This is a list of over 140 free tools.
Disk tools and data capture

| Name | From | Description |
|---|---|---|
| | MoonSols | Generates physical memory dump of Windows machines, 32 and 64 bit. Can run from a USB flash drive. |
| | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link] |
| | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
| | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier) |
| | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
| | Web Content Protection Association | Browser designed to forensically capture web pages |
| | AccessData | Imaging tool, disk viewer and image mounter |
| | vogu00 | Multi-threaded GUI imager running under Linux |
| | Belkasoft | Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds |
| | Hjelmvik | Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing |
| | Nmap | Utility for network discovery and security auditing |
| | Magnet Forensics | Captures physical memory of a suspect’s computer. Windows XP to Windows 10, and 2003, 2008, 2012. 32 & 64 bit |
| | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones. |
| | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks |
| | Wireshark | Network protocol capture and analysis |
| | Microsoft | Creates Virtual Hard Disk versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V VMs |
Email analysis

| Name | From | Description |
|---|---|---|
| | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server |
| | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files |
| | SysTools | View MBOX emails and attachments |
| | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server |
| | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |
General

| Name | From | Description |
|---|---|---|
| | Mythicsoft | Search multiple files using Boolean operators and Perl Regex |
| | NIST | Collated forensic images for training, practice and validation |
| | Nuix | Copies data between locations, with file comparison, verification, logging |
| | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc. |
| | Gary Kessler | Table of file signatures |
| | Peter Fiskerstrand | Identifies over 1000 file types by examining their signatures |
| | Nirsoft | Calculate MD5 and SHA1 hashes |
| | Mobatek | Run Linux live CDs from their ISO image without having to boot to them |
| | Arkane Systems | Automatically moves mouse pointer, stopping screen saver, hibernation etc. |
| | Notepad++ | Advanced Notepad replacement |
| | NIST | Hash sets of ‘known’ (ignorable) files |
| | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files |
| | DSi | Enables software write-blocking of USB ports |
| | Sécurité Multi-Secteurs | Software write blocker for Windows XP through to Windows 8 |
| | FH Aachen | Application that simplifies the use of the Volatility Framework |
| | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD |
File and data analysis

| Name | From | Description |
|---|---|---|
| | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files |
| | David Kovar | Parses the MFT from an NTFS file system, allowing results to be analysed with other tools |
| | Evolka | PCAP viewer |
| | CrowdStrike | Windows console application to aid gathering of system information for incident response and security engagements. |
| | CrowdStrike | Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce an “at-a-glance” state of the system |
| | Digital Detective | Converts various data types to date/time values |
| | Various | Detects full and partial multimedia files in unallocated space |
| | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc. |
| | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file |
| | Phil Harvey | Read, write and edit Exif data in a large number of file types |
| | Toolsley.com | Drag and drop web-browser JavaScript tool for identification of over 2000 file types |
| | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
| | Alessandro Tanasi | In-depth analysis of image (picture) files |
| | Mandiant | Examine log files using text, graphic or histogram views |
| | 4Discovery | Recursively parses folders, extracting 30+ attributes from Windows .lnk (shortcut) files |
| | Nirsoft | View and export Windows Live Messenger contact details |
| | AppliedAlgo | |
| | EMC | Network packet capture and analysis |
| | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems |
| | 4Discovery | Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files |
| | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
| | Mike’s Forensic Tools | Lists EXIF and, where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format |
| | Microsoft | Suite of command-line Windows utilities |
| | Shadow Explorer | Browse and extract files from shadow copies |
| | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
| | Microsoft | Command-line tool for text searches |
| | MiTec | View and manage MS OLE Structured Storage based files |
| | Mike’s Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc. |
| | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |
| | Gianluca Costa & Andrea De Franceschi | Network forensics analysis tool |
Mac OS tools

| Name | From | Description |
|---|---|---|
| | Twocanoes Software | Audit Preference Pane and Log Reader for OS X |
| | Kyeongsik Lee | Parses keychain structure, extracting user’s confidential information such as application account/password, encrypted volume password (e.g. FileVault), etc. |
| | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker in disabling disk arbitration |
| | Blackbag Technologies | Converts epoch times to local time and UTC |
| | AccessData | Command line Mac OS version of AccessData’s FTK Imager |
| | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected |
| | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors |
| | Kyeongsik Lee | Memory forensic toolkit for Mac OS X |
Mobile devices

