Tool Name | Stellar Data Recovery |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Open source and License version |
Tool Description | Stellar Data Recovery is a complete solution to recover lost data from various storage devices, such as desktop and laptop hard drives, external hard drives, memory cards, SSD drives, SD |
Input Data Source | Photo/raw file formats, Video formats, Audio formats, Document formats, Archive formats |
Operating Systems | Windows, Mac |
Supporting Process Model | Recover the data files. Identification, Acquiring |
Links | https://www.stellarinfo.com/windows-data-recovery.php |
Tool Name | Forensic Tool Kit Imager (FTK Imager) |
---|---|
Type of Forensics | Computer Forensics and Static Forensic Analysis |
Type of License | Open Source (full disk ISO file) |
Tool Description | FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool, such as AccessData Forensic Toolkit, is warranted. |
Input Data Source | Full disk ISO files, image file formats |
Operating Systems | Windows Server 2016, Windows Server 2012, Windows 10, Windows 8.1, Windows 7 (64-bit) |
Supporting Process Model | Complete Process Model |
Links | https://www.exterro.com/ftk-product-downloads/forensic-toolkit-ftk-version-7-1-0 https://www.exterro.com/ftk-product-downloads/ftk-imager-version-4-7-1 |
Tool Name | ProDiscover |
---|---|
Type of Forensics | Computer Forensics |
Type of License | License |
Tool Description | ProDiscover is a powerful computer security tool that enables law enforcement professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings. |
Input Data Source | Disk Files |
Operating Systems | Windows, Mac, Linux |
Supporting Process Model | Complete Process Model |
Links | https://prodiscover.com/ https://softwareasli.com/product/prodiscover-forensics/ |
Tool Name | Autopsy |
---|---|
Type of Forensics | Computer Forensics and OS Forensics |
Type of License | Open source |
Tool Description | Autopsy is the premier open-source digital forensics platform that is easy to use, fast, and usable in all digital investigations. |
Input Data Source | Disk Images, File systems, Partitioned Drives, Logical Files, Network Packet Captures, RAM Dumps, Mobile Device Images, Container Files (zip, rar, etc.), Virtual Machine Images |
Operating Systems | Windows, Linux |
Supporting Process Model | Complete Process Model |
Links | https://www.autopsy.com/download/ |
Tool Name | Encase |
---|---|
Type of Forensics | Computer Forensics and Static Forensics |
Type of License | License |
Tool Description | Encase forensic is a digital forensic solution that can collect and preserve critical desktop/mobile evidence from multiple sources, such as text messages, call records, pictures, graphics, and much more. |
Input Data Source | Text file formats, Call Records, Picture file formats, Graphics |
Operating Systems | Windows |
Supporting Process Model | Complete Process Model |
Links | https://www.softwareadvice.com.au/software/318942/encase-forensic https://www.opentext.com/products/encase-forensic |
Tool Name | Nmap (Network Map) |
---|---|
Type of Forensics | Network Forensics |
Type of License | Open source |
Tool Description | Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. It is a free and open-source utility for network discovery and security auditing. |
Input Data Source | IP address, Hostname, IP address Range, Hosts from a file, Output files, Port ranges |
Operating Systems | Windows, Mac OS, Linux |
Supporting Process Model | Network Discovery, Vulnerability Scanning, Network Mapping |
Links | https://nmap.org/ |
Tool Name | Wireshark |
---|---|
Type of Forensics | Network Forensics and Static/Live Forensics |
Type of License | Open Source |
Tool Description | Wireshark is a powerful network forensics tool that allows you to capture and analyze network traffic. |
Input Data Source | Network Interfaces, Capture Files format, PCAP Files |
Operating Systems | Windows, Mac OS, Linux |
Supporting Process Model | Packet Identification and Analysis |
Links | https://www.wireshark.org/ |
Tool Name | Nessus |
---|---|
Type of Forensics | Network Forensics |
Type of License | License |
Tool Description | Nessus is primarily known as a vulnerability assessment tool rather than a network forensics tool. It supports scanning operating systems, network devices, next-generation firewalls, hypervisors, etc. |
Input Data Source | Network traffic log files, Web applications |
Operating Systems | Windows, Mac OS, Linux |
Supporting Process Model | Vulnerability Scanning and Assessment |
Links | https://www.tenable.com/products/nessus |
Tool Name | Snort |
---|---|
Type of Forensics | Network Forensics |
Type of License | Open source |
Tool Description | Snort is an open-source intrusion detection and prevention system that can be a valuable tool in network forensics. |
Input Data Source | Network traffic data, Network Interfaces, Packet Capture Files, Port Spanning, Network Segments |
Operating Systems | Windows |
Supporting Process Model | Real-time monitoring and analysis of Network traffic. |
