This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.
Note: This page has gotten too big and is being broken up. See:
- Category:Disk Imaging
- Tools:Data Recovery (including file carving)
- Tools:File Analysis
- Tools:Document Metadata Extraction
- Tools:Memory Imaging
- Tools:Memory Analysis
- Tools:Network Forensics
- Tools:Logfile Analysis
- Category:Anti-forensics tools
- Category:Secure deletion
- 1 Disk Analysis Tools
- 2 Enterprise Tools (Proactive Forensics)
- 3 Forensics Live CDs
- 4 Personal Digital Device Tools
- 5 Other Tools
- 6 Telephone Scanners/War Dialers
Disk Analysis Tools
Hard Drive Firmware and Diagnostics Tools
- PC-3000 from DeepSpar Data Recovery Systems
- Macintosh Forensic Software by BlackBag Technologies, Inc.
- Belkasoft Evidence Center by Belkasoft
- This product makes it easy for an investigator to search, analyze and store digital evidence found in Instant Messenger histories, Internet Browser histories and Outlook mailboxes.
- CD/DVD Inspector by InfinaDyne
- This is the only forensic-qualified tool for examinination of optical media. It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide.
- EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
- Facebook Forensic Toolkit (FFT) by Afentis Forensics
- eDiscovery toolkit to identify and clone full profiles; including wall posts, private messages, uploaded photos/tags, group details, graphically illustrate friend links, and generate expert reports.
- ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
- P2 Power Pack by Paraben
- DateDecoder by Live-Forensics
- A command line tool that decodes most encoded time/date stamps found on a windows system, and outputs the time/date in a human readable format.
- RecycleReader by Live-Forensics
- A command line tool that outputs the contents of the recycle bin on XP, Vista and 7.
- Dstrings by Live-Forensics
- A command line tool that searches for strings in a given file. It has the ability to compare the output of those strings against a dictionary to either exclude the dictionary terms in the output or only output files that match the dictionary. It also has the ability to search for IP Addresses and URLs/Email Addresses.
- Unique by Live-Forensics
- A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options.
- HashUtil by Live-Forensics
- HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes. It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases.
- WindowsSCOPE Pro, Ultimate, Live
- Comprehensive Windows Memory Forensics and Cyber Analysis, Incident Response, and Education support.
- Software and hardware based acquisition with CaptureGUARD PCIe and ExpressCard
- Hardware based acquisition of memory on a locked computer via CaptureGUARD Gateway
- WindowsSCOPE Live provides memory analysis of Windows computers on a network from Android phones and tablets.
Open Source Tools
- A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
- Bulk Extractor
- Bulk Extractor provides digital media triage by extracting Features from digital media.
- Bulk Extractor Viewer
- Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using Bulk Extractor.
- Digital Forensics Framework (DFF)
- DFF is cross-platform and open-source, user and developers oriented. It provide many features and is very modular. Our goal is to provide a powerful framework to the forensic community, so people can use only one tool during the analysis. http://www.digital-forensic.org
- FTimes is a system baselining and evidence collection tool.
- Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
- A generic framework for binary file manipulation, it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, MSDOS partition header, etc. Recognize file type. Able to find subfiles (hachoir-subfile).
- Web-based, database-backed forensic and log analysis GUI written in Python.
- Linux and Windows file carving program originally based on foremost.
NDA and scoped distribution tools
Enterprise Tools (Proactive Forensics)
Forensics Live CDs
See: Forensics Live CDs
Personal Digital Device Tools
Cell Phone Forensics
- Cellebrite UFED
- DataPilot Secure View
- Fernico ZRT
- LogiCube CellDEK
- Oxygen Forensic Suite 2010
- Paraben's Device Seizure and Paraben's Device Seizure Toolbox
- Serial Port Monitoring
SIM Card Forensics
- Cellebrite UFED
- Paraben's SIM Card Seizure
- Chat Sniper
- A forensic software tool designed to simplify the process of on-scene evidence acquisition and analysis of logs and data left by the use of AOL, MSN (Live), or Yahoo instant messenger.
- Computer Forensics Toolkit
- This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
- Live View
- Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
- Microsoft Virtual PC
- VMware Player
- A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.
- VMware Server
- The free server product, for setting up/configuring/running VMware virtual machine.Important difference being that it can run 'headless', i.e. everything in background.
- Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
- KDE's new cross-platform hex editor with features such as signature-matching
- Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.
- Live-Forensics software that reads windows files at specified offset and length and outputs results to the console.
Telephone Scanners/War Dialers
- PhoneSweep is a commercial grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.