Revision as of 20:43, 1 November 2010

This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

• Category:Disk Imaging
• Tools:Data Recovery (including file carving)
• Tools:File Analysis
• Tools:Document Metadata Extraction
• Tools:Memory Imaging
• Tools:Network Forensics
• Tools:Logfile Analysis
• Category:Anti-forensics tools
• Category:Secure deletion

Disk Analysis Tools

Hard Drive Firmware and Diagnostics Tools

PC-3000 from DeepSpar Data Recovery Systems

http://www.deepspar.com/products-pc-3000-drive.html

http://www.pc-3000.com/

Linux-based Tools

LINReS by NII Consulting Pvt. Ltd.

http://www.niiconsulting.com/innovation/linres.html

SMART by ASR Data

http://www.asrdata.com

Macintosh-based Tools

Macintosh Forensic Software by BlackBag Technologies, Inc.

http://www.blackbagtech.com/software_mfs.html

MacForensicsLab by Subrosasoft

MacForensicLab-Subrosasoft

Mac Marshal by ATC-NY

http://www.macmarshal.com/

Windows-based Tools

Blackthorn GPS Forensics

http://www.blackthorngps.com

BringBack by Tech Assist, Inc.

http://www.toolsthatwork.com/bringback.htm

EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc

http://www.hotpepperinc.com/emd

EnCase by Guidance Software

http://www.guidancesoftware.com/

fbi by Nuix Pty Ltd

http://www.nuix.com

Forensic Toolkit (FTK) by AccessData

http://www.accessdata.com/products/ftk/

HBGary Responder Professional - Windows Physical Memory Forensic Platform

http://www.hbgary.com

ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)

http://www.ilook-forensics.org/

Mercury Indexer by MicroForensics, Inc.

http://www.MicroForensics.com/

OnLineDFS by Cyber Security Technologies

http://www.cyberstc.com/

P2 Power Pack by Paraben

https://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=187

Prodiscover by Techpathways

http://www.techpathways.com/ProDiscoverWindows.htm

Safeback by NTI and Armor Forensics

http://www.forensics-intl.com/safeback.html

X-Ways Forensics by X-Ways AG

http://www.x-ways.net/forensics/index-m.html

DateDecoder by Live-Forensics

http://www.live-forensics.com/dl/DateDecoder.zip

A command line tool that decodes most encoded time/date stamps found on a windows system, and outputs the time/date in a human readable format.

RecycleReader by Live-Forensics

http://www.live-forensics.com/dl/RecycleReader.zip

A command line tool that outputs the contents of the recycle bin on XP, Vista and Seven.

Open Source Tools

AFFLIB

A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.

Autopsy

http://www.sleuthkit.org/autopsy/desc.php

Digital Forensics Framework (DFF)

DFF is cross-platform and open-source, user and developers oriented. It provide many features and is very modular. Our goal is to provide a powerful framework to the forensic community, so people can use only one tool during the analysis. http://www.digital-forensic.org

foremost

http://foremost.sf.net/

Linux based file carving program

FTimes

http://ftimes.sourceforge.net/FTimes/index.shtml

FTimes is a system baselining and evidence collection tool.

gfzip

http://www.nongnu.org/gfzip/

gpart

http://www.stud.uni-hannover.de/user/76201/gpart/

Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.

Hachoir

A generic framework for binary file manipulation, it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).

magicrescue

http://jbj.rapanden.dk/magicrescue/

The Open Computer Forensics Architecture

http://ocfa.sourceforge.net/

pyflag

http://www.pyflag.net/PyFlagWiki/

Web-based, database-backed forensic and log analysis GUI written in Python.

Scalpel

http://www.digitalforensicssolutions.com/Scalpel/

Linux and Windows file carving program originally based on foremost.

scrounge-ntfs

http://memberwebs.com/nielsen/software/scrounge/

Sleuthkit

http://www.sleuthkit.org/

The Coroner's Toolkit (TCT)

http://www.porcupine.org/forensics/tct.html

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

LiveWire Investigator 2008 by WetStone Technologies

http://www.wetstonetech.com/f/livewire2008.html

P2 Enterprise Edition by Paraben

http://www.paraben-forensics.com/enterprise_forensics.html

Forensics Live CDs

BackTrack

A Live CD built on top of Ubuntu (early version are built on top of Slackware). Latest "pre-release" has "forensics mode".

http://remote-exploit.org/backtrack.html

CAINE Live CD

A forensic Live CD built on top of Ubuntu.

http://caine-live.net

DEFT Linux

A Live CD built on top of Xubuntu with the best tools for computer forensics and incident response.