Links | https://snort.en.lo4d.com/download |
Tool Name | Ettercap |
---|---|
Type of Forensics | Network Forensics |
Type of License | Open source |
Tool Description | Ettercap is an open-source tool that can support man-in-the-middle attacks on networks. |
Input Data Source | Network traffic data, Network interfaces, Host files, MiTM Configuration files, Filter Rules |
Operating Systems | Windows 7, 8, Linux |
Supporting Process Model | Network monitoring and analysis |
Links | https://www.ettercap-project.org/downloads.html |
Tool Name | Cyber Check Suite |
---|---|
Type of Forensics | Computer Forensics |
Type of License | License |
Tool Description | Cyber Check Suite is a comprehensive collection of disk forensics tools for acquiring digital evidence, analysis, data recovery, and reporting of digital evidence. |
Input Data Source | Disk images, Files and folders, pictures, Gallery and Text views, Storage Media Files |
Operating Systems | Windows, Linux |
Supporting Process Model | Complete Process Model |
Links | https://www.secureindia.in/?page_id=780 |
Tool Name | Belkasoft Evidence Center |
---|---|
Type of Forensics | Computer Forensics, Mobile Forensics, Memory Forensics, Cloud Forensics and Live Forensics |
Type of License | License |
Tool Description | Belkasoft Evidence Center X Forensic edition is a complete solution for conducting in-depth investigations on all digital media devices and data sources, including computers, mobile devices and the cloud. |
Input Data Source | Computer inputs: hard drives, disk images, virtual machine files, browser files, mailboxes, documents, images, videos, etc. Mobile inputs: calls, mailboxes, messages, social media files (WhatsApp, Telegram, etc.). Cloud inputs: Google Cloud files (Google Drive, Google My Activity, Google Sync, etc.), email files, Huawei, Microsoft document files |
Operating Systems | Windows, Unix Based System (Linux, Ubuntu), mobile, cloud |
Supporting Process Model | Complete Process Model |
Links | https://belkasoft.com/x |
Tool Name | COFEE (Computer Online Forensic Evidence Extractor) |
---|---|
Type of Forensics | Computer Forensics and Live Forensics |
Type of License | License |
Tool Description | COFEE is an investigative tool that Microsoft only provides to law enforcement agencies. |
Input Data Source | Capturing data from live computer systems, Windows system-related file formats, etc. |
Operating Systems | Windows |
Supporting Process Model | Complete Process Model |
Links | https://www.tutorialjinni.com/cofee-microsoft-forensic-tool-download.html |
Tool Name | Digital Forensics Framework (DFF) Plugin |
---|---|
Type of Forensics | Computer Forensics, Software Forensics, Static/Live Forensics |
Type of License | Open Source Github (Python / C++) |
Tool Description | DFF is an open-source digital forensics tool that aims to provide a comprehensive platform for digital investigations. It offers a wide range of features and capabilities for various stages of the digital forensics process. |
Input Data Source | Hard drives, SSD drives, Memory Dumps, Mobile data files, Internet history, Chat logs, etc. |
Operating Systems | Windows, Linux, Mac |
Supporting Process Model | Complete Process Model |
Links | https://toolswatch.org/2011/03/dff-digital-forensics-framework-v1-0-0-released/ |
Tool Name | Forensic Explorer |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Open Source |
Tool Description | Forensic Explorer is a commercial digital forensics software tool. It is designed to assist digital forensic investigators in various stages of the digital forensic process. |
Input Data Source | File list, Disk Images, Gallery, Display, Hash Files, Exported Files Formats, etc. |
Operating Systems | Windows 7 and 8 (32-bit) |
Supporting Process Model | Complete Process Model |
Links | https://getdataforensics.com/product/forensic-explorer-fex/ |
Tool Name | X-Ways Forensics |
---|---|
Type of Forensics | Computer Forensics |
Type of License | License |
Tool Description | X-Ways Forensics is a computer forensics tool designed to allow an investigator to capture the digital evidence while maintaining the integrity of the data. It provides a wide range of features for disk and data analysis. |
Input Data Source | Disk images, physical disks, network drives, archives, etc. |
Operating Systems | Windows |
Supporting Process Model | Complete Process Model |
Links | https://www.x-ways.net/winhex/ |
Tool Name | Magnet AXIOM |
---|---|
Type of Forensics | Computer Forensics, Mobile Forensics |
Type of License | Commercial |
Tool Description | Magnet AXIOM is a comprehensive digital forensics solution that can be used in both criminal and corporate investigations. It supports investigations involving computer, mobile, and cloud data. |
Input Data Source | Disk images, mobile backups, cloud data, etc. |
Operating Systems | Windows, macOS |
Supporting Process Model | Complete Process Model |
Links | https://www.magnetforensics.com/ |
