| Active Partition Recovery | A very small, easy to use DOS Program (only 150k in size) using which you can:
- Recover deleted partitions (FAT and NTFS)
- Restore deleted FAT and NTFS Logical Drives
- Create Drive Image - for backup purposes
- Scan hard drives and detect deleted FAT and NTFS partitions and/or Logical Drives
- Preview files and folders on deleted partition or drive, to recover proper data
- Backup MBR (Master Boot Record), Partition Table, Boot Sectors
- Restore MBR, Partition Table and Boot Sectors from backup if damaged
| Commercial | Download Page |
| Advanced Email Extractor | Designed to extract e-mail addresses from web-pages on the Internet (using Download Page http and Download Page httpS protocols) and from HTML and text files on local disks. | Commercial | Download Page |
| Advanced Mailbox Processor | The program is intended for extracting owner's names and e-mail addresses from the local files, and making an e-mails list. | Commercial | Download Page |
| Afind | Afind lists files by their last access time without tampering the data the way that right-clicking on file properties in Explorer will. Afind allows you to search for access times between certain time frames, coordinating this with logon info provided from ntlast, you can to begin to determine user activity even if file logging has not been enabled. | Commercial | Download Page |
| AutoStart Viewer | When you start Windows, dozens of programs are already running – many of them invisible and running in the background. This software identifies what is running, why it is running and determine if any are Trojans. AutoStart Viewer allows you to see every AutoStart on your system, all on the one screen. In addition, it gives you complete control over the AutoStart references, and allows you to modify or delete them at will. | Freeware | Download Page |
| CacheView | Cache View is a viewer for the Netscape Navigator, Mozilla and Internet Explorer caches. You can open the cached files for viewing, and copy or move them out of the cache. It will even reconstruct the names and directory paths of the files for you. Cache View extracts the following information about cached files: URL, Size (in bytes), MIME Type, Last modified date, Date the file was downloaded, and the Expiry date. | Shareware | Download Page |
| Captain Nemo | This product allows connecting a drive containing the Unix/Linux (supports only Ext2 Linux file system), NT or Novell operating system directly to a Windows operating system machine and accessing, viewing, printing and copying the files as if they were on another Windows drive on the computer.
The shareware version of Captain Nemo allows you to mount and see all the files on your Novell, NT and Linux drives.
If you want to copy the files to a Windows drive you need to register the software. | Commercial | Download Page |
| CD Roller | Effectively retrieves the data off the discs created by “drag and drop” CD/DVD writing software, such as well-known Roxio (Adaptec) and Ahead Nero software packages, CeQuadrat’s PacketCD, Instant Write, B’s CliP and others. | Commercial | Download Page |
| CD/DVD Inspector | Professional software for intensive analysis and extraction of data from CD-R, CD-RW and DVD media. Tailored for professionals in data recovery, forensics, and law enforcement. | Commercial | Download Page |
| CookieView – Cookie Decoder | This software was originally written as an external viewer for Encase or iLook. Either drag and drop a cookie onto the main window or set it as an external viewer. The software will decode the internal cookie data such as the date and times, and it will split the data into separate cookie records. | Freeware | Download Page |
| DbExtract | Extracts mail messages from Outlook Express 5 DBX files. It requires the existence of the VB6 runtime dll, msvbvm60.dll. | Shareware | Download Page |
| DecExt | Recovers base 64 pictures | Freeware | Download Page |
| Decode – Forensic Date/Time Decoder | This utility was designed to decode the various date/time values found embedded within binary and other file types. | Freeware | Download Page |
| Digital Image Recovery | No matter, if you deleted images, videos or audio files from your media, formatted the media, or pulled out the media during a write process, the program reconstructs the corresponding data automatically. | Freeware | Download Page |
| Directory Snoop | Directory Snoop is a cluster-level search tool that allows Windows users to snoop through their FAT and NTFS formatted disk drives to see what data may be hiding in the cracks. Use Directory Snoop to recover deleted files you thought you would never see again or permanently erase sensitive files so that no one will know they ever existed. Supported media include local hard drives, floppy disks, Zip disks, MO disks, and flashcard devices. | Commercial | Download Page |
| DIRV | A filter for the DIR /S command. Dirv is a program for those who still use DIR /S to obtain a recursive directory list of all the files on a system. The DIR /S program produces an output that is difficult to import into a database for additional processing. Dirv takes outputs generated on either Windows NT or WIN9X file systems and converts the output to records which are one line in length and contain the appropriate path and filename merged. | Freeware | Download Page |
