Cyber Files
As DC3 completes hardware and software testing, summaries of the projects, white papers, etc. are listed within the DC3 Cyber Files publication. The most recent version of the DC3 Cyber Files is July 2011. Governmental organizations can request a report by contacting DC3's Outreach Team at 410-981-6610 or . All of the below listed products may be downloaded from NRDFI.
Date | Title | Type | Description |
---|---|---|---|
2008-01-04 | Bearshare P2P | Study | Bearshare is a P2P program that allows for the sharing of files and social networking. |
2008-05-14 | CD/DVD Session Copying Procedure | Study | The purpose of the study is to determine whether it is necessary to record data from a CD/DVD that stores the same data in multiple file-system formats. The main software at issue is CD/DVD Inspector. |
2008-04-28 | FRED Operational Test | Study | The purpose of this study and testing is to investigate the discrepancy in the count of images extracted by an EnCase EnScript when executed on an HP xw8200 workstation versus the SuperFRED machine. |
2008-01-11 | Gnutella P2P | Study | Gnutella is a peer-to-peer (P2P) protocol that enables developers to create interactive clients through which users share files over a distributed, global network. |
2008-12-15 | HVM vs SCARF | Study | The purpose of the study is to compare two tools, HVM and SCARF, which employ virtual environments to scan files and folders for malware. HVM uses a single virtual machine which contains all the anti-virus applications to perform the malware analysis. |
2008-01-11 | X-Ways Comparison Study | Study | This study examines the similarities and differences between X-Ways, EnCase, FTK, and ILook. |
2008-10-01 | Adobe Acrobat v8.1 | Validation | Adobe Acrobat allows users to create and edit PDF documents. PDF has become the standard that the U.S. Government uses when distributing and archiving documents. Among its many features is the ability to redact sensitive material from a document and to remove metadata and other elements that the user does not wish to disseminate. |
2009-03-09 | SMT ArchivER v3.0.3.6 | Validation | SMT ArchivER v.3.0.3.6 for Outlook 2003+ is a plug-in for Microsoft Outlook that allows the user to archive items in a PST or OST file to another format such as RTF, TXT, HTML, or MSG. It can also remove attachments and embedded objects. |
2009-05-08 | AScan v2.0 | Validation | AScan is a Windows command-line tool that extracts information from the files and data structures (artifacts) left on a system by LimeWire, BearShare, and Ares Galaxy. |
2009-02-23 | Autopsy v2.20 | Validation | The Autopsy Forensic Browser is a graphical interface to utilities found in The Sleuth Kit (TSK). TSK is a collection of command line tools that allow you to investigate a Windows or Unix system by examining the hard disk contents. |
2009-07-28 | BinText v3.01 | Validation | BinText v3.01, a software tool developed by Foundstone, is designed to extract plain ASCII text, Unicode (double byte ANSI) text, and Resource strings from a file. |
2009-02-05 | Black Bag Macintosh Forensic Suite v2.5 | Validation | Black Bag is a unique set of tools that provide forensic examiners with a flexible, open environment within which to perform their analysis. The suite is specifically designed for the Mac OS X operating system. |
2009-02-18 | Blindside Stegextraction Tool v1.0 | Validation | Bs break is a Windows command line application created to identify bitmap files containing data that was hidden with the steganography program Blindside. It will determine a working password, if one was used, and extract the hidden data. The extracted data is decrypted and uncompressed. Bs break produces a log in html format that can be opened in any web browser. |
2009-07-28 | Bookmark Extractor v1.0 | Validation | Bookmark Extractor was developed by DCCI. Bookmark Extractor is an EnCase EnScript designed to extract user selected bookmarks to a user specified file. |
2009-02-04 | CERT CC VMWare Tools | Validation | The CERT/CC VMware tools disguise the virtual machine platform so that malware which checks for a virtualized environment does not detect it. |
2009-07-07 | COFEE v1.0 | Validation | COFEE was developed by Microsoft Corporation as a Windows based incident responder's toolkit for live analysis of a victim system. |
2009-02-12 | DatView v2.1 | Validation | DatView was developed by the Department of Defense (DoD) Cyber Crime Institute (DCCI) as a means of decoding .dat files created by KaZaA and/or KaZaAlite. |
2009-02-12 | DbbView v2.1 | Validation | The tests and procedures contained herein apply to DbbView, developed by the Department of Defense (DoD) Cyber Crime Institute (DCCI). DbbView is designed to decode .dbb files created by KaZaA and/or KaZaAlite. KaZaA and KaZaAlite are publicly available programs that enable peer-to-peer file exchanges. |
2009-02-24 | DBXtract v3.70 | Validation | DBXtract 3.70 is a free stand alone utility that is designed to extract email messages out of corrupt Outlook Express databases (.dbx) and turn them into individual .eml files. It may also be able to recover email that has been permanently deleted. |
2009-02-23 | DC3dd v6.12.2 | Validation | The purpose of dc3dd is to image and hash case evidence drives. The creation of dc3dd provides a tool that delivers the logging and specific data formats. |
2009-05-28 | DC3dd v6.12.4 | Validation | dc3dd is a command-line tool for the Linux environment. The purpose of dc3dd is to image and hash case evidence to be used in DCFL for examination. dc3dd gives DCFL a Linux and Mac OS tool that delivers the logging and specific data formats they need: automatically generated byte counts and sector counts, with bad sectors properly handled (logged, and replaced by zeros in the output so the image keeps its size and alignment) when encountered. |
2009-02-05 | DCCI AScan v2.0 | Validation | Ascan is a command line function that is used in the Windows environment to extract information from the files and data structures of Limewire /Bearshare/Ares Galaxy that are artifacts of the products. The function of Ascan is to collect and organize the |
2009-02-23 | DCCI_Video Validator v1 | Validation | DCCI_Video Validator v1.0 is a program used to verify if video files and fragments can be viewed using a multi-media player. |