Tool Name | CAINE (Computer Aided INvestigative Environment) |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Open Source |
Tool Description | CAINE (Computer Aided INvestigative Environment) is an open-source digital forensics platform designed for law enforcement agencies. It provides a comprehensive set of tools for digital investigations. |
Input Data Source | Disk images, mobile devices, and memory dumps. |
Operating Systems | Linux |
Supporting Process Model | Complete Process Model |
Links | https://www.caine-live.net/ |
Tool Name | OSForensics |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Commercial |
Tool Description | OSForensics is a digital forensics software that enables investigators to quickly and easily extract and analyze digital evidence from various sources. |
Input Data Source | Disk images, memory dumps, and various file formats. |
Operating Systems | Windows |
Supporting Process Model | Complete Process Model |
Links | https://www.osforensics.com/ |
Tool Name | Stellar Data Recovery Professional |
---|---|
Type of Forensics | Data Recovery, Email Forensics |
Type of License | Commercial |
Tool Description | Stellar Data Recovery Professional is a versatile data recovery tool that can also assist in email forensics. It allows users to recover lost or deleted data from various storage media. |
Input Data Source | Hard drives, SSDs, email archives, etc. |
Operating Systems | Windows, Mac |
Supporting Process Model | Data Recovery and Email Forensics |
Links | https://www.stellarinfo.com/data-recovery-professional.php |
Tool Name | Paladin Forensic Suite |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Open Source (Free) |
Tool Description | Paladin Forensic Suite is a free digital forensic tool that is easy to use and suitable for both beginners and experienced investigators. |
Input Data Source | Disk images, memory dumps, and various file formats. |
Operating Systems | Linux |
Supporting Process Model | Complete Process Model |
Links | https://sumuri.com/software/paladin/ |
Tool Name | HashMyFiles |
---|---|
Type of Forensics | OS Forensics |
Type of License | Free Download |
Tool Description | HashMyFiles is a small utility that calculates the MD5 and SHA1 hashes of one or more files in the system. |
Input Data Source | MD5 and SHA1 hash file list |
Operating Systems | Windows |
Supporting Process Model | Hash files integrity verification process |
Links | https://hashmyfiles.soft112.com/modal-download.html |
Tool Name | Aid4 Mail |
---|---|
Type of Forensics | Mail Forensics |
Type of License | Free Download |
Tool Description | Aid4 Mail forensics tool is used to recover, collect, search, and convert email data reliably and quickly. |
Input Data Source | Email server files, Email client files, Email attachment files. |
Operating Systems | Windows |
Supporting Process Model | Investigation and Analysis |
Links | https://www.aid4mail.com/download-free-trial#s-downloads-block_c11025254a0b837adf84f1361ceb2591 |
Tool Name | MailXaminer |
---|---|
Type of Forensics | Mail Forensics |
Type of License | License |
Tool Description | MailXaminer focuses on examining email data and related artifacts, making it a valuable tool for digital forensic investigators who need to analyze email evidence in various types of investigations. |
Input Data Source | Email Server Files, Email Client Files, Archive Files, and Cloud Email Service Files. |
Operating Systems | Windows |
Supporting Process Model | Email Parsing, Email Search and Filtering, Attachments Analysis, Advanced Searching. |
Links | https://www.mailxaminer.com/download.html |
Tool Name | Email Tracker Pro |
---|---|
Type of Forensics | Mail Forensics |
Type of License | Free Download |
Tool Description | Email Tracker Pro is a software tool for tracking email delivery and recipient actions, such as when an email is opened or clicked. |
Input Data Source | Email Messages, Recipient Email Addresses, Geolocation data. |
Operating Systems | Windows |
Supporting Process Model | Tracking Email Interactions, Email Marketing and Analysis. |
Links | https://www.x64bitdownload.com/download/t-64-bit-emailtrackerpro-download-uvnieocv.html |
Tool Name | Paraben E-Mail Examiner |
---|---|
Type of Forensics | Mail Forensics |
Type of License | Free Download and License |
Tool Description | Paraben’s E-mail Examiner is a handy and reliable application for users to examine various e-mail formats. |
Input Data Source | Desktop E-Mail Application Files, E-Mail Archives, E-Mail Message Files. |
Operating Systems | Windows |
Supporting Process Model | E-Mail Recovery and Analysis, E-Mail Artifact Analysis. |
Links | https://e-mail-examiner.apponic.com/download/ |
Tool Name | Volatility |
---|---|
Type of Forensics | Memory Forensics and Live Forensics |
Type of License | Free Download |
Tool Description | Volatility is a collection of open-source tools specifically designed to analyze volatile memory (RAM) in digital forensics investigations. |
Input Data Source | Dumping Memory (Live System, Hibernation File, Crash Dump Files) |
Operating Systems | Windows, Linux, Mac |
