Tools

We have written some open source tools, methodologies, and white papers for the computer forensic community. Click on the buttons below to download the information you are interested in. Questions about the tools on this site can be directed to us by e-mail.

JDAFTS - A Computer Forensic Tool Suite

JDAFTS is a free software tool designed for computer forensic investigators and incident responders which aids in the analysis of electronic evidence. JDAFTS, which stands for Jones Dykstra & Associates Forensic Tool Suite, includes case data management applications that extend beyond the capabilities of currently available forensic software applications.

JDAFTS is designed for computer forensics, corporate, government, and law enforcement investigators as well as universities. Easy to use, the tool suite allows forensics professionals to import, analyze, compare, and export electronic activity logs from sources including web browser activities, Windows Recycle Bins, and software packages like EnCase® and Forensic Toolkit® (FTK).

Some of the unique features in JDAFTS:

Comprehensive Data Timeline:

JDAFTS pulls data from several different sources and creates a combined timeline view of the correlated data. The data is displayed in a single interface with columns and abbreviations indicating each log item’s origin. Columns can be sorted, dragged and dropped, depending on users’ review preferences.


Quick Reports:

Using JDAFTS “Quick Reports”, many reports can be quickly created and easily imported into investigative reports. Browsing histories from Internet Explorer, Mozilla and Netscape can be extracted based on the domains visited and time accessed. The data can then be exported as a Word Document, Crystal Report, PDF, Excel spreadsheet or rich text format including charts and graphs. JDAFTS users can select specific domains and see when and for how long they were accessed.
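The combined timeline described above (several delimited extracts merged into one chronological view, with an abbreviation marking each item's origin) can be reproduced outside JDAFTS with a short script. The following is an added example, not JDAFTS code and not code from Jones Dykstra & Associates; the column names, the mm/dd/yyyy timestamp form and the two extracts are constructed here for illustration, so check the header line of your own Pasco or Rifiuti output before reusing it. Rows whose timestamp is missing or unparseable are skipped rather than aborting the whole merge.

```python
import csv
import io
from datetime import datetime

# Assumed column layout per origin (constructed for this example):
# abbreviation -> (timestamp column, one-line description of the row)
SOURCES = {
    "IE": ("ACCESS TIME", lambda r: f'{r["URL"]} ({r["TYPE"]})'),
    "RB": ("DELETED TIME", lambda r: f'{r["PATH"]} deleted, {r["SIZE"]} bytes'),
}

# Constructed tab-delimited extracts, not real tool output. The third browser
# row has no timestamps at all, to show how a damaged record is handled.
PASCO_EXTRACT = (
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\n"
    "URL\thttp://www.example.com/login\t04/10/2003 11:58:02\t04/10/2003 11:58:02\tlogin[1].htm\n"
    "URL\thttp://mail.example.net/inbox\t04/10/2003 12:03:40\t04/10/2003 12:03:40\tinbox[1].htm\n"
    "URL\thttp://www.example.org/\t\t\tindex[1].htm\n"
)
RIFIUTI_EXTRACT = (
    "INDEX\tDELETED TIME\tDRIVE NUMBER\tPATH\tSIZE\n"
    "1\t04/10/2003 12:00:00\t2\tC:\\Documents and Settings\\kjones\\Desktop\\notes.txt\t4096\n"
)


def parse_timestamp(text):
    """Assumed timestamp form for both extracts; raises ValueError if it does not match."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


def load_extract(text, origin):
    """Turn one delimited extract into (time, origin, description) events."""
    ts_col, describe = SOURCES[origin]
    events = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        try:
            when = parse_timestamp(row[ts_col])
        except (KeyError, ValueError, TypeError):
            continue  # keep going: one bad record must not hide the rest of the log
        events.append((when, origin, describe(row)))
    return events


def build_timeline(extracts):
    """Merge several (text, origin) extracts into one chronologically sorted list."""
    events = []
    for text, origin in extracts:
        events.extend(load_extract(text, origin))
    # sort by time, then origin, so equal timestamps come out in a stable order
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def render(events, delimiter="\t"):
    """Render the timeline as delimited lines ready for a spreadsheet."""
    return [f"{when:%Y-%m-%d %H:%M:%S}{delimiter}{origin}{delimiter}{desc}"
            for when, origin, desc in events]


if __name__ == "__main__":
    for line in render(build_timeline([(PASCO_EXTRACT, "IE"), (RIFIUTI_EXTRACT, "RB")])):
        print(line)
```

The origin abbreviation travels with every event, so after sorting the analyst can still filter the merged view back down to one source, which is the same idea as the origin column in the JDAFTS timeline.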

Click here for the download and installation instructions for JDAFTS.

Pasco - A Web Browsing History Tool

Many computer crime investigations require the reconstruction of a subject's internet activity. Since this analysis technique is executed regularly, we researched the structure of the data found in Internet Explorer activity files (index.dat files). Pasco, the Latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. The foundation of Pasco's examination methodology is presented in the white paper located here. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.


Usage: pasco [options] <filename>
-d Undelete Activity Records
-t Field Delimiter (TAB by default)


Example Usage:

[kjones:pasco/bin]% ./pasco index.dat > index.txt

Open index.txt as a TAB delimited file in MS Excel to further sort and filter your results.


Download:

Pasco can be downloaded from the following link at Sourceforge:

http://sourceforge.net/project/showfiles.php?group_id=146246&package_id=161375


Rifiuti - A Recycle Bin History Tool

Many computer crime investigations require the reconstruction of a subject's Recycle Bin. Since this analysis technique is executed regularly, we researched the structure of the data found in the Recycle Bin repository files (INFO2 files). Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. The foundation of Rifiuti's examination methodology is presented in the white paper located here. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.


Usage: rifiuti [options] <filename>
-t Field Delimiter (TAB by default)

Example Usage:

[kjones:rifiuti/rifiuti_20030410_1/bin] kjones% ./rifiuti INFO2 > INFO2.txt

Open INFO2.txt as a TAB delimited file in MS Excel to further sort and filter your results.

Download:

Rifiuti can be downloaded from the following link at Sourceforge:

http://sourceforge.net/project/showfiles.php?group_id=146246&package_id=161377
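To show what a tool like Rifiuti actually does to an INFO2 file, here is an added example parser in Python. It is not Rifiuti's source and not code from Jones Dykstra & Associates; the record layout it assumes (20-byte header with the record size at offset 12, then fixed-size records holding an ANSI path, index, drive number, FILETIME deletion time, size and, on Windows 2000/XP, a UTF-16LE path) comes from the commonly documented INFO2 format rather than from this page, and the INFO2 bytes it parses are constructed inline, not evidence from a real system. It also handles the case an analyst cares about: an entry whose first ANSI byte has been zeroed because the file was restored from the Recycle Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 2000/XP INFO2 layout (documented format, not taken from this page):
# 20-byte header, little-endian DWORD record size at offset 12, then records:
#   0x000  ANSI path, NUL padded          (260 bytes)
#   0x104  record index                   (DWORD)
#   0x108  drive number, 0 = A:, 2 = C:   (DWORD)
#   0x10C  deletion time                  (FILETIME, 8 bytes)
#   0x114  physical size on disk          (DWORD)
#   0x118  UTF-16LE path, XP only         (520 bytes)
INFO2_HEADER_SIZE = 20
RECORD_SIZE_XP = 800      # 280 on Windows 95/98/ME, which have no Unicode path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def datetime_to_filetime(dt):
    """Inverse of filetime_to_iso; only used to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Parse an INFO2 blob and return one dict per record, restored entries included."""
    if len(data) < INFO2_HEADER_SIZE:
        raise ValueError("too short to hold an INFO2 header")
    record_size = struct.unpack_from("<I", data, 12)[0]
    if record_size not in (280, RECORD_SIZE_XP):
        raise ValueError(f"unexpected INFO2 record size {record_size}")
    records, offset = [], INFO2_HEADER_SIZE
    while offset + record_size <= len(data):
        rec = data[offset:offset + record_size]
        ansi_raw = rec[:260]
        # Restoring an entry zeroes the first byte of the ANSI path; the rest
        # survives, so recover it and flag the record instead of dropping it.
        restored = ansi_raw[0] == 0
        tail = ansi_raw[1:] if restored else ansi_raw
        ansi_path = tail.split(b"\x00", 1)[0].decode("latin-1")
        if restored:
            ansi_path = "?" + ansi_path      # drive letter is unrecoverable from ANSI
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        entry = {
            "index": index,
            "deleted": filetime_to_iso(ft),
            "drive": chr(ord("A") + drive),
            "path": ansi_path,
            "size": size,
            "restored": restored,
        }
        if record_size == RECORD_SIZE_XP:
            uni = rec[280:800].decode("utf-16-le", errors="replace")
            entry["unicode_path"] = uni.split("\x00", 1)[0]
        records.append(entry)
        offset += record_size
    return records


def to_tsv(records, delimiter="\t"):
    """Render records as a delimited table, the way the tool output is consumed."""
    header = delimiter.join(["INDEX", "DELETED TIME", "DRIVE", "PATH", "SIZE", "RESTORED"])
    rows = [delimiter.join([str(r["index"]), r["deleted"], r["drive"],
                            r.get("unicode_path") or r["path"],
                            str(r["size"]), "yes" if r["restored"] else "no"])
            for r in records]
    return "\n".join([header] + rows)


def _build_record(path, index, drive, when, size, restored=False):
    """Construct one XP-style 800-byte record for the sample below."""
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    if restored:
        ansi = b"\x00" + ansi[1:]
    meta = struct.pack("<IIQI", index, drive, datetime_to_filetime(when), size)
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + meta + uni


# Constructed sample INFO2 (not a real evidence file): two deletions from C:,
# the second of which was later restored from the Recycle Bin.
SAMPLE_INFO2 = (
    struct.pack("<5I", 5, 0, 0, RECORD_SIZE_XP, 0)
    + _build_record(r"C:\Documents and Settings\kjones\Desktop\notes.txt", 1, 2,
                    datetime(2003, 4, 10, 12, 0, tzinfo=timezone.utc), 4096)
    + _build_record(r"C:\Documents and Settings\kjones\My Documents\budget.xls", 2, 2,
                    datetime(2003, 4, 10, 12, 5, 30, tzinfo=timezone.utc), 65536,
                    restored=True)
)

if __name__ == "__main__":
    print(to_tsv(parse_info2(SAMPLE_INFO2)))
```

Deletion times come out in UTC; convert them to the subject machine's local zone before lining them up against browser history or file system times, and treat the restored flag as a lead, since the file it names may be back on disk.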


Galleta - A Web Browsing Cookie Tool

Many computer crime investigations require the reconstruction of a subject's Internet Explorer Cookie files. Since this analysis technique is executed regularly, we researched the structure of the data found in the cookie files. Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. The foundation of Galleta's examination methodology is documented in a white paper located here. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.


Usage: galleta [options] <filename>
-t Field Delimiter (TAB by default)


Example Usage:

[kjones:galleta/galleta_20030410_1/bin] kjones% ./galleta antihackertoolkit.txt > cookies.txt

Open cookies.txt as a TAB delimited file in MS Excel to further sort and filter your results.

Download:

Galleta can be downloaded from the following link at Sourceforge:

http://sourceforge.net/project/showfiles.php?group_id=146246&package_id=161376

Eindeutig - An Outlook Express DBX Tool

Many computer crime investigations require the reconstruction of a subject's email repository. Since this analysis technique is executed regularly, we researched the structure of the data found in Outlook Express DBX files. Eindeutig, the German word meaning "express", was developed to examine the contents of Outlook Express's DBX email repository files. The foundation of Eindeutig's examination methodology is presented in our book "Real Digital Forensics". Eindeutig will parse the information in a DBX file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Eindeutig is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.


Usage: eindeutig [-e | -f] [options] <filename>
-t Field Delimiter (TAB by default)
-f FORCE the input file as FOLDER type
-e FORCE the input file as EMAIL type
-s Only an email summary spreadsheet will be listed.
-o The output directory for exported email.

Download:

Eindeutig can be downloaded from the following link at Sourceforge:

http://sourceforge.net/project/showfiles.php?group_id=146246&package_id=161379