze 1.4 Mandiant Corporation Memoryze is a computer forensics memory acquisition software program. It collects memory information in two modes of operation: either collecting information about programs and processes and the resources they use while the system is running, or extracting memory artifacts from memory dump files created by other memory acquisition tools and from previous executions of Memoryze.
Metadata Assistant 2.12.214 Payne Consulting Group, Inc. Metadata Assistant is designed to identify, or clean, metadata in Microsoft applications such as Word, Excel, and PowerPoint, as well as Adobe PDF documents.
MFL Importer 1108.31 Paul B. Ciaccio MFL Importer was developed by Paul B. Ciaccio. MFL Importer is a MS Access database with code that creates separate file lists from a large number of media items in one instance. It dynamically creates one or more MS Access tables (file lists) at one time, depending on how many evidence media items are home-plated or blue-checked in EnCase. It does not interpret, parse, or decipher data from the file list.
MFT Reader 1.0.0.1 4&6 Tech MFT Reader does not alter parsed data.
MIP 2.44 GetData MIP was developed by GetData. MIP is a utility to mount disk drive images as logical drive letters under Windows, and provides read-only access to the contents of an image file. This tool supports the following image types: EnCase, SMART, Raw, and ISO.
MiTec EXE Explorer 1.3.0.0 Michal Mutl MiTec EXE Explorer is used to parse executable files and report a variety of information about them, such as sections, strings, header data, exports, imports, resources, and a hex view of the contents.
Mount Image Pro 2.6 GetData Mount Image Pro v2.6 will mount EnCase evidence files, Unix/Linux dd images, SMART images, and ISO (CD/DVD images) computer forensic images as a drive letter on Windows systems in a read-only “forensically sound” environment.
Multi-File List Importer 11.8.31 Paul B. Ciaccio Multi-File List Importer is a MS Access database with code that creates separate file lists from a large number of media items in one instance. It dynamically creates one or more MS Access tables (file lists) at one time, depending on how many evidence media items are home-plated or blue-checked in EnCase. It does not interpret, parse, or decipher data from the file list.
NetAnalysis with HstEx 1.36 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 1.37 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 1.37.0030 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 1.37g Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 3.10 1.56 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 3.6 1.52 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 3.7 1.53 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 3.8 1.54 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 4 2 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetAnalysis with HstEx 4.4 2.4 Digital Detective NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily.
NetClean Analyze DI 12.3.1 NetClean NetClean Analyze is specially designed for law enforcement agencies working in digital media investigations related to crimes against children. The software aims to improve the quality of work and to minimize workload by enabling the categorization and identification of images and videos of child exploitation.
NetWitness Investigator 8.0.31 NetWitness Corporation NetWitness Investigator is a Windows-based software application that provides free-form contextual analysis of terabytes of raw data captured and reconstructed by the NetWitness NextGen infrastructure.
Network Miner 0.91 Erik Hjelmvik Network Miner is a Network Forensic Analysis Tool (NFAT) for Windows which can detect the OS, hostname, and open ports of network hosts through packet sniffing or by parsing a PCAP file. It can extract transmitted files from network traffic.
Nuix 7.0.1 Nuix Nuix was developed by Nuix. It is a tool capable of indexing, searching, categorizing, displaying, and extracting the contents of disk images and other container files.
OfficeMalScanner 0.5 Frank Boldewin OfficeMalScanner is an MS Office forensic tool which scans for malicious traces, shell code heuristics, PE-files, or embedded OLE streams. Found files are extracted to disk. It supports disassembly and hex view, as well as an easy brute force mode to detect encrypted files.
OffVis 1.1.0.0 Microsoft Corporation OffVis is an Office binary file format visualization tool. It was released to help IT pros, security researchers, and malware protection vendors better understand the binary file formats to deconstruct attacks and understand the vulnerabilities Microsoft fixes for protection purposes. The tool has a GUI to generically browse around and show the bytes on disk with the hierarchical view of the file as Office parses it. OffVis can generically detect a handful of publicly-exploited vulnerabilities as it reads the file.
OmniOutliner 3.7.2 Omni Group OmniOutliner is an OS X based tool used to create, view, and edit documents. Plist files are system files used within the OS X operating system to organize data.
OSF Mount 1.5 PassMark Software OSF Mount was developed by PassMark Software. It is a Windows tool designed to mount image files as volumes within Windows. 