Supporting Process Model | Memory Acquisition, Memory Analysis |
Links | https://www.volatilityfoundation.org/releases |
Tool Name | Windows SCOPE |
---|---|
Type of Forensics | Memory Forensics |
Type of License | License |
Tool Description | Windows SCOPE is an incident response tool that enables memory forensics on Windows computers. |
Input Data Source | Physical Memory Files, System Files, Driver Files |
Operating Systems | Windows |
Supporting Process Model | Complete Process Model |
Links | https://www.windowsscope.com/ |
Tool Name | FotoForensics |
---|---|
Type of Forensics | Software Forensics |
Type of License | Free Download (apk module) |
Tool Description | FotoForensics is a web-based tool that provides image analysis and forensics capabilities for examining digital images to detect potential manipulation or anomalies. |
Input Data Source | Local Files, URLs, Social Media Files, Email Attachments. |
Operating Systems | Windows |
Supporting Process Model | Error Level Analysis, Meta Data Analysis, Clone Detection, Re-sampling Analysis |
Links | https://fotoforensics.com/ |
Tool Name | Forensically |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source Online Tool |
Tool Description | Forensically is a web-based collection of tools that can be used for digital image forensics. |
Input Data Source | Image Files Formats |
Operating Systems | Online Environment |
Supporting Process Model | Verification, Magnifying Functions, Clone Detection, Level Analysis, Noise Analysis |
Links | https://29a.ch/photo-forensics/#forensic-magnifier |
Tool Name | Izitru |
---|---|
Type of Forensics | Software Forensics |
Type of License | Free Download |
Tool Description | Izitru determines the authenticity and integrity of digital images, particularly photographs, to ascertain whether they have been manipulated or altered. |
Input Data Source | Digital images from various sources, including local files, online images, images on social media, etc. |
Operating Systems | iOS |
Supporting Process Model | Image authentication and verification |
Links | https://izitru-ios.soft112.com/ |
Tool Name | AutoProv |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Open Source (GitHub) Python |
Tool Description | AutoProv is a two-phase script for recreating the provenance of a file from several temporal artifacts from digital forensics media. |
Input Data Source | File system, Registry Files, OS metadata, Web browser files, etc. |
Operating Systems | Ubuntu |
Supporting Process Model | Data Gathering and Data Processing |
Links | https://github.com/gilbert-peterson/AutoProv |
Tool Name | NTFSObjectIDParser |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Open Source (Github) C++ / C |
Tool Description | Digital Forensics tool parsing the $ObjId index file and correlating it with the $MFT. |
Input Data Source | Object IDs, Index File, Disk Images |
Operating Systems | Ubuntu |
Supporting Process Model | Complete Process Model |
Links | https://github.com/RuneN007/NTFSObjectIDParser |
Tool Name | NTFSTool |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Open Source (Github) C++/C |
Tool Description | NTFSTool is a forensics tool focused on NTFS volumes. It displays the complete structure of master, volume, and partition table records. |
Input Data Source | Master File Table, Bitlocker Encrypted Volume. |
Operating Systems | Windows, Ubuntu |
Supporting Process Model | Recover Deleted Files, Examine File Attributes, View File System Structure, Recover Data |
Links | https://github.com/thewhiteninja/ntfstool |
Tool Name | Kumodd |
---|---|
Type of Forensics | Network Forensics |
Type of License | Open Source (Github) Python |
Tool Description | Kumodd downloads files and/or generates a CSV file of metadata from a specified Google Drive account in a forensically sound manner. |
Input Data Source | doc, xls, ppt, text, pdf, image, audio, video or other |
Operating Systems | Ubuntu, Windows |
Supporting Process Model | Identification and Verification |
Links | https://github.com/andresebr/kumodd |
Tool Name | WinPmem |
---|---|
Type of Forensics | Memory Forensics |
Type of License | Open Source (Github) C/C++ |
Tool Description | WinPmem has been the default open-source memory acquisition driver for Windows for a long time. |
Input Data Source | WinPmem Executable Files, Kernel Drivers Files, System Information |
Operating Systems | Windows |
Supporting Process Model | Capturing the physical memory of a Windows system. |
Links | https://github.com/google/rekall/tree/master/tools/windows/winpmem |
Tool Name | Heapinfo |
---|---|
Type of Forensics | Memory Forensics |
Type of License | Open Source (Github) Ruby |
Tool Description | Heapinfo provides an abstract overview of the number of arenas, chunks, and sizes. |
Input Data Source | Memory files |
Operating Systems | Windows |
Supporting Process Model | Recover the file systems. |
Links | https://github.com/david942j/heapinfo |
Tool Name | Heapdump |
---|---|
Type of Forensics | Memory Forensics |
