Below is a list of useful tools for carrying out forensic investigations, organised by category.

Name | From | Description |
---|---|---|
Arsenal Image Mounter | Arsenal Recon | Mounts disk images as complete disks in Windows, giving access to Volume Shadow Copies, etc. |
DumpIt | MoonSols | Generates a physical memory dump of Windows machines, 32- and 64-bit. Can run from a USB flash drive. |
EnCase Forensic Imager | Guidance Software | Creates EnCase evidence files and EnCase logical evidence files [direct download link]. |
Encrypted Disk Detector | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or BitLocker encrypted volumes. |
EWF MetaEditor | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier). |
FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32. |
Forensics Acquisition of Websites | Web Content Protection Association | Browser designed to forensically capture web pages. |
FTK Imager | AccessData | Imaging tool, disk viewer and image mounter. |
Guymager | vogu00 | Multi-threaded GUI imager running under Linux. |
Live RAM Capturer | Belkasoft | Extracts a RAM dump, including memory protected by an anti-debugging or anti-dumping system. 32- and 64-bit builds. |
NetworkMiner | Hjelmvik | Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing. |
Nmap | Nmap | Utility for network discovery and security auditing. |
Magnet RAM Capture | Magnet Forensics | Captures physical memory of a suspect’s computer. Windows XP to Windows 10, and 2003, 2008, 2012. 32- and 64-bit. |
OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones. |
OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks. |

Name | From | Description |
---|---|---|
Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl Regex. |
Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation. |
EvidenceMover | Nuix | Copies data between locations, with file comparison, verification, logging. |
FastCopy | Shirouzu Hiroaki | Self-labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc. |
File Signatures | Gary Kessler | Table of file signatures. |
HexBrowser | Peter Fiskerstrand | Identifies over 1000 file types by examining their signatures. |
HashMyFiles | Nirsoft | Calculates MD5 and SHA1 hashes. |
MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to boot to them. |
Mouse Jiggler | Arkane Systems | Automatically moves the mouse pointer, preventing the screen saver, hibernation, etc. |

Name | From | Description |
---|---|---|
BKF Viewer | SysTools | https://www.systoolsgroup.com/lotus-dxl-viewer.html |
DXL Viewer | SysTools | View (not save or export) Lotus Notes DXL file emails and attachments. |
E01 Viewer | SysTools | View (not save or export from) E01 files & view messages within EDB, PST & OST files. |
MDF Viewer | SysTools | View (not save or export) MS SQL MDF files. |
MSG Viewer | SysTools | View (not save or export) MSG file emails and attachments. |
OLM Viewer | SysTools | View (not save or export) OLM file emails and attachments. |
Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations. |
Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams. |
VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc. |

Name | From | Description |
---|---|---|
Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below). |
Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability. |
Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools. |
Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools. |
Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items. |
Forensic Scanner | Harlan Carvey | Automates ‘repetitive tasks of data collection’. |
Kali Linux | Offensive Security | Comprehensive penetration testing platform. |
Paladin | Sumuri | Ubuntu based live boot CD for imaging and analysis. |
SIFT | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations. |
The Sleuth Kit | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools. |
Volatility Framework | Volatile Systems | Collection of tools for the extraction of artefacts from RAM. |

Name | From | Description |
---|---|---|
Browser History Capturer | Foxton Software | Captures history from Firefox, Chrome, Internet Explorer and Edge web browsers running on Windows computers. |
Browser History Viewer | Foxton Software | Extract, view and analyse internet history from Firefox, Chrome, Internet Explorer and Edge web browsers. |
Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”). |
ChromeCacheView | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache. |
Cookie Cutter | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits. |
Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information. |
Facebook Profile Saver | Belkasoft | Captures information publicly available in Facebook profiles. |
IECookiesView | Nirsoft | Extracts various details of Internet Explorer cookies. |
IEPassView | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8. |
MozillaCacheView | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers. |
MozillaCookieView | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers. |
MozillaHistoryView | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages. |
MyLastSearch | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace). |
PasswordFox | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser. |
OperaCacheView | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache. |
OperaPassView | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat. |
Web Historian | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers. |
Web Page Saver | Magnet Forensics | Captures how web pages look at a specific point in time. |

