Truehunter
Truehunter is a tool designed to detect encrypted containers with a focus on Truecrypt and Veracrypt, utilizing a fast and memory efficient approach.
Tool for dumping process memory from Android devices; root access is required. Usage: ./mem pid out_path, where pid is the PID of the target process and out_path is the directory to write the output to. If out_path is omitted, the dump is written to stdout. To preserve forensic soundness, copy mem into memory (/dev or another tmpfs location) and use netcat to stream the data out over ADB rather than writing it to the device. Netcat builds compiled for Android are available at https://github.com/MobileForensicsResearch/netcat. Example:
1. On the local machine run: adb forward tcp:9999 tcp:9999
2. From an adb shell run: ./mem pid | nc -l -p 9999
3. On the local machine run: nc 127.0.0.1 9999 > output_file
MFT and USN parser for direct extraction in filesystem timeline format with YARA rule support.
MalConfScan is a Volatility plugin for extracting configuration data of known malware and analyzing memory images.
A library to access and parse OLE 2 Compound File (OLECF) format files.
Toolkit for performing acquisitions on iOS devices with logical and filesystem acquisition support.
A tool for fixing acquired .evt Windows Event Log files in digital forensics.