In the first article in this series we looked at free tools for data mirroring, and in the second installment we looked at tools available for registry forensics. Now we will move on to tools for disk forensics, which is the process of acquiring and analyzing the data stored on physical storage media.
Disk forensics covers the recovery of hidden and deleted data as well as file identification: establishing what a file is, where it came from and, where the evidence supports it, who created it.
Tool: ADS Locator
ADS Locator finds files that have alternate data streams (ADS) attached. Alternate data streams are an NTFS feature for storing additional data alongside a file's main content, and the system uses them for plenty of legitimate purposes (the Zone.Identifier stream that marks a file as downloaded from the Internet, for example), so the tool reports only user-created "alternate" streams, the kind spyware, malware and viruses sometimes use to hide a payload. Two caveats when collecting evidence: the streams exist only on NTFS, so copying a file to a FAT or exFAT volume silently drops them, and their contents never show up in Explorer or in a plain directory listing, which is exactly why attackers put data there.
Tool: Disk Investigator
Disk Investigator helps you discover everything that is hidden on a hard disk and can also help you recover lost data. It displays the true drive contents by bypassing the operating system and reading the raw drive sectors directly, so what it shows does not depend on what the file system is willing to list.
With it you can view and search raw directories, files, clusters and system sectors, verify whether a file or disk wiping program actually overwrote the data it claimed to, and undelete previously deleted files.
Tool: Recuva
Recuva is a free file recovery program that can recover lost or deleted files from local and external drives. Its integrated wizard guides you through the whole recovery process. It also supports removable media such as SmartMedia, SD cards, Memory Stick, digital cameras, CompactFlash cards and many more. As with any undelete tool, recovery only works while the file's clusters have not yet been reused or overwritten, so run it against an image or a write-blocked drive rather than the live system you are investigating.
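The following is an added example, not code from the article or from Recuva or Disk Investigator: a minimal undelete routine for a FAT volume, written in Python, that shows the mechanism the two tools above rely on. It parses raw 32-byte directory entries, picks out the ones marked deleted (first name byte 0xE5), reads their data back from the cluster area and reports whether a wiper already overwrote it. The directory and data area are constructed inline so the script runs offline; the FAT offsets used (name at 0, attributes at 11, first-cluster high word at 20, low word at 26, size at 28) are the standard on-disk layout, and the one-sector cluster size is an assumption of the sample.

```python
"""How a Recuva-style undelete works on FAT: a deleted file's directory entry
keeps its name tail, size and first cluster, so the data can be read back as
long as nothing has reused the clusters."""
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5      # first name byte of a deleted 8.3 entry
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F            # long-file-name fragment, not a file of its own
CLUSTER = 512              # one sector per cluster in the constructed sample


def parse_directory(raw: bytes) -> list:
    """Decode 8.3 entries, live and deleted, skipping labels and LFN fragments."""
    entries = []
    for off in range(0, len(raw), ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                   # 0x00 marks the end of the directory
            break
        attr = e[11]
        if attr == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue
        deleted = e[0] == DELETED_MARKER
        # deletion overwrites only the first name byte; the rest survives
        base = (b"?" + e[1:8] if deleted else e[0:8]).decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        # FAT32 splits the first cluster into a high word (offset 20) and a low
        # word (offset 26). Caveat: Windows zeroes the high word when it deletes
        # a file on FAT32, so above 65535 clusters the recovered start can be
        # wrong and a real tool has to guess the high word.
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({"name": f"{base}.{ext}" if ext else base,
                        "deleted": deleted,
                        "is_dir": bool(attr & ATTR_DIRECTORY),
                        "first_cluster": (hi << 16) | lo,
                        "size": size})
    return entries


def recover(entry: dict, data_area: bytes, cluster_size: int = CLUSTER,
            first_data_cluster: int = 2) -> bytes:
    """Read the file back assuming it was stored contiguously.

    Deleting a file frees its FAT chain entries, so the chain is gone; the
    first cluster and size in the directory entry are all that is left, and
    contiguity is the same assumption a first-pass undelete tool makes.
    """
    start = (entry["first_cluster"] - first_data_cluster) * cluster_size
    return data_area[start:start + entry["size"]]


def looks_wiped(data: bytes) -> bool:
    """True if the bytes are all 0x00 or all 0xFF, i.e. a wiper got there first."""
    return len(data) == 0 or data in (bytes(len(data)), b"\xFF" * len(data))


def undelete_report(directory: bytes, data_area: bytes, cluster_size: int = CLUSTER) -> list:
    """For every deleted file, attempt recovery and record whether the data survived."""
    report = []
    for entry in parse_directory(directory):
        if entry["deleted"] and not entry["is_dir"]:
            data = recover(entry, data_area, cluster_size)
            report.append({**entry, "recovered": data, "wiped": looks_wiped(data)})
    return report


# ---- constructed sample volume for this example (not a real image) ----
def make_entry(name: bytes, ext: bytes, attr: int, cluster: int, size: int,
               deleted: bool = False) -> bytes:
    e = bytearray(ENTRY_SIZE)
    e[0:8] = name.ljust(8)
    e[8:11] = ext.ljust(3)
    e[11] = attr
    struct.pack_into("<H", e, 20, cluster >> 16)
    struct.pack_into("<H", e, 26, cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    if deleted:
        e[0] = DELETED_MARKER
    return bytes(e)


SAMPLE_DIRECTORY = b"".join([
    make_entry(b"EVIDENCE", b"", ATTR_VOLUME_ID, 0, 0),        # volume label, skipped
    make_entry(b"\x41R\x00e\x00p", b"", ATTR_LFN, 0, 0),        # LFN fragment, skipped
    make_entry(b"REPORT", b"TXT", 0x20, 2, 20),                # live file in cluster 2
    make_entry(b"SECRET", b"DOC", 0x20, 3, 11, deleted=True),  # deleted, data intact
    make_entry(b"WIPED", b"BIN", 0x20, 4, 32, deleted=True),   # deleted, then zeroed
    bytes(ENTRY_SIZE),                                         # end-of-directory marker
])
SAMPLE_DATA_AREA = b"".join([
    b"quarterly numbers...".ljust(CLUSTER, b"\x00"),  # cluster 2
    b"TOP SECRET!".ljust(CLUSTER, b"\x00"),           # cluster 3
    bytes(CLUSTER),                                   # cluster 4: overwritten by a wiper
])
```

Calling `undelete_report(SAMPLE_DIRECTORY, SAMPLE_DATA_AREA)` returns two entries: `?ECRET.DOC`, whose 11 bytes come back intact, and `?IPED.BIN`, whose cluster reads as zeros and is flagged as wiped. That second case is how you verify a wiping program the way Disk Investigator does: the directory entry still exists, so the file is "recoverable" by name, but the content is gone. Against a real volume you would read the directory clusters and data area from an image file opened in binary mode rather than from the constructed byte strings.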
Tool: Encrypted Disk Detector
Encrypted Disk Detector (EDD) is a command-line tool that checks the local physical drives on a system for TrueCrypt, PGP or BitLocker encrypted volumes. It reads the MBR and the boot sector of each partition directly; if no disk-encryption signature is found in the MBR, EDD displays the OEM ID and, where applicable, the volume label of each partition on the drive, checking the boot sectors for BitLocker volumes along the way.
EDD is useful during incident response for a quick, read-only check for encrypted volumes on a running system. With that answer in hand you can decide whether to investigate further and whether a live acquisition is needed to preserve evidence that would be lost the moment the plug is pulled: once an encrypted volume is dismounted or the machine is powered off, the keys in memory are gone and the data is only as recoverable as the passphrase.
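As an added example, not code from the article or from EDD's authors, here is a minimal EDD-style scan in Python that also shows the raw-sector approach Disk Investigator takes: it reads sector 0 as an MBR, walks the partition table and classifies each partition's boot sector without asking the operating system about any file system. It assumes two signatures, BitLocker's OEM ID `-FVE-FS-` in the volume boot sector and the `TrueCrypt Boot Loader` string the TrueCrypt system-encryption loader places in the MBR; the entropy threshold and the four-partition sample disk are constructed for this example. The file-system OEM IDs and the FAT volume-label offsets are the standard on-disk layout.

```python
"""EDD-style scan of a raw disk: MBR, partition table, per-volume boot sector."""
import math
import struct
from collections import Counter

SECTOR = 512

# Signatures this example looks for (assumptions, see the lead-in):
# BitLocker stamps "-FVE-FS-" into the volume boot sector's OEM ID field;
# TrueCrypt system encryption installs an MBR loader that names itself.
BITLOCKER_OEM_ID = b"-FVE-FS-"
TRUECRYPT_LOADER_MARKER = b"TrueCrypt Boot Loader"
KNOWN_OEM_IDS = {b"NTFS    ": "NTFS", b"EXFAT   ": "exFAT",
                 b"MSDOS5.0": "FAT", b"MSWIN4.1": "FAT"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; real boot code sits well below this


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally common."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_mbr(mbr: bytes) -> dict:
    """Return the non-empty partition entries plus any TrueCrypt loader marker."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: 0x55AA boot signature missing")
    partitions = []
    for i in range(4):
        entry = mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and sector_count:  # type 0x00 means an unused slot
            partitions.append({"type": entry[4], "lba": lba_start, "sectors": sector_count})
    # the loader lives in the 446 bytes of boot code before the partition table
    return {"truecrypt_loader": TRUECRYPT_LOADER_MARKER in mbr[:0x1BE],
            "partitions": partitions}


def inspect_boot_sector(sector: bytes) -> dict:
    """Report OEM ID, file system, FAT volume label and an encryption verdict."""
    oem_id = sector[3:11]
    info = {"oem_id": oem_id.decode("ascii", "replace"),
            "filesystem": KNOWN_OEM_IDS.get(oem_id),
            "volume_label": None,
            "entropy": round(shannon_entropy(sector), 2),
            "encryption": None}
    if oem_id == BITLOCKER_OEM_ID:
        info["encryption"] = "BitLocker"
    elif info["filesystem"] == "FAT":
        # FAT12/16 keep the label at 0x2B; FAT32 (16-bit FAT-size field at 0x16
        # is zero) keeps it at 0x47. NTFS labels live in $Volume, not here.
        off = 0x47 if sector[0x16:0x18] == b"\x00\x00" else 0x2B
        info["volume_label"] = sector[off:off + 11].decode("ascii", "replace").rstrip()
    elif info["filesystem"] is None and info["entropy"] > ENTROPY_THRESHOLD:
        # No recognisable header and near-random bytes: what a TrueCrypt-style
        # volume with no plaintext header looks like from the outside.
        info["encryption"] = "possible full-volume encryption (no header, high entropy)"
    return info


def scan_disk(image: bytes) -> dict:
    """Walk the MBR's partitions and classify each one's first sector."""
    mbr = parse_mbr(image[:SECTOR])
    volumes = []
    for part in mbr["partitions"]:
        start = part["lba"] * SECTOR
        volumes.append({**part, **inspect_boot_sector(image[start:start + SECTOR])})
    return {"truecrypt_loader": mbr["truecrypt_loader"], "volumes": volumes}


# ---- constructed sample disk: four one-sector partitions, not a real image ----
def make_boot_sector(oem_id: bytes, label: bytes = None) -> bytes:
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x52\x90"  # JMP over the BPB, as real boot code starts
    sec[3:11] = oem_id
    if label is not None:       # FAT32 layout: FATSz16 stays zero, label at 0x47
        sec[0x47:0x52] = label.ljust(11)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def make_mbr(partitions, with_truecrypt_loader: bool = False) -> bytes:
    mbr = bytearray(SECTOR)
    if with_truecrypt_loader:
        mbr[0x10:0x10 + len(TRUECRYPT_LOADER_MARKER)] = TRUECRYPT_LOADER_MARKER
    for i, (ptype, lba, count) in enumerate(partitions):
        mbr[0x1BE + 16 * i + 4] = ptype
        struct.pack_into("<II", mbr, 0x1BE + 16 * i + 8, lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


SAMPLE_DISK = b"".join([
    make_mbr([(0x07, 1, 1), (0x0C, 2, 1), (0x07, 3, 1), (0x07, 4, 1)]),
    make_boot_sector(b"NTFS    "),                     # LBA 1: plain NTFS
    make_boot_sector(b"MSDOS5.0", label=b"EVIDENCE"),  # LBA 2: FAT32 with a label
    make_boot_sector(BITLOCKER_OEM_ID),                # LBA 3: BitLocker volume
    bytes(range(256)) * 2,                             # LBA 4: headerless, entropy 8.0
])
```

`scan_disk(SAMPLE_DISK)` reports the NTFS partition as plaintext, the FAT32 partition with its label EVIDENCE, the third as BitLocker and the fourth as a possible headerless encrypted volume. On a live Windows host the same functions work on `open(r"\\.\PhysicalDrive0", "rb").read(...)` with administrative rights, which is the read-only, non-intrusive check EDD performs. Two caveats: a GPT disk carries only a protective MBR with a single 0xEE entry, so this walk needs a GPT parser there, and a high-entropy verdict is a hint to investigate, not proof, since a freshly randomised but unencrypted disk looks the same.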
Tool: Passware Encryption Analyzer
Passware Encryption Analyzer scans a computer for password-protected and encrypted files and reports, for each file, how complex the encryption is and which decryption options exist. With Encryption Analyzer you see every password-recovery and decryption option available for the files and hard disk images in the cases you are investigating, which lets you decide early whether an encrypted item is worth the time a recovery attempt will take.
In the next article in this series we will look at free tools for network forensics – stay tuned!
About the Author: Mohit Rawat writes for Infosec Institute. He is an engineering graduate and works as a Security Analyst specializing in social engineering, penetration testing, application vulnerability assessments, digital forensics investigations and IT security architecture. He works for both public and private sector clients, performs penetration testing and digital forensics investigations, and delivers security training to IT professionals.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock