  • The Forensic Toolkit - free security utility

    Posted on April 23rd, 2009 FreewareBay Editor No comments


    Forensic Toolkit v2.0 - Free tools to examine NTFS for unauthorized activity
    Platform: Compatible with Windows Vista, Windows XP, Windows 2000
    License: Free Download
    The Forensic ToolKit contains several Win32 command-line tools that help you examine the files on an NTFS disk partition for unauthorized activity. It is a file properties analyzer: it lists files by their last access time, searches for access times within a given time frame, and scans the disk for hidden files and data streams. The toolkit also dumps file and security attributes, reports on audited files, discovers altered ACLs, and checks whether a server reveals too much information via NULL sessions.

    Key Features
    AFind is the only tool that lists files by their last access time without tampering with that data the way right-clicking a file and opening its properties in Explorer will. AFind lets you search for access times within a given time frame; by correlating this with logon information from ntlast, you can begin to determine user activity even if file logging has not been enabled.
    HFind scans the disk for hidden files. It will find files that have either the hidden attribute set, or NT’s unique and painful way of hiding things by using the directory/system attribute combination. This is the method that IE uses to hide data. HFind lists the last access times.
    SFind scans the disk for hidden data streams and lists the last access times.
    FileStat is a quick dump of all file and security attributes. It works on only one file at a time but this is usually sufficient.
    Hunt is a quick way to see if a server reveals too much info via NULL sessions.

    Command Line Switches

    afind [dir] /f [filename] /ns=no subs /a after /b before /m between
    time format =

    hfind [dir] /hd=find dir/system attribs /ns=no subs

    sfind [dir] /ns=no subs

    filestat [filename]

    hunt [\servername]
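
    The checks behind the AFind, HFind and SFind switches above (access-time window, hidden and directory/system attributes, named data streams) can be reproduced with built-in PowerShell cmdlets. This is an added example, not Foundstone's code; the function names and sample files are constructed here, and it assumes Windows PowerShell 3.0 or later on an NTFS volume.

    ```powershell
    # Added example; function names are hypothetical, sample data is constructed.
    # If last-access updates are disabled on the volume
    # (fsutil behavior query disablelastaccess), these timestamps will be stale.

    function Find-ByAccessTime {   # like afind /m: last access between two instants
        param([string]$Path, [datetime]$After, [datetime]$Before)
        Get-ChildItem -LiteralPath $Path -Recurse -Force -File |
            Where-Object { $_.LastAccessTime -ge $After -and $_.LastAccessTime -le $Before } |
            Sort-Object LastAccessTime |
            Select-Object LastAccessTime, FullName
    }

    function Find-Hidden {         # like hfind; -DirSystem mirrors the /hd switch
        param([string]$Path, [switch]$DirSystem)
        $hidden = [IO.FileAttributes]::Hidden
        $dirSys = [IO.FileAttributes]::Directory -bor [IO.FileAttributes]::System
        Get-ChildItem -LiteralPath $Path -Recurse -Force | Where-Object {
            if ($DirSystem) { ($_.Attributes -band $dirSys) -eq $dirSys }
            else            { ($_.Attributes -band $hidden) -eq $hidden }
        } | Select-Object LastAccessTime, Attributes, FullName
    }

    function Find-Streams {        # like sfind: named (alternate) data streams
        param([string]$Path)
        Get-ChildItem -LiteralPath $Path -Recurse -Force -File | ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -Force |
                Where-Object { $_.Stream -ne ':$DATA' } |   # skip the default stream
                Select-Object @{n='LastAccessTime'; e={$file.LastAccessTime}},
                              FileName, Stream, Length
        }
    }

    # Constructed sample data in a fresh temporary directory
    $d = Join-Path $env:TEMP ("ftk-demo-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $d | Out-Null
    Set-Content -LiteralPath "$d\note.txt" -Value 'visible'
    Set-Content -LiteralPath "$d\note.txt" -Stream 'extra' -Value 'stream data'
    Set-Content -LiteralPath "$d\secret.txt" -Value 'hidden'
    (Get-Item "$d\secret.txt").Attributes = 'Hidden'
    (Get-Item "$d\note.txt").LastAccessTime = [datetime]'2009-04-20 10:00'

    Find-ByAccessTime $d -After '2009-04-19' -Before '2009-04-21'
    Find-Hidden $d
    Find-Streams $d
    ```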


    System Requirements

    Windows NT 4.0 SP3
    16MB Memory
    Administrator privileges
    Audit log enabled with searchable records
    Set NT command line buffer to 500 or more lines. 1200 or more lines works well