P2P Marshal 4.0.0 Architecture Technology Corporation P2P Marshal is designed to detect the activity and installation of peer-to-peer software on a computer or hard drive image.
P2P Scan   DC3/DCCI P2P Scan is a command line tool used in the Windows environment to extract information from the files and data structures (artifacts) left by LimeWire, BearShare, and Ares Galaxy. The tool collects and organizes this information into an HTML document that presents the artifact information in an easy-to-read format.
Pandora 2.4.0 Carnegie Mellon University Pandora will unpack many packed files automatically with no intervention from the user. Some of the more complicated packing tools require user input in interactive mode.
Password Recovery Toolkit (PRTK) 6.4, 6.3.3 AccessData PRTK is a password recovery program for standalone computer operations. This tool is used for extracting the contents of forensic examination case files with unknown passwords.
PCAPFAST 2.0.771 DC3/DCCI PCAPFAST was developed by the Defense Cyber Crime Institute (DCCI), and is designed to process data contained in packet capture (PCAP) files conforming to the libpcap format. The tool provides examiners and analysts with reports on, and the capability to query, the captured network traffic. This capability is provided through three distinct tools: 1) PCAPIndex, 2) PCAPReport, and 3) PCAPExtract. PCAPIndex processes the PCAP file and extracts all data into a SQLite database.
pdfid.py 0.11 Didier Stevens pdfid was developed by Didier Stevens. It does not alter parsed data. It is able to create a neutralized version of potentially dangerous PDFs.
PDFinder 1 DC3/DCCI PDFinder was developed by the Defense Cyber Crime Institute (DCCI). This Windows based tool is designed to read and display information about artifacts contained in Adobe PDF files. The tool scans a given file or directory and identifies PDFs inside, and then scans the individual PDF files and outputs a report based on the metadata of any artifacts contained inside.
pdf-parser.py 0.3.7 Didier Stevens pdf-parser was developed by Didier Stevens. It does not alter the parsed data. It is able to determine if JavaScript objects are contained in a PDF.
pdftk 1.44 PDF Labs (Sid Seward) pdftk is used to manipulate PDF files without requiring Adobe Acrobat.
PLE 2.2 Apple Inc. PLE is an OS X based tool that is bundled with the Apple Developer Tools. PLE is used to view and edit plist files. Plist files are system files within the OS X operating system used to organize data.
Prefetch Analyzer 0.92 TZWorks LLC Prefetch Analyzer was developed by TZWorks LLC. Prefetch Analyzer is a command-line Windows prefetch parser. Originally inspired by the chapter on 'prefetch analysis,' as well as the Perl script sample given in the book Windows Forensic Analysis by Harlan Carvey, Prefetch Analyzer was another tool created for eventual inclusion in a computer forensic toolkit.
ProDiscover 7.1.0.3, 7.0.0.8 Technology Pathways, LLC ProDiscover was developed by Technology Pathways, LLC. ProDiscover is a tool used for analyzing digital evidence such as image files and physical disks. For this validation, the focus will be on evidence that contains one or more shadow volumes. ProDiscover advertises the ability to detect and image shadow volumes and the ability to export files, hash files, and compare the contents of shadow volumes.
ProxyStrike 2.2 Edge-Security ProxyStrike is an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application.
PST Viewer Pro 7.5.46 Encryptomatic LLC PST Viewer Pro was developed by Encryptomatic LLC and is a Windows software tool for managing emails. It does not require Microsoft Outlook to be installed (and was not installed for this validation). The tool should read, search and export emails formatted as MSG, OST, EML and PST.
REcat 1.0.6 DC3/DCCI REcat is a command line tool for manipulating network sockets. The tool was developed as a replacement for the netcat socket utility currently being used in Intrusions and Information Assurance. The tool is used to send data over TCP or UDP connections. REcat is designed to provide the same basic transmission functionality while facilitating reverse engineering tasks.
Recovery for Outlook 3.2 Recoveronix Ltd. Recovery for Outlook was developed by Recoveronix Ltd. This tool is used to recover and/or extract information out of Outlook file types (OST or PST). More specifically, it is used to convert an OST file into a PST file. It should be noted that this validation did not test the tool's ability to actually recover OST files but rather its ability to convert OST to PST.
