
RESEARCH PAPER ON

COMPARATIVE STUDY OF DIGITAL FORENSICS TOOLS

CA Kalavathi
Membership No.157487

Batch 57: Virtual Certification course on Forensic Accounting & Fraud Detection

Index

Abstract
Introduction
Basic Digital Forensic Investigation process
Digital Forensics
Forensic Evidence
IDFPM Framework
Types of Computer Forensics
Analysis of Forensic Tools
Types of Forensic Tools
Future Scope
Results & Discussions
Conclusion

Abstract:
Digital forensics is the part of the forensic discipline that covers crime related to computer
technology. The use of computers to investigate computer-based crime has led to the development
of a new field called digital forensics. Digital forensics provides a foundation and new ideas
for better understanding these concepts.

Nowadays cybercrimes such as online banking fraud, credit card theft, intellectual property theft,
identity theft, unauthorized intrusion, child pornography, money laundering, digital piracy etc. are
growing rapidly with technology. Desktops, laptops, smartphones, digital cameras, GPS devices and
even watches can all be used to aid a computer-based fraud. All these devices leave behind a digital
footprint. Gathering electronic evidence and preserving it requires a special set of deliberations.
Without a complete understanding of digital forensics, evidence could be compromised, which may
render it inadmissible in court. Forensic techniques are used to analyse digital crime: to track
where exactly the crime has taken place and where the valuable data is hidden. Digital forensic
tools are used to analyse the data and to recover deleted or hidden data from digital devices.

Data analysis and investigation of digital storage devices using digital forensics is a defined
way towards effective data backup strategies, as well as a key aspect of data privacy and
confidentiality. Digital storage devices like hard drives (internal or external), USB drives, floppy
disks, etc. provide a good medium for the utilisation and storage of data and information. So, the
main task is to retrieve stolen or lost data from these devices. Digital forensics provides the exact
concept for this data extraction, in a systematic and effective manner. A damaged digital storage
device can be in various conditions: it may be burnt, wet or have physically damaged parts, and all
these conditions play a significant role in data extraction. Since data is the most important asset
for any organisation, compromising on its security and confidentiality may be a wrong or
devastating option for the future. Just spending thousands or millions of dollars on finding
vulnerabilities (large-scale or small-scale) is not a solution for being secure. There has to be a
proper and effective choice of ways and tools for it.

Introduction:
The field of digital forensics has become increasingly important over the last few years as both
the computer and the cellular markets have grown. Digital forensics describes the process of going
into a technological device such as a computer or a cell phone in order to monitor the activity on it
and determine whether it has been hacked previously and/or is being watched. We may think that we
don't have much to hide on our technological devices, so this warning need not apply to us. But just
because we have hit a 'delete' button doesn't mean that a good hacker can't find a copy of it
somewhere on our machine. Computers can yield evidence of a wide range of criminal and other
unlawful activities; criminals engaged in network-based crimes are not the only ones who store
information on computers. Many criminals engaged in murder, kidnapping, sexual assault, extortion,
drug dealing, auto theft, espionage and terrorism, gun dealing, robbery/burglary, gambling, economic
crimes, confidence games, and criminal hacking (e.g. Web defacements and theft of computer files)
maintain files with incriminating evidence on their computers. Sometimes the information on the
computer is key to identifying a suspect and sometimes the computer yields the most damning
evidence. Digital forensics is the use of scientifically derived and proven methods toward the
preservation, validation, identification, analysis, interpretation, documentation and presentation
of digital evidence derived from digital sources for the purpose of facilitating or furthering the
reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown
to be disruptive to planned operations. A digital forensic investigation process is a special case
of a digital investigation where
the procedures and techniques that are used will allow the results to be entered into a court of law. For
example, an investigation may be started to answer a question about whether or not illegal imports
digital images exist on a computer.

As computers, networks and digital devices are used worldwide, the chances of cyber-crimes that
rely on such devices and networks will increase. In order to take action against such crimes, we
first need to gather evidence in adequate quantity to support any criminal or civil charges, and as
the evidence will be in digital form, it must be handled properly to maintain the integrity and
value of the data so that the evidence will be admissible in court. Hence, we need a deliberate,
well-planned process for collecting digital data in the first place; for that we require digital
forensics. Digital forensics is the process of identifying, preserving, analysing and presenting
digital evidence for a legal proceeding.

Basic Digital Forensic Investigation Process:

Digital forensics is a comprehensive discipline that comprises branches like computer forensics.
Computer forensics is defined as the collection, preservation, analysis, and court presentation of
computer-related evidence. The digital forensic investigation process comprises the proper
acquisition and preservation of computer evidence, authentication of collected data for court
presentation, and recovery of available data including deleted files. This process has to go through
three phases: acquisition, analysis and reporting.

[Figure: the investigation process in three phases: Acquisition (Identification, Preservation,
Collection and Examination), Analysis, and Reporting. Steps shown: Identification (start with chain
of custody and secure data); Preservation (preserving the digital evidence); Collection (by using
image storage devices and other storage devices); Examination (examine the information available
from the digital sources); Analysis (encrypted/protected data are analyzed); Reporting (document
facts and findings, summarize evidence and prepare proof).]

Identification: In this step we need to visit the crime scene, start the chain of custody and
secure the data. Forensic tools are used to copy all information from the suspect storage device to
a trusted device and documents from the crime scene.

Preservation: Preserving digital evidence early, once it has been identified, is a critical step
toward increasing our chances of a successful investigation, litigation, or incident response.

Collection: Since digital information is stored in computers, hard disks, pen drives, compact discs
etc., collection of digital information means either collecting the equipment containing the
information, or recording the information on some medium. The contents and structure of a disk
volume or an entire data storage device are replicated. This process is known as imaging or cloning
of the disk.

Examination: Examination is best conducted on a copy of the original evidence. The original
evidence should be acquired in a manner that protects and preserves the integrity of the evidence.

Analysis: In this phase, deleted data is recovered using different methodologies to identify the digital
evidence. Also, slack space, hidden disk area, encrypted/protected data are analysed for identification
of evidence.

Reporting: To reconstruct the actions and to reach conclusions, an analysis of the evidence is
performed. After a thorough investigation, the investigator submits his data or information,
generally in the form of a written report. A forensic examination report must list the software
used and its versions, the hash results, and the numbers, models and makes of all storage media. It
must be in simple language and must be supported by photographs.
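
The Collection, Examination and Reporting steps above are tied together by hash values. The following Python code is an added example, not part of the original paper or of any tool it reviews: it copies a source block by block, hashes the bytes as they are read, re-verifies the copy and builds a report record. The in-memory "device", the media details and all function names are constructed for illustration.

```python
import hashlib
import io
import platform

CHUNK_SIZE = 1024 * 1024  # read in blocks so large media never has to fit in memory


def acquire_image(source, image, algorithms=("md5", "sha1", "sha256")):
    """Copy source to image block by block, hashing exactly the bytes read.

    MD5 and SHA-1 are the hash parameters the paper compares tools on; SHA-256
    is added here because collisions are known for the other two.
    Returns (bytes_copied, {algorithm: hex digest of the source}).
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    copied = 0
    for block in iter(lambda: source.read(CHUNK_SIZE), b""):
        image.write(block)
        for hasher in hashers.values():
            hasher.update(block)
        copied += len(block)
    return copied, {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image, recorded):
    """Re-hash the image from its start; return the algorithms that no longer match."""
    image.seek(0)
    hashers = {name: hashlib.new(name) for name in recorded}
    for block in iter(lambda: image.read(CHUNK_SIZE), b""):
        for hasher in hashers.values():
            hasher.update(block)
    return [name for name, h in hashers.items() if h.hexdigest() != recorded[name]]


def report_entry(media, size, hashes, mismatches):
    """Gather what the Reporting step lists: software, versions, hashes, media details."""
    return {
        "software": "imaging example (Python %s)" % platform.python_version(),
        "media": media,
        "bytes_acquired": size,
        "hashes": hashes,
        "verified": not mismatches,
        "mismatched_algorithms": mismatches,
    }


# Constructed media details; a real report takes these from the device label.
SAMPLE_MEDIA = {"number": "EXAMPLE-001", "make": "ExampleCorp", "model": "USB-16G"}


def demo():
    # Constructed stand-in for a suspect device: 3 MiB of patterned bytes.
    device = io.BytesIO(bytes(range(256)) * (3 * 4096))
    image = io.BytesIO()
    size, hashes = acquire_image(device, image)
    clean = report_entry(SAMPLE_MEDIA, size, hashes, verify_image(image, hashes))

    # One byte altered in the copy after acquisition must fail verification.
    image.seek(1000)
    image.write(b"\xff")
    altered = report_entry(SAMPLE_MEDIA, size, hashes, verify_image(image, hashes))
    return clean, altered


if __name__ == "__main__":
    for label, entry in zip(("as acquired", "after alteration"), demo()):
        print(label, "-> verified:", entry["verified"], entry["mismatched_algorithms"])
```
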

Digital Forensics:
As one of the top research topics in information security since its rise in importance, digital
forensics has been the target of many research activities, ranging from discussion of the digital
forensics process to the fine details of acquiring and analysing digital evidence in a forensically
sound environment, as well as the artifacts of different operating systems and how these artifacts
can benefit digital forensic analysis. There are many guidelines on best practices for digital
forensic analysis with its typical investigation models, but the new challenges that appear in the
field require more flexibility in conducting the analysis, so that it can adapt to the circumstances
of each case.

Research has also been conducted on the incident response process, explaining how digital forensics
fits in the examination phase. During incident response, the team is working against time to
identify, contain, examine and understand the nature and components of the attack in order to stop
it, while keeping normal work uninterrupted when possible. A response plan should be predefined
and tested before any incident takes place. The decision on which technique to use should be taken
by the responsible investigator, who should be able to categorize the severity of the incident based
on previously set criteria and respond based on the predefined plan.

Forensic Evidence:

Forensic evidence refers to items collected or information gathered using scientific methods for use
in legal proceedings. There are many types of forensic evidence (e.g. log files, network logs) that
can be obtained to help investigators solve cybercrimes.

IDFPM Framework:
The Integrated Digital Forensic Process Model (IDFPM) consists of the following processes:
Preparation, Incident, Incident Response, Physical Investigation, Digital Forensic Investigation and
Presentation. The processes are performed by qualified personnel. Documentation is included in the
IDFPM as a continuous process: it covers the investigation documents and the chain of custody,
recorded as accurately as possible throughout the entire investigation. The infrastructure and
operational readiness process also occurs in parallel.

Preparation:
This process is encapsulated by stating that forensic readiness has two main objectives: firstly, to
maximize the collection of credible digital evidence from an incident environment, and secondly, to
minimize the cost of a forensic incident response. Any defects may be exploited during presentation
of the digital evidence findings.

Incident:
An incident may be detected by an automated incident detection system, or a similar set of event
sequences is recognized by an investigator, based on possible previous experience. Incidents are often
detected secretly and dealt with secretly within an organization. In these instances, it is imperative that
the organization’s policies and procedures are studied to determine any possible investigative
limitation.

Incident Response:
Depending on the type of investigation, witnesses need to be safeguarded, suspects need to be
detained as soon as possible after arrival and potential evidence must be secured. The first responder
is the first custodian to maintain the chain of evidence and custody of potential digital evidence. The
first responder must be able to accurately describe the scene in the initial drafting of documentation;
these include photographs, video and sketches.

Digital Forensic Investigation:
The physical investigation process occurs in parallel with the digital investigation if the crime is not
isolated to the digital space. The focus of the physical investigation is to analyse DNA, fingerprints
and other possible physical evidence obtained from the incident scene.

Presentation:
Based on the presentation report, a decision is made regarding the person to whom the incident can be
attributed. The decision must be recorded in some database for future reference. All other relevant
documentation that was compiled during the investigation and that might be relevant in reaching a
decision is included in the final presentation report. The legal processes of court case, if applicable,
will become the focus of the processes that follow.

Types of Computer Forensics:
Depending on the digital devices involved in an investigation, and particularly from the technical
point of view, computer forensics includes several sub-branches. The following are some of its
most well-known branches:

1. File System Forensics:

Data on a physical medium, such as a hard drive or flash drive, is organized, labelled, and governed
by a file system; FAT, NTFS, and EXT are the most commonly used file systems, but there are many
more, and it is also possible that a suspect could have created their own file system, in order to
complicate an investigation.

File System Forensics is generally used for discovering the locations of files that are more useful as
evidence than the file system itself; however, the presence of a custom file system, as well as the
presence of anomalies in the locations of data (namely, data existing where it shouldn’t), are
usually proof of immoral activities.

2. Memory forensics:

This term refers to the application of forensic techniques on any/all volatile memory, which includes
RAM, caches (of all levels), and registers (not to be confused with registries). Memory forensics must
be performed during live analysis, because the contents of volatile memory are permanently lost when
the system is shut down.

3. Operating System Forensics:

Logfile analysis is a major part of operating system forensics, because logfile formats differ wildly
between operating systems.

To perform operating system forensics, the investigator must have deep and thorough knowledge of
multiple operating systems, as well as the ability to understand the meaning of logs generated by
different operating systems.

4. Multimedia Forensics:

Multimedia forensics refers to the application of computer forensics techniques on files that contain
more audio/visual data than text, such as sound recordings, music files, videos, and pictures. There are
many possible cases where multimedia files would be useful as evidence: Pirated music files, sound
and video recordings of crimes, and illegal pornographic images, are all some examples.

5. Network Forensics:

IP Tracing and Network Traffic Monitoring are the major components of Network Forensics. The
main objective is to look for evidence of illegal activities that involve a transfer of files or
information.
It is important to note that while most applications of Network Forensics make use of the Internet,
LANs, local ad-hoc networks, and emulated network connections between virtual
machines (VMs) and their host machines, can all be analyzed with the same techniques.
The analysis of social media accounts could be considered a combination of Network and Multimedia
Forensics, depending on which techniques are used.

6. Database Forensics:

Databases are, understandably, full of different types of information. The data can be investigated
for its malicious uses, or to determine how/whether some legitimate data was stolen or deleted.
Sometimes the database itself is valuable information, as the relations between tables in the
database can reveal important details of how, for example, a criminal organization is structured.

7. Malware Forensics:

Malware Forensics refers to the reverse engineering of malware, but also covers the detection of
existing or possible malware.
One of the most immediately useful approaches is to use a goat file (named so because the file is a
scapegoat, sacrificed for the benefit of the investigator). Goat files are designed to make it very
easy for an investigator to see how malware modifies the files once they are infected.

8. Mobile Device Forensics:

Today’s mobile devices are basically smaller computers, having their own operating systems, and
usually serving a specialized purpose. All of the above forensics types and more are applicable to
Mobile Device Forensics.

Some mobile devices use proprietary operating systems, such as iOS and Windows Mobile, while others
are built on open-source systems, such as Android; an investigator would need to know all of them to
be effective in the field.

9. E-mail Forensics:

A lot of information can be found in even the most ordinary emails. Malicious people can harvest
email addresses (both sender and receiver) and begin spamming these accounts in the hopes of
phishing them or propagating malware; IP addresses can be obtained as part of a recon mission, aiding
the attacker in visualizing how the network is constructed; headers contain a plethora of information
that is just as useful to a hacker. These factors are all present even before considering the content
of an email, a leakage of which could have any variety of consequences in the real world.

Emails are just as useful to forensic investigators, however, as they can be analysed to discover
details about the sender and his/her motives, and even submitted as court evidence.
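
How an investigator reads the header information mentioned above can be shown on a single message. The following Python code is an added example, not part of the original paper: it rebuilds the relay path from the Received headers, oldest hop first, and flags two things worth documenting, timestamps that run backwards and a From domain that differs from the Return-Path domain. The sample message, its addresses and the function names are constructed.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message using documentation address ranges and example domains.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.7])
 by inbox.example.com with ESMTPS id abc123;
 Mon, 06 May 2024 10:15:09 +0000
Received: from relay.example.net (relay.example.net [203.0.113.25])
 by mx.example.org with ESMTP id def456;
 Mon, 06 May 2024 10:15:05 +0000
Received: from workstation (unknown [192.0.2.44])
 by relay.example.net with ESMTPA id ghi789;
 Mon, 06 May 2024 10:15:02 +0000
From: "Accounts" <accounts@example.com>
To: clerk@example.com
Subject: Invoice
Date: Mon, 06 May 2024 10:15:00 +0000

Please see the attached invoice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the Received chain oldest hop first (each relay prepends its header)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold continuation lines
        sender = re.search(r"\bfrom\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        ip = IP_RE.search(text)
        stamp = None
        if ";" in text:
            try:
                stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
                if stamp.tzinfo is None:  # "-0000" parses as naive; treat as UTC
                    stamp = stamp.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                stamp = None  # unparseable date: keep the hop, drop the time
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "ip": ip.group(1) if ip else None,
            "time": stamp,
        })
    return hops


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if there is none."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def summarize(raw):
    """Findings for the report. Only headers added by servers the investigator
    trusts are reliable; anything below them can be forged by the sender."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    from_dom, return_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    backwards = [
        i for i in range(1, len(hops))
        if hops[i]["time"] and hops[i - 1]["time"] and hops[i]["time"] < hops[i - 1]["time"]
    ]
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "path": [h["by"] for h in hops],
        "envelope_mismatch": bool(from_dom and return_dom and from_dom != return_dom),
        "out_of_order": backwards,  # indexes of hops stamped earlier than the hop before
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
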

10. Firewall Forensics:

Firewalls are used to grant or restrict access based on a set of rules defined by the administrator. They
are designed to be a first line of defence against information theft and cyber-attacks, and as such, are
forensic-friendly.

Firewalls keep extremely detailed activity logs, which can be mined for data. Because of this, log file
analysis is a big part of firewall forensics. Firewall logs contain information about programs that
attempted to access information, the information that was requested, the user account or IP address
requesting the information, and the port it was requested on (among other things).

Analysis of Forensic Tools:

Security researchers have defined a proper mechanism for the investigation and analysis of digital
forensics tools. As already discussed, there are three basic stages of a digital forensics
investigation to be followed in order to carry out the most sustainable forensic analysis, namely
Acquisition, Analysis and Reporting.

The tools used for examination in digital forensics include Award Key Logger, USBDeview,
ProDiscover, CAINE, FTK, EnCase, Autopsy, OS Forensics, SIFT, etc. It is generally considered that
open-source tools have fewer features and functions than proprietary tools, and this shortcoming
can lead to an open-source tool's downfall. So, different functionalities and parameters are used
for an effective comparative analysis of the tools, namely MD5 Hashing, SHA-1 Hashing, Platform
Support for Windows OS, Platform Support for Linux OS, User-friendliness, Time Analysis, Cost,
License, Repeatability, Reliability, Documenting and Reporting, Use of GUIs vs Command Line,
Supported Image and File Formats, Time Taken for Verification and Keyword Search, Identifying and
Recovering Deleted Files, Mismatched Extensions and Identifying Slack Space, etc.

The Investigation phase and its parameters play a key role in implementation of effective Digital
Forensics Framework. Different tools differ in their functioning from each other as it may signify
performing different operations, in certain Forensic circumstances. The epidemic of Cyber-Crime can
be easily avoided by using proper and defined protocols for Forensic examinations.

Forensic is an application where investigation and analysis techniques are used to assemble and
preserve the evidence that is found from a specific computing electronic equipment in such a way that
they are suitable for presenting in a court of law. The main objective of computer forensics is to study
a well-structured subject of the investigation while detailing a documented analysis sequence of
evidence or proofs to figure out what has occurred on an electronic device and the persons who are
responsible for it.

Forensic investigators generally follow a standard set of procedural rules: after physically
isolating the electronic equipment in question to make sure it cannot be accidentally corrupted,
investigators make sure that a digital duplicate of that device is made and stored. Once the
original media has been copied, it is locked in a safe or other secure facility to keep it in
pristine condition. All forensic investigation is done on the digital copy.

Types of Forensic Tools:

Computer forensics tools are designed to ensure that the information extracted from computers is
accurate and reliable. Due to the wide variety of different types of computer-based evidence, a
number of different types of computer forensics tools exist. Now we are discussing and analysing the
ten forensic tools which will be used for Digital Investigation process for collection of Digital
Evidence.

1. Award Key Logger:

Award Key Logger is a program for tracking key presses on a keyboard. The program is an easy-to-use
surveillance tool, and because it runs invisibly it can be used to find out what other people do
with your computer while you are away. Award Key Logger records every keystroke to a log file, which
will reflect everything that is typed (Google searches, visited sites, etc.) during your absence.
The program can send the log files secretly by email or FTP to a specific receiver. The program can
also detect specific keywords and take a screenshot whenever one is typed.

2. USBDeview:

USBDeview is a small utility that lists all USB devices that are currently connected to your
computer, as well as all USB devices that you previously used. For each USB device, extended
information is displayed: device name/description, device type, serial number (for mass storage
devices), the date/time that the device was added, VendorID, ProductID, and more.

USBDeview also allows you to uninstall USB devices previously used, disconnect USB devices that
are currently connected to your computer, as well as to disable and enable USB devices. You can also
use USBDeview on a remote computer, as long as you log in to that computer as an admin user.
USBDeview is a free application for Windows computers that provides a useful tool for USB devices
plugged into Windows-based computers.

3. ProDiscover:

ProDiscover is widely used in Computer Forensics and Incident Response. The product suite is also
equipped with diagnostic and evidence collection tools for corporate policy compliance investigations
and electronic discovery.

ProDiscover helps in efficiently uncovering files and data of interest. Wizards, dashboards and
timeline views help in speedily discovering vital information. Investigators are provided with a wide
range of tools and integrated viewers to explore the evidence disks and extract artifacts relevant to the
investigation.

Features:

• This product supports Windows, Mac, and Linux file systems.
• You can preview and search for suspicious files quickly.
• This digital forensic software creates a copy of the entire suspected disk to keep the original
evidence safe.
• Fetches the data even if it is deleted or hidden, without affecting the files' metadata.
• You can import or export .dd format images.
• No data loss happens in critical issues.
• ProDiscover Forensic supports VMware to run a captured image.

4. CAINE (COMPUTER AIDED INVESTIGATIVE ENVIRONMENT):

It is an open-source tool used to perform digital forensic investigations. It is used by law
enforcement, corporate and military examiners to investigate the actions that occurred on a PC. It
integrates various digital forensic tools such as The Sleuth Kit (Autopsy), WinAudit, PhotoRec, etc.

Features:

• It supports the digital investigator during the four phases of the digital investigation.
• It offers a user-friendly interface.
• You can customize features of CAINE.
• This software offers numerous user-friendly tools.

5. X-WAYS FORENSICS:

An application for law enforcement, intelligence agency and the private sector to conduct
investigations, document analysis and report generation.

It is meant for investigators who are specialized in: Accounting, construction rules, money laundering,
corruption, murder and child pornography

Mainly used by: Research analysts, officers, attorneys, paralegals, judges, internal and external
auditors

Features:

• It supports Windows
• Disk, file and RAM Editor
• Disk Cloning
• Data and partition recovery
• Disk Wiping
• File Slack Capturing
• Unused Space Capturing
• Media Details Report
• Simultaneous Search
• PhotoDNA hashing
• Skin colour detection
• Create skeleton, snippet and cleansed images
• Can read and write EnCase images

6. THE SLEUTH KIT (+AUTOPSY):

The Sleuth Kit is an open-source, command-line based application that allows the investigator to
analyse disk images and retrieve data from them. It is also used in Autopsy, a GUI-based application
that functions in a similar manner. Autopsy provides facilities to find add-ons and develop custom
modules.

Features:

• You can identify activity using a graphical interface effectively.
• This application provides analysis for emails.
• You can group files by their type to find all documents or images.
• It displays thumbnails of images for a quick view of pictures.
• You can tag files with arbitrary tag names.
• The Sleuth Kit enables you to extract data from call logs, SMS, contacts, etc.
• It helps you to flag files and folders based on path and name.

7. Active File Recovery:


Active file recovery tool is one of the best tools for data recovery. It recovers the lost files and
directories. It supports almost all file systems, storage devices. It can recover data from large drives
having size more than 2 terabytes. It allows recovering files by file signatures.

Features:

• File Examination
• Log Examination
• Deleted file indexing
• File indexing
• Memory dump analysis
• Can recover files even after they have been deleted from the recycle bin.
• It recovers files damaged by virus attacks or lost due to accidental disk formatting, power
failure or a malicious program, as well as photos and pictures lost after formatting a memory card
or deleted from a USB flash drive.
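
Recovery "by file signatures", and the "mismatched extension" check listed among the comparison parameters under Analysis of Forensic Tools, both rest on the fixed byte patterns that open and close common file formats. The following Python code is an added example, not taken from the paper or from any of the tools it reviews: it carves JPEG, PNG and PDF data out of a raw image by header and footer and reports files whose content contradicts their extension. The raw image and all names are constructed.

```python
# Header and footer byte patterns for three common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EXTENSIONS = {"jpg": {"jpg", "jpeg"}, "png": {"png"}, "pdf": {"pdf"}}


def identify(data):
    """Return the type whose header the data starts with, or None if unknown."""
    for kind, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def extension_mismatch(filename, data):
    """Return the detected type when it contradicts the file's extension, else None."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind is None or ext in EXTENSIONS[kind]:
        return None
    return kind


def carve(image, max_size=10 * 1024 * 1024):
    """Find header..footer runs in a raw image, independent of any file system.

    A header with no footer within max_size is reported with length None
    (overwritten or fragmented file). Taking the first footer is a
    simplification: real JPEGs can embed thumbnails with their own footer.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append({"type": kind, "offset": pos, "length": None, "data": None})
                pos = image.find(header, pos + len(header))
            else:
                end += len(footer)
                found.append({"type": kind, "offset": pos,
                              "length": end - pos, "data": image[pos:end]})
                pos = image.find(header, end)
    return sorted(found, key=lambda item: item["offset"])


def build_sample():
    """Constructed raw image: zero-filled space holding a JPEG, a PNG and a cut-off JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    cut = b"\xff\xd8\xff\xe1" + b"header-without-footer"
    image = b"\x00" * 512 + jpg + b"\x00" * 482 + png + b"\x00" * 100 + cut
    return image, jpg, png


if __name__ == "__main__":
    raw, jpg_bytes, _png_bytes = build_sample()
    for item in carve(raw):
        print(item["type"], "at offset", item["offset"], "length", item["length"])
    print("notes.txt is really:", extension_mismatch("notes.txt", jpg_bytes))
```
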

8. Encase:

Encase is an application that helps you to recover evidence from hard drives. It allows you to conduct
an in-depth analysis of files to collect proof like documents, pictures, etc. It is quite expensive
software.

Features:

• You can acquire data from numerous devices, including mobile phones, tablets, etc.
• It is one of the best mobile forensic tools that enables you to produce complete reports for
maintaining evidence integrity.
• You can quickly search, identify, as well as prioritize evidence.
• Encase-forensic helps you to unlock encrypted evidence.
• It is one of the best digital forensics tools that automates the preparation of evidence.
• You can perform deep and triage (severity and priority of defects) analysis.

9. FTK Imager:

FTK Imager is a forensic toolkit developed by AccessData that can be used to get evidence. It can
create copies of data without making changes to the original evidence. This tool allows you to specify
criteria, like file size, pixel size, and data type, to reduce the amount of irrelevant data.

Features:

• It provides a wizard-driven approach to detect cybercrime.
• This program offers better visualization of data using a chart.
• You can recover passwords from more than 100 applications.
• It has an advanced and automated data analysis facility.
• FTK Imager helps you to manage reusable profiles for different investigation requirements.
• It supports pre and post-processing refinement.

10. Wireshark:
Wireshark is a tool that analyses network packets. It can be used for network testing and
troubleshooting. This tool helps you to check the different traffic going through your computer
system.

Features:

• It provides rich VoIP (Voice over Internet Protocol) analysis.
• Capture files compressed with gzip can be decompressed easily.
• Output can be exported to XML (Extensible Markup Language), CSV (Comma Separated
Values) file, or plain text.
• Live data can be read from the network, Bluetooth, ATM, USB, etc.
• Decryption support for numerous protocols that include IPsec (Internet Protocol Security),
SSL (Secure Sockets Layer), and WEP (Wired Equivalent Privacy).
• You can apply intuitive analysis and colouring rules to the packets.
• Allows you to read or write files in any format.

FUTURE SCOPE:

Investigating cybercrime is not an easy task. It requires the right expertise along with multiple
tools and techniques to quickly and productively leap into the digital crime scene. Once this is
available, it becomes possible to analyse the data properly, investigate the cause, and discover the
attackers behind the cybercrime. Cyber forensics at the government level will be complicated in the
future. To hunt down cyber criminals, governments will need to turn more to their national security
organizations. They will also need to discover anti-forensic software and techniques to keep their
activities and assets confidential. Information security standards such as ISO27001 and ITIL will be
implemented more in corporate organizations. Only a few companies will be able to afford the cost of
compliance implementation. Hence, it is important for companies to have precise incident response
methods and related cyber forensic investigation functions.

RESULTS AND DISCUSSIONS:

Computer-related crime is growing as fast as the Internet itself. Today, enterprises focus on
implementing preventative security solutions that reduce vulnerabilities, with little concern for
systematic recovery or investigation. We have reviewed the literature on digital forensics and
identified three main categories of activity in digital forensics. The three research categories are
the framework, the digital forensics investigation process, and tools. The advances in the
framework, process and tools of digital forensics have been reviewed and discussed. We should not
leave everything to digital forensics experts. If we are going to find a solution to the computer
crime problem, it will be through a collaborative effort. Everyone, from individual users to company
owners, has to get involved. The considered tools, investigation process and framework enhance the
forensics of computer security by helping experts in the field do their job faster and more
efficiently. It is up to companies and users to adopt these policies according to their needs.

CONCLUSION:

Forensic analysis provides a domain for defining the repercussions of data loss or data theft. It
can be a vital breakthrough if people are made aware of all the advantages and disadvantages of
digital forensics, especially when it comes to the data security domain. Secondly, hard drives,
USB drives, and other digital storage devices provide a path for data access and retrieval but can
also prove to be a disaster when it comes to the loss of the most important part of any system or
workspace. Tools for implementing digital forensics at an organization, in a criminal investigation
or on an individual level have been developed, some proprietary and some GPL. Various branches of
digital forensics are also defined as a solution for maintaining integrity at different levels of
software development. The different stages of digital forensics also define a relationship and
inter-dependence of data retrieval or extraction scenarios through their effective and secure
implementation. All the services provided by digital forensics are evaluated and helpful enough to
access the various domains of data or individual property loss related to data and cyber-crimes,
which includes forensic analysis. From this study one can figure out, with practice, implementation
and skill, which tool can be used for what particular purpose, be it Mobile Forensics, Network
Forensics, Computer Forensics or Database Forensics. This is because different tools have different
pros and cons, and all of them work differently and are used for different purposes.
