Tools
Colorize and Filecompare
Colorize creates visual representations of raw file data.
Filecompare looks at two files, in arbitrary block sizes,
and produces output which can be run through colorize
to display them. See
http://jessekornblum.livejournal.com/290358.html for details.
Windows:
http://jessekornblum.com/tools/colorize/colorize-1.0.zip
Source code:
https://github.com/jessek/colorize/archive/1.0.zip
Development:
https://github.com/jessek/colorize/
Samecat
Computes and matches signatures for similar looking pictures.
See
http://jessekornblum.livejournal.com/286446.html for details.
Usage:
C:\> python samecat.py [FILES]
C:\> python samecat.py -m [known] [FILES]
samecat.py version 1.0
encase2txt
Converts Encase hash files to plain text format. Built from
the documentation at the Forensics Wiki entry on the Encase hash file format.
The zip file contains a Windows executable and the source code, both licensed
under version 3 of the GNU General Public License (GPL).
Usage:
C:\> encase2txt [FILES]
encase2txt version 1.0
hexdump
Creates a hex dump from standard input. Designed to be similar to, but
not identical to, the *nix program xxd. There is a cross-platform
Python script and a C program, which are not identical to each other.
C Program Usage:
C:\> hexdump.exe [FILE]
C:\> hexdump.exe < [FILE]
C:\> echo [TEXT] | hexdump.exe
Windows executable
Source code
Python script Usage:
C:\> python hexdump.py < [FILE]
C:\> type [FILE] | python hexdump.py
C:\> echo.|set /p=[TEXT]|python hexdump.py
hexdump.py
findaes
Scans input files for AES128, AES192, and AES256 keys.
Originally intended for memory images, it can be used on anything. Works
by eliminating anything which is not a valid AES key schedule.
findaes
Related blog posts
md5deep and hashdeep
A set of cross-platform tools to compute, compare, match, and audit cryptographic hashes.
Supported algorithms are MD5, SHA-1, SHA-256, Tiger, and Whirlpool.
md5deep
Project Page
Related blog posts
ssdeep
A fuzzy hashing tool to identify similar but not identical files. In this case,
'similar' applies at the byte level. No effort is made to examine higher level
structures. The package includes both a client program for matching and an API
for adding fuzzy hashing to other programs.
ssdeep
Project Page
Paper
Related blog posts
Miss Identify
Identifies Win32 executables. Originally designed to detect executables that don't have
an executable extension (e.g. exe, com, dll), it can also produce a list of all executables
encountered.
Miss Identify
Project Page
Foremost
A linear file carver. Uses headers and footers to recover files from a data stream.
Foremost
Project Page
Volatility Plugins
Here are some plugins I've written for the
Volatility
memory analysis framework. There are many more plugins listed on the
Forensics Wiki list of Volatility plugins.
Volatility is a trademark of Verizon. Jesse Kornblum is not sponsored
or approved by, or affiliated with Verizon.
These plugins, and a few other changes I made to version 2.0 of
the framework for use in my memory forensics course,
SANS FOR526: Windows Memory Forensics In-Depth,
are available as a separate download:
Volatility 2.0 modified for SANS FOR526.
Note that some of these were written for older versions of the framework
and may not work anymore. To use any of these plugins, save them to your
volatility/plugins directory.
- modmemdump and rawmoddump - Used for recovering kernel drivers when the traditional plugins don't work. See http://jessekornblum.livejournal.com/291418.html for complete details on what they are and why I wrote them.
- pstotal: Displays processes which are found by the brute force search for
processes but not the walk of the operating system's list of
active processes. An earlier
version of this plugin was written for release 1.4 of the framework:
pstotal for Volatility 1.4
- psinfo: Displays information about each process, with some rough detection of "suspicious" processes.
- suspicious: Highlights 'suspicious' processes with Volatility version 1.3.
- cryptoscan: Finds TrueCrypt passphrases with Volatility version 1.3.
Related blog posts
Clear Memory
Attempts to push data into the paging file by allocating gobs of memory.
Used to test programs that read the pagefile on Microsoft Windows.
Source Code
Win32 Executable