Research breakthrough possible @S-Logix pro@slogix.in

Office Address

  • 2nd Floor, #7a, High School Road, Secretariat Colony Ambattur, Chennai-600053 (Landmark: SRM School) Tamil Nadu, India
  • pro@slogix.in
  • +91- 81240 01111

Social List

List of Digital Forensic Tools

  • list-of-digitial-forensic-tool

Digital Forensic Tools

  • Digital forensic tools support a wide range of operations that enable investigators to securely collect, analyze, and report on the digital evidence found on various devices and networks. The operations supported by these tools can be broadly categorized into several phases:
  • 1.Acquisition
  • Disk Imaging: Creating an exact copy or snapshot of the storage medium.
  • Memory Dump: Capturing the contents of RAM.
  • Network Packet Capture: Collecting the data packets traveling across a network.
  • Mobile Device Imaging: Extracting data from mobile devices.
  • 2. Preservation
  • Evidence Protection: Ensuring that the original data is not altered during analysis.
  • Chain of Custody: Maintaining and documenting the handling and transfer of evidence.
  • Data Integrity Check: Verifying that data has not been altered using cryptographic checksums.
  • 3. Analysis
  • File and Disk Analysis: Investigating file systems, deleted files, and disk structures.
  • Memory Analysis: Investigating the contents of volatile memory (RAM).
  • Network Analysis:Examining network logs, packet captures, and traffic patterns.
  • Registry Analysis: Investigating Windows Registry data for potential evidence.
  • Log Analysis: Reviewing system, application, and security logs.
  • Malware Analysis: Analyzing malicious software and its activity.
  • Cloud Analysis: Investigating data stored in cloud services.
  • 4. Examination
  • Keyword Searching: Locating relevant information using keywords and regular expressions.
  • Data Carving: Extracting and analyzing data chunks without associated metadata.
  • Timeline Analysis: Building timelines of user activity.
  • Steganography Detection: Identifying hidden data within files.
  • Encryption Detection: Identifying encrypted files and containers.
  • 5. Reporting
  • Evidence Documentation: Documenting findings and creating audit trails.
  • Data Visualization: Graphical representation of data and findings.
  • Case Management: Managing case data, notes, and findings systematically.
  • Expert Testimony: Providing expert insights and explanations of the findings in a legal context.
  • 6. Legal and Ethical Considerations
  • Legal Compliance: Ensuring methods and tools comply with relevant laws.
  • Privacy Considerations: Protecting the privacy of individuals and sensitive data.
  • Ethical Handling: Ensuring unbiased and ethical handling of data and results.
  • Digital forensics is a branch of forensic science that involves the recovery, investigation, and analysis of data found in digital devices, often about computer crime. Various tools and software have been developed to assist digital forensics experts in gathering, analyzing, and protecting digital evidence. Different digital forensic tools may specialize in one or more of these operations and may be combined to conduct thorough investigations. The choice of tools and methods often depends on the specifics of the case, the type of data involved, and the legal jurisdiction. Some of the popular digital forensic tools include:

Tool Name Stellar Data Recovery
Type of Forensics Computer Forensics
Type of License Open source and License version
Tool Description Stellar data recovery is a complete solution to recover lost data from various storage devices, such as desktop and laptop hard drives, external hard drives, memory cards, SSD drivers, SD
Input Data Source Photo/raw file formats, Video formats, Audio formats, Document formats, Archive formats
Operating Systems Windows, Mac
Supporting Process Model Recover the data files. Identification, Acquiring
Links https://www.stellarinfo.com/windows-data-recovery.php

Tool Name Forensic Tool Kit Imager (FTK Imager)
Type of Forensics Computer Forensics and Static Forensic Analysis
Type of License Open Source (full disk ISO file)
Tool Description FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool, such as AccessData Forensic Toolkit, is warranted.
Input Data Source Full disk ISO files, image file formats
Operating Systems Windows Server 2016, Windows Server 2012, Windows 10, Windows 8.1, Windows 7 (64-bit)
Supporting Process Model Complete Process Model
Links https://www.exterro.com/ftk-product-downloads/forensic-toolkit-ftk-version-7-1-0
https://www.exterro.com/ftk-product-downloads/ftk-imager-version-4-7-1

Tool Name ProDiscover
Type of Forensics Computer Forensics
Type of License License
Tool Description ProDiscover is a powerful computer security tool that enables law enforcement professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings.
Input Data Source Disk Files
Operating Systems Windows, Mac, Linux
Supporting Process Model Complete Process Model
Links https://prodiscover.com/
https://softwareasli.com/product/prodiscover-forensics/

Tool Name Autopsy
Type of Forensics Computer Forensics and OS Forensics
Type of License Open source
Tool Description Autopsy is the premier open-source digital forensics platform that is easy to use, fast, and usable in all digital investigations.
Input Data Source Disk Images, File systems, Partitioned Drives, Logical Files, Network Packet Captures, RAM Dumps, Mobile Device Images, Container Files (zip, rar, etc.), Virtual Machine Images
Operating Systems Windows, Linux
Supporting Process Model Complete Process Model
Links https://www.autopsy.com/download/

