Home  /  Tools  / Windows Tools Submit a Tool
Bootable Environments Data Acquisition Media Management File System Application Network Frameworks

Bootable Environments
none
Submit a Tool
 

Acquisition Tools
 
Title: Forensic Acquisition Utilities Author: George Garner
Description: A collection of Windows tools such as 'dd.exe', 'md5sum.exe', 'wipe.exe', and 'nc.exe'. The version of 'dd' in this package can also image memory contents in addition to disks.
Website: http://users.erols.com/gmgarner/forensics/
Source: http://users.erols.com/gmgarner/forensics/
 
 
Title: FTimes Author: Klayton Monroe
Description: FTimes is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.
Website: http://ftimes.sourceforge.net/FTimes/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=41134
 
 
Title: liveview Author: CERT
Description: Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because
Website: http://liveview.sourceforge.net/
 
 
Title: netcat Author: hobbit
Description: Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It can be used on a trusted server to save data from a suspect system and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk.
Website: http://www.atstake.com/research/tools/network_utilities/
Source: http://www.atstake.com/research/tools/network_utilities/
 
 
Title: pdd Author: Joe Grand
Description: pdd (Palm dd) is a Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs. pdd will preserve the crime scene by obtaining a bit-for-bit image or "snapshot" of the Palm device's memory contents. Such data can be used by forensic investigators, incident response teams, and criminal and civil prosecutors.
Website: [no longer exists]
Source: [local copy]
 
 
Title: ProDiscover DFT Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)
 
 
Title: psloggedon Author: Mark Russinovich (sysinternals.com)
Description: PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one.
Website: http://www.sysinternals.com/ntw2k/freeware/psloggedon.shtml
Source: http://www.sysinternals.com/ntw2k/freeware/psloggedon.shtml
 
 
Title: TULP2G Author: Netherlands Forensic Institute (NFI)
Description: TULP2G is a forensic software framework developed to make it easy to extract and decode data from digital devices. Besides the framework, it is distributed along with several plug-ins to read data from digital devices (at this point, mobile phones and SIM cards).
Website: http://sourceforge.net/projects/tulp2g/
Source: http://sourceforge.net/project/showfiles.php?group_id=119389
 
 
Title: UnxUtils Author: Karl Syring
Description: Ports of GNU tools, including 'dd', that do not need special DLLs.
Website: http://unxutils.sourceforge.net
Source: http://unxutils.sourceforge.net (via CVS)
 
 
Title: Webjob Author: Klayton Monroe
Description: WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.
Website: http://webjob.sourceforge.net/WebJob/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=40788
 

Media Management Analysis Tools
 
Title:TestDisk Author: Christophe Grenier
Description: Tool to check and undelete partition. Works with the following partitions: FAT12 FAT16 FAT32, Linux EXT2/EXT3, Linux SWAP (version 1 and 2), NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.
Website: http://www.cgsecurity.org/testdisk.html
Source: http://www.cgsecurity.org/testdisk.html
 

File System Analysis Tools
 
Title:Explore2fs Author: John Newbigin
Description: Explore2fs allows you to view the contents of an Ext2FS partition from within Windows.
Website: http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm
Source: http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm
 
 
Title: ProDiscover DFT Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)
 

Application Analysis Tools
 
Title:Event Log Parser Author:Jamie French
Description: A PHP script to parse through Windows event logs.
Website: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
Source: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
 
 
Title: Galleta Author: Keith Jones
Description: Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/galleta.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152412
 
 
Title: libpff Author: Joachim Metz
Description: The libpff package contains a shared library and tooling to analyse Microsoft Outlook Personal Folder Files (PAB, PST and OST). PFF files are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides:
  • pffexport to export PFF items
  • pffinfo to provide basic information about PFF files
  • pffrecover to recover and export PFF items
Website: http://libpff.sourceforge.net
 
 
Title: md5deep Author: Jesse Kornblum
Description: md5deep is an MD5 program that can compute recursively, compare hashes with a database, and estimates the time to completion.
Website: http://md5deep.sourceforge.net/
Source: http://md5deep.sourceforge.net/
 
 
Title: MD5summer Author: Luke Pascoe
Description: MD5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums. Its output file is compatible with the output of the Linux GNU MD5Sum and it will also read Linux generated files.
Website: http://www.md5summer.org/
Source: http://www.md5summer.org/download.html
 
 
Title: Outport Author: chief1ic
Description: Outport provides a means of migrating information from Microsoft Outlook to Ximian Evolution and several standard data formats.
Website: http://outport.sourceforge.net/
Source: http://outport.sourceforge.net/
 
 
Title: Pasco Author: Keith Jones
Description: Pasco, the latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/pasco.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152387
 
 
Title: ProDiscover DFT Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)
 
 
Title: RegRipper Author: Harlan Carvey
Description: The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.
Website: http://windowsir.blogspot.com/2008/04/updated-regripper.html
 
 
Title: Rifiuti Author: Keith Jones
Description: Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/rifiuti.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152410
 

Network Analysis Tools
 
Title: Network Miner Author: Erik Hjelmvik
Description: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
Website: http://networkminer.sourceforge.net/
 

Analysis Frameworks
Title: DFF (Digital Forensics Framework) Author: Solal Jacob
Description: DFF is multi-platform and open-source, user and developers oriented, provide many features and is very modular. Our goal is to provide a real framework to the forensic community, so people can use only one tool during the analysis.
Website: http://www.digital-forensic.org
 
 
Title: LibForensics Author: Michael Murr
Description: LibForensics is a Python framework for developing computer forensics applications. LibForensics also includes a series of demo tools that use the framework to extract information from various types of evidence/artifacts.
Website: http://www.libforensics.com
 
 
Copyright © 2003-2007 by Brian Carrier www.opensourceforensics.org<