Nowadays, computer or digital forensics is very important because of crimes related to computers, the Internet and mobile devices. Pieces of evidence such as computers and digital devices contain or store sensitive information that can be useful to the forensic investigator in a particular crime or incident.
Digital forensic investigation requires tools to extract the desired information from devices. Several commercial tools exist for forensic investigation, but they are expensive to buy. The open source community has also contributed to this field, and there are several open source tools for digital forensics. In this article, the best tools related to digital forensics will be explored.
Before exploring the well-known forensic tools themselves, the following Linux distributions bundle many free forensic tools.
1) SIFT (SANS Investigative Forensic Toolkit)
An international team of forensics experts, along with SANS instructors, created the SANS Investigative Forensic Toolkit (SIFT) Workstation for incident response and digital forensics use. The SIFT forensic suite is freely available to the whole community. The free SIFT toolkit, which can match any modern incident response and forensic tool suite, is used in SANS courses. It demonstrates that advanced investigations and intrusion response can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
The features of the SIFT distribution are the following:
- Ubuntu LTS 14.04 Base
- 32/64 bit base system
- Latest forensic tools and techniques
- VMware Appliance ready to tackle forensics
- Cross compatibility between Linux and Windows
- Option to install stand-alone via (.iso) or use via VMware Player/Workstation
2) CAINE (Computer Aided Investigative Environment)
CAINE is a Linux live distribution created as a digital forensics project. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main objectives that the CAINE distribution aims to guarantee are the following:
- an inter-operable environment that supports the digital investigator during the four phases of the digital investigation
- user-friendly graphical interface
- contains open source tools
3) KALI (formerly Backtrack)
Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. Kali Linux is the first choice of penetration testers and security professionals. It has security tools for different purposes; open source tools for mobile, network and RAM analysis are available in Kali Linux.
4) DEFT Linux (Digital Evidence & Forensics Toolkit)
DEFT is a distribution made for computer forensics, with the purpose of running live on systems without tampering with or corrupting devices (hard disks, pendrives). It is based on GNU/Linux and can run live (via CD/DVD or USB pendrive), installed, or as a virtual machine on VMware/VirtualBox. DEFT is paired with DART (Digital Advanced Response Toolkit), a forensics system that runs on Windows and contains the best tools for forensics and incident response.
5) Matriux
Matriux is a fully featured security distribution based on Debian, consisting of a powerful bunch of more than 300 open source and free tools that can be used for various purposes including, but not limited to, penetration testing, ethical hacking, system and network administration, cyber forensics investigations, security testing, vulnerability analysis, and much more. It is a distribution designed for security enthusiasts and professionals, although it can also be used as your default desktop system.
Matriux is designed to run from a live environment such as a CD/DVD or USB stick, or it can easily be installed to your hard disk in a few steps. Matriux also includes a set of computer forensics and data recovery tools that can be used for forensic analysis, investigations and data retrieval.
6) Santoku
Santoku is dedicated to mobile forensics, analysis and security, packaged in an easy-to-use open source platform. It is sponsored by the mobile security firm NowSecure.
Free Forensic tools for Linux
There are several categories of computer forensics tools; the following are the well-known ones:
- Memory forensic analysis
- Hard drive forensic analysis
- Forensic imaging
- Network forensics
8) Linux "dd" utility
The "dd" utility comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). It can be used for various digital forensic tasks such as forensically wiping a drive (zeroing it out) and creating a raw image of a drive. It is a very powerful tool that can have devastating effects if not used with care: the same command that images a drive will overwrite it if the input and output arguments are swapped. It is recommended that you experiment in a safe environment before using this tool in the real world.
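An added example (not code from the article) of the imaging task described above: acquire a raw image with dd, then hash the source and the image so the copy can be shown to be faithful before it is loaded into a tool such as Autopsy. The source is normally a block device such as /dev/sdb (ideally behind a write blocker); here a constructed random file stands in for it so the script runs offline, and the function names are this example's own.

```shell
# acquire_image SOURCE IMAGE [BLOCKSIZE]
# conv=noerror,sync keeps reading past unreadable sectors and zero-pads them so
# the image stays offset-aligned with the source. Caveat: sync also pads the
# final block, so a SOURCE whose size is not a multiple of BLOCKSIZE (a file
# rather than a device) yields an image hash that legitimately differs.
acquire_image() {
    dd if="$1" of="$2" bs="${3:-4M}" conv=noerror,sync 2>/dev/null
}

# verify_image SOURCE IMAGE
# Hashes source and image, records both next to the image for the case notes,
# and returns 0 only when the two hashes match.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Demonstration on a constructed 8 MiB "device" filled with random bytes;
# replace source.bin with the real device path for an actual acquisition.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/source.bin" bs=1M count=8 2>/dev/null
acquire_image "$work/source.bin" "$work/evidence.dd"
if verify_image "$work/source.bin" "$work/evidence.dd"; then
    echo "image verified:"; cat "$work/evidence.dd.sha256"
else
    echo "HASH MISMATCH: do not treat evidence.dd as a faithful copy" >&2
fi
rm -rf "$work"
```

A single appended or flipped byte in the image is enough for verify_image to fail, which is exactly the case the hash record exists to catch.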
9) The Sleuth Kit (Autopsy)
The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems (FAT, NTFS, EXT2/3, etc.) and raw images. Autopsy is a graphical interface for The Sleuth Kit's command line tools. It comes with features like timeline analysis, hash filtering, file system analysis and keyword searching, with the ability to add other modules for extended functionality.
When you launch Autopsy, you can choose to create a new case or load an existing one. To create a new case you need to load a forensic image to start the analysis; once the analysis process is complete, use the nodes in the left-hand pane to choose which results to view.
This article is about the contribution of open source to the digital forensics field. Free and well-known tools for the different areas of digital forensics have been discussed, and several Linux distributions that bundle many free forensic tools have been listed.