Dependence on technology and the increasing sophistication of attackers have heightened the need for cyber forensics expertise. By providing operational support to high-profile intrusion, identity theft, and general computer crime investigations, we see the current limitations of computer forensics and incident response in the field first-hand. Combining this applied research with the unique talents, operational experience, research capabilities, and the vast knowledge base of Carnegie Mellon University, DIID is unmatched in its ability to develop new tools and methods to address cybersecurity limitations and critical gap areas.
We have developed the following resources and tools to facilitate forensic examinations.
ADIA is a VMware-based appliance used for digital investigation and acquisition.
AfterLife permits the collection of physical memory contents from a system after a warm or cold reboot.
CCFinder is a suite of utilities designed to facilitate the discovery, organization, and querying of financial data and related personally identifiable information in large-scale investigations.
DINO is a lightweight front end for network visualization and utilizes the open source network monitoring tools SiLK and SNORT to create an easy-to-use dashboard for situational awareness.
LATK is a collection of command line and web-based tools for use in incident response and long-term analysis of web server and proxy server log data.
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.
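CCFinder's core task, locating payment card numbers in bulk data, comes down to a well-known filter chain: find digit runs of plausible length, strip separators, reject filler, apply the Luhn check digit, and then gate on issuer prefix and length so that phone numbers, timestamps and record IDs drop out. The script below is an added illustration of that chain written for this page; it is not CCFinder's code, the issuer ranges are a deliberately coarse subset, and the sample records are constructed.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes, that are
# not embedded in a longer digit run (longer runs are usually IDs or timestamps).
_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str):
    """Coarse issuer gate (assumption: only the major brands matter here).
    Returns a brand name or None when prefix and length do not fit any range."""
    n = len(digits)
    p2, p4 = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "Mastercard"
    if p2 in (34, 37) and n == 15:
        return "American Express"
    if (p4 == 6011 or p2 == 65) and n in (16, 19):
        return "Discover"
    return None


def mask(digits: str) -> str:
    """Keep the first six and last four digits for the report, never the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(data: bytes):
    """Return (offset, masked_pan, brand) for every candidate that survives all filters."""
    hits = []
    for m in _CANDIDATE.finditer(data):
        digits = m.group().replace(b" ", b"").replace(b"-", b"").decode("ascii")
        if len(set(digits)) == 1:          # 0000000000000000 passes Luhn but is filler
            continue
        if not luhn_ok(digits):
            continue
        brand = issuer(digits)
        if brand is None:
            continue
        hits.append((m.start(), mask(digits), brand))
    return hits


# Constructed sample: two real-looking test numbers, one Luhn failure, filler,
# a 13-digit reference number and a 20-digit transaction ID that must all be ignored.
SAMPLE = (
    b"order=1827 cust=A.Smith card=4111 1111 1111 1111 exp=09/27\n"
    b"order=1828 cust=B.Jones card=378282246310005 exp=01/26\n"
    b"order=1829 cust=C.Lee card=4111111111111112 exp=03/25\n"
    b"padding=0000000000000000 ref=1234567890123\n"
    b"txn=12345678901234567890\n"
)

if __name__ == "__main__":
    for offset, pan, brand in find_pans(SAMPLE):
        print(f"{offset:8d}  {brand:16s}  {pan}")
```

Run against a raw disk image or a carved file set, the offsets are what you carry into the case notes; the masked form keeps the report itself from becoming a second copy of the cardholder data. The issuer gate is the main lever on false positives, so widen or narrow it per investigation.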
The following forensics tools are available to authorized members of the law enforcement community.
Live View LE allows forensic investigators to take a physical device or an “image” file of a disk or partition and automatically transform it into a virtual machine.
CryptHunter alerts law enforcement if active encryption is running on a system so that investigators can act to preserve evidence that would be lost if the system were shut down.
C-CAP is a state-of-the-art forensics analysis environment that provides a broad set of tools for host-based and network investigations.
MCARTA is a complete incident analysis framework for run-time analysis, with automated log and packet data correlation.
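Live View and Live View LE boot a raw dd image as a VMware machine without converting it. The mechanism is a plain-text VMDK descriptor whose single FLAT extent points at the unmodified image, paired with a .vmx that opens the disk in independent-nonpersistent mode so guest writes go to a redo log instead of the evidence file. The script below is an added example written for this page, not Live View's code; it assumes a whole-disk image (a partition-only image first needs an MBR built in front of it), uses hypothetical file names, and emits only the minimal .vmx keys needed to attach the disk.

```python
import hashlib
import os

SECTOR = 512
MAX_CYLINDERS = 16383          # legacy ATA CHS limit; VMware uses LBA beyond it


def is_sector_aligned(size_bytes: int) -> bool:
    """A whole-disk dd image is always a multiple of 512 bytes; anything else is
    probably truncated or a logical (partition/file-system) image."""
    return size_bytes > 0 and size_bytes % SECTOR == 0


def chs_geometry(total_sectors: int, heads: int = 16, sectors_per_track: int = 63):
    """Legacy IDE geometry recorded in the descriptor: 16 heads x 63 sectors/track."""
    cylinders = min(total_sectors // (heads * sectors_per_track), MAX_CYLINDERS)
    return cylinders, heads, sectors_per_track


def raw_image_descriptor(image_path: str, size_bytes: int, adapter: str = "ide") -> str:
    """Build a monolithicFlat VMDK descriptor whose one extent is the raw image itself."""
    if not is_sector_aligned(size_bytes):
        raise ValueError("image size is not a multiple of 512 bytes; not a whole-disk image?")
    total = size_bytes // SECTOR
    cyl, heads, spt = chs_geometry(total)
    name = os.path.basename(image_path)   # descriptor and image live in the same directory
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {total} FLAT "{name}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        f'ddb.adapterType = "{adapter}"',
        f'ddb.geometry.cylinders = "{cyl}"',
        f'ddb.geometry.heads = "{heads}"',
        f'ddb.geometry.sectors = "{spt}"',
        'ddb.virtualHWVersion = "4"',
    ]
    return "\n".join(lines) + "\n"


def vmx_config(display_name: str, vmdk_name: str, memory_mb: int = 512) -> str:
    """Minimal .vmx: the evidence disk is attached independent-nonpersistent so that
    every guest write lands in a redo log and the raw image is never modified."""
    lines = [
        '.encoding = "UTF-8"',
        'config.version = "8"',
        'virtualHW.version = "4"',
        f'displayName = "{display_name}"',
        'guestOS = "other"',
        f'memsize = "{memory_mb}"',
        'ide0:0.present = "TRUE"',
        f'ide0:0.fileName = "{vmdk_name}"',
        'ide0:0.mode = "independent-nonpersistent"',
    ]
    return "\n".join(lines) + "\n"


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash the image before the first boot and after shutdown; the two must match."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    image = "/evidence/case42/disk.dd"          # hypothetical path
    size = os.path.getsize(image)
    with open("/evidence/case42/disk.vmdk", "w") as f:
        f.write(raw_image_descriptor(image, size))
    with open("/evidence/case42/disk.vmx", "w") as f:
        f.write(vmx_config("case42-evidence", "disk.vmdk"))
    print("pre-boot sha256:", sha256_file(image))
```

Two checks belong in the procedure regardless of tooling: mark the image read-only at the file-system level as a second guard behind the nonpersistent mode, and compare the image hash after the virtual machine is powered off with the one taken before it was first booted.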
Please visit the CERT website to download any of these tools and get further information about updates.