From ForensicsWiki
Revision as of 01:40, 9 September 2009 by Jessek (Talk | contribs) (Windows-based Tools: - Changed to local link)


This is an overview of available tools for forensic investigators. Please click on the name of any tool for more details.

Note: This page has gotten too big and is being broken up. See:

Disk Analysis Tools

Hard Drive Firmware and Diagnostics Tools

PC-3000 from DeepSpar Data Recovery Systems

Linux-based Tools

LINReS by NII Consulting Pvt. Ltd.

Macintosh-based Tools

Macintosh Forensic Software by BlackBag Technologies, Inc.
MacForensicsLab by Subrosasoft
Mac Marshal by ATC-NY

Windows-based Tools

Blackthorn GPS Forensics
HBGary Responder Professional - Windows Physical Memory Forensic Platform
BringBack by Tech Assist, Inc.
EMail Detective - Forensic Software Tool by Hot Pepper Technology, Inc
EnCase by Guidance Software
fbi by Nuix Pty Ltd
Forensic Toolkit (FTK) by AccessData
ILook Investigator by Elliot Spencer and U.S. Dept of Treasury, Internal Revenue Service - Criminal Investigation (IRS)
Mercury Indexer by MicroForensics, Inc.
OnLineDFS by Cyber Security Technologies
P2 Power Pack by Paraben
Safeback by NTI and Armor Forensics
X-Ways Forensics by X-Ways AG
ProDiscover by Techpathways

Open Source Tools

AFFLIB
A library for working with disk images. AFFLIB currently supports raw, AFF, AFD, and EnCase file formats. Work to support segmented raw, iLook, and other formats is ongoing.
Linux-based file carving program
Linux and Windows file carving program, originally based on foremost.
FTimes is a system baselining and evidence collection tool.
Tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
The Open Computer Forensics Architecture
Web-based, database-backed forensic and log analysis GUI written in Python.
The Coroner's Toolkit (TCT)
A generic framework for binary file manipulation. It supports FAT12, FAT16, FAT32, ext2/ext3, Linux swap, the MS-DOS partition header, etc., recognizes file types, and is able to find subfiles (hachoir-subfile).

NDA and scoped distribution tools

Enterprise Tools (Proactive Forensics)

P2 Enterprise Edition by Paraben
LiveWire Investigator 2008 by WetStone Technologies

Forensics Live CDs

FCCU Gnu/Linux Boot CD
A Live CD built on top of Knoppix with a lot of tools with forensic purpose.
It leaves the target devices unaltered: it neither uses the swap partitions found on the devices nor automounts partitions.
Helix (Helix3 Pro)
A Live CD built on top of Ubuntu with special tools for incident response and electronic discovery.
A hybrid CD which also contains a Cygwin environment for use on a running Windows system (without rebooting), including the Sysinternals tools.
A FreeBSD based forensics Bootable ISO (includes Autopsy and Sleuth Kit).
Knoppix STD
A Live CD built on top of Knoppix.
Penguin Sleuthkit
A Linux Live CD that includes SleuthKit.
A Linux Live CD, designed and optimized for previewing data in a forensically sound manner. It contains a number of programs forensic practitioners can utilize to preview both Windows and Linux systems.
MacQuisition Boot CD
A forensic Live CD built for imaging Macintosh systems.
DEFT Linux
A Live CD built on top of Xubuntu with the best tools for computer forensics and incident response.
It's a very light and fast live system created for the Computer Forensics specialist.
The first live CD with AFF, dhash and Xplico.
Recovery Is Possible
A Linux Live CD with a number of recovery applications such as TestDisk, PhotoRec etc.
Ubuntu-rescue-remix is a Live CD that provides the data recovery expert with an environment equipped with the best free-libre, open source data recovery and forensics tools available. Since many of those libraries and tools are part of the Ubuntu Installer, it makes sense to remix Ubuntu into a lightweight and powerful environment for data recovery. This project was formerly known as Rescubuntu.
Stagos FSE
Stagos FSE aims to be a computer forensic framework based on Ubuntu Linux. It can read various filesystems, including NTFS, and EnCase images.
4BAK liveUSB
4bak is a Slax-based LiveUSB with a collection of forensics command line interface (CLI) tools.

Personal Digital Device Tools

GPS Forensics

Blackthorn GPS Forensics

PDA Forensics

Cellebrite UFED
Paraben PDA Seizure
Paraben PDA Seizure Toolbox

Cell Phone Forensics

Cellebrite UFED
DataPilot Secure View
Fernico ZRT
LogiCube CellDEK
Oxygen Forensic Suite 2
Paraben's Device Seizure and Paraben's Device Seizure Toolbox
Serial Port Monitoring

SIM Card Forensics

Cellebrite UFED
Paraben's SIM Card Seizure

Preservation Tools

Paraben StrongHold Bag
Paraben StrongHold Tent

Other Tools

VMware Player
A free player for VMware virtual machines that will allow them to "play" on either Windows or Linux-based systems.
VMware Server
The free server product for setting up, configuring, and running VMware virtual machines. The important difference is that it can run 'headless', i.e. everything runs in the background.
Computer Forensics Toolkit
This is a collection of resources, most of which are informational, designed specifically to guide the beginner, often in a procedural sense.
Software for forensic analysis of internet resources (IP address, e-mail address, domain name, URL, e-mail headers, log files...)
Live View
Live View is a graphical forensics tool that creates a VMware virtual machine out of a dd disk image or physical disk.
Parallels VM
Microsoft Virtual PC

Hex Editors
A hex editor for Apple OS X
Hex Workshop
A hex editor from BreakPoint Software, Inc.
Computer forensics software, data recovery software, hex editor, and disk editor from X-Ways.

Telephone Scanners/War Dialers

PhoneSweep is a commercial-grade multi-line wardialer used by many security auditors to run telephone line scans in their organizations. PhoneSweep Gold is the distributed-access add-on for PhoneSweep, for organizations that need to run scans remotely.