Computer forensics (forensics): a selection of useful links


    In order to successfully conduct investigations into information security incidents, you must have practical skills in working with digital artifact extraction tools. This article will provide a list of useful links and tools for collecting digital evidence.

    The main goal in carrying out such work is the use of methods and means for preserving (immutability), collecting and analyzing digital material evidence in order to recover the events of the incident.

    The term "forensics" is an abbreviated form of "forensic science", literally "forensic science", that is, the science of the study of evidence - exactly what is called criminalistics in Russian. The Russian term "forensics" means not all forensics, namely computer.
    Some authors distinguish between computer forensics and network forensic.

    The main field of application of forensics is the analysis and investigation of events in which computer information appears as an object of assault, a computer as a tool for committing a crime, as well as any digital evidence.

    For the full collection and analysis of information, various highly specialized utilities are used, which will be discussed below. I want to warn that when conducting work on the conclusion in a particular criminal case, the presence of certain certificates and software conformities (licenses of the FSTEC) will most likely be considered. In this case, you will have to use combined methods for collecting and analyzing information, or write conclusions and conclusions based on the received data from non-certified sources.


    • dff - Digital Forensics Framework is an open source platform for data mining and research.
    • PowerForensics - PowerForensics utility written in PowerShell, designed to study hard drives.
    • The Sleuth Kit - The Sleuth Kit (TSK) is a C library and a collection of command-line tools that let you explore disk images.

    Real time utilities

    • grr - GRR Rapid Response: an incident investigation and analysis tool.
    • mig - Mozilla InvestiGator is a distributed real-time platform for investigating and analyzing incidents.

    Work with images (creation, cloning)

    • dc3dd is an improved version of the dd console utility.
    • adulau / dcfldd is another improved version of dd.
    • FTK Imager - FTK Imager- View and clone storage media in a Windows environment.
    • Guymager - View and clone storage media in a Linux environment.

    Data extraction

    • bstrings is an improved version of the popular strings utility.
    • bulk_extractor - identify email, IP addresses, phones from files.
    • floss This utility uses advanced static analysis methods to automatically deobfuscate data from malware binaries.
    • photorec - utility for extracting data and image files.

    RAM operation

    • is a high-speed framework.
    • KeeFarce - extract KeePass passwords from memory.
    • Rekall is a RAM dump analysis written in python.
    • volatility - Volatility Framework is a set of utilities for versatile analysis of physical memory images.
    • VolUtility is a web interface for the Volatility framework.

    Network analysis

    • SiLK Tools - traffic analysis tools to facilitate security analysis of large networks.
    • Wireshark is a well-known network sniffer.

    Windows artifacts (extract files, download histories, USB devices, etc.)

    OS X Research

    Internet artifacts

    Time interval analysis

    Hex editors

    • 0xED - HEX OS X editor.
    • Hexinator - Windows version of Synalyze It.
    • HxD is a small and fast HEX editor.
    • iBored is a cross-platform HEX editor.
    • Synalyze It! - HEX editor in teamplay.
    • wxHex Editor is a cross-platform HEX editor with file comparison.


    • CyberChef is a multi-tool for encoding, decoding, compressing and analyzing data.
    • DateDecode - binary data conversion.

    File analysis

    Disk Image Processing

    • imagemounter - command line utility for fast mounting disk images
    • libewf - Libewf library and access and processing utilities for EWF, E01 formats.
    • xmount - convert disk images.


    To conduct research and collection of digital evidence, it is necessary to adhere to the principles of immutability, integrity, completeness of information and its reliability. To do this, follow the software recommendations and investigation methods. In the next article I will give examples of the practical use of utilities for analyzing memory images.

    Also popular now: