Forensic Acquisition Utilities
A collection of utilities and libraries intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment. The components in the collection are intended to permit the investigator to sterilize media for forensic duplication, discover where logical volume information is located and to collect the evidence from a running computer system while at the same time ensuring data integrity (e.g. with a cryptographic checksums) and while minimizing distortive alterations to the subject system. The FAU is distributed under the GMG Systems, Inc. Open License.
- Dd.exe: An implementation inspired by the GNU dd utility program.
- Volume_dump.exe: A utility to dump volume information and drive information and USN journals.
- FMData.exe: A utility to collect files system metadata, to produce and verify security catalogs (cryptographic hash sets) using one or more cryptographic hash algorithms and to verify system binaries using the system file checker (SFC) API.
- Wipe.exe: A utility to sterilize media prior to forensic duplication.
- Nc.exe: Implantation of Netcat utility.
- Zlib.dll: A version of Jean-loup Gailly and Mark Adler’s Zlib (currently version 1.2.3).
- Bzip2.dll: A version of J. Seward’s bzip2 library (currently 1.0.4).
- Boost_regex-vc80-mt-1_34.dll: Boost’s regular expression library.
- Fauerror_xxx.dll: A series of dynamic link libraries (dll’s) that contain the localized language strings for FAU output.
Forensic Acquisition Utilities (FAU) is a product of GMG Systems, Inc first release in 2002 by George M. Garner Jr. Version 184.108.40.2065 was released on 19 May 2016 and is available at https://web.archive.org/web/20160719193011/http://www.gmgsystemsinc.info/fau/7d137db0-ae88-4519-a29e-42f5c5d591de/FAU-220.127.116.115.zip