Digital forensics tools list table

List of Digital Forensic Tools

Digital Forensic Tools

Digital forensic tools support a wide range of operations that enable investigators to securely collect, analyze, and report on the digital evidence found on various devices and networks. The operations supported by these tools can be broadly categorized into several phases:

1.Acquisition

Disk Imaging: Creating an exact copy or snapshot of the storage medium.
Memory Dump: Capturing the contents of RAM.
Network Packet Capture: Collecting the data packets traveling across a network.
Mobile Device Imaging: Extracting data from mobile devices.

2. Preservation

Evidence Protection: Ensuring that the original data is not altered during analysis.
Chain of Custody: Maintaining and documenting the handling and transfer of evidence.
Data Integrity Check: Verifying that data has not been altered using cryptographic checksums.

3. Analysis

File and Disk Analysis: Investigating file systems, deleted files, and disk structures.
Memory Analysis: Investigating the contents of volatile memory (RAM).
Network Analysis:Examining network logs, packet captures, and traffic patterns.
Registry Analysis: Investigating Windows Registry data for potential evidence.
Log Analysis: Reviewing system, application, and security logs.
Malware Analysis: Analyzing malicious software and its activity.
Cloud Analysis: Investigating data stored in cloud services.

4. Examination

Keyword Searching: Locating relevant information using keywords and regular expressions.
Data Carving: Extracting and analyzing data chunks without associated metadata.
Timeline Analysis: Building timelines of user activity.
Steganography Detection: Identifying hidden data within files.
Encryption Detection: Identifying encrypted files and containers.

5. Reporting

Evidence Documentation: Documenting findings and creating audit trails.
Data Visualization: Graphical representation of data and findings.
Case Management: Managing case data, notes, and findings systematically.
Expert Testimony: Providing expert insights and explanations of the findings in a legal context.

6. Legal and Ethical Considerations

Legal Compliance: Ensuring methods and tools comply with relevant laws.
Privacy Considerations: Protecting the privacy of individuals and sensitive data.
Ethical Handling: Ensuring unbiased and ethical handling of data and results.
Digital forensics is a branch of forensic science that involves the recovery, investigation, and analysis of data found in digital devices, often about computer crime. Various tools and software have been developed to assist digital forensics experts in gathering, analyzing, and protecting digital evidence. Different digital forensic tools may specialize in one or more of these operations and may be combined to conduct thorough investigations. The choice of tools and methods often depends on the specifics of the case, the type of data involved, and the legal jurisdiction. Some of the popular digital forensic tools include:

Tool Name	Stellar Data Recovery
Type of Forensics	Computer Forensics
Type of License	Open source and License version
Tool Description	Stellar data recovery is a complete solution to recover lost data from various storage devices, such as desktop and laptop hard drives, external hard drives, memory cards, SSD drivers, SD
Input Data Source	Photo/raw file formats, Video formats, Audio formats, Document formats, Archive formats
Operating Systems	Windows, Mac
Supporting Process Model	Recover the data files. Identification, Acquiring
Links	https://www.stellarinfo.com/windows-data-recovery.php

Tool Name	Forensic Tool Kit Imager (FTK Imager)
Type of Forensics	Computer Forensics and Static Forensic Analysis
Type of License	Open Source (full disk ISO file)
Tool Description	FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool, such as AccessData Forensic Toolkit, is warranted.
Input Data Source	Full disk ISO files, image file formats
Operating Systems	Windows Server 2016, Windows Server 2012, Windows 10, Windows 8.1, Windows 7 (64-bit)
Supporting Process Model	Complete Process Model
Links	https://www.exterro.com/ftk-product-downloads/forensic-toolkit-ftk-version-7-1-0 https://www.exterro.com/ftk-product-downloads/ftk-imager-version-4-7-1

Tool Name	ProDiscover
Type of Forensics	Computer Forensics
Type of License	License
Tool Description	ProDiscover is a powerful computer security tool that enables law enforcement professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings.
Input Data Source	Disk Files
Operating Systems	Windows, Mac, Linux
Supporting Process Model	Complete Process Model
Links	https://prodiscover.com/ https://softwareasli.com/product/prodiscover-forensics/

Tool Name	Autopsy
Type of Forensics	Computer Forensics and OS Forensics
Type of License	Open source
Tool Description	Autopsy is the premier open-source digital forensics platform that is easy to use, fast, and usable in all digital investigations.
Input Data Source	Disk Images, File systems, Partitioned Drives, Logical Files, Network Packet Captures, RAM Dumps, Mobile Device Images, Container Files (zip, rar, etc.), Virtual Machine Images
Operating Systems	Windows, Linux
Supporting Process Model	Complete Process Model
Links	https://www.autopsy.com/download/

Tool Name	Encase
Type of Forensics	Computer Forensics and Static Forensics
Type of License	License
Tool Description	Encase forensic is a digital forensic solution that can collect and preserve critical desktop/mobile evidence from multiple sources, such as text messages, call records, pictures, graphics, and much more.
Input Data Source	Text file formats, Call Records, Picture file formats, Graphics
Operating Systems	Windows
Supporting Process Model	Complete Process Model
Links	https://www.softwareadvice.com.au/software/318942/encase-forensic https://www.opentext.com/products/encase-forensic

Tool Name	Nmap (Network Map)
Type of Forensics	Network Forensics
Type of License	Open source
Tool Description	Nmap tool is used to discover services and hosts on a computer network by analyzing the response of sending packets. It is a free and open-source utility for network discovery and security auditing.
Input Data Source	IP address, Hostname, IP address Range, Hosts from a file, Output files, Port ranges
Operating Systems	Windows, Mac OS, Linux
Supporting Process Model	Network Discovery, Vulnerability Scanning, Network Mapping
Links	https://nmap.org/

Tool Name	Wireshark
Type of Forensics	Network Forensics and Static/Live Forensics
Type of License	Open Source
Tool Description	Wireshark is a powerful network forensics tool that allows you to capture and analyze network traffic.
Input Data Source	Network Interfaces, Capture Files format, PCAP Files
Operating Systems	Windows, Mac OS, Linux
Supporting Process Model	Packet Identification and Analysis
Links	https://www.wireshark.org/

Tool Name	Nessus
Type of Forensics	Network Forensics
Type of License	License
Tool Description	Nessus is primarily known as a vulnerability assessment tool rather than a network forensics tool. It supports scanning operating systems, network devices, next-generation firewalls, hypervisors, etc.
Input Data Source	Network traffic log files, Web applications
Operating Systems	Windows, Mac OS, Linux
Supporting Process Model	Vulnerability Scanning and Assessment
Links	https://www.tenable.com/products/nessus

Tool Name	Snort
Type of Forensics	Network Forensics
Type of License	Open source
Tool Description	Snort is an open-source intrusion detection and prevention system that can be a valuable tool in network forensics.
Input Data Source	Network traffic data, Network Interfaces, Packet Capture Files, Port Spanning, Network Segments
Operating Systems	Windows
Supporting Process Model	Real-time monitoring and analysis of Network traffic.
Links	https://snort.en.lo4d.com/download

Tool Name	Ettercap
Type of Forensics	Network Forensics
Type of License	Open source
Tool Description	Ettercap is an open-source tool that can support man-in-the-middle attacks on networks.
Input Data Source	Network traffic data, Network interfaces, Host files, MiTM Configuration files, Filter Rules
Operating Systems	Windows 7, 8, Linux
Supporting Process Model	Network monitoring and analysis
Links	https://www.ettercap-project.org/downloads.html

Tool Name	Cyber Check Suit
Type of Forensics	Computer Forensics
Type of License	License
Tool Description	Cyber Check Suit is a comprehensive collection of disk forensics tools to acquire digital evidence, analysis, data recovery, and reporting of digital evidence.
Input Data Source	Disk images, Files and folders, pictures, Gallery and Text views, Storage Media Files
Operating Systems	Windows, Linux
Supporting Process Model	Complete Process Model
Links	https://www.secureindia.in/?page_id=780

Tool Name	Belkasoft Evidence Center
Type of Forensics	Computer Forensics, Mobile Forensics, Memory Forensics, Cloud Forensics and Live Forensics
Type of License	License
Tool Description	Belkasoft Evidence Center X Forensic edition is a complete solution for conducting in-depth investigations on all digital media devices and data sources, including computers, mobile devices and the cloud.
Input Data Source	Computer Inputs: - Hard drives - Disk Images - Virtual Machine Files - Browser files, mailbox, documents, images, and videos, etc. Mobile Inputs: - Calls, mailbox, messages - All social media files (WhatsApp, Telegram, etc.) Cloud Inputs: - Google Cloud files (Google Drive, Google My Activity, Google Sync, etc.) - Email files - Huawei - Instagram - Microsoft document files
Operating Systems	Windows, Unix Based System (Linux, Ubuntu), mobile, cloud
Supporting Process Model	Complete Process Model
Links	https://belkasoft.com/x

Tool Name	COFEE (Computer Online Forensic Evidence Extractor)
Type of Forensics	Computer Forensics and Live Forensics
Type of License	License
Tool Description	COFEE is an investigative tool that Microsoft only provides to law enforcement agencies.
Input Data Source	Capturing data from live computer systems, Windows system-related file formats, etc.
Operating Systems	Windows
Supporting Process Model	Complete Process Model
Links	https://www.tutorialjinni.com/cofee-microsoft-forensic-tool-download.html

Tool Name	Digital Forensics Framework (DFF) Plugin
Type of Forensics	Computer Forensics, Software Forensics, Static/Live Forensics
Type of License	Open Source Github (Python / C++)
Tool Description	DFF is an open-source digital forensics tool that aims to provide a comprehensive platform for digital investigations. It offers a wide range of features and capabilities for various stages of the digital forensics process.
Input Data Source	Hard drives, SSD drives, Memory Dumps, Mobile data files, Internet history, Chat logs, etc.
Operating Systems	Windows, Linux, Mac
Supporting Process Model	Complete Process Model
Links	https://toolswatch.org/2011/03/dff-digital-forensics-framework-v1-0-0-released/