Type of License | Open Source (Github) Javascript |
Tool Description | Heapdump is used to dump all allocated and freed chunks to disk in separate files for further analysis. |
Input Data Source | Disk Chunk files, memory allocated files |
Operating Systems | UNIX system |
Supporting Process Model | Dumps all allocated and freed chunks to disk. |
Links | https://github.com/bnoordhuis/node-heapdump |
Tool Name | Sifter |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source (Github) Java |
Tool Description | Sifter is a text string search application for digital forensics investigators. It indexes text from acquired images of digital media (e.g., raw and .E01), including file slack and unallocated space. |
Input Data Source | Digital media image files, Disk Images |
Operating Systems | Windows, Linux |
Supporting Process Model | Examination and Analysis |
Links | https://github.com/jonstewart/Sifter/blob/master/README.md |
Tool Name | OpenLV |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source (Github) Java |
Tool Description | OpenLV is a Java-based graphical forensics tool that creates a virtual machine out of a raw (dd-style) disk image or physical disk. |
Input Data Source | Full disk raw images, Bootable partition raw images, Physical Disks (attached via a USB or Firewire bridge), Specialized and closed image formats |
Operating Systems | Windows, Linux |
Supporting Process Model | Identification and Analysis |
Links | https://github.com/tvidas/OpenLV |
Tool Name | Advanced Automated Disk Investigation Toolkit (AUDIT) |
---|---|
Type of Forensics | Computer Forensics |
Type of License | Open Source |
Tool Description | AUDIT intelligently integrates open-source tools and guides non-IT professionals while requiring minimal technical knowledge about the target disk image's disk structures and file systems. |
Input Data Source | Graphics files, emails, documents, and hidden locations. |
Operating Systems | Windows |
Supporting Process Model | Identification and Analysis of Disk Images. |
Links | https://sourceforge.net/projects/audit-toolkit/ |
Tool Name | AMExtractor |
---|---|
Type of Forensics | Malware Forensics |
Type of License | Open Source (Github) C |
Tool Description | AMExtractor is a tool for acquiring volatile physical memory from various Android devices and supports rootkit detection. |
Input Data Source | Windows Volatile memory files. |
Operating Systems | Windows |
Supporting Process Model | Malware Detection |
Links | https://github.com/ir193/AMExtractor |
Tool Name | DRone Open source Parser (DROP) |
---|---|
Type of Forensics | IoT Forensics |
Type of License | Open Source (Github) Python |
Tool Description | DROP parses proprietary DAT files extracted from a drone's non-volatile internal storage. |
Input Data Source | CSV files |
Operating Systems | Ubuntu |
Supporting Process Model | Extraction of DAT Files |
Links | https://github.com/BiTLab-BaggiliTruthLab/DROP |
Tool Name | Wifimit |
---|---|
Type of Forensics | Network Forensics |
Type of License | Open Source (Github) Python |
Tool Description | The package combines several existing tools and attack strategies to bypass the wireless security mechanisms, such as WEP, WPA, and WPS. The presented tool can be integrated into a solution for automated penetration testing. |
Input Data Source | WPS, WPA, and WEP file formats |
Operating Systems | Linux |
Supporting Process Model | Identification and Testing |
Links | https://github.com/byt3bl33d3r/MITMf |
Tool Name | Bring2lite |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source (Github) Python |
Tool Description | The tool was developed to process SQLite databases with a focus on deleted records. To this end, bring2lite can analyze the structures within the main database, WAL, and journal files. |
Input Data Source | SQL Database files, journal files. |
Operating Systems | Linux |
Supporting Process Model | Identification and Analysis |
Links | https://github.com/bring2lite/bring2lite |
Tool Name | Hooktracer |
---|---|
Type of Forensics | Memory Forensics |
Type of License | Open Source (Github) TypeScript |
Tool Description | The Hooktracer tool is used to perform post-processing of apihooks-generated output in conjunction with our memory analysis algorithms. |
Input Data Source | Network-related memory files (cache files, RAM files, etc.) |
Operating Systems | Linux |
Supporting Process Model | Volatile Memory Analysis |
Links | https://github.com/awendland/npm-install-hook-tracer |
Tool Name | AFF4 evidence container (The Advanced Forensics File Format 4 (AFF4)) |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source (Github) Python |
Tool Description | The Advanced Forensics File Format 4 (AFF4) is an open-source format for storing digital evidence and data. |
Input Data Source | Zip file formats, document files, image files, etc. |
Operating Systems | Linux |
Supporting Process Model | Storage Analysis of Data |
Links | https://github.com/aff4/pyaff4 |
Tool Name | Ptenum |
---|---|
Type of Forensics | Memory Forensics |
