
This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

Disk Analysis Tools

Hard Drive Firmware and Diagnostics Tools

PC-3000 from ACE Lab https://www.acelab.eu.com/catalog/

Linux-based Tools

LINReS by NII Consulting Pvt. Ltd.

SMART by ASR Data http://www.asrdata.com

Second Look: Linux Memory Forensics by Pikewerks Corporation

Macintosh-based Tools

Elcomsoft Mobile Forensic Bundle by Elcomsoft https://www.elcomsoft.com/emfb.html

The Bundle includes macOS editions of Elcomsoft forensic tools for mobile and cloud data extraction.

Mac Marshal by ATC-NY

Recon for MAC OS X by Sumuri, LLC https://sumuri.com/wp-content/uploads/2019/04/recon.jpg

Windows-based Tools

Arsenal Recon Weapons by Arsenal Recon offers unique and powerful tools to mount Windows disk images, reconstruct Windows Registry and process Windows hibernation files.

Belkasoft Acquisition Tool (BAT) is a free utility for acquiring a wide range of data sources: hard drives, the RAM of running computers, modern smartphones, and various types of cloud services. The output can be analyzed with both Belkasoft and third-party tools.

Belkasoft Evidence Center (BEC) allows an investigator to perform all investigation steps: acquisition (acquire hard and removable drives, image smartphones and download cloud data), extraction of evidence (searches and carves more than 700 formats of various files and application data), analysis (hex viewer, SQLite viewer, social graph building with community detection, etc.) and reporting.

CD/DVD Inspector by InfinaDyne. This is the only forensic-qualified tool for examination of optical media. It has been around since 1999 and is in use by law enforcement, government and data recovery companies worldwide.

EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc

Elcomsoft Desktop Forensic Bundle by Elcomsoft https://www.elcomsoft.com/edfb.html

All password recovery tools for unlocking documents, decrypting archives and crypto containers.

Elcomsoft Premium Forensic Bundle by Elcomsoft https://www.elcomsoft.com/epfb.html

A pack of every forensic tool of Elcomsoft for data extraction from mobile devices, unlocking documents, decrypting archives, breaking into encrypted containers, viewing and analyzing evidence.

EnCase by Guidance Software

Facebook Forensic Toolkit (FFT) by Afentis_forensics. eDiscovery toolkit to identify and clone full profiles, including wall posts, private messages, uploaded photos/tags and group details; graphically illustrate friend links; and generate expert reports.

Forensic Explorer (FEX) by GetData Forensics

Forensic Toolkit (FTK) by AccessData

ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)

Internet Evidence Finder (IEF) by Magnet Forensics

Mercury Indexer by MicroForensics, Inc.

Nuix Desktop by Nuix Pty Ltd https://www.nuix.com/

OSForensics by PassMark Software Pty Ltd

P2 Power Pack by Paraben

Prodiscover

Safeback by NTI and Armor Forensics

X-Ways Forensics by X-Ways AG

RecycleReader by Live-Forensics

A command line tool that outputs the contents of the recycle bin on XP, Vista and 7.

Dstrings by Live-Forensics

A command line tool that searches for strings in a given file. It has the ability to compare the output of those strings against a dictionary to either exclude the dictionary terms in the output or only output files that match the dictionary. It also has the ability to search for IP Addresses and URLs/Email Addresses.

Unique by Live-Forensics

A command line tool similar to the Unix uniq. Allows for unique string counts, as well as various sorting options.

HashUtil by Live-Forensics

HashUtil.exe will calculate MD5, SHA1, SHA256 and SHA512 hashes. It has an option that will attempt to match the hash against the NIST/ISC MD5 hash databases.

WindowsSCOPE Pro, Ultimate, Live

Comprehensive Windows memory forensics and cyber analysis, incident response, and education support.

Software and hardware based acquisition with CaptureGUARD PCIe and ExpressCard

Hardware based acquisition of memory on a locked computer via CaptureGUARD Gateway

WindowsSCOPE Live provides memory analysis of Windows computers on a network from Android phones and tablets.

MailXaminer by SysTools https://www.mailxaminer.com/

Forensic and eDiscovery tool to find digital email evidence from multiple email platforms through its search mechanism.

Twitter Forensic Toolkit (TFT) by Afentis_forensics. eDiscovery toolkit to identify relevant Tweets, clone full profiles, download all tweets/media, data mine across comments, and generate expert reports.