Tool Name	Forensic Explorer
Type of Forensics	Computer Forensics
Type of License	Open Source
Tool Description	Forensic Explorer is a commercial digital forensics software tool. It is designed to assist digital forensic investigators in various stages of the digital forensic process.
Input Data Source	File list, Disk Images, Gallery, Display, Hash Files, Exported Files Formats, etc.
Operating Systems	Windows 7 and 8 (32-bit)
Supporting Process Model	Complete Process Model
Links	https://getdataforensics.com/product/forensic-explorer-fex/

Tool Name	X-Ways Forensics
Type of Forensics	Computer Forensics
Type of License	License
Tool Description	X-Ways Forensics is a computer forensics tool designed to allow an investigator to capture the digital evidence while maintaining the integrity of the data. It provides a wide range of features for disk and data analysis.
Input Data Source	Disk images, physical disks, network drives, archives, etc.
Operating Systems	Windows
Supporting Process Model	Complete Process Model
Links	https://www.x-ways.net/winhex/

Tool Name	Digital Forensics Framework (DFF) Plugin
Type of Forensics	Computer Forensics, Software Forensics, Static/Live Forensics
Type of License	Open Source Github (Python / C++)
Tool Description	DFF is an open-source digital forensics tool that aims to provide a comprehensive platform for digital investigations. It offers a wide range of features and capabilities for various stages of the digital forensics process.
Input Data Source	Hard drives, SSD drives, Memory Dumps, Mobile data files, Internet history, Chat logs, etc.
Operating Systems	Windows, Linux, Mac
Supporting Process Model	Complete Process Model
Links	https://toolswatch.org/2011/03/dff-digital-forensics-framework-v1-0-0-released/

Tool Name	Magnet AXIOM
Type of Forensics	Computer Forensics, Mobile Forensics
Type of License	Commercial
Tool Description	Magnet AXIOM is a comprehensive digital forensics solution that can be used in both criminal and corporate investigations. It supports investigations involving computer, mobile, and cloud data.
Input Data Source	Disk images, mobile backups, cloud data, etc.
Operating Systems	Windows, macOS
Supporting Process Model	Complete Process Model
Links	https://www.magnetforensics.com/

Tool Name	CAINE (Computer Aided INvestigative Environment)
Type of Forensics	Computer Forensics
Type of License	Open Source
Tool Description	CAINE (Computer Aided INvestigative Environment) is an open-source digital forensics platform designed for law enforcement agencies. It provides a comprehensive set of tools for digital investigations.
Input Data Source	Disk images, mobile devices, and memory dumps.
Operating Systems	Linux
Supporting Process Model	Complete Process Model
Links	https://www.caine-live.net/

Tool Name	OSForensics
Type of Forensics	Computer Forensics
Type of License	Commercial
Tool Description	OSForensics is a digital forensics software that enables investigators to quickly and easily extract and analyze digital evidence from various sources.
Input Data Source	Disk images, memory dumps, and various file formats.
Operating Systems	Windows
Supporting Process Model	Complete Process Model
Links	https://www.osforensics.com/

Tool Name	Stellar Data Recovery Professional
Type of Forensics	Data Recovery, Email Forensics
Type of License	Commercial
Tool Description	Stellar Data Recovery Professional is a versatile data recovery tool that can also assist in email forensics. It allows users to recover lost or deleted data from various storage media.
Input Data Source	Hard drives, SSDs, email archives, etc.
Operating Systems	Windows, Mac
Supporting Process Model	Data Recovery and Email Forensics
Links	https://www.stellarinfo.com/data-recovery-professional.php

Tool Name	Paladin Forensic Suite
Type of Forensics	Computer Forensics
Type of License	Open Source (Free)
Tool Description	Paladin Forensic Suite is a free digital forensic tool that is easy to use and suitable for both beginners and experienced investigators.
Input Data Source	Disk images, memory dumps, and various file formats.
Operating Systems	Linux
Supporting Process Model	Complete Process Model
Links	https://sumuri.com/software/paladin/

Tool Name	HashMyFiles
Type of Forensics	OS Forensics
Type of License	Free Download
Tool Description	HashMyFiles is a small utility that calculates the MD5 and SHA1 hashes of one or more files in the system.
Input Data Source	MD5 and SHA1 hash file list
Operating Systems	Windows
Supporting Process Model	Hash files integrity verification process
Links	https://hashmyfiles.soft112.com/modal-download.html

Tool Name	Aid4 Mail
Type of Forensics	Mail Forensics
Type of License	Free Download
Tool Description	Aid4 Mail forensics tool is used to recover, collect, search, and convert email data reliably and quickly.
Input Data Source	Email server files, Email client files, Email attachment files.
Operating Systems	Windows
Supporting Process Model	Investigation and Analysis
Links	https://www.aid4mail.com/download-free-trial#s-downloads-block_c11025254a0b837adf84f1361ceb2591

Tool Name	MailXaminer
Type of Forensics	Mail Forensics
Type of License	License
Tool Description	MailExaminer tool focuses on examining email data and related artifacts, making it a valuable tool for digital forensic investigators who need to analyze email evidence in various types of investigations.
Input Data Source	Email Server Files, Email Client Files, Archive Files, and Cloud Email Service Files.
Operating Systems	Windows
Supporting Process Model	Email Parsing, Email Search and Filtering, Attachments Analysis, Advanced Searching.
Links	https://www.mailxaminer.com/download.html

