Windows 8 forensic tools
Windows 8 and later store the following information inside the 'Windows Vault': passwords saved by Internet Explorer and the login information of the Windows Mail application.
To decrypt data stored in Windows Vault files on an external drive, you must know the login password of the user. In the 'Vault Decryption Options' window, choose the 'Decrypt vault files of any system' option, select the drive letter of the external disk, and then click the 'Automatic Fill' button to populate the other folders needed to decrypt the vault files.
You may also need to provide the user's logon password if it was used to protect the data. To decrypt wireless keys stored on an external drive, open the 'Advanced Options' window (F9), choose the 'Load the wireless keys from external instance of Windows installation' option, and then fill in the Windows directory and the Wlansvc Profiles folder on the external drive.
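Before pointing a decryption tool at an offline volume, it helps to inventory what the Wlansvc Profiles folder actually holds. The following is an added Python example (not NirSoft's code) that locates the WLAN profile XML files on a mounted Windows volume and parses each one: SSID, authentication and encryption settings, and whether the key material is a DPAPI blob (which is why the tool above needs the offline Windows directory) or a cleartext passphrase (as in a profile exported with key=clear). The two embedded profiles, their SSIDs and key values are constructed for the example.

```python
"""Inventory WLAN profiles from an offline Windows volume (the Wlansvc
Profiles folder). Added example; not NirSoft's code."""
import glob
import os
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# A DPAPI blob begins with version 1 followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian byte order.
DPAPI_BLOB_PREFIX = "01000000D08C9DDF0115D1118C7A00C04FC297EB"

# Constructed sample: key stored as a (truncated, fake) DPAPI blob, which is
# how Windows keeps it on disk.
SAMPLE_PROTECTED = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><hex>436F727057694669</hex><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>true</protected>
      <keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB010000000A0B0C0D</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

# Constructed sample: the same kind of profile exported with the key in clear.
SAMPLE_EXPORTED = SAMPLE_PROTECTED.replace(
    "<protected>true</protected>", "<protected>false</protected>"
).replace("01000000D08C9DDF0115D1118C7A00C04FC297EB010000000A0B0C0D", "Summer2024!")


def profile_paths(volume_root):
    """WLAN profile XML files under ProgramData on a mounted Windows volume (e.g. 'E:\\\\')."""
    pattern = os.path.join(volume_root, "ProgramData", "Microsoft", "Wlansvc",
                           "Profiles", "Interfaces", "*", "*.xml")
    return sorted(glob.glob(pattern))


def _text(root, path):
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_wlan_profile(xml_text):
    """Return SSID, security settings and key material status of one profile."""
    root = ET.fromstring(xml_text)
    ssid_hex = _text(root, "w:SSIDConfig/w:SSID/w:hex")
    if ssid_hex:
        ssid = bytes.fromhex(ssid_hex).decode("utf-8", "replace")
    else:
        ssid = _text(root, "w:SSIDConfig/w:SSID/w:name")
    key_material = _text(root, "w:MSM/w:security/w:sharedKey/w:keyMaterial")
    protected = (_text(root, "w:MSM/w:security/w:sharedKey/w:protected") or "false").lower() == "true"
    return {
        "name": _text(root, "w:name"),
        "ssid": ssid,
        "authentication": _text(root, "w:MSM/w:security/w:authEncryption/w:authentication"),
        "encryption": _text(root, "w:MSM/w:security/w:authEncryption/w:encryption"),
        "key_type": _text(root, "w:MSM/w:security/w:sharedKey/w:keyType"),
        "protected": protected,
        "key_material": key_material,
        # True when the key must first be decrypted with the offline system's
        # DPAPI master keys; False for open networks or cleartext exports.
        "key_is_dpapi_blob": bool(key_material) and key_material.upper().startswith(DPAPI_BLOB_PREFIX),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PROTECTED, SAMPLE_EXPORTED):
        print(parse_wlan_profile(sample))
    for path in profile_paths("E:\\"):  # assumed mount point of the external drive
        with open(path, encoding="utf-8-sig") as fh:
            print(path, parse_wlan_profile(fh.read()))
```

Profiles whose key_is_dpapi_blob is True cannot be read with the XML alone; the blob is bound to the system's DPAPI keys, which is the reason the GUI asks for the Windows directory of the external installation.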
You can load multiple event log files and view all of them in a single table. To view events from an external drive, open the 'Choose Data Source' window (F7), select the 'Load events from external folder with log files' option, and then type the path of the event logs folder on that drive.
The history file also contains a list of local files that the user opened with Internet Explorer. From the command line, use the -folder parameter to point iehv at the history folder on the external disk. Note that while the history file read by IEHistoryView stores only one record for every Web page visit, the cache file stores multiple records for every page, including all images and other files loaded by that page.

Computers are a vital source of forensic evidence for a growing number of crimes.
While cybercrime has been growing steadily in recent years, even traditional criminals are using computers as part of their operations. The ability to reliably extract forensic information from these machines can be vital to catching and prosecuting these criminals. Computer forensics tools are designed to ensure that the information extracted from computers is accurate and reliable.
Due to the wide variety of computer-based evidence, a number of different types of computer forensics tools exist.
Within each category, a number of different tools exist; this list outlines some of the most widely used. Forensic disk and data capture tools focus on analyzing a system and extracting potential forensic artifacts such as files and emails.
This is a core part of the computer forensics process and the focus of many forensics tools. Autopsy and The Sleuth Kit are probably the most well-known and popular forensics tools in existence.
These tools are designed to analyze disk images, perform in-depth analysis of file systems and include a wide variety of other features. As a result, they include functionality from many of the forensics tool categories mentioned above and are a good starting point for a computer forensics investigation.
X-Ways Forensics is a commercial digital forensics platform for Windows; the company also offers a more stripped-down version called X-Ways Investigator. A major selling point of the platform is that it is resource-efficient and can run from a USB stick, yet it still offers an extensive feature set, listed on its website. FTK (Forensic Toolkit) is a commercial platform that claims to be the only forensics platform that fully leverages multi-core computers.
Additionally, FTK performs indexing up-front, speeding later analysis of collected forensic artifacts. EnCase is a commercial forensics platform that supports evidence collection from over twenty-five different types of devices, including desktops, mobile devices and GPS units.
Within the tool, a forensic investigator can inspect the collected data and generate a wide range of reports from predefined templates. Mandiant Redline is a popular tool for memory and file analysis.
It collects information about running processes and drivers from memory, and gathers other data such as metadata, registry data, tasks, services, network information and internet history to build a report. The Paraben Corporation offers a number of forensics tools with a range of licensing options.
The E3:Universal offering provides all-in-one access, E3:DS focuses on mobile devices, and other license options break out computer forensics, email forensics and visualization functionality. Bulk Extractor is another important and popular digital forensics tool. It scans disk images, files or directories of files to extract useful information, and because it ignores the file system structure it is faster than similar tools.
It is used mainly by intelligence and law enforcement agencies in investigating cybercrime. The latest release on the project's download page has not been updated for some time, but a version 2 is also available. The Windows registry serves as a database of configuration information for the OS and the applications running on it; for this reason, it can contain a great deal of information useful in forensic analysis.
Registry Recon is a popular commercial registry analysis tool. It extracts registry information from the evidence and then rebuilds the registry representation; it can rebuild registries from both current and previous Windows installations. Other forensics tools focus on capturing the information held in volatile memory. Volatility is a memory forensics framework used for incident response and malware analysis. The list below also includes a tool with an OS fingerprinting feature.
One tool in this run-down lists all the activities of a user. If a user has encrypted data on a computer, there is also a tool to detect this: it scans the hard drives and reports any encrypted data it finds; see its documentation for the supported encryption volume types.
One of the tools is described as the first forensic web browser and is widely used by forensic experts. Autopsy is my favorite digital forensic tool for Windows, and I also like NetworkMiner, a free tool with which you can extract the data transferred over a network; it is the only software in this list with an OS fingerprinting feature. Autopsy is an open source forensic tool that runs on Windows and is one of the most popular programs forensic experts use to investigate unauthorized access.
It also offers many features that make it an important tool in the field of digital forensics. All in all, Autopsy is a complete digital forensics package available free of cost.
Wireshark is one of the most widely used network capture and analysis tools for Windows, and so it can also serve in a forensic investigation. You can view all the activity on a network: once you start a capture on an interface, Wireshark records the traffic as a list of packets.
The Info column summarizes each packet, for example Application Data, Encrypted Alert or Standard query. This free digital forensic tool also provides a search feature to find a particular packet within the captured list; you can narrow the list with display filters, and searches can be made case-sensitive. Because it captures live, it keeps you updated with new packets as they arrive.
You can also enable automatic scrolling during live capture to see the latest packets, and you can analyze captured data offline. NetworkMiner is another free digital forensic tool. It is a passive sniffer, so it captures data without generating any traffic on the network.
It can extract files, emails, certificates and more, and it can parse PCAP files so that forensic experts can analyze captured traffic offline. The PCAP parsing speed of the free version is limited. You can use the file extraction feature to save the files transferred over the network by the user. The free version also includes an important feature named OS Fingerprinting.
This tool also reassembles images transferred over the network and shows them as thumbnails in its Images tab. NetworkMiner can also capture important user information such as usernames and passwords, but only for a set of supported protocols.
Such information is displayed in the Credentials tab, from where you can copy the username and password and paste them anywhere on your PC.
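The Credentials tab works because some protocols still carry authentication in cleartext inside TCP payloads. The following is an added Python example (not NetworkMiner's code) that shows the principle on a constructed capture: it parses a classic pcap file, extracts IPv4/TCP payloads, and picks out HTTP Basic authorization headers and FTP USER/PASS pairs, correlating the FTP pair by flow. The capture, addresses, ports, usernames and passwords are all constructed inside the block; pcapng files and non-Ethernet link types are rejected rather than guessed at.

```python
"""Passive credential extraction from a PCAP, in the spirit of NetworkMiner's
Credentials tab. Added example; not NetworkMiner's code."""
import base64
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def iter_pcap_packets(data):
    """Yield raw link-layer frames from classic libpcap bytes (either endianness)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def extract_credentials(pcap_bytes):
    """Find HTTP Basic and FTP USER/PASS credentials in cleartext TCP payloads."""
    found = []
    ftp_users = {}  # flow key -> USER name seen, waiting for the PASS line
    for frame in iter_pcap_packets(pcap_bytes):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        src, dst, sport, dport, payload = parsed
        flow = (src, sport, dst, dport)
        for line in payload.split(b"\r\n"):
            if line.startswith(b"Authorization: Basic "):
                try:
                    decoded = base64.b64decode(line[21:], validate=True).decode("latin-1")
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                user, _, pw = decoded.partition(":")
                found.append({"protocol": "http-basic", "src": src, "dst": dst,
                              "username": user, "password": pw})
            elif line.startswith(b"USER "):
                ftp_users[flow] = line[5:].decode("latin-1")
            elif line.startswith(b"PASS ") and flow in ftp_users:
                found.append({"protocol": "ftp", "src": src, "dst": dst,
                              "username": ftp_users.pop(flow),
                              "password": line[5:].decode("latin-1")})
    return found


def _frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame around payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: one HTTP Basic request and one FTP login. Not real traffic."""
    frames = [
        _frame("10.0.0.5", "10.0.0.80", 51000, 80,
               b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
               + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
        _frame("10.0.0.5", "10.0.0.21", 51001, 21, b"USER bob\r\n"),
        _frame("10.0.0.5", "10.0.0.21", 51001, 21, b"PASS hunter2\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for cred in extract_credentials(build_sample_pcap()):
        print(cred)
```

Real tools reassemble TCP streams before matching, so a header split across segments is still found; this example matches per packet, which is enough to show why anything sent over unencrypted HTTP or FTP ends up in a Credentials tab.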