2009-04-28 | Decode v2.07 | Validation | Decode v2.07, from Digital Detective, was designed to decode the various date/time values found embedded within binary and other file types. It supports various Windows, Unix and HFS date/time formats and will allow you to specify the offset from GMT. |
2008-05-09 | DNA v3.3 | Validation | The function of DNA is similar to that of Password Recovery Toolkit (PRTK), also developed by AccessData, but it utilizes the processing power of many computers to recover passwords. |
2009-02-12 | EnCase v6.11 | Validation | EnCase Forensic 6.11 is a Windows based digital forensic analysis tool created by Guidance Software. EnCase has many features, including the ability to analyze multiple platforms, view various file formats, acquire images, hash images, parse emails and attachments, and identify and support various file systems. |
2009-06-22 | EnCase v6.13.0.43 | Validation | EnCase is a Windows based digital forensic analysis tool created by Guidance Software. It has many features, including the ability to analyze multiple platforms, view various file formats, acquire images, hash images, parse emails and attachments, and identify and support various file systems. |
2009-04-28 | FDE v2.0 | Validation | FDE v2.0 was created to provide a triage function for DCFL and submitting case agents. The Carver EnScript carves out all graphics, movies, chat, email with graphic attachments, web cache, and web searches from the disk images in a case. |
2009-07-07 | FDE v2.1 | Validation | The Forensic Data Extraction (FDE) tool was created to provide a triage function for DCFL and Case Agents using EnCase. The FDE consists of five entities: 1) an EnCase carver EnScript; 2) a FrontEnd processor; 3) a callable Human Detect application; 4) a Thinstall client to run the FrontEnd on a Case Agents machine; and 5) an EnCase import EnScript. |
2009-02-06 | File Buddy v9.0.1 | Validation | File Buddy was developed by Skytag Software as a file management suite for the Macintosh Operating System, OS X. The main function of File Buddy is to manage a large volume of files and folders using a set of tools. |
2008-12-31 | Forensic Box v1.44 | Validation | Forensic Box can open and read Windows Live Messenger chat files making the contents available for viewing or exporting. |
2009-05-08 | Forensic Recovery of Evidence Device FRED | Validation | FRED (Forensic Recovery of Evidence Device) is a desktop computer constructed with a number of removable bays of different types, as well as built-in write blockers to accommodate add-on devices where needed. |
2008-11-12 | FTK Imager v2.5.4 | Validation | Access Data developed FTK Imager v2.5.4 as a data preview and imaging tool that lets a user quickly access electronic evidence to determine if further analysis with Forensic Toolkit is warranted. |
2008-10-28 | FTK v1.81 | Validation | Access Data developed Forensic Toolkit version 1.81 as a Windows-based digital forensic analysis tool suite. FTK has many features including the ability to view the file system as the user would see it, run positive/negative hash analysi |
2009-07-07 | GMER v1.0.15.14966 | Validation | GMER was developed by Przemyslaw Gmerek. GMER scans live systems for hidden processes, hidden threads, hidden services, hidden files, hidden alternate data streams, hidden registry keys, drivers hooking SSDT (System Service Descriptor Table), drivers hooking IDT (Interrupt Descriptor Table), drivers hooking IRP (I/O Request Packet) calls, and inline hooks. |
2008-12-01 | HashCalc v2.02 | Validation | HashCalc is a utility that allows users to compute message digests, checksums and HMACs for files, as well as for text and hex strings. It offers a choice of 11 different hash and checksum algorithms for calculations. |
2009-04-02 | Hash Tab v2.3 | Validation | HashTab v2.3 is a Windows shell extension which adds a tab called File Hashes to the Windows Explorer file properties. The tab shows the file's MD5 and SHA-1 hashes and its CRC-32 checksum. These are commonly used to verify file integrity; they establish authenticity only when the reference value comes from a trusted source, since anyone who can alter a file can also recompute its hash. HashTab makes it simple for Windows users to get the hash of any file on the system without using external tools. |
2009-05-28 | hdiutil - Shadow Mount & Partition Information | Validation | Hdiutil is a command-line tool developed by Apple Inc as a part of the OS X operating system. The purpose of this tool is to create and manipulate disk image files using the disk image framework. |
2009-02-06 | hfsdebug v4.32 | Validation | hfsdebug is an OS X tool for exploring HFS+ internals. Despite its name it is not a debugger in the usual sense: it cannot make any changes to the volume being examined. |
2008-09-12 | IISP Heuristics VM | Validation | The Heuristics VM is a Windows-based virtual machine developed by DCCI. The VM is loaded onto the examiner machine with ten anti-virus applications installed. Its function is to run the anti-virus applications against a piece of media with suspected malware. |
2008-02-05 | ILook Prefetch Parser | Validation | IPP was developed to parse the prefetch folder within the ILook forensic suite. |
2009-03-24 | Ilook v8.0.19 | Validation | ILook 8.0.19 is a Windows based digital forensic analysis tool developed by the Internal Revenue Service (IRS) Criminal Investigation Division Electronic Crimes Program (CI). IRS and Perlustro, LP have combined efforts to further develop ILook as an electronic investigative tool. ILook has many features, including the ability to analyze multiple platforms, view various file formats, acquire images, hash images, and parse emails and attachments. |
2009-02-23 | IMLook v2.1 | Validation | IMLook v2.1 is a software program that decrypts the Yahoo Messenger instant messaging client's log files. The files created during a chat session cannot be opened with standard Windows programs because of their proprietary format and encryption. Contact lists, passwords, and credentials are just some of the information saved during instant message conversations. IMLook 2.1 can open and read the files, making the contents available for viewing or exporting. |
2009-02-12 | ISO Buster v 2.4 | Validation | ISO Buster v2.4 is a CD/DVD data recovery tool. It can read CD and DVD images created in different formats (ISO, NRG, etc.) by various commercial applications. |
