The tools and technologies provided through these resources were developed through NIJ grant-funded projects intended to build the electronic crime and digital evidence capacity of the criminal justice community throughout the United States. The goal of these projects is to provide law enforcement with low-cost or no-cost tools and technologies to investigate electronic crime, collect digital evidence, and conduct forensic examinations on digital evidence that may be seized, including hard drives, cell phones, electronic media and other data storage devices. While some of these tools and technologies are free to the criminal justice community, others are provided to the criminal justice community by the developers at a cost. These tools and technologies are intended to provide the criminal justice community with affordable electronic crime and digital evidence solutions that are an alternative to cost-prohibitive computer forensic software applications.
P2P Marshal
ATC-NY developed P2P Marshal to automatically analyze peer-to-peer (P2P) usage on disk images (Forensic Edition) and live systems (Field Edition). It detects what P2P client programs are, or were, present, extracts configuration and log information, and shows you the shared (uploaded) and downloaded files. It also includes extensive search capabilities and a thumbnail browser and image viewer. It produces reports in RTF, PDF, and HTML formats and runs on Windows machines.
Request a free copy through ECTCoE
Mac Marshal
ATC-NY developed Mac Marshal to analyze Mac OS X file system images. It scans a Macintosh disk image, automatically detects and displays Macintosh and Windows operating systems and virtual machine images, then runs a number of analysis tools on the image to extract Mac OS X-specific forensic evidence written by the OS and common applications. Mac Marshal Forensic Edition runs on an investigator's Mac workstation to analyze a disk image. Mac Marshal Field Edition runs on a Mac target machine from a USB drive. It extracts volatile system state data, including a snapshot of physical RAM. Mac Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats, and runs on Mac OS X-based analysis machines.
Request a free copy through ECTCoE
Router Marshal
ATC-NY developed Router Marshal to automatically acquire digital forensic evidence from network devices such as routers and wireless access points. An investigator can use the Router Marshal software in the field to identify a network device, automatically acquire volatile forensic evidence from the device, and view and interpret this evidence. Router Marshal follows forensic best practices and maintains a detailed log file of all activities it performs and all communications with the target device. It produces reports in RTF, PDF, and HTML formats and runs on Windows and Linux analysis machines.
Request a free copy through ECTCoE
Live Marshal
ATC-NY's Live Marshal™ is a user-configurable software tool to aid first responders in rapid forensic examinations. Live Marshal enables a responder to rapidly acquire data from one or more systems over an enterprise network. Live Marshal is user-configurable, enabling responders to incorporate their own trusted command-line tools.
Live Marshal follows forensic best practices and maintains a detailed log file of all activities it performs, including all communications with the target device. It produces easily readable reports by copying the acquired results to a text file for a rapid analysis. It runs from a laptop or other computer running a Linux operating system.
Request a free copy through ECTCoE
Mac Memory Reader
Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM on a suspect Macintosh computer, letting an investigator gather volatile state information prior to shutting the machine down. Mac Memory Reader is based on the physical RAM acquisition tools in Mac Marshal Field Edition, a computer forensic tool for Mac OS X investigations.
eMule Reader
The eMule Reader utilities are a collection of command-line tools that parse and output the contents of configuration and log files from the eMule P2P file-sharing client. These tools are based on the eMule acquisition and analysis tools in P2P Marshal, a computer forensic tool for automated peer-to-peer investigations.
RedLight Porn Scanner
RedLight is the fastest law enforcement pornography scanner available. RedLight detects pornography based on how law enforcement investigates a case: by finding likely pornography in images very quickly, allowing visual confirmation by the investigator through a display of thumbnails, and then exporting selected images, reports, and hash sets (suitable for importing into powerful analysis tools such as EnCase, FTK, and X-Ways).
Video Previewer
The DFC's Video Previewer is a free application that quickly processes a video and shows its key frames in a PDF file. It is particularly useful in investigations where watching a video is time consuming. It lets the investigator select frames at equally spaced intervals, or perform intelligent selection of frames based on scene changes.
SAFE VNC
SAFE VNC is a free add-on to the SAFE Windows forensics boot disk. It allows an investigator access over the standard Internet to a remote suspect computer that has been booted with SAFE. It allows an on-site person to boot the suspect computer and attach a drive for fast imaging on that computer's bus (not slow imaging over the network as some remote tools require), and for the trained investigator to run tools in the booted environment that perform the acquisition and triage, all from an off-site location.
US-LATT
US-LATT is a live acquisition and triage tool that is an outgrowth of National Institute of Justice (NIJ) sponsored research projects. US-LATT provides investigators and first responders with the ability to triage live evidence that is lost during pull-the-plug-only investigations. How this technology works is simple: insert the US-LATT USB device into the suspect system, triage and acquire the most volatile and stateful evidence, then remove the device. All acquisition results are written to individual case directories, so multiple triages and acquisitions are possible using a single device.
US-LATT is available on many removable devices (ranging from 4GB USB tokens to 2 TB USB 3.0 drives), and the triage and acquisition capabilities continue to expand.
Request a free copy through ECTCoE
T.A.P.S.
T.A.P.S. is a software tool created for law enforcement as a result of a research grant from the National Institute of Justice (NIJ). The research being conducted is discovering ways to improve search performance and accuracy in identifying malicious applications and contraband. As storage devices become larger, and as the need grows to identify malicious applications and contraband such as purposely concealed data (i.e. steganography), the need for this software is of paramount importance.
The core technology of this initial version of T.A.P.S. utilizes a new hashing algorithm developed under the research grant, Fibonacci Hashing or FIB-H1. FIB-H1 is designed to perform rapid scanning for known malicious applications and their derivatives. This new method has allowed us to perform searches for specific objects up to 50 times faster than conventional MD5 hashing methods. This first release includes a rapid response dataset for the identification of steganography programs, while future updates will include other targeted search datasets. Coupled with steganography program identification is our latest proprietary JPEG steganography detection algorithm. This latest approach allows for rapid and accurate identification of suspicious JPEG files that may contain hidden information. This new method utilizes machine learning techniques to extract traits from JPEG images in order to detect the presence of JPEG-embedded steganography.
T.A.P.S. provides direct media scanning (with write blocker), DD or raw image mounting and scanning, and supports scanning inside archives. Detailed reporting and timelining of results are also included.