Evidence Collection Tools
Disk Image Creation
- AccessData FTK Imager - Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and the paging file on 32-bit and 64-bit systems.
- Bitscout - Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact.
- GetData Forensic Imager - Windows-based program that acquires, converts, or verifies a forensic image in common forensic file formats.
- Guymager - Free forensic imager for media acquisition on Linux.
- Magnet ACQUIRE - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.
Windows
- AChoir - Framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows.
- Crowd Response - Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.
- Cyber Triage - Cyber Triage has a lightweight collection tool that is free to use. It collects source files (such as registry hives and event logs), but also parses them on the live host so that it can also collect the executables that startup items, scheduled tasks, etc. refer to. Its output is a JSON file that can be imported into the free version of Cyber Triage. Cyber Triage is made by Sleuth Kit Labs, which also makes Autopsy.
- DFIR ORC - DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artifacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on GitHub.
- FastIR Collector - Tool that collects different artifacts on live Windows systems and records the results in CSV files. Analysis of these artifacts can detect a compromise early.
- Fibratus - Tool for exploration and tracing of the Windows kernel.
- Hoarder - Collecting the most valuable artifacts for forensics or incident response investigations.
- IREC - All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.
- Invoke-LiveResponse - Invoke-LiveResponse is a live response tool for targeted collection.
- IOC Finder - Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. No longer maintained. Only fully supported up to Windows 7 / Windows Server 2008 R2.
- IRTriage - Incident Response Triage - Windows Evidence Collection for Forensic Analysis.
- KAPE - Kroll Artifact Parser and Extractor (KAPE) by Eric Zimmerman. A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.
- LOKI - Free IR scanner for scanning endpoints with YARA rules and other indicators of compromise (IOCs).
- MEERKAT - PowerShell-based triage and threat hunting for Windows.
- Panorama - Fast incident overview on live Windows systems.
- PowerForensics - Live disk forensics platform, using PowerShell.
- PSRecon - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
- RegRipper - Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
Linux
- FastIR Collector Linux - FastIR for Linux collects different artifacts on live Linux and records the results in CSV files.
- MAGNET DumpIt - Fast, open source memory acquisition tool for Linux written in Rust. Generates full memory crash dumps of Linux machines.
OSX
- Knockknock - Displays persistent items (scripts, commands, binaries, etc.) that are set to execute automatically on OSX.
- macOS Artifact Parsing Tool (mac_apt) - Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files.
- OSX Auditor - Free Mac OS X computer forensics tool.
- OSX Collector - OSX Auditor offshoot for live response.
- The ESF Playground - A tool to view the events in Apple Endpoint Security Framework (ESF) in real time.