Tool Name	Email Tracker Pro
Type of Forensics	Mail Forensics
Type of License	Free Download
Tool Description	Email Tracker Pro is a software tool for tracking email delivery and recipient actions, such as when an email is opened or clicked.
Input Data Source	Email Messages, Recipient Email Addresses, Geolocation data.
Operating Systems	Windows
Supporting Process Model	Tracking Email Interactions, Email Marketing and Analysis.
Links	https://www.x64bitdownload.com/download/t-64-bit-emailtrackerpro-download-uvnieocv.html

Tool Name	Paraben E-Mail Examiner
Type of Forensics	Mail Forensics
Type of License	Free Download and License
Tool Description	Paraben’s E-mail Examiner is a handy and reliable application for users to examine various e-mail formats.
Import Data Source	Desktop E-Mail Application Files, E-Mail Archives, E-Mail Message Files.
Operating Systems	Windows
Supporting Process Model	E-Mail Recovery and Analysis, E-Mail Artifact Analysis.
Links	https://e-mail-examiner.apponic.com/download/

Tool Name	Volatility
Type of Forensics	Memory Forensics and Live Forensics
Type of License	Free Download
Tool Description	Volatility is a collection of open-source tools specifically designed to analyze volatile memory (RAM) in digital forensics investigations.
Input Data Source	Dumping Memory (Live System, Hibernation File, Crash Dump Files)
Operating Systems	Windows, Linux, Mac
Supporting Process Model	Memory Acquisition, Memory Analysis
Links	https://www.volatilityfoundation.org/releases

Tool Name	Windows SCOPE
Type of Forensics	Memory Forensics
Type of License	License
Tool Description	Windows SCOPE is an incident response tool that enables memory Forensics for Windows computers.
Input Data Source	Physical Memory Files, System Files, Driver Files
Operating Systems	Windows
Supporting Process Model	Complete Process Model
Links	https://www.windowsscope.com/

Tool Name	FotoForensics
Type of Forensics	Software Forensics
Type of License	Free Download (apk module)
Tool Description	FotoForensics is a web-based tool that provides image analysis and forensics capabilities for examining digital images to detect potential manipulation or anomalies.
Import Data Source	Local Files, URLs, Social Media Files, Email Attachments.
Operating Systems	Windows
Supporting Process Model	Error Level Analysis, Meta Data Analysis, Clone Detection, Re-sampling Analysis
Links	https://fotoforensics.com/

Tool Name	Forensically
Type of Forensics	Software Forensics
Type of License	Open Source Online Tool
Tool Description	Forensically is a web-based collection of tools that can be used for digital image forensics.
Input Data Source	Image Files Formats
Operating Systems	Online Environment
Supporting Process Model	Verification, Magnifying Functions, Clone Detection, Level Analysis, Noise Analysis
Links	https://29a.ch/photo-forensics/#forensic-magnifier

Tool Name	Izitru
Type of Forensics	Software Forensics
Type of License	Free Download
Tool Description	Izitru determines the authenticity and integrity of digital images, particularly photographs, to ascertain whether they have been manipulated or altered.
Input Data Source	Digital images from various sources include local files, online images, images on social media, etc.
Operating Systems	iOS
Supporting Process Model	Image authentication and verification
Links	https://izitru-ios.soft112.com/

Tool Name	AutoProv
Type of Forensics	Computer Forensics
Type of License	Open Source (GitHub) Python
Tool Description	AutoProv is a two-phase script for recreating the provenance of a file from several temporal artifacts from digital forensics media.
Input Data Source	File system, Registry Files, OS metadata, Web browser files, etc.
Operating Systems	Ubuntu
Supporting Process Model	Data Gathering and Data Processing
Links	https://github.com/gilbert-peterson/AutoProv

Tool Name	NTFSObjectIDParser
Type of Forensics	Computer Forensics
Type of License	Open Source (Github) C++ / C
Tool Description	Digital Forensics tool parsing the $ObjId index file and correlating it with the $MFT.
Input Data Source	Object IDs, Index File, Disk Images
Operating Systems	Ubuntu
Supporting Process Model	Complete Process Model
Links	https://github.com/RuneN007/NTFSObjectIDParser

Tool Name	NTFSTool
Type of Forensics	Computer Forensics
Type of License	Open Source (Github) C++/C
Tool Description	NTFSTool is a forensics tool focused on NTFS volumes. It displays the complete structure of master, volume, and partition table records.
Input Data Source	Master File Table, Bitlocker Encrypted Volume.
Operating Systems	Windows, Ubuntu
Supporting Process Model	Recover Deleted Files, Examine File Attributes, View File System Structure, Recover Data
Links	https://github.com/thewhiteninja/ntfstool