Tool Name Encase
Type of Forensics Computer Forensics and Static Forensics
Type of License License
Tool Description Encase forensic is a digital forensic solution that can collect and preserve critical desktop/mobile evidence from multiple sources, such as text messages, call records, pictures, graphics, and much more.
Input Data Source Text file formats, Call Records, Picture file formats, Graphics
Operating Systems Windows
Supporting Process Model Complete Process Model
Links https://www.softwareadvice.com.au/software/318942/encase-forensic
https://www.opentext.com/products/encase-forensic

Tool Name Nmap (Network Map)
Type of Forensics Network Forensics
Type of License Open source
Tool Description Nmap tool is used to discover services and hosts on a computer network by analyzing the response of sending packets. It is a free and open-source utility for network discovery and security auditing.
Input Data Source IP address, Hostname, IP address Range, Hosts from a file, Output files, Port ranges
Operating Systems Windows, Mac OS, Linux
Supporting Process Model Network Discovery, Vulnerability Scanning, Network Mapping
Links https://nmap.org/
Tool Name Wireshark
Type of Forensics Network Forensics and Static/Live Forensics
Type of License Open Source
Tool Description Wireshark is a powerful network forensics tool that allows you to capture and analyze network traffic.
Input Data Source Network Interfaces, Capture Files format, PCAP Files
Operating Systems Windows, Mac OS, Linux
Supporting Process Model Packet Identification and Analysis
Links https://www.wireshark.org/

Tool Name Nessus
Type of Forensics Network Forensics
Type of License License
Tool Description Nessus is primarily known as a vulnerability assessment tool rather than a network forensics tool. It supports scanning operating systems, network devices, next-generation firewalls, hypervisors, etc.
Input Data Source Network traffic log files, Web applications
Operating Systems Windows, Mac OS, Linux
Supporting Process Model Vulnerability Scanning and Assessment
Links https://www.tenable.com/products/nessus

Tool Name Snort
Type of Forensics Network Forensics
Type of License Open source
Tool Description Snort is an open-source intrusion detection and prevention system that can be a valuable tool in network forensics.
Input Data Source Network traffic data, Network Interfaces, Packet Capture Files, Port Spanning, Network Segments
Operating Systems Windows
Supporting Process Model Real-time monitoring and analysis of Network traffic.
Links https://snort.en.lo4d.com/download

Tool Name Ettercap
Type of Forensics Network Forensics
Type of License Open source
Tool Description Ettercap is an open-source tool that can support man-in-the-middle attacks on networks.
Input Data Source Network traffic data, Network interfaces, Host files, MiTM Configuration files, Filter Rules
Operating Systems Windows 7, 8, Linux
Supporting Process Model Network monitoring and analysis
Links https://www.ettercap-project.org/downloads.html

Tool Name Cyber Check Suit
Type of Forensics Computer Forensics
Type of License License
Tool Description Cyber Check Suit is a comprehensive collection of disk forensics tools to acquire digital evidence, analysis, data recovery, and reporting of digital evidence.
Input Data Source Disk images, Files and folders, pictures, Gallery and Text views, Storage Media Files
Operating Systems Windows, Linux
Supporting Process Model Complete Process Model
Links https://www.secureindia.in/?page_id=780

Tool Name Belkasoft Evidence Center
Type of Forensics Computer Forensics, Mobile Forensics, Memory Forensics, Cloud Forensics and Live Forensics
Type of License License
Tool Description Belkasoft Evidence Center X Forensic edition is a complete solution for conducting in-depth investigations on all digital media devices and data sources, including computers, mobile devices and the cloud.
Input Data Source Computer Inputs:
- Hard drives
- Disk Images
- Virtual Machine Files
- Browser files, mailbox, documents, images, and videos, etc.
Mobile Inputs:
- Calls, mailbox, messages
- All social media files (WhatsApp, Telegram, etc.)
Cloud Inputs:
- Google Cloud files (Google Drive, Google My Activity, Google Sync, etc.)
- Email files
- Huawei
- Instagram
- Microsoft document files
Operating Systems Windows, Unix Based System (Linux, Ubuntu), mobile, cloud
Supporting Process Model Complete Process Model
Links https://belkasoft.com/x

Tool Name COFEE (Computer Online Forensic Evidence Extractor)
Type of Forensics Computer Forensics and Live Forensics
Type of License License
Tool Description COFEE is an investigative tool that Microsoft only provides to law enforcement agencies.
Input Data Source Capturing data from live computer systems, Windows system-related file formats, etc.
Operating Systems Windows
Supporting Process Model Complete Process Model
Links https://www.tutorialjinni.com/cofee-microsoft-forensic-tool-download.html

