Computer Forensics Resources

Computer Forensics Resources

Computer forensics techniques recover deleted and manipulated files. Used for investigating crimes with computers or to preserve information for further analysis.

Computer Forensics is defined as an investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.

Digital Forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices often in relation to computer crime.

Antiforensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.


CS50: Introduction to Computer Science — by David J. Malan
CS50x teaches students how to think algorithmically and solve problems efficiently. Topics include abstraction, algorithms, data structures, encapsulation, resource management, security, software engineering, and web development. Languages include C, PHP, and JavaScript plus SQL, CSS, and HTML. Problem sets inspired by real-world domains of biology, cryptography, finance, forensics, and gaming. — by Lesley Carhart
(GCIH, GREM, GCFA, GPEN, B.S. Network Technologies, DePaul University) is a 20 year IT industry veteran, including 10 years in information security (specifically, digital forensics and incident response). She speaks and writes about digital forensics and incident response, Industrial Control System Security, OSINT, and information security careers. Lesley is heavily involved in the Chicagoland information security community, and is staff at Circle City Con, Indianapolis.

The Steg Chronicles — In the Beginning — by z3r0Trust
In the beginning, people desperately needed to develop secretive ways of communicating with each other for all types of reasons. People devised methods for hiding messages within plain sight which is actually a lot easier than one might imagine. This was way before modern digital encryption and end-to-end (E2E) encrypted messaging apps such as WhatsApp, Facebook Messenger, Telegram or anything modern.

Steganography — Wikipedia
The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography, disguised as a book on magic. Generally, the hidden messages appear to be (or to be part of) something else: images, articles, shopping lists, or some other cover text. For example, the hidden message may be in invisible ink between the visible lines of a private letter. Some implementations of steganography that lack a shared secret are forms of security through obscurity, and key-dependent steganographic schemes adhere to Kerckhoffs's principle.

An Overview of Steganography — by Gary C. Kessler
This paper is intended as a high-level technical introduction to steganography for those unfamiliar with the field. It is directed at forensic computer examiners who need a practical understanding of steganography without delving into the mathematics, although references are provided to some of the ongoing research for the person who needs or wants additional detail.

An Explanation of Computer Forensics — by Judd Robbins
Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

A Hardware-Based Memory Acquisition Procedure for Digital Investigations — by Brian D. Carrier, Joe Grand
The acquisition of volatile memory from a compromised computer is difficult to perform reli-ably because the acquisition procedure should not rely on untrusted code, such as the operatingsystem or applications executing on top of it.

Introduction to DFIR — by Scott J Roberts
One of my favorite things is talking to students and people new to the security field. It feels like yesterday I was wandering around the first Shmoocon as a student in awe of the people I met and the work they were doing. Now I’m 10 years into my career and have a whole different perspective (though still in awe with those folks).

Detecting hidden information with computer forensic analysis — by Pierre Richer
With the wide use and abundance of steganography tools on the Internet, law enforcement authorities have concerns in the trafficking of illicit material through web page images, audio, and other files. Methods of detecting hidden information and understanding the overall structure of this technology is crucial in uncovering these activities.

Windows Forensic Analysis Poster — by SANS
The categories map a specific artifact to the analysis questions that it will help to answer. Use this poster as a cheat-sheet to help you remember where you can discover key Windows artifacts for computer intrusion, intellectual property theft, and other common cyber crime investigations.

DFIR Memory Forensics Analysis Poster — by SANS
Memory analysis is the decisive victory on the battlefield between offense and defense, giving the upper hand to incident responders by exposing injection and hooking techniques that would otherwise remain undetected.


CISA Hunt and Incident Response Program — by Will Deem & Jordan Mussman
(CHIRP) is a tool created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool. CHIRP does not modify any system data.

Ghidra Reverse Engineering Framework — by NSA Research Directorate
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.

Maltego Community — by Maltego Technologies
Open-source intelligence and forensics. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining.

PowerForensics — by Jared Atkinson
PowerForensics provides an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems & work has begun on Extended File System and HFS+ support.

dban — by Blancco Technology Group
While DBAN is free to use, there’s no guarantee your data is completely sanitized across the entire drive. It cannot detect or erase SSDs and does not provide a certificate of data removal for auditing purposes or regulatory compliance.

attention-deficit-disorder — Google Code Archive
The tool currently works only against Windows 7 SP1 x86. Please note that this is a proof of concept tool. It forges OS objects in memory (poorly). It would be easy (very easy) to beat with better tool development. The tools would only need to provide better sanity checks of objects discovered during scanning. In that case, further development on ADD would be needed to beat new versions of forensics tools.

UndeleteSMS — by Arne Vidstrom
UndeleteSMS can recover deleted SMS messages from a GSM SIM card. (for Windows 95 OSR2.1 / 98 / ME / NT 4.0 SP3 / XP / 2000 / 2003)

Digital Forensics Framework — by ArxSys
DFF (Digital Forensics Framework) is a Forensics Framework coming with command line and graphical interfaces. DFF can be used to investigate hard drives and volatile memory and create reports about user and system activities.