Type of License | Open Source (Github) Python |
Tool Description | The Ptenum plugin can detect executable pages despite any intentional (or unintentional) hiding technique. |
Input Data Source | Code formats, memory format files |
Operating Systems | Windows, Linux |
Supporting Process Model | Analysis and Detection |
Links | https://github.com/f-block/DFRWS-USA-2019 |
Tool Name | Vivedump |
---|---|
Type of Forensics | Memory Forensics |
Type of License | Open Source (Github) Plugin |
Tool Description | Used to analyze memory dumps of HTC Vive VR systems and share related datasets. The plugin will output a textual representation of all data. |
Input Data Source | Evidentiary data; a Wavefront OBJ formatted mesh of the VE; 3-dimensional coordinates passed to a Python OpenGL instance |
Operating Systems | Linux |
Supporting Process Model | Analyzing and Acquiring |
Links | https://github.com/BiTLab-BaggiliTruthLab/VR4Sec/tree/master/vive-dump |
Tool Name | Digital Drone Forensics Software |
---|---|
Type of Forensics | IoT Forensics |
Type of License | Open Source (Github) Java |
Tool Description | This tool primarily focuses on analyzing the essential log parameters of drones. |
Input Data Source | Jar files, log files |
Operating Systems | Windows, Linux |
Supporting Process Model | Data Extraction, Data Reconstruction, Metadata analysis, Video Analysis, Image Enhancement |
Links | https://github.com/ankitrlps/DroneForensicsSoftware |
Tool Name | JPEGsnoop |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source (Github) C++/C |
Tool Description | JPEGsnoop is a detailed JPEG image decoder and analysis tool. It reports all image metadata and can even help identify if an image has been edited. |
Input Data Source | JPEG, AVI (MJPG), PSD images, EXIF files. |
Operating Systems | Windows |
Supporting Process Model | Forensics and Technical analysis of images. |
Links | https://github.com/ImpulseAdventure/JPEGsnoop |
Tool Name | Ghiro |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source (Github) Python, HTML |
Tool Description | Ghiro is a fully automated tool designed to run forensics analysis over massive images using a user-friendly and fancy web application. |
Input Data Source | Windows bitmap, Encapsulated PostScript, JPEG File Interchange Format, PNG Files, etc. |
Operating Systems | Windows, Linux |
Supporting Process Model | Image Metadata analysis, Tampering Detection, Hashing, Classification of Images |
Links | https://github.com/Ghirensics/ghiro |
Tool Name | OSF Mount |
---|---|
Type of Forensics | Live Forensics |
Type of License | Free Download |
Tool Description | OSF Mount allows local disk image files to be mounted in Windows as a physical disk or a logical drive letter. |
Input Data Source | Disk Image Files |
Operating Systems | Windows |
Supporting Process Model | Mounting Disk Images, Data Recovery, Write Protection. |
Links | https://www.osforensics.com/tools/mount-disk-images.html |
Tool Name | Magnet RAM |
---|---|
Type of Forensics | Live Forensics |
Type of License | Free Download |
Tool Description | Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory. |
Input Data Source | Volatile Memory (RAM) |
Operating Systems | Windows, Linux |
Supporting Process Model | Identification, Acquisition |
Links | https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/ |
Tool Name | The Sleuth Kit |
---|---|
Type of Forensics | Live Forensics |
Type of License | Free Download (Open Source) |
Tool Description | The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. |
Input Data Source | File System, Disk Images, executable files, etc. |
Operating Systems | Windows, Linux, Mac OS |
Supporting Process Model | System Analysis, File Recovery, Timeline Analysis |
Links | https://www.sleuthkit.org/sleuthkit/desc.php |
Tool Name | OCFA (Open Computer Forensics Architecture) |
---|---|
Type of Forensics | Live Forensics, Computer Forensics |
Type of License | Free Download |
Tool Description | Open Computer Forensics Architecture is an open-source digital forensics framework designed to facilitate acquiring, analyzing, and preserving digital evidence from various sources, including computer systems, storage devices, and digital media. |
Input Data Source | Hard drives, Files System, Network Traffic, etc. |
Operating Systems | Linux |
Supporting Process Model | Acquiring, Processing and Analyzing Digital Evidence |
Links | https://www.toolwar.com/2014/06/ocfa-open-computer-forensics.html |
Tool Name | CAINE (Computer Aided Investigative Environment) |
---|---|
Type of Forensics | Computer Forensics, Static/Live Forensics |
Type of License | Free Download |
Tool Description | CAINE (Computer Aided Investigative Environment) is a Linux-based distribution designed for digital forensics and incident response tasks. |
Input Data Source | disk imaging tools, file system analysis utilities, memory forensics tools, network analysis tools, and reporting tools |
Operating Systems | Linux, Windows |
Supporting Process Model | Identification, Collection, Analysis |
