Autopsy - CORRECT ANSWER Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® (TSK) and other digital forensics tools.
Law enforcement, military, and corporate examiners use it to investigate activities on a computer. It can even be used to recover photos from a camera's memory card. Autopsy is an end-to-end platform with in-built as well as third-party modules. Some of the modules provide the following functions:
▪ Timeline analysis: Advanced graphical event viewing interface (video tutorial included)
▪ Hash filtering: Flags known bad files and ignores known good files
▪ Keyword search: Indexed keyword search to find files that mention relevant terms
▪ Web artifacts: Extracts history, bookmarks, and cookies from Firefox, Chrome, and Internet Explorer
▪ Data carving: Recovers deleted files from unallocated space using PhotoRec
▪ Multimedia: Extracts Exif files from pictures and videos
▪ Indicators of compromise: Scans a computer using Structured Threat Information.
Sleuth Kit® - CORRECT ANSWER The Sleuth Kit® (TSK) is a library and collection of command-line tools that assist in the investigation of disk images. The core functionality of TSK allows the user to analyze volume and file-system data. The plug-in framework allows the user to incorporate additional modules to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools, and the command-line tools can be directly used to find evidence. It supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks. It analyzes raw (i.e. dd), Expert Witness (i.e. EnCase), and AFF file systems and disk images. It supports the NTFS, FAT, ExFAT, UFS 1, UFS 2, ext2, ext3, ext4, HFS, ISO 9660, and YAFFS2 file systems.
Sleuth Kit (TSK): fsstat - CORRECT ANSWER fsstat displays the details associated with a file system. The output of this command is specific to the file system. At a minimum, the command displays the range of metadata values (inode numbers) and content units (blocks or clusters).
Sleuth Kit (TSK): istat - CORRECT ANSWER istat displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated.
Sleuth Kit (TSK): fls and img_stat - CORRECT ANSWER The fls command lists the file and directory names in a disk image. img_stat displays the details associated with an image file. The output of this command is specific to the image format. At a minimum, the size will be given, and the byte range of each file will be given for split image formats.
Belkasoft Live RAM Capturer - CORRECT ANSWER Belkasoft Live RAM Capturer is an open-source forensic tool that enables reliable extraction of the entire contents of the computer's volatile memory, even if protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available to minimize the tool's footprint. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with Live RAM Analysis using the Belkasoft Evidence Center software. Belkasoft Live RAM Capturer is compatible with all versions and editions of Windows including XP, Vista, Windows 7, 8, and 10, 2003, and 2008 Server.
Linux Memory Extractor (LiME) - CORRECT ANSWER Linux Memory Extractor (LiME) is a loadable kernel module (LKM) that enables volatile memory acquisition from Linux and Linux-based devices. It also minimizes its interaction between user and kernel space processes during acquisition, which enables it to create memory capture files in a forensically sound manner. Using LiME, volatile memory can be acquired locally as well as remotely.
Digital Collector - CORRECT ANSWER Cellebrite Digital Collector is a forensic software solution to perform triage, live data acquisition, targeted data collection, and forensic imaging of Mac computers. It is the digital solution to create physical images of Macs with the Apple T2 chip. Digital Collector is designed for investigators to do triage and analysis, on-scene or in the lab. It also provides various features for targeted data collection, live data acquisition, and forensic imaging.
OSXPMem - CORRECT ANSWER This is a user-mode, open-source tool that works via the command line. It parses the physical memory in Mac machines and creates AFF4 format images for analysis.
AccessData FTK Imager - CORRECT ANSWER FTK Imager is a data preview and imaging tool. It can also create perfect copies (forensic images) of computer data without making changes to the original evidence.
dd Command - CORRECT ANSWER Forensic investigators can use the built-in Linux command dd to copy data from a disk drive. This command can create a bit-stream disk-to-disk copy and a disk-to-image file. It can copy any disk data that Linux can mount and access. Forensic tools such as AccessData FTK and Ilook can read dd image files.
dcfldd Command - CORRECT ANSWER The dcfldd tool was developed by Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL). dcfldd works similarly to the dd command but provides additional features designed for forensic acquisitions.
Rufus - CORRECT ANSWER Rufus is a utility that helps format and create bootable USB flash drives such as USB keys/pen drives and memory sticks.
CAINE - CORRECT ANSWER CAINE (Computer Aided Investigative Environment) is an Italian GNU/Linux live distribution created as a digital forensics project. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
Guymager - CORRECT ANSWER Guymager is a free forensic imager for media acquisition.
R-Studio - CORRECT ANSWER R-STUDIO is the data recovery solution for recovery of files from NTFS, NTFS5, ReFS, FAT12/16/32, exFAT, HFS/HFS+, and APFS (Macintosh), Little and Big Endian variants of UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris), and Ext2/Ext3/Ext4 FS (Linux) partitions. It also uses raw file recovery (scan for known file types) for heavily damaged or unknown file systems. It functions on local and network disks, even if such partitions are formatted, damaged, or deleted.
EaseUS Data Recovery Wizard - CORRECT ANSWER EaseUS Data Recovery Wizard software is used to perform format recovery, unformat drives, and recover deleted files emptied from the Recycle Bin or data lost due to partition loss or damage, software crash, virus infection, unexpected shutdown, or any other unknown reasons under Windows 10, 8, 7, 2000/XP/Vista/2003/2008 R2 SP1/Windows 7 SP1. This software supports hardware RAID and hard drives, USB drives, SD cards, memory cards, etc.
Recover My Files - CORRECT ANSWER Recover My Files is a data recovery software that recovers deleted files/data from Windows Recycle Bin and files lost due to formatting or corruption of a hard drive, virus or Trojan infection, and unexpected system shutdown or software failure.
DiskDigger - CORRECT ANSWER DiskDigger is a program that undeletes and recovers lost files from hard drives, memory cards, and USB flash drives. This tool can be used to recover documents or photos accidentally deleted from the computer or from a reformatted camera memory card or can be used to check the files that are on an old USB drive.
Handy Recovery - CORRECT ANSWER Handy Recovery is data recovery software designed to restore files accidentally deleted from hard disks and memory cards. The program can recover files damaged by virus attacks, power failures, and software faults, or files from deleted and formatted partitions. If a program does not use the Recycle Bin when deleting files, Handy Recovery can restore such files. It can also recover files removed from the Recycle Bin after it has been emptied.
Quick Recovery - CORRECT ANSWER Quick Recovery software recovers files that have been lost, deleted, corrupted, or even deteriorated. The application searches for, scans, and recovers files that are encrypted and password protected and restores them.