|
Computer Forensics Products |
|
|
Product Name |
Description |
|
CRCMD5 (New Technologies) |
Mathematically creates a unique signature for the contents of one, multiple or all files on a given storage device. Such signatures can be used to identify whether or not the contents of one or more computer files have changed. This forensics tool relies upon 128-bit accuracy and can easily be run from a floppy diskette to benchmark the files on a specific storage device, e.g., floppy diskette, hard disk drive and/or zip disk. CRCMD5 can be used as the first step in the implementation of a configuration management policy. Such a policy and related system benchmarking can help computer specialists isolate problems and deal with computer incidents after they occur. The program is also used to document that computer evidence has not been altered or modified during computer evidence processing. |
|
DIBS Forensic Workstation (DIBS USA, Inc.) |
The DIBS® Forensic Workstation provides the complete solution to the problems faced by the computer crime investigator. Developed over a number of years by practicing forensic analysts, the dedicated equipment meets the demands imposed by today's advanced enquiries. |
|
DIBS Mobile Forensic Workstation (DIBS USA, Inc.) |
The DIBS® Mobile Forensic Workstation provides all the equipment required for on-site analysis of the contents of suspect computers. Contained in a case made of ultra high impact structural polypropylene, with a neoprene O-ring seal, the DIBS® Mobile Forensic Workstation is rugged and hard working and provides full protection for the forensic equipment inside. This includes a Pentium based laptop fully configured with analysis software, an external hard disk housing and three hard disk racks and drives for reconstructions, a black and white/colour printer, PCMCIA card, cables, connectors and mouse. The DIBS® Mobile Forensic Workstation allows on-site hard disk restorations and analyses. |
|
DIBS Portable Evidence Recovery Unit (DIBS USA, Inc.) |
DIBS® Portable Evidence Recovery Unit is the efficient and easy way to copy the entire contents of a computer's hard disk. It was developed after working closely with senior police officers to find a fast, powerful and reliable way to retrieve potential evidence which was admissible in a court of law. |
|
DIBS Professional Forensic Software (DIBS USA, Inc.) |
Available as a series of modules, each designed for specific tasks, DIBS® Analyzer is highly effective and productive software. Many time consuming jobs, such as undeleting files, are automated by the software, and as you work with DIBS® Analyzer you can print out evidence and examination details in a format that will be acceptable in a court of law. |
|
DiskSearch 32 (New Technologies) |
Used to find strings of text in files. Can be used to find strings of text in file slack and unallocated space. Also has the capability of finding similar words or words that have been spelled incorrectly. Can also be used to search a storage device at a physical level. |
|
DiskSig (New Technologies) |
This program is used to mathematically create a unique signature for the content of a computer hard disk drive. Such signatures can then be used to validate the accuracy of forensic bit stream image backups of computer hard disk drives. This program was primarily created for use with SafeBack software by Sydex Corporation. SafeBack is used by a majority of law enforcement computer specialists and has gained wide acceptance in the law enforcement and military community over the last nine years. For this reason, NTI has created this program to verify the accuracy of forensic bit stream backups and related restorations of the content of computer hard disk drives. Although this program was primarily developed for use with SafeBack, it can also be used with any bit stream backup utility. |
|
DM (New Technologies) |
Freeware database analysis tool. |
|
DRIVESPY (Digital Intelligence) |
A forensic DOS shell. It is designed to emulate and extend the capabilities of DOS to meet forensic needs. Whenever appropriate, DRIVESPY will use familiar DOS commands (CD, DIR, etc.) to navigate the system under investigation. When beneficial, DRIVESPY will extend the capabilities of the associated DOS commands, or add new commands as necessary. DRIVESPY provides a familiar DOS-like prompt during system navigation. |
|
EnCase (Guidance Software) |
Fully integrated forensic application for Windows. |
|
FileCNVT (New Technologies) |
Freeware tool that supplements the FileList program from New Technologies. FileList is a forensic tool that is used to quickly catalog the contents of one or more computer hard disk drives. The FileList output is compressed so that the program and related output will normally fit on just one floppy diskette. |
|
FileList (New Technologies) |
Used to quickly document information about files stored on one or more computer hard disk drives and other computer storage devices. This multi-purpose tool was designed for covert use, security reviews and forensic laboratory processing of computer evidence. It leaves no trace that it has been used and the output is compressed so that the output will usually fit on just one floppy diskette. It is compatible with DOS, Windows, Windows 95/98 and a special version is available for Windows NT systems. |