Name | From | Description |
---|---|---|
AppCompatCache Parser | Eric Zimmerman | Dumps the list of shimcache entries, showing which executables were run and their modification dates. |
ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file. |
Process Monitor | Microsoft | Examine Windows processes and registry threads in real time. |
RECmd | Eric Zimmerman | Command line access to offline Registry hives. Supports simple and regular expression searches as well as searching by last write timestamp. |
Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents. |
Registry Explorer | Eric Zimmerman | Offline Registry viewer. Provides deleted artefact recovery, value slack support, and robust searching. |
RegRipper | Harlan Carvey | Registry data extraction and correlation tool. |
Regshot | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software. |
ShellBags Explorer | Eric Zimmerman | Presents a visual representation of what a user’s directory structure looked like. Additionally exposes various timestamps (e.g., first explored, last explored for a given folder). |
USB Device Forensics | Woanware | Details previously attached USB devices on exported registry hives. |
USB Historian | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems. |
USBDeview | Nirsoft | Details previously attached USB devices. |
User Assist Analysis | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys. |
UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time. |
Windows Registry Recovery | MiTec | Extracts configuration settings and other information from the Registry. |

Cloud

Name | From | Description |
---|---|---|
Dropbox Decryptor | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox. |
Google Maps Tile Investigator | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context. |
KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application. |
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details. |
SkypeLogView | Nirsoft | View Skype calls and chats. |

Name | From | Description |
---|---|---|
HotSwap | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area. |
iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones. |
IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs. |
LiveView | CERT | Allows examiner to boot dd images in VMware. |
Ubuntu guide | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc. |
WhatsApp Forensics | Zena Forensics | Extracts WhatsApp messages from iOS and Android backups. |

Name | From | Description |
---|---|---|
Password Strength Test | How Secure Is My Password | Enter your password and see how long it will take for a computer to crack it. |
Password Meter | Password Meter | This application is designed to assess the strength of password strings. |
Secure Password Check | Kaspersky | Check how secure a password is. |
Password Manager | LastPass | Password storer with AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes. |
Password Manager | StickyPassword | Password manager using AES-256 encryption. |

Name | From | Description |
---|---|---|
Breach Alarm | Breach Alarm | Scans the Internet for stolen password data posted by hackers, and lets you know if it spots your email address in a security breach. |
HaveIBeenPwnd | haveibeenpwned | Check if you have an account that has been compromised in a data breach. |

Name | From | Description |
---|---|---|
AdBlock | AdBlock Plus | The Adblock Plus for Chrome™ ad blocker has been downloaded over 500 million times and is one of the most popular and trusted on the market. |
No Script | NoScript | The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other Mozilla-based browsers. |
Comodo Dragon | Comodo Cybersecurity | A Chromium technology-based Web browser that offers you all of Chrome’s features plus the unparalleled level of security and privacy. |
TOR | TOR Project | Experience real private browsing without tracking, surveillance, or censorship. |
Disconnect | Disconnect | Get greater transparency and control over the personal information you share online. |

Name | From | Description |
---|---|---|
Where Goes | Where Goes | Takes a URL and shows you the entire path of redirects and meta-refreshes that leads to the final destination. |
Redirect Detective | Redirect Detective | Redirect Detective is a free URL redirection checker that allows you to see the complete path a redirected URL goes through. |
Redirect Check | Redirect Check | This site is used to chase the redirection of URLs. |

Name | From | Description |
---|---|---|
VirusTotal | Virus Total | Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community. |
ScanURL | Scan URL | See if a website has been reported for phishing, hosting malware/viruses, or poor reputation. We check with reputable 3rd-party services, such as Google Safe Browsing Diagnostic, PhishTank, and Web of Trust (WOT). |
Site Safety Center | TrendMicro | Checks the safety of a particular URL that might seem suspicious. |
Zulu | Zscaler | Zulu is a dynamic risk scoring engine for web-based content. |

Name | From | Description |
---|---|---|
Eraser | Heidi | Completely removes sensitive data from your hard drive. |