Redax 4.53 Appligent Appligent's Redax is a plug-in for Adobe Acrobat versions 6, 7 and 8. It allows redaction of text, images and line art using a number of markup methods which include manual drawing of boxes, word lists, pattern matching, templates, or full page redaction. It also automatically removes metadata from documents upon redaction.
rEFit 1.1 Christoph Pfisterer rEFit is designed to run on a bootable compact disk and gives user access to info in the basic input-output system of an Intel based Macintosh operating system.
RegDat 1.3 Henry Ulbrich RegDat, developed by Henry Ulbrich, is designed to maintain the Windows 98 registries on desktops and remote networked computers. RegDat is designed to search for keys and values and export them. Functions to compare the file with the current Registry are provided, as well as tools to edit the file, making it a tool for viewing Windows operating system registry entries.
RegDatXP 1.41 Henry Ulbrich RegDatXP, a program developed by Henry Ulbrich, is designed to maintain the Windows registries on desktops and remote networked computers. RegDatXP is designed to search for keys and values and export them.
Registry Browser 3.1.1 Lock and Code Registry Browser was developed by Lock and Code. It is a tool capable of searching Windows registry information from a copy of a computer’s Windows folder.
Registry Browser 3 Forensic Computer Examination Unit, Queensland Police Service in conjunction with the Cyber Support Unit, Australian Crime Commission The Forensic Computer Examination Unit, Queensland Police Service (QPS) in conjunction with the Cyber Support Unit, Australian Crime Commission (ACC) developed Registry Browser version 3.00 as a tool for viewing Windows operating system registry entries. It allows the user to view registry entries of foreign machines, search them, and create reports of important keys.
Registry Ripper 2.02 Harlan Carvey Registry Ripper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT family of operating systems. Registry Ripper displays the extracted information in a text file for easy viewing.
Registry Viewer 1.7.4.2, 1.6.3.34, 1.6.3, 1.5.4.44 AccessData Registry Viewer was developed by AccessData. Registry Viewer allows the user to view and analyze the contents of the registry entries on MS Windows operating systems. In addition, it allows the user to create a report containing information related to the different registry keys.
RegShot 1.8.2 TiANWEi, tulipfan, Belogorokhov Youri RegShot is a small, free, open-source registry compare utility that allows the user to quickly take a snapshot of the registry and then compare it with a second one. A changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot 1 and snapshot 2. The user can also specify folders to be scanned for changes.
RemoteDll 1.3 Talekar Nagareshwar RemoteDll v1.3 is a Windows application developed by Talekar Nagareshwar. RemoteDll allows a user to inject or remove DLLs into or from running processes.
Retrospective 1.2b3 Joakim Nygard Retrospective is an OS X based tool used to search through the web cache created by the Safari web browser.
Safe Block   Forensic Soft Incorporated Safe Block is a software-based write blocker which facilitates the quick and safe acquisition and/or analysis of any disk or flash storage media attached directly to a Windows workstation. It is proven to be safe.
Safe Boot Disk   Forensic Soft Incorporated Safe Boot Disk is a boot disk (CD or USB) that, with a USB dongle, boots a computer to a forensically sound (write-blocked) version of Windows that serves as a platform for all popular Windows forensics tools.
SCAMM   CIFA The Counterintelligence Field Activity (CIFA) developed the SCAMM system as an in-house process that uses a series of software and hardware to effectively protect data while personnel are deployed.
SC-Viewer 1.0.3161 DC3/DCCI SC-Viewer was developed by the Defense Cyber Crime Institute (DCCI). The tool is used to expedite the time an examiner spends sifting through file carving results.
Shadow Miner 1 DC3/DCCI Shadow Miner is intended to help forensic examiners access the data that is maintained within a Microsoft Vista Shadow Volume. This is accomplished by creating a virtual machine from the 'dd' image of an evidence drive using Live View and Vmware Workstation. Once the VM is created, Shadow Miner can be run from the CD/DVD drive within the VM to identify shadow volumes.
Shadow Scanner 64-bit 1.0.3 EKL Software Shadow Scanner is used to quickly identify changed or deleted files which are present on a particular partition's shadow volumes relative to the current state of the partition. This reduces the number of files that need to be analyzed and will point the examiner in the right direction, showing files that were intentionally changed or deleted. It is capable of exporting any of these files.
Shadow Volume Link Manager 1 DC3/DCCI Shadow Volume Link Manager is a tool that is able to create symbolic links to shadow volumes in order to access the data contained within them. Ordinarily, shadow volumes are inaccessible, but Shadow Volume Link Manager aims to automate the linking process.