| Name | From | Description |
|---|---|---|
| | Mario Piccinelli | Explore iOS backups |
| | Leo Crawford, Mat Proud | Explore the internal file structure of iPad, iPod and iPhones |
| | Robin Wood | Extracts phone model, software version, created date and GPS data from iPhone videos. |
| | Dan Roe | Parses physical flash dumps and Nokia PM records to find details of previously inserted SIM cards. |
| | CCL Forensics | Deconstructs Blackberry .ipd backup files |
| | SignalSEC Corp | Obtain SMS messages, call logs and contacts from Android devices |
Data analysis suites

| Name | From | Description |
|---|---|---|
| | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) |
| | Backtrack | Penetration testing and security audit with forensic boot capability |
| | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools |
| | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools |
| | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items |
| | Harlan Carvey | Automates ‘repetitive tasks of data collection’. Fuller description here |
| | Sumuri | Ubuntu based live boot CD for imaging and analysis |
| | SANS | VMware appliance pre-configured with multiple tools allowing digital forensic examinations |
| | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools |
| | Volatile Systems | Collection of tools for the extraction of artefacts from RAM |
File viewers

| Name | From | Description |
|---|---|---|
| | SysTools | View (not save or export from) contents of BKF backup files |
| | SysTools | View (not save or export) Lotus Notes DXL file emails and attachments |
| | SysTools | View (not save or export from) E01 files & view messages within EDB, PST & OST files |
| | SysTools | View (not save or export) MS SQL MDF files |
| | SysTools | View (not save or export) MSG file emails and attachments |
| | SysTools | View (not save or export) OLM file emails and attachments |
| | Microsoft | View PowerPoint presentations |
| | Microsoft | View Visio diagrams |
| | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc. |
Internet analysis

| Name | From | Description |
|---|---|---|
| | Foxton Software | Captures history from Firefox, Chrome and Internet Explorer web browsers running on a Windows computer |
| | Foxton Software | Extract, view and analyse internet history from Firefox, Chrome and Internet Explorer web browsers |
| | CCL Forensics | Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”) |
| | Nirsoft | Reads the cache folder of Google Chrome web browser, and displays the list of all files currently stored in the cache |
| | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits. |
| | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information. |
| | Belkasoft | Captures information publicly available in Facebook profiles. |
| | Nirsoft | Extracts various details of Internet Explorer cookies |
| | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 |
| | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape web browsers |
| | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape web browsers |
| | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape web browsers, and displays the list of all visited web pages |
| | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) |
| | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox web browser |
| | Nirsoft | Reads the cache folder of Opera web browser, and displays the list of all files currently stored in the cache |
| | Nirsoft | Decrypts the content of the Opera web browser password file, wand.dat |
| | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers |
| | Magnet Forensics | Takes a list of URLs, saving scrolling captures of each page. Produces an HTML report file containing the saved pages |
Registry analysis

| Name | From | Description |
|---|---|---|
| | Eric Zimmerman | Dumps list of shimcache entries showing which executables were run and their modification dates. Further details. |
| | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file |
| | Microsoft | Examine Windows processes and registry threads in real time |
| | Eric Zimmerman | Command line access to offline Registry hives. Supports simple & regular expression searches as well as searching by last write timestamp. Further details. |
| | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
| | Eric Zimmerman | Offline Registry viewer. Provides deleted artefact recovery, value slack support, and robust searching. Further details. |
| | Harlan Carvey | Registry data extraction and correlation tool |
| | Regshot | Takes snapshots of the registry allowing comparisons, e.g., show registry changes after installing software |
| | Eric Zimmerman | Presents visual representation of what a user’s directory structure looked like. Additionally exposes various timestamps (e.g., first explored, last explored for a given folder). Further details. |
| | Woanware | Details previously attached USB devices on exported registry hives |
| | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems |
| | Nirsoft | Details previously attached USB devices |
| | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time attributes from UserAssist keys |
| | Didier Stevens | Displays list of programs run, with run count and last run date and time |
| | MiTec | Extracts configuration settings and other information from the Registry |
Application analysis

| Name | From | Description |
|---|---|---|
| | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox |
| | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles, providing more context |
| | Sanderson Forensics | Extracts various data from the KaZaA application |
| | Nirsoft | View and export Windows Live Messenger contact details |
| | Nirsoft | View Skype calls and chats |
For Reference

| Name | From | Description |
|---|---|---|
| | Kazuyuki Nakayama | Safely remove SATA disks, similar to the “Safely Remove Hardware” icon in the notification area |
| | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones |
| | Nirsoft | Extracts recently visited Internet Explorer URLs |
| | CERT | Allows examiner to boot dd images in VMware. |
| | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc. |
| | Zena Forensics | Extract WhatsApp messages from iOS and Android backups |