| AScan |
5 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| DC3 iPhone Analyzer |
2.0.753 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
DC3 iPhone Analyzer extracts all forensically relevant data from a physical image (or iTunes backup) of an iPhone, iPod Touch, or iPad. Extracted data includes, but is not limited to: call logs, contacts, text messages, emails, pictures, keyboard logs, and position data. |
| DC3 Triage |
2.0.0.275 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
DC3 Triage is a tool which provides agents with a fast, cursory view of pictures, movie videos, chat messages, emails, shared files, web history, web searches, system information, and other user information that has been extracted from a hard drive or mounted image. DC3 Triage is intended to be a user-friendly interface which will improve the overall processing of certain cases. With the assistance of the graphical user interface (GUI), the user can take a quick look at the media information on the drive, which allows the examiner to determine whether a full forensic investigation should occur. |
| DC3_CV |
3.0.0.259 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
DC3_CV is used to expedite the time an examiner spends sifting through large directories of image files. With DC3_CV, examiners can use pre-trained datasets or easily create custom datasets of a person of interest. Using these datasets, DC3_CV finds other lookalikes automatically and presents the findings in a built-in viewer. DC3_CV can be run via a graphical user interface or a command line. |
| DC3Carver |
5.7.3 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
StegCarver is an easy-to-use carving tool adept at carving visual media. StegCarver supports 20 different file types and carves each individually. |
| DFIT |
0.7 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
DFIT is a tool that leverages fuzzy hashing to look for files on a live computer which are either the same as, or similar to, a given set of signature files. The tool uses a modified fuzzy hashing algorithm that requires less identical data to be present in a file before concluding a match. |
| DMAT |
1.2.0.12 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
DMAT is a tool developed in C# to analyze memory images of 32-bit systems. The tool is a GUI front end to Volatility (a command line memory analysis tool). The tool also generates automated HTML reports of artifacts it can extract from the memory snapshots. A regular expression feature is also included to allow examiners to save to disk unpacked/decrypted malware binaries which were running in memory. These de-obfuscated forms of malware are easier for malware analysts and reverse engineers to analyze, and save time otherwise spent manually unpacking these specimens. |
| FatBack |
1.3 |
*Not Available |
UNCLASSIFIED//FOUO |
NO |
FatBack recovers deleted files from FAT12, FAT16, and FAT32 file systems. Unlike other recovery tools it runs on Linux and provides a powerful interactive mode similar to a Unix shell. Deleted files can be recovered recursively to another drive with a single simple command-line statement. FatBack creates a nested directory structure similar to the SUBJECT drive. Other features include logging, recovery of long file names, and recovery of hidden partitions. |
| FED - File Extension Dump |
1.2 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
FED is a software tool designed for cyber-investigative field use. It can search a specified drive and copy all files that match extensions chosen by the user to another device. |
| File Signature Translation Utility |
1 |
*Not Available |
UNCLASSIFIED//FOUO |
NO |
File Signature Translation Utility converts file signature text files to and from various formats, such that a file signature baseline can be created and maintained by FileSig Manager. |
| GPX Data Converter |
1 |
*Not Available |
UNCLASSIFIED//FOUO |
NO |
The Garmin Nuvi GPS receiver stores its way-point and track-point data in a .gpx file format. This format is a standardized XML file format that is not compatible with common mapping tools like Microsoft MapPoint 2009. GPX Data Converter allows the user to convert a .gpx file to a .txt or .tab file that can be used with common mapping software. |
| HumanDetect |
1 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
HumanDetect was designed and developed to reduce the amount of time required for examiners to conduct forensic image analysis, provide intelligent data reduction capabilities, run case data in an automated fashion while indexing images, categorize and sort images based on the presence of people, and output an XML file for further examination as part of the FDE process. |
| IPFind |
0.6 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
IPFind is a command-line tool that recursively locates all instances of Internet Protocol (IP) addresses within a target logical directory. It can generate a CSV or XML file detailing its findings. |