Tool Name Digital Forensics Framework (DFF) Plugin
Type of Forensics Computer Forensics, Software Forensics, Static/Live Forensics
Type of License Open Source Github (Python / C++)
Tool Description DFF is an open-source digital forensics tool that aims to provide a comprehensive platform for digital investigations. It offers a wide range of features and capabilities for various stages of the digital forensics process.
Input Data Source Hard drives, SSD drives, Memory Dumps, Mobile data files, Internet history, Chat logs, etc.
Operating Systems Windows, Linux, Mac
Supporting Process Model Complete Process Model
Links https://toolswatch.org/2011/03/dff-digital-forensics-framework-v1-0-0-released/

Tool Name Forensic Explorer
Type of Forensics Computer Forensics
Type of License Open Source
Tool Description Forensic Explorer is a commercial digital forensics software tool. It is designed to assist digital forensic investigators in various stages of the digital forensic process.
Input Data Source File list, Disk Images, Gallery, Display, Hash Files, Exported Files Formats, etc.
Operating Systems Windows 7 and 8 (32-bit)
Supporting Process Model Complete Process Model
Links https://getdataforensics.com/product/forensic-explorer-fex/

Tool Name X-Ways Forensics
Type of Forensics Computer Forensics
Type of License License
Tool Description X-Ways Forensics is a computer forensics tool designed to allow an investigator to capture the digital evidence while maintaining the integrity of the data. It provides a wide range of features for disk and data analysis.
Input Data Source Disk images, physical disks, network drives, archives, etc.
Operating Systems Windows
Supporting Process Model Complete Process Model
Links https://www.x-ways.net/winhex/

Tool Name Digital Forensics Framework (DFF) Plugin
Type of Forensics Computer Forensics, Software Forensics, Static/Live Forensics
Type of License Open Source Github (Python / C++)
Tool Description DFF is an open-source digital forensics tool that aims to provide a comprehensive platform for digital investigations. It offers a wide range of features and capabilities for various stages of the digital forensics process.
Input Data Source Hard drives, SSD drives, Memory Dumps, Mobile data files, Internet history, Chat logs, etc.
Operating Systems Windows, Linux, Mac
Supporting Process Model Complete Process Model
Links https://toolswatch.org/2011/03/dff-digital-forensics-framework-v1-0-0-released/

Tool Name Magnet AXIOM
Type of Forensics Computer Forensics, Mobile Forensics
Type of License Commercial
Tool Description Magnet AXIOM is a comprehensive digital forensics solution that can be used in both criminal and corporate investigations. It supports investigations involving computer, mobile, and cloud data.
Input Data Source Disk images, mobile backups, cloud data, etc.
Operating Systems Windows, macOS
Supporting Process Model Complete Process Model
Links https://www.magnetforensics.com/

Tool Name CAINE (Computer Aided INvestigative Environment)
Type of Forensics Computer Forensics
Type of License Open Source
Tool Description CAINE (Computer Aided INvestigative Environment) is an open-source digital forensics platform designed for law enforcement agencies. It provides a comprehensive set of tools for digital investigations.
Input Data Source Disk images, mobile devices, and memory dumps.
Operating Systems Linux
Supporting Process Model Complete Process Model
Links https://www.caine-live.net/

Tool Name OSForensics
Type of Forensics Computer Forensics
Type of License Commercial
Tool Description OSForensics is a digital forensics software that enables investigators to quickly and easily extract and analyze digital evidence from various sources.
Input Data Source Disk images, memory dumps, and various file formats.
Operating Systems Windows
Supporting Process Model Complete Process Model
Links https://www.osforensics.com/

Tool Name Stellar Data Recovery Professional
Type of Forensics Data Recovery, Email Forensics
Type of License Commercial
Tool Description Stellar Data Recovery Professional is a versatile data recovery tool that can also assist in email forensics. It allows users to recover lost or deleted data from various storage media.
Input Data Source Hard drives, SSDs, email archives, etc.
Operating Systems Windows, Mac
Supporting Process Model Data Recovery and Email Forensics
Links https://www.stellarinfo.com/data-recovery-professional.php

Tool Name Paladin Forensic Suite
Type of Forensics Computer Forensics
Type of License Open Source (Free)
Tool Description Paladin Forensic Suite is a free digital forensic tool that is easy to use and suitable for both beginners and experienced investigators.
Input Data Source Disk images, memory dumps, and various file formats.
Operating Systems Linux
Supporting Process Model Complete Process Model
Links https://sumuri.com/software/paladin/

Tool Name HashMyFiles
Type of Forensics OS Forensics
Type of License Free Download
Tool Description HashMyFiles is a small utility that calculates the MD5 and SHA1 hashes of one or more files in the system.
Input Data Source MD5 and SHA1 hash file list
Operating Systems Windows
Supporting Process Model Hash files integrity verification process
Links https://hashmyfiles.soft112.com/modal-download.html

Tool Name Aid4 Mail
Type of Forensics Mail Forensics
Type of License Free Download
Tool Description Aid4 Mail forensics tool is used to recover, collect, search, and convert email data reliably and quickly.
Input Data Source Email server files, Email client files, Email attachment files.
Operating Systems Windows
Supporting Process Model Investigation and Analysis
Links https://www.aid4mail.com/download-free-trial#s-downloads-block_c11025254a0b837adf84f1361ceb2591

Tool Name MailXaminer
Type of Forensics Mail Forensics
Type of License License
Tool Description MailExaminer tool focuses on examining email data and related artifacts, making it a valuable tool for digital forensic investigators who need to analyze email evidence in various types of investigations.
Input Data Source Email Server Files, Email Client Files, Archive Files, and Cloud Email Service Files.
Operating Systems Windows
Supporting Process Model Email Parsing, Email Search and Filtering, Attachments Analysis, Advanced Searching.
Links https://www.mailxaminer.com/download.html

Tool Name Email Tracker Pro
Type of Forensics Mail Forensics
Type of License Free Download
Tool Description Email Tracker Pro is a software tool for tracking email delivery and recipient actions, such as when an email is opened or clicked.
Input Data Source Email Messages, Recipient Email Addresses, Geolocation data.
Operating Systems Windows
Supporting Process Model Tracking Email Interactions, Email Marketing and Analysis.
Links https://www.x64bitdownload.com/download/t-64-bit-emailtrackerpro-download-uvnieocv.html

Tool Name Paraben E-Mail Examiner
Type of Forensics Mail Forensics
Type of License Free Download and License
Tool Description Paraben’s E-mail Examiner is a handy and reliable application for users to examine various e-mail formats.
Import Data Source Desktop E-Mail Application Files, E-Mail Archives, E-Mail Message Files.
Operating Systems Windows
Supporting Process Model E-Mail Recovery and Analysis, E-Mail Artifact Analysis.
Links https://e-mail-examiner.apponic.com/download/

Tool Name Volatility
Type of Forensics Memory Forensics and Live Forensics
Type of License Free Download
Tool Description Volatility is a collection of open-source tools specifically designed to analyze volatile memory (RAM) in digital forensics investigations.
Input Data Source Dumping Memory (Live System, Hibernation File, Crash Dump Files)
Operating Systems Windows, Linux, Mac
Supporting Process Model Memory Acquisition, Memory Analysis
Links https://www.volatilityfoundation.org/releases

Tool Name Windows SCOPE
Type of Forensics Memory Forensics
Type of License License
Tool Description Windows SCOPE is an incident response tool that enables memory Forensics for Windows computers.
Input Data Source Physical Memory Files, System Files, Driver Files
Operating Systems Windows
Supporting Process Model Complete Process Model
Links https://www.windowsscope.com/

Tool Name FotoForensics
Type of Forensics Software Forensics
Type of License Free Download (apk module)
Tool Description FotoForensics is a web-based tool that provides image analysis and forensics capabilities for examining digital images to detect potential manipulation or anomalies.
Import Data Source Local Files, URLs, Social Media Files, Email Attachments.
Operating Systems Windows
Supporting Process Model Error Level Analysis, Meta Data Analysis, Clone Detection, Re-sampling Analysis
Links https://fotoforensics.com/

Tool Name Forensically
Type of Forensics Software Forensics
Type of License Open Source Online Tool
Tool Description Forensically is a web-based collection of tools that can be used for digital image forensics.
Input Data Source Image Files Formats
Operating Systems Online Environment
Supporting Process Model Verification, Magnifying Functions, Clone Detection, Level Analysis, Noise Analysis
Links https://29a.ch/photo-forensics/#forensic-magnifier

Tool Name Izitru
Type of Forensics Software Forensics
Type of License Free Download
Tool Description Izitru determines the authenticity and integrity of digital images, particularly photographs, to ascertain whether they have been manipulated or altered.
Input Data Source Digital images from various sources include local files, online images, images on social media, etc.
Operating Systems iOS
Supporting Process Model Image authentication and verification
Links https://izitru-ios.soft112.com/

Tool Name AutoProv
Type of Forensics Computer Forensics
Type of License Open Source (GitHub) Python
Tool Description AutoProv is a two-phase script for recreating the provenance of a file from several temporal artifacts from digital forensics media.
Input Data Source File system, Registry Files, OS metadata, Web browser files, etc.
Operating Systems Ubuntu
Supporting Process Model Data Gathering and Data Processing
Links https://github.com/gilbert-peterson/AutoProv

Tool Name NTFSObjectIDParser
Type of Forensics Computer Forensics
Type of License Open Source (Github) C++ / C
Tool Description Digital Forensics tool parsing the $ObjId index file and correlating it with the $MFT.
Input Data Source Object IDs, Index File, Disk Images
Operating Systems Ubuntu
Supporting Process Model Complete Process Model
Links https://github.com/RuneN007/NTFSObjectIDParser

Tool Name NTFSTool
Type of Forensics Computer Forensics
Type of License Open Source (Github) C++/C
Tool Description NTFSTool is a forensics tool focused on NTFS volumes. It displays the complete structure of master, volume, and partition table records.
Input Data Source Master File Table, Bitlocker Encrypted Volume.
Operating Systems Windows, Ubuntu
Supporting Process Model Recover Deleted Files, Examine File Attributes, View File System Structure, Recover Data
Links https://github.com/thewhiteninja/ntfstool

Tool Name Kumodd
Type of Forensics Network Forensics
Type of License Open Source (Github) Python
Tool Description Kumodd downloads files and/or generates a CSV file of metadata from a specified Google Drive account in a forensically sound manner.
Input Data Source doc, xls, ppt, text, pdf, image, audio, video or other
Operating Systems Ubuntu, Windows
Supporting Process Model Identification and Verification
Links https://github.com/andresebr/kumodd

Tool Name WinPmem
Type of Forensics Memory Forensics
Type of License Open Source (Github) C/C++
Tool Description WinPmem has been the default open-source memory acquisition driver for Windows for a long time.
Input Data Source WinPmem Executable Files, Kernel Drivers Files, System Information
Operating Systems Windows
Supporting Process Model Capturing the physical memory of a Windows system.
Links https://github.com/google/rekall/tree/master/tools/windows/winpmem

Tool Name Heapinfo
Type of Forensics Memory Forensics
Type of License Open Source (Github) Ruby
Tool Description Heapinfo provides an abstract overview of the number of arenas, chunks, and sizes.
Input Data Source Memory files
Operating Systems Windows
Supporting Process Model Recover the file systems.
Links https://github.com/david942j/heapinfo

Tool Name Heapdump
Type of Forensics Memory Forensics
Type of License Open Source (Github) Javascript
Tool Description Heapdump is used to dump all allocated and freed chunks to disk in separate files for further analysis.
Input Data Source Disk Chunk files, memory allocated files
Operating Systems UNIX system
Supporting Process Model Dumps all allocated and freed chunks to disk.
Links https://github.com/bnoordhuis/node-heapdump

Tool Name Sifter
Type of Forensics Software Forensics
Type of License Open Source (Github) Java
Tool Description Sifter is a text string search application for digital forensics investigators. It indexes text from acquired images of digital media (e.g., raw and .E01), including file slack and unallocated space.
Input Data Source Digital media image files, Disk Images
Operating Systems Windows, Linux
Supporting Process Model Examination and Analysis
Links https://github.com/jonstewart/Sifter/blob/master/README.md

Tool Name OpenLV
Type of Forensics Software Forensics
Type of License Open Source (Github) Java
Tool Description OpenLV is a Java-based graphical forensics tool that creates a virtual machine out of a raw (dd-style) disk image or physical disk.
Input Data Source Full disk raw images, Bootable partition raw images, Physical Disks (attached via a USB or Firewire bridge), Specialized and closed image formats
Operating Systems Windows, Linux
Supporting Process Model Identification and Analysis
Links https://github.com/tvidas/OpenLV

Tool Name Advanced Automated Disk Investigation Toolkit (AUDIT)
Type of Forensics Computer Forensics
Type of License Open Source
Tool Description AUDIT intelligently integrates open-source tools and guides non-IT professionals while requiring minimal technical knowledge about the target disk image's disk structures and file systems.
Input Data Source Graphics files, emails, documents, and hidden locations.
Operating Systems Windows
Supporting Process Model Identification and Analysis of Disk Images.
Links https://sourceforge.net/projects/audit-toolkit/

Tool Name AMExtractor
Type of Forensics Malware Forensics
Type of License Open Source (Github) C
Tool Description AMExtractor is a tool for acquiring volatile physical memory from various Android devices and supports rootkit detection.
Input Data Source Windows Volatile memory files.
Operating Systems Windows
Supporting Process Model Malware Detection
Links https://github.com/ir193/AMExtractor

Tool Name DRone Open source Parser (DROP)
Type of Forensics IoT Forensics
Type of License Open Source (Github) Python
Tool Description DROP tool is used to Parses proprietary DAT files extracted from the drone's nonvolatile internal storage.
Input Data Source CSV files
Operating Systems Ubuntu
Supporting Process Model Extraction of DAT Files
Links https://github.com/BiTLab-BaggiliTruthLab/DROP

Tool Name Forensic Evidence Acquisition and Analysis System (FEAAS)
Type of Forensics IoT Forensics
Type of License Open Source (GitHub) Python
Tool Description FEAAS consolidates evidentiary data into a readable report that can infer user events (like entering or leaving home) and what triggered an event (whether it was the Google Assistant through a voice command or the use of an iPhone application).
Input Data Source Nest Mobile App datas, Google Home Mini Mobile App data
Operating Systems Linux
Supporting Process Model Complete Process Model
Links

Tool Name Wifimit
Type of Forensics Network Forensics
Type of License Open Source (Github) Python
Tool Description The package combines several existing tools and attack strategies to bypass the wireless security mechanisms, such as WEP, WPA, and WPS. The presented tool can be integrated into a solution for automated penetration testing.
Input Data Source WPS, WPA, and WEP file formats
Operating Systems Linux
Supporting Process Model Identification and Testing
Links https://github.com/byt3bl33d3r/MITMf

Tool Name Bring2lite
Type of Forensics Software Forensics
Type of License Open Source (Github) Python
Tool Description The tool was developed to process SQLite databases in respect of deleted records. Therefore, bring2lite can analyze the structures within the main database, WAL, and journal files.
Input Data Source SQL Database files, journal files.
Operating Systems Linux
Supporting Process Model Identification and Analysis
Links https://github.com/bring2lite/bring2lite

Tool Name Hooktracer
Type of Forensics Memory Forensics
Type of License Open Source (Github) TypeScript
Tool Description The Hooktracer tool is used to perform post-processing of apihooks-generated output in conjunction with our memory analysis algorithms.
Input Data Source Network-related memory files (cache files, RAM files, etc.)
Operating Systems Linux
Supporting Process Model Volatile Memory Analysis
Links https://github.com/awendland/npm-install-hook-tracer

Tool Name AFF4 evidence container (The Advanced Forensics File Format 4 (AFF4))
Type of Forensics Software Forensics
Type of License Open Source (Github) Python
Tool Description The Advanced Forensics File Format 4 (AFF4) is an open-source format for storing digital evidence and data.
Input Data Source Zip file formats, document files, image files, etc.
Operating Systems Linux
Supporting Process Model Storage Analysis of Data
Links https://github.com/aff4/pyaff4

Tool Name Ptenum
Type of Forensics Memory Forensics
Type of License Open Source (Github) Python
Tool Description The Ptenum plugin can detect executable pages despite any intentional (or unintentional) hiding technique.
Input Data Source Code formats, memory format files
Operating Systems Windows, Linux
Supporting Process Model Analysis and Detection
Links https://github.com/f-block/DFRWS-USA-2019

Tool Name Vivedump
Type of Forensics Memory Forensics
Type of License Open Source (Github) Plugin
Tool Description Used to analyze memory dumps of HTC Vive VR systems and share related datasets. The plugin will output a textual representation of all data.
Input Data Source Evidentiary data, a wavefront obj formatted mesh of the VE, and pass the 3-dimensional coordinates to a Python OpenGL instance
Operating Systems Linux
Supporting Process Model Analyzing and Acquiring
Links https://github.com/BiTLab-BaggiliTruthLab/VR4Sec/tree/master/vive-dump

Tool Name Digital Drone Forensics Software
Type of Forensics IoT Forensics
Type of License Open Source (Github) Java
Tool Description This tool primarily focuses on analyzing the essential log parameters of drones.
Input Data Source Jar files, log files
Operating Systems Windows, Linux
Supporting Process Model Data Extraction, Data Reconstruction, Metadata analysis, Video Analysis, Image Enhancement
Links https://github.com/ankitrlps/DroneForensicsSoftware

Tool Name JPEGsnoop
Type of Forensics Software Forensics
Type of License Open Source (Github) C++/C
Tool Description JPEGsnoop is a detailed JPEG image decoder and analysis tool. It reports all image metadata and can even help identify if an image has been edited.
Input Data Source JPEG, AVI (MJPG), PSD images, EXIF files.
Operating Systems Windows
Supporting Process Model Forensics and Technical analysis of images.
Links https://github.com/ImpulseAdventure/JPEGsnoop

Tool Name Ghiro
Type of Forensics Software Forensics
Type of License Open Source (Github) Python, HTML
Tool Description Ghiro is a fully automated tool designed to run forensics analysis over massive images using a user-friendly and fancy web application.
Input Data Source Windows bitmap, Encapsulated PostScript, JPEG File Interchange Format, PNG Files, etc.
Operating Systems Windows, Linux
Supporting Process Model Image Metadata analysis, Tampering Detection, Hashing, Classification of Images
Links https://github.com/Ghirensics/ghiro

Tool Name OSF Mount
Type of Forensics Live Forensics
Type of License Free Download
Tool Description OSF Mount tool is used to allow mount local disk image files in Windows as a physical disk or a logical drive letter.
Input Data Source Disk Image Files
Operating Systems Windows
Supporting Process Model Mounting Disk Images, Data Recovery, Write Protection.
Links https://www.osforensics.com/tools/mount-disk-images.html

Tool Name Magnet RAM
Type of Forensics Live Forensics
Type of License Free Download
Tool Description Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.
Input Data Source Volatile Memory (RAM)
Operating Systems Windows, Linux
Supporting Process Model Identification, Acquisition
Links https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/

Tool Name The Sleuth Kit
Type of Forensics Live Forensics
Type of License Free Download (Open Source)
Tool Description The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them.
Input Data Source File System, Disk Images, executable files, etc.
Operating Systems Windows, Linux, Mac OS
Supporting Process Model System Analysis, File Recovery, Timeline Analysis
Links https://www.sleuthkit.org/sleuthkit/desc.php