YouTube Forensic Toolkit (YFT) by Afentis_forensics http://www.afentis.com/forensic-software/ eDiscovery toolkit to identify relevant online media, download/convert videos, data mine across comments, and generate expert reports.

Open Source Tools

AFFLIB A library for working with disk images. Currently AFFLIB supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.

Autopsy

Bulk Extractor https://github.com/simsong/bulk_extractor/wiki

Bulk Extractor provides digital media triage by extracting Features from digital media.

Bulk Extractor Viewer

Bulk Extractor Viewer is a browser UI for viewing Feature data extracted using Bulk Extractor.

Digital Forensics Framework (DFF) is cross-platform and open source, oriented toward both users and developers. It provides many features and is very modular. Its stated goal is to provide a powerful framework to the forensic community, so that people can use only one tool during the analysis. http://digital-forensic.org/

foremost

Linux based file carving program

FTimes

FTimes is a system baselining and evidence collection tool.

gfzip

gpart

Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.

Hachoir is a generic framework for binary file manipulation; it supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, the MS-DOS partition header, etc. It recognizes file types and is able to find subfiles (hachoir-subfile).

hashdb

A tool for finding previously identified blocks of data in media such as disk images.

IPED

Open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

magicrescue

The Open Computer Forensics Architecture

pyflag

Web-based, database-backed forensic and log analysis GUI written in Python.

Scalpel

Linux and Windows file carving program originally based on foremost.

scrounge-ntfs

The Sleuth Kit

The Coroner's Toolkit (TCT)

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

LiveWire Investigator 2008 by WetStone Technologies

P2 Enterprise Edition by Paraben

Elcomsoft Premium Forensic Bundle by Elcomsoft https://www.elcomsoft.com/epfb.html

Forensics Live CDs

Kali Linux, Official website

KNOPPIX http://www.knopper.net/knoppix/index-en.html

BackTrack Linux

Paladin Forensic Suite - Live Boot Ubuntu (Sumuri, LLC) https://sumuri.com

Simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox.

See: Forensics Live CDs

Personal Digital Device Tools

GPS Forensics

  • Blackthorn GPS Forensics
  • .XRY

PDA Forensics

Cell Phone Forensics

SIM Card Forensics

  • Cellebrite UFED
  • .XRY
  • ForensicSIM
  • Paraben SIM Card Seizure
  • SIMCon

Preservation Tools

  • Paraben StrongHold Bag
  • Paraben StrongHold Tent

Other Tools

Serial Port Analyzer

A tool to analyze serial port and device activity.

Live View

Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.

Parallels VM

Serial and USB ports sharing https://www.flexihub.com/serial-to-ethernet-overview/

Share and access serial and USB ports over Ethernet

Microsoft Virtual PC

VMware Workstation Player

A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.

vSphere

The free server product for setting up, configuring and running VMware virtual machines. The important difference is that it can run "headless", i.e. everything runs in the background.

Recon for MAC OS X

RECON for Mac OS X is described as the fastest way to conduct Mac forensics: it automates in minutes what an experienced examiner would need weeks to accomplish. It now includes PALADIN 6, which comes with a full-featured forensic suite, a bootable forensic imager, a software write-blocker and more.

Hex Editors

bless

Okteta KDE's cross-platform hex editor, with features such as signature matching.

HexFiend A hex editor for MacOS

Hex Workshop A hex editor from BreakPoint Software Inc.

khexedit

ReclaiMe Pro The built-in disk editor visualizes most known partition and filesystem objects (boot sectors, superblocks, partition headers) in a structured view, with low-level data editing for extra leverage.

WinHex Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.

wxHexEditor A multi-OS, open source hex and disk editor.

HexReader Live-Forensics software that reads Windows files at specified offset and length and outputs results to the console.

Telephone Scanners/War Dialers

TeleSweep

SecureLogix is currently offering no-cost downloads of its award-winning TeleSweep Secure® modem-vulnerability scanner. This free modem scanning software can be used to dial a batch of corporate phone numbers and report on the number of modems connected to these corporate lines. Registration is required to obtain a license key, but the software is still free.

WarVox

WarVOX is a free, open-source VOIP-based war dialing tool for exploring, classifying, and auditing phone systems.