Digital forensics software packages

These network tools enable a forensic investigator to analyze network traffic effectively. Wireshark is the most widely used network traffic analysis tool; it can capture live traffic or ingest a saved capture file. Network Miner is a network traffic analysis tool with both free and commercial options. While many of its premium features are freely available in Wireshark, the free version can be a helpful tool for forensic investigations: it organizes information differently from Wireshark and automatically extracts certain types of files from a traffic capture. Xplico is an open-source network forensic analysis tool used to extract useful data from applications that use Internet and network protocols. It supports both IPv4 and IPv6.

Mobile devices are becoming the main method by which many people access the internet, and some forensics tools focus specifically on mobile device analysis. Oxygen Forensic Detective focuses on mobile devices but can extract data from a number of different platforms, including mobile, IoT, cloud services, drones, media cards, backups and desktop platforms. It uses physical methods to bypass device security such as screen locks and collects authentication data for a number of mobile applications. Oxygen is a commercial product distributed as a USB dongle. Cellebrite offers a number of commercial digital forensics tools, but its Cellebrite UFED claims to be the industry standard for accessing digital data; the UFED platform claims to use exclusive methods to maximize data extraction from mobile devices. XRY is a collection of commercial tools for mobile device forensics. XRY Logical is a suite of tools designed to interface with the mobile device operating system and extract the desired data, while XRY Physical uses physical recovery techniques to bypass the operating system, enabling analysis of locked devices.

Many of the tools described here are free and open-source, and several Linux distributions have been created that aggregate these free tools into an all-in-one toolkit for forensics investigators. One such distribution offers an environment to integrate existing software tools as software modules in a user-friendly manner; it is open-source. SIFT is another open-source Linux virtual machine that aggregates free digital forensics tools. It was developed by the SANS Institute and its use is taught in a number of their courses. It comes with many open-source digital forensics tools, including hex editors, data carving and password-cracking tools.

If you want the free version of Helix, you can go for Helix3 R1. After this release, the project was taken over by a commercial vendor, so you need to pay for the most recent version of the tool. Helix can collect data from physical memory, network connections, user accounts, executing processes and services, scheduled jobs, the Windows Registry, chat logs, screen captures, SAM files, applications, drivers, environment variables and internet history.

The REMnux components can be added to SIFT, letting analysts investigate malware without having to find, install and configure the tools themselves. SIFT workstation is playing an essential role for the Brazilian national prosecution office, especially due to Brazilian government budgetary constraints. Its incident response and forensic capabilities are bundled in a way that allows an investigation to be conducted much faster than it would take without the right programs grouped on such a great Linux distribution.

The new version, which will be bootable, will be even more helpful. I'd highly recommend SIFT for government agencies or other companies as a first alternative, for acquisition and analysis, to the pricey forensics software available on the market. What I like best about SIFT is that my forensic analysis is not limited by only being able to run an incident response or forensic tool on a specific host operating system.

EnCase is not the only tool to fit that bill, but because it's used extensively by law enforcement, it's gained a lot of familiarity with judges, Priebe says.

Ability to preserve only relevant data. Some tools enable you to reduce the volume of data you preserve by filtering out certain types of files, such as executables, or by narrowing down data with keyword searches or context searching capabilities.

Case management capabilities. Especially when running multiple investigations, it's important to maintain a record of your activities as well as all the data objects associated with each investigation.

Many vendors have worked to integrate their tools with other software that aids in forensics work, such as incident management, e-mail analysis, decryption tools, password-recovery tools and so on. Other vendors offer preintegrated modules that extend a tool's capabilities into areas such as e-discovery, password analysis, e-mail analysis and incident response.

DON'T confuse e-discovery with forensics. Some vendors of forensics suites are marketing their tools for e-discovery because, in fact, the steps involved in forensics work are subsets of the e-discovery process as defined by the Electronic Discovery Reference Model. The EDRM defines forensics as encompassing identification, preservation and collection—three steps of its overall model, which also includes information management, review, analysis, production and presentation.

Vendors such as Guidance and AccessData also sell e-discovery modules. When using an e-discovery module, the tool doesn't make a full bit-by-bit copy of the entire hard drive, explains Socha; instead, it uses a keyword search function over the network to locate relevant files in specific folders or drives. This enables the scan to happen much more quickly, according to Patzakis. But while forensics tools can perform e-discovery work, Priebe and others discourage users from doing the opposite—using non-forensics tools for forensics work.

DO train staff before using these tools.

How can we help everyone, whether they are an investigator, a SOC analyst or an incident responder, tell better stories about their data? This ethos powers CrossLink. Search results from six verticals of actor-centric and network data quickly provide key information that can easily be assembled and shared within an organization. CrossLink was created by a team of analysts with decades of experience in investigating a wide range of threats. Data verticals include a vast array of information about actors, communications, historical Internet registration records and IP reputation. Passive DNS telemetry is also available to jump-start investigations into incidents and actors. CrossLink lets users create alerts, use lightweight management functions and share case folders.

Xplico (Xplico)
Multiple users can access Xplico simultaneously, and each user can manage one or several cases. Xplico can also be used as a cloud network forensic analysis tool. Xplico's goal is to extract application data from internet traffic; it does not perform network protocol analysis. Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows as well as the pcap containing that data.

Parrot OS (Parrot Security)
Parrot is a global community of security specialists and developers that works together to create a common framework of tools to make their jobs easier, more reliable and more secure. It provides a portable lab for all types of cyber security operations, including reverse engineering, pentesting and digital forensics, and it also contains everything you need to create your own software. It is constantly updated and has many sandboxing and hardening options. You have complete control over everything: you can download the system, share it with anyone, read the source code and make any changes you wish. This system was created to respect your freedom and will continue to do so.

EnCase Forensic (OpenText)
EnCase Forensic improves investigation efficiency with optical character recognition (OCR), which extracts embedded text from scanned documents, images and PDFs as part of the evidence collection workflow. It also includes an enhanced workflow that allows users to cross-reference different artifact types, greatly improving evidence processing. EnCase Forensic is the only solution that offers this level of functionality, flexibility and court acceptance.

ProDiscover (ProDiscover)
The ProDiscover forensics suite covers a wide range of cybercrime scenarios encountered by law enforcement officers and corporate internal security investigators. The product suite also includes tools for electronic discovery and diagnostics. ProDiscover helps you quickly find files and data: dashboards, timeline views and wizards are all useful in quickly locating vital information, and investigators have access to a variety of tools and integrated viewers that allow them to examine evidence disks and extract relevant artifacts. ProDiscover offers speed, accuracy and ease of use at a reasonable price. ProDiscover was launched in It has a rich history. ProDiscover was the first product to support remote forensic capabilities.

AD Enterprise (AccessData)
Digital forensics teams today face many challenges in an environment flooded with data. AD Enterprise gives you deep insight into live data at the endpoint, allowing you to conduct faster, more targeted enterprise-wide compliance, HR and post-breach investigations using a single, robust solution. AD Enterprise allows you to respond quickly, remotely and covertly while maintaining chain of custody, and it facilitates forensic investigations and post-breach analysis without interrupting business operations.