Skype Log Parser 1.7 RedWolf Computer Forensics Skype Log Parser is used to read Skype user profiles and generate reports about them. The reports include information about the profile, a list of contacts, chat records, file transfers, SMS messages, and voicemails.
SkypeLogView 1.36 Nir Sofer SkypeLogView is used to read Skype user profiles and report on activity such as calls, chats, file transfers, and SMS messages. It is able to export the information to an HTML file.
Sleuth Kit 3.0.0 Wietse Venema and Dan Farmer The Sleuth Kit (TSK) uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The code was modified for platform independence.
SMT ArchivER 3.0.3.6 System Management Technologies, Inc. SMT ArchivER v.3.0.3.6 for Outlook 2003+ is a plug-in for Microsoft Outlook that allows the user to archive items in a PST or OST file to another format such as RTF, TXT, HTML, or MSG. It can also remove attachments and embedded objects.
SnapView 2.1.02 Digital Detective Group, Ltd. Digital Detective has developed SnapView as a means of viewing and navigating through web pages and web page fragments on a file system.
Solo-4 4 Intelligent Computer Solutions (ICS) Solo-4 was developed by Intelligent Computer Solutions and is a versatile, lightweight, portable, high-speed data acquisition device. Using the unit's on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact replica of the suspect's data without modification, re-arrangement, or corruption. The unit provides native interface support for SAS, S-ATA, and external USB drives, in addition to supporting P-ATA, including ATA-compatible solid state and flash devices. This tool provides flexible capture mode formats, including Segmented File and Mirror image formats. The unit is capable of capturing two suspect drives simultaneously. The unit's advanced touch screen user interface provides ease of use.
SQLite Database Browser 1.3 Mauricio Piacentini SQLite DB is a freeware, public domain, open source visual tool used to create, design, and edit database files compatible with SQLite. SQLite DB is intended for users and developers who want to create databases and edit and search data using a familiar spreadsheet-like interface without the need to learn complicated SQL commands.
Sqliteman 1.2.1 Peter Vanek Sqliteman is a GUI tool that creates databases using SQLite3 technology. Sqliteman can also open previously created databases, tune SQL statements, manage tables, views, and triggers, administer database space, and view index statistics.
StegCarver 5.7, 5.0, 4.9 DC3/DCCI StegCarver was developed by the Department of Defense Cyber Crime Institute. StegCarver is a special-purpose carving tool. StegCarver was written to carve key file types out of data inadvertently appended to image files, but can also be used to carve data from any directory of files, including files representing free space, swap (paging) files, memory dumps, slack space, and dd images.
Bs_break 1 Blindside Blindside StegExtraction Tool (known as Bs_break) is a Windows command line application created to identify bitmap files containing data that was hidden with the steganography program Blindside. It will determine a working password, if one was used, and extract the hidden data. The extracted data is decrypted and uncompressed. Bs_break produces a log in html format that can be opened in any web browser.
StegRTS 3.1 Backbone Security StegRTS was developed by Backbone Security. StegRTS is capable of capturing and scanning network traffic in real-time for the presence of steganography applications and their signatures.
STRIKE 1.6 IDEAL Corp. STRIKE provides operators with a portable, automated system to quickly extract data and analyze information, in the field and in real time, from captured digital devices and media.
Tableau T8 USB WriteBlocker Firmware Update   Tableau The Tableau T8 USB WriteBlocker offers easy read-only access to suspect USB mass storage devices. It is compatible with single storage devices having multiple mountable volumes (multiple LUNs). It is compatible with forensic acquisition and analysis software.
Tableau TK8-R2 1 Tableau The T8R2 was developed by Tableau. Write-block support is provided via Tableau's proprietary write-block technology, which offers easy read-only access to suspect USB devices through high speed FireWire 800 (400 compatible) or USB2 interfaces. Tableau's write-block technology is compatible with forensic acquisition and analysis software.
TCDetect 1.4 DC3/DCCI TCDetect was developed by the Defense Cyber Crime Institute. TCDetect recursively searches drives and directories for files that appear to be TrueCrypt container volumes. The tool also searches for TrueCrypt volumes that have been embedded in MP4, MOV, and 3GP videos using the TCSteg Python script.
The Covert Forensic Imaging Device (CFID) 2 SEG dist. By TEELtechnologies CFID offers easy read-only access to suspect USB mass storage devices. It is compatible with single storage devices having multiple mountable volumes (multiple LUNs). It is compatible with forensic acquisition and analysis software.
