BASH SCRIPTS AND TOOLS
NBTempoW (2017) (new!) - NBTempoW is a forensic tool for making timelines from block device image files (raw, EWF, etc.). It uses TSK (The Sleuth Kit) and has been developed with Lazarus 1.6.2 (a Delphi-compatible cross-platform IDE for rapid application development). It runs only on Windows. If the image file is split, select only the first chunk. (Present also on GitHub HERE)
XAll v. 1.5 (2016) - A forensic data and file extractor for devices and image files. Run it with sudo ./xall_1.x.x.sh. It mounts a DD/EWF image file or a device (e.g. /dev/sdb), copies all allocated files, extracts all deleted files and the slack space, and carves only the free space. Each type of extraction can be selected individually. The GUI is built with YAD (Yet Another Dialog), so it is simple and fast to use. (Present also on GitHub HERE)
You need:
YAD
XMount
The Sleuthkit (latest release)
Photorec
MD5Deep
Don't use blank spaces in the image filename!
(MD5: E9A09FFB62209FB5DC5EB2C9425708D1)
KWSrch v. 1.0 - Greps exported strings from files, with a GUI front end. Searches for a string in a selected directory. It is a Bash script using YAD.
by John Lehr
(MD5: d682cea734d204e2d8a5326eb910ff7c)
FBXchat v. 1.0 - Facebook Chat Extractor. This Bash script works on the output of bulk_extractor for the Facebook chat artifacts present in a binary object (pagefile.sys, hiberfil.sys, an entire disk image, a device, etc.). It's a first release; I hope it will be more accurate. Enjoy it!
(MD5: 0c5d3a78cd6a3f76474529d84f5146c2)
KS v. 2.2 (2013) - A keyword search tool. Run it with sudo bash ks.sh. It mounts a DD image file, extracts all deleted files and the slack space, carves only the free space, and indexes everything with Recoll. You need:
The Sleuthkit (latest release)
Photorec
MD5Deep
RECOLL
It stores the index DB and recoll.conf in the chosen output directory.
(MD5: eb8a0df14fb6e3df7ee02cc494db3b1c)
FileInfo - A GUI forensic tool for Ubuntu Linux that extracts information from files: PE32 headers, JPEG thumbnails and EXIF data. Tested on Ubuntu 10.10 and Kubuntu 10.04. It uses zenity, libimage-exiftool-perl and many other tools shipped with the main Linux distributions.
(MD5: f13f620d84a11b1bac291686d1647291)
NBTempo V. 1.1 (new!) - A GUI (Graphical User Interface) Bash script for making file timelines and reporting them in CSV (spreadsheet) format. It needs TSK 3.2.1 and YAD (Yet Another Dialog). (TSK based)
(Present also on GitHub HERE)
(MD5: 15967f40e4de7a326949f561aeea034b)
XMount-GUI 1.01 (new!) - Bash script using YAD. xmount allows you to convert on the fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be raw DD, VirtualBox's virtual disk file format or VMware's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount supports virtual write access to the output files, redirected to a cache file, which makes it possible to boot acquired hard disk images in QEMU, KVM, VirtualBox, VMware or similar. This is a graphical user interface by John Lehr.
(MD5: C0DF7EA60E410BE4061A31F76375DF92)
Raw2FS 1.2.1 - Bash script - Resolves the original file name starting from the carved file name generated by Foremost, saves it, and generates an HTML report. It can also resolve the file name starting from the byte offset of a grep keyword search. The tool automatically detects which partition the offset falls in and, if the keyword lies in slack space, saves the sector/cluster/block where it is (remember: FAT -> sector, NTFS -> cluster, ext2/3 -> block). (TSK based)
(Present also on GitHub HERE)
MD5: 0C1CA46129ADA0C5C8959E0CD091B291 (06/12/2015 updated!)
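The offset-to-file step described above, as an added example (this is editor-written code, not Raw2FS itself): an absolute byte offset from grep -boa is mapped to the partition that contains it, converted to that file system's own addressing unit (FAT sector, NTFS cluster, ext block), and the two TSK calls that turn that unit into a path are printed rather than executed, because they need the real image. The partition table (in mmls column layout) and the block sizes are constructed for the example; on a real image they come from mmls and fsstat.

```shell
#!/bin/sh
# Added example, not Raw2FS code: map an absolute byte offset inside a disk
# image (as printed by `grep -boa keyword image.dd`) to the partition and the
# file-system addressing unit (FAT sector / NTFS cluster / ext block) that
# contain it, then print the TSK commands that turn that unit into a file name.
# The partition table and block sizes below are constructed for this example.

SECTOR=512

# Constructed partition table in the column layout of `mmls -a image.dd`:
# slot  start_sector  end_sector  length  description
PARTS='00:00 0000002048 0000206847 0000204800 FAT32
01:01 0000206848 0002097151 0001890304 NTFS'

# Strip the leading zeros mmls prints so the shell does not read them as octal.
dec() { printf '%s' "$1" | sed 's/^0*\([0-9]\)/\1/'; }

# Addressing-unit size per slot, as `fsstat -o <start_sector> image.dd` would
# report it (constructed): FAT addresses sectors, NTFS addresses clusters.
block_size_for() {
  case "$1" in
    00:00) echo 512 ;;
    01:01) echo 4096 ;;
    *) return 1 ;;
  esac
}

# locate_offset <byte_offset>
# Prints "slot start_sector block description"; fails when the offset lies in
# no partition (partition table, gap between partitions, past the last one).
locate_offset() {
  off=$1
  sec=$((off / SECTOR))
  while read -r slot start end len desc; do
    start=$(dec "$start"); end=$(dec "$end")
    if [ "$sec" -ge "$start" ] && [ "$sec" -le "$end" ]; then
      bs=$(block_size_for "$slot") || return 1
      # unit number relative to the partition start, in that file system's unit
      echo "$slot $start $(( (off - start * SECTOR) / bs )) $desc"
      return 0
    fi
  done <<EOF
$PARTS
EOF
  return 1
}

# tsk_commands <image> <byte_offset>
# Prints the two TSK calls to run next: ifind maps the data unit to the inode
# that owns it (no result means the unit is unallocated, i.e. a free-space hit,
# so record the unit address instead); ffind maps that inode to a path.
tsk_commands() {
  image=$1
  loc=$(locate_offset "$2") || return 1
  set -- $loc
  echo "ifind -o $2 -d $3 $image"
  echo "ffind -o $2 $image <inode>"
}

# Example: tsk_commands disk.dd 200000000
```

A hit one byte before the NTFS partition start resolves to the last FAT sector, and the next byte to NTFS cluster 0, which is the partition-boundary case the script has to get right; ifind's -d argument is always relative to the partition passed with -o, never an absolute sector.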
MultiFS 1.1 - Bash script - detects and extracts hidden file systems. (TSK based)
MD5: 70A2DB818E1A045249EB26DA8D45427A
SFDumper 2.2 - Bash script - a selective file retriever that works on active, deleted and carved files. It can run a keyword search over the retrieved files. (TSK based)
MD5: 1037A96DFE56F0E53D90672884996DDD
FUNDL 2.0 - Bash script - a selective deleted-file retriever with HTML reporting. (TSK based)
MD5: CFFACDE9290D96CBF20D332910139F27
FKLook - Bash script - searches for a keyword in many files and copies only the files that match into a separate directory you choose.
MD5: 6748FAB3CE858BE4DC0A999436E39440
Offset_Brute_Force - Bash script - A quick and dirty Bash script written to brute-force the partition offset, looking for a hidden partition and trying to mount it. Example: $ ./force.sh pen-drive.dd 0 4194304
MD5: 006060382f66661707907b03fcbc0320
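The same search as above, as an added example (editor-written, not the Offset_Brute_Force script): instead of attempting a mount at every offset, it reads a few sectors at each sector-aligned offset and checks for an NTFS, FAT or ext signature, so each hit is a candidate partition start to hand to fsstat -o or a mount. The scan_offsets function takes the same image/first/last arguments as force.sh. The sample image is constructed inline: zeros with three planted signatures, nothing mountable.

```shell
#!/bin/sh
# Added example, not the Offset_Brute_Force script: rather than attempting a
# mount at every candidate offset, read a few sectors at each sector-aligned
# offset and test for a file-system boot-sector/superblock signature. Every hit
# is a candidate start of a (possibly hidden) partition worth passing to
# `fsstat -o <sector>` or a mount attempt. The sample image is constructed below.

SECTOR=512

# fs_signature <image> <sector>
# Prints the file-system type whose on-disk signature sits at that sector, or
# nothing. Three sectors are read so the ext superblock (1024 bytes in) fits.
fs_signature() {
  img=$1; sec=$2
  # hex dump of the bytes with no spaces: byte n is at chars 2n+1..2n+2
  hex=$(dd if="$img" bs="$SECTOR" skip="$sec" count=3 2>/dev/null | od -An -tx1 -v | tr -d ' \n')
  bootsig=$(printf '%s' "$hex" | cut -c1021-1024)   # bytes 510-511: 0x55AA
  oem=$(printf '%s' "$hex" | cut -c7-22)            # bytes 3-10: OEM name
  fat16=$(printf '%s' "$hex" | cut -c109-114)       # bytes 54-56: "FAT" in the FAT12/16 type field
  fat32=$(printf '%s' "$hex" | cut -c165-170)       # bytes 82-84: "FAT" in the FAT32 type field
  extmagic=$(printf '%s' "$hex" | cut -c2161-2164)  # bytes 1080-1081: 0xEF53, little-endian
  if [ "$bootsig" = 55aa ] && [ "$oem" = 4e54465320202020 ]; then echo NTFS
  elif [ "$bootsig" = 55aa ] && [ "$fat32" = 464154 ]; then echo FAT32
  elif [ "$bootsig" = 55aa ] && [ "$fat16" = 464154 ]; then echo FAT12/16
  elif [ "$extmagic" = 53ef ]; then echo EXT2/3/4
  fi
  return 0
}

# scan_offsets <image> [first_byte] [last_byte]
# Same argument shape as `./force.sh image first last`; prints "byte_offset type"
# for every sector-aligned offset in the range that carries a signature.
scan_offsets() {
  img=$1
  first=${2:-0}
  last=${3:-$(wc -c < "$img" | tr -d ' ')}
  sec=$((first / SECTOR))
  while [ $((sec * SECTOR)) -lt "$last" ]; do
    fs=$(fs_signature "$img" "$sec")
    if [ -n "$fs" ]; then echo "$((sec * SECTOR)) $fs"; fi
    sec=$((sec + 1))
  done
  return 0
}

# poke <image> <byte_offset> <bytes as printf format>: overwrite bytes in place
poke() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# make_test_image <path>: a constructed 128 KiB all-zero image with an NTFS boot
# sector planted at sector 37, an ext superblock magic at sector 100 and a FAT32
# boot sector at sector 200; nothing else of those file systems is present.
make_test_image() {
  dd if=/dev/zero of="$1" bs="$SECTOR" count=256 2>/dev/null
  poke "$1" $((37 * 512)) '\353\122\220NTFS    '      # EB 52 90 + OEM name "NTFS    "
  poke "$1" $((37 * 512 + 510)) '\125\252'            # 0x55AA boot signature
  poke "$1" $((100 * 512 + 1080)) '\123\357'          # 0x53 0xEF: ext magic at superblock+0x38
  poke "$1" $((200 * 512 + 82)) 'FAT32   '            # FAT32 file-system type field
  poke "$1" $((200 * 512 + 510)) '\125\252'
}

# Usage on a real acquisition: scan_offsets pen-drive.dd 0 4194304
```

A signature only says a boot sector or superblock starts there; a stale one left by an earlier format will also match, so confirm a hit with fsstat -o before trusting it, and note that a TrueCrypt-style hidden volume has no signature at all and will not be found this way.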
fod v.0.2 - Bash script - "fod" stands for "Foremost output divide". A simple script that splits the contents of a Foremost output directory into subdirectories holding a defined number of files for each file type.
MD5: ff150dccf6774d55a7409d740132a10a
PXS Installer 1.5.1 - Bash script - the easiest way to install PTK on an Ubuntu workstation, using XAMPP as the web server. The script installs PTK, TSK, libewf, afflib, XAMPP and all required packages.
MD5: CA14F76AB3098E1A36A45B18CE2D8233
If you want to give us feedback, or would like to upload one of your digital forensics scripts/tools, please use the CONTACT link.