| 08/17/2023 |
DC3 EFDetect |
4.1.1 |
DC3 |
EFDetect is a tool for the detection of encrypted data. EFDetect recursively searches drives and directories for files in various encrypted formats. Supported formats include, but are not limited to: TrueCrypt, TCSteg, TCSTEG v2, DriveCrypt, Steganos, MS Office, PDF, 7-zip, ZIP, WinRAR, EFS, and Video Padlock. |
| 04/03/2023 |
DC3 Advanced Carver |
unit test for 1.4 |
DC3 |
DC3 Advanced Carver (DC3AC) is an advanced file carving tool built for speed and accuracy. It uses advanced algorithms to recover files that other tools are not capable of recovering. The tool can carve complete files and repair partial files for multiple file types, such as archives, audio, databases, documents, free-form text, pictures, software, and videos. DC3AC is modular, which allows file types to be toggled on or off for carving. The main use case is carving unallocated space, but DC3AC can also carve from memory dumps, page files, disk images, and damaged files. To request previous versions of DC3 Advanced Carver, new features, or any other inquiries, email us at DC3.TSD@us.af.mil |
| 03/23/2023 |
DC3 Advanced Carver |
1.4.0 |
DC3 |
DC3 Advanced Carver (DC3AC) is an advanced file carving tool built for speed and accuracy. It uses advanced algorithms to recover files that other tools are not capable of recovering. The tool can carve complete files and repair partial files for multiple file types, such as archives, audio, databases, documents, free-form text, pictures, software, and videos. DC3AC is modular, which allows file types to be toggled on or off for carving. The main use case is carving unallocated space, but DC3AC can also carve from memory dumps, page files, disk images, and damaged files. To request previous versions of DC3 Advanced Carver, new features, or any other inquiries, email us at DC3.TSD@us.af.mil |
| 03/23/2023 |
EnCase |
22.3 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 03/23/2023 |
Autopsy |
4.19.3 |
Basis Technology Corporation & Brian Carrier |
Autopsy was developed by Basis Technology Corporation and Brian Carrier. Autopsy is a custom front-end application for The Sleuth Kit (TSK) which provides a user interface, as well as case management. TSK is a library and collection of UNIX- and Windows-based tools and utilities that allow for the forensic analysis of computer systems. Autopsy can be used to perform digital investigations and data extraction from images of mobile devices, Windows, Linux, and UNIX systems. |
| 04/15/2022 |
WxTCmd |
0.5.0.0 |
Eric Zimmerman |
This validation was conducted and provided by ArmyCID. |
| 04/15/2022 |
LogCollector |
13.03.10 |
YATEM |
This validation was conducted and provided by ArmyCID. |
| 04/26/2021 |
Magnet Axiom |
4.10.0.23663 |
Magnet Forensics |
Magnet Axiom is a complete end-to-end digital forensics solution. It is made up of two components. AXIOM Process is used to acquire and process evidence, preparing it for an investigation. AXIOM Examine is used to conduct the actual analysis. Magnet AXIOM can recover hundreds of types of digital artifacts from various sources. It also has the ability to link artifact evidence back to its source data. The developer considers this the next generation of its Internet Evidence Finder (IEF) product. |
| 04/26/2021 |
X-Ways Forensics & WinHex |
20 |
X-Ways Software Technology AG |
X-Ways was developed by X-Ways Software Technology AG. X-Ways is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. |
| 03/12/2021 |
Autopsy |
4.15.0 |
Basis Technology Corporation & Brian Carrier |
Autopsy was developed by Basis Technology Corporation and Brian Carrier. Autopsy is a custom front-end application for The Sleuth Kit (TSK) which provides a user interface, as well as case management. TSK is a library and collection of UNIX- and Windows-based tools and utilities that allow for the forensic analysis of computer systems. Autopsy can be used to perform digital investigations and data extraction from images of mobile devices, Windows, Linux, and UNIX systems. |
| 10/28/2020 |
T-VIP (FOUO) |
2.2.0.163 |
Pacific Northwest National Laboratory |
(FOUO) |
| 10/28/2020 |
File Locator Pro |
8.5 |
Mythicsoft Ltd |
File Locator Pro was developed by Mythicsoft Ltd. File Locator Pro is a search tool that provides multiple capabilities, including indexing, regular expression searches, Boolean searches, Unicode support, and exporting and reporting of searches. |
| 07/31/2020 |
EnCase |
8.11 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 05/29/2020 |
Magnet Axiom |
3.9.0.18130 |
Magnet Forensics |
Magnet Axiom is a complete end-to-end digital forensics solution. It is made up of two components. AXIOM Process is used to acquire and process evidence, preparing it for an investigation. AXIOM Examine is used to conduct the actual analysis. Magnet AXIOM can recover hundreds of types of digital artifacts from various sources. It also has the ability to link artifact evidence back to its source data. The developer considers this the next generation of its Internet Evidence Finder (IEF) product. |
| 05/29/2020 |
X-Ways Forensics |
19.9 |
X-Ways Software Technology AG |
X-Ways Forensics is an advanced work environment for computer forensic examiners. It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator. |
| 03/24/2020 |
Atola Insight Forensic |
4.15.1 |
Atola Technologies Inc. |
Atola Insight Forensic offers complex data retrieval functions along with utilities for manually accessing hard drives at the lowest level, wrapped in a very simple and efficient user interface. The system consists of the DiskSense hardware unit, the Atola Insight Forensic software, and optional hardware extensions. The system can image data at a rate of up to 520 MB/s and has the ability to work with both intact and damaged media. Other features include a write blocker, in-depth hard drive diagnostics, extraction of unknown ATA passwords, hash calculation, support for several types of connection, file data recovery for several popular filesystems, data erasure capabilities, optional networking capabilities, and a case management system. |
| 01/10/2020 |
TX1 |
2.2 |
Tableau |
This validation report is provided by ArmyCID. |
| 11/05/2019 |
Magnet Axiom |
3.2.0.14471 |
Magnet Forensics |
Magnet Axiom is a complete end-to-end digital forensics solution. It is made up of two components. AXIOM Process is used to acquire and process evidence, preparing it for an investigation. AXIOM Examine is used to conduct the actual analysis. Magnet AXIOM can recover hundreds of types of digital artifacts from various sources. It also has the ability to link artifact evidence back to its source data. The developer considers this the next generation of its Internet Evidence Finder (IEF) product. |
| 09/18/2019 |
Forensic Toolkit (FTK) Imager |
4.2.1.4 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 09/06/2019 |
Forensic Toolkit (FTK) |
7.1.0 |
AccessData |
Forensic Tool Kit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to conduct analysis of various media types, including hashing and searching for keywords, as well as bookmarking and reporting capabilities. |
| 07/29/2019 |
Atola Forensic Imager |
4.12 (Windows 10) |
Atola Technology Inc. |
Atola is a combination hardware/Windows-based application. The purpose of Atola is to image and hash case evidence drives to be used in the lab for examination. Atola provides a Windows environment tool, using hardware and software, that delivers logging and dd-type image files, which help the Defense Cyber Forensics Laboratory (DCFL) in its efforts to provide automatically generated byte counts and sector counts while properly handling bad sectors when encountered. This version provides the capability of creating multiple output streams to different devices and/or files, and allows for the automatic hashing of the resultant images if desired. The log also contains all the information needed to recreate the images, maintaining a listing of the settings and the commands used to create the image, so it can be passed on to an examiner. |
| 07/29/2019 |
Atola Forensic Imager |
4.12 (Windows 7) |
Atola Technology Inc. |
Atola is a combination hardware/Windows-based application. The purpose of Atola is to image and hash case evidence drives to be used in the lab for examination. Atola provides a Windows environment tool, using hardware and software, that delivers logging and dd-type image files, which help the Defense Cyber Forensics Laboratory (DCFL) in its efforts to provide automatically generated byte counts and sector counts while properly handling bad sectors when encountered. This version provides the capability of creating multiple output streams to different devices and/or files, and allows for the automatic hashing of the resultant images if desired. The log also contains all the information needed to recreate the images, maintaining a listing of the settings and the commands used to create the image, so it can be passed on to an examiner. |
| 07/02/2019 |
Internet Evidence Finder (IEF) |
6.24.0.16088 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to, emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF displays the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernation files, and page files. |
| 06/27/2019 |
Falcon-Neo Forensic Imager |
2.1 |
LogiCube |
Falcon is a standalone imaging platform. The purpose of the Falcon is to image, hash, and restore case evidence drives to be used in the lab for acquisition and image conversion. Falcon provides a network-based connection to the desktop unit to allow for remote control of the setup and operation of the device. Falcon maintains logs of all tasks performed and is capable of connecting to network storage to store and restore images. The logs are retrievable, which helps the DC3 Cyber Forensics Laboratory (CFL) in its efforts to provide automatically generated byte counts and sector counts while properly handling bad sectors when encountered. This version provides the capability of creating multiple output streams to different devices and/or files, and allows for the automatic hashing of the resultant images if desired. The log also contains all the information needed to recreate the images, maintaining a listing of the settings and the commands used to create the image, so it can be passed on to an examiner. |
| 06/27/2019 |
Magnet Axiom |
2.8.0.12333 |
Magnet Forensics |
Magnet Axiom is a complete end-to-end digital forensics solution. It is made up of two components. AXIOM Process is used to acquire and process evidence, preparing it for an investigation. AXIOM Examine is used to conduct the actual analysis. Magnet AXIOM can recover hundreds of types of digital artifacts from various sources. It also has the ability to link artifact evidence back to its source data. The developer considers this the next generation of its Internet Evidence Finder (IEF) product. |
| 06/11/2019 |
X-Ways Forensics & WinHex |
19.8 |
X-Ways Software Technology AG |
X-Ways was developed by X-Ways Software Technology AG. X-Ways is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. |
| 05/01/2019 |
XRY |
7.6 |
MSAB |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
Rapid Hash Analysis |
Release Candidate (RC5) |
Digital Forensics and Research Branch (DFRB) |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
E3 |
E3 |
Paraben |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
ODIN |
v3 |
Samsung |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
Imaging for Operations (IO) |
20170906 |
CipherTech Solutions |
IO was developed by Cipher Tech Solutions. It is a zero-click forensic imaging tool that automatically enables a USB software write-block, detects changes to attached devices, and begins producing E01 images from connected target media without any user interaction. Furthermore, IO logs include device information such as device type, model, name, size, geometry, MD5 and SHA1 hashes, the hardware serial number, the volume serial number for each partition, and the device VID/PID. |
| 05/01/2019 |
BlackLight |
2018R3 |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and includes analysis of memory images. BlackLight allows for easy searching, filtering, and otherwise sifting through large data sets. The tool runs on both Windows and Mac OS X. It can logically acquire Android and iPhone/iPad devices. BlackLight can analyze data from PC, Mac, and mobile platforms within one interface. |
| 05/01/2019 |
Registry Explorer |
1.0.0.4 |
Eric Zimmerman |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
Clonezilla |
July 16 2018 |
Steven Shiau, K.L. Huang, Ceasar Sun, Jazz Wang, Thomas Tsai, Jean-Francois, Louie Chen, Nagappan Al |
Clonezilla, based on DRBL, Partclone, and udpcast, allows you to do bare-metal backup and recovery. Two types of Clonezilla are available: Clonezilla live and Clonezilla SE (server edition). Clonezilla live is suitable for single-machine backup and restore, while Clonezilla SE is for massive deployment; it can clone many (40 plus!) computers simultaneously. Clonezilla saves and restores only used blocks in the hard disk, which increases clone efficiency. At the NCHC's Classroom C, Clonezilla SE was used to clone 41 computers simultaneously. It took only about 10 minutes to clone a 5.6 GBytes system image to all 41 computers via multicasting! |
| 05/01/2019 |
Redline |
1.20.1 |
Mandiant |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
TX1 |
TX1 |
Tableau |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
TD2 Forensic Duplicator |
4.01 |
Tableau |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
SPEKTOR Drive |
6 |
Evidence Talks |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
SoftBlock |
1.1.0 |
BlackBag Technologies |
This validation report was provided by ArmyCID. |
| 05/01/2019 |
ShellBags Explorer |
0.9.5.0 |
Eric Zimmerman |
This validation report is provided by ArmyCID. |
| 05/01/2019 |
RECON LAB |
1.07 |
SUMURI |
RECON LAB is a forensics suite that runs on Apple Mac computers. It supports Windows, Mac, iOS, Android and Google Takeout Automated Analysis. The tool also includes viewers for various file formats, as well as file system drivers for Mac, Windows, and Linux via an included license for Paragon's Mac Toolbox. |
| 05/01/2019 |
PhotoRec |
7 |
CGsecurity |
PhotoRec is file data recovery software designed to recover lost files, including video, documents, and archives, from hard disks and CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. |
| 04/30/2019 |
OnlineMD5 |
July 22 2018 |
OnlineMD5 |
This validation report was provided by ArmyCID. |
| 04/30/2019 |
NTFS Log Tracker |
1.41 |
Blue Angel |
This validation report is provided by ArmyCID. |
| 04/30/2019 |
JumpListsView |
1.1 |
Nirsoft |
This validation report was provided by ArmyCID. |
| 04/30/2019 |
FullEventLogView |
1.2 |
Nirsoft |
This validation was provided by ArmyCID. |
| 04/30/2019 |
NetAnalysis with HstEx 4.4 |
2.8 |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature allows the user to identify evidence quickly and easily. |
| 04/30/2019 |
MFTECmd |
0.2.9.1 |
Eric Zimmerman |
MFTECmd is a command-line MFT parser. Validation report provided by ArmyCID. |
| 04/30/2019 |
Forensic Falcon |
1.0 NEO |
Logicube |
The Falcon images and verifies the following formats: native or mirror copies, dd images, E01, EX01, and file-based copies. E01 and EX01 feature user-selectable compression levels, and the Falcon supports SHA1, SHA256, or MD5 hash verification. The Falcon can simultaneously perform multiple imaging tasks from one or two drives to multiple output drives in different formats. |
| 04/30/2019 |
Libesedb |
20170121 |
Open Source |
libesedb is a library to access the Extensible Storage Engine (ESE) Database File (EDB) format. Validation provided by ArmyCID. |
| 04/30/2019 |
HxD |
1.7.7.0 |
Maël Hörz |
HxD is a hex editor for Windows. It also contains a disk editor and a memory editor. Its features include standard hex-based editing, opening and editing raw disk content, editing the memory of active processes, calculating checksums, comparing files, and shredding files. |
| 04/30/2019 |
HashMyFiles |
2.23 |
Nirsoft |
HashMyFiles calculates MD5 and SHA1 hashes on Windows 2000/XP/2003/Vista/Windows 7/Windows 8. |
| 04/30/2019 |
Forensic Toolkit (FTK) |
7 |
AccessData |
Forensic Tool Kit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to conduct analysis of various media types, including hashing and searching for keywords, as well as bookmarking and reporting capabilities. |
| 04/30/2019 |
Forensic Toolkit (FTK) Imager |
4.2.0 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 04/30/2019 |
Emailchemy |
14.1.1 |
Weird Kid Software |
This validation was conducted and provided by ArmyCID. |
| 04/30/2019 |
DateDecoder |
1.2.1 |
Sanderson Forensics |
This validation was conducted and provided by ArmyCID. |
| 04/30/2019 |
Magnet Axiom |
2.02 |
Magnet Forensics |
Magnet Axiom is a complete end-to-end digital forensics solution. It is made up of two components. AXIOM Process is used to acquire and process evidence, preparing it for an investigation. AXIOM Examine is used to conduct the actual analysis. Magnet AXIOM can recover hundreds of types of digital artifacts from various sources. It also has the ability to link artifact evidence back to its source data. The developer considers this the next generation of its Internet Evidence Finder (IEF) product. |
| 04/26/2019 |
EnCase Forensic Imager |
8.08.00.140 |
Guidance Software |
EnCase Forensic Imager was developed by Guidance Software. EnCase Forensic Imager is a tool for data imaging and verification. EnCase Forensic Imager is able to create forensic images of evidence without making changes to the original evidence. This tool is also able to compute the MD5 and SHA1 hash values of the evidence. EnCase Forensic Imager is capable of wiping local disk drives and restoring evidence to a wiped disk drive. |
| 03/26/2019 |
X-Ways Forensics |
19.7 |
X-Ways Software Technology AG |
X-Ways Forensics is an advanced work environment for computer forensic examiners. It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator. |
| 03/26/2019 |
DC3DD |
7.2.647 on CYGWIN 2.11.2 on Windows 7 |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 03/26/2019 |
DC3DD |
7.2.647 on CYGWIN 2.11.2 on Windows 10 |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 03/26/2019 |
Forensic Toolkit (FTK) |
7 |
AccessData |
Forensic Tool Kit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to conduct analysis of various media types, including hashing and searching for keywords, as well as bookmarking and reporting capabilities. |
| 03/18/2019 |
RECON Imager |
1.05 |
SUMURI |
RECON was developed by SUMURI. RECON is a bootable imaging utility for Intel-based Macintosh computers. RECON provides a software write-blocked environment for all internal and external media until imaging is initiated and a destination drive is selected. RECON supports both older and newer Macs, including Apple’s new APFS file system, FileVault2, Fusion drives, and Core Storage volumes. It is important to note that the RECON USB thumb drive comes with two separate bootable partitions in order to provide boot compatibility with a wider range of Mac systems. |
| 01/09/2019 |
BlackLight |
2018R3.1 on Windows 10 |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and includes analysis of memory images. BlackLight allows for easy searching, filtering, and otherwise sifting through large data sets. The tool runs on both Windows and Mac OS X. It can logically acquire Android and iPhone/iPad devices. BlackLight can analyze data from PC, Mac, and mobile platforms within one interface. |
| 01/09/2019 |
Forensic Toolkit (FTK) Imager |
4.2.0.13 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 12/04/2018 |
Autopsy |
4.8.0 |
Basis Technology Corporation & Brian Carrier |
Autopsy was developed by Basis Technology Corporation and Brian Carrier. Autopsy is a custom front-end application for The Sleuth Kit (TSK) which provides a user interface, as well as case management. TSK is a library and collection of UNIX- and Windows-based tools and utilities that allow for the forensic analysis of computer systems. Autopsy can be used to perform digital investigations and data extraction from images of mobile devices, Windows, Linux, and UNIX systems. |
| 12/04/2018 |
EnCase |
8.07.00.93 on Windows 10 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 12/04/2018 |
X-Ways Forensics |
19.6 |
X-Ways Software Technology AG |
X-Ways Forensics is an advanced work environment for computer forensic examiners. It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator. |
| 09/05/2018 |
Magnet Axiom |
2.0.0.9322 |
Magnet Forensics |
Magnet Axiom is a complete end-to-end digital forensics solution. It is made up of two components. AXIOM Process is used to acquire and process evidence, preparing it for an investigation. AXIOM Examine is used to conduct the actual analysis. Magnet AXIOM can recover hundreds of types of digital artifacts from various sources. It also has the ability to link artifact evidence back to its source data. The developer considers this the next generation of its Internet Evidence Finder (IEF) product. |
| 06/28/2018 |
DC3Nix |
3 |
DC3 |
DC3nix was developed by the Defense Cyber Crime Center (DC3). It is a live-CD tool based on the Knoppix 7.6 distribution that runs from a USB drive. It allows law enforcement investigators in the field to preview a suspect's computer before deciding whether to seize it. |
| 06/28/2018 |
BlackLight |
2018R1.1 on Windows 10 |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and includes analysis of memory images. BlackLight allows for easy searching, filtering, and otherwise sifting through large data sets. The tool runs on both Windows and Mac OS X. It can logically acquire Android and iPhone/iPad devices. BlackLight can analyze data from PC, Mac, and mobile platforms within one interface. |
| 06/28/2018 |
BlackLight |
2018R1 on Windows 10 |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and includes analysis of memory images. BlackLight allows for easy searching, filtering, and otherwise sifting through large data sets. The tool runs on both Windows and Mac OS X. It can logically acquire Android and iPhone/iPad devices. BlackLight can analyze data from PC, Mac, and mobile platforms within one interface. |
| 04/23/2018 |
Forensic Toolkit (FTK) |
6.4 |
AccessData |
Forensic Tool Kit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to conduct analysis of various media types, including hashing and searching for keywords, as well as bookmarking and reporting capabilities. |
| 04/23/2018 |
BlackLight |
2017 R1.1 for Windows |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and includes analysis of memory images. BlackLight allows for easy searching, filtering, and otherwise sifting through large data sets. The tool runs on both Windows and Mac OS X. It can logically acquire Android and iPhone/iPad devices. BlackLight can analyze data from PC, Mac, and mobile platforms within one interface. |
| 01/17/2018 |
CDRoller |
10.60.20 |
Digital Atlantic Corp. |
CDRoller is a toolset for data recovery from optical discs (CD, DVD, Blu-ray), hard and flash drives, memory cards, and floppy disks. |
| 01/17/2018 |
BlackLight |
2016 R3.1 |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and includes analysis of memory images. BlackLight allows for easy searching, filtering, and otherwise sifting through large data sets. The tool runs on both Windows and Mac OS X. It can logically acquire Android and iPhone/iPad devices. BlackLight can analyze data from PC, Mac, and mobile platforms within one interface. |
| 01/17/2018 |
Forensic Toolkit (FTK) Imager |
4.1.1 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 01/17/2018 |
DC3 EFDetect |
1.8.0 |
DC3 |
EFDetect is a tool for the detection of encrypted data. EFDetect recursively searches drives and directories for files in various encrypted formats. Supported formats include, but are not limited to: TrueCrypt, TCSteg, TCSTEG v2, DriveCrypt, Steganos, MS Office, PDF, 7-zip, ZIP, WinRAR, EFS, and Video Padlock. |
| 01/17/2018 |
Imaging for Operations (IO) |
20170829 |
CipherTech Solutions |
IO was developed by Cipher Tech Solutions. It is a zero-click forensic imaging tool that automatically enables a USB software write-block, detects changes to attached devices, and begins producing E01 images from connected target media without any user interaction. Furthermore, IO logs include device information such as device type, model, name, size, geometry, MD5 and SHA1 hashes, the hardware serial number, the volume serial number for each partition, and the device VID/PID. |
| 10/26/2017 |
WriteBlocker |
USB 3.0, Driver 1.1.0.4 |
WiebeTech |
Write-block support is provided via WiebeTech's proprietary write-block technology, which offers easy, read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB2, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. Each bay offers independent dual FireWire 800 (400 compatible), single USB2, and eSATA ports. |
| 10/26/2017 |
Forensic Toolkit (FTK) |
6.2.1 |
AccessData |
Forensic Tool Kit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to conduct analysis of various media types, including hashing and searching for keywords, as well as bookmarking and reporting capabilities. |
| 10/26/2017 |
UltraDock WriteBlocker |
5.5 |
WiebeTech |
The UltraDock was developed by WiebeTech. Write-block support is provided via WiebeTech's proprietary write-block technology, which offers easy, read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB2, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. |
| 10/19/2017 |
PeStudio |
8.51 |
Winitor |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
Log Parser Lizard |
4.0.7 |
Lizard Labs |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
DiskSense Forensic Unit (ADFU) |
4.3.1 |
Atola |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
Log Parser Studio |
2.2 |
Microsoft |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
WinPrefetchView |
1.3 |
Nirsoft |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
WinFE Boot Disk |
10.0.1586 DualBoot V1 |
Microsoft Corporation |
WinFE was developed by Troy Larson at Microsoft. The version used in this validation was put together on a USB thumb drive by the Federal Law Enforcement Training Centers (FLETC). WinFE is based on the Windows Preinstallation Environment (WinPE) with a slight registry modification that prevents automatic mounting of any storage medium, including the source drive, and write-blocks any storage medium when it is mounted (read-only by default). This creates a forensically sound environment when booting into and/or acquiring evidence from a Windows-based tablet. |
| 10/19/2017 |
Volatility Framework (TVF) |
2.4 |
Volatility Foundation |
The Volatility Framework is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The Volatility Framework provides a wide range of extraction capabilities. |
| 10/19/2017 |
T6es Forensic SAS Bridge |
T6es |
Tableau |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
Magnet Acquire |
2.0.0.0699 |
Magnet |
Magnet Acquire allows examiners to quickly acquire forensic images from personal computers and mobile devices. These include hard drives, removable devices, and both iOS and Android based devices. It performs activity logging and documentation, allowing the examiner to see which acquisition methods were used and how data was extracted in a particular acquisition. |
| 10/19/2017 |
WriteProtect DESKTOP |
v1.0u1rc02 |
Logicube |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
Write Protect Bay |
1.01 |
Logicube |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
Quick Hash |
2.6.7 |
tedtechnology |
This validation was conducted and provided by ArmyCID. |
| 10/19/2017 |
Forensic Falcon |
3 |
Logicube |
The Falcon images and verifies the following formats: native or mirror copies, dd images, E01, Ex01 and file-based copies. E01 and Ex01 offer user-selectable compression levels, and the Falcon supports MD5, SHA-1 or SHA-256 hashing for verification. The Falcon can simultaneously perform multiple imaging tasks from one or two source drives to multiple output drives in different formats. |
| 10/19/2017 |
Analyze Digital Investigator (DI) |
16.2.2 |
Griffeye |
Most investigative tools haven't kept pace with the increasing volume of image and video files. In some cases this results in a manual review of millions of files, and it almost always increases caseload and turnaround times. Analyze Digital Investigator (DI) reverses that trend: a rich toolset with automated processes to categorize and filter out non-pertinent material helps the examiner work faster and better. Note that the validation may cover one of the other editions of this software rather than the Pro edition named in the abstract. |
| 10/19/2017 |
Forensic Toolkit (FTK) |
6.1 |
AccessData |
Forensic Toolkit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to analyze various media types, including hashing and keyword searching, and provides bookmarking and reporting capabilities. |
| 09/29/2017 |
EnCase |
8.01 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 09/29/2017 |
DC3 Advanced Carver |
1.0.1 |
DC3 |
DC3 Advanced Carver (DC3AC) is an advanced file carving tool built for speed and accuracy. It uses advanced algorithms to recover files that other tools are not capable of recovering. The tool can carve complete files and repair partial files for multiple file types, such as archives, audio, databases, documents, free-form text, pictures, software and videos. DC3AC is modular, which allows file types to be toggled on or off for carving. The main use case is carving unallocated space, but DC3AC can also carve from memory dumps, page files, disk images and damaged files. To request previous versions of DC3 Advanced Carver, new features, or any other inquiries, email us at DC3.TSD@us.af.mil |
| 09/29/2017 |
USB 3.0 Dock with write protection |
1 |
Coolgear |
This validation was conducted and provided by ArmyCID. |
| 09/29/2017 |
BrowsingHistoryView |
1.71 |
Nirsoft |
BrowsingHistoryView is a utility that reads the history data of four different Web browsers (Internet Explorer, Mozilla Firefox, Google Chrome, and Safari) and displays the history from all browsers in one table. The browsing history table includes the following information: Visited URL, Title, Visit Time, Visit Count, Web Browser and User Profile. BrowsingHistoryView allows you to view the browsing history of all user profiles on a running system, as well as to read the browsing history from an external hard drive. The browsing history can be exported to a CSV, tab-delimited, HTML or XML file from the user interface or from the command line without displaying any user interface. |
| 09/29/2017 |
Magnet AXIOM |
1 |
Magnet Forensics |
Magnet AXIOM is a complete end-to-end digital forensics solution. It is made up of two components: AXIOM Process is used to acquire and process evidence, preparing it for an investigation, and AXIOM Examine is used to conduct the actual analysis. Magnet AXIOM can recover hundreds of types of digital artifacts from various sources and can link artifact evidence back to its source data. The developer considers this the next generation of its Internet Evidence Finder (IEF) product. |
| 09/29/2017 |
Arsenal Image Mounter |
1.0.019 |
Arsenal Recon |
Arsenal Image Mounter mounts forensic images in various formats as disks within Windows. The tool utilizes a virtual SCSI adaptor, so Windows treats these as real SCSI disks. This allows for the use of disk-specific features such as integration with Disk Manager and access to volume shadow copies. Arsenal Image Mounter supports images in various formats, and it can mount disks formatted with any filesystem for which a filesystem driver is installed in Windows. |
| 09/13/2017 |
Magnet AXIOM |
1.0.9.3568 |
Magnet Forensics |
Magnet AXIOM is a complete end-to-end digital forensics solution. It is made up of two components: AXIOM Process is used to acquire and process evidence, preparing it for an investigation, and AXIOM Examine is used to conduct the actual analysis. Magnet AXIOM can recover hundreds of types of digital artifacts from various sources and can link artifact evidence back to its source data. The developer considers this the next generation of its Internet Evidence Finder (IEF) product. |
| 09/13/2017 |
CD/DVD Inspector |
5.1.1 |
InfinaDyne |
CD/DVD Inspector analyzes CDs, DVDs, and Blu-ray (BD) discs to identify sessions and files, characterize the media, and produce reports of the results. It has been tailored for professionals in data recovery, forensics, and law enforcement. CD/DVD Inspector reads all major CD and DVD filesystem formats, including ISO-9660, Joliet, UDF, HSG, HFS and HFS+. When the disc being examined contains more than a single filesystem, all filesystems found are displayed. |
| 09/13/2017 |
Atola Forensic Imager |
4.8 on Windows 7 |
Atola Technology Inc. |
Atola Forensic Imager is a combination of hardware and a Windows-based application used to image and hash evidence drives for laboratory examination. It produces logs and dd-format image files that help the Defense Cyber Forensics Laboratory (DCFL) automatically generate byte and sector counts while properly handling bad sectors when encountered. This version can write multiple output streams to different devices and/or files and can automatically hash the resulting images if desired. The log records everything needed to recreate the images, including the settings and commands used, so it can be passed on to an examiner. |
| 09/13/2017 |
Atola Forensic Imager |
4.8 on Windows 10 |
Atola Technology Inc. |
Atola Forensic Imager is a combination of hardware and a Windows-based application used to image and hash evidence drives for laboratory examination. It produces logs and dd-format image files that help the Defense Cyber Forensics Laboratory (DCFL) automatically generate byte and sector counts while properly handling bad sectors when encountered. This version can write multiple output streams to different devices and/or files and can automatically hash the resulting images if desired. The log records everything needed to recreate the images, including the settings and commands used, so it can be passed on to an examiner. |
| 09/13/2017 |
X-Ways Forensics |
19.1 x64 |
X-Ways Software Technology AG |
X-Ways Forensics is an advanced work environment for computer forensic examiners. It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator. |
| 09/13/2017 |
SuperImager Plus Desktop Pro Imaging System |
Gen2 |
MediaClone |
The main application on the SuperImager hardware platform, running on a Linux OS in various hardware configurations, is a full-suite forensic imaging application that lets the user forensically image and capture data from many sources (suspect digital storage media or network folders) and save it to many targets (evidence drives or network folders). Features include restoring images (from DD or E01 format) back to their original structure, DoD and Security Erase operations, hash calculation and verification, multi-session operation with multi-threaded E01 compression, and special handling of bad sectors and HPA/DCO areas. |
| 06/13/2017 |
Forensic Toolkit (FTK) Imager |
3.4.3 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine whether further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence, and can compute the MD5 and SHA-1 hash values of the evidence. |
| 06/13/2017 |
Internet Evidence Finder (IEF) |
6.8.0.2163 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 04/27/2017 |
BlackLight |
2016r2.0 (Windows) |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices, sheds light on user actions, and includes analysis of memory images. It allows for easy searching, filtering and otherwise sifting through large data sets. The tool runs on both Windows and Mac OS X, can logically acquire Android and iPhone/iPad devices, and can analyze data from PC, Mac, and mobile platforms within one interface. |
| 04/27/2017 |
Nuix |
7.0.1 |
Nuix |
Nuix is a tool capable of indexing, searching, categorizing, displaying, and extracting the contents of disk images and other container files. |
| 04/27/2017 |
DITTO DX Forensic Field Station Firmware |
2016Dec05A |
DITTO |
The hand-held Ditto DX Forensic Field Station is used by a technician to create local, remote, or networked disk clones and images, including logical imaging of user-selectable lists of files and folders. It can be configured and managed over the network or on the unit itself. The Ditto DX also logs user activity and maintains chain of custody while using forensic (write-blocked) methods. An easy-to-use web browser interface supports remote operation via network or VPN, providing access to Ditto DX configuration, user administration and user rights, as well as direct operation of Ditto DX cloning and imaging operations. |
| 04/27/2017 |
DITTO Forensic Field Station Firmware |
2016Dec05A |
DITTO |
The hand-held Ditto Forensic Field Station is used by a technician to create local, remote, or networked disk clones and images, including logical imaging of user-selectable lists of files and folders. It can be configured and managed over the network or on the unit itself. The Ditto also logs user activity and maintains chain of custody while using forensic (write-blocked) methods. An easy-to-use web browser interface supports remote operation via network or VPN, providing access to Ditto configuration, user administration and user rights, as well as direct operation of Ditto cloning and imaging operations. |
| 04/27/2017 |
Log2Timeline |
1.5.1 |
Kristinn Gudjonsson |
Log2Timeline was developed by The Plaso Project (kiddaland). Log2timeline is a framework for automatic creation of a super timeline. Its main purpose is to provide a single tool that parses various log files and artifacts found on a suspect's system (and supporting systems, such as network equipment) and produces a timeline that forensic investigators can analyze. |
| 02/09/2017 |
Internet Evidence Finder (IEF) |
6.7.0.0450 (Revised) |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 02/09/2017 |
Forensic Explorer |
3.6.8 |
GetData Forensics Pty Ltd. |
Forensic Explorer is a Windows-based digital forensic investigation suite. It provides imaging, analysis, and reporting capabilities. |
| 02/09/2017 |
NetAnalysis with HstEx 4.4 |
2.4 |
Digital Detective |
NetAnalysis was developed by Digital Detective for the analysis of internet history data. NetAnalysis includes its own history extractor (HstEx), which allows the user to identify evidence quickly and easily. |
| 01/23/2017 |
EnCase |
7.10.05.11 (Windows 10) |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 01/23/2017 |
EnCase |
7.10.05.11 (Windows 7) |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 12/02/2016 |
Registry Browser |
3.11 |
Lock and Code |
Registry Browser was developed by Lock and Code. It is a tool capable of searching Windows registry information from a copy of a computer's Windows folder. |
| 12/02/2016 |
Forensic Toolkit (FTK) |
6.0.1.30 |
AccessData |
Forensic Toolkit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to analyze various media types, including hashing and keyword searching, and provides bookmarking and reporting capabilities. |
| 12/02/2016 |
T3458is Forensic Bridge Firmware Update |
7.15 |
Tableau |
The T3458is was developed by Tableau. Write-block support is provided via Tableau's proprietary write-block technology, which offers easy read-only access to suspect devices through high-speed FireWire 800 (400 compatible) or SATA interfaces. Tableau's write-block technology is compatible with forensic acquisition and analysis software. |
| 12/02/2016 |
Atola Forensic Imager |
4.6 (Windows 10) |
Atola Technology Inc. |
Atola Forensic Imager is a combination of hardware and a Windows-based application used to image and hash evidence drives for laboratory examination. It produces logs and dd-format image files that help the Defense Cyber Forensics Laboratory (DCFL) automatically generate byte and sector counts while properly handling bad sectors when encountered. This version can write multiple output streams to different devices and/or files and can automatically hash the resulting images if desired. The log records everything needed to recreate the images, including the settings and commands used, so it can be passed on to an examiner. |
| 12/02/2016 |
Atola Forensic Imager |
4.6 (Windows 7) |
Atola Technology Inc. |
Atola Forensic Imager is a combination of hardware and a Windows-based application used to image and hash evidence drives for laboratory examination. It produces logs and dd-format image files that help the Defense Cyber Forensics Laboratory (DCFL) automatically generate byte and sector counts while properly handling bad sectors when encountered. This version can write multiple output streams to different devices and/or files and can automatically hash the resulting images if desired. The log records everything needed to recreate the images, including the settings and commands used, so it can be passed on to an examiner. |
| 10/13/2016 |
DC3 Forensic File Mount |
1.0 (Windows 10) |
DC3 |
DC3FFM was developed by DC3. The tool is an NFS server built around The Sleuth Kit (v4.1.3). DC3FFM allows the examiner to mount any file system supported by TSK, including ext3, ext4 and HFS+, which cannot be mounted on a Windows system any other way. Every partition on the target drive image can be mounted, so the examiner can examine the MFT or Linux swap space if desired. |
| 10/13/2016 |
DC3 Forensic File Mount |
1.0 (Windows 7) |
DC3 |
DC3FFM was developed by DC3. The tool is an NFS server built around The Sleuth Kit (v4.1.3). DC3FFM allows the examiner to mount any file system supported by TSK, including ext3, ext4 and HFS+, which cannot be mounted on a Windows system any other way. Every partition on the target drive image can be mounted, so the examiner can examine the MFT or Linux swap space if desired. |
| 09/02/2016 |
NetAnalysis with HstEx 4 |
2 |
Digital Detective |
NetAnalysis was developed by Digital Detective for the analysis of internet history data. NetAnalysis includes its own history extractor (HstEx), which allows the user to identify evidence quickly and easily. |
| 09/02/2016 |
X-Ways Forensics & WinHex |
18 |
X-Ways Software Technology AG |
X-Ways was developed by X-Ways Software Technology AG. At its core, X-Ways is a universal hexadecimal editor, particularly helpful in computer forensics, data recovery, low-level data processing, and IT security. It is an advanced tool for everyday and emergency use: inspect and edit all kinds of files, and recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. |
| 09/02/2016 |
WriteBlocker |
FRTX 400H-QJ |
WiebeTech |
Write-block support is provided via WiebeTech's proprietary write-block technology, which offers easy, read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB 2.0, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. Each bay offers independent dual FireWire 800 (400 compatible), single USB 2.0, and eSATA ports. |
| 09/02/2016 |
DC3 VCF to CSV |
1 20140108 |
DC3 |
VCF to CSV was developed by DCCI. It is a Perl script designed to extract data from VCF (vCard) files and store specific fields in CSV files. |
| 09/02/2016 |
UltraDock WriteBlocker |
5 |
WiebeTech |
The UltraDock was developed by WiebeTech. Write-block support is provided via WiebeTech's proprietary write-block technology, which offers easy read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB 2.0, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. |
| 09/02/2016 |
Registry Viewer (RV) |
1.5.2 |
AccessData |
Registry Viewer was developed by AccessData. Registry Viewer allows the user to view and analyze the contents of registry entries from MS Windows operating systems. In addition, it allows the user to create a report containing information related to the different registry keys. |
| 09/02/2016 |
ProDiscover IR (VSC Capability) |
6.11.0.0 |
Technology Pathways LLC |
ProDiscover was developed by Technology Pathways, LLC. ProDiscover is a tool used for analyzing digital evidence such as image files and physical disks. For this validation, the focus will be on evidence that contains one or more shadow volumes. ProDiscover advertises the ability to detect and image shadow volumes and the ability to export files, hash files, and compare the contents of shadow volumes. |
| 09/02/2016 |
MD5Deep / HashDeep |
3.6 |
Jesse Kornblum |
MD5Deep was developed by Jesse Kornblum. md5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. Through its hashdeep component, it is able to match and audit hash sets. Traditional matching programs report only whether an input file matched one in a set of knowns or did not, which makes it hard to get a complete picture of the state of the input files compared to the set of knowns: there may be matched files, missing files, files that have moved within the set, and new files not in the set. hashdeep can report all of these conditions. The tool can even spot hash collisions, where an input file matches a known file in one hash algorithm but not in the others. The results are presented in an audit report. |
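The audit semantics described above (matched, moved, new, missing, and a cross-algorithm collision) are small enough to implement directly. The Python below is an added example written for this page, not hashdeep's own code: it hashes a directory tree with two algorithms in a single pass, as hashdeep does, and classifies a later state of the tree against the earlier one. Tiger and Whirlpool are omitted because Python's hashlib does not guarantee them; the directory contents and the changes made to them are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Digests computed in one pass over each file. hashdeep also offers Tiger and
# Whirlpool, which hashlib does not guarantee, so they are left out here.
ALGOS = ("md5", "sha256")


def hash_file(path, algos=ALGOS):
    """Read the file once and feed every digest object from the same buffer."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_tree(root, algos=ALGOS):
    """Map each regular file under root (relative POSIX path) to its digests."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algos)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(known, current):
    """Compare a current hash set against a known set and report each condition:
    matched   - same path, every digest agrees
    collision - same path, digests agree in some algorithms but not all
    moved     - every digest matches a known file, but at a different path
    new       - no known file carries these digests
    missing   - known files that no current file accounts for
    """
    by_digests = {tuple(sorted(d.items())): p for p, d in known.items()}
    report = {"matched": [], "collision": [], "moved": [], "new": [], "missing": []}
    accounted = set()
    for path, digests in current.items():
        if path in known:
            agreeing = sum(digests[a] == known[path].get(a) for a in digests)
            if agreeing == len(digests):
                report["matched"].append(path)
                accounted.add(path)
                continue
            if agreeing:  # partial agreement: a collision in at least one algorithm
                report["collision"].append(path)
                accounted.add(path)
                continue
        origin = by_digests.get(tuple(sorted(digests.items())))
        if origin is not None:
            report["moved"].append((origin, path))
            accounted.add(origin)
        else:
            report["new"].append(path)
    report["missing"] = sorted(p for p in known if p not in accounted)
    return report


def demo():
    """Constructed scenario: hash a small tree, disturb it, audit the result."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sub").mkdir()
        (root / "a.txt").write_bytes(b"alpha")
        (root / "b.txt").write_bytes(b"bravo")
        (root / "sub" / "c.txt").write_bytes(b"charlie")
        known = hash_tree(root)                          # the "known" hash set
        (root / "a.txt").write_bytes(b"ALPHA")           # content changed in place
        (root / "b.txt").unlink()                        # deleted
        (root / "sub" / "c.txt").rename(root / "c.txt")  # moved, content intact
        (root / "d.txt").write_bytes(b"delta")           # never seen before
        return audit(known, hash_tree(root))


if __name__ == "__main__":
    for condition, items in demo().items():
        print(f"{condition:10s} {items}")
```

A file whose content changed in place shows up as both "new" (its digests are unknown) and "missing" (the known entry is unaccounted for), which is how hashdeep's audit also reads; the collision branch is reached only when the algorithms disagree with each other for the same path.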
| 09/02/2016 |
DC3 IMLook |
2.1 20090223 |
DC3 |
IMLook was developed by the Defense Cyber Crime Institute (DCCI). IMLook is a tool used to decrypt and display Yahoo! Messenger chat logs. |
| 09/02/2016 |
Image MASSter Solo-4 |
4.11.22.0 |
Intelligent Computer Solutions (ICS) |
Image MASSter Solo is a versatile, lightweight, portable, high-speed acquisition device. Using its on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact replica of the suspect's data without modification, rearrangement or corruption. It provides native interface support for SAS, SATA and external USB drives, in addition to PATA, including ATA-compatible solid-state and flash devices. |
| 09/02/2016 |
Image MASSter Solo-4 |
4.3.4.3 |
Intelligent Computer Solutions (ICS) |
Image MASSter Solo is a versatile, lightweight, portable, high-speed acquisition device. Using its on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact replica of the suspect's data without modification, rearrangement or corruption. It provides native interface support for SAS, SATA and external USB drives, in addition to PATA, including ATA-compatible solid-state and flash devices. |
| 09/02/2016 |
Internet Evidence Finder (IEF) |
6.4.0333 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 09/02/2016 |
Internet Evidence Finder (IEF) |
3.6.0 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 09/02/2016 |
HashTab |
3 |
Cody Batt |
HashTab was developed by Cody Batt. HashTab provides OS extensions to calculate file hashes. HashTab supports many hash algorithms, including MD5, SHA-1, SHA-2, RIPEMD, HAVAL, and Whirlpool. The tool provides an easy way to verify file integrity and authenticity. |
| 09/02/2016 |
Forensic Explorer |
1 |
GetData Forensics Pty Ltd. |
Forensic Explorer is a Windows-based digital forensic investigation suite. It provides imaging, analysis, and reporting capabilities. |
| 09/02/2016 |
EnCase |
6.18.0.59 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 09/02/2016 |
DC3 Video Validator |
2 |
DC3 |
DCCI Video Validator was developed by the Department of Defense Cyber Crime Institute (DCCI). Video Validator is used mainly to quickly verify whether video fragments obtained by data carving are playable. It can run as a standalone application or from within DCCI_StegCarver, and can create thumbnail storyboards for any validated videos. |
| 09/02/2016 |
DC3 Video Validator |
1 |
DC3 |
DCCI Video Validator was developed by the Department of Defense Cyber Crime Institute (DCCI). Video Validator is used mainly to quickly verify whether video fragments obtained by data carving are playable. It can run as a standalone application or from within DCCI_StegCarver, and can create thumbnail storyboards for any validated videos. |
| 09/02/2016 |
DC3 EFDetect |
1.3 |
DC3 |
EFDetect is a tool for the detection of encrypted data. EFDetect recursively searches drives and directories for files in various encrypted formats. Supported formats include, but are not limited to: TrueCrypt, TCSteg, TCSTEG v2, DriveCrypt, Steganos, MS Office, PDF, 7-zip, ZIP, WinRAR, EFS, and Video Padlock |
| 09/02/2016 |
DC3DD |
7.2.641 (Windows 7 & Ubuntu 12.04 LTS) |
Jesse Kornblum |
dc3dd is a command-line tool for the Linux, Mac OS and Windows environments. Its purpose is to image and hash evidence drives for laboratory examination. It delivers the logging and specific data formats that help the lab automatically generate byte and sector counts while properly handling bad sectors when encountered. This version can write multiple output streams to different devices and/or files and can automatically hash the resulting images if desired. The log contains everything needed to recreate the images, including the settings and the command used, so it can be passed on to an examiner. The multithreading enhancement lets dc3dd take advantage of multiprocessor platforms to reduce the time taken to perform the requested functions. |
| 09/02/2016 |
DC3 Computer Vision (CV) |
3 |
DC3 |
DC3_CV is used to expedite the time an examiner spends sifting through large directories of image files. With DC3_CV, examiners can use pre-trained datasets or easily create custom datasets of a person of interest. Using these datasets, DC3_CV finds other lookalikes automatically and presents the findings in a built-in viewer. DC3_CV can be run via a graphical user interface or a command line. |
| 09/02/2016 |
CD/DVD Inspector |
4.1 |
InfinaDyne |
CD/DVD Inspector analyzes CDs, DVDs, and Blu-ray (BD) discs to identify sessions and files, characterize the media, and produce reports of the results. It has been tailored for professionals in data recovery, forensics, and law enforcement. CD/DVD Inspector reads all major CD and DVD filesystem formats, including ISO-9660, Joliet, UDF, HSG, HFS and HFS+. When the disc being examined contains more than a single filesystem, all filesystems found are displayed. |
| 09/02/2016 |
Autopsy |
2.24 |
Basis Technology Corporation & Brian Carrier |
Autopsy was developed by Basis Technology Corporation and Brian Carrier. Autopsy is a custom front-end application for The Sleuth Kit (TSK) which provides a user interface, as well as case management. TSK is a library and collection of UNIX and Windows based tools and utilities to allow for the forensic analysis of computer systems. Autopsy can be used to perform digital investigations and data extraction from images of mobile devices, Windows, Linux, and UNIX systems. |
| 09/02/2016 |
DC3 AScan |
3.5 (Windows 7 Dell Precision T7500) |
DC3 |
AScan is a command-line program for the Windows environment that extracts information from the files and data structures of LimeWire, BearShare and Ares Galaxy. AScan organizes the collected information into an HTML document that presents the artifact information in an easy-to-read format. |
| 09/02/2016 |
DC3 AScan |
2.3 |
DC3 |
AScan is a command-line program for the Windows environment that extracts information from the files and data structures of LimeWire, BearShare and Ares Galaxy. AScan organizes the collected information into an HTML document that presents the artifact information in an easy-to-read format. |
| 09/02/2016 |
Atola Hardware/Software |
Windows 10 |
Atola Technology Inc. |
Atola Forensic Imager is a combination of hardware and a Windows-based application used to image and hash evidence drives for laboratory examination. It produces logs and dd-format image files that help the Defense Cyber Forensics Laboratory (DCFL) automatically generate byte and sector counts while properly handling bad sectors when encountered. This version can write multiple output streams to different devices and/or files and can automatically hash the resulting images if desired. The log records everything needed to recreate the images, including the settings and commands used, so it can be passed on to an examiner. |
| 09/02/2016 |
Atola Forensic Imager |
4.5 (Windows 7) |
Atola Technology Inc. |
Atola Forensic Imager is a combination of hardware and a Windows-based application used to image and hash evidence drives for laboratory examination. It produces logs and dd-format image files that help the Defense Cyber Forensics Laboratory (DCFL) automatically generate byte and sector counts while properly handling bad sectors when encountered. This version can write multiple output streams to different devices and/or files and can automatically hash the resulting images if desired. The log records everything needed to recreate the images, including the settings and commands used, so it can be passed on to an examiner. |
| 09/02/2016 |
Atola Forensic Imager |
4.5 (Windows 10) |
Atola Technology Inc. |
Atola is a hardware imager paired with a Windows-based application. Its purpose is to image and hash case evidence drives for examination in the lab. It delivers logging and raw (dd-style) image files that help the Defense Cyber Forensics Laboratory (DCFL) produce automatically generated byte counts and sector counts while properly handling bad sectors when they are encountered. This version can create multiple output streams to different devices and/or files, and can automatically hash the resulting images if desired. The log contains all the information needed to recreate the images, including the settings and the commands used to create them, so it can be passed on to an examiner. |
| 09/02/2016 |
DC3 AScan |
5.0 (Windows 10) |
DC3 |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| 09/02/2016 |
DC3DD |
7.2.646 (CYGWIN 2.5.0) |
Jesse Kornblum |
dc3dd is a command line tool for the Linux, Mac OS and Windows environments. Its purpose is to image and hash case evidence drives for examination in the lab. dc3dd gives the lab a tool that delivers the logging and specific data formats needed to produce automatically generated byte counts and sector counts while properly handling bad sectors when they are encountered. This version can create multiple output streams to different devices and/or files, and can automatically hash the resulting images if desired. The log contains all the information needed to recreate the images, including the settings and the command used to create them, so it can be passed on to an examiner. The multithreading enhancement lets dc3dd take advantage of multiprocessor platforms to reduce the time it takes to perform the requested functions. |
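The behaviours the dc3dd entry describes (sector-by-sector reads, bad-sector handling, multiple output streams, on-the-fly hashing and a log with byte and sector counts) are shown in the following added example. It is not dc3dd's own code; the evidence drive is a constructed in-memory stand-in with one unreadable sector, and the log layout is this example's own.

```python
"""Added example, not dc3dd's own code: a minimal dd-style imager. It reads
the source sector by sector, zero-fills and records any sector that cannot
be read (so offsets in the image stay aligned with the drive), writes to
several outputs at once, hashes the image as it is written, and returns a
log with byte and sector counts plus the parameters used."""
import hashlib
import io
import json

SECTOR = 512


class FlakySource:
    """Constructed stand-in for an evidence drive; sector `bad_sector` fails to read."""

    def __init__(self, data, bad_sector):
        assert len(data) % SECTOR == 0
        self.data, self.bad_sector = data, bad_sector

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n == self.bad_sector:
            raise OSError("simulated unreadable sector")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image(source, outputs, hash_names=("md5", "sha1")):
    """Copy every sector of `source` to each stream in `outputs`; return the log."""
    hashes = {name: hashlib.new(name) for name in hash_names}
    bad_sectors, bytes_in, bytes_out = [], 0, 0
    for n in range(source.sectors):
        try:
            chunk = source.read_sector(n)
            bytes_in += len(chunk)
        except OSError:
            bad_sectors.append(n)          # logged, then replaced with zeros
            chunk = b"\x00" * SECTOR
        for out in outputs:                # multiple output streams
            out.write(chunk)
        for h in hashes.values():          # hash the image as it is written
            h.update(chunk)
        bytes_out += len(chunk)
    return {
        "command": f"image(sector_size={SECTOR}, outputs={len(outputs)}, "
                   f"hashes={list(hash_names)})",
        "sectors_in": source.sectors - len(bad_sectors),
        "sectors_out": source.sectors,
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "bad_sectors": bad_sectors,
        "hashes": {name: h.hexdigest() for name, h in hashes.items()},
    }


def verify_image(image_bytes, log):
    """Re-hash a finished image and compare with every hash recorded in the log."""
    return all(hashlib.new(name, image_bytes).hexdigest() == digest
               for name, digest in log["hashes"].items())


def run_demo():
    """Image an 8-sector constructed drive whose sector 3 is unreadable."""
    source = FlakySource(bytes(range(256)) * 16, bad_sector=3)   # 4096 bytes
    out_a, out_b = io.BytesIO(), io.BytesIO()                     # two outputs
    log = image(source, [out_a, out_b])
    return log, out_a.getvalue(), out_b.getvalue()


if __name__ == "__main__":
    log, img_a, img_b = run_demo()
    print(json.dumps(log, indent=2))
    print("outputs identical:", img_a == img_b, "hashes verify:", verify_image(img_a, log))
```

The zero-fill on a failed read is what keeps the image the same size as the drive, so that every later offset still maps to the same sector; the bad-sector list in the log is what lets an examiner tell a genuinely zeroed region from one the imager could not read.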
| 09/02/2016 |
DC3 AScan |
5.1 (Windows 10) |
DC3 |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| 09/02/2016 |
DC3 AScan |
5.1 |
DC3 |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| 09/02/2016 |
X-Ways Forensics |
18.7 (x64) |
X-Ways Software Technology AG |
X-Ways Forensics is an advanced work environment for computer forensic examiners. It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator. |
| 09/02/2016 |
Forensic Toolkit (FTK) Imager |
3.4.2.2 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 09/02/2016 |
Internet Evidence Finder (IEF) |
6.7.0.0450 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 09/02/2016 |
CD/DVD Inspector |
5.0.13 |
InfinaDyne |
CD/DVD Inspector analyzes CDs, DVDs, and Blu-ray (BD) discs to identify sessions and files, characterize the media, and produce reports of the results. It has been tailored for professionals in data recovery, forensics, and law enforcement. CD/DVD Inspector reads all major CD and DVD filesystem formats including ISO-9660, Joliet, UDF, HSG, HFS and HFS+. When the disc being examined contains more than a single filesystem, all filesystems found are displayed. |
| 08/31/2016 |
X-Ways Forensics |
15.6 SR-12 |
X-Ways Software Technology AG |
X-Ways Forensics is an advanced work environment for computer forensic examiners. It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator. |
| 08/31/2016 |
X-Ways Forensics |
16.3 |
X-Ways Software Technology AG |
X-Ways Forensics is an advanced work environment for computer forensic examiners. It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator. |
| 08/31/2016 |
WiebeTech USB WriteBlocker |
1 |
WiebeTech |
The USB WriteBlocker offers easy read-only access to suspect USB mass storage devices. It is compatible with single storage devices that expose multiple mountable volumes (multiple LUNs). WiebeTech's write-block technology is also compatible with forensic acquisition and analysis software. |
| 08/31/2016 |
X-Ways Forensics |
18.5 |
X-Ways Software Technology AG |
X-Ways Forensics is an advanced work environment for computer forensic examiners. It is based on the WinHex hex and disk editor and part of an efficient workflow model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator. |
| 08/31/2016 |
Xplorer360 (Beta) |
0.9 |
360GameSaves.com |
Xplorer360 is a Windows-based tool, developed by 360GameSaves.com, used to access the hard drives used within the Xbox 360 game console. Xplorer360 has the capability to view all partitions and file systems on the hard drive. Based on the customer's requirements, Xplorer360 will be evaluated on its ability to access the hard drive contents (file systems and partitions), export data from the hard drive to a local machine, and back up a drive image by creating a bitstream copy. |
| 08/31/2016 |
Wireshark (formerly Ethereal) |
1.0.4 |
Gerald Combs |
Wireshark is a packet analyzer. It can parse and display a variety of network protocols. Data can be analyzed in real time as it arrives over the network, or it can be analyzed from a previously recorded packet capture. Wireshark can also accept data captured by another machine and analyze it at the time of capture. Wireshark can use promiscuous mode on network interfaces that support it and monitor mode on wireless interfaces. A plugin system allows for the dissection of new protocols. |
| 08/31/2016 |
WinHex |
14.7 |
X-Ways Software Technology AG |
WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use, it inspects and edits all kinds of files, and recovers deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. |
| 08/31/2016 |
WinHex |
15.3 |
X-Ways Software Technology AG |
WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use, it inspects and edits all kinds of files, and recovers deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. |
| 08/31/2016 |
WinHex |
16.3 |
X-Ways Software Technology AG |
WinHex is at its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use, it inspects and edits all kinds of files, and recovers deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. |
| 08/31/2016 |
WinFE Boot Disk |
x86 & x64 |
Microsoft Corporation |
WinFE was developed by Troy Larson at Microsoft. The version used in this validation was put together on a USB thumb drive by the Federal Law Enforcement Training Centers (FLETC). WinFE is based on the Windows Preinstallation Environment (WinPE) with a small registry modification that prevents automatic mounting of any storage medium, including the source drive, and write-blocks any storage medium that is mounted (read-only by default). This creates a forensically sound environment for booting into and/or acquiring evidence from a Windows-based tablet. |
| 08/31/2016 |
Windows Mobile Forensics (WinMoFo) |
2.2.17736 |
DelMar IT LLC |
WinMoFo was developed by DelMar IT, LLC. WinMoFo advertises the ability to logically extract all digital evidence from a target device. This evidence includes, the device phone number, call history, SMS history, email, appointments, contacts, tasks, and files found on the file system. |
| 08/31/2016 |
Windows Journal Parser |
0.96 |
TZWorks LLC |
Journal Parser was developed by TZWorks LLC. It parses NTFS change journal files and outputs the results in XML, CSV and plain-text formats. |
| 08/31/2016 |
Win32dd/Win64dd |
1.3.1.20100417 |
Matthieu Suiche and MoonSols |
Win32dd/Win64dd was developed by Matthieu Suiche and MoonSols. Win32dd/Win64dd is a command line tool for 32-bit or 64-bit systems that lets the user acquire an image of the system's memory. Raw (dd-style) and crash dump formats are supported, and there are different methods for specifying which memory content is acquired, for example the full address space rather than only the memory manager's physical memory block. |
| 08/31/2016 |
Wi-Fi Investigator |
WFIH-01 |
Digital Certainty |
Wi-Fi Investigator was developed by Digital Certainty. The Digital Certainty Wi-Fi Investigator is a handheld tool which identifies the specific physical location of any type of device communicating with a Wi-Fi (802.11b/g) signal. |
| 08/31/2016 |
WriteBlocker |
RTX220-QJP |
WiebeTech |
Write-block support is provided by WiebeTech's proprietary write-block technology, which offers easy, read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB 2.0, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. Each bay offers independent dual FireWire 800 (400 compatible), single USB 2.0, and eSATA ports. |
| 08/31/2016 |
VSS Examiner EnScript |
1.3.0 |
Guidance Software |
VSS Examiner was developed by Guidance Software. It is an EnScript designed to locate files contained within volume shadow copies that do not exist elsewhere within a case. |
| 08/31/2016 |
VSS Examiner EnScript |
2.3.0 |
Guidance Software |
VSS Examiner was developed by Guidance Software. It is an EnScript designed to locate files contained within volume shadow copies that do not exist elsewhere within a case. |
| 08/31/2016 |
VMWare Disk Mount |
5.5 |
VMWare Inc. |
The tests and procedures contained herein apply to VMware Disk Mount, developed by VMware Inc. The Disk Mount utility allows an unused virtual disk to be mounted as a separate drive without connecting to the virtual disk from within a virtual machine. It can also mount specific volumes of a virtual disk if the disk is partitioned. |
| 08/31/2016 |
VistaStumbler |
2 |
Anonymous Source |
VistaStumbler was developed by people who choose to remain anonymous. The tool is a wireless network detection software application. It is available free-of-charge from www.suriv.be. VistaStumbler runs on the Windows Vista operating system. |
| 08/31/2016 |
VidReport |
1.2.14 |
Sanderson Forensics |
Sanderson Forensics developed VidReport v1.2.14 (VidReport, hereafter) as a forensic investigation tool for the processing and reporting of video files. VidReport has various features to include playing a video file, parsing a file and displaying just a selection of frames, creating a HTML report of the video files and eliminating similar frames based on a similarity trigger. |
| 08/31/2016 |
Virtual Forensic Computing (VFC) |
3.14.5.12 |
Michael A. Penhallurick |
VFC was developed by Michael A. Penhallurick. It can load raw disk image files, or disk images mounted with tools such as FTK Imager, as virtual machines in software such as VMware Player. |
| 08/31/2016 |
Virtual Forensic Computing (VFC) |
2.13.4.16 |
Michael A. Penhallurick |
VFC was developed by Michael A. Penhallurick. It can load raw disk image files, or disk images mounted with tools such as FTK Imager, as virtual machines in software such as VMware Player. |
| 08/31/2016 |
DC3 VCF to CSV |
1 20140521 |
DC3 |
VCF to CSV was developed by DCCI. It is a Perl script designed to extract data from VCF files and store specific fields into CSV files. |
| 08/31/2016 |
USBDeview |
2.35 |
NirSoft Freeware |
USBDeview is a small utility that lists all current and previously connected USB devices from a Windows machine. This information is extracted from either a live system or via an exported SYSTEM registry file. |
| 08/31/2016 |
UltraDock WriteBlocker |
4 |
WiebeTech |
The UltraDock was developed by WiebeTech. Write-block support is provided by WiebeTech's proprietary write-block technology, which offers easy read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB 2.0, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. |
| 08/31/2016 |
UltraDock WriteBlocker |
5 |
WiebeTech |
The UltraDock was developed by WiebeTech. Write-block support is provided by WiebeTech's proprietary write-block technology, which offers easy read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB 2.0, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. |
| 08/31/2016 |
ue2f |
1 |
Linux Open Source |
ue2f is an open source Linux command line tool that resides on the FBI CART Linux Boot CD version 5.3 (September 2009). It is used to recover erased (deleted) files from ext2 volumes. Recovered files are written from the source ext2 volume to a separate ext2, FAT32, or NTFS partition. |
| 08/31/2016 |
Triforce ANJP NTFS Journal Parser |
3.11.07 |
G-C Partners |
ANJP was developed by G-C Partners, LLC. ANJP reads NTFS MFT, Journal, and Log file information to detect when files were created, removed, or changed and if certain anti-forensic techniques were employed on a system to attempt to hide files. |
| 08/31/2016 |
Trident Pro |
6.11.35.1914 |
Wave Software |
Trident Pro was developed by Wave Software. Trident Pro uses dtSearch from dtSearch Corporation to provide email de-duplication (matching/exclusion) and file de-duplication (matching/exclusion). Trident Pro processes items in Microsoft PST and/or OST files and, with an additional module, Lotus Notes NSF files. |
| 08/31/2016 |
Total Outlook Converter Pro |
3.1.0 |
Softplicity Inc. |
Total Outlook Converter Pro was developed by Softplicity, Inc. (CoolUtils.com) and is a Windows software tool for managing emails. For PST and OST, it should read, filter, create reports, and export emails, in batch, to DOCX, PDF, HTML, XHTML, EML, TXT, TIFF, and JPG. |
| 08/31/2016 |
TimeMachine Diff.sh |
1.4.1 |
DC3/DCITA |
TimeMachineDiff.sh was developed by Jon Nelson of DCITA. Time Machine lets users automatically back up an entire system on Mac OS X v10.5 and later. Time Machine keeps an up-to-date copy of all files on the Mac, and users can go back in time and restore the Mac to how it looked in the past. TimeMachineDiff.sh is a Bash script that provides a quick way to determine the file differences between OS X Time Machine images. |
| 08/31/2016 |
Timeline EnScript |
1.7.4 |
Geoffrey Black |
Timeline EnScript v.1.7.4 gathers file information on all or selected files/folders and presents it in a timeline view. The user can select the timeframe to check and output either HTML or tab-delimited text format. The script checks Created, Modified, and Accessed times and puts files in order according to these fields. |
| 08/31/2016 |
DC3 TCDetect |
1.4 |
DC3 |
TCDetect was developed by the Defense Cyber Crime Institute. TCDetect recursively searches drives and directories for files that appear to be TrueCrypt container volumes. The tool also searches for TrueCrypt volumes that have been embedded in MP4, MOV, and 3GP videos using the TCSteg Python script. |
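Because a TrueCrypt container carries no signature (its header is indistinguishable from random data, and volumes are sized in whole 512-byte sectors), a detector has to work from file size and statistics rather than a magic number. The following added example shows such a heuristic scan; it is not TCDetect's code, and the minimum size, sample length, entropy cut-off and magic-number exclusion list are this example's assumptions. The three test files are constructed in a temporary directory.

```python
"""Added example, not TCDetect's own code: a heuristic scan for files that
look like TrueCrypt containers. Thresholds and the exclusion list are
assumptions for illustration."""
import hashlib
import math
import os
import tempfile
from collections import Counter

MIN_SIZE = 16 * 1024        # assumption: ignore tiny files
SAMPLE = 4096               # assumption: bytes examined at the start of the file
ENTROPY_MIN = 7.5           # assumption: bits per byte; random data approaches 8.0
# Compressed or encrypted formats that also look random but announce themselves.
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF", b"\x1f\x8b", b"7z\xbc\xaf\x27\x1c",
               b"Rar!", b"\x89PNG", b"\xff\xd8\xff", b"BZh", b"\xfd7zXZ\x00")


def shannon_entropy(data):
    """Bits of entropy per byte over `data`."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_truecrypt(path):
    """True when size, header and entropy all match an unlabelled encrypted volume."""
    size = os.path.getsize(path)
    if size < MIN_SIZE or size % 512:
        return False
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    if head.startswith(KNOWN_MAGIC):       # has a recognisable header: not a TC volume
        return False
    return shannon_entropy(head) >= ENTROPY_MIN


def scan(root):
    """Recursively yield candidate container paths under `root`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if looks_like_truecrypt(path):
                yield path


def pseudo_random(n):
    """Deterministic random-looking bytes (SHA-256 in counter mode) for the samples."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


def run_demo():
    """Build three constructed files and return the base names flagged by scan()."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        samples = {
            "sub/vacation.dat": pseudo_random(64 * 512),                  # unlabelled, random
            "notes.txt": (b"meeting notes " * 3000)[:64 * 512],           # low entropy
            "archive.zip": b"PK\x03\x04" + pseudo_random(64 * 512 - 4),   # random but labelled
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return sorted(os.path.basename(p) for p in scan(root))


if __name__ == "__main__":
    print(run_demo())
```

A hit from this kind of scan is a lead, not proof: any unlabelled encrypted or compressed blob with a sector-aligned size will trigger it, and a container embedded in an MP4/MOV/3GP video (the TCSteg case mentioned above) will not, because the file starts with a valid video header.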
| 08/31/2016 |
Tableau T8-R2 |
1 |
Tableau |
The T8-R2 was developed by Tableau. Write-block support is provided by Tableau's proprietary write-block technology, which offers easy read-only access to suspect USB devices through high-speed FireWire 800 (400 compatible) or USB 2.0 interfaces. Tableau's write-block technology is compatible with forensic acquisition and analysis software. |
| 08/31/2016 |
Tableau USB WriteBlocker |
T8 |
Tableau |
The USB WriteBlocker offers easy read-only access to suspect USB mass storage devices. It is compatible with single storage devices that expose multiple mountable volumes (multiple LUNs). Tableau's write-block technology is compatible with forensic acquisition and analysis software. |
| 08/31/2016 |
STRIKE |
1.6 |
IDEAL Corp. |
STRIKE was developed by IDEAL Corp. STRIKE provides operators with a portable, automated system, to quickly extract data and analyze information, in-field in real-time, from captured digital devices and media. Types of media and devices that can be analyzed include USB flash drives, multimedia cards, SIM cards, cell phones, PDAs, CDs/DVDs, hard drives and live computers. |
| 08/31/2016 |
StegAlyzerRTS |
3.1 |
Backbone Security |
StegRTS was developed by Backbone Security. StegRTS is capable of capturing and scanning network traffic in real-time for the presence of steganography applications and their signatures. |
| 08/31/2016 |
SQLiteman |
1.2.1 |
Peter Vanek |
Sqliteman was developed by Peter Vanek. Sqliteman is a software tool with a graphical user interface that creates databases using SQLite 3. Sqliteman can also open previously created databases, tune SQL statements, manage tables, views and triggers, administer database space, and maintain index statistics. |
| 08/31/2016 |
SQLite Database Browser |
1.3 |
Mauricio Piacentini |
SQLite Database Browser (SQLite DB) is a freeware, public domain, open source visual tool used to create, design, and edit database files compatible with SQLite. SQLite DB is intended for users and developers who want to create databases and edit and search data using a familiar spreadsheet-like interface without needing to learn SQL. Based on the customer's requirements, SQLite DB will be evaluated on its ability to export data from a SQLite database file into a separate comma-separated values (CSV) file that can be opened in Microsoft Excel. The testing procedure will be performed on the following two versions of Mac OS X: OS X v10.4.4 (Tiger) and OS X v10.5.5 (Leopard). |
| 08/31/2016 |
Image MASSter Solo-4 |
4.12.44.0 |
Intelligent Computer Solutions (ICS) |
Image MASSter Solo is a versatile, lightweight, portable, high-speed acquisition device. Using its on-the-fly hashing capability, the transferred data can be verified as an exact replica of the suspect's data without modification, rearrangement or corruption. It provides native interface support for SAS, SATA and external USB drives, in addition to PATA, including ATA-compatible solid state and flash devices. |
| 08/31/2016 |
SnapView |
2.1.02 |
Digital Detective |
Digital Detective has developed SnapView as a means of viewing and navigating through web pages and web page fragments on a file system. |
| 08/31/2016 |
SMT ArchivER |
3.0.3.6 |
System Management Technologies Inc. |
SMT ArchivER v.3.0.3.6 for Outlook 2003 is a plug-in for Microsoft Outlook that allows the user to archive items in a PST or OST file to another format such as RTF, TXT, HTML, or MSG. It can also remove attachments and embedded objects. |
| 08/31/2016 |
The Sleuth Kit (TSK) |
3.0.0 |
Brian Carrier |
The Sleuth Kit (TSK) is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. TSK enables investigators to identify and recover evidence from images acquired during incident response or from live systems. |
| 08/31/2016 |
Skype Log View |
1.36 |
Nir Sofer |
SkypeLogView is a tool used to read Skype user profiles and report on activity such as calls, chats, file transfers, and SMS messages. SkypeLogView is also able to export the information to an HTML file. |
| 08/31/2016 |
Skype Log Parser |
1.7 |
RedWolf Computer Forensics |
Skype Log Parser was developed by RedWolf Computer Forensics. Skype Log Parser is a tool used to read Skype user profiles and generate reports about them. The reports include information about the profile, a list of contacts, chat records, file transfers, SMS messages, and voicemails. |
| 08/31/2016 |
DC3 Shadow Volume Link Manager |
1 |
DC3 |
Shadow Volume Link Manager is a software tool for finding and making available the data maintained by the Microsoft Volume Shadow Copy Service on Windows Vista and Windows 7. Shadow volumes are an ideal location to hide data, and ordinarily they are not directly accessible. Shadow Volume Link Manager creates symbolic links to shadow volumes so that the data within them can be accessed, automating the linking process. |
| 08/31/2016 |
Shadow Scanner 64-bit |
1.0.3 |
EKL Software |
Shadow Scanner was developed by EKL Software. Shadow Scanner is a tool used to quickly identify changed or deleted files that are present in a partition's shadow volumes relative to the current state of the partition. This reduces the number of files that need to be analyzed and points the examiner toward files that were intentionally changed or deleted. Shadow Scanner is also capable of exporting any of the files found to be changed or deleted. |
| 08/31/2016 |
DC3 Shadow Miner |
1 |
DC3 |
Shadow Miner was developed by DC3/DCCI. It is a special-purpose tool intended to help forensic examiners access the data maintained within a Microsoft Windows Vista shadow volume. This is accomplished by creating a virtual machine from the dd image of an evidence drive using Live View and VMware Workstation. Once the VM is created, Shadow Miner can be run from the CD/DVD drive within the VM to identify the shadow volumes. |
| 08/31/2016 |
Safe Boot Disk |
1 |
ForensicSoft |
Safe Boot Disk was developed by ForensicSoft, Inc. It is a boot disk (CD or USB) which, together with a USB dongle, boots a computer into a forensically sound (write-blocked) version of Windows that serves as a platform for all popular Windows forensic tools. |
| 08/31/2016 |
Safe Block |
1 |
ForensicSoft |
SAFE Block was developed by ForensicSoft, Inc. SAFE Block is a software-based write blocker that facilitates the quick and safe acquisition and/or analysis of any disk or flash storage media attached directly to a Windows workstation. The vendor describes it as proven safe. |
| 08/31/2016 |
Retrospective |
1.2b3 |
Joakim Nygard |
Retrospective is an OS X based tool used to search through the web cache created by the Safari web browser. Based on the customer's requirements, Retrospective will be tested on its ability to process the Internet cache, display the URL list found therein, and print the URL list to a PDF. |
| 08/31/2016 |
RemoteDll |
1.3 |
Talekar Nagareshwar |
RemoteDll v1.3 (hereinafter referred to as RemoteDll) is a Windows application developed by Talekar Nagareshwar. RemoteDll allows a user to inject DLLs into, or remove DLLs from, running processes. RemoteDll uses the CreateRemoteThread API to invoke LoadLibrary or FreeLibrary in the target process. Many spyware programs use this technique to hide their presence, injecting themselves into legitimate Windows processes and operating from there so that normal users will not suspect them. RemoteDll lets the user remove such DLLs from the process and then delete them from the system completely. RemoteDll runs on Windows NT/2000/XP. |
| 08/31/2016 |
RegShot |
1.8.2 |
TiANWEi, tulipfan, and Belogorokhov Youri |
RegShot is a small, free, and open-source utility which allows the user to quickly take and compare registry snapshots. The change report can be produced in text or HTML format, and contains a list of all modifications that have taken place between 2 snapshots. In addition, the user can also specify folders (with sub folders) to be scanned for changes. |
| 08/31/2016 |
Registry Viewer (RV) |
1.5.4.44 |
AccessData |
Registry Viewer was developed by AccessData. Registry Viewer allows the user to view and analyze the contents of the registry entries on Microsoft Windows operating systems. In addition, it allows the user to create a report containing information related to the different registry keys. |
| 08/31/2016 |
Registry Viewer (RV) |
1.6.3 |
AccessData |
Registry Viewer was developed by AccessData. Registry Viewer allows the user to view and analyze the contents of the registry entries on Microsoft Windows operating systems. In addition, it allows the user to create a report containing information related to the different registry keys. |
| 08/31/2016 |
Registry Viewer (RV) |
1.6.3.34 |
AccessData |
Registry Viewer was developed by AccessData. Registry Viewer allows the user to view and analyze the contents of the registry entries on Microsoft Windows operating systems. In addition, it allows the user to create a report containing information related to the different registry keys. |
| 08/31/2016 |
Registry Viewer (RV) |
1.7.4.2 |
AccessData |
Registry Viewer was developed by AccessData. Registry Viewer allows the user to view and analyze the contents of the registry entries on Microsoft Windows operating systems. In addition, it allows the user to create a report containing information related to the different registry keys. |
| 08/31/2016 |
Registry Ripper |
2.02 |
Harlan Carvey |
Registry Ripper was developed by Harlan Carvey. Registry Ripper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT family of operating systems. Registry Ripper displays the extracted information in a text file for easy viewing. |
| 08/31/2016 |
Registry Browser |
3.1.1 |
Lock and Code |
Registry Browser was developed by Lock and Code. It is a tool capable of searching Windows registry information from a copy of a computers Windows folder. |
| 08/31/2016 |
RegDatXP |
1.41 |
Henry Ulbrich |
RegDatXP, a program developed by Henry Ulbrich, is designed to maintain the Windows registries of desktop and remote networked computers. RegDatXP lets the user search for keys and values and export them. It also provides functions to compare a registry file with the current registry, tools to edit the file, and a viewer for Windows operating system registry entries. |
| 08/31/2016 |
RegDat |
1.3 |
Henry Ulbrich |
RegDat, a program developed by Henry Ulbrich, displays the contents of copies of the Win9x/Me Registry files from desktops and remote networked computers. Users can search for keys and values and export them. Functions to compare the registry file with the current registry are provided as well as tools to edit registry files. |
| 08/31/2016 |
rEFIt |
0.10 |
Christoph Pfisterer |
rEFIt version 0.10 is software designed to run from a bootable compact disc and gives the user access to information in the firmware (EFI) of an Intel-based Macintosh. |
| 08/31/2016 |
Redax |
4.5.3 |
Appligent |
Appligent's Redax 4.5.3 is a plug-in for Adobe Acrobat versions 6, 7 and 8. It allows redaction of text, images and line art using a number of markup methods, which include manual drawing of boxes, word lists, pattern matching, templates, or full-page redaction. It also automatically removes metadata from documents upon redaction. |
| 08/31/2016 |
Recovery for Outlook |
3.2 |
Recoveronix Ltd. |
Recovery for Outlook was developed by Recoveronix Ltd. This tool is used to recover and/or extract information from Outlook file types (OST or PST); more specifically, it is used to convert an OST file into a PST file. It should be noted that this validation did not test the tool's ability to actually recover OST files, only its ability to convert OST to PST. |
| 08/31/2016 |
DC3 REcat |
1.0.6 |
DC3 |
REcat is a command line tool for manipulating network sockets. It was developed as a replacement for the netcat socket utility currently being used in Intrusions and Information Assurance (I2A). Netcat is used to send data over TCP or UDP connections. Netcat also has additional utility that is not of immediate interest to I2A, and therefore was not included in the current release of REcat. REcat was designed to provide the same basic transmission functionality, while facilitating reverse engineering tasks. |
| 08/31/2016 |
PST Viewer Pro |
7.5.46 |
Encryptomatic LLC |
Open and view (not export) Outlook PST files without needing Outlook. |
| 08/31/2016 |
ProxyStrike |
2.2 |
Edge-Security |
ProxyStrike was developed by Edge-Security. ProxyStrike is an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. |
| 08/31/2016 |
ProDiscover IR (VSC Capability) |
7.1.0.3 |
Technology Pathways LLC |
ProDiscover was developed by Technology Pathways, LLC. ProDiscover is a tool used for analyzing digital evidence such as image files and physical disks. For this validation, the focus will be on evidence that contains one or more shadow volumes. ProDiscover advertises the ability to detect and image shadow volumes and the ability to export files, hash files, and compare the contents of shadow volumes. |
| 08/31/2016 |
ProDiscover IR (VSC Capability) |
7.0.0.8 |
Technology Pathways LLC |
ProDiscover was developed by Technology Pathways, LLC. ProDiscover is a tool used for analyzing digital evidence such as image files and physical disks. For this validation, the focus will be on evidence that contains one or more shadow volumes. ProDiscover advertises the ability to detect and image shadow volumes and the ability to export files, hash files, and compare the contents of shadow volumes. |
| 08/31/2016 |
Prefetch Analyzer |
0.92 |
TZWorks LLC |
Prefetch Analyzer was developed by TZWorks LLC. Prefetch Analyzer is a command-line Windows prefetch parser. Originally inspired by the chapter on prefetch analysis, and the sample Perl script, in Harlan Carvey's book Windows Forensic Analysis, Prefetch Analyzer was another tool created for eventual inclusion in a computer forensic toolkit. |
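What a prefetch parser actually extracts (executable name, prefetch hash, run count, last-run time and the files the loader touched) is shown in the following added example, which reads the uncompressed .pf layout of format versions 17 (XP/2003) and 23 (Vista/7). It is not the TZWorks parser; the field offsets are the published on-disk layout, the sample file is constructed by build_sample(), and the hash value and timestamp in it are made up.

```python
"""Added example, not TZWorks code: parser for uncompressed Windows prefetch
files, versions 17 and 23. Windows 8 (v26) keeps eight run times and
Windows 10 (v30) wraps the file in MAM compression; neither is handled."""
import struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}   # (last-run FILETIME, run count) offsets
HEADER_LEN = {17: 0x98, 23: 0xF0}               # where the variable-length sections start
FILENAMES_OFFSET = 0x64                          # uint32 offset + uint32 size, both versions


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to a naive UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return the key artifacts of one .pf file as a dict."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature (compressed Win10 file or not a .pf)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    exe = data[0x10:0x10 + 60].decode("utf-16le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    str_off, str_size = struct.unpack_from("<II", data, FILENAMES_OFFSET)
    names = data[str_off:str_off + str_size].decode("utf-16le").split("\x00")
    lr_off, rc_off = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, lr_off)[0]
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    return {
        "version": version,
        "executable": exe,
        "prefetch_hash": f"{pf_hash:08X}",
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run),
        "files": [n for n in names if n],
    }


def build_sample(version=23):
    """Constructed .pf file: CALC.EXE, run 5 times, last run 2016-08-31 12:00 UTC."""
    head = HEADER_LEN[version]
    files = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CALC.EXE"]
    strings = ("\x00".join(files) + "\x00").encode("utf-16le")
    buf = bytearray(head + len(strings))
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F000000, len(buf))
    buf[0x10:0x10 + 60] = "CALC.EXE".encode("utf-16le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x7EFD3A9B)          # made-up prefetch hash
    struct.pack_into("<II", buf, FILENAMES_OFFSET, head, len(strings))
    lr_off, rc_off = LAYOUT[version]
    struct.pack_into("<Q", buf, lr_off, datetime_to_filetime(datetime(2016, 8, 31, 12)))
    struct.pack_into("<I", buf, rc_off, 5)
    buf[head:] = strings
    return bytes(buf)


if __name__ == "__main__":
    for v in (17, 23):
        print(parse_prefetch(build_sample(v)))
```

The version check matters in practice: reading a version 23 file with the version 17 offsets silently yields a wrong run count and a last-run time that looks plausible, which is exactly the kind of error a validation like the one catalogued here is meant to catch.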
| 08/31/2016 |
Property List Editor (PLE) |
2.2 |
Apple Inc. |
PLE is an OS X based tool bundled with the Apple Developer Tools. PLE is used to view and edit plist files, the system files within the OS X operating system used to organize data. Based on the customer's requirements, this tool will be evaluated on its ability to let the user view the contents of a plist file and copy data out of the plist file and paste it into a different file. The testing procedure will be performed on the following two versions of Mac OS X: OS X v10.4.4 (Tiger) and OS X v10.5.5 (Leopard). |
| 08/31/2016 |
PDFTK |
1.44 |
PDFLabs |
pdftk was developed by Sid Seward at PDFLabs. It is used to manipulate PDF files without requiring Adobe Acrobat. |
| 08/31/2016 |
PDF-Parser.py |
0.3.7 |
Didier Stevens |
pdf-parser was developed by Didier Stevens. |
| 08/31/2016 |
DC3 PDFinder |
1 |
DC3 |
PDFinder is designed to read and display information about artifacts contained in Adobe PDF files. The tool scans a given file or directory and identifies PDFs. It then scans the individual PDF files and outputs a report based on the metadata of any artifacts it finds. |
| 08/31/2016 |
PDFID.py |
0.11 |
Didier Stevens |
pdfid was developed by Didier Stevens. |
| 08/31/2016 |
DC3 PCAPFAST |
2.0.771 |
DC3 |
PCAPFAST is designed to process data contained in packet capture (PCAP) files conforming to the libpcap format. The tool provides examiners and analysts with reports of, and capability to, query the network traffic captured. This capability is provided through three distinct tools. PCAPIndex processes the PCAP file and extracts all data into a SQLite database. PCAPReport produces standard reports from the SQLite database detailing the sessions and associated data found within the network stream. PCAPExtract provides for custom queries against the SQLite database to perform more refined analysis of data within the network stream. PCAPFAST 2.0 will only process IPv4 packets. |
| 08/31/2016 |
Password Recovery Toolkit (PRTK) |
6.4 |
AccessData |
PRTK was developed by AccessData. PRTK is a password recovery program for standalone computer operations. It is a tool for extracting the contents of forensic examination case files with unknown passwords. |
| 08/31/2016 |
Password Recovery Toolkit (PRTK) |
6.3.3 |
AccessData |
PRTK was developed by AccessData. PRTK is a password recovery program for standalone computer operations. It is a tool for extracting the contents of forensic examination case files with unknown passwords. |
| 08/31/2016 |
Pandora |
2.4.0 |
Carnegie Mellon University |
Pandora 2.4.0 is a Windows based digital forensic analysis tool developed by Carnegie Mellon University. Pandora will unpack many packed files automatically with no intervention from the user. Some of the more complicated packing tools require user input in interactive mode. |
| 08/31/2016 |
DC3 P2P Scan (AScan 3.0) |
1 |
DC3 |
AScan3.0 was developed by a contractor at the Defense Cyber Crime Center (DC3)/Defense Cyber Crime Institute (DCCI). AScan3.0 is a command-line function used in the Windows environment to extract information from the files and data structures of LimeWire/BearShare/Ares Galaxy, which are artifacts of those products. The function of AScan3.0 is to collect and organize the information into an HTML document that presents the artifact information in an easy-to-read format. |
| 08/31/2016 |
P2P Marshal |
4.0.0 |
Architecture Technology Corporation |
P2P Marshal analyzes peer-to-peer (P2P) usage on disk images (Forensic Edition) and live systems (Field Edition). It detects what P2P client programs are, or were, present, extracts configuration and log information, and shows the shared (uploaded) and downloaded files. |
| 08/31/2016 |
OSF Mount |
1.5 |
PassMark Software |
OSF Mount was developed by PassMark Software. It is a Windows tool designed to mount image files as volumes within Windows. |
| 08/31/2016 |
OmniOutliner |
3.7.2 |
Omni Group |
OmniOutliner is an OS X based tool used to create, view, and edit documents. Based on the customer's requirements, this tool will be tested on its ability to open plist files and export their data in text format. The testing procedure will be performed on the following two versions of the Mac OS X operating system: OS X v10.4.4 (Tiger) and OS X v10.5.5 (Leopard). Plist files are system files used within the OS X operating system to organize data. |
| 08/31/2016 |
OffVis |
1.1.0.0 |
Microsoft Corporation |
OffVis was developed by Microsoft Corporation. OffVis is an Office binary file format visualization tool. It was released to help IT pros, security researchers, and malware protection vendors better understand the binary file formats to deconstruct attacks and understand the vulnerabilities Microsoft fixes for protection purposes. OffVis has a GUI to generically browse around and show the bytes on disk (left half of screen) with the hierarchical view of the file as Office parses it (right half of screen). It can also generically detect a handful of publicly-exploited vulnerabilities as it reads the file. |
| 08/31/2016 |
OfficeMalScanner |
0.5 |
Frank Boldewin |
OfficeMalScanner was developed by Frank Boldewin. OfficeMalScanner v0.5 is an MS Office forensic tool which scans for malicious traces, shellcode heuristics, PE files, or embedded OLE streams. Found files are extracted to disk. The tool supports disassembly and hex view, as well as an easy brute-force mode to detect encrypted files. In addition, an Office file is scanned for VB macro code which, if found, is extracted for further analysis. The inflate feature extracts MS Office 2007 documents into a directory and marks potentially malicious files. |
| 08/31/2016 |
Network Miner |
1 |
Erik Hjelmvik |
Network Miner is a Network Forensic Analysis Tool (NFAT) for Windows which can detect the OS, hostname, and open ports of network hosts through packet sniffing or by parsing a PCAP file. It can also extract transmitted files from network traffic. |
| 08/31/2016 |
NetWitness Investigator |
8.0.3.1 |
NetWitness |
NetWitness Investigator v8.0.3.1 (hereinafter, NetWitness) is a Windows-based software application that provides free-form contextual analysis of terabytes of raw data captured and reconstructed by the NetWitness NextGen infrastructure. NetWitness can be used to locally process packet files and collect live data from a network tap or port providing details as to the nature of the network traffic. |
| 08/31/2016 |
NetClean Analyze DI |
12.3.1 |
NetClean |
NetClean Analyze DI was developed by NetClean. The tool is specially designed for law enforcement agencies working in digital media investigations related to crimes against children. The software aims to improve the quality of work and to minimize workload by enabling the categorization and identification of images and videos of child exploitation. |
| 08/31/2016 |
NetAnalysis with HstEx |
1.36 |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor (HstEx); this feature allows the user to identify evidence quickly and easily. |
| 08/30/2016 |
NetAnalysis with HstEx |
1.37.0030 |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor (HstEx); this feature allows the user to identify evidence quickly and easily. |
| 08/30/2016 |
NetAnalysis with HstEx |
1.37 |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor (HstEx); this feature allows the user to identify evidence quickly and easily. |
| 08/30/2016 |
NetAnalysis with HstEx |
1.37g |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor (HstEx); this feature allows the user to identify evidence quickly and easily. |
| 08/30/2016 |
NetAnalysis with HstEx 3.6 |
1.52 |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor (HstEx); this feature allows the user to identify evidence quickly and easily. |
| 08/30/2016 |
NetAnalysis with HstEx 3.7 |
1.53 |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor (HstEx); this feature allows the user to identify evidence quickly and easily. |
| 08/30/2016 |
NetAnalysis with HstEx 3.8 |
1.54 |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor (HstEx); this feature allows the user to identify evidence quickly and easily. |
| 08/30/2016 |
NetAnalysis with HstEx 3.10 |
1.56 |
Digital Detective |
NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor (HstEx); this feature allows the user to identify evidence quickly and easily. |
| 08/30/2016 |
Mount Image Pro (MIP) |
6.13.1626 |
GetData |
Mount Image Pro is developed and marketed by GetData Forensics. MIP is used to mount image files of the following formats: AccessData .AD1; Apple DMG; EnCase .E01, .Ex01, .L01, .Lx01; Advanced Forensic File Format .AFF; ISO (CD and DVD images); Microsoft VHD; NUIX MFS01; ProDiscover; SMART; Unix/Linux DD and RAW images; VMware; X-Ways Container File. For the purpose of this validation, only the image file formats .e01 and raw (.dd) will be utilized. |
| 08/30/2016 |
Mount Image Pro (MIP) |
2.6 |
GetData |
Mount Image Pro is developed and marketed by GetData Forensics. MIP is used to mount image files of the following formats: AccessData .AD1; Apple DMG; EnCase .E01, .Ex01, .L01, .Lx01; Advanced Forensic File Format .AFF; ISO (CD and DVD images); Microsoft VHD; NUIX MFS01; ProDiscover; SMART; Unix/Linux DD and RAW images; VMware; X-Ways Container File. For the purpose of this validation, only the image file formats .e01 and raw (.dd) will be utilized. |
| 08/30/2016 |
MiTec EXE Explorer |
1.3.0.0 |
Michael Mutl |
EXE Explorer was developed by Michal Mutl. EXE Explorer is a tool used to parse executable files and report a variety of information about them, such as sections, strings, header data, exports, imports, resources, and a hex view of the contents. |
| 08/30/2016 |
Mount Image Pro (MIP) |
2.44 |
GetData |
Mount Image Pro is developed and marketed by GetData Forensics. MIP is used to mount image files of the following formats: AccessData .AD1; Apple DMG; EnCase .E01, .Ex01, .L01, .Lx01; Advanced Forensic File Format .AFF; ISO (CD and DVD images); Microsoft VHD; NUIX MFS01; ProDiscover; SMART; Unix/Linux DD and RAW images; VMware; X-Ways Container File. For the purpose of this validation, only the image file formats .e01 and raw (.dd) will be utilized. |
| 08/30/2016 |
MFT Reader |
1.0.0.1 |
4&6 Tech |
MFT Reader was developed by 4&6 Tech. |
| 08/30/2016 |
Multi-File List Importer (MFL) |
11.8.31 |
DC3/DCFL |
MFL Importer was developed by DC3. MFL Importer is a MS Access database with code that creates separate file lists from a large number of media items in one instance. It dynamically creates one or more MS Access tables (file lists) at one time, depending on how many evidence media items are home-plated or blue-checked in EnCase. It does not interpret, parse, or decipher data from the file list. |
| 08/30/2016 |
Metadata Assistant |
2.12.214 |
Payne Consulting |
Metadata Assistant was developed by the Payne Consulting Group Inc. The tool is designed to identify, or clean, metadata on Microsoft utilities such as Word, Excel, and PowerPoint, as well as Adobe PDF documents. Metadata is information that might not be visible to a computer user and may include information such as user name, computer name, company name, or document properties. |
| 08/30/2016 |
Memoryze |
1.4 |
Mandiant Corporation |
Memoryze was developed by Mandiant Corporation. Memoryze is a computer forensics memory acquisition program designed to operate on Microsoft Windows platforms. It collects memory information in two modes of operation: either it collects information about programs and processes and the resources they use while the system is running (this information is saved in an IMG file on the local disk), or it extracts memory artifacts from memory dump files created by other memory acquisition tools and from previous executions of Memoryze. |
| 08/30/2016 |
MD5Summer |
1.2.0.11 |
Luke Pascoe |
Md5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums. Its output file is compatible with the output of the Linux GNU MD5Sum and it will also read Linux generated files. It is released under the General Public License. Md5summer is written in Borland Delphi 7. Evaluation is needed to ensure that this software can function on the Macintosh hardware platform without altering the media used in the testing procedure. |
| 08/30/2016 |
MD5Sum |
2 |
Ulrich Drepper |
MD5Sum was developed by Ulrich Drepper. MD5Sum is a standalone command-line utility that uses the well-known MD5 hash algorithm to generate MD5 hash values of data files and to check MD5 hash values of data files that have known MD5 hash values. |
| 08/30/2016 |
MD5Deep / HashDeep |
3.7 |
Jesse Kornblum |
MD5Deep was developed by Jesse Kornblum. MD5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. MD5deep, through its hashdeep component, is able to match and audit hash sets. Traditional matching programs report only whether an input file matched one in a set of knowns or did not match, so it is hard to get a complete sense of the state of the input files compared to the set of knowns. It is possible to have matched files, missing files, files that have moved within the set, and new files not in the set. Hashdeep can report all of these conditions. The tool can even spot hash collisions, where an input file matches a known file in one hash algorithm but not in others. The results are displayed in an audit report. |
| 08/29/2016 |
MD5Deep |
3.1 |
Jesse Kornblum |
Md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. Developed by Jesse Kornblum, Md5deep is able to recursively examine an entire directory tree, that is, compute the MD5 for every file in a directory and for every file in every subdirectory. Md5deep can accept a list of known hashes and compare them to a set of input files. The program can display either those input files that match the list of known hashes or those that do not match. Evaluation is needed to ensure that this software can function on the Macintosh hardware platform without altering the media used in the testing procedure. |
| 08/29/2016 |
MD5 Compare |
1 |
JADSoftware |
MD5 Compare was developed by JADsoftware. MD5 Compare is a tool which can be used to compare MD5 hash values of files. This is useful in a scenario where a user has obtained hash values of files from a particular system and wishes to compare them against some known set of hash values of interest. MD5 Compare requires text files containing hash values as input, one hash value per line. The interface of the tool has labeled sections indicating which files will be searched and which files they will be compared against. MD5 Compare generates output files containing all of the matches, if any were found. |
| 08/29/2016 |
MD5 |
2.6 |
Gnu General Public License |
MD5 is a Macintosh utility that creates and compares MD5 checksums. It can compare files as well as a file with a checksum-string. Evaluation is needed to ensure that this software can function on the Macintosh platform without altering the media used in the testing procedure. |
| 08/29/2016 |
DC3 MC&S IPP Automation EnScript |
76 |
DC3 |
IPP EnScript was developed by the Defense Cyber Crime Institute (DCCI). This tool was written to automate and standardize the initial procedures and protocols that are conducted at the beginning of each MC&S case. |
| 08/29/2016 |
Mac Forensics Lab |
2.5 |
Subrosasoft |
MFL is a complete suite of forensics and analysis tools in one cohesive package, combining the power of many individual functions into one application to provide a single solution for law enforcement professionals. MFL is the first software suite specifically for the Apple Mac range of personal computers. |
| 08/29/2016 |
Mac OS X EnScripts |
1 |
Guidance Software |
Guidance Software's EnCase Forensic has a community of EnScript developers who have developed various extensions (EnScripts) to the EnCase application. The specific EnScripts tested in this validation are HFS Journal Parser developed by Teru Yamazaki, Mac OS X Binary Cookie File Parser developed by Simon Key, and Mac OS X Log Entry Finder developed by Simon Key. HFS Journal Parser finds and parses Catalog file records in the HFS+/HFSX .journal file. Mac OS X Binary Cookie File Parser parses user-specified Mac OS X binary cookie files. Mac OS X Log Entry Finder searches user-specified Mac OS X plaintext log files for log entries containing one or more keywords. Bzip2 and Gzip archives of each log file are expanded and searched automatically. All three EnScripts output results to the Bookmarks view in EnCase and also generate either .csv or tab-delimited output files. |
| 08/29/2016 |
Mac Marshal Field Edition |
3 |
Architecture Technology Corporation |
Mac Marshal was developed by Architecture Technology Corporation. Mac Marshal is a tool used to aid in the automated analysis of disk images from Apple Mac hardware. Mac OS X and common applications on the Mac platform provide an abundance of information about the user's activities in configuration files, caches, and logs. Mac Marshal automatically determines what operating system(s) are installed on the disk image, either as dual-boot setups or virtual machines, and analyzes OS X forensically-relevant data. The Field Edition includes all of the functionality of the Forensic Edition, but in addition, it can run live from a USB drive directly on the machine under investigation and capture live state information about the target. |
| 08/29/2016 |
Logorrhea |
1.3.1 |
Spiny Software |
Logorrhea was developed by Spiny Software as an OS X-based tool used to organize, browse and search logs created by the OS X-based iChat application. iChat is an instant messenger application, similar to AIM, used to communicate with other users via the Internet. Logorrhea extracts the contents of the logs and displays them in a user-friendly interface for analysis. |
| 08/29/2016 |
Log2Timeline |
1.1.0 |
Kristinn Gudjonsson |
Log2Timeline was developed by The Plaso Project (kiddaland). Log2timeline is a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on a suspects system (and supporting systems, such as network equipment) and produce a timeline that can be analyzed by forensic investigators. |
| 08/29/2016 |
Live View |
0.6 |
CERT Software Engineering Institute |
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a physical disk, a single raw disk image, or a series of split disk images. This allows the forensic examiner to boot up the image or disk and gain an interactive, user-level perspective of the environment without modifying the underlying image or disk. |
| 08/29/2016 |
Keith's iPod Photo Reader (KIPR) |
2 |
Keith Wiley |
KIPR is an OS X based tool that provides access to the .ithmb photo library. The .ithmb files store copies of the full-size images that are displayed directly on the iPod, because the full-size images would not display correctly on the iPod. These files are found in the /Photos/Thumbs directory of an iPod Photo that has been synced to contain a photo library. Based on the requirements of the customer, this tool will be evaluated on the following two versions of the Mac operating system: OS X v10.5.5 (Leopard) and OS X v10.4.4 (Tiger). |
| 08/29/2016 |
JPCAP |
0.01.17 |
Patrick Charles |
JPCAP was developed by Patrick Charles. JPCAP is a tool designed to passively monitor and capture network activity. The tool can be used in live network captures or pre-captured environments (in pcap format). JPCAP provides visual data, as well as textual information, for packets captured. |
| 08/29/2016 |
ISO Buster |
2.4 |
ISO Buster |
ISO Buster v2.4 is a CD/DVD data recovery tool. It can read CD and DVD images created in different formats (ISO, NRG, etc.) by various commercial applications. ISO Buster v2.4 can create special image files (.IBP, .IBQ) which can be used to speed up the data recovery process without having to go back to the original disc. It can also read and recognize different file systems such as ISO 9660, Joliet and UDF. |
| 08/29/2016 |
iPod Slurp |
1.5 |
DC3/DCITA |
iPod Slurp is used to copy certain file types from a target machine to a USB drive. |
| 08/29/2016 |
DC3 iPhone Analyzer |
1 |
DC3 |
DC3 iPhone Analyzer extracts all forensically relevant data from a physical image (or iTunes backup) of an iPhone, iPod Touch, or iPad. Extracted data includes, but is not limited to: call logs, contacts, text messages, emails, pictures, keyboard logs, and position data. |
| 08/29/2016 |
Internet Evidence Finder (IEF) |
5.8.00777 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to, emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 08/29/2016 |
Internet Evidence Finder (IEF) |
6.2.1 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to, emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 08/29/2016 |
Intel Xeon CPU X5472 at 3GHz |
1 |
Apple Inc. |
Mac Pro (Early 2008) is a dual quad-core Intel Xeon 3.00 GHz 64-bit CPU system that runs on an X5472 chipset. It contains 4.00 GB of 800 MHz DDR2 memory. Externally, the system has five USB 2 ports, two FireWire 400 Mb/s ports, two FireWire 800 Mb/s ports and two DVI ports. Internally, the system has four SATA ports, one PCI2-extended port for the video card, one PCI2 port and two PCI1 ports. |
| 08/29/2016 |
DC3 IMLook |
2.1 20110907 |
DC3 |
IMLook was developed by the Defense Cyber Crime Institute (DCCI). IMLook is a tool used to decrypt and display Yahoo! Messenger chat logs. |
| 08/29/2016 |
Image MASSter Solo-4 |
1 |
Intelligent Computer Solutions (ICS) |
Image MASSter Solo is a versatile, lightweight, portable, high-speed acquisition device. Using its on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact replica of the suspect's data without modification, rearrangement, or corruption. It provides native interface support for SAS, SATA, and external USB drives, in addition to supporting PATA, including ATA-compatible solid state and flash devices. |
| 08/29/2016 |
ILook Prefetch Parser |
1 |
Perlustro Inc. |
The prefetch folder contains .pf files, which contain records of executables that have been run on the Windows system. IPP was developed to parse the prefetch folder within the ILook forensic suite. The function of this script is to parse all entries in the prefetch folder within the Windows file system. After the folder is parsed, the data within each .pf file is output in a tab-delimited plain text format. The data output from each .pf file includes file name, MAC times, times executed, and MD5 hash value. |
| 08/29/2016 |
ILook |
8.0.19 |
Internal Revenue Service (IRS) Criminal Investigation Division, Electronic Crimes Program |
ILook 8.0.19 is a Windows based digital forensic analysis tool developed by the Internal Revenue Service (IRS) Criminal Investigation Division Electronic Crimes Program (CI). IRS and Perlustro, LP have combined efforts to further develop ILook as an electronic investigative tool. ILook has many features, including the ability to analyze multiple platforms, view various file formats, acquire images, hash images, and parse emails and attachments. ILook is capable of analyzing various file formats. |
| 08/29/2016 |
DC3 IISP Heuristics VM |
1 |
DC3 |
The Heuristics VM is a Windows-based virtual machine developed by DCCI. This VM is loaded onto the examiner machine with ten anti-virus applications installed. The function of this VM is to run the anti-virus applications against a piece of media with suspected malware. The applications are executed within the virtual environment via the command line as one function (Gargoyle Anti-Virus was not included in the command-line function; this application was executed via the GUI). The VM acts as a safe environment that will not affect the local machine. The examiner can retrieve accurate threat analysis from the VM results without putting the examiner's machine at risk. After the applications have been executed, a single master report is created to outline the results from each anti-virus application. |
| 08/29/2016 |
Internet Evidence Finder (IEF) Frontline |
1.0.0.0147 |
Magnet Forensics |
Frontline was developed by Magnet Forensics. It is a tool capable of searching a Windows computer for various types of Internet artifacts and image files. These include, but are not limited to, chat messages, web browser history, and image files. Frontline will display the results in a generated report. |
| 08/29/2016 |
Internet Evidence Finder (IEF) |
3.5.1 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to, emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 08/29/2016 |
Internet Evidence Finder (IEF) |
3.6.0 |
Magnet Forensics |
Internet Evidence Finder (IEF) is a Windows-based digital forensic investigation suite. IEF is capable of searching a drive, cellphone image, memory dump, folder (and optionally subfolders), or file for various types of Internet artifacts. These include, but are not limited to, emails, instant chat messages, and Internet Explorer InPrivate / Recovery URLs. IEF will display the results in a generated report. IEF can perform these searches across allocated space, unallocated space, slack space, volume shadow copies, hibernate files, and page files. |
| 08/29/2016 |
HfsDebug |
4.32 |
Amit Singh |
hfsdebug is an OS X-based tool made for exploring HFS internals; it is not a debugger in the typical sense, as it cannot make any changes to the volume being examined. |
| 08/29/2016 |
Hdiutil |
1 |
Apple Inc. |
Hdiutil is a command-line tool developed by Apple Inc. as part of the OS X operating system. The purpose of this tool is to create and manipulate disk image files using the disk image framework. The requirements set forth by the customer dictate that the following features are to be validated: shadow mounting and partition information. |
| 08/29/2016 |
HashTab |
2.3 |
Cody Batt |
HashTab was developed by Cody Batt. HashTab provides OS extensions to calculate file hashes. HashTab supports many hash algorithms including MD5, SHA1, SHA2, RipeMD, HAVAL, and Whirlpool. The tool provides an easy way to verify file integrity and authenticity. |
| 08/29/2016 |
HashTab |
3 |
Cody Batt |
HashTab was developed by Cody Batt. HashTab provides OS extensions to calculate file hashes. HashTab supports many hash algorithms including MD5, SHA1, SHA2, RipeMD, HAVAL, and Whirlpool. The tool provides an easy way to verify file integrity and authenticity. |
| 08/29/2016 |
HashTab |
5.0.0.19 |
Cody Batt |
HashTab was developed by Cody Batt. HashTab provides OS extensions to calculate file hashes. HashTab supports many hash algorithms including MD5, SHA1, SHA2, RipeMD, HAVAL, and Whirlpool. The tool provides an easy way to verify file integrity and authenticity. |
| 08/29/2016 |
HashDeep |
4.3 (Ubuntu) |
Jesse Kornblum |
Hashdeep performs hashing of files and physical devices and is capable of employing a number of different hashing algorithms. The hashdeep executable is the same as the md5deep executable (with identical hash values). |
| 08/29/2016 |
HashDeep |
3.9.2 |
Jesse Kornblum |
Hashdeep performs hashing of files and physical devices and is capable of employing a number of different hashing algorithms. The hashdeep executable is the same as the md5deep executable (with identical hash values). |
| 08/29/2016 |
HashDeep |
4.1 |
Jesse Kornblum |
Hashdeep performs hashing of files and physical devices and is capable of employing a number of different hashing algorithms. The hashdeep executable is the same as the md5deep executable (with identical hash values). |
| 08/29/2016 |
HashDeep |
4.3 |
Jesse Kornblum |
Hashdeep performs hashing of files and physical devices and is capable of employing a number of different hashing algorithms. The hashdeep executable is the same as the md5deep executable (with identical hash values). |
| 08/29/2016 |
HashCalc |
2.02 |
SlavaSoft Inc. |
HashCalc is a utility that allows users to compute message digests (hashes), checksums and HMACs for files, as well as for text and hex strings. It offers a choice of 11 different hashes and checksum algorithms for calculations. Evaluation is needed to ensure that this software can function on the Macintosh hardware platform without altering the media used in the testing procedure. |
| 08/29/2016 |
Guymager |
0.7.3 |
Guy Voncken |
Guymager is a free forensic imager for media acquisition. Guymager runs under Linux and utilizes multi-processor and multi-threaded capabilities for operations, such as data compression. Guymager can create flat dd image files, EnCase E01 image files, AFF image files, or clone a hard disk. Guymager can also perform hash verification of evidence. |
| 08/29/2016 |
Gtkhash |
0.7.0 |
Tristan Heaven |
Gtkhash is a GTK utility for computing message digests or checksums. It supports a number of hashing functions including MD5, MD6, SHA1, SHA256, SHA512, RIPEMD, TIGER, and WHIRLPOOL. Gtkhash can be run against individual files or against a group of files (allowing for a batch hashing job). |
| 08/29/2016 |
GMER |
1.0.15.14966 |
Przemyslaw Gmerek |
GMER is a rootkit detector for Windows. It scans live systems for hidden processes, hidden threads, hidden services, hidden files, hidden alternate data streams, hidden registry keys, drivers hooking the SSDT (System Service Descriptor Table), drivers hooking the IDT (Interrupt Descriptor Table), drivers hooking IRP (I/O Request Packet) calls, and inline hooks. GMER also allows the user to monitor the following system functions: process creation, driver loading, library loading, file functions, registry entries, and TCP/IP connections. GMER runs on Windows NT/W2K/XP. |
| 08/29/2016 |
Forensic Explorer |
1.6.1 |
GetData Forensics Pty Ltd. |
Forensic Explorer is a Windows-based digital forensic investigation suite. It provides imaging, analysis, and reporting capabilities. |
| 08/29/2016 |
Genpmk |
1 |
Max Moser, Mati Aharoni, Martin J. Muench, and others |
BackTrack was developed by Max Moser, Mati Aharoni, Martin J. Muench, and others. Genpmk creates a rainbow table from plaintext passphrases. Another BackTrack utility, coWPAtty, must be executed to prove that the rainbow table was created correctly. It performs a brute force attack utilizing rainbow tables to recover the password of a WPA-secured network. |
| 08/26/2016 |
Gargoyle Investigator Forensic Pro |
1 |
WetStone Technologies |
Gargoyle collects and organizes information about the contents of a suspect's computer, or of an image of that computer. It maps detected files to their associated weapons and, when a match is found, classifies them into a malware category. |
| 08/26/2016 |
Forensic Toolkit (FTK) Imager |
3.1.1 (Ubuntu 64-bit) |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 08/26/2016 |
Forensic Toolkit (FTK) Imager |
3.1.1 (Mac OSX) |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 08/26/2016 |
Forensic Toolkit (FTK) Imager |
2.5.4 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 08/26/2016 |
Forensic Toolkit (FTK) Imager |
2.6.1.6.2 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 08/26/2016 |
Forensic Toolkit (FTK) Imager |
3.0.0.1443 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 08/26/2016 |
Forensic Toolkit (FTK) Imager |
3.1.0.1514 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 08/26/2016 |
Forensic Toolkit (FTK) Imager |
3.1.2.0 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 08/26/2016 |
Forensic Toolkit (FTK) Imager |
3.4.0.1 |
AccessData |
FTK Imager is a data preview and imaging tool that lets an examiner quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can create forensic images of evidence without making changes to the original evidence. FTK Imager is also able to compute the MD5 and SHA1 hash values of the evidence. |
| 08/26/2016 |
Forensic Toolkit (FTK) |
1.81.5 |
AccessData |
Forensic Toolkit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to analyze various media types, including hashing and keyword searching, and provides bookmarking and reporting capabilities. |
| 08/26/2016 |
Forensic Toolkit (FTK) |
3.2 |
AccessData |
Forensic Toolkit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to analyze various media types, including hashing and keyword searching, and provides bookmarking and reporting capabilities. |
| 08/26/2016 |
Forensic Toolkit (FTK) |
4.0.1 (Dell T7500s) |
AccessData |
Forensic Toolkit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to analyze various media types, including hashing and keyword searching, and provides bookmarking and reporting capabilities. |
| 08/26/2016 |
Forensic Toolkit (FTK) |
5.4 |
AccessData |
Forensic Toolkit (FTK) is an MS Windows-based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to analyze various media types, including hashing and keyword searching, and provides bookmarking and reporting capabilities. |
| 08/26/2016 |
Forensic Labdock |
1 |
WiebeTech |
Write-block support is provided via WiebeTech's proprietary write-block technology, which offers read-only access to suspect hard drives through high-speed FireWire 800 (400-compatible) or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. Installed in a standard 5.25-inch bay, the Forensic LabDock gives convenient forensic access to suspect hard drives. Write-blocked access to thumb drives is as convenient as write-blocked SATA and IDE access: the Forensic LabDock also incorporates a USB WriteBlocker so the examiner can forensically access flash drives or full-size USB enclosures. Most USB 1.1 and 2.0 devices that normally register with the computer as a USB Mass Storage Device are supported. |
| 08/26/2016 |
Forensic Box |
1.44 |
Unknown |
Windows Live Messenger is a Windows XP instant messaging client. The files it creates during a chat session cannot be opened with ordinary Windows programs because of their special file format and the encryption applied for security. Contact lists, passwords and credentials are just some of the information saved during instant message conversations. Forensic Box v1.44 can open and read these files, making their contents available for viewing or export. |
| 08/26/2016 |
DC3 FMAV Command Line |
1 |
DC3 |
FMAV was developed by the Defense Cyber Crime Center (DC3). FMAV is a tool used to scan a selected directory or media device for the presence of malicious software. It uses a preconfigured virtual machine with several antivirus suites installed to perform the scan. FMAV is available in both a GUI and a command-line mode; this validation pertains only to the command-line mode. |
| 08/26/2016 |
File Buddy |
9.0.1 |
Skytag Software |
File Buddy was developed by Skytag Software as a file management suite for the Macintosh operating system, OS X. The main function of File Buddy is to manage a large volume of files and folders using a set of tools. These tools are used to manually and automatically perform file and folder management tasks that would otherwise take a long time to complete. |
| 08/26/2016 |
FastDump Pro |
2 |
HBGary, Inc. |
FDPro was developed by HBGary, Inc. The software is a stand-alone, Windows-based executable driven from a command prompt. When run, it captures the current run state of its host by copying data from RAM to the local disk or external media. The output is either a standard raw binary file or a proprietary HPAK file. Since FDPro only dumps RAM, separate tools are needed to analyze either dump format. |
| 08/26/2016 |
Fast Disk Acquisition System |
1.5 |
CyanLine |
FDAS gives the digital forensic examiner the ability to extract a forensically sound image in dd format at a faster rate than would be possible with conventional techniques. |
| 08/26/2016 |
Forensic Falcon |
3.2.48 |
Logicube |
The Falcon images and verifies the following formats: native or mirror copies, dd images, e01, ex01 and file-based copies. e01 and ex01 feature user-selectable compression levels and the Falcon supports SHA1, SHA256, or MD5 authentication. The Falcon can simultaneously perform multiple imaging tasks from one or two drives to multiple output drives in different formats. |
| 08/26/2016 |
eSATA UltraDock WriteBlocker |
1 |
WiebeTech |
UltraDock was developed by WiebeTech. It uses WiebeTech's proprietary write-block technology to provide read-only access to suspect hard drives through high-speed FireWire 800 (400-compatible), USB 2/3, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. |
| 08/26/2016 |
Epilog |
1.3.0 |
CCL Forensics |
Epilog was developed by CCL Forensics. It parses SQLite database files, WAL files, and journal files in order to recover deleted entries, reconstruct portions of malformed databases, and determine the order in which database events occurred when the database was running in WAL mode. |
| 08/26/2016 |
EnCase |
6.11 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 08/26/2016 |
EnCase |
6.13.0.43 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 08/26/2016 |
EnCase |
6.15.0.82 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 08/26/2016 |
EnCase |
6.19.7 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 08/26/2016 |
EnCase |
7.05.02.03 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 08/26/2016 |
EnCase Forensic Imager |
7.06 |
Guidance Software |
EnCase Forensic Imager was developed by Guidance Software. EnCase Forensic Imager is a tool for data imaging and verification. EnCase Forensic Imager is able to create forensic images of evidence without making changes to the original evidence. This tool is also able to compute the MD5 and SHA1 hash values of the evidence. EnCase Forensic Imager is capable of wiping local disk drives and restoring evidence to a wiped disk drive. |
| 08/26/2016 |
EnCase |
7.08 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 08/26/2016 |
EnCase |
7.09.02.12 |
Guidance Software |
EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, and reporting capabilities. |
| 08/26/2016 |
Email Detective |
4.0.3 |
Hot Pepper Technology |
Email Detective allows investigators to extract email contents from America Online databases and any MBox email client data stores on a user's computer disk drive. A comprehensive report detailing all messages and photos retrieved is produced for the forensic investigator. |
| 08/26/2016 |
DumpIt |
1.3.2.20110401 |
Matthieu Suiche and MoonSols |
DumpIt is a command-line tool for either 32-bit or 64-bit systems that lets the user acquire an image of the system's memory. It generates a raw (dd-style) memory dump file of the current system's physical memory. |
| 08/26/2016 |
Distributed Network Attack (DNA) |
3.3 |
AccessData |
Distributed Network Attack (DNA) is a tool that allows the user to recover passwords and gain access to critical information in computer files. DNA provides password-cracking modules for most industry-standard applications and formats, such as Microsoft Office, WinZip, and Adobe PDF. Its function is similar to that of Password Recovery Toolkit (PRTK), also developed by AccessData, but DNA distributes the work across many computers to recover passwords faster. |
| 08/26/2016 |
Decode |
2.07-20091118 |
Digital Detective |
Decode was developed by Digital Detective. Decode was designed to decode the various date/time values found embedded within binary and other file types. It supports various Windows, Unix and HFS date/time formats and will allow you to specify the offset from GMT. |
| 08/26/2016 |
Decode |
2.07-20090428 |
Digital Detective |
Decode was developed by Digital Detective. Decode was designed to decode the various date/time values found embedded within binary and other file types. It supports various Windows, Unix and HFS date/time formats and will allow you to specify the offset from GMT. |
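Decoding the raw timestamp fields that the Decode entries above describe, as an added example in Python (this is not Digital Detective's code): the Windows FILETIME, Unix time_t and HFS/HFS+ encodings, presented in an examiner-chosen offset from GMT. The epochs and tick units are the documented ones; the function names, the interpret helper and its "plausible year" window are this example's own choices.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

EPOCH_WINDOWS = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME: 100 ns ticks
EPOCH_HFS = datetime(1904, 1, 1, tzinfo=timezone.utc)       # HFS/HFS+: seconds, big-endian
EPOCH_UNIX = datetime(1970, 1, 1, tzinfo=timezone.utc)      # time_t: seconds


def _localise(utc: datetime, gmt_offset_hours: float) -> datetime:
    """Show a UTC instant in the zone the examiner selected (e.g. -5 for US Eastern Standard Time)."""
    return utc.astimezone(timezone(timedelta(hours=gmt_offset_hours)))


def decode_filetime(raw: bytes, gmt_offset_hours: float = 0) -> datetime:
    """8 bytes, little-endian, 100-nanosecond intervals since 1601-01-01 UTC
    (NTFS timestamps, registry key LastWrite times, many Windows artifacts)."""
    (ticks,) = struct.unpack("<Q", raw)
    return _localise(EPOCH_WINDOWS + timedelta(microseconds=ticks // 10), gmt_offset_hours)


def decode_unix(raw: bytes, gmt_offset_hours: float = 0, big_endian: bool = False) -> datetime:
    """4-byte time_t, seconds since 1970-01-01 UTC; the byte order depends on the producer."""
    (secs,) = struct.unpack(">I" if big_endian else "<I", raw)
    return _localise(EPOCH_UNIX + timedelta(seconds=secs), gmt_offset_hours)


def decode_hfs(raw: bytes, gmt_offset_hours: float = 0) -> datetime:
    """4-byte big-endian seconds since 1904-01-01.  HFS+ stores UTC; classic HFS stored
    local time, so for HFS pass offset 0 and read the result as the machine's local time."""
    (secs,) = struct.unpack(">I", raw)
    return _localise(EPOCH_HFS + timedelta(seconds=secs), gmt_offset_hours)


def interpret(raw: bytes, gmt_offset_hours: float = 0,
              earliest: int = 1980, latest: int = 2040) -> Dict[str, datetime]:
    """Try every encoding that fits the field width and keep those that land in a
    plausible year range; the examiner then picks the one matching the artifact.
    (The window is this example's heuristic, not a property of the formats.)"""
    decoders = {8: [("filetime_le", decode_filetime)],
                4: [("unix_le", decode_unix),
                    ("unix_be", lambda b, o: decode_unix(b, o, big_endian=True)),
                    ("hfs_be", decode_hfs)]}
    found: Dict[str, datetime] = {}
    for label, fn in decoders.get(len(raw), []):
        try:
            dt = fn(raw, gmt_offset_hours)
        except OverflowError:                 # value too large to be a date at all
            continue
        if earliest <= dt.year < latest:
            found[label] = dt
    return found
```

A useful property of interpret is that a 4-byte value usually decodes sensibly under only one of the three readings, so the surviving label often identifies the producer's byte order without further context; the same bytes read little-endian as a 2001 Unix time fall in 1970 when read big-endian and in 1904 as an HFS date.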
| 08/26/2016 |
DC3 Video Validator |
1 |
DC3 |
DCCI Video Validator was developed by the Department of Defense Cyber Crime Institute (DCCI). Video Validator is a tool used mainly to quickly verify whether or not video fragments obtained by data carving techniques are able to be played. Video Validator can run as a standalone application or it can be run from within DCCI_StegCarver. Video Validator is capable of creating thumbnail storyboards for any validated videos. |
| 08/26/2016 |
DC3 Video Validator |
2 |
DC3 |
DCCI Video Validator was developed by the Department of Defense Cyber Crime Institute (DCCI). Video Validator is a tool used mainly to quickly verify whether or not video fragments obtained by data carving techniques are able to be played. Video Validator can run as a standalone application or it can be run from within DCCI_StegCarver. Video Validator is capable of creating thumbnail storyboards for any validated videos. |
| 08/26/2016 |
DC3OSS |
2c_20141017 |
DC3 |
DC3 OSS was developed by the Defense Cyber Crime Center (DC3). It is a live-CD tool based on the Knoppix 7.0 distribution. It allows law enforcement investigators in the field to preview a suspect's computer before deciding whether to seize it. |
| 08/26/2016 |
DC3DD |
6.12.2 (Linux & Mac Leopard) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
6.12.4 (Linux & Mac Leopard) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
7.0.0 (Ubuntu 10.04 LTS) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
7.0.0 (Windows XP & 2003 using CYGWIN 1.7.5) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
7.1.604 (Windows 7 using CYGWIN 1.7.5) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
7.1.604 (Linux, Mac OS, Windows 7) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
7.2.629 (Windows 7 and Linux Ubuntu) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
7.2.627 (Mac Snow Leopard) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
7.2.629 (Snow Leopard, Windows 7, Ubuntu 10.4 LTS) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
| 08/26/2016 |
DC3DD |
7.2.641 (Mac OSX Mountain Lion) |
DC3 |
Inspired by GNU dd, this program has several features specialized for forensic imaging. Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging. |
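The DC3DD entries above all name the same feature set: hash the input as it is read, split the output into multiple files, verify the image by hashing it again, and log everything. The following is an added example in Python of that workflow, written against the standard library so it runs anywhere; it is not dc3dd's source code, and the function names, the log format and the constructed 300 KiB "device" are this example's own.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def _log(log_path: str, msg: str) -> None:
    """Append a timestamped line; the role dc3dd's log output plays."""
    with open(log_path, "a") as log:
        log.write(f"{datetime.now(timezone.utc).isoformat()} {msg}\n")


def acquire(source: str, out_prefix: str, *, split_size: int,
            block_size: int = 65536, algo: str = "sha256") -> Tuple[str, List[str]]:
    """One pass over `source`: hash each block as it is read (input hashing) and
    write it into numbered files of at most `split_size` bytes (split output).
    Returns (input_hash_hex, output_paths).  The log file is out_prefix + '.log'."""
    log_path = out_prefix + ".log"
    h = hashlib.new(algo)
    parts: List[str] = []
    part = None
    in_part = total = 0
    _log(log_path, f"acquire source={source} algo={algo} split={split_size}")
    with open(source, "rb") as src:
        for block in iter(lambda: src.read(block_size), b""):
            h.update(block)
            total += len(block)
            view = memoryview(block)
            while len(view):                      # a block may straddle two output files
                if part is None or in_part == split_size:
                    if part is not None:
                        part.close()
                    parts.append(f"{out_prefix}.{len(parts):03d}")
                    part = open(parts[-1], "wb")
                    in_part = 0
                n = min(len(view), split_size - in_part)
                part.write(view[:n])
                in_part += n
                view = view[n:]
    if part is not None:
        part.close()
    digest = h.hexdigest()
    _log(log_path, f"input bytes={total} {algo}={digest} parts={len(parts)}")
    return digest, parts


def verify_image(parts: List[str], expected_hex: str, log_path: str, *,
                 algo: str = "sha256", block_size: int = 65536) -> bool:
    """Re-read the split image in order and compare its hash with the input hash."""
    h = hashlib.new(algo)
    for path in parts:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(block_size), b""):
                h.update(block)
    ok = h.hexdigest() == expected_hex
    _log(log_path, f"verify output {algo}={h.hexdigest()} result={'MATCH' if ok else 'MISMATCH'}")
    return ok


def demonstrate(workdir: Optional[str] = None) -> Dict[str, object]:
    """Constructed run: a 300 KiB pseudo-device is imaged into 128 KiB pieces and
    verified; then one byte of the last piece is flipped and verification repeated."""
    workdir = workdir or tempfile.mkdtemp(prefix="imaging_demo_")
    device = os.path.join(workdir, "device.bin")
    with open(device, "wb") as f:
        f.write(os.urandom(300 * 1024))           # constructed evidence, not real data
    with open(device, "rb") as f:
        independent = hashlib.sha256(f.read()).hexdigest()
    prefix = os.path.join(workdir, "image.dd")
    in_hash, parts = acquire(device, prefix, split_size=128 * 1024)
    clean_ok = verify_image(parts, in_hash, prefix + ".log")
    with open(parts[-1], "r+b") as f:             # simulate a damaged or altered segment
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    tampered_ok = verify_image(parts, in_hash, prefix + ".log")
    return {"input_hash_matches_independent": in_hash == independent,
            "part_sizes": [os.path.getsize(p) for p in parts],
            "verified_clean": clean_ok, "verified_after_tamper": tampered_ok,
            "log": prefix + ".log"}


if __name__ == "__main__":
    print(demonstrate())
```

The point of hashing in the same pass as the copy is that the input hash describes exactly the bytes that were read, not a later re-read that may differ on failing media; the verification hash is then computed from the split files in order, so a single altered byte anywhere in any segment is reported as a mismatch and recorded in the log next to the original value.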
| 08/26/2016 |
DC3 Computer Vision (CV) |
3.0 (Windows 7) |
DC3 |
DC3_CV is used to reduce the time an examiner spends sifting through large directories of image files. With DC3_CV, examiners can use pre-trained datasets or easily create custom datasets of a person of interest. Using these datasets, DC3_CV finds lookalikes automatically and presents the findings in a built-in viewer. DC3_CV can be run via a graphical user interface or from the command line. |
| 08/26/2016 |
DBXtract |
3.7 |
Stephen L. Cochran |
DBXtract 3.70 is a free stand-alone utility designed to extract email messages from corrupt Outlook Express databases (.dbx) and turn them into individual .eml files. It may also be able to recover email that has been permanently deleted from Deleted Items.dbx. |
| 08/26/2016 |
CERT/CC VMware Tools |
1.3 |
CERT/CC and VMware Inc. |
The VMware environment has become the standard platform many analysts use to test and evaluate malicious code and other binaries. This isolated environment allows the effects of malware to be studied and documented without harming a native system. VMware attempts to duplicate a real computer system virtually, in a way that is not apparent to the programs executed within it. However, there are flaws that malware authors have exploited to detect whether their program is running in a virtual environment, which alerts them that someone is trying to analyze it. Once analysis is detected, the malware is designed to hide or withhold its effects, making the analysis unreliable. The CERT/CC VMware tools obfuscate the virtual machine platform so that those flaws can no longer be used by malware to detect it. |
| 08/26/2016 |
DC3 DbbView |
2.1 |
DC3 |
DbbView was developed by the Department of Defense (DoD) Cyber Crime Institute (DCCI). DbbView is designed to decode .dbb files created by KaZaA and/or KaZaAlite, publicly available programs that enable peer-to-peer file exchange. |
| 08/26/2016 |
Dariks Boot and Nuke (DBAN) |
2.2.6 |
Darik Horn |
DBAN is a boot disk that completely wipes a hard drive or a selected partition. Six wiping methods are available: 1) Quick Erase, 2) RCMP TSSIT OPS-II, 3) DoD Short, 4) DoD 5220.22-M, 5) Gutmann Wipe, and 6) PRNG Stream. DBAN claims to prevent or thoroughly hinder all known techniques of hard disk forensic analysis. |
| 08/26/2016 |
DC3 DatView |
2.1 |
DC3 |
DatView was developed by the Department of Defense (DoD) Cyber Crime Institute (DCCI). DatView is designed to decode .dat files created by KaZaA and/or KaZaAlite, publicly available programs that enable peer-to-peer file exchange. |
| 08/26/2016 |
Data Extraction and Naming Tool (DENT) |
1 |
Idaho National Laboratory |
DENT was developed by the Idaho National Laboratory. DENT was designed to offer fast, flexible, and customizable file carving for multiple file systems. The function of DENT is to copy files from the target file system, which are of interest to the end-user based on the plug-ins selected, and organize the files collected into a defined area with a structure to make the output easier to index and view. |
| 08/26/2016 |
Computer Online Forensic evidence Extractor (COFEE) |
1 |
Microsoft Corp. |
COFEE was developed by Microsoft Corporation as a Windows-based incident responder's toolkit for live analysis of a victim system. It brings together several forensic utilities under an easy-to-use interface. Note that there is no web site for this tool, as it is available only to legitimate law enforcement entities; the tool is distributed through Interpol and NW3C. The URL listed is for the Wikipedia page, which gives information on the tool. |
| 08/26/2016 |
CD/DVD Inspector |
4 |
InfinaDyne |
CD/DVD Inspector analyzes CDs, DVDs, and Blu-ray (BD) discs to identify sessions and files, characterize the media, and produce reports of the results. It has been tailored for professionals in data recovery, forensics, and law enforcement. CD/DVD Inspector reads all major CD and DVD filesystem formats, including ISO-9660, Joliet, UDF, HSG, HFS and HFS+. When the disc being examined contains more than a single filesystem, all filesystems found are displayed. |
| 08/26/2016 |
CD/DVD Inspector |
4.1 |
InfinaDyne |
CD/DVD Inspector analyzes CDs, DVDs, and Blu-ray (BD) discs to identify sessions and files, characterize the media, and produce reports of the results. It has been tailored for professionals in data recovery, forensics, and law enforcement. CD/DVD Inspector reads all major CD and DVD filesystem formats, including ISO-9660, Joliet, UDF, HSG, HFS and HFS+. When the disc being examined contains more than a single filesystem, all filesystems found are displayed. |
| 08/26/2016 |
Capture-Bat |
2 |
The Honeynet Project |
CaptureBat is a Windows-based behavioral analysis tool developed by The Honeynet Project. Its purpose is to find out how software operates on a system without having the source code, which it accomplishes by monitoring the system's registry, process, and file activity. |
| 08/26/2016 |
CacheBack |
2.8.11 |
SiQuest Corporation |
CacheBack was developed by the SiQuest Corporation. CacheBack is a tool used for retrieving and displaying Internet browser records. The tool's main feature is the ability to rebuild cached web pages and display them to the examiner, but there are many additional features. CacheBack can generate reports, organize and filter data based upon many criteria, and run custom queries against the data. |
| 08/26/2016 |
CacheBack |
3.7.21 |
SiQuest Corporation |
CacheBack was developed by the SiQuest Corporation. CacheBack is a tool used for retrieving and displaying Internet browser records. The tool's main feature is the ability to rebuild cached web pages and display them to the examiner, but there are many additional features. CacheBack can generate reports, organize and filter data based upon many criteria, and run custom queries against the data. |
| 08/26/2016 |
CacheBack |
3.7.8 |
SiQuest Corporation |
CacheBack was developed by the SiQuest Corporation. CacheBack is a tool used for retrieving and displaying Internet browser records. The tool's main feature is the ability to rebuild cached web pages and display them to the examiner, but there are many additional features. CacheBack can generate reports, organize and filter data based upon many criteria, and run custom queries against the data. |
| 08/26/2016 |
DC3 Bookmark Extractor |
1 |
DC3 |
Bookmark Extractor was developed by DCCI. Bookmark Extractor is an EnCase EnScript designed to extract user selected bookmarks to a user specified file. |
| 08/26/2016 |
Blindside StegExtraction Tool |
1 |
Blindside |
The Blindside Stegextraction Tool, version 1.0 (hereinafter, bs_break) is a Windows command line application created to identify bitmap files containing data that was hidden with the steganography program Blindside. Bs_break will determine a working password, if one was used, and extract the hidden data. The extracted data is decrypted and uncompressed. Bs_break produces a log in html format that can be opened in any web browser. This log contains the list of files found to contain hidden Blindside data, as well as hypertext links to the extracted documents. |
| 08/26/2016 |
BlackLight |
2014r2 (Mac OS) |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and includes analysis of memory images. BlackLight allows for easy searching, filtering and otherwise sifting through large data sets. The tool runs on both Windows and Mac OSX. It can logically acquire Android and iPhone/iPad devices. BlackLight can analyze data from PC, Mac, and mobile platforms within one interface. |
| 08/26/2016 |
BlackLight |
2012r4 (Mac OSX) |
Black Bag Technologies Inc. |
BlackLight is a cross-platform solution for conducting forensic investigations. BlackLight quickly analyzes computer volumes and mobile devices. It sheds light on user actions and includes analysis of memory images. BlackLight allows for easy searching, filtering and otherwise sifting through large data sets. The tool runs on both Windows and Mac OSX. It can logically acquire Android and iPhone/iPad devices. BlackLight can analyze data from PC, Mac, and mobile platforms within one interface. |
| 08/26/2016 |
Black Bag Macintosh Forensic Suite |
2.5 |
Black Bag Technologies Inc. |
Black Bag is a unique set of tools that provides forensic examiners with a flexible, open environment within which to perform their analysis. The suite is specifically designed for the Mac OS X operating system. The applications are designed to efficiently carve and copy the pertinent sectors of a target hard drive, speeding the examiner's analysis while ensuring a thorough investigation of the drive. |
| 08/26/2016 |
BinText |
3.01 |
Foundstone |
BinText allows the user to extract plain ASCII text, Unicode (double-byte ANSI) text, and resource strings from a file. It has many capabilities, including an advanced view mode and filtering options that help prevent unwanted text from being listed. The gathered information can be searched and saved to a separate file, either as plain text or in tabular form. |
| 08/26/2016 |
Autopsy |
3.1.2 |
Basis Technology Corporation & Brian Carrier |
Autopsy was developed by Basis Technology Corporation and Brian Carrier. Autopsy is a custom front-end application for The Sleuth Kit (TSK) which provides a user interface, as well as case management. TSK is a library and collection of UNIX and Windows based tools and utilities to allow for the forensic analysis of computer systems. Autopsy can be used to perform digital investigations and data extraction from images of mobile devices, Windows, Linux, and UNIX systems. |
| 08/26/2016 |
Autopsy |
2.2 |
Basis Technology Corporation & Brian Carrier |
Autopsy was developed by Basis Technology Corporation and Brian Carrier. Autopsy is a custom front-end application for The Sleuth Kit (TSK) which provides a user interface, as well as case management. TSK is a library and collection of UNIX and Windows based tools and utilities to allow for the forensic analysis of computer systems. Autopsy can be used to perform digital investigations and data extraction from images of mobile devices, Windows, Linux, and UNIX systems. |
| 08/26/2016 |
Audit Viewer |
1.4 |
FireEye |
Audit Viewer runs on the Microsoft Windows operating system. It is for viewing output files produced by Memoryze in particular, but also by other tools that create raw memory dumps. Audit Viewer has a graphical user interface (GUI) with clear tab and menu names that help users select, view, and print bulky memory dumps. Data is divided into logical groupings and displayed in an easy-to-read format on screen and on paper. It also invokes Memoryze with the click of a mouse instead of running it from the command line. The GUI makes interacting with Memoryze easier, but configuring it to parse memory for specific information still requires some knowledge of the data of interest. |
| 08/26/2016 |
DC3 AScan |
2 |
DC3 |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| 08/26/2016 |
DC3 AScan |
3 |
DC3 |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| 08/26/2016 |
DC3 AScan |
3.5 (Windows 7) |
DC3 |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| 08/26/2016 |
DC3 AScan |
4.1 |
DC3 |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| 08/26/2016 |
DC3 AScan |
5 |
DC3 |
AScan is a command line program which is used in the Windows environment to extract information from the files and data structures of Limewire/BearShare/Ares Galaxy. AScan organizes the information collected into an HTML document which presents the artifact information in an easy to read format. |
| 08/26/2016 |
DC3 Ariadne |
2.1.7 |
DC3 |
Ariadne was developed by Defense Cyber Forensics Laboratory (DCFL). Ariadne is used to automatically carve encoded/obfuscated code in supported file types. |
| 08/26/2016 |
Apple SAN Process |
1 |
I&E Group |
The process was developed by the I&E group to document the way that evidence will be duplicated, and made ready for the later processing by a lab investigator. This process was created to define the way to label and track the evidence, as well as provide an archive of said evidence should it be required to reproduce in case of device failure or later reprocessing of the evidence. |
| 08/26/2016 |
ADROIT Photo Forensics |
1.002 |
Digital Assembly |
Adroit Photo Forensics is a Windows based tool used to carve picture files from a disk or disk image. The carving operations are accomplished using several methods. These include sequential carving of unallocated space, carving based on data left in system logs, using human expertise to recover fragmented files, and applying a proprietary method. |
| 08/26/2016 |
AnalyzeMFT |
1.7 |
David Kovar |
AnalyzeMFT parses the MFT file from an NTFS file system. It then presents the results in a format that allows further analysis with other tools. |
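What parsing an MFT record involves, as an added example in Python; this is not AnalyzeMFT's code. It follows the documented on-disk layout of an NTFS FILE record (header, update-sequence fixups, resident $STANDARD_INFORMATION and $FILE_NAME attributes) and builds one such record inline so the parser can be exercised without an NTFS image; the file name, record numbers, sequence numbers and timestamps in the sample are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD_SIZE = 512, 1024
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(ticks: int) -> datetime:
    """NTFS timestamps are 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def apply_fixups(raw: bytes) -> bytearray:
    """NTFS stamps the update sequence number (USN) over the last two bytes of every
    sector and keeps the real bytes in the update sequence array.  Restore them, and
    reject a record whose sectors carry different USNs (torn write or corruption)."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: record is torn or corrupt")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def record_is_torn(raw: bytes) -> bool:
    """True when the fixup check fails; such records need manual review, not parsing."""
    try:
        apply_fixups(raw)
        return False
    except ValueError:
        return True


def parse_record(raw: bytes) -> dict:
    """Return header fields, $STANDARD_INFORMATION times and every $FILE_NAME."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or unallocated)")
    rec = apply_fixups(raw)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    used = struct.unpack_from("<I", rec, 0x18)[0]
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "links": links, "names": []}
    off = first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                     # resident: the value lives inside the record
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            val = rec[off + voff:off + voff + vlen]
            if atype == ATTR_STD_INFO:
                c, m, mm, a = struct.unpack_from("<4Q", val, 0)
                info["si"] = {"created": filetime(c), "modified": filetime(m),
                              "mft_modified": filetime(mm), "accessed": filetime(a)}
            elif atype == ATTR_FILE_NAME:
                parent, c = struct.unpack_from("<QQ", val, 0)
                nlen, ns = val[64], val[65]
                info["names"].append({"name": val[66:66 + 2 * nlen].decode("utf-16-le"),
                                      "namespace": ns, "parent_record": parent & 0xFFFFFFFFFFFF,
                                      "parent_seq": parent >> 48, "fn_created": filetime(c)})
        off += alen
    return info


# --- constructed sample record (not from any real volume) -----------------------
def _resident_attr(atype: int, value: bytes, attr_id: int) -> bytes:
    """24-byte resident attribute header; total length is padded to 8 bytes."""
    total = (24 + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, attr_id, len(value), 24, 0, 0)
    return hdr + value + bytes(total - 24 - len(value))


def build_sample_record(name: str, record_no: int, parent_record: int, created_ticks: int) -> bytes:
    """An in-use file record as it would sit in $MFT, fixups already applied."""
    si = struct.pack("<4Q4I", *([created_ticks] * 4), 0x20, 0, 0, 0)
    fn = struct.pack("<Q4Q2QIIBB", parent_record | (1 << 48), *([created_ticks] * 4),
                     0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = (_resident_attr(ATTR_STD_INFO, si, 0) + _resident_attr(ATTR_FILE_NAME, fn, 1)
            + struct.pack("<I", ATTR_END))
    first_attr = 0x38                                    # 0x30 header + 3-word USA, 8-aligned
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 7, 1, first_attr, 0x01,
                      first_attr + len(body), RECORD_SIZE, 0, 2, 0, record_no)
    rec = bytearray(hdr + bytes(first_attr - len(hdr)) + body)
    rec += bytes(RECORD_SIZE - len(rec))
    usn = b"\x11\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                     # stash the real bytes, stamp the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)
```

Two details matter in practice. The fixups must be undone before any attribute is read, otherwise the two bytes at each sector boundary are the USN rather than data, and a record whose sectors disagree should be flagged rather than silently parsed. And $FILE_NAME carries its own set of timestamps next to those in $STANDARD_INFORMATION; comparing the two is a standard check for timestamp manipulation, because most utilities that alter file times only touch $STANDARD_INFORMATION.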
| 08/26/2016 |
Aid4Mail |
2.6 |
Fookes Software Ltd. |
Aid4Mail is a mail conversion application for migrating, searching, extracting, archiving, and performing forensics on email messages. The tool supports many email client programs and formats, as well as webmail through Internet Message Access Protocol (IMAP). |
| 08/26/2016 |
Adobe Acrobat |
8.1.0 |
Adobe |
Adobe Acrobat allows users to create and edit PDF documents. PDF has become the standard the U.S. Government uses when distributing and archiving documents. Among its many features, Acrobat allows a user to redact sensitive material from a document and remove any metadata and other elements they do not wish to be disseminated. |