The Tableau TD3 Forensic Imaging Device   Tableau The Tableau TD3 Forensic duplicator has many of the functions traditionally found in general purpose IT-oriented hard disk duplicators. The TD3 provides features and functions that serve the specialized needs of forensic practice.
Timeline EnScript 1.7.4 Geoffrey Black Timeline EnScript gathers file information on all or selected files/folders and presents it in a timeline view. The user can select the timeframe to check and output either HTML or tab-delimited text format. The script checks Created, Modified, and Accessed times and puts files in order according to these fields.
TimeMachineDiff.sh 1.4.1 DC3/DCITA TimeMachineDiff.sh allows users to automatically back up an entire system in Mac OS X v10.5 and Mac OS X v10.6 or later. It keeps an up-to-date copy of all files on the Mac, and users can go back in time and restore the Mac to how it looked in the past. The tool is a BASH script which provides a method for quickly determining the file differences between OS X Time Machine images.
Total Outlook Converter Pro 3.1.0 Softplicity, Inc. (CoolUtils.com) Total Outlook Converter Pro was developed by Softplicity, Inc. (CoolUtils.com) and is a Windows software tool for managing emails. For PST and OST, it should read, filter, create reports and export emails, in batch, to DOCX, PDF, HTML, XHTML, EML, TXT, TIFF and JPG.
Trident Pro 6.11.35.1914 Wave Software Trident Pro uses dtSearch from dtSearch Corporation to provide email de-duplication, keyword matching and exclusion, file de-duplication and NSRL matching, and file keyword matching/exclusion. The tool operates with Microsoft PST and/or OST files and Lotus Notes NSF (additional module required) files to process items in these files.
TriForce ANJP NTFS Journal Parser 3.11.07 G-C Partners, LLC ANJP was developed by G-C Partners, LLC. ANJP reads NTFS MFT, Journal, and Log file information to detect when files were created, removed, or changed and if certain anti-forensic techniques were employed on a system to attempt to hide files.
ue2f 1 Linux Open Source ue2f is a Linux Open Source command line tool that resides on FBI_CART Linux Boot CD Version 5.3 (Sept 2009). It is used to recover erased (deleted) files from EXT2 volumes. Recovered files will be directed to an EXT2, FAT32, or NTFS partition from the source EXT2 volume.
Ultradock 5
IV
WiebeTech The UltraDock v5 was developed by WiebeTech. Write-block support is provided via WiebeTech's proprietary write-block technology which offers easy, read-only access to suspect hard drives through high speed FireWire 800 (400 compatible), USB2, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software.
USB WriteBlocker   WiebeTech The USB WriteBlocker offers easy read-only access to suspect USB Mass Storage devices. It is compatible with single storage devices with multiple mountable volumes (multiple LUNs). WiebeTech's write-block technology is also compatible with forensic acquisition and analysis software.
USB WriteBlocker   Tableau The USB WriteBlocker offers easy read-only access to suspect USB Mass Storage devices. It is compatible with single storage devices having multiple mountable volumes (multiple LUNs). Tableau's write-block technology is compatible with forensic acquisition and analysis software.
USBDeview 2.35 NirSoft Freeware USBDeview was developed by NirSoft Freeware. The tool is a small utility that lists all current and previously connected USB devices from a Windows machine. This information is extracted from either a live system or via an exported SYSTEM registry file.
VCF to CSV 1 DC3/DCCI VCF to CSV was developed by DCCI. It is a Perl script designed to extract data from VCF files and store specific fields into CSV files.
VFC-2 2.13.4.16 MD5 Limited The purpose of this project is to validate Virtual Forensic Computing 2.13.4.16, hereinafter referred to as VFC-2. VFC-2 was developed by MD5 Limited. It provides the ability to mount physical discs and image files as virtual machines using software such as VMWare Workstation.
Video Validator 1.0, 2.0 DC3/DCCI Video Validator was developed by the Department of Defense Cyber Crime Institute (DCCI). Video Validator is a tool used mainly to quickly verify whether or not video fragments obtained by data carving techniques can be played.
VidReport 1.2.14 Sanderson Forensics Sanderson Forensics developed VidReport v1.2.14 as a forensic investigation tool for the processing and reporting of video files.
