21 Free Forensic Investigation Tools You Need to Know
Introduction
In this informative video, Konely Gonzalez presents 21 free forensic investigation tools that are vital for anyone involved in digital forensics. With the rise of cybercrime, these tools help investigators extract and analyze evidence from various digital devices. For a deeper understanding of the role of digital forensics in cybersecurity, check out our summary on Incident Response and Digital Forensics: A Comprehensive Overview.
Key Points
- Importance of Digital Forensics: Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media. It plays a crucial role in law enforcement and cybercrime prevention. To learn more about the types of evidence involved, see our summary on Types of Digital Forensic Evidence in Cybersecurity Investigations.
- Overview of Tools: The video covers a range of tools, each with unique functionalities, that can be used for different aspects of forensic investigations.
List of Tools
- Autopsy: A graphical user interface for The Sleuth Kit, used for forensic analysis.
- MAGNET Encrypted Disk Detector: A command-line tool for detecting encrypted volumes.
- Wireshark: A network capture and analysis tool.
- MAGNET RAM Capture: Captures physical memory from suspect computers.
- Network Miner: Analyzes network traffic and detects devices.
- NMAP: A network mapping and security auditing tool.
- RAM Capturer: Dumps data from a computer's volatile memory.
- FAW: Acquires web pages for forensic investigation.
- HashMyFiles: Calculates file integrity hashes.
- CrowdResponse: Gathers system information for incident response.
- ExifTool: Reads and edits metadata from various file types.
- SIFT: A suite of forensic tools for incident response. For a comprehensive guide on memory analysis, refer to our Comprehensive Guide to Memory Analysis in Cybersecurity.
- Browser History Capturer: Extracts web browsing history.
- Sleuth Kit: A collection of command-line tools for digital forensics.
- CAINE: A complete forensic environment with a graphical interface.
- Volatility Framework: Analyzes volatile memory for incident response.
- Paladin Forensic Suite: A collection of forensic tools in a user-friendly interface.
- FTK Imager: Previews and creates forensic images of data.
- Bulk Extractor: Scans disk images for data extraction.
- LastActivityView: Displays recent activity on a computer.
- FireEye RedLine: An endpoint security tool for memory and file analysis.
Conclusion
These tools are essential for anyone involved in digital forensics, providing the necessary capabilities to investigate and respond to cyber incidents effectively. For those interested in ethical considerations, our Comprehensive Guide to Ethical Hacking: From Basics to Advanced Concepts offers valuable insights.
FAQs
- What is digital forensics?
  Digital forensics is the process of preserving, acquiring, analyzing, and presenting electronic evidence in a legal context.
- Are these tools really free?
  Yes, all the tools mentioned in the video are available for free.
- Can I use these tools for personal investigations?
  While these tools are designed for professional use, they can also be used for personal investigations, provided you comply with legal regulations.
- Do I need technical skills to use these tools?
  Some tools may require technical knowledge, but many have user-friendly interfaces that make them accessible to beginners.
- How can I learn more about using these tools?
  Many of these tools have documentation and community support available online to help users learn how to use them effectively.
- What types of evidence can these tools help recover?
  These tools can help recover various types of evidence, including deleted files, network traffic, and metadata from files.
- Is there a risk of losing data when using these tools?
  When used correctly, these tools are designed to preserve data integrity and minimize the risk of data loss. In practice that means acquiring to a separate destination drive and recording a hash of the acquired image (HashMyFiles and FTK Imager both do this) so that any later change to the copy can be detected.
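The FAQ above, and the HashMyFiles and FTK Imager entries, rely on hashes to show that an acquired file has not changed since acquisition. The following is an added example, not code from the video or from either tool: a Python script that records MD5, SHA-1 and SHA-256 for an evidence file in a single pass, verifies the file against the recorded digests later, and shows the verification failing after a single byte is modified. The evidence file, its name and the tampered offset are constructed for the demonstration.

```python
"""Record and verify integrity hashes for an acquired evidence file.

Added example, not code from the video, HashMyFiles or FTK Imager; it uses
only the Python standard library and a constructed evidence file.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB chunks; never load a whole disk image


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, computing every
    digest in one pass so a multi-GB image is read only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_file(path, recorded):
    """Recompute the digests listed in `recorded` for `path`.

    Returns (ok, mismatches); an empty mismatch list means the file is
    bit-for-bit what was acquired. Every recorded algorithm is checked, so
    a collision against one of them alone is not enough to pass."""
    current = hash_file(path, tuple(recorded))
    mismatches = sorted(name for name in recorded if current[name] != recorded[name])
    return (not mismatches, mismatches)


def demo():
    """Constructed evidence file: record its hashes, verify, then flip a single
    byte in the middle and show that every digest now mismatches."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")  # hypothetical file name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"sample acquired data" + b"\xff" * 4096)
        recorded = hash_file(image)
        ok_before, _ = verify_file(image, recorded)
        with open(image, "r+b") as fh:  # simulate an accidental modification
            fh.seek(4100)
            fh.write(b"X")
        ok_after, bad = verify_file(image, recorded)
        return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())
```

Computing several digests in one pass matters on real images, where a second read of a multi-terabyte drive costs hours; keeping MD5 alongside SHA-256 lets you match hashes recorded by older tools while still relying on a collision-resistant algorithm.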
Hi everyone, and welcome to your Information Security Newspaper. My name is Konely Gonzalez and today I will give you 21 free forensic investigation tools that I am sure you would like to know. Just stay until the end of the video so you won't miss any of them.

As you might know, a data breach happens almost EVERY DAY. Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media types. It is not only limited to laptops, desktops, tablets, and mobile devices but also extends to data in transit which is transmitted across public or private networks.

Forensics has evolved over decades through various branches of forensic science, and it has become a very important part of law enforcement all around the world. To fight cybercrime and protect digital assets on the internet, forensics is definitely essential. What forensic tools do in these cases is help investigators extract those crucial pieces of evidence from electronic devices so they can be presented to the authorities in order to put criminals behind bars. So, when doing a forensic investigation, for whatever purpose, you need to use the right tools, to move faster and to be more productive. Here we will tell you 21 forensic investigator tools that are totally free, and that you can start using right now.

1- Autopsy
Autopsy will help you locate many of the open source programs and plugins used in The Sleuth Kit. The Sleuth Kit is like a library of Unix- and Windows-based utilities that facilitates forensic analysis of computer systems. So Autopsy is the graphical user interface that displays the results from the forensic search of the underlying volume, which helps investigators to locate pertinent sections of data in their investigation. It is actually used by law enforcement, military, and corporates when they want to investigate what happened on a computer. But you can even use it to recover photos from a memory card. It has the following characteristics: it is extensible, meaning users can add new functionalities by creating plugins. It is easy to use, especially because it offers wizards and historical tools. And the tool is completely free, and it is maintained by programmers from the community that buy trainings or support services and by Basis Technology Corp.
2- MAGNET Encrypted Disk Detector

MAGNET Encrypted Disk Detector is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system. All you need to use MAGNET Encrypted Disk Detector in its latest version, v3.0, released on May 12th, 2020, is a computer with Windows 7 or higher. Yes, you will have to fill out a form at their site, verify your email and you should receive a copy of MAGNET Encrypted Disk Detector. This is a very useful tool during incident response, because what Encrypted Disk Detector does is check the local physical drives on a system for encrypted volumes. MAGNET Encrypted Disk Detector supports TrueCrypt, PGP, BitLocker and Safeboot encrypted volumes. It can totally help you to secure and preserve the evidence that would otherwise be lost. And of course, you won't have to pay anything to use it, since it is totally free.
3- Wireshark

Wireshark is an open source network capture and analyzer tool that will help you to see what's happening in your network at a microscopic level. It runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. It is also used across many commercial and non-profit enterprises, government agencies, and educational institutions, and it can be handy when investigating network-related incidents, network troubleshooting, analysis, software and communications protocol development, or simply for education. Wireshark has a lot of features that can help you in your investigation, like: deep inspection of hundreds of protocols, live capture and offline analysis, a very powerful set of display filters, and it reads and writes many capture file formats. It can also read live data from Ethernet, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and many others. It is also totally free and it works thanks to volunteer contributions of networking experts around the globe.

4- MAGNET RAM Capture
The latest version now even supports RAM acquisition from Windows 10 systems that have Virtual Secure Mode enabled. Magnet RAM Capture is a tool from Magnet Forensics and is designed to capture the physical memory of a suspect's computer. Doing this can allow you, during an investigation, to recover and analyze valuable data that is found in the memory. It actually has a small memory footprint, meaning investigators can run the tool while minimizing the data that is overwritten in the memory. The evidence that can be found in RAM with this tool includes processes and programs running on the system, network connections, evidence of malware intrusion, usernames and passwords, decrypted files and keys, and so much more. It also gives you the option to export the captured memory data in Raw format for easy upload into other analysis tools. And it is also a free tool.
5- Network Miner

NetworkMiner is a network forensic analyzer for Windows, Linux & Mac OS X. It can be used to detect OS, hostname, sessions, and open ports through packet sniffing or by PCAP file. NetworkMiner can be used by network administrators as well as investigators to assess traffic in a network. It is used to analyze or even capture packets transferred on a network to detect devices and corresponding operating systems, names of hosts, open ports, etc. This forensic tool allows users to fish out credentials, certificates, emails, etc. and presents the extracted information in a friendly and interactive way. Even a keyword search option is provided in this tool. It doesn't require installation, and it won't put any traffic on the network. Today it is used by companies and organizations all over the world, like incident response teams and law enforcement, and it has no cost at all since there is a free version of it.

6- NMAP
NMAP or Network Mapper is one of the most popular network and security auditing tools. It supports most of the operating systems, including Windows, Linux, Solaris, Mac OS, etc. It is used by network administrators to scan ports and map networks. It can identify on which ports certain software is running and it can discover available hosts as well as what services they are offering. Using it, you can check a single host or a complete network. It is usually used for auditing the security of a device or firewall or for network inventory, network mapping, maintenance and asset management, or even for finding and exploiting vulnerabilities in a network. It also appears in a lot of movies that you might have seen like Matrix, Snowden, Ocean's 8, and many more, and is an excellent tool that can be easily implemented on your server without having to pay anything for it.

7- RAM Capturer

RAM Capturer by Belkasoft is also a tool that will help you to dump the data from a computer's volatile memory. It is compatible with Windows OS and it doesn't require installation; it can be run from a USB. Memory dumps can be a valuable source of volatile evidence and information, mostly because in them you can sometimes find passwords to encrypted volumes like TrueCrypt, BitLocker, PGP Disk, or account login credentials for many webmail and social network services, or even for some file sharing services. And Belkasoft Live RAM Capturer works even when an aggressive anti-debugging or anti-memory dumping system is on. Some other RAM acquisition tools can return an empty area or random data when exploring a protected memory set, but Belkasoft Live RAM Capturer promises to help you get an image of this protected memory set without even having to pay for it, since it is also a free tool.

8- FAW
FAW or Forensics Acquisition of Websites is a tool to acquire web pages for forensic investigation. All you will require to install it and use it is a dual core Intel processor, 4 GB of RAM, and Windows 10. FAW will acquire web pages from any website available on the Internet. It will allow you to acquire a whole, full resolution web page or maybe just a part of it, depending on your needs. It lets you use side scrolling and a horizontal cursor so you can decide the web page area to be analyzed. It also has the following features: it captures all types of images, it captures the HTML source code of the web page and it can be integrated with Wireshark. It is used by forensic communities around the world as a tool to help crystallize web pages, and it is also a free tool for forensic investigators.

9- HashMyFiles
HashMyFiles will help you to calculate MD5 and SHA1 hashes. It works on almost all the latest Windows OS. By finding out the hash information on your files, you will be able to verify their integrity. This is a portable app, so installing it is not necessary. You can store the tool on a USB flash drive and directly run its executable file. It also has a user-friendly interface where you can import files. The file queue displays the name and hash of each item, along with the full path, date of creation and modification, size, file and product version, identity status, extension and attributes. HashMyFiles actually requires a low amount of your system resources and has a good response time. Unfortunately, there is no help file available and the interface definitely needs some improvements, but only from the visual point of view; but, hey, it's still free. https://www.nirsoft.net/utils/hash_my_files.html
10- CrowdResponse

CrowdResponse is a Windows application by CrowdStrike that will help you gather system information for incident response and security engagements. There is also no installer for this tool. You just simply unzip the contents of the downloaded ZIP file and launch it directly from there. Additionally, the modules are all built into the main application and are custom written, so no external or third-party tools are required. CrowdResponse is ideally suited to non-intrusive data gathering from multiple systems when positioned across the network. CrowdStrike also has some other helpful tools for investigators, such as Tortilla, which anonymously routes TCP/IP and DNS traffic through Tor; Shellshock Scanner, which will scan your network for the Shellshock vulnerability; and Heartbleed Scanner, with which you can scan your network for the OpenSSL Heartbleed vulnerability. And as well as CrowdResponse, all these other tools are also available totally for FREE.
11- ExifTool

ExifTool will help you to read, write, and edit meta information for a number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc. ExifTool is a Windows executable and there is also a macOS package. So what ExifTool is, is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. It supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, and many many others. It also supports maker notes of many digital cameras by Canon, Casio, Kodak, Motorola, Nikon, Nintendo, Samsung, Sanyo, Sony, and so many many others. It also has many other features. Some of these other features include that it geotags images from GPS track log files with time drift correction, and the fact that it generates track logs from geotagged images. And of course, it is also available for free.
12- SIFT

SIFT, which stands for SANS Investigative Forensic Toolkit, is available as Ubuntu 14.04 and it has cross compatibility between Linux and Windows. SIFT is a whole suite of forensic tools you need and one of the most popular open source incident response platforms. The SIFT Workstation contains a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of situations. SIFT demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools, since it can match any current incident response and forensic tool suite. Some of its newest features include the latest forensic tools and techniques, a VM appliance ready to tackle forensics, the option to install a stand-alone system via the SIFT-CLI installer, and expanded file system support. And if that does not seem enough, it is freely available and frequently updated.

13- Browser History Capturer by Foxton and Browser History Viewer

Browser History Viewer (BHV) is a forensic software tool for extracting and viewing internet history from the main desktop web browsers. It is designed for you to easily capture web browser history from a Windows computer. Browser History Examiner is another of the products of Foxton Software Limited. It is a browser forensic tool usually used for capturing, extracting, and analyzing the web browsing history data of a web browser. It stores logs of bookmarks, cached data, cookies, downloads, favicons, form history, web searches, website visits, login credentials, etc., which are almost all the types of data that are considered relevant for a web browser forensics investigation. The tool can be run from a USB and it will basically let you capture history from the main browsers: Chrome, Edge, Firefox and Internet Explorer. The history files are copied to a destination in their original format, allowing them to be analysed later. And these are both free tools.

14- Sleuth Kit
The Sleuth Kit is a collection of command-line tools to investigate and analyze volume and file systems used for digital forensic investigations. It supports and works on Linux and it runs on Windows and Unix platforms. With its modular design, it can be used to carve out the right data and find evidence. Its usage is commonly in criminal investigations, or digital forensics as I was saying, or simply for file system analysis. Some of its features and remarks are that it has a command line interface, as well as more than 50 contributors, more than 1000 GitHub stars, its source code is available and, in general, it is a well-known tool. And finally, the Sleuth Kit can be used with Autopsy, which we already talked about in the first point of this video. And, of course, it is completely and totally free to use.
15- CAINE

CAINE is a complete forensic environment with a friendly graphical interface. This is a complete digital forensics platform and graphical interface that works with the Sleuth Kit and other digital forensics tools. CAINE can be used on information systems that boot older operating systems, as well as newer platforms like Linux or Windows 10. Being a Live Distribution software, it can be carried around on a flash drive, without the need to install it. So CAINE integrates tools as modules along with powerful scripts in a graphical interface environment. Its operational environment was designed with the intent to provide the forensic professional all the tools required to perform the digital forensic investigation process, which would include preservation, collection, examination and analysis. Some of the tools included with CAINE Linux are: The Sleuth Kit, Autopsy, RegRipper, Wireshark, PhotoRec and Fsstat. Most of them are already explained here. It is also free software.

16- Volatility Framework
Also built into SIFT, which we already talked about, Volatility is another open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux. While their releases may seem few and far between, Volatility Framework is a really unique forensic tool that lets investigators analyze the runtime state of a device, by using system information found in the volatile memory or RAM. In digital forensics, it is crucial to be able to extract data from the volatile memory in order to find out about recent activities. So, this is why Volatility Framework has become very popular with law enforcement and intelligence agencies, in addition to military and civilian investigators. It is supported by professional forensic experts from around the world and is based on many years of academic research on advanced memory analysis techniques. And what's best, it is available for free.

17- Paladin Forensic Suite

PALADIN is an Ubuntu-based tool that enables you to simplify a range of forensic tasks. In it, you will find a bunch of precompiled open-source forensic tools that can be used to perform various tasks. It actually provides more than 100 useful tools for investigating any malicious material. It can help you simplify your forensic tasks quickly and effectively. The centerpiece of this box full of tools is definitely the PALADIN Toolbox. It has combined and simplified multiple forensic tasks into an easy to use GUI, or graphical user interface, that requires minimal training and does not require you to utilize the command line. The "engine" that runs the PALADIN Toolbox is a combination of applications that have been used by forensic examiners and investigators for years, and have a history of scrutiny in many courts of law. And the best part is that it is a courtesy of SUMURI, which means it is free for everyone.
18- FTK Imager

AccessData FTK Imager is a forensics tool for Windows whose main purpose is to preview recoverable data from a disk of any kind. It can also create perfect copies, called forensic images, of that data. This powerful tool can create forensic images of local hard drives, floppy disks, Zip disks, CDs, and DVDs, entire folders, or even of individual files from various places within the media storage device. The fact that it can export files and folders from the created image means that this application can also recover data on its own. Though it is a powerful tool, its interface is simple, intuitive and easy to operate. Additional features and functions like the possibility to create file hashes or mount already created disk images are other important advantages to discuss. So, even if AccessData FTK Imager looks like a very professional tool created only for advanced forensics procedures, it's actually very friendly. Furthermore, it is completely free.
19- Bulk Extractor

Bulk Extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and is available for Windows, Linux, and Mac users. The results it gives can be easily inspected and analyzed with automated tools. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications. bulk_extractor is usually distinguished from other forensic tools by its speed. Because it ignores file system structure, bulk_extractor can process different parts of the disk in parallel. bulk_extractor also automatically detects, decompresses, and recursively re-processes compressed data that is compressed with a variety of algorithms. And another advantage of ignoring file systems is that bulk_extractor can be used to process any digital media. We have used the program to process hard drives, SSDs, optical media, camera cards, cell phones, network packet dumps, and other kinds of digital information. And it is also a free tool.

20- LastActivityView

LastActivityView is a portable software application that will enable you to view the latest activity recorded by your computer. However, in this tool there is an important aspect to take into account, and it is that the Windows registry does not get updated with new entries. But well, let's review the pros. Since installation is not a requirement, you can just click it to run. The interface is based on a standard window with a plain and simple layout, where the list with the recent activity is immediately populated at startup. You can view the action time and date, description, file name, full path and other information. LastActivityView has a very good response time. It is actually capable of detecting activity prior to its first run, and it also runs on a very low amount of CPU and RAM, so it won't affect your computer's overall performance. It also has an overall simplicity and, of course, it is totally free.
21- FireEye RedLine

FireEye's premier RedLine is an endpoint security tool that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis. It is available for OS X and Linux environments. Some of its features include auditing and collecting all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history; also analyzing and viewing imported audit data, streamlining memory analysis with a proven workflow for analyzing malware based on relative priority, and performing Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review. Also, it can be very useful for in-depth analysis because it allows the user to establish the timeline and scope of an incident, besides being completely free software.

So I really hope you find this information useful. Don't forget to give us a thumbs up and to subscribe. Click on the bell button so you won't miss any of our videos. My name is Konely Gonzalez and I wish you the best.
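NetworkMiner and Wireshark, as described in the transcript above, read capture files and pull out hosts, sessions and open ports. The following is an added example, not code from either tool or from the video: a minimal libpcap reader in Python that decodes Ethernet/IPv4/TCP and applies the rule NetworkMiner's host view relies on, that a port which answers a SYN with SYN/ACK is open while a RST/ACK or no answer is not. The capture, its addresses and its ports are constructed inline for the demonstration.

```python
"""Extract hosts, TCP sessions and open ports from a libpcap capture.

Added example, not NetworkMiner's or Wireshark's code; decodes only
Ethernet/IPv4/TCP and runs on a constructed capture built by sample_capture().
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with the given TCP flags, no payload."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize raw frames into a little-endian libpcap file (global header
    plus one 16-byte record header per packet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield the raw frames of a libpcap file, honouring the byte order the
    magic number announces; rejects non-Ethernet link types."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def summarize(pcap_bytes):
    """Return (hosts, open_ports, sessions).

    hosts: every IPv4 address seen; open_ports: (ip, port) pairs that answered
    with SYN/ACK; sessions: distinct (client, cport, server, sport) tuples
    started by a bare SYN, whether or not they were answered."""
    hosts, open_ports, sessions = set(), set(), set()
    for frame in parse_pcap(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4      # IP header length in bytes
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        hosts.update((src, dst))
        if frame[23] != 6:                # protocol field: 6 = TCP
            continue
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue                      # truncated header
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        if flags & SYN and not flags & ACK:
            sessions.add((src, sport, dst, dport))
        elif flags & SYN and flags & ACK:
            open_ports.add((src, sport))
    return hosts, open_ports, sessions


def sample_capture():
    """Constructed capture: a client probes two ports on a server; 80 answers
    SYN/ACK (open), 23 answers RST/ACK (closed); a third host's SYN to 443
    is never answered."""
    c, s = "10.0.0.5", "10.0.0.80"
    return build_pcap([
        build_frame(c, s, 40001, 80, SYN),
        build_frame(s, c, 80, 40001, SYN | ACK),
        build_frame(c, s, 40001, 80, ACK),
        build_frame(c, s, 40002, 23, SYN),
        build_frame(s, c, 23, 40002, RST | ACK),
        build_frame("10.0.0.9", s, 51000, 443, SYN),
    ])


if __name__ == "__main__":
    for name, value in zip(("hosts", "open ports", "sessions"), summarize(sample_capture())):
        print(name, sorted(value))
```

The same SYN/SYN-ACK reasoning is what lets a passive tool tell an open service from a closed one without sending a single packet, which is why the transcript can say NetworkMiner "won't put any traffic on the network".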
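The Bulk Extractor section of the transcript makes two points worth seeing in code: the tool scans raw bytes without interpreting any file system, and it decompresses and recursively re-scans compressed regions. The following is an added example, not bulk_extractor's code: a Python scanner that regex-scans a constructed image for email addresses and URLs, locates gzip members by their magic bytes, inflates them and scans the result, reporting inner hits with a bulk_extractor-style forensic path of the form <container offset>-GZIP-<inner offset>. The image, its addresses and the hidden text are constructed for the demonstration.

```python
"""bulk_extractor-style feature scan over raw bytes with gzip recursion.

Added example, not bulk_extractor's code; it imitates the idea (scan raw media,
ignore file systems, re-scan what decompresses) on a constructed image.
"""
import gzip
import re
import zlib

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_?=&%-]+")
GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID1, ID2, CM=deflate


def inflate_gzip_member(blob, limit=1 << 20):
    """Decompress one gzip member that starts at blob[0]; bytes after the
    member are ignored. Returns None when the magic was a false positive."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        out = d.decompress(blob, limit)
    except zlib.error:
        return None
    return out or None


def extract_features(data, prefix="", depth=0, max_depth=4):
    """Return [(forensic_path, kind, value), ...] for everything found in
    `data`. Top-level paths are byte offsets; hits inside a gzip member get
    '<offset>-GZIP-<inner offset>' so an examiner can reproduce the find."""
    found = []
    for kind, regex in (("email", EMAIL_RE), ("url", URL_RE)):
        for m in regex.finditer(data):
            found.append((f"{prefix}{m.start()}", kind,
                          m.group().decode("ascii", "replace")))
    if depth < max_depth:  # bounded recursion: gzip inside gzip is re-scanned too
        for m in re.finditer(re.escape(GZIP_MAGIC), data):
            inner = inflate_gzip_member(data[m.start():])
            if inner:
                found.extend(extract_features(inner, f"{prefix}{m.start()}-GZIP-",
                                              depth + 1, max_depth))
    return found


def build_sample_image():
    """Constructed media: unallocated filler, a plain email header, a URL,
    a gzip member hiding a second email, more filler. No file system at all."""
    hidden = gzip.compress(b"contact suspect.two@example.org via chat\n" * 20)
    return (b"\x00" * 512
            + b"From: suspect.one@example.com\n" + b"\xab" * 100
            + b"see http://evidence.example.net/dropbox?id=42 now" + b"\x00" * 64
            + hidden + b"\xff" * 256)


if __name__ == "__main__":
    for path, kind, value in extract_features(build_sample_image()):
        print(f"{path:>16}  {kind:<5}  {value}")
```

Because the scanner never parses a file system, it finds the email in the header at offset 518 of unallocated-looking bytes and the one inside the compressed region alike; the second address never appears in the raw bytes, which is exactly why a tool that only greps the image would miss it.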
Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various digital storage media. It is crucial for law enforcement and cybersecurity as it helps in investigating data breaches and cybercrimes, allowing authorities to gather evidence to prosecute criminals.
Forensic investigation tools can analyze a wide range of devices including laptops, desktops, tablets, mobile devices, and even data in transit across networks. This versatility is essential for comprehensive investigations.
Yes, the video mentions several free forensic investigation tools including Autopsy, MAGNET Encrypted Disk Detector, Wireshark, MAGNET RAM Capture, Network Miner, NMAP, and many others, totaling 21 tools.
Autopsy is a graphical user interface that helps investigators locate pertinent sections of data during forensic analysis. It is built on The Sleuth Kit, which provides a library of utilities for analyzing computer systems, making it user-friendly and extensible with plugins.
Wireshark is an open-source network capture and analysis tool that allows investigators to see detailed network activity. It is useful for troubleshooting, analyzing network incidents, and developing communication protocols, making it a valuable asset in forensic investigations.
Many of the tools mentioned, such as RAM Capturer and LastActivityView, are portable and do not require installation. They can be run directly from a USB drive, which is convenient for forensic investigators.
Most of the tools mentioned in the video can be downloaded directly from their respective websites. Some may require you to fill out a form or verify your email, but they are all available for free.
Heads up!
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.
Related Summaries
Types of Digital Forensic Evidence in Cybersecurity Investigations
This summary explores the various types of digital forensic evidence encountered during cybersecurity investigations, particularly in the context of a data breach at a financial institution. Key evidence types discussed include network logs, memory dumps, data images, and file system artifacts, each providing unique insights into the circumstances surrounding cyber incidents.
Understanding the Role of a Digital Forensics Investigator
This video explores the essential skills and characteristics required to become a successful digital forensics investigator. It highlights the importance of technical knowledge, analytical skills, and effective communication in tackling cybercrime and preventing future attacks.
Comprehensive Guide to Memory Analysis in Cybersecurity
This video transcript covers the essentials of memory analysis, focusing on tools like Volatility and WinPM for memory dumping and analysis. It highlights the importance of using multiple tools, understanding memory structures, and the challenges faced with Windows 10 memory analysis.
Incident Response and Digital Forensics: A Comprehensive Overview
In this engaging webcast, Paul Sarian and John Strand delve into the critical topics of incident response and digital forensics, responding to audience demand for more content in these areas. They discuss practical tools, techniques, and the importance of baselining systems to effectively identify and respond to security incidents.
Comprehensive Guide to Windows Event Log Analysis in Incident Response
In this webcast, Hal Pomeranz, a Digital Forensic Investigator, shares insights on analyzing Windows Event Logs for effective incident response. He discusses key event IDs, their significance, and how to leverage them for understanding attacker behavior during investigations.