The tools and technologies provided through these resources were developed through NIJ grant funded projects intended to build the electronic crime and digital evidence capacity of the criminal justice community throughout the United States. The goal of these projects is to provide law enforcement with low cost or no cost tools and technologies to investigate electronic crime, collect digital evidence and conduct forensic examinations on digital evidence that may be seized as evidence including hard drives, cell phones, electronic media and other data storage devices. While some of these tools and technologies are free to the criminal justice community others are provided to the criminal justice community by the developers at a cost. These tools and technologies are intended to provide the criminal justice community with affordable electronic crime and digital evidence solutions that are an alternative to cost prohibitive computer forensic software applications.
MacResponse LE™
MacResponse LE™ is a computer incident response toolkit developed by AIS, Inc. for law enforcement. The toolkit consists of the ‘Live’ and ‘Console’ applications. The ‘Live’ application acquires and analyzes volatile system data from running Mac OS X systems. Executing from an external storage device (such as a USB drive), it can acquire volatile data from Mac OS X versions 10.5 (Leopard), 10.6 (Snow Leopard), and 10.7 (Lion). The Java-based ‘Console’ application is the ‘offline’ analysis component and runs on Windows and Mac operating systems. MacResponse LE™ was developed through a National Institute of Justice (NIJ) grant.
MacResponse LE™ is free to law enforcement and can be downloaded from AIS, Inc.’s MacResponse LE™ website.
P2P Marshal
ATC-NY developed P2P Marshal to automatically analyze peer-to-peer (P2P) usage on disk images (Forensic Edition) and live systems (Field Edition).
It detects which P2P client programs are, or were, present, extracts their configuration and log information, and shows the shared (uploaded) and downloaded files. It also includes extensive search capabilities, a thumbnail browser and an image viewer. It produces reports in RTF, PDF, and HTML formats and runs on Windows machines.
Request a free copy through ECTCoE
Mac Marshal
ATC-NY developed Mac Marshal to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications. Mac Marshal Forensic Edition runs on an investigator's Mac workstation to analyze a disk image. Mac Marshal Field Edition runs on a Mac target machine from a USB drive; it extracts volatile system state data, including a snapshot of physical RAM. Mac Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats, and runs on Mac OS X-based analysis machines.
Request a free copy through ECTCoE
Router Marshal
ATC-NY developed Router Marshal to automatically acquire digital forensic evidence from network devices such as routers and wireless access points. An investigator can use the Router Marshal software in the field to identify a network device, automatically acquire volatile forensic evidence from the device, and view and interpret this evidence. Router Marshal follows forensic best practices and maintains a detailed log file of all activities it performs and all communications with the target device. It produces reports in RTF, PDF, and HTML formats and runs on Windows and Linux analysis machines.
Request a free copy through ECTCoE
Live Marshal
ATC-NY's Live Marshal™ is a user-configurable software tool to aid first responders in rapid forensic examinations. Live Marshal enables a responder to rapidly acquire data from one or more systems over an enterprise network, and its configurability lets responders incorporate their own trusted command-line tools.
Live Marshal follows forensic best practices and maintains a detailed log file of all activities it performs, including all communications with the target device. It produces easily readable reports by copying the acquired results to a text file for a rapid analysis. It runs from a laptop or other computer running a Linux operating system.
Request a free copy through ECTCoE
Mem Marshal
ATC-NY's Mem Marshal™ is a user-friendly, automated memory analysis system that assists and automates computer forensic investigations of volatile memory (RAM) images. Mem Marshal enables computer forensic investigators to analyze and make effective use of the information contained in volatile memory. Memory analysis produces important, case-relevant data that cannot be obtained from disk analysis, such as running applications, open files, and active network connections.
Because a memory image can be searched and analyzed quickly, Mem Marshal lets investigators use what it finds to focus the far more time-consuming disk analysis, reducing overall investigation time.
Mem Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats.
Request a free copy through ECTCoE
Mac Memory Reader
Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM on a suspect Macintosh computer, letting an investigator gather volatile state information prior to shutting the machine down. Mac Memory Reader is based on the physical RAM acquisition tools in Mac Marshal Field Edition, a computer forensic tool for Mac OS X investigations.
eMule Reader
The eMule Reader utilities are a collection of command-line tools that parse and output the contents of configuration and log files from the eMule P2P file-sharing client. These tools are based on the eMule acquisition and analysis tools in P2P Marshal, a computer forensic tool for automated peer-to-peer investigations.
RedLight Porn Scanner
RedLight is described by its developer as the fastest law enforcement pornography scanner available. RedLight detects pornography the way law enforcement investigates a case: it finds likely pornography in images very quickly, lets the investigator confirm visually through a display of thumbnails, and then exports selected images, reports, and hash sets (suitable for importing into analysis tools such as EnCase, FTK, and X-Ways).
Video Previewer
The DFC's Video Previewer is a free application that quickly processes a video and shows its key frames in a PDF file. It is particularly useful in investigations where watching a video end to end is time consuming. Frames can be selected at equally spaced intervals, or chosen automatically based on scene changes.
SAFE VNC
SAFE VNC is a free add-on to the SAFE Windows forensics boot disk. It gives an investigator access over the public Internet to a remote suspect computer that has been booted with SAFE. An on-site person boots the suspect computer and attaches a drive, so imaging runs at full speed on that computer's own bus (rather than slowly over the network, as some remote tools require), while the trained investigator runs the acquisition and triage tools in the booted environment from an off-site location.
Skout Collect Enterprise
Skout Collect Enterprise is a pre-acquisition tool that can turn any hard drive into an automated Skout Collect Drive. Skout Collect Drives are a cost-effective solution that enables anyone to take a full and comprehensive forensic acquisition. With a single keystroke, the pre-configured Skout Collect Drive automatically performs a full forensic data acquisition. Additional features include full disk encryption, chain of custody documentation, and MD5 hash generation.
Request a free copy through ECTCoE
Active Content Address Verifier
ACAV is a tool designed to aid law enforcement investigators attempting to identify criminals who use anonymization on the Internet to hide their criminal activities. The tool is an outgrowth of a National Institute of Justice (NIJ) sponsored research project. ACAV gives investigators the ability to deploy technology that helps identify the actual Internet Protocol address of targets of investigations. The technology uses protocols already in existence on the Internet, together with technology developed under the project, to expose the real IP address of the offender.
Request a free copy through ECTCoE
US-LATT
US-LATT is a live acquisition and triage tool that is an outgrowth of National Institute of Justice (NIJ) sponsored research projects. US-LATT gives investigators and first responders the ability to triage live evidence that would be lost in a pull-the-plug-only investigation. The workflow is simple: insert the US-LATT USB device into the suspect system, triage and acquire the most volatile and stateful evidence, then remove the device. All acquisition results are written to individual case directories, so multiple triages and acquisitions are possible with a single device.
US-LATT is available on many removable devices (ranging from 4 GB USB tokens to 2 TB USB 3.0 drives), and its triage and acquisition capabilities continue to expand.
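The US-LATT and Live Marshal descriptions above share one design: run a set of trusted command-line tools on the live system, write every result into a per-case directory, hash the artifacts and keep a log of each action taken (the chain-of-custody record that Skout Collect, Router Marshal and the other Marshal tools also describe). The following script is an added example of that pattern; it is not code from any of those tools. The collector commands in DEFAULT_COLLECTORS are illustrative assumptions, and the case-id and file names are hypothetical.

```python
"""Live-triage collector: run trusted command-line tools on the host, write
each result into a per-case directory, hash every artifact and keep an
activity log. Added example; not code from US-LATT, Live Marshal or Skout."""
import datetime
import hashlib
import json
import subprocess
import tempfile
from pathlib import Path

# Assumed collector list, most-volatile first. The commands are placeholders;
# a responder would supply their own trusted binaries carried on the triage
# device rather than relying on whatever is in the suspect system's PATH.
DEFAULT_COLLECTORS = [
    ("network_connections", ["netstat", "-an"]),
    ("process_list", ["ps", "aux"]),
    ("logged_in_users", ["who"]),
    ("uptime", ["uptime"]),
]


def sha256_file(path):
    """Stream-hash a file so large captures (e.g. a RAM image) are never
    read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(case_root, case_id, collectors=DEFAULT_COLLECTORS, timeout=60):
    """Run each collector and store its stdout as <name>.txt under
    case_root/case_id. Returns (case_dir, manifest, log).

    The case directory is created with exist_ok=False so a second triage
    that reuses a case id cannot silently overwrite earlier evidence."""
    case_dir = Path(case_root) / case_id
    case_dir.mkdir(parents=True, exist_ok=False)
    manifest = {}
    log = []
    for name, argv in collectors:
        started = datetime.datetime.now(datetime.timezone.utc).isoformat()
        out_path = case_dir / f"{name}.txt"
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            out_path.write_bytes(proc.stdout)
            status = f"exit={proc.returncode}"
        except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired) as exc:
            # Record the failure and carry on: one missing tool must not
            # cost the rest of the volatile data.
            out_path.write_bytes(b"")
            status = f"error={type(exc).__name__}"
        digest = sha256_file(out_path)
        manifest[out_path.name] = digest
        log.append({"time": started, "tool": name, "argv": argv,
                    "status": status, "sha256": digest})
    (case_dir / "manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    with open(case_dir / "activity.log", "w") as f:
        for entry in log:
            f.write(json.dumps(entry) + "\n")
    return case_dir, manifest, log


def run_demo():
    """Self-contained run using constructed collectors: one command that
    exists everywhere (echo) and one that does not, so the error path is
    exercised. Returns (manifest, log)."""
    collectors = [
        ("greeting", ["echo", "hello"]),
        ("missing_tool", ["no-such-triage-tool-xyz"]),
    ]
    root = tempfile.mkdtemp(prefix="triage-")
    _, manifest, log = collect(root, "CASE-0001", collectors)
    return manifest, log


if __name__ == "__main__":
    manifest, log = run_demo()
    print(json.dumps({"manifest": manifest, "log": log}, indent=2))
```

The manifest gives a hash for every artifact at the moment it was written, and the activity log records what was run, when, and with what result, which is what makes the collection reproducible and defensible later. In a real deployment the case root would be the triage device itself, and the collectors would be the responder's own vetted tools.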
Request a free copy through ECTCoE
T.A.P.S.
T.A.P.S. is a software tool created for law enforcement as a result of a research grant from the National Institute of Justice (NIJ). The research is investigating ways to improve search performance and accuracy when identifying malicious applications and contraband. As storage devices grow larger, and with them the need to identify malicious applications and contraband such as purposely concealed data (i.e. steganography), software of this kind becomes increasingly important.
The core technology of this initial version of T.A.P.S. is a new hashing algorithm developed under the research grant, called Fibonacci Hashing (FIB-H1). FIB-H1 is designed to perform rapid scanning for known malicious applications and their derivatives; the developers report searches for specific objects up to 50 times faster than conventional MD5 hashing. This first release includes a rapid-response dataset for the identification of steganography programs, and future updates will add other targeted search datasets. Coupled with steganography program identification is the developers' proprietary JPEG steganography detection algorithm, which uses machine learning to extract traits from JPEG images and detect the presence of embedded steganography, allowing rapid and accurate identification of suspicious JPEG files that may contain hidden information.
T.A.P.S. provides direct media scanning (with a write blocker), mounting and scanning of DD or raw images, and scanning inside archives. Detailed reporting and timelining of results are also included.
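The scanning T.A.P.S. describes, hashing every object on the media (including members of archives) and looking the hashes up in a dataset of known programs, is the same known-file matching that the RedLight and Skout entries above refer to when they mention hash sets. The script below is an added example of that technique, written for this page; it is not T.A.P.S. and does not implement FIB-H1, which is proprietary, and it uses ordinary MD5 and SHA-256 instead. The sample files, the hash-set rows and the size limit on archive members are constructed assumptions.

```python
"""Known-file scanner: hash every file under a directory tree, descend into
ZIP archives (including nested ones) and report matches against a hash set.
Added example; not T.A.P.S. and not the FIB-H1 algorithm. MD5 and SHA-256
are computed side by side: law-enforcement hash sets are commonly MD5-keyed
(the format EnCase, FTK and X-Ways import), but MD5 is collision-prone, so a
hit is confirmed on SHA-256 before it is reported as a confirmed match."""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

MAX_MEMBER_BYTES = 256 * 1024 * 1024  # assumed cap: skip oversized members (zip-bomb guard)
MAX_NESTING = 4                       # assumed cap on archive-in-archive depth


def digests(data):
    """Return (md5, sha256) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def load_hash_set(rows):
    """Build an MD5-keyed lookup from constructed rows of (md5, sha256, label)."""
    return {md5: (sha256, label) for md5, sha256, label in rows}


def iter_objects(label, data, depth=0):
    """Yield (label, bytes) for data and, if data is a ZIP, for every member,
    recursively. Labels use 'archive!/member' so a report says where a hit was."""
    yield label, data
    if depth >= MAX_NESTING or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            yield from iter_objects(f"{label}!/{info.filename}", zf.read(info), depth + 1)


def scan_tree(root, by_md5):
    """Walk root, hash each regular file and each archive member, and return
    the list of hits against the hash set (sorted path order, deterministic)."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        for label, data in iter_objects(str(path.relative_to(root)), path.read_bytes()):
            md5, sha256 = digests(data)
            entry = by_md5.get(md5)
            if entry is None:
                continue
            expected_sha256, name = entry
            hits.append({"path": label, "name": name, "md5": md5,
                         "sha256_confirmed": sha256 == expected_sha256})
    return hits


# Constructed sample content standing in for a known program and a benign file.
SAMPLE_TOOL = b"constructed stand-in for a known steganography program\n"
BENIGN = b"just a text file\n"


def build_sample(root):
    """Create a small tree: a loose copy of the known file, a benign file, and a
    ZIP that contains a nested ZIP holding another copy of the known file."""
    root = Path(root)
    (root / "tool.exe").write_bytes(SAMPLE_TOOL)
    (root / "notes.txt").write_bytes(BENIGN)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("inner/tool.exe", SAMPLE_TOOL)
    with zipfile.ZipFile(root / "bundle.zip", "w") as zf:
        zf.writestr("readme.txt", BENIGN)
        zf.writestr("nested.zip", inner.getvalue())


def run_demo():
    """Build the sample tree in a temp dir and scan it with a one-entry hash set."""
    root = tempfile.mkdtemp(prefix="scan-")
    build_sample(root)
    md5, sha256 = digests(SAMPLE_TOOL)
    return scan_tree(root, load_hash_set([(md5, sha256, "StegoTool-sample")]))


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

The scan finds the known file both loose on disk and two archive levels deep, and the `sha256_confirmed` flag distinguishes a genuine match from an MD5 collision. Bounding nesting depth and member size is what keeps a deliberately crafted archive from stalling the scan on a seized drive.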