OpenFoundry - Recently Added Listings - Security Forensics https://www.openfoundry.org/ Fri, 22 Nov 2019 00:06:31 +0100 FeedCreator 1.7.3 ssdeep https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/ssdeep

ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.

Platform: Windows/Linux/BSD/Mac OS; License: GNU General Public License

Reference: https://ssdeep.sourceforge.net/

dio Fri, 10 Dec 2010 02:53:20 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/ssdeep
Autopsy https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/autopsy

The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer. They can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).

Platform: Windows/Linux/BSD; License: GNU General Public License v2

Reference: https://www.sleuthkit.org/autopsy/

dio Fri, 10 Dec 2010 02:52:28 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/autopsy
DWIP https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/dwip

DWIP is short for Disk Wiping and Imaging Tool. This tool is being built for Mississippi State University's National Forensics Training Center for use on a live CD to give out to its students. The main features are: (1) wiping media using a zero pattern, a ones pattern, a user-entered hex string, a random hex string, or a pseudo-DoD-style wipe (the DoD wipe is 7 passes, 3 passes each time: ones the first time, zeros the second time and random the third time); (2) imaging media in DD, E01 and AFF format, and copying one image to another location.

Platform: Linux/BSD; License: GNU General Public License

Reference: https://sourceforge.net/projects/dwip/

dio Fri, 10 Dec 2010 02:51:53 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/dwip
Windows IR/CF Tools https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/windows-ircf-tools

This project is the home of tools associated with the book "Windows Forensic Analysis", as well as other subsequent tools I've written and offer to the IR/CF community. These tools include RegRipper, etc. The project is licensed under GNU General Public License (GPL).

Platform: Windows; License: GNU General Public License

Reference: https://sourceforge.net/projects/windowsir/

dio Fri, 10 Dec 2010 02:51:26 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/windows-ircf-tools
Firefox 3 History recovery https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/firefox-3-history-recovery

ff3hr is a forensic tool to recover deleted history records from Firefox 3. This browser uses various SQLite databases to store the history, and this tool can search and recover records from four different tables in a whole disk image. The project is licensed under the GNU General Public License (GPL).

Platform: Firefox 3; License: GNU General Public License

Reference: https://sourceforge.net/projects/ff3hr/

dio Fri, 10 Dec 2010 02:50:52 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/firefox-3-history-recovery
Webjob https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/webjob

WebJob downloads a program or script from a remote WebJob server and executes it in one unified operation. Any output produced by the program/script is packaged up and sent to a remote, possibly different, WebJob server. WebJob is useful because it provides a mechanism for running known good programs on damaged or potentially compromised systems. This makes it ideal for remote diagnostics, incident response, and evidence collection. WebJob also provides a framework that is conducive to centralized management. Therefore, it can support and help automate a large number of common administrative tasks and host-based monitoring scenarios such as periodic system checks, file updates, integrity monitoring, patch/package management, and so on.

Platform: Windows/Linux/BSD/AIX/Solaris; License: BSD License

Reference: http://webjob.sourceforge.net/WebJob/

dio Fri, 10 Dec 2010 02:50:22 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/webjob
GNU netcat https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/gnu-netcat

Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Platform: Linux/BSD; License: GNU General Public License v3

Reference: https://sourceforge.net/projects/netcat/

dio Fri, 10 Dec 2010 02:49:47 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/gnu-netcat
sdd https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/sdd

'sdd' is a replacement for a program called 'dd'. sdd is much faster than dd in cases where the input block size (ibs) is not equal to the output block size (obs). Its statistics are more easily understood than those from 'dd'. Timing is available: the -time option prints the transfer speed, and timing and statistics can be requested at any time with SIGQUIT (^\). It can seek on both input and output, and provides fast null input and fast null output. Support for the RMT (Remote Tape Server) protocol makes remote I/O fast and easy.

Platform: Windows/Linux/BSD/Mac OS; License: GNU Lesser General Public License

Reference: https://code.google.com/p/deeptoad/

dio Wed, 20 Oct 2010 05:52:50 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/sdd
Deeptoad https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/deeptoad

"Deeptoad" is a (Python) library and tool to cluster similar files using fuzzy hashing techniques. A cryptographic hash function tries to identify one given input unequivocally (i.e., it tries to identify only one file). As described on Wikipedia, an ideal cryptographic hash function has four properties: 1. it is easy to compute the hash value for any given message; 2. it is infeasible to find a message that has a given hash; 3. it is infeasible to modify a message without changing its hash; 4. it is infeasible to find two different messages with the same hash. This project is inspired by the well-known tool ssdeep and is licensed under the GNU Lesser General Public License.

Platform: Windows/Linux/BSD/Mac OS; License: GNU Lesser General Public License

Reference: https://code.google.com/p/deeptoad/

dio Wed, 20 Oct 2010 05:52:23 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/deeptoad
Volatility https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/volatility

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

Platform: Windows/Linux/BSD/Mac OS; License: GNU General Public License v2

Reference: https://code.google.com/p/volatility/

dio Wed, 20 Oct 2010 05:51:56 +0100 https://www.openfoundry.org/en/resourcecatalog/Security/Forensic-Tools/volatility