| DiskCat | Catalogues all files on disks. DiskCat is short for “disk cataloguer”. It creates a listing (catalogue) of all files and/or directories on a hard or floppy disk. With its many options, the operation can be customized to your needs. It is especially useful for forensic purposes and for file maintenance. Output is a fixed length record and database compatible (for further analysis/sorting.) | Freeware | Download Page |
| DriveLook | DriveLook is a powerful forensic drive investigation and search tool. DriveLook scans a drive or a partition of a drive for text strings and stores these in a table. After completion of the scan you can browse this table and view the locations where the words had been found. The search function allows you to do fast inquiries for combinations of words. The program enables you to index a hard drive for all text that ever was written to it, browse a list of all words stored on the drive, search for words or combinations of words, view the location of words in a disk editor, switch between several views, such as hex and text view, use physical drives or logical drives as an input, use image files as an input, access remote drives over serial cable or TCP/IP. | Shaireware | Download Page |
| Exifer | Exifer is a shareware for recovering and displaying the metadata (EXIF/IPTC) of pictures taken by digital cameras. | Freeware | Download Page |
| FavURLView – Favourite Viewer | This utility will decode Internet Shortcut (*.URL) files to allow you to compare the Shortcut Description with the actual link. It will also decode the Modified time and date. | Freeware | Download Page |
| FDTE – File Date time Extractor | This software hunts through binary files ‘sniffing out’ hidden, embedded 64 bit date & times.
This type of stored date is very popular in many Microsoft applications (e.g. Word and Excel). | Freeware | Download Page |
| Final Email | For message recovery in Outlook Express, Eudora, and Netscape Mail; scans the email database file and locates lost emails that do not have data location information associated with them | Commercial | Download Page |
| Galleta | Many computer crime investigations require the reconstruction of a subject’s Internet Explorer Cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favourite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows, Mac OS X, Linux, and *BSD platforms. | Commercial | Download Page |
| Gargoyle Forensic Pro | Gargoyle quickly and easily determines whether malware is present on a system under investigation.
The Forensic Pro Edition is designed for forensic investigators, examiners, law enforcement personnel, private investigators, and forensic lab use.
The Forensic Pro version includes all the malware datasets, travelling license, dataset creator, dataset converter, a single-user license of Mount Image Pro™ allowing forensic image investigations and other tools including a USB thumb drive for covert investigations and a 1-year subscription to the Digital Evidence Time Stamping service | Commercial | Download Page |
| Handle | Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program. | Freeware | Download Page |
| History Inspector for Internet Explorer | History Reader reads all information in the complete history database and presents you a list, either in chronological or alphabetical order. | Shareware | Download Page |
| HPA | HPA is a 16 bit program designed to work only on IDE drives. When run, HPA will identify: the drive’s manufacturer; serial number; total number of sectors on the drive; and, if the drive is Host Protected Area (HPA) capable, it will identify the number of sectors set aside in the HPA. HPA is very useful on a forensic boot disk because it can capture key information about any IDE drives in the system. The resulting information can be sent to an output log file for future reference. | Freeware | Download Page |
| HTTrack Website Copier | It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. | GPL | Download Page |
| Inquire | A Windows based application that issues a SCSI Inquiry command and lists any hard disk drives found along with model number, product revision level and serial number (ESN). | Freeware | Download Page |
| Jpegdump.zip | Dumps Smart Media or Compact Flash To An Image File; Scans File and Recovers Erased JPEG files | Freeware | Download Page |
| KaZAlyzer | KaZAlyser is the successor to the popular P2Pview KaZaA/Morpheus database viewer. KaZAlyser provides significant enhancements to the investigation process. KaZAlyser provides the following functions: List all database entries in a tabular form, Display the file integrity tag, Allow the investigator to tag and comment each record, Identify files that appear (from title, keywords etc.) to be Child Pornography, Identify files that have a known Child Pornography hash value, Identify all graphics/movie files, Sort by individual columns, Export the content of a database to a CSV file, Produce reports based on above. KaZAlyser can open one or more database files from any FastTrack based installation, such as KaZaA, iMesh and Grokster, and display the contents in a tabular form. Once loaded into KaZAlyser filters can be applied to the database entries to limit the display to particular records such as ‘all graphics files’ or ‘identify known Child Pornography’. | Commercial | Download Page |
| LADS (List Alternate Data Streams) | This program lists all alternate data streams of an NTFS directory. Of course it shows the ADS of encrypted files, even when these files were encrypted with another copy of Windows 2000. There is the /S switch to walk through subdirectories recursively and the /A switch to show the total of all bytes. | Freeware | Download Page |
