Category Archive: Digital Forensic

Dropbox Decryptor

Dropbox® Decryptor (v1.3 released 23/06/2014) from Magnet Forensics is a free tool that will decrypt the Dropbox filecache.dbx and config.dbx files, which are both encrypted SQLite databases. These two locations store information about files that have been synched to the cloud using Dropbox. Like the filecache.dbx, the config.dbx file is a simple SQLite file. Once …


Permanent link to this article: http://www.darknessgate.com/2015/02/12/dropbox-decryptor/

THC-Hydra

A very fast network logon cracker which supports many different services. See the feature sets and services coverage page, incl. a speed comparison against ncrack and medusa. Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion. Currently …


Permanent link to this article: http://www.darknessgate.com/2015/02/12/thc-hydra/

Magnet RAM Capture

Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory. Magnet RAM Capture has a small memory footprint, meaning investigators can run the tool while minimizing the data that is overwritten in …


Permanent link to this article: http://www.darknessgate.com/2015/02/12/magnet-ram-capture/

Dshell

An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures. Key features: robust stream reassembly; IPv4 and IPv6 support; custom output handlers; chainable decoders. Prerequisites: Linux (developed on Ubuntu 12.04); Python 2.7; pygeoip (GNU Lesser GPL); MaxMind GeoIP Legacy datasets; PyCrypto (custom license); dpkt (New BSD) …


Permanent link to this article: http://www.darknessgate.com/2015/01/30/dshell/

CAINE (Computer Aided INvestigative Environment)

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project. Currently the project manager is Nanni Bassetti. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface. The main design objectives that CAINE aims …


Permanent link to this article: http://www.darknessgate.com/2015/01/24/caine-computer-aided-investigative-environment/

WinDD – Disk Dump for Windows

WinDD – Disk Dump for Windows! A Windows XP version of the Unix ‘dd’ command. Safe, effort-free backup for FAT, FAT32, NTFS, ext2 and ext3 partitions. http://sourceforge.net/projects/windd/

Permanent link to this article: http://www.darknessgate.com/2014/11/23/windd-disk-dump-windows/

Memoryze

Mandiant’s Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on live systems, can include the paging file in its analysis. Main features: image the full range of system memory (not reliant on API calls); image a process’ entire address space …


Permanent link to this article: http://www.darknessgate.com/2014/11/18/memoryze/

UserAssistant

UserAssist keys are a method that Microsoft uses to populate a user’s Start menu with frequently used applications. They exist on Windows XP, Vista, and 7 and maintain counts of application usage. These values are located in each user’s NTUSER.DAT hive at Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist and are ROT-13 encoded. Features: extracts SID, user names, indexes, application names, run …


Permanent link to this article: http://www.darknessgate.com/2014/11/12/userassistant/

USB Historian


Parse USB connection history. The Microsoft Windows operating systems record artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected. These artifacts can be found in Plug and Play (PnP) log files as well as the Windows Registry. For a forensic investigator dealing with the theft, movement, or access …


Permanent link to this article: http://www.darknessgate.com/2014/11/11/usb-historian/

USBDeviceForensics

USBDeviceForensics is an application to extract numerous bits of information regarding USB devices. It uses the information from a SANS blog posting to retrieve operating system specific information. It now has the ability to process multiple NTUSER.dat registry hives in one go. It should be noted that whilst the information in the blog posting is …


Permanent link to this article: http://www.darknessgate.com/2014/11/11/usbdeviceforensics/

Windows ShellBag Parser (sbag)

sbag is a Windows registry parser that targets the Shellbag subkeys to pull useful directory and file artifacts to help identify user activity. There are binaries available for Windows, Linux and Mac OS-X. The Windows version allows one to parse hives resident from a live system. As background, the ShellBag information is a set of …


Permanent link to this article: http://www.darknessgate.com/2014/11/11/windows-shellbag-parser-sbag/
