This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.
Note: This page has gotten too big and is being broken up. See:
- 1 Disk Analysis Tools
- 2 Enterprise Tools (Proactive Forensics)
- 3 Forensics Live CDs
- 4 Metadata Extraction Tools
- 5 File Analysis Tools
- 6 Network Forensics Tools
- 7 Anti-forensics Tools
- 8 Personal Digital Device Tools
- 9 Other Tools
Disk Analysis Tools
Hard Drive Firmware and Diagnostics Tools
- Macintosh Forensic Software, by BlackBag Technologies, Inc.
- ILook Investigator, by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
- P2 Power Pack by Paraben
Open Source Tools
- A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
- Linux and Windows file carving program originally based on foremost.
- FTimes is a system baselining and evidence collection tool.
- Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
- web-based, database-backed forensic and log analysis GUI written in Python.
- Zeitline --- Forensic timeline editor
- A generic framework for binary file manipulation, it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).
NDA and scoped distribution tools
Enterprise Tools (Proactive Forensics)
Forensics Live CDs
- FCCU Gnu/Linux Boot CD
- A Live CD built on top of Knoppix with a lot of tools with forensic purpose.
- It leaves the target devices unaltered (it does not use the swap partitions found on the devices) nor does it automount partitions.
- A Live CD built on top of Knoppix with special tools for incident response and electronic discovey.
- Its a hybrid CD which also contains a Cygwin environment for use on a running Windows system (w/o rebooting) including the sysinternal tools.
- THE FARMER'S BOOT CD
- A Linux Live CD, designed and optimized for previewing data in a forensically sound manner. It contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems.
- DEFT Linux
- A Live CD built on top of Kubuntu with the best tools for Computer Forensic and incident response.
- It is very easy to use with a lot of device driver. The first live CD with AFF and the brend new forensics tool.
Metadata Extraction Tools
- Extracts metadata from various Microsoft Word files (doc). Can also convert doc files to other formats such as HTML or plain text.
- pdfinfo (part of the xpdf package) displays some metadata of PDF files.
- part of Hachoir project
File Analysis Tools
Open Source Tools
- The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes.
- Strings will print the strings of printable characters in files. It allows choosing different charactersets (ASCII, UNICODE). It is a quick way to browse through files/partitions/... in order to look for words, filenames, keywords etc.
- Parses cookie files. http://www.foundstone.com/resources/proddesc/galleta.htm
- Parses 'index.dat files. http://www.foundstone.com/resources/proddesc/pasco.htm
- Examines the INFO2 file in the Recycle Bin http://www.foundstone.com/resources/proddesc/rifiuti.htm
- Extracts the 'encrypted' info in yahoo instant messenger log files. http://www.1vs0.com/tools.html
- determines the file type using file header/footer (hachoir-metadata --type), able to list strings in Unicode (hachoir-grep), etc. Support more than 60 file formats.
NDA and scoped distribution tools
Network Forensics Tools
- NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
Linux/open-source. Based in India.
- A tool to hide files within the slack space of the NTFS file system.
- A tool that allows one to modify all four NTFS timestamp (MACE) values.
Securely deleting data
- CyberScrub cyberCide
- This program securely erases all data from drives or partitions.
- CyberScrub Privacy Suite
- This program securely erases selected data, wipes free space, powerful scheduling capabilities.
- Darik's Boot and Nuke (DBAN)
- This is a bootable disk that securely wipes any hard disk it can detect.
- Offers several patterns for wiping data including Peter Gutmann's and the US DoD 5200.28-STD standard.
- Part of GNU coreutils.
- Lenovo SDD
Personal Digital Device Tools
Cell Phone Forensics
- DataPilot Secure View
- GSM .XRY
- LogiCube CellDEK
- Oxygen PM II
- Paraben Device Seizure
- Paraben Device Seizure Toolbox
- Serial Port Monitoring
SIM Card Forensics
- VMware Player
- A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.
- VMware Server
- The free server product, for setting up/configuring/running VMware virtual machine.Important difference being that it can run 'headless', i.e. everything in background.
- Computer Forensics Toolkit
- This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
- Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
- Live View
- Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
- Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
Telephone Scanners/War Dialers
- PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.