| ListDLLs | ListDLLs is able to show you the full path names of loaded modules – not just their base names. In addition, ListDLLs will flag loaded DLLs that have different version numbers than their corresponding on-disk files (which occurs when the file is updated after a program loads the DLL), and can tell you which DLLs were relocated because they are not loaded at their base address. | Freeware | Download Page |
Mailbag Assistant
| An effective investigation tool for law enforcement. Mailbag Assistant supports Outlook Express, Eudora, Netscape, Mozilla, Pegasus, The Bat!, Forte Agent, Calypso, PocoMail, FoxMail, Juno 3.x, Unix mail (Pine, Elm, mbox, etc.), and EML message files. | Commercial | Download Page |
| MBXtract | Extracts mail messages from Outlook Express 4 DBX files. | Freeware | Download Page |
| Metadata Assistant | The Metadata Assistant will analyze Word/Excel/PowerPoint 97, 2000, 2002 (XP) and 2003 documents to determine what metadata (hidden information) a client might see, display its findings then offer the ability to clean the document by selecting a variety of options; | Commercial | Download Page |
| Mod Com | Mod com is a program that will alter the operating system files on a floppy boot disk so that when booted it will not alter anything on the C: drive. This is what is done manually in the basic forensic classes when you alter boot disks to keep from accessing the C: drive. This program creates a forensically sound boot disk. | Freeware | Download Page |
| NTLast | Security audit tool for Windows NT. NTLast is specifically targeted for serious security and IIS administration. Scheduled review of your NT event logs is critical for your network. A server breach can be uncovered by regular system auditing. Identifying and tracking who has gained access to your system, then documenting the details is now made easier with NTLast. This tool is able to quickly report on the status of IIS users, as well as filter out web server logons from console logons. | Freeware | Download Page |
| OmniQuad Investigator | It can reconstruct the usage history of the analyzed workstation, presenting you with a log of past actions for inspection - clearly and concisely. (Windows95/98/ME/NT/2000/XP) | Commercial | Download Page |
| Outlook Recovery | A data recovery program for corrupted Microsoft Outlook Personal Storage Files (.pst). | Commercial | Download Page |
| Pasco | An Internet Explorer activity forensic analysis tool. Many computer crime investigations require the reconstruction of a subject's internet activity. Pasco, the Latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favourite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows, Mac OS X, Linux, and *BSD platforms. | Freeware | Download Page |
| PC Inspector™ File Recovery | A data recovery program that supports the FAT 12/16/32 and NTFS file systems. Some of the features in PC INSPECTOR™ File Recovery 3.x:
· Finds partitions automatically, even if the boot sector or FAT has been erased or damaged (does not work with the NTFS file system) · Recovers files with the original time and date stamp · Supports the saving of recovered files on network drives · Recovers files, even when a header entry is no longer available. | Commercial | Download Page |
| PC Inspector™ Smart Recovery | A data recovery program for Flash Card™, Smart Media™, SONY Memory Stick™, IBM™ Micro Drive, Multimedia Card, Secure Digital Card or any other data carrier for digital cameras. | Commercial
| Download Page |
| Pictuate | Pictuate examines files one by one very quickly and sorts the image files so the user can determine whether or not the images are pornographic. The applications for this technology are wide ranging. Any time you need to audit the contents of a computer drive to determine if the contents are in violation of policy or the law, Pictuate is the tool to use. | Commercial | Download Page |
| Process Explorer | Process Explorer shows you information about which handles and DLLs processes have opened or loaded. The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. | Freeware | Download Page |
| Protected Storage Explorer | Protected Storage Explorer is a powerful tool that allows you to view all sorts of saved data from the Protected Storage Service, including passwords for e-mail accounts in Microsoft Outlook, Microsoft Outlook Express, MSN Messenger, saved Internet Explorer form data (phone numbers, credit card numbers, web email, search engine queries…), user names and passwords on Web pages, and cached logon credentials of sites that require authentication (including FTP sites.) | Freeware | Download Page |
| R-Mail | A tool designed to recover accidentally deleted e-mail messages and recovery damaged *.dbx files where MS Outlook Express stores folders with e-mail messages. The new e-mail data recovery technology IntelligentRebuild allows R-Mail users to quickly reconstruct damaged *.dbx files created by Outlook Express and easily restore the lost messages. The messages are recovered in the .eml format and can be simply imported into Outlook Express mail and news bases. | Commercial | Download Page |
| R-Undelete | A file undelete solution for FAT, NTFS, NTFS5, and Ext2FS file systems. R-Undelete can undelete files on any valid logical disks visible by the host OS. It cannot however undelete files on damaged or deleted volumes or in the case of hard drive repartitioning | Commercial | Download Page |
