Matt Churchill over at Binary Intelligence has put together a listing of tools for forensics. Its a really good building block, when i find more resources ill add them =) If you have one you would like to list just post!

I just wanted to say thanks for this list. 

Unfortunately, the best forensics tools out there are not open-source.  I don't know any investigators who aren't using EnCase for most of their work.  It's not cheap.

Encase is awesome, no argument there. You can, with some determination. get all the functionality of it through open source tools. That'd be a good article for someone to write *wink*

I think being most expensive and have a team of lawyers to defend it does not make it the best. Yes, agreed it is one of the better commercial collections of tools which can do some reliable point and click stuff.

Also, as you said  "but in litigation, tools used to always get questioned in terms of repeatability and procedure. " So if you can demonstrate repeatability and procedure with a tool in courts you dont need a team of expensive lawyers to defend it

the final point being it is very easy to use and Hex editor and modify the partition table just enough to make that expensive toold not be able to seee or read any data on the image or hard drive.

VJ

Vijay, most expensive definitely doesn't make it the best.   Agreed there.  

You can modify anything in a hex editor, including wiping out the MBR, creating encrypted partitions within encrypted partitions, shredding files, etc.  This is where EnCase makes it much easier to put together the correct story.  We used to use Norton's Disk Editor for forensic investigations.  With today's volumes of data and deadlines, that's no longer practical, but is still possible.  It is my opinion that the same logic extends to the open source tools out there.

The amount of data types supported alone make EnCase and FTK  tools much more robust than anything else out there.  For example, what other forensics tools can handle PST files, NSF files, Exchange EDB (granted not so well on the later ) files, Registry files, etc., all natively within the same application.  I understand that you can export an NSF file and open it in Lotus Notes, or export the registry file and open it in a Registry viewer.   The problem is that you are involving yet another piece of software.  In the case of Lotus Notes or Outlook, it likes to modify the file immediately.   Outlook won't even open a write-protected PST file.   The list just goes on.   Guidance has spent years reversing various file formats and incorporating them into EnCase.  I am much more comfortable saying that I am reasonably certain EnCase didn't modify the structure of my PST file than I am even mentioning that I analyzed a PST file in Microsoft Outlook.

In the open-source world, you have Autopsy/PTK/Sleuthkit, and a set of tools like skalpel, dcflldd, regviewer, etc.   What you have is a combination of tools that do about 70% of what EnCase does in a single tool.  Every time you export a file from your safe and verified image, you are introducing another element to your report.  When you have to deal with the native software application because you couldn’t find a forensics tool that supports the format, that's another nightmare.

Like I said, I would love to be proven wrong here and come away with a good set of tools that do everything EnCase and FTK do.  I am a big supporter of open-source tools.  I would love to be able to go open-source.   Every time we have researched this the conclusion is always the same, open source tools will do about 70% of what we need.   That's just not enough.  

I guess my point is that the open-source community is lacking in the forensics industry when compared to others, especially pen testing.   One of the problems is that software vendors like Microsoft will actually release some of their source code to companies like Guidance.  That will never release anything to an open source project.   It's quite frustrating actually.

As I have recently read some books on forensics, some more tools and toolkits which were mentioned (though most of them were already mentioned in this thread):

Autopsy Forensic Browser
F.I.R.E.
F.R.E.D.
ForensiX-CD
EnCase
dd, sdd, dcfldd
IRCR (Incident Response Collection Report)
Forensic Acquisition Utilities
WFT (Windows Forensic Toolchest)
STD (Security Tools Distribution, based on Knoppix)
Helix
FTK (AccessData Forensic Toolkit)
Live View
TCTUtils, TCT (The Coroner's Toolkit)
The Sleuth Kit

you can still find copies of Helix2008R1.iso floating on the internet that's free.