|
FILTER (New Technologies) |
Freeware program used to remove binary (non-alphanumeric) characters from computer data. The program has been used by military and law enforcement agencies for years and was donated to the law enforcement community in 1991 by Michael R. Anderson (a New Technologies founder). Once a file has been processed with this program the contents can be printed and viewed with traditional computer applications, e.g., word processors. |
|
Filter_I (New Technologies) |
This enhanced forensic filter utility is used to quickly make sense of nonsense in the analysis of ambient computer data, e.g., Windows swap file data, file slack data and data associated with erased files. Filter_I relies upon pre-programmed artificial intelligence to identify fragments of word processing communications, fragments of E-mail communications, fragments of Internet chat room communications, fragments of Internet news group posts, encryption passwords, network passwords, network logons, database entries, credit card numbers, social security numbers and the first and last names of individuals that have been listed in communications involving the subject computer. This software saves days in the processing of computer evidence when compared to traditional methods. |
|
ForensiX (Fred Cohen & Associates) |
ForensiX provides a top-flight, extensible, forensic examination system for computer evidence, all in a user friendly graphically managed package. With its broad functionality, easy-to-use interface and built-in forensic integrity mechanisms, ForensiX meets the needs of corporate and law enforcement. |
|
FRED (Digital Intelligence) |
Forensic Recovery of Evidence Device. A highly integrated platform which may be used both for the acquisition and analysis of computer based evidence. Can operate as a standard PC Platform when not in use for forensic acquisition or processing. FRED is available in stationary, mobile, or combined configurations. |
|
FREDDIE (Digital Intelligence) |
Forensic Recovery of Evidence Device Diminutive Interrogation Equipment. The little brother of FRED from Digital Intelligence. Like FRED, FREDDIE is a highly integrated platform which may be used both for the acquisition and analysis of computer based evidence. FREDDIE is a highly portable solution which meets both imaging and processing requirements. FREDDIE also uses a standard ATX Motherboard, Power Supply and other components in order to minimize compatibility issues and maximize flexibility. The removable devices in the forensic bays can be interchanged between both FRED and FREDDIE. |
|
GetFree (New Technologies) |
This program is used to capture all of the unallocated file space on DOS/Windows based computer systems for forensic analysis and review. A special version also exists for use with Windows NT systems. It is sold separately. The use of this program eliminates the need to restore potentially hundreds or thousands of files on computer hard disk drives and floppy diskettes. It was primarily developed as a computer forensic tool for use in computer related investigations and internal audits. However, GetFree is also an ideal tool for computer security risk assessments because it automatically captures the data associated with unallocated space. Such data can be reviewed and analyzed using other NTI forensic tools to identify corporate computer policy violations and evidence in criminal and civil proceedings. From a security standpoint, this tool is also ideal for the validation of computer security scrubbers and related computer security procedures concerning the elimination of sensitive and/or classified computer data. |
|
GetSlack (New Technologies) |
This program is used to capture all of the file slack on a logical DOS/Windows hard disk drive or floppy diskette for analysis with other NTI forensic tools. A special version also exists for the processing of Windows NT systems. It is sold separately. The software is an ideal tool for use in investigations, internal audits and in computer security reviews. NTI places special importance on the use of this tool in computer security risk assessments because memory dumps in file slack are cause for security concern. Typically, network logons and passwords are found in file slack. It is also possible for file encryption passwords to be stored in memory dumps made to file slack. |
|
IMAGE (Digital Intelligence) |
A standalone utility to generate physical images of floppy disks. The files generated by IMAGE contain complete physical images of the diskette(s) being processed. IMAGE is capable of generating either highly compressed or "flat" images for forensic analysis. IMAGE utilizes internally implemented algorithms which are identical to those used in ZIP compatible archives. If desired, non-compressed (flat) images may also be generated to facilitate examination of the image file itself. |
|