2009-03-24 | Keith's iPod Photo Reader v2.0 | Validation | KIPR is an OS X based tool that provides access to the .ithmb photo library. The .ithmb files store iPod-formatted copies of synced photos, which the iPod displays in place of the originals. These files are found in the /Photos/Thumbs directory of an iPod Photo that has been synced to contain a photo library. |
2009-02-12 | Live View v0.6 LE | Validation | Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a physical disk, a single raw disk image, or a series of split disk images. This allows the forensic examiner to boot up the image or disk and gain an interactive, user-level perspective of the environment without modifying the underlying image or disk. Evaluation is needed to ensure that this software can function as advertised and preserve the forensic integrity of the media used in the testing procedure. |
2009-02-12 | Logorrhea v1.3.1 | Validation | Logorrhea was developed by Spiny Software as an OSX-based tool used to organize, browse and search logs created by the OSX-based iChat application. iChat is an instant messenger application, similar to AIM, used to communicate with other users via the Internet. |
2009-01-02 | MacForensicsLab v2.5 | Validation | MFL is a complete suite of forensics and analysis tools in one cohesive package, combining the power of many individual functions into one application to provide a single |
2008-12-18 | Mac Pro (Early 2008) Intel Xeon CPU X5472 @3.00GHz | Validation | Hardware validation of the 3.00GHz Mac Pro (Early 2008) Intel Xeon CPU X5472 |
2008-12-01 | md5deep v3.1 | Validation | MD5Deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. Md5deep is able to recursively examine an entire directory tree. |
2008-12-08 | md5summer v1.2.0.11 | Validation | md5summer is an application for Microsoft Windows 9x, NT, ME, 2000 and XP which generates and verifies md5 checksums. Its output file is compatible with the output of the Linux GNU MD5Sum and it will also read Linux generated files. |
2008-12-31 | MD5 v2.6 | Validation | MD5 is a Macintosh utility that creates and compares MD5 checksums. It can compare files as well as a file with a checksum-string. Evaluation is needed to ensure that this software can function on the Macintosh platform without altering the media used in the testing procedure. |
2008-11-05 | Mount Image Pro v2.6 | Validation | Mount Image Pro v2.6 will mount EnCase evidence files, Unix/Linux dd images, SMART images, and ISO (CD/DVD images) computer forensic images as a drive letter on Windows systems in a read-only 'forensically sound' environment. |
2009-05-28 | NetAnalysis v1.36 Deleted History Extractor | Validation | Digital Detective developed NetAnalysis as a more effective method of examining internet artifacts from a piece of evidence. It has the capability to extract internet artifacts from several different web browsers, organize the data, an |
2009-02-04 | NetAnalysis,version 1.37.0030 | Validation | NetAnalysis is designed for the analysis of internet history. The source of the evidence can be a physical write-protected device, a write-protected logical device, a flat file forensic DD image, a Paraben Replicator Image, or a mounted file or disk. NetAnalysis has a History Extractor to search and extract history records from unallocated space. |
2008-01-09 | NetWitness Investigator v8.0.31 | Validation | NetWitness Investigator is a Windows-based software application that provides free-form contextual analysis of terabytes of raw data captured and reconstructed by the NetWitness NextGen infrastructure. |
2009-03-24 | OmniOutliner v3.7.2 | Validation | OmniOutliner is an OS X based tool used to create, view, and edit documents. Plist files are system files used within the OS X operating system to organize data. |
2009-02-23 | Paraben's Chat Examiner v1.0.2 | Validation | Paraben's Chat Examiner v1.0.2 is a program designed to locate chat logs and create reports based on the chats it identifies. |
2009-03-24 | Property List Editor v2.2 | Validation | PLE is an OS X based tool that is bundled with the Apple Developer Tools. PLE is used to view and edit plist files. Plist files are system files within the OS X operating system used to organize data. |
2008-12-15 | PRTK 6.3.3 | Validation | Password Recovery Toolkit v6.3.3 (PRTK) is a password recovery program for standalone computer operations. It is a tool for extracting data from password-protected files which are common file formats like PDF, JPEG, HTML and archive files. |
2008-01-28 | Redax v4.53 | Validation | Appligent's Redax is a plug-in for Adobe Acrobat versions 6, 7 and 8. It allows redaction of text, images and line art using a number of markup methods which include manual drawing of boxes, word lists, pattern matching, templates, or full page redaction. It also automatically removes metadata from documents upon redaction. |
2008-02-11 | rEFIt v0.10 | Validation | rEFIt is a boot menu and toolkit for Intel-based Macintosh computers. Run from a bootable compact disk, it gives the user access to the machine's EFI firmware environment (Intel Macs boot through EFI rather than a traditional BIOS). |
2009-02-23 | RegDat v1.30 | Validation | RegDat, developed by Henry Ulbrich, is designed to maintain the Windows 98 registries on desktops and remote networked computers. It allows the user to search for keys and values and export them, to compare a registry file with the current Registry, and to edit the file; it also serves as a viewer for Windows registry entries. |
2009-02-12 | RegDatXP v1.41 | Validation | RegDatXP, a program developed by Henry Ulbrich, is designed to maintain the Windows registries on desktops and remote networked computers. RegDatXP allows you to search for keys a |
2009-02-12 | Registry Browser v3.00 | Validation | The Forensic Computer Examination Unit, Queensland Police Service (QPS) in conjunction with the Cyber Support Unit, Australian Crime Commission (ACC) developed Registry Browser version 3.00 as a tool for viewing Windows operating system registry entries. It allows the user to view registry entries of foreign machines, search them, and create reports of important keys. |
2009-07-09 | RemoteDll v1.3 | Validation | RemoteDll v1.3 is a Windows application developed by Talekar Nagareshwar. RemoteDll allows a user to inject or remove DLLs into or from running processes. |