| Kazaa DatView & DBBView |
2.1 |
*Not Available |
UNCLASSIFIED//FOUO |
YES |
These two tools extract and decode information from Kazaa .dat and .dbb files. Dat files contain information about partially downloaded files. DBB files contain information about completed downloads. |
| Meta-X Image Metadata Extractor |
3 |
01/26/2018 |
UNCLASSIFIED//FOUO |
NO |
Extracts metadata from image files, including JPEG, GIF, BMP, TIF, and more. Metadata can include information such as: author, digital camera, editing software, and timestamps. |
| Modified mkisofs |
1.12.1 |
*Not Available |
UNCLASSIFIED//FOUO |
NO |
MKISOFS is a UNIX program for mastering CD-ROM images. In the standard version of MKISOFS, if you tell MKISOFS to make an image file out of 4 GB of data it will produce a single 4 GB image. This is not desirable because that image will not fit onto a standard CD-ROM. This enhanced version of MKISOFS has the ability to take the 4 GB file system and produce multiple smaller images that are ready to be burned to CDs. |
| PCAPFAST |
2.0.783 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
PCAPFAST is designed to process data contained in packet capture (PCAP) files conforming to the libpcap format. The tool provides examiners and analysts with reports of, and capability to, query the network traffic captured. This capability is provided through three distinct tools. PCAPIndex processes the PCAP file and extracts all data into a SQLite database. PCAPReport produces standard reports from the SQLite database detailing the sessions and associated data found within the network stream. PCAPExtract provides for custom queries against the SQLite database to perform more refined analysis of data within the network stream. PCAPFAST 2.0 will only process IPv4 packets. |
| PDFinder |
1 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
PDFinder is designed to read and display information about artifacts contained in Adobe PDF files. The tool scans a given file or directory and identifies PDFs. It then scans the individual PDF files and outputs a report based on the metadata of any artifacts it finds. |
| REcat |
1.0.6 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
REcat is a command line tool for manipulating network sockets. It was developed as a replacement for the netcat socket utility currently being used in Intrusions and Information Assurance (I2A). Netcat is used to send data over TCP or UDP connections. Netcat also has additional utility that is not of immediate interest to I2A, and therefore was not included in the current release of REcat. REcat was designed to provide the same basic transmission functionality, while facilitating reverse engineering tasks. |
| Shadow Volume Link Manager |
1 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
Shadow Volume Link Manager is a software tool for finding and making available the data that is maintained by the Microsoft Volume Shadow Copy Service as found in Windows Vista and Windows 7. Shadow volumes are an ideal location to hide data. Shadow Volume Link Manager is a software tool that is able to create symbolic links to shadow volumes in order to access the data contained within them. Ordinarily, shadow volumes are inaccessible, but Shadow Volume Link Manager aims to automate the linking process. |
| StegCarver |
5.7.3 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
StegCarver is an easy-to-use carving tool adept at carving visual media. StegCarver supports 20 different file types and carves each individually. |
| Video Validator |
2.1 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
DCCI Video Validator was developed by the Department of Defense Cyber Crime Institute (DCCI). Video Validator is a tool used mainly to quickly verify whether or not video fragments obtained by data carving techniques are able to be played. Video Validator can run as a standalone application or it can be run from within DCCI_StegCarver. Video Validator is capable of creating thumbnail storyboards for any validated videos. |
| Yahoo! IMLook |
2.1 |
01/25/2018 |
UNCLASSIFIED//FOUO |
YES |
IMLook v2.1 is a software program that decrypts the Yahoo Messenger instant messaging client's log files. The files created during a chat session cannot be opened with local Windows programs because of their special file format and encryption for security protection. Contact lists, passwords and credentials are just some of the information saved during instant message conversations. IMLook 2.1 can open and read the files making the contents available for viewing or exporting. |
| DC3 Advanced Carver Presentation |
1.4 |
04/03/2023 |
UNCLASSIFIED//FOUO |
NO |
A presentation on DC3 Advanced Carver explaining what the tool does, the basics of file carving, specific examples of content DC3AC can recover, then finally a demo of the tool. |
| DC3 Flyby |
1.0.1 |
07/21/2022 |
UNCLASSIFIED//FOUO |
NO |
A GUI application for visualizing GeoJSON files produced by DC3 Droneparser. Provides GPS track visualization and playback on an interactive map. |