Tool Name OCFA (Open Computer Forensics Architecture)
Type of Forensics Live Forensics, Computer Forensics
Type of License Free Download
Tool Description Open Computer Forensics Architecture is an open-source digital forensics framework designed to facilitate acquiring, analyzing, and preserving digital evidence from various sources, including computer systems, storage devices, and digital media.
Input Data Source Hard drives, Files System, Network Traffic, etc.
Operating Systems Linux
Supporting Process Model Acquiring, Processing and Analyzing Digital Evidence
Links https://www.toolwar.com/2014/06/ocfa-open-computer-forensics.html

Tool Name CAINE (Computer Aided Investigative Environment)
Type of Forensics Computer Forensics, Static/Live Forensics
Type of License Free Download
Product Description CAINE (Computer Aided Investigative Environment) is a Linux-based distribution designed for digital forensics and incident response tasks.
Input Data Source disk imaging tools, file system analysis utilities, memory forensics tools, network analysis tools, and reporting tools
Operating Systems Linux, Windows
Supporting Process Model Identification, Collection, Analysis
Links https://www.caine-live.net/

Tool Name The Coroner’s Toolkit
Type of Forensics Static/Live Forensics
Type of License Free Download
Tool Description The Coroner's Toolkit (TCT) is a collection of digital forensic tools for analyzing computer systems and performing forensic investigations.
Input Data Source Disk Images, Memory Dumps, File Systems, Case Files, etc.
Operating Systems Linux
Supporting Process Model Identification, Collection, Analysis
Links http://www.porcupine.org/forensics/tct.html

Tool Name MSc Autopsy Plugins (iSmartalarm, QBee, Arlo, Wink)
Type of Forensics IoT Forensics
Type of License Open Source (github) Python
Tool Description This repository is a collection of plugins for Autopsy forensic software and standalone scripts to parse artifacts from iSmartalarm, QBee, Arlo and Wink devices.
Input Data Source File Systems, Social Media Files, Data Format Files, E-Mail Files, Digital Media Files
Operating Systems Linux
Supporting Process Model Identification and Analysis
Links https://github.com/fservida/msc_autopsy_plugins

Tool Name AndroParse
Type of Forensics IoT Forensics
Type of License Open Source (Github) Python
Tool Description AndroParse is a tool that can be used in conjunction with Autopsy, specifically designed to extract and analyze data from Android devices during digital forensic investigations.
Input Data Source Android APK Files, Android Image Files, Log Files, etc.
Operating Systems Linux
Supporting Process Model APK Parsing, Manifest Analysis, Static Analysis, Dex File Extraction, Resource Extraction
Links https://github.com/rschmicker/AndroParse

Tool Name PTK Forensics
Type of Forensics Static/Live Forensics
Type of License Free Download
Tool Description PTK forensics is a computer forensic framework for the command line tools in the SleuthKit, plus many more software modules. This makes it usable and easy to investigate a system. PTK forensics is an alternative advanced framework for the TSK suite.
Input Data Source Tools Files Formats, Log Files, Disk Image Files
Operating Systems Linux
Supporting Process Model Identification, Analysis
Links https://ptk-forensics.soft112.com/download.html

Tool Name HashKeeper
Type of Forensics Static Forensics
Type of License Free Download
Tool Description HashKeeper is a tool often used in digital forensics and computer security. It's designed to capture and analyze information about files and their associated metadata to aid in investigations and to help ensure the integrity of digital evidence.
Input Data Source Hash files, Digital Storage Media files, and Data Sources.
Operating Systems Windows
Supporting Process Model File Hashing, Evidence Integrity, and data collection
Links https://coptr.digipres.org/index.php/HashKeeper

Tool Name Safeback
Type of Forensics Static Forensics
Type of License Open Source
Tool Description SafeBack is a digital forensic tool designed to create a forensic image of a hard drive or storage media while preserving the original data's integrity.
Input Data Source Hard Drives, Floppy Disks, USB Drives, Partition and File System Support, etc.
Operating Systems Linux
Supporting Process Model Disk Imaging, File Recovery, Write Protection
Links https://coptr.digipres.org/index.php/SafeBack

Tool Name Registry Recon
Type of Forensics Static Forensics, Computer Forensics
Type of License Commercial
Tool Description Registry Recon is a tool used for live and static registry analysis. It is designed for computer forensics professionals and provides various features for analyzing Windows registries, identifying suspicious activities, and recovering data.
Input Data Source Windows Registry Files, Memory Dumps, Live Systems
Operating Systems Windows
Supporting Process Model Registry Analysis, Evidence Recovery, Suspicious Activity Detection
Links https://www.paraben.com/products/registry-recon-2/

Tool Name The Windows Forensic Toolchest (WFT)
Type of Forensics Live Forensics
Type of License Free Download
Tool Description The Windows Forensic Toolchest (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system.
Input Data Source Disk Images, Real Time Analysis Data, Windows Based File System formats, Memory Images, Network Capture Files
Operating Systems Windows
Supporting Process Model Complete Process Model
Links http://www.foolmoon.net/security/wft/#:~:text=WFT%20is%20essentially%20a%20forensically,confirm%20computer%20misuse%20or%20configuration.