2009-03-24 | Retrospective v1.2b3 | Validation | Retrospective is an OS X based tool used to search through the web cache created by the Safari web browser. |
2008-06-06 | Single Computer and Multiple Machine System | Validation | The Counterintelligence Field Activity (CIFA) developed the SCAMM system as an in house process that uses a series of software and hardware to effectively protect data while personnel are deployed. |
2009-02-23 | Sleuth Kit v3.0.0 | Validation | The Sleuth Kit (TSK) uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The code was modified for platform independence. |
2009-02-23 | SnapView v2.1.02 | Validation | Digital Detective has developed SnapView as a means of viewing and navigating through web pages and web page fragments on a file system. |
2009-05-28 | SQLite Database Browser v1.3 | Validation | SQLite Database Browser is a freeware, public domain, open source visual tool used to create, design, and edit database files compatible with SQLite. It is intended for users and developers who want to create databases and edit and search data using a familiar spreadsheet-like interface, without needing to learn SQL commands. |
2008-01-02 | Timeline EnScript v1.7.4 | Validation | Timeline EnScript gathers file information on all or selected files/folders and presents it in a timeline view. The user can select the timeframe to check and output either HTML or tab-delimited text format. The script checks Created, Modified, and Accessed times and puts files in order according to these fields. |
2009-02-23 | VidReport v1.2.14 | Validation | Sanderson Forensics developed VidReport v1.2.14 as a forensic investigation tool for the processing and reporting of video files. |
2009-02-23 | VMware Disk Mount v5.5 | Validation | The tests and procedures contained herein apply to VMware Disk Mount, developed by VMware Inc. The Disk Mount utility allows the mounting of an unused virtual disk as a separate drive without needing to connect to the virtual disk from within a virtual machine. It is also able to mount specific volumes of a virtual disk if the disk is partitioned. |
2009-07-28 | Wiebe Tech Write Blocker FRTX 400H-QJ | Validation | Write-block support is provided via WiebeTech's proprietary write-block technology, which offers read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB 2.0, or eSATA interfaces. |
2009-04-28 | WinHex v14.7 SR-1 | Validation | WinHex is a general purpose hex editor produced by X-Ways Software Technology, AG. WinHex can be used to view the raw contents of files and disks, modify their contents, and hash their contents. |
2009-02-05 | Wireshark v1.0.4 | Validation | Wireshark, formerly known as Ethereal, is a network packet analyzer originally developed by Gerald Combs. A network packet analyzer captures network packets and displays the various fields of the packet data. Wireshark is able to capture live packet data from a network interface and display the captured packet information. |
2009-05-26 | Xplorer360 beta v0.9 | Validation | Xplorer360 is a Windows-based tool used to access the hard drives used within the Xbox360 game console. Xplorer360 has the capability to view all partitions and file systems on the hard drive. |
2009-11-18 | Decode v2.07 | Validation | Decode was developed by Digital Detective. Decode was designed to decode the various date/time values found embedded within binary and other file types. It supports various Windows, Unix and HFS date/time formats and will allow you to specify the offset from GMT. |
2010-01-25 | EnCase Version 6.15.0.82 | Validation | EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, bookmarking, and reporting capabilities. |
2010-01-22 | FDE Version 3.0.0.935 | Validation | FDE was developed by the Defense Cyber Crime Institute (DCCI). FDE was created to provide a triage function for the Defense Computer Forensics Laboratory (DCFL) and submitting case agents. |
2009-11-18 | FTK Imager v2.6.1.6.2 | Validation | FTK Imager was developed by Access Data. It is a data preview and imaging tool that allows a user to quickly access electronic evidence to determine if further analysis with a Forensic Toolkit is warranted. FTK Imager can also create forensic images of computer data without making changes to the original evidence. |
2009-12-01 | FTK v1.81.5 | Validation | FTK was developed by Access Data. It is a Windows-based forensic suite used to perform forensic investigations. FTK's features include case file creation, adding and analyzing evidence drives, and file carving. DCCI tested FTK to ensure that it performs these features as described in the user manual. |
2009-11-20 | Genpmk v1.0 | Validation | Genpmk ships with the BackTrack distribution (developed by Max Moser, Mati Aharoni, Martin J. Muench, and others) as part of the coWPAtty suite. Genpmk precomputes the WPA/WPA2 Pairwise Master Key (PMK) for every passphrase in a plaintext wordlist. Because the PMK is derived from the passphrase with the network SSID as the salt, a precomputed table is valid only for the SSID it was built for; it is a precomputed-hash table rather than a true rainbow table. The companion utility coWPAtty must be run against a captured four-way handshake to prove the table was built correctly: it tests each precomputed PMK against the handshake to recover the password of a WPA-secured network, avoiding the per-candidate key-derivation cost. |
2009-11-06 | HashTab v3.0 | Validation | HashTab was developed by Cody Batt. HashTab is a Windows shell extension which adds a tab called File Hashes to the Windows Explorer file properties. The tab shows the MD5 and SHA-1 hashes and the CRC-32 checksum of the file. These are commonly used to verify file integrity; they confirm authenticity only when the reference value is obtained from a trusted source. |
2010-01-25 | eSATA UltraDock Write Blocker | Validation | UltraDock was developed by WiebeTech. It uses WiebeTech's proprietary write-block technology, which offers read-only access to suspect hard drives through high-speed FireWire 800 (400 compatible), USB 2.0, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. |
2010-01-25 | Gargoyle Investigator Forensic Pro | Validation | Gargoyle is a product of WetStone Technologies. The function of Gargoyle is to collect and organize information about the contents of a suspect's computer or an image of it. Gargoyle maps detected files to associated weapons and classifies them into a category of malware when found. |