| DC3 Drone Parser |
1.3.2 |
07/19/2022 |
UNCLASSIFIED//FOUO |
NO |
DC3 Drone Parser is a tool allowing users to parse, analyze and visualize data from various types of devices, including unmanned aerial vehicles (drones) and GPS-enabled video devices such as GoPros and various dash cams. The tool recognizes and parses various file formats used by device manufacturers and outputs engineering data in spreadsheets as well as KML and GeoJSON for mapping. Included in the installer is the DC3 Geo Playback software, which allows the user to play the flight/path on a map using play/pause and scrubbing controls. Users are presented with information including exact location, speed and height of the device under examination, as well as various pieces of metadata that could be of interest. |
| TextSearch |
1 |
11/01/2021 |
UNCLASSIFIED//FOUO |
NO |
The Portable Text Search utility is a localized bulk document text search capability originally for the DC3-AG in support of an MCIO investigation. This utility can provide a launching point for identifying whether document sets include target keywords or content and may require additional investigation. The utility generates a local Lucene-based index of a directory tree containing documents of interest and then allows searching that index with a text document containing a list of key words or phrases. The output identifies the number of hits each of those words or phrases might have had against the index. The search terms can be modified or refined and resubmitted without requiring re-indexing operations. A default GUI implementation is included for advanced inspection of the index. Additional information or expansion on current or future capabilities is available upon request. |
| Discord Parser - Windows - MacOS - Linux |
1.1 |
05/05/2021 |
UNCLASSIFIED//FOUO |
NO |
Windows/MacOS/Linux Discord Parser - tool used for the extraction and analysis of data associated with the Windows version of the Discord app, which is a relatively common voice and text chat application used by gamers and enthusiasts. The tool extracts chat history including all stored message content, date and time stamps, and recipient identifiers. It will also pull information like the signed-in user's ID and registered email address. Recently, visualization was improved to display chats in HTML format in addition to the existing CSV format. Version 1.1 now supports MacOS and Linux! |
| Discord Parser - Android |
1 |
01/26/2021 |
UNCLASSIFIED//FOUO |
NO |
Android Discord Parser - tool used for the extraction and analysis of data associated with the Android version of the Discord app, which is a relatively common voice and text chat application used by gamers and enthusiasts. The tool extracts chat history including all stored message content, date and time stamps, and recipient identifiers. It will also pull information like the signed-in user's ID and registered email address. Recently, visualization was improved to display chats in HTML format in addition to the existing CSV format. |
| Discord Parser - iOS |
1 |
11/08/2020 |
UNCLASSIFIED//FOUO |
NO |
iOS Discord Parser - tool used for the extraction and analysis of data associated with the iOS version of the Discord app, which is a relatively common voice and text chat application used by gamers and enthusiasts. The tool extracts chat history including all stored message content, date and time stamps, and recipient identifiers. It will also pull information like the signed-in user's ID and registered email address. Recently, visualization was improved to display chats in HTML format in addition to the existing CSV format. |
| Automated Loss of Control |
1 |
01/20/2020 |
UNCLASSIFIED//FOUO |
NO |
ALoC is a tool that assists forensic examiners in investigating “loss of control” cases, wherein compromised media needs to be analyzed for the presence of classified information. ALoC processes media to automatically produce a report of all files found, indexing them by type and identifying files that appear to contain classified data, recognizing and filtering files by hash, and scanning inside files for classification markings. The questionable files can be viewed from within the application, with automated highlighting of relevant text to ease manual inspection. Further, text is extracted from images and video using optical character recognition (OCR), enhancing the resulting images and/or video frames and performing multiple OCR passes against them for greater reliability of detection. ALoC also incorporates DC3 Advanced Carver (DC3AC), which enables ALoC to extract files from unallocated space and perform the same scans on them as on every other file. ALoC shifts much of the burden of mass file review from manual, time-intensive examination to automated triggers and cues that accelerate and enhance digital forensic examinations. |
| DC3 PWDextr |
201310 |
01/26/2018 |
UNCLASSIFIED//FOUO |
NO |