Tool Name	Kumodd
Type of Forensics	Network Forensics
Type of License	Open Source (Github) Python
Tool Description	Kumodd downloads files and/or generates a CSV file of metadata from a specified Google Drive account in a forensically sound manner.
Input Data Source	doc, xls, ppt, text, pdf, image, audio, video or other
Operating Systems	Ubuntu, Windows
Supporting Process Model	Identification and Verification
Links	https://github.com/andresebr/kumodd

Tool Name	WinPmem
Type of Forensics	Memory Forensics
Type of License	Open Source (Github) C/C++
Tool Description	WinPmem has been the default open-source memory acquisition driver for Windows for a long time.
Input Data Source	WinPmem Executable Files, Kernel Drivers Files, System Information
Operating Systems	Windows
Supporting Process Model	Capturing the physical memory of a Windows system.
Links	https://github.com/google/rekall/tree/master/tools/windows/winpmem

Tool Name	Heapinfo
Type of Forensics	Memory Forensics
Type of License	Open Source (Github) Ruby
Tool Description	Heapinfo provides an abstract overview of the number of arenas, chunks, and sizes.
Input Data Source	Memory files
Operating Systems	Windows
Supporting Process Model	Recover the file systems.
Links	https://github.com/david942j/heapinfo

Tool Name	Heapdump
Type of Forensics	Memory Forensics
Type of License	Open Source (Github) Javascript
Tool Description	Heapdump is used to dump all allocated and freed chunks to disk in separate files for further analysis.
Input Data Source	Disk Chunk files, memory allocated files
Operating Systems	UNIX system
Supporting Process Model	Dumps all allocated and freed chunks to disk.
Links	https://github.com/bnoordhuis/node-heapdump

Tool Name	Sifter
Type of Forensics	Software Forensics
Type of License	Open Source (Github) Java
Tool Description	Sifter is a text string search application for digital forensics investigators. It indexes text from acquired images of digital media (e.g., raw and .E01), including file slack and unallocated space.
Input Data Source	Digital media image files, Disk Images
Operating Systems	Windows, Linux
Supporting Process Model	Examination and Analysis
Links	https://github.com/jonstewart/Sifter/blob/master/README.md

Tool Name	OpenLV
Type of Forensics	Software Forensics
Type of License	Open Source (Github) Java
Tool Description	OpenLV is a Java-based graphical forensics tool that creates a virtual machine out of a raw (dd-style) disk image or physical disk.
Input Data Source	Full disk raw images, Bootable partition raw images, Physical Disks (attached via a USB or Firewire bridge), Specialized and closed image formats
Operating Systems	Windows, Linux
Supporting Process Model	Identification and Analysis
Links	https://github.com/tvidas/OpenLV

Tool Name	Advanced Automated Disk Investigation Toolkit (AUDIT)
Type of Forensics	Computer Forensics
Type of License	Open Source
Tool Description	AUDIT intelligently integrates open-source tools and guides non-IT professionals while requiring minimal technical knowledge about the target disk image's disk structures and file systems.
Input Data Source	Graphics files, emails, documents, and hidden locations.
Operating Systems	Windows
Supporting Process Model	Identification and Analysis of Disk Images.
Links	https://sourceforge.net/projects/audit-toolkit/

Tool Name	AMExtractor
Type of Forensics	Malware Forensics
Type of License	Open Source (Github) C
Tool Description	AMExtractor is a tool for acquiring volatile physical memory from various Android devices and supports rootkit detection.
Input Data Source	Windows Volatile memory files.
Operating Systems	Windows
Supporting Process Model	Malware Detection
Links	https://github.com/ir193/AMExtractor

Tool Name	DRone Open source Parser (DROP)
Type of Forensics	IoT Forensics
Type of License	Open Source (Github) Python
Tool Description	DROP tool is used to Parses proprietary DAT files extracted from the drone's nonvolatile internal storage.
Input Data Source	CSV files
Operating Systems	Ubuntu
Supporting Process Model	Extraction of DAT Files
Links	https://github.com/BiTLab-BaggiliTruthLab/DROP

Tool Name	Forensic Evidence Acquisition and Analysis System (FEAAS)
Type of Forensics	IoT Forensics
Type of License	Open Source (GitHub) Python
Tool Description	FEAAS consolidates evidentiary data into a readable report that can infer user events (like entering or leaving home) and what triggered an event (whether it was the Google Assistant through a voice command or the use of an iPhone application).
Input Data Source	Nest Mobile App datas, Google Home Mini Mobile App data
Operating Systems	Linux
Supporting Process Model	Complete Process Model
Links

Tool Name	Wifimit
Type of Forensics	Network Forensics
Type of License	Open Source (Github) Python
Tool Description	The package combines several existing tools and attack strategies to bypass the wireless security mechanisms, such as WEP, WPA, and WPS. The presented tool can be integrated into a solution for automated penetration testing.
Input Data Source	WPS, WPA, and WEP file formats
Operating Systems	Linux
Supporting Process Model	Identification and Testing
Links	https://github.com/byt3bl33d3r/MITMf

Tool Name	Bring2lite
Type of Forensics	Software Forensics
Type of License	Open Source (Github) Python
Tool Description	The tool was developed to process SQLite databases in respect of deleted records. Therefore, bring2lite can analyze the structures within the main database, WAL, and journal files.
Input Data Source	SQL Database files, journal files.
Operating Systems	Linux
Supporting Process Model	Identification and Analysis
Links	https://github.com/bring2lite/bring2lite