2009-12-01 | MD5Sum 2.0 | Validation | MD5Sum was developed by Ulrich Drepper. MD5Sum is a standalone command-line utility that uses the well-known MD5 hash algorithm to generate MD5 hash values of data files and to check MD5 hash values of data files that have known MD5 hash values. |
2009-12-01 | Metadata Assistant v2.12.214 | Validation | Metadata Assistant was developed by the Payne Consulting Group Inc. The tool is designed to identify or clean metadata in Microsoft Office documents (Word, Excel, and PowerPoint) as well as Adobe PDF documents. Metadata is information that might not be visible to a computer user and may include the user name, computer name, company name, or document properties. |
2009-11-20 | Mount Image Pro v2.44 | Validation | MIP was developed by GetData. MIP is a utility to mount disk drive images as logical drive letters under Windows, and provides read-only access to the contents of an image file. This tool supports the following image types: EnCase, SMART, Raw, and ISO. |
2010-01-25 | NetAnalysis, v1.37g | Validation | NetAnalysis was developed by Digital Detective. This tool was designed for the analysis of internet history data. NetAnalysis has its own History Extractor; this feature will allow the user to identify evidence quickly and easily. |
2009-11-20 | NetAnalysis v1.37 | Validation | NetAnalysis was developed by Digital Detective. This tool has been designed for the analysis of the internet history data. Netanalysis has its own History Extractor which will allow you to identify the evidence quickly and easily. |
2009-07-28 | Pandora v2.4.0 | Validation | Pandora 2.4.0 is a Windows based digital forensic analysis tool developed by Carnegie Mellon University. Pandora will unpack many packed files automatically with no intervention from the user. Some of the more complicated packing tools require user input in interactive mode. |
2009-11-20 | PRTK 6.4 | Validation | PRTK was developed by AccessData. PRTK is a password recovery program for standalone computer operations. It is a tool for extracting the contents of forensic examination case files with unknown passwords. |
2008-03-31 | Video_Validator | Validation | Video_Validator is a program used to verify carved video files and fragments are viewable using a video player such as VLC media player. Video_Validator scans a set of carved files to determine which file fragments actually play. |
2009-11-06 | Registry Viewer v1.5.4.44 | Validation | Registry Viewer was developed by Access Data. This tool allows the user to view registry entries from foreign machines, read encrypted data such as passwords, and is fully integrated with the Forensic Toolkit Suite. |
2009-12-01 | WinHex Version 15.3 | Validation | Winhex was developed by X-Ways Software Technologies AG. WinHex is a general purpose hex editor that can be used in forensic examinations of physical disks, logical disks, and disk images. WinHex can open files, logical volumes, and physical devices. |
2009-11-20 | ADROIT Photo Forensics v1.002 | Validation | APF was developed by Digital Assembly. APF is a Windows based tool used to carve picture files from a disk or disk image. The carving operations are accomplished using several methods. These include sequential carving of unallocated space, carving based on data left in system logs, using human expertise to recover fragmented files, and applying a proprietary method. |
2009-10-15 | CaptureBat v2.0 | Validation | CaptureBat is a Windows based behavioral analysis tool developed by The Honeynet Project. The purpose of this tool is to find out how software operates on a system without having the source code. This is accomplished by monitoring the system's registry, process, and file activities. |
2009-11-18 | DCCI AScan v3.0 | Validation | AScan3.0 was developed by Joseph Lewthwaite, a contractor at the Defense Cyber Crime Center (DC3)/ Defense Cyber Crime Institute (DCCI). AScan3.0 is a command line function that is used in the Windows environment to extract information from the files and data structures of Limewire /Bearshare/Ares Galaxy, which are artifacts of the products. |
2009-12-01 | DCCI P2P Scan | Validation | AScan3.0 was developed by Joseph Lewthwaite a Contractor at the Defense Cyber Crime Center (DC3)/ Defense Cyber Crime Institute (DCCI). AScan3.0 is a command line function that is used in the Windows environment to extract information from the files and data structures of Limewire /Bearshare/Ares Galaxy, which are artifacts of the products. The function of AScan3.0 is to collect and organize the information collected into an HTML document that will present the artifact information in an easy to read format. |
2010-02-17 | Data Extraction and Naming Tool | Validation | DENT was developed by the Idaho National Laboratory. DENT was designed to offer fast, flexible, and customizable file carving for multiple file systems. The function of DENT is to copy files from the target file system, which are of interest to the end-user based on the plug-ins selected, and organize the files collected into a defined area with a structure to make the output easier to index and view. |
2010-04-22 | Email Detective v.4.0.3 | Validation | Email Detective was developed by Hot Pepper Technology. This tool allows investigators to extract email contents from America Online's database stores on a user's computer disk drive. A comprehensive report is produced for the forensic investigator detailing all messages and photos retrieved. |
2010-04-23 | WiebeTech USB WriteBlocker | Validation | The USB WriteBlocker offers read-only access to suspect USB mass storage devices. It is compatible with single storage devices that expose multiple mountable volumes (multiple LUNs). WiebeTech's write-block technology is also compatible with forensic acquisition and analysis software. |
2010-04-23 | DCCI_StegCarver Version 4.9 | Validation | DCCI_StegCarver is a DCCI-developed special-purpose carving tool. DCCI_StegCarver carves key file types out of data inadvertently appended to image files, but can also be used to carve data from memory dumps, slack space, dd images, and any directory of files, e.g., hibernation files, swap (paging) files. |
