Tools

This free DOS-based software can be used to test hard drives for presence of read instabilities. It can also deactivate the Master Boot Record (MBR) in order to stop a drive from being mounted by any operating system (here is why mounting is a bad idea for data recovery purposes). Unlike almost all other software tools, this utility works directly through the ATA controller rather than through the BIOS/OS, which allows for increased operational stability and more accurate identification of hard drive read instabilities.

In December 2011, a new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. This branch was later forked to become Rekall. The modularity allowed physical memory analysis functionality to be used in GRR to enable remote live in-memory analysis.

This project contains code which allows an inexperienced user to easily (one click) upload forensics evidence (such as some information about the system, a full disk image as well as the system's firmware, if supported) from a target device (that will boot on an external device containing the code) to Google Cloud Storage.

This README contains instructions on how to use the scripts in this repository to retrieve Intel AMT's Audit Log from a Linux machine without knowing the admin user's password. The ideas from the script can be used to retrieve other pertinent information from Intel AMT via the ME Interface (MEI).

dfDewey is a digital forensics string extraction, indexing, and searching tool.

Python library to carry out DFIR analysis on the Cloud

GRR Rapid Response is an incident response framework focused on remote live forensics.

Automation and Scaling of Digital Forensics Tools.

Turbinia is an open-source framework for deploying, managing, and running distributed forensic workloads. It is intended to automate running of common forensic processing tools (i.e. Plaso, TSK, strings, etc) to help with processing evidence in the Cloud, scaling the processing of large amounts of evidence, and decreasing response time by parallelizing processing where possible.

Collaborative forensic timeline analysis

Container Explorer (container-explorer) is a tool to explore containers of a disk image. Container Explorer supports exploring containers managed using containerd and docker container runtimes. Container Explorer attempts to provide the familiar output generated by tools like ctr and docker.

A tool to help forensicate offline docker acquisitions

For forensic analysts to build Contraband Filters™ from their own data sets of image and videos. Offer the ability to add newly discovered files and to merge Contraband Filters™.

Cyacomb Offender Manager and Cyacomb Responder empowers frontline investigators to rapidly triage digital devices in minutes.

Cyacomb Offender Manager and Cyacomb Responder were designed by frontline investigators for front line investigators. Easy to use, with no deep digital forensic knowledge required, users just plug in these tools and scan.

Like Cyacomb Forensics’ other digital triage tools, Cyacomb Mobile Triage scans mobile devices for known illegal content fast. Results can be reviewed on screen, with simple and clear red and green results displayed.

Cyacomb Mobile Triage operates from DATAPILOT 10 devices. Purpose built handheld computers that are rugged and portable, the combined tools help law enforcement offices to make informed decisions on scene.

Cyacomb Examiner is for investigators who want results fast. Our cutting edge block level hashing technology replaces slow MD5 scans detecting indecent images of children or terrorist material in minutes.

Our flagship forensic tool, Cyacomb Examiner is intended for skilled digital forensic analysts who want maximum control, maximum flexibility and detailed results – FAST.

Events-Ripper is based on the 5-field, pipe-delimited TLN "intermediate" events file format. This file is intermediate, as it the culmination or collection of normalized events from different data sources (i.e., Registry, WEVTX, MFT, etc.) that are then parsed into a deduped timeline.

The current iteration of Events-Ripper includes plugins that are written specifically for Windows Event Log (*.evtx) events.

This tool is intended to address a very specific problem set, one that leverages a limited data set to develop as much insight and situational awareness as possible from that data set.