Tool Name	Hooktracer
Type of Forensics	Memory Forensics
Type of License	Open Source (Github) TypeScript
Tool Description	The Hooktracer tool is used to perform post-processing of apihooks-generated output in conjunction with our memory analysis algorithms.
Input Data Source	Network-related memory files (cache files, RAM files, etc.)
Operating Systems	Linux
Supporting Process Model	Volatile Memory Analysis
Links	https://github.com/awendland/npm-install-hook-tracer

Tool Name	AFF4 evidence container (The Advanced Forensics File Format 4 (AFF4))
Type of Forensics	Software Forensics
Type of License	Open Source (Github) Python
Tool Description	The Advanced Forensics File Format 4 (AFF4) is an open-source format for storing digital evidence and data.
Input Data Source	Zip file formats, document files, image files, etc.
Operating Systems	Linux
Supporting Process Model	Storage Analysis of Data
Links	https://github.com/aff4/pyaff4

Tool Name	Ptenum
Type of Forensics	Memory Forensics
Type of License	Open Source (Github) Python
Tool Description	The Ptenum plugin can detect executable pages despite any intentional (or unintentional) hiding technique.
Input Data Source	Code formats, memory format files
Operating Systems	Windows, Linux
Supporting Process Model	Analysis and Detection
Links	https://github.com/f-block/DFRWS-USA-2019

Tool Name	Vivedump
Type of Forensics	Memory Forensics
Type of License	Open Source (Github) Plugin
Tool Description	Used to analyze memory dumps of HTC Vive VR systems and share related datasets. The plugin will output a textual representation of all data.
Input Data Source	Evidentiary data, a wavefront obj formatted mesh of the VE, and pass the 3-dimensional coordinates to a Python OpenGL instance
Operating Systems	Linux
Supporting Process Model	Analyzing and Acquiring
Links	https://github.com/BiTLab-BaggiliTruthLab/VR4Sec/tree/master/vive-dump

Tool Name	Digital Drone Forensics Software
Type of Forensics	IoT Forensics
Type of License	Open Source (Github) Java
Tool Description	This tool primarily focuses on analyzing the essential log parameters of drones.
Input Data Source	Jar files, log files
Operating Systems	Windows, Linux
Supporting Process Model	Data Extraction, Data Reconstruction, Metadata analysis, Video Analysis, Image Enhancement
Links	https://github.com/ankitrlps/DroneForensicsSoftware

Tool Name	JPEGsnoop
Type of Forensics	Software Forensics
Type of License	Open Source (Github) C++/C
Tool Description	JPEGsnoop is a detailed JPEG image decoder and analysis tool. It reports all image metadata and can even help identify if an image has been edited.
Input Data Source	JPEG, AVI (MJPG), PSD images, EXIF files.
Operating Systems	Windows
Supporting Process Model	Forensics and Technical analysis of images.
Links	https://github.com/ImpulseAdventure/JPEGsnoop

Tool Name	Ghiro
Type of Forensics	Software Forensics
Type of License	Open Source (Github) Python, HTML
Tool Description	Ghiro is a fully automated tool designed to run forensics analysis over massive images using a user-friendly and fancy web application.
Input Data Source	Windows bitmap, Encapsulated PostScript, JPEG File Interchange Format, PNG Files, etc.
Operating Systems	Windows, Linux
Supporting Process Model	Image Metadata analysis, Tampering Detection, Hashing, Classification of Images
Links	https://github.com/Ghirensics/ghiro

Tool Name	OSF Mount
Type of Forensics	Live Forensics
Type of License	Free Download
Tool Description	OSF Mount tool is used to allow mount local disk image files in Windows as a physical disk or a logical drive letter.
Input Data Source	Disk Image Files
Operating Systems	Windows
Supporting Process Model	Mounting Disk Images, Data Recovery, Write Protection.
Links	https://www.osforensics.com/tools/mount-disk-images.html

Tool Name	Magnet RAM
Type of Forensics	Live Forensics
Type of License	Free Download
Tool Description	Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.
Input Data Source	Volatile Memory (RAM)
Operating Systems	Windows, Linux
Supporting Process Model	Identification, Acquisition
Links	https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/

Tool Name	The Sleuth Kit
Type of Forensics	Live Forensics
Type of License	Free Download (Open Source)
Tool Description	The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them.
Input Data Source	File System, Disk Images, executable files, etc.
Operating Systems	Windows, Linux, Mac OS
Supporting Process Model	System Analysis, File Recovery, Timeline Analysis
Links	https://www.sleuthkit.org/sleuthkit/desc.php

Tool Name	OCFA (Open Computer Forensics Architecture)
Type of Forensics	Live Forensics, Computer Forensics
Type of License	Free Download
Tool Description	Open Computer Forensics Architecture is an open-source digital forensics framework designed to facilitate acquiring, analyzing, and preserving digital evidence from various sources, including computer systems, storage devices, and digital media.
Input Data Source	Hard drives, Files System, Network Traffic, etc.
Operating Systems	Linux
Supporting Process Model	Acquiring, Processing and Analyzing Digital Evidence
Links	https://www.toolwar.com/2014/06/ocfa-open-computer-forensics.html

