| FTK Imager Version 3.2.0.0 |
To create forensic images for the.VMDK files. |
| dd version 1.3.4–1 |
To produce a bit-for-bit image of the.VMEM files. |
| Autopsy 3.1.1 |
To parse the file system, produce directory listings, as well as extracting or analysing stored files, browsing history, ‘NTUSER.dat’ registry files (using the RegRipper plugin), ‘pagefile.sys’ Windows swap file, and unallocated spaces located within the forensics images of VMDK files. |
| HxD Version 1.7.7.0 |
To conduct keyword searches in the unstructured datasets. |
| Volatility 2.4 |
To analyse the running processes (using the ‘pslist’ function), network statistics (using the ‘netscan’ function), and detecting the location of a string (using the ‘yarascan’ function) recorded in the physical memory dumps. |
| Photorec 7.0 |
To data carve the unstructured datasets. |
| Skype Chatsync Reader |
To analyse the content of Skype’s ‘Chatsync’ file. |
| SQLite Browser Version 3.4.0 |
To view the contents of SQLite database. |
| Wireshark version 1.10.1 |
To analyse the network traffic. |
| Network Miner version 1.6.1 |
To analyse and data carve the network files. |
| Whois command |
To determine the registration information of the IP addresses. |
| Nirsoft Web Browser Passview 1.19.1 |
To recover the credential details stored within web browsers. |
| Nirsoft cache viewer, ChromeCacheView 1.56, MozillaCacheView 1.62, IECacheView 1.53 |
To analyse the web browsing cache. |
| BrowsingHistoryView v.1.60 |
To analyse the web browsing history. |
| Thumbcacheviewer Version 1.0.2.7 |
To examine the Windows thumbnail cache. |
| Windows Event Viewer Version 1.0 |
To view the Windows event logs. |
| Windows File Analyser 2.6.0.0 |
To analyse the Windows prefetch and link files. |
| NTFS Log Tracker V1.2 |
To parse and analyse the $LogFile, $MFT, and $UsnJrnl New Technology File System (NTFS) files. |