2010-04-22 | VistaStumbler 2.0 | Validation | VistaStumbler was developed by people who choose to remain anonymous. The tool is a wireless network detection software application. It is available free-of-charge from www.suriv.be. VistaStumbler runs on the Windows Vista operating system. |
2010-04-27 | STRIKE v1.6 | Validation | STRIKE was developed by IDEAL Corp. STRIKE provides operators with a portable, automated system to quickly extract data and analyze information, in the field and in real time, from captured digital devices and media. Types of media and devices that can be analyzed include: USB flash drives, multimedia cards, SIM cards, cell phones, PDAs, CDs/DVDs, hard drives, and live computers. |
2010-01-10 | CD/DVD Inspector v.4.0 | Validation | Inspector was developed as a forensic tool to be used in the analysis of CD and DVD media. Inspector reads all major CD and DVD file system formats including: ISO-9660, Joliet, and UDF. |
2010-07-27 | ue2f v1.0 | Validation | ue2f is a Linux Open Source command line tool that resides on FBI_CART Linux Boot CD Version 5.3 (September 2009). It is used to recover erased (deleted) files from EXT2 volumes. Recovered files will be directed to an EXT2, FAT32, or NTFS partition from the source EXT2 volume. |
2010-07-27 | Network Miner | Validation | Network Miner is a Network Forensic Analysis Tool (NFAT) for Windows which can detect the OS, hostname, and open ports of network hosts through packet sniffing or by parsing a PCAP file. It can also extract transmitted files from network traffic. |
2010-07-27 | PDFinder 1.0 | Validation | PDFinder was developed by the Defense Cyber Crime Institute (DCCI). This Windows based tool is designed to read and display information about artifacts contained in Adobe PDF files. The tool scans a given file or directory and identifies PDFs inside, and then scans the individual PDF files and outputs a report based on the metadata of any artifacts contained inside. |
2010-07-27 | MD5Deep/Hashdeep 3.6 | Validation | MD5Deep was developed by Jesse Kornblum. MD5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. The tool, through its hashdeep component, is also able to match and audit hash sets. With traditional matching, programs report only whether an input file matched one in a set of knowns or did not match. With this method, it is difficult to obtain a complete sense of the state of the input files compared to the set of knowns. It's possible to have matched files, missing files, files that have moved within the set, and new files not in the set. MD5deep can report all of these conditions. It can even spot hash collisions, where an input file matches a known file in one hash algorithm but not in others. All the results are displayed in an audit report. |
2010-08-24 | Internet Evidence Finder 3.5.1 | Validation | IEF was developed by JADsoftware. IEF is used to search a disk drive, folder, subfolder, or file for Internet artifacts. The tool can be configured to filter out various types of information, such as emails, chat records, or IE8 URLs. The tool will then generate a report containing the results, or create individual files containing the data found. |
2010-08-31 | X-Ways Forensics Version 15.6 SR-12 | Validation | X-Ways was developed by X-Ways Software Technology AG. X-Ways is an advanced work environment for computer forensic examiners. It runs under Windows 2000, XP, 2003, Vista, 2008, and 7, both 32-bit and 64-bit. The tool is based on the WinHex hex disk editor, and can natively process FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, CDFS/ISO9660/Joliet, and UDF data storage formats. |
2010-09-10 | DC3 Triage Version 1.0.0.198 | Validation | DC3 Triage was developed by the Defense Cyber Crime Institute (DCCI). DC3 Triage integrates multiple programs to quickly evaluate folders or disk image (dd type) files for items of interest in an investigation. The tool integrates the following tools: Drive Prophet from Guardian Digital Forensics, StegCarver, VideoValidator, HumanDetect, AScan, and the Virtual Disk Driver (VDK) from Ken Kato. DC3 Triage produces an HTML file of all results and provides a Graphical User Interface (GUI) to view the results of the analysis requested, or the results of a prior analysis. |
2010-09-23 | Shadow Miner v1.0 | Validation | Shadow Miner was developed by Timothy R. Leschke. Shadow Miner is a DCCI-developed special purpose tool that is intended to help Forensic Examiners access the data that is maintained within a Microsoft Vista Shadow Volume. |
2010-10-05 | MD5 Compare v1.0 | Validation | MD5 Compare was developed by JADsoftware. MD5 Compare is a tool which can be used to compare MD5 hash values of files. This is useful in a scenario where a user has obtained hash values of files from a particular system and wishes to compare them against some known set of hash values of interest. MD5 Compare requires text files containing hash values as input, one hash value per line. The interface of the tool has labeled sections indicating which files will be searched and which files they will be compared against. MD5 Compare generates output files containing all of the matches, if any were found. |
2010-10-14 | CacheBack v2.8.11 | Validation | CacheBack was developed by SiQuest Corporation. CacheBack is a standalone Windows-based program that rebuilds Internet web pages which have been stored on a computer system through the use of an Internet browser. CacheBack also examines browsing histories and identifies relationships between web page content and history records through Universal Resource Locators (URLs). |
2010-10-14 | Fast Disk Acquisition System 1.5 | Validation | FDAS was developed by CyanLine. FDAS gives the digital forensic examiner the ability to extract a forensically sound image in dd format at a faster rate than would be possible with conventional techniques. |
2010-10-14 | Apple SAN Process Validation | Validation | The process was developed by the I&E group to document the way that evidence will be duplicated, and made ready for the later processing by a lab investigator. This process was created to define the way to label and track the evidence, as well as provide an archive of said evidence should it be required to reproduce in case of device failure or later reprocessing of the evidence. |