Computer Aided Investigative Environment — project manager Nanni Bassetti
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

Autopsy® — by Brian Carrier
Digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

The Sleuth Kit® (TSK) — by Brian Carrier
Library and collection of command line tools that allow you to investigate disk images. The core functionality of TSK allows you to analyze volume and file system data. The plug-in framework allows you to incorporate additional modules to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

LibForensics v0.3 API Documentation — by Mark Murr
LibForensics is a library for developing digital forensics applications. Currently it is developed in pure Python. After a majority of the code has been developed and stabilized, the bottlenecks will likely be converted into C-based modules.

Open Source Network Forensic Analysis Tool (NFAT) — by Gianluca Costa & Andrea De Franceschi
The goal of Xplico is to extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Versatile computer forensics environment that allows inexperienced forensic practitioners perform common tasks using powerful open source tools.

SIFT Workstation — by SANS
The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.

Static Host Data Collection Tool — by CrowdStrike
There is no installer for this tool. Simply unzip the contents of the downloaded ZIP file into a location of your choosing and launch it directly from there. Similarly for uninstalling; simply delete the file(s) you extracted by moving them to the Recycle Bin or permanently deleting them. It is possible there may be a very small number of elements that remain in the Registry. There can be safely ignored or manually deleted by using a registry editing tool (e.g. regedit) and navigating to HKEY_LOCAL_MACHINE\Software\\CrowdStrike or HKEY_CURRENT_USER\Software\CrowdStrike and noting the name of the tool there and removing the branch.

ExifTool — by Phil Harvey
Platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. ExifTool supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital cameras by Canon, Casio, DJI, FLIR, FujiFilm, GE, GoPro, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Motorola, Nikon, Nintendo, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony.

Volatility Memory Forensics — by The Volatility Foundation
Promoting the use of Volatility and memory analysis within the forensics community, to defend the project’s intellectual property (trademarks, licenses, etc.) and longevity, and to help advance innovative memory analysis research.

WinFEforWin10 — by kazamiya
WinFE based on WinPE for Windows 10. WinFE is a bootable lightweight Windows OS that provides for forensic use.

Belkasoft Evidence Center 2020 — by Belkasoft
30 Day free trial. Belkasoft Evidence Center is an all-in-one forensic solution for acquiring, locating, extracting, and analyzing digital evidence stored inside computers and mobile devices, RAM and cloud.

Evimetry Community — by Schatz Forensic Pty. Ltd.
Evimetry uses widely accepted techniques for preserving the integrity of evidence, combined with a foolproof means of management.

XAMN Viewer — by MSAB
XAMN Viewer is a simplified analysis tool that is free to download and use. It can be distributed to anyone in your organization that needs to open, view, analyze and/or report on mobile device data.

Forensic Toolkit® (FTK®) — by AccessData
Zero in on relevant evidence quickly, conduct faster searches and dramatically increase analysis speed with FTK®, the purpose-built solution that interoperates with mobile device and e-discovery technology. Powerful and proven, FTK processes and indexes data upfront, eliminating wasted time waiting for searches to execute. No matter how many different data sources you’re dealing with or the amount of data you have to cull through, FTK gets you there quicker and better than anything else.

Oxygen Forensic® Viewer — by Oxygen Forensics
Displays all the device evidence: contacts, messages, calls, calendars, notes, tasks, whole file system, user dictionaries, Wi-Fi connections history, passwords, etc., applications data parsing is one of the best-in-class for mobile forensic solutions: account details, contacts, calls, chats, geo data, cached files, logs from apps, helps to uncover deleted records: calls, messages, pictures and more.

Nuix Evidence Mover — by Nuix
Nuix Evidence Mover is designed to copy evidence file images from one storage location to another. It creates a hash of the files before and after moving to ensure the data has been copied accurately, and to maintain the chain of custody.

PMAP — by BlackBag Technologies, Inc.
PMAP Info displays the physical partitioning of the specified device. This tool can be used to map out all the drive information, accounting for all used sectors.

Lockmaster — by BlackBag Technologies, Inc.
LockMaster simultaneously locks multiple files using the HFS+ locked flag. Normally on a Mac, the user has the ability to either lock individual items or select an entire folder and lock all the items within that folder. This utility is a highly successful tool for concurrently locking numerous items when they are nested within various folders, and it automates the laborious process of accessing the “Get Info” window for each file and then having to manually choose the “Locked” option.

MAGNET RAM Capture — by Magnet Forensics
Magnet Ram captures the physical memory of a computer. This can help forensic investigators recover & analyze useful artifacts in the computer’s memory. Acquires full physical memory fast & leaves small footprint on live system that is under analysis.

MAGNET Web Page Saver — by Magnet Forensics
Web Page Saver (WPS) takes a list of URLs and saves scrolling captures (“snapshots”) of each page. With WPS, URLs can be typed in manually or imported from a text file or CSV file. WPS produces an easy-to-navigate HTML report file containing the saved pages, with customizable options (such as including an agency crest/logo and title for the report).

MAGNET App Simulator — by MAGNET Forensics
MAGNET App Simulator lets you load application data from Android devices in your case into a virtual environment, enabling you to view and interact with the data as the user would have seen it on their own device. Use this tool to get a feel of how a suspect was interacting with their data, or to present the evidence to juries and stakeholders in a familiar mobile appearance.