Skip to content

Tools file analysis

Software Forensics

CodeSuite by Software Analysis & Forensic Engineering CodeSuite comprises BitMatch, CodeCross, CodeDiff, CodeMatch, and SourceDetective for comparing and analyzing source code and object code to find copyright infringement and trade secret theft. It can be used for free on small sets of code.

CodeSuite also includes FileCount and FileIsolate for counting file attributes and quickly copying or deleting entire file trees. Both are free utilities.

Open Source Tools

file The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes.

ldd List dynamic dependencies of executable files.

truss Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends the output to stderr.

PDF Miner "...suite of programs that aims to help analyzing text data from PDF documents. It includes a PDF parser, a PDF renderer (though only rendering text is supported for now), and a couple of nice tools to extract texts. Unlike other PDF-related tools, it allows to obtain the exact location of texts in a page, as well as other layout information such as font size or font name, which could be useful for analyzing the document. It also infers text running within a page by using clustering technique."

ltrace Library call tracer.

strace System Call Tracer.

xtrace eXtended trace utility, similar to strace, ptrace, truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping call stack and more.

ktrace Enables kernel process tracing on OpenBSD.

Valgrind Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired.

DTrace Comprehensive dynamic tracing framework for Solaris (also ported to MacOS X - XRays and FreeBSD). DTrace provides a powerful infrastructure to permit investigation of the behavior of the operating system and user programs.

strings Strings will print the strings of printable characters in files. It allows choosing different charactersets (ASCII, UNICODE). It is a quick way to browse through files/partitions/... in order to look for words, filenames, keywords etc.

The Open Computer Forensics Architecture

Rifiuti Examines the INFO2 file in the Recycle Bin.

Pasco Parses index.dat files.

Galleta Parses cookie files. MS Windows Recycle Bin INFO2 parser MS IE cookie file parser

Hachoir Determines the file type using file header/footer (hachoir-metadata --type), able to list strings in Unicode (hachoir-grep), etc. Support more than 60 file formats.


Linux like environment for Windows.


Common unix utilities compiled for a Windows environment.


Common GNU utilities compiled for a Windows Environment.

File Sharing Analysis Tools

P2P Marshal Tools to discover and analyze peer-to-peer files for Windows.