2011-01-05 | FDE Version 3.0.0.968 | Validation | FDE was developed by DCCI. FDE was created to provide a triage function for DCFL and submitting case agents. The Carver EnScript carves out all graphics, movies, chat, email with graphic attachments, web cache, and web searches from the disk images in a case. The DCFL Frontend is then run to generate thumbnails and Human and Real scores. These files and the Case Agent (Thinstall) Frontend are sent to the case agent for review. After tagging files of interest, an XML file is sent back to DCFL and imported into the EnCase case file with the Importer EnScript, which creates bookmarks of these files of interest. |
2011-01-11 | DC3DD V7.0.0 Imager on Windows XP and 2003 Using CYGWIN 1.7.5 | Validation | dc3dd is a command line function used in the CYGWIN environment. The purpose of dc3dd is to image and hash case evidence drives to be used in the lab for examination. The creation of dc3dd provides a Windows XP and 2003 OS environment tool that delivers the logging and specific data formats that help the lab in its efforts to provide automatically generated byte counts and sector counts, while properly handling bad sectors when encountered. This new version provides the capability of creating multiple output streams to different devices and/or files, and allows for the automatic hashing of the resultant images if desired. |
2011-01-11 | DC3DD V7.0.0 Imager On UBUNTU 10.04 LTS | Validation | dc3dd is a command line function used in the Linux environment. The purpose of dc3dd is to image and hash case evidence drives to be used in the lab for examination. The creation of dc3dd provides a Linux environment tool that delivers the logging and specific data formats that help the lab in its efforts to provide automatically generated byte counts and sector counts, while properly handling bad sectors when encountered. |
2011-02-11 | Wi-Fi Investigator v. WFIH-01 | Validation | Wi-Fi Investigator was developed by Digital Certainty. The Digital Certainty Wi-Fi Investigator is a handheld tool which identifies the specific physical location of any type of device communicating with a Wi-Fi (802.11b/g) signal. |
2011-02-11 | Ariadne 2.1.7 | Validation | Ariadne was developed by Defense Cyber Forensics Laboratory (DCFL). Ariadne is used to automatically carve encoded/obfuscated code in supported file types. |
2011-02-11 | StegAlyzerRTS 3.1 | Validation | StegRTS was developed by Backbone Security. StegRTS is capable of capturing and scanning network traffic in real-time for the presence of steganography applications and their signatures. |
2011-02-11 | MD5Deep/Hashdeep 3.7 | Validation | MD5Deep was developed by Jesse Kornblum. MD5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. MD5deep, through its hashdeep component, is able to match and audit hash sets. Traditional matching programs report only whether an input file matched one in a set of knowns or did not match, so it is hard to get a complete sense of the state of the input files compared to the set of knowns. |
2011-02-11 | Internet Evidence finder 3.6.0 | Validation | IEF was developed by JADsoftware. IEF is used to search a disk drive, folder, subfolders, or file for Internet artifacts. The tool can be configured to filter out various types of information, such as emails, chat records, and IE8 URLs. IEF can then generate a report containing the results or create individual files containing the data found. |
2010-02-11 | TABLEAU T8 USB Write Blocker Firmware Update | Validation | The USB WriteBlocker offers easy read-only access to suspect USB Mass Storage devices. It is compatible with single storage devices having multiple mountable volumes (multiple LUNs). Tableau's write-block technology is compatible with forensic acquisition and analysis software. |
2011-02-11 | JPCAP 0.01.17 | Validation | JPCAP was developed by Patrick Charles. JPCAP is a tool designed to passively monitor and capture network activity. The tool can be used in live network captures or pre-captured environments (in pcap format). JPCAP provides visual data, as well as textual information, for packets captured. |
2011-02-18 | Win32dd/Win64dd 1.3.1.20100417 | Validation | Win32dd/Win64dd was developed by Matthieu Suiche and MoonSols. Win32dd/Win64dd is a command line based tool for either 32-bit or 64-bit systems, which allows the user to acquire an image of the system's memory. Raw dd-style and crash dump formats are supported, and there are different methods for specifying memory content. |
2011-02-18 | WIEBETECH WRITE BLOCKER | Validation | Write-block support is provided via WiebeTech's proprietary write-block technology, which offers easy, read-only access to suspect hard drives through high speed FireWire 800 (400 compatible), USB2, or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. |
2011-02-18 | Hash Tab 3.0 | Validation | HashTab was developed by Cody Batt. HashTab provides OS extensions to calculate file hashes. HashTab supports many hash algorithms, including: MD5, SHA1, SHA2, RipeMD, HAVAL and Whirlpool. The tool provides an easy way to verify file integrity and authenticity. |
2011-03-02 | EnCase Version 6.18.0.59 | Validation | EnCase is a Windows-based digital forensic investigation suite created by Guidance Software. It provides imaging, analysis, bookmarking, and reporting capabilities. |
2011-03-02 | NetAnalysis 1.52 with HstEx 3.6 | Validation | NetAnalysis and HstEx were developed by Digital Detective Group Ltd. NetAnalysis is a software tool used for the recovery and analysis of internet browser artifacts. NetAnalysis offers powerful searching, filtering, and evidence identification. |
2011-03-02 | Registry Viewer 1.6.3 | Validation | Registry Viewer was developed by Access Data. Registry Viewer allows you to view the contents of the registries on the Windows operating system. |
2011-03-14 | FTK Imager 3.0.0.1443 | Validation | FTK Imager was developed by AccessData. FTK Imager is a data preview and imaging tool that lets the user quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted. FTK Imager can also create forensic images of evidence without making changes to the original evidence. |
2011-04-21 | WinMoFo Version 2.217736 | Validation | WinMoFo was developed by DelMar IT, LLC. WinMoFo advertises the ability to logically extract all digital evidence from a target device. This evidence includes the device's phone number, call history, SMS history, email, appointments, contacts, tasks, and files found on the file system. |