Tool Name	CAINE (Computer Aided Investigative Environment)
Type of Forensics	Computer Forensics, Static/Live Forensics
Type of License	Free Download
Product Description	CAINE (Computer Aided Investigative Environment) is a Linux-based distribution designed for digital forensics and incident response tasks.
Input Data Source	disk imaging tools, file system analysis utilities, memory forensics tools, network analysis tools, and reporting tools
Operating Systems	Linux, Windows
Supporting Process Model	Identification, Collection, Analysis
Links	https://www.caine-live.net/

Tool Name	The Coroner’s Toolkit
Type of Forensics	Static/Live Forensics
Type of License	Free Download
Tool Description	The Coroner's Toolkit (TCT) is a collection of digital forensic tools for analyzing computer systems and performing forensic investigations.
Input Data Source	Disk Images, Memory Dumps, File Systems, Case Files, etc.
Operating Systems	Linux
Supporting Process Model	Identification, Collection, Analysis
Links	http://www.porcupine.org/forensics/tct.html

Tool Name	MSc Autopsy Plugins (iSmartalarm, QBee, Arlo, Wink)
Type of Forensics	IoT Forensics
Type of License	Open Source (github) Python
Tool Description	This repository is a collection of plugins for Autopsy forensic software and standalone scripts to parse artifacts from iSmartalarm, QBee, Arlo and Wink devices.
Input Data Source	File Systems, Social Media Files, Data Format Files, E-Mail Files, Digital Media Files
Operating Systems	Linux
Supporting Process Model	Identification and Analysis
Links	https://github.com/fservida/msc_autopsy_plugins

Tool Name	AndroParse
Type of Forensics	IoT Forensics
Type of License	Open Source (Github) Python
Tool Description	AndroParse is a tool that can be used in conjunction with Autopsy, specifically designed to extract and analyze data from Android devices during digital forensic investigations.
Input Data Source	Android APK Files, Android Image Files, Log Files, etc.
Operating Systems	Linux
Supporting Process Model	APK Parsing, Manifest Analysis, Static Analysis, Dex File Extraction, Resource Extraction
Links	https://github.com/rschmicker/AndroParse

Tool Name	PTK Forensics
Type of Forensics	Static/Live Forensics
Type of License	Free Download
Tool Description	PTK forensics is a computer forensic framework for the command line tools in the SleuthKit, plus many more software modules. This makes it usable and easy to investigate a system. PTK forensics is an alternative advanced framework for the TSK suite.
Input Data Source	Tools Files Formats, Log Files, Disk Image Files
Operating Systems	Linux
Supporting Process Model	Identification, Analysis
Links	https://ptk-forensics.soft112.com/download.html

Tool Name	HashKeeper
Type of Forensics	Static Forensics
Type of License	Free Download
Tool Description	HashKeeper is a tool often used in digital forensics and computer security. It's designed to capture and analyze information about files and their associated metadata to aid in investigations and to help ensure the integrity of digital evidence.
Input Data Source	Hash files, Digital Storage Media files, and Data Sources.
Operating Systems	Windows
Supporting Process Model	File Hashing, Evidence Integrity, and data collection
Links	https://coptr.digipres.org/index.php/HashKeeper

Tool Name	Safeback
Type of Forensics	Static Forensics
Type of License	Open Source
Tool Description	SafeBack is a digital forensic tool designed to create a forensic image of a hard drive or storage media while preserving the original data's integrity.
Input Data Source	Hard Drives, Floppy Disks, USB Drives, Partition and File System Support, etc.
Operating Systems	Linux
Supporting Process Model	Disk Imaging, File Recovery, Write Protection
Links	https://coptr.digipres.org/index.php/SafeBack

Tool Name	Registry Recon
Type of Forensics	Static Forensics, Computer Forensics
Type of License	Commercial
Tool Description	Registry Recon is a tool used for live and static registry analysis. It is designed for computer forensics professionals and provides various features for analyzing Windows registries, identifying suspicious activities, and recovering data.
Input Data Source	Windows Registry Files, Memory Dumps, Live Systems
Operating Systems	Windows
Supporting Process Model	Registry Analysis, Evidence Recovery, Suspicious Activity Detection
Links	https://www.paraben.com/products/registry-recon-2/

Tool Name	The Windows Forensic Toolchest (WFT)
Type of Forensics	Live Forensics
Type of License	Free Download
Tool Description	The Windows Forensic Toolchest (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system.
Input Data Source	Disk Images, Real Time Analysis Data, Windows Based File System formats, Memory Images, Network Capture Files
Operating Systems	Windows
Supporting Process Model	Complete Process Model
Links	http://www.foolmoon.net/security/wft/#:~:text=WFT%20is%20essentially%20a%20forensically,confirm%20computer%20misuse%20or%20configuration.

