The foremost challenge encountered by an investigator at the very beginning of a forensics investigation is, accessing a file/data to read/view its contents. Owing to the fact, a platform is necessary for both; opening as well as examining any file. However, deploying a platform each for the files to be examined is a tedious procedure to be followed out every time. Thus, the industry offers an extensive range of freeware utilities to bridge the gap. It isn’t a practically possible approach to possess a supporting application for every different file type an investigator comes across. However, keeping a mutual application handy for similar file types is feasible.
Here is a compilation of the top 10 free utilities that might come handy for forensic investigator’s requirements on an elementary level.
1. Oxygen Forensic® Suite 2015 Standard
Specially dedicated to mobile forensics investigation, Oxygen Forensics has slowly upgraded its features with investigative usefulness. Cases involving the collection of evidence from mobile phones can be dealt with this utility in a Standard Edition (that can be collected on request from the vendor’s site). The tool features options to collect information from the device (OS, Manufacturer, S.no, IMEI, etc.), messages (SMS, Emails, Multimedia Message, etc.) and contact numbers, along with recovery of erased call records, messages and information from tasks and the calendar.
: Oxygen Forensic Suite is possibly one of the leading digital forensic platforms, but it also offers high-end facilities in its Standard Edition, and that sets this utility apart from all the others.
2. Exchange EDB Viewer
- Live Acquisition of Mobile Device Data
- Device Rooting,that helps in most of the cases while carving crucial artifacts ; as they are available to acquire and access only in a rooted / Jail-broken device.
- Extraction on technical details regarding a device
- Inbuilt hex, text, and multimedia file viewers
- Data filter/export and reporting, etc.
While investigating an Acquired Exchange Server Database EDB file without the actual server deployment becomes quite troublesome. The Investigator’s immediate remedy is EDB Viewer, that serves the need to preview an Exchange server database in a hostile Windows environment. The standalone tool offers a preview of the complete Exchange database mailbox items whether in corrupt or healthy state. Both Private and Public folder support is provided along with no size limitation imposed on the database.
: The application is suitable for accessing Exchange Server Database of any given size (as per tests with 1.8 TB EDB) even in a non-server environment with preview provided for all components of each mailbox listed. Deep Email Data Carving is an additional feature that the software serves with its advanced scan mode. It ensures that the compromised or deliberately purged email data is retrieved and previewed without getting into the trouble of deploying a server environment and examining the acquired data precisely.
3. Bulk Extractor
This forensic utility scans an entire disk image, file directory, or files along with extraction of information like domains, credit card details, email IDs, ZIP file contents or URLs. The extracted details are output into a series of text based files that can further be reviewed or analyzed with other scripts or tools of forensics usage. Bulk Extractor comes in handy as it does not parse the file system or structures hence rocketing its scan and preview time and saving crucial investigative time.
: Bulk Extractor is known for its agility and precision as it skips the time other tools take to scan and modulate file system structures. Designed and deployed with resilient algorithms, the tool automatically detects, decompresses, and recursively re-processes compressed data that also reveals crucial data residing in unallocated spaces. It could also be utilized to scan and process any digital media such as SSD, memory cards, TCP/IP network packet dumps, hardware and other media, that makes it amongst the most preferred tool in the Digital Forensics Industry.
4. Outlook PST Viewer
With the rise of MS Outlook usage, Investigators are often greeted with Outlook data (PST) files while extracting evidence. To preview and analyze PST files in a hostile workstation, Outlook PST Viewer serves the need satisfactorily. Being a standalone, there is no need to install or configure Microsoft Outlook for operating the tool. Both ANSI / Unicode formatted PST files can be opened to view components within.
: The application can open and examine PST file of any size including an ANSI, UNICODE or even a corrupt/damaged/tampered or encrypted PST. The ‘Advance Scanning’ mode provided helps process a damaged data file in order to make its contents accessible.
This is one of the most user friendly utilities for editing hexadecimals on a low-level. In addition to that, one can also modify the RAM (main memory) or a completely raw disk. The designing of this freeware utility was done keeping in mind with easy usage yet high performance so that files of large size are efficiently dealt with.
: : Even though it is a forensic utility to examine the hexadecimal coding of a regular document/media file, live RAM, or forensic disk image, HxD is extremely easy to operate. It serves the basic need to perform hex analysis of particular data and discover deleted or encrypted information swiftly. Secondly, the program is flexible, so much so that it offers to open and examine the applications residing in the volatile memory (RAM).
6. E01 Viewer
The utility offer to open and email files from an E01 forensic disk image file. Using the program, an investigator can open one or more E01 image files at a time and view offline Outlook data files (OST), Outlook data files (PST), or Exchange database files (EDB) stored within. It is a standalone utility that requires no external application support to run.
: The forensic image files (E01) created using FTK Imager and Encase Disk Imager are supported for examination by the tool. The application offers the detection of both selective or all data file types from one or multiple E01 files. Moreover, the integration of inbuilt viewers for all three data file types doesn’t affect the software performance at all even with the search option.
This is a network examination utility that can be utilized for identifying devices being used within a network. Evidently, the operation is carried in a ‘Live’ mode, i.e. device information is interpreted by capturing the active network packets. However, the same operation can also be executed in an ‘Offline’ mode only if you have a PCAP type file that you have to import in the tool.
: The tool’s efficiency even in a BETA version can be seen by its capability of capturing details regarding a device with the help of the network packets actively in use. In addition to that, the balance made with provision for offline forensic analysis makes the tool incomparable and a perfect fit for any digital investigator’s toolkit.
8. MBOX Viewer
The program offers to analyze MBOX files from any origin client such as Thunderbird, PocoMail or Turnpike without any external support. In case the investigation revolves around an MBOX file that belongs to Mac machine the software can still be used for viewing the file.
Gmail Investigations often kickstart with takeout data. In such a scenario MBOX Viewer serves the purpose to investigate Google Takeout Email Data without any hassles.
: The unvarying support for MBOX formatted file type regardless of its origin platform sums up the uniqueness of this tool. Also, the program comes with no limitation applied to the number of times it can be used, that makes it handy for anytime and every time usage.
9. File Viewer Lite
The utility comes handy In case a large number of document, image, video, audio, etc., files are to be analyzed. No external support is required to run this universal file access tool that supports a large number of document file types, media files, and other uncategorized files.
: The distinctiveness of this freeware is that, on discovering any unknown file type, this tool can be used for opening it as it supports most of the file types and sometimes fails to open any of them. The list includes a range of document types, image types, audio/video files, and a number of other uncategorized file types too. It should be treated as a last resort where other freeware utilities fail.
10. Outlook OST File Viewer
The tool can be used in case the forensic analysis of an Offline Outlook data file (OST) in the absence of both the Outlook and Exchange environments. Complete preview of items within the file is offered (emails, calendars, contacts, Journals, tasks and notes). OST Viewer eliminates OST file limitation of non-usability on a different machine or client except the originating machine.
: The application offers an ‘Advance Scan’ mode which makes it possible for an investigator to load and access a damaged OST file as well as permanently deleted emails of an Exchange OST file without the need of either the client or the server environment.
The Final Verdict
: While Investigating digital evidence, practitioners tend to not trust blindfolded on a standalone premium tool or utility, so freeware utilities tend to serve the purpose efficiently. The utilities mentioned above are meant to smoothen minor bottle necks or challenges faced that can slow down the whole process.
: The Investigators, users or practitioners are advised to use the utilities on their own risk. The author does not take charge of the utilities and has no connection with the utility vendors as such. Snapshots has been utilized from the official websites, and publishers are requested to inform in case any personal information has been depicted or copyrighted content has been utilized.