2011-04-27 | DC3 Triage Version 2.0.0.274 | Validation | DC3 Triage was developed by the Defense Cyber Crime Center (DC3), DC3 Cyber Crime Institute (DCCI). |
2011-05-05 | DCCI_Stegcarver (SC) Viewer 1.0.3161 | Validation | SC-Viewer was developed by the Defense Cyber Crime Institute (DCCI). The tool is used to expedite the time an examiner spends sifting through file carving results. |
2011-05-05 | DC3 CV v3.0 | Validation | DC3_CV (Computer Vision) is a DC3-developed, special purpose tool used to expedite the time an examiner spends sifting through large directories of image files. With DC3_CV, examiners can use pre-trained datasets or easily create custom datasets from pictures they have of persons of interest. |
2011-05-19 | DC3dd V7.1.604 Imager on Windows 7 (64Bit) using CYGWIN 1.7.5 | Validation | The creation of dc3dd provides a Windows 7 (64Bit) environment tool which delivers the logging and specific data formats that help the lab in their efforts to provide automatically generated byte counts and sector counts, while properly handling bad sectors when encountered. |
2011-05-19 | DCCI_Video Validator v1.0 | Validation | Video Validator was developed by the Department of Defense Cyber Crime Institute (DCCI). Video Validator is a tool used mainly to quickly verify whether or not video fragments obtained by data carving techniques can be played. |
2011-06-07 | Tablets in Learning Environments | Study | To remain current in today's competitive educational landscape, organizations must incorporate the latest technologies into the learning environment. |
2011-01-06 | Extraction and Categorization of LimeWire Artifacts | Study | Additionally, this project intended to determine the feasibility of performing an analysis of a RAM dump in search of LimeWire artifacts. |
2011-05-19 | StegAlyzerRTS v3.1 | Validation | StegRTS was developed by Backbone Security. StegRTS is capable of capturing and scanning network traffic in real-time for the presence of steganography applications and their signatures. |
2011-07-07 | ForensicSoft Safe Block | Validation | Safe Block was developed by Forensic Soft Incorporated. SAFE Block is a software-based write blocker which facilitates the quick and safe acquisition and/or analysis of any disk or flash storage media attached directly to a Windows workstation. It is proven to be safe. |
2011-07-07 | WiebeTech Forensic Labdock | Validation | Write-block support is provided via WiebeTech's proprietary write-block technology. This offers easy read-only access to suspect hard drives through high speed FireWire 800 (400 compatible) or eSATA interfaces. WiebeTech's write-block technology is compatible with forensic acquisition and analysis software. |
2011-07-07 | FTK v3.2 | Validation | FTK was developed by Access Data. It is a MS Windows based forensic suite used to conduct forensic analysis of digital media. It allows a forensic examiner to conduct analysis of various media types, including hashing and searching for keywords, as well as bookmarking, and reporting capabilities. |
2011-07-07 | DC3DD V7.1.604 Imager | Validation | dc3dd is a command line function used in the Linux, Mac OS, and Windows 7 (64-bit) environments. The purpose of dc3dd is to image and hash case evidence drives to be used in the lab for examination. |
2011-07-07 | CD/DVD INSPECTOR VERSION 4.1 | Validation | CD/DVD Inspector was developed by CD-ROM Productions, LLC. CD/DVD Inspector utilizes a great deal of knowledge about how optical media works and how the file systems are constructed to dig out lost and hidden files that otherwise would not be available. |
2011-07-07 | Audit Viewer 1.4 | Validation | Audit Viewer was developed by Mandiant Corporation. Audit Viewer runs on the Microsoft Windows operating system. This tool is for viewing output files produced by Memoryze, in particular, but also other tools that create raw memory dumps. |
2011-07-07 | FastDump Pro 2.0 | Validation | FDPro was developed by HB Gary, Inc. The software is a standalone, Windows based, executable program driven from a command prompt. When running the program, the current run state of its host is collected by copying data from RAM to the local disk or external media. |
2011-07-07 | Memoryze 1.4 | Validation | Memoryze was developed by Mandiant Corporation. Memoryze is a computer forensics memory acquisition software program designed to operate on Microsoft Windows platforms. |
2011-07-07 | pdf-parser.py 0.37 | Validation | pdf-parser was developed by Didier Stevens. |
2011-07-07 | pdfid.py 0.11 | Validation | pdfid was developed by Didier Stevens. |
2011-07-07 | pdftk 1.44 | Validation | pdftk was developed by Sid Seward at PDFLabs. It is used to manipulate PDF files without requiring Adobe Acrobat. |
2011-07-07 | RegShot 1.8.2 | Validation | RegShot was developed by TiANWEi, tulipfan, and Belogorokhov Youri. RegShot is a small, free, open-source registry compare utility that allows the user to quickly take a snapshot of the registry and then compare it with a second one. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot1 and snapshot2. |
2011-07-07 | Validate Deletion of Data Deletion From Media-DBAN 2.2.6 | Validation | DBAN was developed by Darik Horn, and Boot And Nuke is a registered trademark of GEEP EDS LLC. DBAN is a boot disk that completely wipes a hard drive or selected partition. Six wiping methods are available: 1) Quick Erase, 2) RCMP TSSIT OPS-II, 3) DoD Short, 4) DoD 5220.22-M, 5) Gutmann Wipe, and 6) PRNG Stream. DBAN claims to prevent or thoroughly hinder all known techniques of hard disk forensic analysis. |
2011-07-07 | SQliteman 1.2.1 | Validation | SQliteman was developed by Peter Vanek. SQliteman is a software tool with a graphical user interface which writes databases with Sqlite3 technology. |
2011-07-07 | ProDiscover IR (VSC capability) 6.11.0.0 | Validation | ProDiscover was developed by Technology Pathways, LLC. ProDiscover is a tool used for analyzing digital evidence, such as image files and physical disks. For this validation, the focus will be on evidence that contains one or more shadow volumes. |
2011-07-29 | Shadow Scanner 64-bit 1.0.3 | Validation | Shadow Scanner was developed by EKL Software. Shadow Scanner is a tool used to quickly identify changed or deleted files which are present in a particular partition's shadow volumes relative to the current state of the partition. |