Open Source Windows Forensic Tools

Home / Tools / Windows Tools

Submit a Tool

Bootable Environments

Data Acquisition

Media Management

File System

Application

Network

Frameworks

Bootable Environments

none Submit a Tool

Acquisition Tools


Title: Forensic Acquisition Utilities	Author: George Garner
Description: A collection of Windows tools such as 'dd.exe', 'md5sum.exe', 'wipe.exe', and 'nc.exe'. The version of 'dd' in this package can also image memory contents in addition to disks.
Website: http://users.erols.com/gmgarner/forensics/
Source: http://users.erols.com/gmgarner/forensics/

Title: FTimes	Author: Klayton Monroe
Description: FTimes is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.
Website: http://ftimes.sourceforge.net/FTimes/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=41134

Title: liveview	Author: CERT
Description: Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because
Website: http://liveview.sourceforge.net/

Title: netcat	Author: hobbit
Description: Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It can be used on a trusted server to save data from a suspect system and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk.
Website: http://www.atstake.com/research/tools/network_utilities/
Source: http://www.atstake.com/research/tools/network_utilities/

Title: OpenGates	Author: Dan Gillen
Description: OpenGates is a small tool written in C that will "open" the hardware limitation "gates" of Windows installations. All current Windows versions (up to and including Windows 7) are too stupid to boot after the hardware to which the root disk is connected to has changed. This happens for example if you try to boot a raw copy of a Windows installation in a virtual machine like VirtualBox or VMWare or if you try to use your old Windows installation on a new PC. You will certainly end up with a BSOD telling you Windows can't access his boot device (Error code 0x0000007B). It should be possible to solve this by recovering Windows using the original installation medium but as one does not always has it, I wrote OpenGates.
Website: https://www.pinguin.lu/index.php

Title: pdd	Author: Joe Grand
Description: pdd (Palm dd) is a Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs. pdd will preserve the crime scene by obtaining a bit-for-bit image or "snapshot" of the Palm device's memory contents. Such data can be used by forensic investigators, incident response teams, and criminal and civil prosecutors.
Website: [no longer exists]
Source: [local copy]

Title: ProDiscover DFT	Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)

Title: psloggedon	Author: Mark Russinovich (sysinternals.com)
Description: PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one.
Website: http://www.sysinternals.com/ntw2k/freeware/psloggedon.shtml
Source: http://www.sysinternals.com/ntw2k/freeware/psloggedon.shtml

Title: TULP2G	Author: Netherlands Forensic Institute (NFI)
Description: TULP2G is a forensic software framework developed to make it easy to extract and decode data from digital devices. Besides the framework, it is distributed along with several plug-ins to read data from digital devices (at this point, mobile phones and SIM cards).
Website: http://sourceforge.net/projects/tulp2g/
Source: http://sourceforge.net/project/showfiles.php?group_id=119389

Title: UnxUtils	Author: Karl Syring
Description: Ports of GNU tools, including 'dd', that do not need special DLLs.
Website: http://unxutils.sourceforge.net
Source: http://unxutils.sourceforge.net (via CVS)

Title: Webjob	Author: Klayton Monroe
Description: WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.
Website: http://webjob.sourceforge.net/WebJob/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=40788

Media Management Analysis Tools


Title:TestDisk	Author: Christophe Grenier
Description: Tool to check and undelete partition. Works with the following partitions: FAT12 FAT16 FAT32, Linux EXT2/EXT3, Linux SWAP (version 1 and 2), NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.
Website: http://www.cgsecurity.org/testdisk.html
Source: http://www.cgsecurity.org/testdisk.html

File System Analysis Tools


Title: analyzeMFT	Author: David Kovar
Description: analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in a format that allows further analysis with other tools.
Website: http://www.integriography.com/

Title:Explore2fs	Author: John Newbigin
Description: Explore2fs allows you to view the contents of an Ext2FS partition from within Windows.
Website: http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm
Source: http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm

Title: ProDiscover DFT	Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)

Application Analysis Tools


Title:Event Log Parser	Author:Jamie French
Description: A PHP script to parse through Windows event logs.
Website: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
Source: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html

Title: Galleta	Author: Keith Jones
Description: Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/galleta.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152412

Title: libpff	Author: Joachim Metz
Description: The libpff package contains a shared library and tooling to analyse Microsoft Outlook Personal Folder Files (PAB, PST and OST). PFF files are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides: pffexport to export PFF items pffinfo to provide basic information about PFF files pffrecover to recover and export PFF items
Website: http://libpff.sourceforge.net

Title: md5deep	Author: Jesse Kornblum
Description: md5deep is an MD5 program that can compute recursively, compare hashes with a database, and estimates the time to completion.
Website: http://md5deep.sourceforge.net/
Source: http://md5deep.sourceforge.net/

Title: MD5summer	Author: Luke Pascoe
Description: MD5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums. Its output file is compatible with the output of the Linux GNU MD5Sum and it will also read Linux generated files.
Website: http://www.md5summer.org/
Source: http://www.md5summer.org/download.html

Title: Outport	Author: chief1ic
Description: Outport provides a means of migrating information from Microsoft Outlook to Ximian Evolution and several standard data formats.
Website: http://outport.sourceforge.net/
Source: http://outport.sourceforge.net/

Title: Pasco	Author: Keith Jones
Description: Pasco, the latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/pasco.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152387

Title: ProDiscover DFT	Author: Technology Pathways LLC
Description: ProDiscover DFT offers forensics examiners a completely integrated Windows application for the collection, analysis, management and reporting of computer disk evidence at an affordable price.
Website: www.techpathways.com
Source: www.techpathways.com (Requires the purchase of an Enterprise License)

Title: RegRipper	Author: Harlan Carvey
Description: The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.
Website: http://windowsir.blogspot.com/2008/04/updated-regripper.html

Title: Rifiuti	Author: Keith Jones
Description: Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/rifiuti.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152410

Network Analysis Tools


Title: Network Miner	Author: Erik Hjelmvik
Description: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
Website: http://networkminer.sourceforge.net/

Analysis Frameworks

Title: DFF (Digital Forensics Framework)	Author: Solal Jacob
Description: DFF is multi-platform and open-source, user and developers oriented, provide many features and is very modular. Our goal is to provide a real framework to the forensic community, so people can use only one tool during the analysis.
Website: http://www.digital-forensic.org

Title: LibForensics	Author: Michael Murr
Description: LibForensics is a Python framework for developing computer forensics applications. LibForensics also includes a series of demo tools that use the framework to extract information from various types of evidence/artifacts.
Website: http://www.libforensics.com