Links | https://www.caine-live.net/ |
Tool Name | The Coroner’s Toolkit |
---|---|
Type of Forensics | Static/Live Forensics |
Type of License | Free Download |
Tool Description | The Coroner's Toolkit (TCT) is a collection of digital forensic tools for analyzing computer systems and performing forensic investigations. |
Input Data Source | Disk Images, Memory Dumps, File Systems, Case Files, etc. |
Operating Systems | Linux |
Supporting Process Model | Identification, Collection, Analysis |
Links | http://www.porcupine.org/forensics/tct.html |
Tool Name | MSc Autopsy Plugins (iSmartalarm, QBee, Arlo, Wink) |
---|---|
Type of Forensics | IoT Forensics |
Type of License | Open Source (GitHub) Python |
Tool Description | This repository is a collection of plugins for Autopsy forensic software and standalone scripts to parse artifacts from iSmartalarm, QBee, Arlo and Wink devices. |
Input Data Source | File Systems, Social Media Files, Data Format Files, E-Mail Files, Digital Media Files |
Operating Systems | Linux |
Supporting Process Model | Identification and Analysis |
Links | https://github.com/fservida/msc_autopsy_plugins |
Tool Name | AndroParse |
---|---|
Type of Forensics | IoT Forensics |
Type of License | Open Source (GitHub) Python |
Tool Description | AndroParse is a tool that can be used in conjunction with Autopsy, specifically designed to extract and analyze data from Android devices during digital forensic investigations. |
Input Data Source | Android APK Files, Android Image Files, Log Files, etc. |
Operating Systems | Linux |
Supporting Process Model | APK Parsing, Manifest Analysis, Static Analysis, Dex File Extraction, Resource Extraction |
Links | https://github.com/rschmicker/AndroParse |
Tool Name | PTK Forensics |
---|---|
Type of Forensics | Static/Live Forensics |
Type of License | Free Download |
Tool Description | PTK Forensics is a computer forensic framework built on the command-line tools of The Sleuth Kit, plus many additional software modules, which makes it practical and easy to investigate a system. PTK Forensics is an alternative advanced framework for the TSK suite. |
Input Data Source | Tools Files Formats, Log Files, Disk Image Files |
Operating Systems | Linux |
Supporting Process Model | Identification, Analysis |
Links | https://ptk-forensics.soft112.com/download.html |
Tool Name | HashKeeper |
---|---|
Type of Forensics | Static Forensics |
Type of License | Free Download |
Tool Description | HashKeeper is a tool often used in digital forensics and computer security. It's designed to capture and analyze information about files and their associated metadata to aid in investigations and to help ensure the integrity of digital evidence. |
Input Data Source | Hash files, Digital Storage Media files, and Data Sources. |
Operating Systems | Windows |
Supporting Process Model | File Hashing, Evidence Integrity, and data collection |
Links | https://coptr.digipres.org/index.php/HashKeeper |
Tool Name | Safeback |
---|---|
Type of Forensics | Static Forensics |
Type of License | Open Source |
Tool Description | SafeBack is a digital forensic tool designed to create a forensic image of a hard drive or storage media while preserving the original data's integrity. |
Input Data Source | Hard Drives, Floppy Disks, USB Drives, Partition and File System Support, etc. |
Operating Systems | Linux |
Supporting Process Model | Disk Imaging, File Recovery, Write Protection |
Links | https://coptr.digipres.org/index.php/SafeBack |
Tool Name | Registry Recon |
---|---|
Type of Forensics | Static Forensics, Computer Forensics |
Type of License | Commercial |
Tool Description | Registry Recon is a tool used for live and static registry analysis. It is designed for computer forensics professionals and provides various features for analyzing Windows registries, identifying suspicious activities, and recovering data. |
Input Data Source | Windows Registry Files, Memory Dumps, Live Systems |
Operating Systems | Windows |
Supporting Process Model | Registry Analysis, Evidence Recovery, Suspicious Activity Detection |
Links | https://www.paraben.com/products/registry-recon-2/ |
Tool Name | The Windows Forensic Toolchest (WFT) |
---|---|
Type of Forensics | Live Forensics |
Type of License | Free Download |
Tool Description | The Windows Forensic Toolchest (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system. |
Input Data Source | Disk Images, Real Time Analysis Data, Windows Based File System formats, Memory Images, Network Capture Files |
Operating Systems | Windows |
Supporting Process Model | Complete Process Model |
Links | http://www.foolmoon.net/security/wft/ |
Tool Name | CMAT (Compile Memory Analysis Tool) |
---|---|
Type of Forensics | Live Forensics, Memory Forensics |
Type of License | Open Source |
Tool Description | The Compile Memory Analysis Tool (CMAT) is a self-contained memory analysis tool that analyzes Windows OS memory (either from a dump or via XenAccess in a Xen VM) and extracts information about the operating system and the running processes. |