DC3 PWDextr is a DCCI-developed special purpose tool designed to extract clear text logon passwords from RAM dumps. It displays logon passwords from all user accounts that were active when the RAM dump was taken. PWDextr is able to extract logon passwords from 32-bit system architectures running the Windows XP operating system and from 64-bit architectures running the Windows 7 operating system. |
| DC3 Video Creator |
201307 |
01/26/2018 |
UNCLASSIFIED//FOUO |
NO |
DC3 Video Creator is a DCCI-developed special purpose tool designed to create AVI videos/video fragments from jpeg files that have been extracted from suspect media by forensic carving tools. It creates the videos and video fragments by initially searching through log folders created by forensic file carving tools looking for jpeg files that appear to be scenes carved from motion jpeg videos and then constructing one or more AVI videos using the jpeg scenes. The AVI files created by DCCI_Video Creator can be viewed with SMplayer. |
| DC3 3G Playlist |
201307 |
01/26/2018 |
UNCLASSIFIED//FOUO |
NO |
DC3 3GPlaylist, when run against a folder containing 3GP videos carved by DC3 StegCarver, will attempt to improve the playability of carved files by extracting hidden video fragments from those containing two or more concatenated 3GP video fragments. The program produces either a standard playlist, which simply provides a log containing all playable videos that were uncovered in the order that they were uncovered, or an organized playlist, which attempts to organize the extracted 3GP video fragments by subject matter. |
| DC3 Foreign Language Detect |
20180126 |
01/26/2018 |
UNCLASSIFIED//FOUO |
NO |
Foreign Language Detect (FLD) is a tool for detection of foreign languages. It supports several common languages. |
| DC3 FormatDetect |
2.5 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
FormatDetect recursively searches drives and directories for specific character string formats. It can also search unstructured data sets such as dd images and RAM dumps. The formats it searches for include phone numbers, credit card numbers, social security numbers, IP addresses, inverted IP addresses, URLs (to include web search terms), inverted URLs, full format international passport numbers, email addresses, and inverted email addresses. (Note: inverted strings are those that have been obfuscated by XORing them with 0xFF.) When parsing RAM dumps, DCCI_FormatDetect not only extracts IP addresses that can be identified using regular expressions, but it also extracts binary IP addresses from all TCP/IP packets that were resident in RAM when the dump was taken. Additionally, when parsing Windows RAM dumps, the hibernation file, or the paging file, DCCI_FormatDetect will sometimes be able to extract Limewire version 4 and version 5 search terms. |
| DC3 Drive Bomb |
1.1 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
Drive BOMB is a boot CD containing an application to ATA SECURE ERASE or ATA ENHANCED ERASE all ATA hard drives attached to a computer. Drive BOMB is additionally equipped with the ability to verify the erasure of a drive and sign that drive to prevent accidental, unnecessary re-wiping. |
| DC3OSS |
2C_20141017 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
DC3 OSS was developed by the Defense Cyber Crime Center (DC3). It is a live CD tool based on the Knoppix 7.0 distribution. It allows law enforcement investigators in the field to preview a suspect's computer before making a decision on whether to seize the computer. |
| DC3 Computer Vision (CV) |
3.0.0.259 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
DC3_CV is used to expedite the time an examiner spends sifting through large directories of image files. With DC3_CV, examiners can use pre-trained datasets or easily create custom datasets of a person of interest. Using these datasets, DC3_CV finds other lookalikes automatically and presents the findings in a built-in viewer. DC3_CV can be run via a graphical user interface or a command line. |
| DC3 On-Scene Triage Tool - OTT |
1 |
01/25/2018 |
UNCLASSIFIED//FOUO |
NO |
On-scene Triage Tool (OTT) is a software tool to perform on-scene triage inspections of live computers in order to determine potential relevancy before seizing and submitting a computer to the Defense Cyber Forensics Laboratory (DCFL) by organizations requesting analysis. Case agents currently seize all computers at a crime scene because they have no reliable method for determining what is relevant versus irrelevant. So, OTT provides Case Agents with the ability to obtain limited information from a live computer. Specifically, OTT processing includes keyword searching, and information about graphics and video files on the system (JPEG, MPEG, AVI, GIF, TIF, PNG, BMP, MOV, FLV, WMV, MP4, RM and 3GP files, not including e-mail attachments, chat attachments and deleted files). An overarching principle of OTT is to minimize any changes that are made on the target system while acquiring information from a live computer needed to support triage decisions. |