Virtual Forensic Computing (VFC) 3.14.5.12 MD5 Limited VFC-3 was developed by MD5 Limited. It provides the ability to load raw disk image files, and disk image files mounted using tools such as FTK Imager, as virtual machines using software such as VMWare Player.
VistaStumbler 2 Anonymous Source VistaStumbler was developed by people who choose to remain anonymous. The tool is a wireless network detection software application. It is available free-of-charge from www.suriv.be. VistaStumbler runs on the Windows Vista operating system.
VMWare Disk Mount 5.5 VMWare Inc. The tests and procedures contained herein apply to VMware Disk Mount, developed by VMware Inc. The Disk Mount utility is designed to allow the mounting of an unused virtual disk as a separate drive without needing to connect to the virtual disk from within a virtual machine. It is also able to mount specific volumes of a virtual disk if the disk is partitioned.
VSS Examiner EnScript 2.3.0, 1.3.0 Guidance Software VSS Examiner was developed by Guidance Software. It is an EnScript designed to locate files contained within volume shadow copies that do not exist elsewhere within a case.
WiebeTech RTX 220-QJp Writeblocker 1 WiebeTech Write-block support is provided via WiebeTech's proprietary write-block technology, which offers easy, read-only access to suspect hard drives through high-speed FireWire 800, USB2, or eSATA interfaces. It is compatible with forensic acquisition and analysis software. Each bay offers independent dual FireWire 800, single USB2, and eSATA ports. It includes a hard drive enclosure.
WiebeTech USB Writeblocker 1 WiebeTech Write-block support is provided via WiebeTech's proprietary write-block technology, which offers easy, read-only access to suspect hard drives through high-speed FireWire 800, USB2, or eSATA interfaces. It is compatible with forensic acquisition and analysis software. Each bay offers independent dual FireWire 800, single USB2, and eSATA ports. It includes a hard drive enclosure.
Wi-Fi Investigator WFIH-01 Digital Certainty Wi-Fi Investigator was developed by Digital Certainty. The Digital Certainty Wi-Fi Investigator is a handheld tool which identifies the specific physical location of any type of device communicating with a Wi-Fi (802.11b/g) signal.
Win32dd/Win64dd 1.3.1.20100417 Matthieu Suiche & MoonSols Win32dd/Win64dd was developed by Matthieu Suiche and MoonSols. Win32dd/Win64dd is a command-line tool for either 32-bit or 64-bit systems, which allows the user to acquire an image of the system's memory. Raw dd-style and crash dump formats are supported, and there are different methods for specifying memory content.
Windows Journal Parser 0.96 TZWorks LLC 1.2 Journal Parser was developed by TZWorks LLC. It is able to parse NTFS Journal Files and output the results into XML, CSV and plaintext formats.
Windows Mobile Forensics (WinMoFo) 2.2.17736 DelMar IT, LLC WinMoFo was developed by DelMar IT, LLC. WinMoFo advertises the ability to logically extract all digital evidence from a target device. This evidence includes the device phone number, call history, SMS history, email, appointments, contacts, tasks, and files found on the file system.
WinHex 16.3, 15.3, 14.7 X-Ways Software Technology AG WinHex was developed by X-Ways Software Technology AG. WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security.
Wireshark 1.0.4 Gerald Combs Wireshark, formerly known as Ethereal, is a network packet analyzer developed originally by Gerald Combs. A network packet analyzer attempts to capture network packets and display various types of packet data information. Wireshark is able to capture live packet data from a network interface and display the captured packet information.
Xplorer360 beta 0.9 360GameSaves.com Xplorer360 is a Windows-based tool used to access the hard drives used within the Xbox360 game console. Xplorer360 has the capability to view all partitions and file systems on the hard drive.
X-Ways 18.5, 18.0, 16.3, 15.6 X-Ways Software Technology AG X-Ways was developed by X-Ways Software Technology AG. X-Ways is an advanced work environment for computer forensic examiners. It runs under Windows 2000, XP, 2003, Vista, 2008, and 7, both 32-bit and 64-bit. The tool is based on the WinHex hex disk editor, and can natively process FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, CDFS/ISO9660/Joliet, and UDF data storage formats.
X-Ways to EnCase, FTK and iLook   Guidance Software, X-Ways Software Technology AG, and AccessData This study examined the similarities and differences between the following tools: X-Ways, EnCase, FTK and iLook. These tools are used by examiners in the acquisition and analysis of a suspect's drive during a digital forensic examination.