Tool Name CMAT (Compile Memory Analysis Tool)
Type of Forensics Live Forensics, Memory Forensics
Type of License Open Source
Tool Description The Compile Memory Analysis Tool (CMAT) is a self-contained memory analysis tool that analyzes a Windows O/S memory (either in a dump or via XenAccess in a Xen VM) and extracts information about the operating system and the running processes.
Input Data Source Official Documentation files, Memory Dumps, etc.
Operating Systems Windows
Supporting Process Model Incident Response Analysis, Malware Analysis
Links https://sourceforge.net/projects/cmat/

Tool Name Intella
Type of Forensics Live Forensics
Type of License License
Tool Description Intella is a digital forensic search and e-discovery application designed to make the process of searching, collecting, and analyzing electronic data more efficient and effective.
Input Data Source Email data, Chat Data, Office files, Image files, etc.
Operating Systems Windows
Supporting Process Model Search, Collection, Analysis
Links https://www.vound-software.com/

Tool Name IRCR (Incident Response Collection Report)
Type of Forensics Live Forensics
Type of License Open Source
Tool Description The Incident Response Collection Report is a script to call a collection of tools that gathers and/or analyzes data on a Microsoft Windows system.
Input Data Source Initial Incident Report, Network and System Logs, Endpoint Data, etc.
Operating Systems Windows
Supporting Process Model Identification, Collection, Analysis Examination.
Links https://sourceforge.net/projects/ircr/

Tool Name Bulk Extractor
Type of Forensics Live Forensics, Computer Forensics
Type of License Open source (GitHub) C++
Tool Description Bulk extractor is a high-performance digital forensics exploitation tool. It rapidly scans any input and extracts structured information such as email addresses, credit card numbers, JPEGs, and JSON snippets without parsing the file system or file system structures.
Input Data Source Disk images, files, directories of files, etc.
Operating Systems Amazon Linux, Fedora 36, Ubuntu 20.04LTS, MAC OS
Supporting Process Model Identification, Analysis, Reporting
Links https://github.com/simsong/bulk_extractor

Tool Name EPRB (Elcomsoft Password Recovery Bundle)
Type of Forensics Live Forensics
Type of License License
Tool Description All password recovery tools are in a single value pack. Unlock documents, decrypt archives, and break into encrypted containers with an all-in-one Desktop Forensic Bundle.
Input Data Source All versions of Microsoft Office, OpenOffice, NFS Encrypted File System, Windows and macOS passwords, macOS Keychain, ZIP/RAR/RAR5, PDF, BitLocker/PGP/TrueCrypt/VeraCrypt, and many more.
Operating Systems Windows, Mac OS
Supporting Process Model Advanced Archive Password Recovery, Advanced EFS Data Recovery, Advanced Office Password Recovery, Proactive System Password Recovery
Links https://www.elcomsoft.com/edfb.html

Tool Name SAFT (SANS Investigative Forensics Tool Kit)
Type of Forensics Live Forensics
Type of License Free Download
Tool Description SIFT is a computer forensics distribution created by the SANS Forensics team for performing digital forensics. This distro includes most tools required for digital forensics analysis and incident response examinations.
Input Data Source Digital Storage Media Files, Memory Dumps, Network Traffic, File Systems, etc.
Operating Systems Ubuntu, Windows
Supporting Process Model Identification, Collection, Examination, Analysis.
Links Link

Tool Name Timeline2GUI
Type of Forensics Software Forensics
Type of License Open Source (GitHub) Python
Tool Description This is a tool to import and view the contents of the Timeline CSV file. The features include filtering the data based on column values, searching for text, saving the data to a CSV file, and highlighting a few rows.
Input Data Source File System Data, Registry Data, System Logs, Network Traffic Logs, Memory Files, etc.
Operating Systems Linux
Supporting Process Model Analysis
Links https://github.com/parvathycec/Timeline2GUI/tree/master

Tool Name MongoDB Deleted Data Recovery Tool
Type of Forensics Software Forensics
Type of License Open Source, License
Tool Description MongoDB Deleted Data Recovery Tool is widely recognized or provided by MongoDB as an official product or tool for recovering deleted data.
Input Data Source Backup Files, Log Files, Data Files, etc.
Operating Systems Linux
Supporting Process Model Data Recovery Process
Links https://github.com/etherfoundry/mongo-data-recovery

Tool Name A Forensic Email Analysis Tool Using Dynamic Private/Personal
Type of Forensics Software Forensics
Type of License Open Source
Tool Description Email forensic tools exist for analyzing email data in digital investigations; dynamically incorporating private or personal information is more specialized.
Input Data Source Email files, Attachments files, link files, etc.
Operating Systems Windows, Linux
Supporting Process Model Header Analysis, Server Investigation, Sender Mail Fingerprints
Links https://linuxhint.com/email_forensics_analysis/