- slide 1 of 3
The work of computer forensic practitioners would be nearly impossible without software tools and hardware equipment for examining various media. While computer forensic tools are highly specialized and costly in many respects, there are many open source offerings as well.
While powerful software solutions, such as X-Ways Forensics, offers a wide array of features to analyse the structure and contents of deleted and existing files to form an idea of the overall disk space usage while displaying the results in a drive contents table. Still, some users want the flexibility to customize the forensic tools they use. Here are some open source forensic software options to consider.
- slide 2 of 3
Open Source Forensic Hard Drive Recovery Tools
File Ripper – This program can be used as a forensic tool to recover files where file system information has been lost or otherwise corrupted, or where files have been deleted. It can detect and extract PNG, ANS, ZZT, FRM, text BAS, BMP, HTML, GIF, ZIP, DOC, MZX, LBM, PBM, ANM, BAT, BAS, RTF, HLP, WAV, WRI, JPG, ARJ, DOS EXE, MZB, FLI, MSP, LZH/LHA, MOD, XM, VOC, SVX, GDM, IT, S3M, SAV, BRD, ABM, Quetzal, and even some obscure bulletin board formats.
Author: Kristofer Munsterhjelm – Maintainer
Disktype - This tool is written in C and should compile easily to run on any modern UNIX environment. Disktype is designed to detect the contents of disks and partitions once they are in well establish file system formats and boot codes. Some of the file systems that Disktype recognizes include: FAT12/FAT16/FAT32, NTFS, HPFS, MFS, HFS, HFS Plus, ISO9660, UDF, ext2/ext3, Minix, ReiserFS, Reiser4, Linux romfs, Linux cramfs, Linux squashfs, UFS (some variations), SysV FS (some variations), JFS, XFS, Amiga, FS/FFS, Amiga SFS, Amiga PFS, BeOS BFS, QNX4 FS, 3DO CD-ROM FS, Xbox DVD file system, Veritas VxFS.
Author: Christoph Pfisterer
Source code: http://disktype.sourceforge.net/
Fatback - Fatback was designed to undelete files from FAT file systems.
Source Website: http://sourceforge.net/projects/biatchux
Author: Nicholas Harbour
The Sleuth Kit - The Sleuth Kit is a collection of command line tools for analyzing FAT, NTFS, EXT2FS and FFS file systems. It can also analyze DOS, BSD, Sun, and Mac partitions. The tool allows for the recovery and analysis of deleted content while allowing them to be sorted by file type, and viewed according to file activity in a timeline display.
Author: Brian Carrier
The Coroner's Toolkit (TCT) - TCT is a collection of programs that can be used to analyze the effects of a break-in attempt on a UNIX system.
Author: Dan Farmer & Wietse Venema
File AUdit Security Toolkit (FAUST) – This tool can be used to gather data after a break-in attempt has been discovered. Its goal is not to analyze data; instead it is a perl script that can be used to collect pieces of data, to be analyzed at a later date.
Author: Frederic Raynal
File - File guesses file types based on the file’s header and footer values.
Author: Christos Zoulas
- slide 3 of 3
Open source licenses allow talented people to make enhancements to programs so that they can perform even more specialized functions. Open source forensic hard drive recovery tools are particularly useful to forensic science professionals because they often need unique solutions to complete difficult and tedious forensic investigations.
While we introduced a number of hard drive and data recovery open source tools in this article, there are still many other freeware forensic tools that are available for media management and network and application analysis.
“Open source forensic hard drive recovery tools." Tim Patterson