Input Data Source | Official Documentation files, Memory Dumps, etc. |
Operating Systems | Windows |
Supporting Process Model | Incident Response Analysis, Malware Analysis |
Links | https://sourceforge.net/projects/cmat/ |
Tool Name | Intella |
---|---|
Type of Forensics | Live Forensics |
Type of License | License |
Tool Description | Intella is a digital forensic search and e-discovery application designed to make the process of searching, collecting, and analyzing electronic data more efficient and effective. |
Input Data Source | Email data, Chat Data, Office files, Image files, etc. |
Operating Systems | Windows |
Supporting Process Model | Search, Collection, Analysis |
Links | https://www.vound-software.com/ |
Tool Name | IRCR (Incident Response Collection Report) |
---|---|
Type of Forensics | Live Forensics |
Type of License | Open Source |
Tool Description | The Incident Response Collection Report is a script to call a collection of tools that gathers and/or analyzes data on a Microsoft Windows system. |
Input Data Source | Initial Incident Report, Network and System Logs, Endpoint Data, etc. |
Operating Systems | Windows |
Supporting Process Model | Identification, Collection, Analysis, Examination |
Links | https://sourceforge.net/projects/ircr/ |
Tool Name | Bulk Extractor |
---|---|
Type of Forensics | Live Forensics, Computer Forensics |
Type of License | Open source (GitHub) C++ |
Tool Description | Bulk extractor is a high-performance digital forensics exploitation tool. It rapidly scans any input and extracts structured information such as email addresses, credit card numbers, JPEGs, and JSON snippets without parsing the file system or file system structures. |
Input Data Source | Disk images, files, directories of files, etc. |
Operating Systems | Amazon Linux, Fedora 36, Ubuntu 20.04 LTS, Mac OS |
Supporting Process Model | Identification, Analysis, Reporting |
Links | https://github.com/simsong/bulk_extractor |
Tool Name | EPRB (Elcomsoft Password Recovery Bundle) |
---|---|
Type of Forensics | Live Forensics |
Type of License | License |
Tool Description | All password recovery tools are in a single value pack. Unlock documents, decrypt archives, and break into encrypted containers with an all-in-one Desktop Forensic Bundle. |
Input Data Source | All versions of Microsoft Office, OpenOffice, NFS Encrypted File System, Windows and macOS passwords, macOS Keychain, ZIP/RAR/RAR5, PDF, BitLocker/PGP/TrueCrypt/VeraCrypt, and many more. |
Operating Systems | Windows, Mac OS |
Supporting Process Model | Advanced Archive Password Recovery, Advanced EFS Data Recovery, Advanced Office Password Recovery, Proactive System Password Recovery |
Links | https://www.elcomsoft.com/edfb.html |
Tool Name | SIFT (SANS Investigative Forensics Tool Kit) |
---|---|
Type of Forensics | Live Forensics |
Type of License | Free Download |
Tool Description | SIFT is a computer forensics distribution created by the SANS Forensics team for performing digital forensics. This distro includes most tools required for digital forensics analysis and incident response examinations. |
Input Data Source | Digital Storage Media Files, Memory Dumps, Network Traffic, File Systems, etc. |
Operating Systems | Ubuntu, Windows |
Supporting Process Model | Identification, Collection, Examination, Analysis. |
Links | Link |
Tool Name | Timeline2GUI |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source (GitHub) Python |
Tool Description | This is a tool to import and view the contents of the Timeline CSV file. The features include filtering the data based on column values, searching for text, saving the data to a CSV file, and highlighting a few rows. |
Input Data Source | File System Data, Registry Data, System Logs, Network Traffic Logs, Memory Files, etc. |
Operating Systems | Linux |
Supporting Process Model | Analysis |
Links | https://github.com/parvathycec/Timeline2GUI/tree/master |
Tool Name | MongoDB Deleted Data Recovery Tool |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source, License |
Tool Description | MongoDB Deleted Data Recovery Tool is widely recognized or provided by MongoDB as an official product or tool for recovering deleted data. |
Input Data Source | Backup Files, Log Files, Data Files, etc. |
Operating Systems | Linux |
Supporting Process Model | Data Recovery Process |
Links | https://github.com/etherfoundry/mongo-data-recovery |
Tool Name | A Forensic Email Analysis Tool Using Dynamic Private/Personal |
---|---|
Type of Forensics | Software Forensics |
Type of License | Open Source |
Tool Description | Email forensic tools exist for analyzing email data in digital investigations; dynamically incorporating private or personal information into that analysis is a more specialized capability. |
Input Data Source | Email files, Attachments files, link files, etc. |
Operating Systems | Windows, Linux |
Supporting Process Model | Header Analysis, Server Investigation, Sender Mail Fingerprints |
Links | https://linuxhint.com/email_forensics_analysis/ |