21 Free Forensic Investigation Tools You Need to Know
Introduction
In this informative video, Konely Gonzalez presents 21 free forensic investigation tools that are vital for anyone involved in digital forensics. With the rise of cybercrime, these tools help investigators extract and analyze evidence from various digital devices. For a deeper understanding of the role of digital forensics in cybersecurity, check out our summary on Incident Response and Digital Forensics: A Comprehensive Overview.
Key Points
- Importance of Digital Forensics: Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media. It plays a crucial role in law enforcement and cybercrime prevention. To learn more about the types of evidence involved, see our summary on Types of Digital Forensic Evidence in Cybersecurity Investigations.
- Overview of Tools: The video covers a range of tools, each with unique functionalities, that can be used for different aspects of forensic investigations.
List of Tools
- Autopsy: A graphical user interface for The Sleuth Kit, used for forensic analysis.
- MAGNET Encrypted Disk Detector: A command-line tool for detecting encrypted volumes.
- Wireshark: A network capture and analysis tool.
- MAGNET RAM Capture: Captures physical memory from suspect computers.
- Network Miner: Analyzes network traffic and detects devices.
- NMAP: A network mapping and security auditing tool.
- RAM Capturer: Dumps data from a computer's volatile memory.
- FAW: Acquires web pages for forensic investigation.
- HashMyFiles: Calculates file integrity hashes.
- CrowdResponse: Gathers system information for incident response.
- ExifTool: Reads and edits metadata from various file types.
- SIFT: A suite of forensic tools for incident response. For a comprehensive guide on memory analysis, refer to our Comprehensive Guide to Memory Analysis in Cybersecurity.
- Browser History Capturer: Extracts web browsing history.
- Sleuth Kit: A collection of command-line tools for digital forensics.
- CAINE: A complete forensic environment with a graphical interface.
- Volatility Framework: Analyzes volatile memory for incident response.
- Paladin Forensic Suite: A collection of forensic tools in a user-friendly interface.
- FTK Imager: Previews and creates forensic images of data.
- Bulk Extractor: Scans disk images for data extraction.
- LastActivityView: Displays recent activity on a computer.
- FireEye RedLine: An endpoint security tool for memory and file analysis.
Conclusion
These tools are essential for anyone involved in digital forensics, providing the necessary capabilities to investigate and respond to cyber incidents effectively. For those interested in ethical considerations, our Comprehensive Guide to Ethical Hacking: From Basics to Advanced Concepts offers valuable insights.
FAQs
- What is digital forensics? Digital forensics is the process of preserving, acquiring, analyzing, and presenting electronic evidence in a legal context.
- Are these tools really free? Yes, all the tools mentioned in the video are available for free.
- Can I use these tools for personal investigations? While these tools are designed for professional use, they can also be used for personal investigations, provided you comply with legal regulations.
- Do I need technical skills to use these tools? Some tools may require technical knowledge, but many have user-friendly interfaces that make them accessible to beginners.
- How can I learn more about using these tools? Many of these tools have documentation and community support available online to help users learn how to use them effectively.
- What types of evidence can these tools help recover? These tools can help recover various types of evidence, including deleted files, network traffic, and metadata from files.
- Is there a risk of losing data when using these tools? When used correctly, these tools are designed to preserve data integrity and minimize the risk of data loss.
Hi everyone, and welcome to your Information Security Newspaper. My name is Konely Gonzalez and today I will give you 21 free forensic investigation tools that I am sure you would like to know. Just stay until the end of the video so you won't miss any of them.
As you might know, a data breach happens almost EVERY DAY. Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media types. It is not only limited to laptops, desktops, tablets, and mobile devices but also extends to data in transit, which is transmitted across public or private networks.
Forensics has evolved over decades through various branches of forensic science, and it has become a very important part of law enforcement all around the world. To fight cybercrime and protect digital assets on the internet, forensics is definitely essential. What forensic tools do in these cases is help investigators extract those crucial pieces of evidence from electronic devices so they can be presented to the authorities in order to put criminals behind bars. So, when doing a forensic investigation, for whatever purpose, you need to use the right tools to move faster and be more productive.
Here we will tell you about 21 forensic investigator tools that are totally free, and that you can start using right now.
1- Autopsy
Autopsy will help you locate many of the open source programs and plugins used in The Sleuth Kit. The Sleuth Kit is like a library of Unix- and Windows-based utilities that facilitates forensic analysis of computer systems. So Autopsy is the graphical user interface that displays the results from the forensic search of the underlying volume, which helps investigators locate pertinent sections of data in their investigation. It is actually used by law enforcement, military, and corporations when they want to investigate what happened on a computer. But you can even use it to recover photos from a memory card.
It has the following characteristics: it is extensible, meaning users can add new functionalities by creating plugins. It is easy to use, especially because it offers wizards and historical tools. And the tool is completely free; it is maintained by programmers from the community, who buy trainings or support services, and by Basis Technology Corp.
2- MAGNET Encrypted Disk Detector
MAGNET Encrypted Disk Detector is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system. All you need to use MAGNET Encrypted Disk Detector in its latest version, v3.0, released on May 12th, 2020, is a computer with Windows 7 or higher. Yes, you will have to fill out a form at their site and verify your email, and you should receive a copy of MAGNET Encrypted Disk Detector. This is a very useful tool during incident response, because what Encrypted Disk Detector does is check the local physical drives on a system for encrypted volumes.
MAGNET Encrypted Disk Detector supports TrueCrypt, PGP, BitLocker and SafeBoot encrypted volumes. It can totally help you to secure and preserve evidence that would otherwise be lost. And of course, you won't have to pay anything to use it, since it is totally free.
3- Wireshark
Wireshark is an open source network capture and analyzer tool that will help you to see what's happening in your network at a microscopic level. It runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. It is also used across many commercial and non-profit enterprises, government agencies, and educational institutions, and it can be handy when investigating network-related incidents, network troubleshooting, analysis, software and communications protocol development, or simply for education.
Wireshark has a lot of features that can help you in your investigation, like deep inspection of hundreds of protocols, live capture and offline analysis, a very powerful set of display filters, and it reads and writes many capture file formats. It can also read live data from Ethernet, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and many others. It is also totally free, and it works thanks to the volunteer contributions of networking experts around the globe.
4- MAGNET RAM Capture
The latest version now even supports RAM acquisition from Windows 10 systems that have Virtual Secure Mode enabled. Magnet RAM Capture is a tool from Magnet Forensics and is designed to capture the physical memory of a suspect's computer. Doing this can allow you, during an investigation, to recover and analyze valuable data that is found in the memory. It actually has a small memory footprint, meaning investigators can run the tool while minimizing the data that is overwritten in memory.
The evidence that can be found in RAM with this tool includes processes and programs running on the system, network connections, evidence of malware intrusion, usernames and passwords, decrypted files and keys, and so much more. It also gives you the option to export the captured memory data in raw format for easy upload into other analysis tools. And it is also a free tool.
5- Network Miner
NetworkMiner is a network forensic analyzer for Windows, Linux and Mac OS X. It can be used to detect OS, hostname, sessions, and open ports through packet sniffing or by PCAP file. NetworkMiner can be used by network administrators as well as investigators to assess traffic in a network. It is used to analyze or even capture packets transferred on a network to detect devices and corresponding operating systems, names of hosts, open ports, etc. This forensic tool allows users to fish out credentials, certificates, emails, etc. and presents the extracted information in a friendly and interactive way. Even a keyword search option is provided in this tool. It doesn't require installation, and it won't put any traffic on the network. Today it is used by companies and organizations all over the world, like incident response teams and law enforcement, and it has no cost at all since there is a free version of it.
6- NMAP
NMAP, or Network Mapper, is one of the most popular network and security auditing tools. It supports most operating systems, including Windows, Linux, Solaris, Mac OS, etc. It is used by network administrators to scan ports and map networks. It can identify on which ports certain software is running, and it can discover available hosts as well as what services they are offering. Using it, you can check a single host or a complete network. It is usually used for auditing the security of a device or firewall, or for network inventory, network mapping, maintenance and asset management, or even for finding and exploiting vulnerabilities in a network. It also appears in a lot of movies that you might have seen, like Matrix, Snowden, Ocean's 8, and many more, and it is an excellent tool that can be easily implemented on your server without having to pay anything for it.
7- RAM Capturer
RAM Capturer by Belkasoft is also a tool that will help you to dump the data from a computer's volatile memory. It is compatible with Windows OS and it doesn't require installation; it can be run from a USB. Memory dumps can be a valuable source of volatile evidence and information, mostly because in them you can sometimes find passwords to encrypted volumes like TrueCrypt, BitLocker or PGP Disk, or account login credentials for many webmail and social network services, or even for some file sharing services. And Belkasoft Live RAM Capturer works even when an aggressive anti-debugging or anti-memory dumping system is on. Some other RAM acquisition tools can return an empty area or random data when exploring a protected memory set, but Belkasoft Live RAM Capturer promises to help you get an image of this protected memory set without even having to pay for it, since it is also a free tool.
8- FAW
FAW, or Forensics Acquisition of Websites, is a tool to acquire web pages for forensic investigation. All you will require to install it and use it is a dual core Intel processor, 4 GB of RAM, and Windows 10. FAW will acquire web pages from any website available on the Internet. It will allow you to acquire a whole, full resolution web page or maybe just a part of it, depending on your needs. It lets you use side scrolling and a horizontal cursor so you can decide the web page area to be analyzed. It also has the following features: it captures all types of images, it captures the HTML source code of the web page, and it can be integrated with Wireshark. It is used by forensic communities around the world as a tool to help crystallize web pages, and it is also a free tool for forensic investigators.
9- HashMyFiles
HashMyFiles will help you to calculate MD5 and SHA1 hashes. It works on almost all the latest Windows OS versions. By finding out the hash information of your files, you will be able to check their integrity. This is a portable app, so installing it is not necessary. You can store the tool on a USB flash drive and directly run its executable file. It also has a user-friendly interface where you can import files. The file queue displays the name and hash of each item, along with the full path, date of creation and modification, size, file and product version, identity status, extension and attributes. HashMyFiles actually requires a low amount of your system resources and has a good response time. Unfortunately, there is no help file available and the interface definitely needs some improvements, but only from the visual point of view, but, hey, it's still free. https://www.nirsoft.net/utils/hash_my_files.html
10- CrowdResponse
CrowdResponse is a Windows application by CrowdStrike that will help you gather system information for incident response and security engagements. There is also no installer for this tool. You just simply unzip the contents of the downloaded ZIP file and launch it directly from there. Additionally, the modules are all built into the main application and are custom written, so no external or third-party tools are required. CrowdResponse is ideally suited to non-intrusive data gathering from multiple systems when positioned across the network. CrowdStrike also has some other helpful tools for investigators, such as Tortilla, which anonymously routes TCP/IP and DNS traffic through Tor; Shellshock Scanner, which will scan your network for the Shellshock vulnerability; and Heartbleed Scanner, with which you can scan your network for the OpenSSL Heartbleed vulnerability. And as well as CrowdResponse, all these other tools are also available totally for FREE.
11- ExifTool
ExifTool will help you to read, write, and edit meta information for a number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc. ExifTool is a Windows executable, and there is also a macOS package. So what ExifTool is, is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. It supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, and many, many others. It also supports maker notes of many digital cameras by Canon, Casio, Kodak, Motorola, Nikon, Nintendo, Samsung, Sanyo, Sony, and so many, many others. It also has many other features. Some of these other features include geotagging images from GPS track log files with time drift correction, and the fact that it generates track logs from geotagged images. And of course, it is also available for free.
12- SIFT
SIFT, which stands for SANS Investigative Forensic Toolkit, is available as Ubuntu 14.04 and it has cross compatibility between Linux and Windows. SIFT is a whole suite of the forensic tools you need and one of the most popular open source incident response platforms. The SIFT Workstation contains a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of situations. SIFT demonstrates that advanced incident response capabilities and deep dive digital forensic techniques for intrusions can be accomplished using cutting-edge open-source tools, since it can match any current incident response and forensic tool suite. Some of its newest features include the latest forensic tools and techniques, a VM appliance ready to tackle forensics, the option to install a stand-alone system via the SIFT-CLI installer, and expanded filesystem support. And if that does not seem enough, it is freely available and frequently updated.
13- Browser History Capturer by Foxton and Browser History Viewer
Browser History Viewer (BHV) is a forensic software tool for extracting and viewing internet history from the main desktop web browsers. It is designed for you to easily capture web browser history from a Windows computer. Browser History Examiner is another of the products of Foxton Software Limited. It is a browser forensic tool usually used for capturing, extracting, and analyzing the web browsing history data of a web browser. It stores logs of bookmarks, cached data, cookies, downloads, favicons, form history, web searches, website visits, login credentials, etc., which are almost all the types of data that are considered relevant for a web browser forensics investigation. The tool can be run from a USB and it will basically let you capture history from the main browsers: Chrome, Edge, Firefox and Internet Explorer. The history files are copied to a destination in their original format, allowing them to be analysed later. And these are both free tools.
14- Sleuth Kit
The Sleuth Kit is a collection of command-line tools to investigate and analyze volume and file systems used for digital forensic investigations. It supports and works on Linux and it runs on Windows and Unix platforms. With its modular design, it can be used to carve out the right data and find evidence. Its usage is commonly in criminal investigations, or digital forensics as I was saying, or simply for file system analysis. Some of its features and remarks are that it has a command line interface, as well as more than 50 contributors, more than 1000 GitHub stars, its source code is available and, in general, it is a well-known tool. And finally, the Sleuth Kit can be used with Autopsy, which we already talked about in the first point of this video. And, of course, it is completely and totally free to use.
15- CAINE
CAINE is a complete forensic environment with a friendly graphical interface. This is a complete digital forensics platform and graphical interface that works with the Sleuth Kit and other digital forensics tools. CAINE can be used on information systems that boot older operating systems, as well as newer platforms like Linux or Windows 10. Being a live distribution, it can be carried around on a flash drive, without the need to install it. So CAINE integrates tools as modules along with powerful scripts in a graphical interface environment. Its operational environment was designed with the intent to provide the forensic professional all the tools required to perform the digital forensic investigation process, which would include preservation, collection, examination and analysis. Some of the tools included with CAINE Linux are: The Sleuth Kit, Autopsy, RegRipper, Wireshark, PhotoRec and Fsstat, most of them already explained here. It is also free software.
16- Volatility Framework
Also built into SIFT, which we already talked about, Volatility is another open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux. While their releases may seem few and far between, Volatility Framework is a really unique forensic tool that lets investigators analyze the runtime state of a device, by using system information found in the volatile memory or RAM. In digital forensics, it is crucial to be able to extract data from the volatile memory in order to find out about recent activities. So, this is why Volatility Framework has become very popular with law enforcement and intelligence agencies, in addition to military and civilian investigators. It is supported by professional forensic experts from around the world and is based on many years of academic research on advanced memory analysis techniques. And what's best, it is available for free.
17- Paladin Forensic Suite
PALADIN is an Ubuntu-based tool that enables you to simplify a range of forensic tasks. In it, you will find a bunch of precompiled open-source forensic tools that can be used to perform various tasks. It actually provides more than 100 useful tools for investigating any malicious material. It can help you simplify your forensic tasks quickly and effectively. The centerpiece of this box full of tools is definitely the PALADIN Toolbox. It has combined and simplified multiple forensic tasks into an easy to use GUI, or graphical user interface, that requires minimal training and does not require you to utilize the command line. The "engine" that runs the PALADIN Toolbox is a combination of applications that have been used by forensic examiners and investigators for years, and have a history of scrutiny in many courts of law. And the best part is that it is a courtesy of SUMURI, which means it is free for everyone.
18- FTK Imager
AccessData FTK Imager is a forensics tool for Windows whose main purpose is to preview recoverable data from a disk of any kind. It can also create perfect copies, called forensic images, of that data. This powerful tool can create forensic images of local hard drives, floppy disks, Zip disks, CDs and DVDs, entire folders, or even individual files from various places within the media storage device. The fact that it can export files and folders from the created image means that this application can also recover data on its own. Though it is a powerful tool, its interface is simple, intuitive and easy to operate. Additional features and functions, like the possibility to create file hashes or mount already created disk images, are other important advantages to discuss. So, even if AccessData FTK Imager looks like a very professional tool created only for advanced forensics procedures, it's actually very friendly. Furthermore, it is completely free.
19- Bulk Extractor
Bulk Extractor is a computer forensics tool that scans a disk image, a file, or a directory of files, and is available for Windows, Linux, and Mac users. The results it gives can be easily inspected and analyzed with automated tools. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications. bulk_extractor is usually distinguished from other forensic tools by its speed. Because it ignores file system structure, bulk_extractor can process different parts of the disk in parallel. bulk_extractor also automatically detects, decompresses, and recursively re-processes data that is compressed with a variety of algorithms. And another advantage of ignoring file systems is that bulk_extractor can be used to process any digital media. We have used the program to process hard drives, SSDs, optical media, camera cards, cell phones, network packet dumps, and other kinds of digital information. And it is also a free tool.
20- LastActivityView
LastActivityView is a portable software application that will enable you to view the latest activity recorded by your computer. However, in this tool there is an important aspect to take into account, and that is that the Windows registry does not get updated with new entries. But well, let's review the pros. Since installation is not a requirement, you can just click it to run. The interface is based on a standard window with a plain and simple layout, where the list with the recent activity is immediately populated at startup. You can view the action time and date, description, file name, full path and other information. LastActivityView has a very good response time. It is actually capable of detecting activity prior to its first run, and it also runs on a very low amount of CPU and RAM, so it won't affect your computer's overall performance. It also has an overall simplicity and, of course, it is totally free.
21- FireEye RedLine
Redline, FireEye's premier endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis. It is available for OS X and Linux environments. Some of its features include auditing and collecting all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history; analyzing and viewing imported audit data; streamlining memory analysis with a proven workflow for analyzing malware based on relative priority; and performing Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review. Also, it can be very useful for in-depth analysis because it allows the user to establish the timeline and scope of an incident, besides being completely free software.
So I really hope you find this information useful. Don't forget to give us a thumbs up and to subscribe. Click on the bell button so you won't miss any of our videos. My name is Konely Gonzalez and I wish you the best.
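Point 19 above describes how bulk_extractor ignores file-system structure and recursively re-processes compressed data. The Python script below is an added illustration of that idea, not bulk_extractor's own code: it scans a constructed byte buffer standing in for a disk image, reports every email address and URL with its byte offset, inflates any gzip or zlib stream it meets and rescans the output, and tags nested hits with an offset chain loosely modelled on bulk_extractor's forensic-path notation. The sample image, the regexes and the function names are assumptions of this example.

```python
"""Added illustration of bulk_extractor's scanning approach; not bulk_extractor's code.

The scanner ignores file-system structure: it walks a raw byte buffer, reports
every email address and URL it finds with the byte offset of the hit, and when
it meets a gzip or zlib stream it decompresses the stream and rescans the
output recursively. Nested hits carry the chain of offsets that led to them.
"""
import gzip
import re
import zlib

# Feature patterns (assumptions of this example, simpler than bulk_extractor's scanners).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")

# Magic bytes that open a gzip member or a default-level zlib stream, with the
# zlib window parameter needed to inflate each one.
MAGICS = {
    b"\x1f\x8b\x08": ("GZIP", zlib.MAX_WBITS | 16),
    b"\x78\x9c": ("ZLIB", zlib.MAX_WBITS),
}
MAX_INFLATE = 1 << 20  # cap inflated size so a decompression bomb cannot exhaust memory


def inflate_at(buf, pos, wbits):
    """Inflate the stream starting at buf[pos]; None if it is not a valid stream."""
    try:
        # decompressobj stops at end of stream, so trailing slack bytes are ignored
        return zlib.decompressobj(wbits).decompress(buf[pos:], MAX_INFLATE)
    except zlib.error:
        return None  # a magic-looking byte pair inside random data, not a real stream


def scan(buf, path=(), depth=0, max_depth=3):
    """Return a list of (kind, value, path) hits.

    path is the offset chain, outermost first, e.g. (32, "GZIP", 6) means
    "offset 6 inside the gzip stream that starts at offset 32 of the image".
    """
    hits = []
    for kind, rx in (("email", EMAIL_RE), ("url", URL_RE)):
        for m in rx.finditer(buf):
            hits.append((kind, m.group().decode("ascii", "replace"), path + (m.start(),)))
    if depth >= max_depth:
        return hits  # bound recursion on self-nesting archives
    for magic, (name, wbits) in MAGICS.items():
        pos = buf.find(magic)
        while pos != -1:
            inner = inflate_at(buf, pos, wbits)
            if inner:
                hits.extend(scan(inner, path + (pos, name), depth + 1, max_depth))
            pos = buf.find(magic, pos + 1)
    return hits


def forensic_path(path):
    """Render an offset chain as 'outer-KIND-inner', e.g. (32, "GZIP", 6) -> '32-GZIP-6'."""
    return "-".join(str(p) for p in path)


def build_sample_image():
    """Constructed stand-in for a disk image (not real evidence): slack bytes, a
    plaintext email, then a gzip region that itself contains a zlib region."""
    inner = zlib.compress(b"contact: alice@example.com")  # zlib stream, header 78 9c
    outer = gzip.compress(b"visit http://example.org/login " + inner, mtime=0)
    return b"\x00" * 16 + b"bob@example.net\x00" + outer + b"\xff" * 8


if __name__ == "__main__":
    for kind, value, path in scan(build_sample_image()):
        print(f"{forensic_path(path):>20}  {kind:<5}  {value}")
```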
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.