| Registry Information Extractor | This is a test release of a software utility that is in development and under testing. It is a Windows 95/98/ME system.dat registry information extractor. It will be updated to extract a lot more information from the registry, including NT, 2K and XP support. At present it will only extract system.dat information from Windows 95/95 and ME. It can extract the following information: Registered Owner, Registered Organization, Windows Version, Windows Version Number, Windows Installed Date & the Computer Name. RIE can also be used as a File Viewer from within EnCase. | Freeware | Download Page |
| RegMon | Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing – all in real-time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you’ll see how the values and keys changed. | Freeware | Download Page |
| Rifiuti | A Recycle Bin Forensic Analysis Tool. Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favourite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows, Mac OS X, Linux, and *BSD platforms. | Freeware | Download Page |
| ShoWin | Show information about Windows. Reveal passwords etc. ShoWin displays useful information about windows by dragging a cursor over them. Perhaps one of the most popular uses of this program is to display hidden password editbox fields (text behind the asterisks *****). This will work in many programs although Microsoft has changed the way things work in some of their applications, most notably MS Office products and Windows 2000. ShoWin will not work in these cases. Neither will it work for password entry boxes on web pages, at least with most web browsers. Additional features include the ability to enable windows that have been disabled, unhide hidden windows (try the program with the include invisibles option set and see how many windows you have on your desktop that you didn't know about!) and force windows to stay on top or be placed below others. | Freeware | Download Page |
| SnapView HTML Viewer | Quick and easy way to examine recovered HTML pages from unallocated space. This little viewer is built on the same technology as used by Internet Explorer. It can load up pages very quickly. You can also toggle between page and source view by pressing F9. It not only supports HTML but a number of other formats. It can also use any Internet Explorer plug-ins, already available within the operating system, giving it quite a large selection of supported file formats. The following is not the full list, but a flavour of the file formats possibly available: HTML, JPEG, GIF, ICO, Flash Move, Adobe Acrobat, Office Documents such as Word, Excel, PowerPoint, Bitmap, PNG, ART etc. | Freeware | Download Page |
| Stealer | This utility will extract the machine name, username and the net username along with any dial-up user accounts and passwords. It will also identify any passwords and usernames for secure web sites and any password protected shared folders on a network. Much of this information is stored within the *.PWL file. This has to be run on a restored drive if you are using it to identify information on a seized computer. One law enforcement agency used it to gain access to encrypted data as the password for the encrypted material had been duplicated. Might save you weeks of waiting if you are contemplating a brute force attack. NOTE: Will only work on Win9* and ME Systems. | Freeware | Download Page |
| StegDetect | StegDetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images. Currently, the detectable schemes are jsteg, jphide (Unix and Windows), invisible secrets, and outguess 01.3b. | Commercial | Download Page |
| StegHide | StegHide is a steganography program which embeds a secret message in a cover file by replacing some of the least significant bits of the cover file with bits of the secret message. After that, the secret message is imperceptible and can only be extracted with the correct pass phrase. Features: support for JPEG, BMP, WAV and AU files encryption of plain data before embedding (blowfish encryption algorithm) pseudo-random distribution of hidden bits in stego file embedding of a crc32 checksum of the plain data. | GPL | Download Page |
| Stego Suite 4.1 | The Stego Suite™ is the most advanced software bundle available for the investigation, detection, analysis, and recovery of digital steganography. Stego Suite 4.1 includes Stego Watch, an automated steganography investigation scanning software package, 9 steganography detection algorithms covering all common digital image file types and audio wav files, Stego Analyst, a visual image analysis package for in-depth digital image and audio file analysis, and Stego Break, an automated steganography cracking tool. | Commercial | Download Page |
| Tex2Hex | This utility will convert ASCII characters to Hexadecimal Values.
This is particularly useful when searching using software that can accept Hex Values as search criteria. | Freeware | Download Page |
| True Time | True time is a program that will ask the user for the correct date and time, and obtain the system date and time from the system BIOS. This output can be redirected to a file for retention in forensic investigations. Excellent addition to a forensic boot disk. | Freeware | Download Page |
| WebDate | This utility was originally designed so I could establish how Microsoft Internet Explorer stored date & time values inside index.dat files. Type or paste into the main window, the URL of a website or individual file and it will return the Last Modified date & time of that site, web page or individual file. | Freeware | Download Page |
0
comments