Tool Name	CMAT (Compile Memory Analysis Tool)
Type of Forensics	Live Forensics, Memory Forensics
Type of License	Open Source
Tool Description	The Compile Memory Analysis Tool (CMAT) is a self-contained memory analysis tool that analyzes a Windows O/S memory (either in a dump or via XenAccess in a Xen VM) and extracts information about the operating system and the running processes.
Input Data Source	Official Documentation files, Memory Dumps, etc.
Operating Systems	Windows
Supporting Process Model	Incident Response Analysis, Malware Analysis
Links	https://sourceforge.net/projects/cmat/

Tool Name	Intella
Type of Forensics	Live Forensics
Type of License	License
Tool Description	Intella is a digital forensic search and e-discovery application designed to make the process of searching, collecting, and analyzing electronic data more efficient and effective.
Input Data Source	Email data, Chat Data, Office files, Image files, etc.
Operating Systems	Windows
Supporting Process Model	Search, Collection, Analysis
Links	https://www.vound-software.com/

Tool Name	IRCR (Incident Response Collection Report)
Type of Forensics	Live Forensics
Type of License	Open Source
Tool Description	The Incident Response Collection Report is a script to call a collection of tools that gathers and/or analyzes data on a Microsoft Windows system.
Input Data Source	Initial Incident Report, Network and System Logs, Endpoint Data, etc.
Operating Systems	Windows
Supporting Process Model	Identification, Collection, Analysis Examination.
Links	https://sourceforge.net/projects/ircr/

Tool Name	Bulk Extractor
Type of Forensics	Live Forensics, Computer Forensics
Type of License	Open source (GitHub) C++
Tool Description	Bulk extractor is a high-performance digital forensics exploitation tool. It rapidly scans any input and extracts structured information such as email addresses, credit card numbers, JPEGs, and JSON snippets without parsing the file system or file system structures.
Input Data Source	Disk images, files, directories of files, etc.
Operating Systems	Amazon Linux, Fedora 36, Ubuntu 20.04LTS, MAC OS
Supporting Process Model	Identification, Analysis, Reporting
Links	https://github.com/simsong/bulk_extractor

Tool Name	EPRB (Elcomsoft Password Recovery Bundle)
Type of Forensics	Live Forensics
Type of License	License
Tool Description	All password recovery tools are in a single value pack. Unlock documents, decrypt archives, and break into encrypted containers with an all-in-one Desktop Forensic Bundle.
Input Data Source	All versions of Microsoft Office, OpenOffice, NFS Encrypted File System, Windows and macOS passwords, macOS Keychain, ZIP/RAR/RAR5, PDF, BitLocker/PGP/TrueCrypt/VeraCrypt, and many more.
Operating Systems	Windows, Mac OS
Supporting Process Model	Advanced Archive Password Recovery, Advanced EFS Data Recovery, Advanced Office Password Recovery, Proactive System Password Recovery
Links	https://www.elcomsoft.com/edfb.html

Tool Name	SAFT (SANS Investigative Forensics Tool Kit)
Type of Forensics	Live Forensics
Type of License	Free Download
Tool Description	SIFT is a computer forensics distribution created by the SANS Forensics team for performing digital forensics. This distro includes most tools required for digital forensics analysis and incident response examinations.
Input Data Source	Digital Storage Media Files, Memory Dumps, Network Traffic, File Systems, etc.
Operating Systems	Ubuntu, Windows
Supporting Process Model	Identification, Collection, Examination, Analysis.
Links	Link

Tool Name	Timeline2GUI
Type of Forensics	Software Forensics
Type of License	Open Source (GitHub) Python
Tool Description	This is a tool to import and view the contents of the Timeline CSV file. The features include filtering the data based on column values, searching for text, saving the data to a CSV file, and highlighting a few rows.
Input Data Source	File System Data, Registry Data, System Logs, Network Traffic Logs, Memory Files, etc.
Operating Systems	Linux
Supporting Process Model	Analysis
Links	https://github.com/parvathycec/Timeline2GUI/tree/master

Tool Name	MongoDB Deleted Data Recovery Tool
Type of Forensics	Software Forensics
Type of License	Open Source, License
Tool Description	MongoDB Deleted Data Recovery Tool is widely recognized or provided by MongoDB as an official product or tool for recovering deleted data.
Input Data Source	Backup Files, Log Files, Data Files, etc.
Operating Systems	Linux
Supporting Process Model	Data Recovery Process
Links	https://github.com/etherfoundry/mongo-data-recovery

Tool Name	A Forensic Email Analysis Tool Using Dynamic Private/Personal
Type of Forensics	Software Forensics
Type of License	Open Source
Tool Description	Email forensic tools exist for analyzing email data in digital investigations; dynamically incorporating private or personal information is more specialized.
Input Data Source	Email files, Attachments files, link files, etc.
Operating Systems	Windows, Linux
Supporting Process Model	Header Analysis, Server Investigation, Sender Mail Fingerprints
Links	https://linuxhint.com/email_forensics_analysis/

Office Address

Social List

List of Digital Forensic Tools

Digital Forensic Tools

1.Acquisition

2. Preservation

3. Analysis

4. Examination

5. Reporting

6. Legal and Ethical Considerations

S-Logix (OPC) Private Limited