Forensic Tools & Applications
The forensic lab VM is equipped with many commonly used forensic tools that are either open source, free, or licensed. You will be able to complete the investigations with the tools provided. Tools are either installed on the Windows VM itself (launched from a desktop shortcut), located in the C:\Tools folder, or installed within the Ubuntu distribution of the Windows Subsystem for Linux (WSL).
Note: We are open to requests for adding tools if licensing requirements can be accommodated.
Tools Available
| Tool Name | File Path / Launch Method | Category | Description |
|---|---|---|---|
| 7-Zip | Desktop Shortcut (Installed) | File Archiving | Opens and extracts archives like ZIP, RAR, and forensic image formats. |
| Autopsy | Desktop Shortcut (Installed) | GUI Forensics Suite | A digital forensics platform for hard drive investigation. |
| Event Log Explorer | Desktop Shortcut (Installed) | Event Log Analysis | GUI tool to view and analyze Windows Event Logs. |
| Notepad++ | Desktop Shortcut (Installed) | Text Editing | Lightweight editor for viewing and editing text files. |
| Visual Studio Code | Desktop Shortcut (Installed) | Text/Code Editing | Editor useful for viewing logs, code, or scripts. |
| Exterro FTK Imager | Desktop Shortcut (Installed) | Disk Imaging | Creates forensic images of drives and folders, with preview capabilities. |
| Arsenal Image Mounter | C:\Tools\Arsenal-Image-Mounter | Disk Mounting | Mounts forensic images as local disks. |
| BrowsingHistoryView | C:\Tools\browsinghistoryview-x64 | Browser Artifact Analysis | Used for analysis of browser history data. |
| CyberChef | C:\Tools\CyberChef_v10.4.0\CyberChef.html | Data Transformation | Encoding, decoding, and data parsing tool. |
| DB Browser for SQLite | C:\Tools\DB.Browser.for.SQLite-v3.13.1-win64 | Database Analysis | Used to analyze and query SQLite databases, e.g. browser history databases. |
| EZ Tools (Eric Zimmerman) | C:\Tools\EZTools | Artifact Analysis | Parses common Windows forensic artifacts. |
| Hayabusa | C:\Tools\hayabusa-3.2.0-win-x64 | Log Analysis | Parses and analyzes Windows Event Logs. |
| Hindsight | C:\Tools\Hindsight | Browser Artifact Analysis | Analyzes Chrome browser artifacts. |
| KAPE | C:\Tools\KAPE | Triage Collection | Collects and parses forensic artifacts. |
| RegRipper | C:\Tools\RegRipper | Registry Analysis | Parses and analyzes Windows registry hives. |
| Sysinternals Suite | C:\Tools\SysinternalsSuite | Live Analysis Tools | Tools for system monitoring and diagnostics. |
| YARA | C:\Tools\yara-v4.5.2-2326-win64 | Malware Detection | Matches patterns in files to identify malware. |
| SIDR (Search Index DB Reporter) | C:\Tools\SIDR | Windows Search Index Analysis | Parses Windows Search ESE databases (Windows.edb) and SQLite databases (Windows.db). |
| Google DriveFS Forensic Extractor & Metadata Exporter | C:\Tools\drivefs_forensic_extractor-1.0.0 | Google Drive Artifact Analysis | Forensic tool for extracting and analyzing Google DriveFS cached files and metadata. |
| Plaso | log2timeline.py, psort.py, psteal.py via Ubuntu WSL | Timeline Analysis | Creates super timelines from forensic artifacts. |
| Volatility 3 | vol via Ubuntu WSL | Memory Forensics | Framework for analyzing memory dumps. |
