
Our Tools

We’ve been quietly developing digital forensics tools and forensic software to assist in our analysis for almost 10 years, and until recently, all of that source code has been sitting around and collecting dust. As time permits, we will be dusting it off, adding some updates, and releasing some of it to the public.

Think of it as our way of saying thank you to everyone who has written articles, published research, or contributed software/code to the forensic community.

These utilities are provided “as-is” and are free for both personal and commercial use. As with any software, including ours, you should always independently validate your findings. Oh, and if you find any of our utilities useful, feel free to drop by @chadgough or @4Discovery on Twitter and say thanks. Bug reports and feature requests are always welcome!

  • EWF MetaEditor
  • Link Parser
  • MetaExtractor
  • USB Historian
  • UserAssistant
  • ShellBagger
  • Drive Digest
  • X-Ways Updater
  • C# X-Tensions API

EWF MetaEditor

Edit EWF/E01 MetaData

EnCase’s Evidence Files (.E01) are similar to other documents in that they have structured internal metadata describing the evidence item, examiner, date acquired, etc…

EWF MetaEditor allows you to edit these properties in order to fix typos, rename incorrect/mislabeled evidence items, and add missing information.

Note: Ex01 (EnCase 7) and Logical Evidence Files (*.L01) are not supported… yet.

Features

  • Remove passwords on EnCase v6 and earlier files
  • Find out if compression (and what level) was used
  • Change EWF/E01 metadata
  • Requirements: Microsoft .NET Framework v4.0
  • Free for both personal and commercial use

Screenshots: compare04, ewfMetaEdit

EWF Meta Editor v1.0 - Released 06-24-2013

Change Log

v1.0 (06-24-2013)

  • Initial Public Release


Link Parser

Parse Microsoft Shell Link (.lnk) Files

Whatever you decide to call them, Link Files, Shortcut Files, or Shell Link Items, they are valuable forensic artifacts. In addition to the filesystem MAC times, the internal structure of the link file can reveal a great deal about the target file, such as volume names, serial numbers, target MAC dates, and file path information.
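As an added example (not Link Parser code or anything from the 4Discovery project), the Python below parses the fixed 76-byte ShellLinkHeader defined in Microsoft's [MS-SHLLINK] specification and converts the target's creation, access and write FILETIMEs to UTC; the sample header is constructed in the code. Volume name, serial number and path live in the LinkInfo structure that follows the header, which this example does not parse.

```python
import struct
from datetime import datetime, timedelta, timezone

# [MS-SHLLINK] ShellLinkHeader: fixed 76 bytes, HeaderSize must be 0x4C and
# LinkCLSID must be 00021401-0000-0000-C000-000000000046 (little-endian GUID).
HEADER_FMT = "<I16sIIQQQIiIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 76
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LINK_FLAGS = {0x1: "HasLinkTargetIDList", 0x2: "HasLinkInfo", 0x4: "HasName",
              0x8: "HasRelativePath", 0x10: "HasWorkingDir",
              0x20: "HasArguments", 0x40: "HasIconLocation"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def to_filetime(dt):
    """Inverse of from_filetime; integer arithmetic keeps large values exact."""
    td = dt - EPOCH_1601
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def parse_lnk_header(data):
    """Return the target's MAC times, size and header flags; ValueError if not a link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "file_attributes": attrs,
        # A zero FILETIME means the field was not populated when the link was written.
        "target_created": from_filetime(ctime) if ctime else None,
        "target_accessed": from_filetime(atime) if atime else None,
        "target_modified": from_filetime(wtime) if wtime else None,
        "target_size": fsize,
    }

def build_sample_header(created, modified, size):
    """Constructed sample header (not a real .lnk): HasLinkInfo|HasRelativePath set,
    FILE_ATTRIBUTE_ARCHIVE, access time equal to creation time, ShowCommand=1."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0x2 | 0x8, 0x20,
                       to_filetime(created), to_filetime(created),
                       to_filetime(modified), size, 0, 1, 0, 0, 0, 0)

SAMPLE_CREATED = datetime(2012, 12, 16, 9, 30, tzinfo=timezone.utc)
SAMPLE_MODIFIED = datetime(2013, 5, 24, 15, 0, tzinfo=timezone.utc)
SAMPLE_LNK = build_sample_header(SAMPLE_CREATED, SAMPLE_MODIFIED, 4096)
print(parse_lnk_header(SAMPLE_LNK))
```

To run it against a real shortcut, pass the first 76 bytes of the file to parse_lnk_header; a FILETIME of zero is reported as None rather than 1601-01-01.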

Features

  • Parses a single item, multiple selected items, or recursively over a folder or mounted forensic image
  • Multi-Select individual files
  • Exports to CSV for easy analysis
  • GUI supports Date/Time sorting
  • Over 30 attributes extracted
  • Free for both personal and commercial use

Screenshots: lnk_ss_01

Link Parser v1.3 - Released 05-24-2013

Change Log

v1.3 (05-24-2013)

  • Application now digitally signed
  • Application will automatically check for updates
  • Application now has global exception handling
  • Minor bug fixes and UI changes

v1.2 (04-09-2013)

  • Added automatic updating and error reporting
  • Now requires Microsoft .NET Framework v4.0
  • A few bug fixes

v1.1 (02-26-2013)

  • Added MD5 Hash for Link Files

v1.0 (12-16-2012)

  • Initial Public Release


MetaExtractor

Extract Internal Metadata from Microsoft Office and Adobe PDF Files

It’s no secret that many document types contain metadata that can reveal a wealth of information about the history, usage, authors, and contributors of a document, which can be a great source of information for your investigation. MetaExtractor can retrieve this information in bulk from thousands of documents in minutes.

Features

  • New: Support for OpenOffice files
  • New: Support for parsing SolidWorks CAD Drawings
  • Native file parsing (does not require Office or Acrobat to be installed)
  • Support for Office 2003/2007/2010/2013 file formats
  • Support for Adobe PDF documents
  • Can recursively parse a folder (and subfolders) of files
  • Multi-Select individual files
  • Exports to CSV for easy analysis and reporting
  • GUI supports Date/Time sorting for quick review
  • Support for over 40 metadata fields
  • Requirements: Microsoft .NET Framework v4.0
  • Free for both personal and commercial use

Screenshots: meta_ss_01

MetaExtractor v1.5 - Released 07-16-2013

Change Log

v1.5 (07-16-2013)

  • New: Support for OpenOffice and SolidWorks file formats
  • Added ability to access files with paths longer than 255 characters
  • Added basic threading and progress bar
  • Added friendly names to exports, i.e. fieldName is now “Field Name”
  • Updated browse for folder dialog box to new Vista/7 style
  • Fixed crash on export when processed files had invalid dates
  • You can now parse multiple sources. Results will be appended to the existing results or optionally cleared.

v1.4 (05-24-2013)

  • Application now digitally signed
  • Application will automatically check for updates
  • Application now has global exception handling
  • Minor bug fixes and UI changes
  • Now requires .Net Framework 4.0

v1.3 (03-28-2013)

  • Added additional fields from PDF documents

v1.2 (02-26-2013)

  • Added support for PDF files

v1.1 (01-15-2013)

  • Added Support for Office 2007 file formats (OpenXML)

v1.0 (11-06-2012)

  • Initial Public Release
  • Added support for Office 2003 File Formats

USB Historian

Parse USB Connection History

Microsoft Windows operating systems record artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected. These artifacts can be found in Plug and Play (PnP) log files as well as the Windows Registry.

For a forensic investigator dealing with the theft, movement, or access of data, these artifacts can play a critical role in an investigation.

Features

  • New: Contains a cached copy of USB IDs from http://www.linux-usb.org/usb.ids. If available, VID/PID values are looked up to provide additional device information.
  • Parses the computer name to help locate USB devices used across multiple computers.
  • Displays over 20 attributes
  • Wizard driven analysis
  • Parses SetupAPI Logs (and backup logs)
  • Able to parse multiple NTUSER.DAT files at a time
  • Requirements: Microsoft .NET Framework v4.0
  • Free for both personal and commercial use

Screenshots: usb_ss_03, usb_ss_01, usb_ss_02

USB Historian v1.3 - Released 07-24-2013

Change Log

v1.3 (07-24-2013)

  • New: Contains a cached copy of USB IDs from http://www.linux-usb.org/usb.ids. If available, VID/PID values are looked up to provide additional device information.
  • You can now parse multiple sources. Results will be appended to the existing results or optionally cleared.
  • Fixed crash when VID/PID values were missing
  • Fixed crash when trying to access files in use
  • Fixed date formatting on exports
  • Fixed error that could occur when some files were missing from input
  • Added friendly names to exports, i.e. fieldName is now “Field Name”
  • Updated browse for folder dialog box to new Vista/7 style
  • Added threading for faster processing and fixed window freeze

v1.2 (05-27-2013)

  • Added FriendlyName
  • Fixed bug in SetupAPI processing
  • Fixed bug in MountedDevice processing
  • Added ReadyBoost (EMDMgmt) parsing

v1.1 (02-26-2013)

  • Application now digitally signed
  • Application will automatically check for updates
  • Application now has global exception handling
  • Minor bug fixes and UI changes
  • Now requires .Net Framework 4.0
  • Fixed bug where devices have missing vid/pid
  • Fixed bug in parsing when devices have “&” in name

v1.0 (12-16-2012)

  • Initial Public Release


UserAssistant

User Assist Analysis

Description

UserAssist keys are a mechanism Microsoft uses to populate a user’s Start menu with frequently used applications. They exist on Windows XP, Vista, and 7 and maintain counts of application usage. These values are located in each user’s NTUSER.DAT hive under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist and are ROT-13 encoded.
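As an added example (not UserAssistant code or anything from the 4Discovery project), the Python below undoes the ROT-13 applied to a UserAssist value name and parses the two binary value layouts into the session, run count and last-run fields listed above: the 16-byte XP/Vista layout (session, count, FILETIME, with the stored count starting at 5) and the 72-byte Windows 7 layout (run count at offset 4, focus count at 8, focus time in ms at 12, last-run FILETIME at offset 60). The value name and binary value are constructed in the code.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Value names under this key are ROT-13 encoded; the values are binary counters.
USERASSIST_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime, None if 0."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def decode_name(value_name):
    """Undo the ROT-13 on a UserAssist value name (digits and punctuation unchanged)."""
    return codecs.decode(value_name, "rot_13")

def parse_value(blob):
    """Parse one UserAssist binary value. XP/Vista: 16 bytes (session, count,
    FILETIME; the stored count starts at 5). Windows 7: 72 bytes with run count
    at offset 4, focus count at 8, focus time (ms) at 12 and the last-run
    FILETIME at offset 60; bytes 16..55 hold ten floats that are ignored here."""
    if len(blob) == 16:
        session, count, last_run = struct.unpack("<IIQ", blob)
        return {"layout": "xp", "session": session,
                "run_count": max(count - 5, 0), "last_run": from_filetime(last_run)}
    if len(blob) == 72:
        session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", blob, 0)
        (last_run,) = struct.unpack_from("<Q", blob, 60)
        return {"layout": "win7", "session": session, "run_count": run_count,
                "focus_count": focus_count, "focus_time_ms": focus_ms,
                "last_run": from_filetime(last_run)}
    raise ValueError(f"unexpected UserAssist value length {len(blob)}")

def build_win7_sample(run_count, focus_count, focus_ms, last_run):
    """Constructed 72-byte Windows 7 value (floats and unknown fields zeroed)."""
    td = last_run - EPOCH_1601
    ft = ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10
    return (struct.pack("<4I", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)

SAMPLE_NAME = r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pzq.rkr"   # constructed value name
SAMPLE_LAST_RUN = datetime(2013, 5, 24, 15, 0, tzinfo=timezone.utc)
SAMPLE_VALUE = build_win7_sample(7, 3, 120_000, SAMPLE_LAST_RUN)

def analyse(value_name, blob):
    """One row per registry value: decoded application name plus parsed counters."""
    return {"application": decode_name(value_name), **parse_value(blob)}

if __name__ == "__main__":
    print(analyse(SAMPLE_NAME, SAMPLE_VALUE))
```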

Features

  • Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes
  • Saves to CSV for additional analysis
  • Requirements: Microsoft .NET Framework v4.0
  • Free for both personal and commercial use

Screenshots: userassistl_ss_02, userassistl_ss_01

User Assistant v1.2 - Released 05-24-2013

Change Log

v1.2 (05-24-2013)

  • Application now digitally signed
  • Application will automatically check for updates
  • Application now has global exception handling
  • Minor bug fixes and UI changes
  • Now requires .Net Framework 4.0

v1.1 (04-14-2013)

  • Added support for Windows 7 binary structures

v1.0 (02-02-2013)

  • Initial Public Release


ShellBagger

Analyse ShellBag Artifacts

Description

Microsoft Windows tracks user window viewing preferences specific to Windows Explorer. Tracked items include the size, view, icon, and position of a folder in Windows Explorer. This information is referred to as “ShellBags” and is stored in several locations within the Registry. These keys can be extremely useful to a forensic investigator since ShellBags are persistent and remain behind even if the directory is removed. They can also reveal information about previously mounted volumes such as USB drives, mapped drives, network folders, deleted files, and user actions.

ShellBags Locations

ShellBags may be found in a few locations, depending on operating system version.

  • Windows XP – NTUSER.DAT hive: “Software\Microsoft\Windows\Shell” and “Software\Microsoft\Windows\ShellNoRoam”
  • Windows 7 – NTUSER.DAT and UsrClass.dat hives: “Local Settings\Software\Microsoft\Windows\ShellNoRoam” and “Local Settings\Software\Microsoft\Windows\Shell”

Features

  • Parses file paths, registry dates from bag entries, modified, access, creation times from shell link items, type, file size (if available) and location
  • Performs lookups on known GUIDs
  • Saves to CSV for additional analysis/reporting
  • Requirements: Microsoft .NET Framework v4.0
  • Free for both personal and commercial use

Screenshots: shell_ss_01, shell_ss_02

Change Log

v1.5 (05-24-2013)

  • Added seconds to display

v1.4 (05-24-2013)

  • Application now digitally signed
  • Application will automatically check for updates
  • Application now has global exception handling
  • Minor bug fixes and UI changes
  • Now requires .Net Framework 4.0
  • Fixed bug in path parsing
  • Added basic threading to processing

v1.3 (05-13-2013)

  • Fixed bug in parsing shell link items

v1.2 (04-18-2013)

  • Fixed crash that could occur when parsing carved hives

v1.1 (04-07-2013)

  • Enhancements to parsing algorithm. More bags are now found
  • Code cleanup

v1.0 (03-24-2013)

  • Initial Public Release


Drive Digest

Analysis, Categorization, and Reporting on Documents

Drive Digest was created to automate the numerous requests we received to summarize the contents of a hard drive or document collection.

File Analysis

  • MD5 and SHA1 hashing
  • List files inside of archives
  • Supports scanning paths longer than 255 characters
  • Lists filesystem dates and times for easy filtering
  • Categorizes files by over 200 file types and provides counts and total size summaries
  • Supports regular expression rules for alerting on notable files such as encryption programs, large files, and often overlooked backup archives

Archive File Analysis

  • List Files inside of archives
  • Scans inside of zip, rar, tar, gzip, 7zip, ISO images, arm, cab and other archive types
  • Hashes files in archives
  • Configurable to scan nested archives (zip inside a zip)
  • Creates a summary of compressed size, uncompressed size, and item counts for every archive

Email Analysis (Pro Version Only)

  • Creates email listings from Microsoft Outlook PST and OST files
  • Lists documents stored as attachments in emails
  • Calculates the total size of messages and documents stored in archives
  • Creates a summary of each email archive including earliest message, newest message, count of emails, and count of attachments

Encrypted Document Detection (Pro Version Only)

  • Detects over 200 different types of encrypted documents
  • Lists document type, decryption complexity, and recovery options

Other Features

  • Multithreaded for quick analysis
  • Number of threads configurable at runtime
  • Saves all data directly to Microsoft Excel
  • Requirements: Microsoft .NET Framework v4.0
  • Lite version free for both personal and commercial use. Pro version is restricted and not currently publicly available

Screenshots: digest_ss_01

Drive Digest v1.2 - Released 05-24-2013

Change Log

v1.2 (05-24-2013)

  • Application now digitally signed
  • Application will automatically check for updates
  • Application now has global exception handling
  • Minor bug fixes and UI changes
  • Now requires .Net Framework 4.0
  • Added ability to limit the number of threads used for processing

v1.1 (04-11-2013)

  • Added zip summary functionality
  • Fixed bug in PST processing
  • Speed Improvements

v1.0 (03-19-2013)

  • Initial Public Release

X-Ways Updater

Keep X-Ways Forensics Up To Date

At 4Discovery, we consider X-Ways Forensics to be the Swiss Army knife of forensics programs. With updates being released sometimes weekly, we created X-Ways Updater to help keep us current.

Usage: Copy xwfUpdater to the directory where you want to install X-Ways Forensics. An ini file will be created once you enter your license information. Choose the components to update and download. Your existing configuration and settings will be retained.

Features

  • Requires a valid/current X-Ways Forensics license
  • Updates X-Ways, the viewer component, or MPlayer
  • Downloads an updated NSRL hash database. Note that this is really only useful for new installs, as it will overwrite any existing hash databases
  • Updates scripts/templates from http://www.x-ways.net/winhex/templates/
  • Requirements: Microsoft .NET Framework v4.0
  • Free for both personal and commercial use

Screenshots: xwu_ss_01

X-Ways Updater v1.5 - Released 05-24-2013

Change Log

v1.5 (05-24-2013)

  • Application now digitally signed
  • Application will automatically check for updates
  • Application now has global exception handling
  • Minor bug fixes and UI changes
  • Now requires .Net Framework 4.0
  • Fixed bug in downloading thread

v1.4 (04-14-2013)

  • Made downloading latest version of X-Ways Forensic optional

v1.3 (03-03-2013)

  • Added downloading of scripts/templates

v1.2 (02-14-2013)

  • Added basic threading
  • Fixed bug when incorrect credentials were used
  • Added warning dialog when updating NSRL

v1.1 (01-30-2013)

  • Added NSRL download

v1.0 (11-17-2012)

  • Initial Public Release

C# X-Tensions API

Extend the functionality of X-Ways Forensics

Description

Starting with X-Ways Forensics v16.4 (released in early 2012), investigators have been able to automate and extend the functionality of X-Ways Forensics with X-Tensions. Since X-Tensions can be written in any programming language, the possibilities are endless. Source code for Visual Studio 2010 can be downloaded below or cloned from GitHub at https://github.com/chadgough/x-tensions.

Helper Methods and Wrappers

In order to speed up development of new X-Tensions, we created some helper methods for commonly used operations.

  • XWFGetVolumeName
  • XWFGetReportTableAssocs
  • XWFGetSectorContents
  • XWFGetItemType
  • XWFGetVolumeInformation
  • XWFSearchWithoutCodePages
  • ReadItem(IntPtr hItem)
  • GetFullPath(Int32 itemId)
  • CreateFileFromExternalFile
  • CreateSearchInfo

Features

  • This is a fully feature-compliant port of the C++ demo located here
  • All exported functions are present

Change Log

  • Updated to support X-Ways Forensics 16.9

References

X-Ways Forensics X-Tensions API Documentation