ManHunt (Recourse Technologies) |
Protects e-business infrastructures and provides recourse against hacking by: Rapidly responding to intrusions and DoS attacks to minimize business interruptions and damage to customer confidence; Automatically determining an attacker's precise network entry point and forwarding the information to upstream ISPs, reducing the expertise and resources required to quickly respond to attacks; Diverting attacks to a decoy environment, such as ManTrap™, allowing you to gather forensic information about the attack without suffering business interruptions. |
|
ManTrap (Recourse Technologies) |
Works covertly in order to trap hackers within a decoy environment, and then track every move they make. ManTrap is a next-generation covert security application that protects your enterprise by diverting attackers to a decoy environment, putting you in control to contain, monitor and identify the intruder. You decide what steps to take to respond to this attempted security breach, whether it is to simply prevent the intruder from coming back again based on data you gathered, or actually using the data to apprehend the intruder with the help of authorities. This protects you from the potential loss of confidential information, provides the data needed for apprehension and possible prosecution, and lessens the risk of business interruption. |
|
NTAView (New Technologies) |
Freeware tool used in investigations related to Internet E-mail, Internet Browsing and Internet File Downloading. The program is for use with New Technologies Net Threat Analyzer (NTA) software. It can be used to determine E-mail and Internet browsing frequency and has built in features that provide for frequency distribution analysis of NTA's findings. |
|
NTI-DOC (New Technologies) |
This program is used to essentially take an 'electronic snapshot' of files and subdirectories that have previously been identified as having evidentiary value. Having the program is like having a camera at the 'electronic crime scene'. It is a simple yet effective forensic documentation tool. The program automatically creates documentation that can be printed, viewed or pasted into investigative computer forensic reports. The original program titled DOC has been used for years by military and law enforcement computer specialists and was previously donated for law enforcement use by Michael R. Anderson, an NTI founder. This version contains enhancements that are not found in the original version. |
|
PART (Digital Intelligence) |
A Partition Manager which will list summary information about all the partitions on a hard disk, switch bootable partitions, and even hide and unhide DOS partitions. |
|
Password Recovery Kit (New Technologies) |
Allows access to password protected files. |
|
PDBLOCK (Digital Intelligence) |
A standalone utility designed to prevent unexpected writes to a physical disk drive. When PDBLOCK is executed on a computer its job is to prevent all writes to the physical drives. Handling both the standard Interrupt 13 and the Interrupt 13 Extensions, PDBLOCK is designed to be the next generation of write blockers providing protection for Large Hard Drives, FAT32(x), DOS 7.1. Prevents accidental overwriting of computer evidence. |
|
PTable (New Technologies) |
Hard disk partition table analysis tool. This software tool is used in computer forensics to review and analyze the partition table(s) assigned to a hard disk drive. This tool is essential in network forensics and/or when multiple operating systems are stored on one hard disk drive in multiple partitions. This software is also used to identify hidden data potentially stored in the partition gap or 'unknown' partitions. |
|
Seized (New Technologies) |
Evidence preservation tool. This simple program is designed to limit access to computers that have been seized as evidence. All too often, 'resident computer experts' get curious and attempt to operate seized computers in hopes of finding clues or evidence. These individuals many times are not trained in computer forensics and are therefore unfamiliar with proper computer evidence processing procedures. They typically don't know that even the mere running of a computer system can overwrite evidence stored in the Windows swap file and/or in erased file space. This program was written to help prevent these common problems. |
|
ShowFL (New Technologies) |
Freeware tool for the timeline analysis of computer usage. It is also helpful in the investigation of conspiracies when multiple computers and computer users are involved. It is made available here so that our clients will have easy access to the current version for use in conjunction with the FileList program from New Technologies. |
|
TCT (Dan Farmer and Wietse Venema) |
Freeware - The Coroner's Toolkit. A collection of programs that can be used for a post-mortem analysis of a UNIX system after break-in. |
|
TextSearch Plus (New Technologies) |
Used to quickly search hard disk drives, zip disks and floppy diskettes for key words or specific patterns of text. It operates at either a logical or physical level at the option of the user. |