"Having nifty software is great, but nifty software doesn't win cases. Integrity, experience and credibility are fundamental ingredients in successful litigation."
ASR Data

Computer Forensics Software

Note: only some products are listed for each company; for full, up to date descriptions see the respective Web sites. Companies and products are listed in no particular order, however FREE tools are listed first.

HELIX- bootable live CD, free

Helix is a customized distribution of the Knoppix Live Linux CD. It boots into a customized Linux environment with its own kernels, excellent hardware detection and many applications dedicated to incident response and forensics.

Helix has been modified carefully NOT to touch the host computer in any way, so that it is forensically sound: it will not auto-mount swap space or any attached devices. Helix also has a Windows autorun side, a menu of incident response and forensics tools that runs from the CD on a live Windows system without rebooting it. Helix focuses on incident response and forensics tools and is meant to be used by people who already have a sound understanding of incident response and forensic techniques.

See:http://www.e-fense.com/helix/

DEFT (Digital Evidence & Forensic Toolkit) - bootable live CD, free

DEFT (Digital Evidence & Forensic Toolkit) is a customized distribution of the Kubuntu live Linux CD. It is a very easy to use system with excellent hardware detection and the best open source applications dedicated to incident response and computer forensics.

See: http://www.stevelab.net/deft/index.php

Lnx4n6- bootable live CD, free

This GNU/Linux boot CD-ROM is made by the Belgian Federal Computer Crime Unit (FCCU). It is based on the KNOPPIX Live CD version 4.02 by Klaus Knopper. The main purpose of the CD is to help with the forensic analysis of computers.

See: http://www.lnx4n6.be/index.php

Penetration testing bootable live CDs, some also include forensic tools

Penetration testing CDs are not proper computer forensics tools, but when used with caution they can often help with live network investigations and related tasks. Some tools we have used are listed below (this is not a complete list; there are many more):

Operator is a complete Linux (Debian) distribution that runs from a single bootable CD and runs entirely in RAM. Operator contains an extensive set of open source network security tools for monitoring and discovering networks, so it can turn virtually any PC into a network security pen-testing device without installing any software. Operator also contains a set of computer forensic and data recovery tools that can assist with data retrieval on the local system.

BackTrack is a top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes. It evolved from the merger of two widespread distributions, Whax and Auditor Security Collection; by joining forces and replacing those distributions, BackTrack gained massive popularity and was voted #1 in the 2006 insecure.org survey. Security professionals as well as newcomers use it as their favourite toolset all over the globe, and few other commercial or freely available analysis platforms offer an equivalent level of usability, automatic configuration and focus on penetration testing.

Pentoo is a penetration testing LiveCD distribution based on Gentoo. It features a lot of tools for auditing and testing a network, from scanning and discovering to exploiting vulnerabilities.

F.I.R.E., PHLAK and a few others were good tools, but are not maintained any more and only old versions can be found on the Internet.

The Coroner's Toolkit (TCT) - free

TCT is a collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a break-in. The software was first presented in a Computer Forensics Analysis class in August 1999 (handouts can be found here). Examples of using TCT can also be found on-line in a series of columns in Dr. Dobb's Journal. Free, includes source code, see: http://www.porcupine.org/forensics/tct.html

The Sleuth Kit (TSK), previously called TASK, is a collection of command line tools based on The Coroner's Toolkit (TCT). Autopsy is a graphical interface to the command line tools in TSK.

See also the Forensic Discovery book by Dan Farmer and Wietse Venema on the Recommended Books on Computer Forensics page.

ProDiscover Basic Edition - free

ProDiscover Basic is a complete GUI based computer forensic software package. It includes the ability to image, preserve, analyze and report on evidence found on a computer disk drive. It is freeware and may be used and shared without charge. See below for commercial version.

See: http://www.techpathways.com/ to learn about ProDiscover® family of security products. Technology Pathways, LLC is a leading edge provider of computer security tools and services for the Corporate IT, government and legal communities.

Open Source Digital Forensics - free

The Open Source Digital Forensics site is a reference to the use of open source software in digital forensics and incident response. Open source tools may have a legal benefit over closed source tools because they have a documented procedure and allow the investigator to verify that a tool does what it claims. Sections: Tools (Unix-based, Windows-based), Procedures, Test Images and Procedures, Research Papers. Excellent resource.

See: http://www.opensourceforensics.org/

WINFINGERPRINT - free

Winfingerprint is a Win32 Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans. Using SMB, winfingerprint can enumerate OS, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks, security event log, and time of day in either an NT Domain or Active Directory environment. Winfingerprint-cli is a command line version. Wininterrogate is a Win32 file system and process enumeration/integrity tool.

See: http://winfingerprint.sourceforge.net/

HxD - free

Excellent hex editor for the Windows environment. HxD is a carefully designed and fast hex editor that includes raw disk editing, editing the memory of other running processes and handling files of any size. Its clear interface offers searching/replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and more.

See: http://www.mh-nexus.de/hxd/

X-Ways Software Technology AG

X-Ways Forensics is an advanced work environment for computer forensic examiners. It is closely integrated with the WinHex hex and disk editor (see below) and can be purchased as a forensic license for WinHex. X-Ways Forensics comprises all the general and specialist features known from WinHex, such as disk cloning and imaging, examining the complete directory structure inside raw image files, native support for FAT, NTFS, Ext2/3, CDFS, UDF, built-in interpretation of RAID systems and dynamic disks, viewing and imaging physical RAM and the virtual memory of running processes, gathering slack space, free space, inter-partition space, and much more.

Other products: WinHex, a universal hexadecimal editor; Davory, which undeletes files and recovers files from logically corrupted or formatted drives; Evidor, the evidence collector for lawyers, corporate law and IT security departments; and more.

For full details see: http://www.sf-soft.de/ , see also the X-Ways Support Forum

NTI (New Technologies, Inc.) - free for full-time law enforcement personnel (US only?)

The Free Law Enforcement Suite includes:

DiskSig Pro - a CRC hashing utility that validates the accuracy of evidence-grade bitstream backups. It is also used to inventory the number of partitions on a hard disk drive and to identify the operating systems involved; in this regard DiskSig Pro incorporates the functionality of NTI's former PTable forensics tool and adds further capabilities.

FileList Pro - a program used to quickly inventory a computer storage device and to document information about both "deleted" and allocated files on Microsoft-based computer systems (including Windows XP). It is also useful for creating a timeline of computer usage on a computer that has been seized as evidence in a computer-related criminal case.

GetGif - a "smart" filtering and data capture tool that automatically identifies and reconstructs GIF graphics files in Internet-related investigations and identity theft cases involving fraudulent picture identification.

GetSlack - a forensic data capture utility used to capture all of the file slack contained on a logical hard disk drive or floppy diskette.

and other tools.

See: http://www.forensics-intl.com/suite7.html ; to check who qualifies for the free software see: http://www.forensics-intl.com/lepolicy.html

Guidance Software

Guidance Software's EnCase® computer forensic software is widely regarded as the industry standard. Used by thousands of law enforcement agencies worldwide, EnCase seizes, authenticates, searches and recovers computer evidence in a rapid and thorough manner. Computer evidence recovered with EnCase has been admitted in thousands of court proceedings in several countries and jurisdictions, and the software has been expressly validated by the courts in several published decisions.

See also the library of Computer Forensics White Papers (mostly Guidance Software specific, but some not). For full details see: http://www.guidancesoftware.com/

Paraben Forensics

P2 Power Pack: Paraben's P2 Examination Process is an alternative way of thinking in computer forensics. P2 works hand-in-hand with the Paraben forensic tool line; it includes all of their tools, each taking a different role in the examination and lessening the workload by distributing the examination amongst specialized tools. The product contains the following items: Case Agent Companion, Decryption Collection Enterprise, E-mail Examiner, Forensic Replicator, Forensic Sorter, Network E-mail Examiner, PDA Seizure, Text Searcher.

Cell Seizure is a software product for performing forensic analysis of cell phones.

For full details see http://www.paraben-forensics.com/

AccessData

Ultimate Toolkit ™ Tools for Computer Crime Investigators. Everything you need in one package. The Ultimate Toolkit is the complete AccessData Software Kit. Some tools included:

Forensic Toolkit® (FTK™) offers law enforcement and corporate security professionals the ability to perform complete and thorough computer forensic examinations. The FTK features powerful file filtering and search functionality. FTK's customizable filters allow you to sort through thousands of files to quickly find the evidence you need. FTK is recognized as the leading forensic tool to perform e-mail analysis.

Registry Viewer™ gives you the ability to view stand-alone (offline) Windows registry hive files. The Registry Viewer provides access to the "Protected Storage System Provider" key, which contains e-mail and Internet passwords and settings, and can easily generate reports containing data from registry keys of interest. The Registry Viewer requires a USB or parallel dongle to restrict unauthorized use.

Password Recovery Toolkit™ (PRTK™) includes all the password recovery modules except for the NT & Novell password replacement.

For full details see http://www.accessdata.com/

Technology Pathways

Computer security tools and services. The ProDiscover® family of security products combines high quality, performance and ease of use at affordable prices. The ProDiscover® family of computer security tools enables systems administrators, consultants and investigators to find the data they need on a computer disk. Solutions for incident response, corporate policy compliance investigation, e-discovery and computer forensics: find all the data, even in a hidden HPA (Host Protected Area), Alternate Data Streams or slack space; create hash signatures for all files and compare them with the National Drug Intelligence Center (NDIC) HashKeeper database; automatically generate reports and "evidentiary quality" information that will hold up in court.

See above for free, "Basic" edition.

For full details see: http://www.techpathways.com/ , see also The Resource Center for list of useful materials and links: Technical White Papers, Webinars, Presentations, Forensics Reference, General Security Reference, Computer Crime, and Forensics Links.

Acquisition and Checksum (hashing) Tools - free

Forensic Acquisition Utilities - a collection of utilities and libraries intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment. The components in this collection permit the investigator to sterilize media for forensic duplication, discover where logical volume information is located and collect the evidence from a running system, while guaranteeing data integrity (e.g. with a cryptographic checksum) and minimizing changes to the subject system.

dcfldd is an enhanced version of GNU dd with features useful for forensics and security. Based on the dd program found in the GNU Coreutils package, dcfldd adds the following features: hashing on-the-fly, status output, flexible disk wipes, image/wipe verification, multiple outputs, split output, piped output and logs.

MD5 & Hashing Utilities (also Decode - Forensic Date/Time Decoder, Favourite Viewer, Cookie Decoder and a few other free tools).

Ports of common GNU utilities to native Win32.

...there are many more.
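As an added example (not code from the original page, nor from the dcfldd or Forensic Acquisition Utilities projects), the following POSIX sh script rebuilds the dcfldd acquisition workflow described above from plain GNU coreutils: sterilise the destination, image the source while hashing the bytes as they are written, split the image, verify the pieces against the recorded hash and keep a log. It runs offline on a constructed 1 MiB sample; the file paths are assumptions, and a real acquisition would point SRC at a block device (for example /dev/sdb) attached through a hardware write blocker.

```shell
#!/bin/sh
# Added example, not code from the original page or from dcfldd/FAU: the
# dcfldd acquisition workflow (sterilise destination, image with an
# on-the-fly hash, split, verify, log) using only POSIX sh and coreutils.
# Paths are assumptions for the demo; a real acquisition reads a block
# device behind a write blocker instead of the constructed sample file.
set -eu

# Constructed 1 MiB "evidence drive" (random bytes) so the demo runs offline.
make_sample_source() {       # make_sample_source SRC
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

# Sterilise the destination: zero-fill it so leftovers from an earlier case
# can never be mistaken for data that came from this source.
sterilise() {                # sterilise DEST SIZE_IN_KIB
    dd if=/dev/zero of="$1" bs=1024 count="$2" 2>/dev/null
}

# Image SRC to IMG. tee hands every block to the image file and to sha256sum
# at the same time, so the recorded hash is of exactly the bytes written
# (dcfldd's hashing on the fly), not of a second read of the source.
# conv=noerror keeps going past unreadable sectors and sync pads them with
# zeros so offsets in the image still match the source; note that a source
# whose size is not a multiple of bs gets its last block padded as well.
acquire() {                  # acquire SRC IMG LOG ; prints the SHA-256
    src=$1 img=$2 log=$3
    dd if="$src" bs=64k conv=noerror,sync 2>"$log.dd" \
        | tee "$img" | sha256sum | cut -d' ' -f1 > "$img.sha256"
    {
        echo "source=$src"
        echo "image=$img"
        echo "acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "sha256=$(cat "$img.sha256")"
    } >> "$log"
    cat "$img.sha256"
}

# Split the image into fixed-size pieces (dcfldd's split= option). The
# default alphabetical suffixes (aa, ab, ...) keep `cat "$img".part*` in order.
split_image() {              # split_image IMG SIZE   e.g. 256k or 2G
    split -b "$2" "$1" "$1.part"
}

# Verify: stream the pieces back through the hash and compare with the hash
# recorded at acquisition. Returns 0 when they match, 1 when anything changed.
verify_image() {             # verify_image IMG
    expected=$(cat "$1.sha256")
    actual=$(cat "$1".part* | sha256sum | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

run_demo() {                 # run_demo WORKDIR
    d=$1
    make_sample_source "$d/src"
    sterilise "$d/img" 1024
    echo "image sha256: $(acquire "$d/src" "$d/img" "$d/case.log")"
    split_image "$d/img" 256k
    if verify_image "$d/img"; then echo "verified"; else echo "HASH MISMATCH"; fi
}

# Usage: sh acquire.sh demo [workdir]
case "${1:-}" in demo) run_demo "${2:-$(mktemp -d)}" ;; esac
```

The design point is that the hash is computed from the stream that produces the image, so a later re-hash of the pieces proves both that the image is what was written and that the pieces still reassemble to it; any single flipped byte in any piece makes verify_image fail.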

The Digital Forensic Research Workshop (DFRWS) and Common Digital Evidence Storage Format (CDESF)

The Digital Forensic Research Workshop (DFRWS) was initiated in August 2001 to bring academic researchers and digital forensic investigators and practitioners together for active discussion that addresses three major objectives:

  • Define the need and create the processes for the incorporation of a rigorous scientific method as a fundamental tenet of the evolving discipline of Digital Forensic Science
  • Develop a research agenda that considers practitioner requirements, multiple investigative environments and emphasizes real world usability
  • The discovery, explanation and presentation of conclusive, persuasive evidence that will meet the heightened scrutiny of the courts and other decision-makers in military and civilian environments

Common Digital Evidence Storage Format (CDESF) working group intends to define an open data format that can store both digital evidence and related metadata. For example, the CDESF could contain a bit-wise image of a hard disk as well as the location from where the image was made, a digital photograph of the hard disk, the name of the person who made the image, and the case number. A different instance of the CDESF could contain a contraband file along with the unique identifier of the hard disk image from which it was extracted, the name of the investigator, and its original file name path. Another instance of the CDESF could contain only the metadata for a hard disk bit-wise image and a pointer to a second file where the actual hard disk image is stored in a raw format.


Other Software

in no particular order...
  • TUCOFS, or T.U.C.O.F.S., stands for The Ultimate Collection of Forensic Software. This site puts law enforcement personnel in touch with the latest Internet-based resources for high-tech law enforcement purposes. Resource types include files, software, websites and documentation. TUCOFS can be used as an index pointing you to various resources, allowing you to quickly find exactly what you are looking for.
  • TechnoLogismiki offers series of tools, "lite" versions free. Hackman Hex Editor is a powerful multi-module hex editor. It comes with cryptography capabilities, decoding with ready and self-made algorithms and a fully-featured editor. Other tools: Hackman Disassembler, Hackman Template Editor.
  • DRIVESPY from Digital Intelligence is a forensic DOS shell. It is designed to emulate and extend the capabilities of DOS to meet forensic needs. A very powerful tool.
  • The Sysinternals web site of Mark Russinovich and Bryce Cogswell provides advanced utilities, technical information and source code related to Windows internals that you won't find anywhere else. Free.
  • Digital Detective NetAnalysis - forensic Internet history analysis. The site also offers a collection of free forensic computing tools and utilities and a forensic computing forum.
  • ILook Investigator toolsets are computer forensic tools used to capture and analyze images created from computer systems hard drives and other external storage media. Free to qualifying users worldwide (Law Enforcement, Government Intelligence, Military agencies, etc. - see the ILook Web site for details).
  • NetIntercept - The Network Forensics Analysis Tool.
  • Hex Workshop from BreakPoint Software is advanced, customisable Hex editor, data inspector and structure viewer.
  • DataLifter Forensicware Tools offers a series of tools built on years of investigative experience to assist with computer forensics, information auditing, information security and data recovery. The Forensicware™ Solution is a software suite bundling 20 investigative tools.
  • XnView is a free graphic files browser, viewer and converter. Supports more than 400 graphics formats, multi platform. Probably the best tool of this kind, it also handles proprietary formats other tools do not because of legal issues (example: opens and converts WBZ format from Webshots)
  • Top 75 security tools, with short description and links.
  • ntoinsight is a powerful freeware web crawler capable of quickly scanning a web site to discover site content, resources/attributes and general web site security exposure. NT OBJECTives is a team of security consultants and software developers who occasionally release new software and makes available application security research and white papers.
  • Foremost is a console program that recovers files based on their headers and footers. Foremost can work on image files, such as those generated by dd, SafeBack, EnCase, etc., or directly on a drive. The headers and footers are specified in a configuration file, so you can pick and choose which headers to look for. Developed by the United States Air Force Office of Special Investigations, foremost has been released to the general public.
  • Runtime Software offers data recovery software and data recovery service for all Windows file systems as well as all kinds of disk and forensic utilities.
  • ASR Data SMART for Linux is a software utility that has been designed and optimized to support data forensic practitioners and Information Security personnel in pursuit of their respective duties and goals. The SMART software and methodology have been developed with the intention of integrating technical, legal and end-user requirements into a complete package that enables the user to perform their job most effectively and efficiently.
  • NirSoft web site provides a unique collection of small and useful freeware utilities relating to computer forensics.
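The header/footer carving that Foremost performs (listed above) is simple enough to show in full. The following is an added example in Python, not code from the original page or from the foremost project: it scans a raw image for known file headers, cuts each file at its footer (or at a per-type maximum size when the footer never appears, as with a file truncated by the end of the disk) and names the output by offset. The signature table, the size limits and the constructed sample image are assumptions for the demo; the signatures themselves (JPEG FF D8 FF / FF D9, PNG magic / IEND chunk, GIF8 / 00 3B) are the standard ones.

```python
"""Added example, not code from the original page or from foremost: file
carving by header and footer over a raw image, independent of any file
system. Signature table, limits and the sample image are assumptions."""
from dataclasses import dataclass

# kind -> (header, footer, maximum bytes to carve when no footer is found)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 2 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 1024 * 1024),
}


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset of the header inside the image
    data: bytes      # header through footer (footer included)
    complete: bool   # False when the footer was not found within the limit


def carve(image: bytes, signatures=SIGNATURES):
    """Find every header of every type; cut from it to the matching footer,
    or to the type's maximum size when the footer is missing. Deleted files
    whose directory entries are gone are still recovered this way, because
    their bytes remain on disk until overwritten."""
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end >= 0:
                end += len(footer)
                found.append(Carved(kind, start, image[start:end], True))
                pos = end              # a new file cannot begin inside this one
            else:
                found.append(Carved(kind, start, image[start:limit], False))
                pos = start + 1        # keep scanning: this may be a false header
    found.sort(key=lambda c: c.offset)
    return found


def output_name(c: Carved) -> str:
    """Output file name by byte offset (foremost uses sector offsets)."""
    return f"{c.offset:08d}.{c.kind}"


def write_carved(found, outdir):
    """Write each recovery to outdir, returning the paths written."""
    import os
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for c in found:
        path = os.path.join(outdir, output_name(c))
        with open(path, "wb") as f:
            f.write(c.data)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed image (an assumption, not real evidence): zero filler
    standing in for unallocated space, three complete files and one JPEG
    cut off by the end of the image so it has no footer. Returns the image
    and the (kind, offset, bytes) list a correct carver must recover."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 200
           + b"IEND\xae\x42\x60\x82")
    gif = b"GIF89a" + b"\x33" * 100 + b"\x00\x3b"
    cut = b"\xff\xd8\xff\xe1" + b"\x44" * 50          # truncated, no footer
    parts = [(b"\x00" * 1000, None), (jpg, "jpg"), (b"\x00" * 777, None),
             (png, "png"), (b"\x00" * 13, None), (gif, "gif"),
             (b"\x00" * 2048, None), (cut, "jpg")]
    image, expected = b"", []
    for blob, kind in parts:
        if kind:
            expected.append((kind, len(image), blob))
        image += blob
    return image, expected


if __name__ == "__main__":
    img, _ = build_sample_image()
    for c in carve(img):
        print(output_name(c), len(c.data), "complete" if c.complete else "TRUNCATED")
```

Two choices worth noting: after a complete file the scan resumes past its footer, so a header appearing inside a recovered file is not carved again, while after a truncated one it resumes one byte on, since a header with no footer may just be three bytes of coincidence in random data; and the per-type limit is what bounds a runaway carve when a footer is genuinely missing, which is why foremost's configuration carries a size for every type.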
Modified: 14th May, 2008 
School of Computing & Mathematics  
© University of Western Sydney, 2008