It's a very light and fast live system created for the Computer Forensics specialists.

The first live CD with AFF, dhash and Xplico.

http://www.deftlinux.net

THE FARMER'S BOOT CD

A Linux Live CD, designed and optimized for previewing data in a forensically sound manner. It contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems.

FCCU Gnu/Linux Boot CD

A Live CD built on top of Debian Live with a lot of tools with forensic purpose.

http://www.lnx4n6.be

grml

A forensic Live CD built on top of Debian.

http://grml.org

Helix3 (Helix3 Pro)

A Live CD built on top of Ubuntu with special tools for incident response and electronic discovery.

http://e-fense.com

MacQuisition Boot CD

A forensic Live CD built for imaging Macintosh systems.

Masterkey Linux

A Linux Live CD built on top of Slackware featuring a wide variety of free and open source tools, focused on both Incident Response and Computer Forensic Examination.

http://masterkeylinux.com

PlainSight

A forensic Live CD built on top of Knoppix.

http://www.plainsight.info

Recovery Is Possible

A Linux Live CD with a number of recovery applications such as TestDisk, PhotoRec, etc.

http://www.tux.org/pub/people/kent-robotti/looplinux/rip/

SAFE Boot Disk

The first and only commercially available forensically sound Windows Boot disk.

Includes built-in driver support, access to the NTFS file system and built-in software write blocking.

http://www.forensicsoft.com/catalog/product.php

SMART Linux

Two Live CDs built on top of Slackware and Ubuntu. Includes SMART and other forensic tools.

http://asrdata2.com

SPADA

A forensic Live CD built on top of Knoppix.

http://spada-cd.info

Out of date Live CDs

Knoppix STD

A Live CD built on top of Knoppix.

http://s-t-d.org/

Penguin Sleuthkit

A Linux Live CD that includes SleuthKit.

http://penguinsleuth.org/

SNARL

A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).

http://sourceforge.net/projects/snarl/

Personal Digital Device Tools

GPS Forensics

Blackthorn GPS Forensics

PDA Forensics

Cellebrite UFED

Paraben PDA Seizure

Paraben PDA Seizure Toolbox

PDD

Cell Phone Forensics

BitPIM

Cellebrite UFED

DataPilot Secure View

GSM .XRY

Fernico ZRT

ForensicMobile

LogiCube CellDEK

MOBILedit!

Oxygen Forensic Suite 2010

http://www.oxygen-forensic.com

Paraben's Device Seizure and Paraben's Device Seizure Toolbox

http://www.paraben-forensics.com/handheld_forensics.html

Serial Port Monitoring

TULP2G

SIM Card Forensics

Cellebrite UFED

ForensicSIM

Paraben's SIM Card Seizure

http://www.paraben-forensics.com/handheld_forensics.html

SIMCon

Preservation Tools

Paraben StrongHold Bag

Paraben StrongHold Tent

Other Tools

Computer Forensics Toolkit

http://computer-forensics.privacyresources.org

This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.

Live View

http://liveview.sourceforge.net/

Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.

Parallels VM

http://www.parallels.com/

http://en.wikipedia.org/wiki/Parallels_Workstation

Microsoft Virtual PC

http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx

http://en.wikipedia.org/wiki/Virtual_PC

VMware Player

http://www.vmware.com/products/player/

http://en.wikipedia.org/wiki/VMware#VMware_Workstation

A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.

VMware Server

http://www.vmware.com/products/server/

The free server product, for setting up/configuring/running VMware virtual machine.Important difference being that it can run 'headless', i.e. everything in background.

Webtracer

http://www.forensictracer.com

Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)

Hex Editors

biew

http://biew.sourceforge.net/en/biew.html

Okteta

KDE's new cross-platform hex editor with features such as signature-matching

http://utils.kde.org/projects/okteta/

hexdump

...

HexFiend

A hex editor for Apple OS X

http://ridiculousfish.com/hexfiend/

Hex Workshop

A hex editor from BreakPoint Software, Inc.

http://www.bpsoft.com

khexedit

http://docs.kde.org/stable/en/kdeutils/khexedit/index.html

WinHex

Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.

http://www.x-ways.net/winhex

xxd

...

HexReader

Live-Forensics software that reads windows files at specified offset and length and outputs results to the console.

http://www.live-forensics.com/dl/HexReader.zip

Telephone Scanners/War Dialers

PhoneSweep

http://www.sandstorm.net/products/phonesweep/

PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.