The best tools and resources for forensic analysis. Curated list of awesome free forensic analysis tools and resources.
Distributions
| Name | Descriptions | Download |
|---|---|---|
bitscout | Bitscout is customizable live OS constructor tool written entirely in bash. It’s main purpose is to help you quickly create own remote forensics bootable disk image. | github |
Remnux | REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. | Download |
SANS Investigative Forensics Toolkit (sift) | Linux distribution for forensic analysis | github |
Tsurugi Linux | Tsurugi Linux is a DFIR open source project that is and will be totally free, independent, without involving any commercial brand Our main goal is share knowledge and “give back to the community” | Download |
WinFE | As a result of this, WinFE will now load on UEFI as well as legacy systems, without changing BIOS settings. This means that devices, such as the Microsoft Surface Pro can be easily forensically imaged. BitLocker is also supported providing that you have access to either the unlock key or password. | Download |
Frameworks
| Name | Descriptions | Download |
|---|---|---|
Autopsy | Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card. | Download |
dff | DFF (Digital Forensics Framework) is a Forensics Framework coming with command line and graphical interfaces. DFF can be used to investigate hard drives and volatile memory and create reports about user and system activities. | github |
dexter | Forensics acquisition framework designed to be extensible and secure. | github |
IntelMQ | IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol. | github |
Kuiper | Kuiper is a digital investigation platform that provides a capabilities for the investigation team and individuals to parse, search, visualize collected evidences (evidences could be collected by fast traige script like Hoarder). | github |
Laika BOSS | Laika BOSS: Object Scanning System. | github |
PowerForensics | PowerForensics provides an all in one platform for live disk forensic analysis. | github |
The Sleuth Kit | The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence. | github |
turbinia | Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms | github |
IPED - Indexador e Processador de Evidências Digitais | IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners. | github |
Wombat Forensics | Wombat Forensics is a new Forensic Analysis tool built entirely in C and C++. The GUI is built using Qt5, so it may one day work on Windows, Linux and Macintosh systems. | github |
binwalk | Firmware Analysis Tool | github |
Memory Forensics
| Name | Descriptions | Download |
|---|---|---|
inVtero.net | High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support. | github |
KeeFarce | Extracts passwords from a KeePass 2.x database, directly from memory. | github |
MemProcFS | An easy and convenient way of accessing physical memory as files a virtual file system. | github |
Rekall | Rekall Memory Forensic Framework. | github |
volatility | The Volatility Framework is a completely open collection of tools,implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. | github |
VolUtility | Web App for Volatility framework. | github |
Network Forensics
| Name | Descriptions | Download |
|---|---|---|
NetworkMiner | NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. | Download |
Wireshark | Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. | Download |
Live Forensics
| Name | Descriptions | Download |
|---|---|---|
grr | GRR Rapid Response: remote live forensics for incident response. | github |
Linux Expl0rer | Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask. | github |
mig | Distributed & real time digital forensics at the speed of the cloud. | github |
osquery | SQL powered operating system analytics. | github |
UAC | UAC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Reponse that makes use of built-in tools to automate the collection of Unix-like systems artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris. | github |
IOC Scanner
| Name | Descriptions | Download |
|---|---|---|
Fenrir | Fenrir is a simple IOC scanner bash script. | github |
Loki | Scanner for Simple Indicators of Compromise. | github |
Redline | Redline®, FireEye’s premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. | Download |
THOR Lite | THOR Lite includes the file system and process scan module as well as module that extracts “autoruns” information on the different platforms. | Download |
Imaging
| Name | Descriptions | Download |
|---|---|---|
dc3dd | A patch to the GNU dd program, this version has several features intended for forensic acquisition of data. Highlights include hashing on-the-fly, split output files, pattern writing, a progress meter, and file verification. | Download |
dcfldd | dcfldd is an enhanced version of GNU dd with features useful for forensics and security. | Download |
FTK Imager | Free imageing tool for windows. | Download |
Guymager | Open source version for disk imageing on linux systems. | Download |
Windows Artifacts
| Name | Descriptions | Download |
|---|---|---|
Beagle | Transform data sources and logs into graphs. | github |
FRED | Cross-platform microsoft registry hive editor. | Download |
LastActivityView | LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. | Download |
LogonTracer | Investigate malicious Windows logon by visualizing and analyzing Windows event log. | github |
python-evt | Pure Python parser for classic Windows Event Log files (.evt). | github |
RegRipper3.0 | RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis. | github |
RegRippy | A framework for reading and extracting useful forensics data from Windows registry hives. | github |
OS X Forensics
| Name | Descriptions | Download |
|---|---|---|
APFS Fuse | This project is a read-only FUSE driver for the new Apple File System. It also supports software encrypted volumes and fusion drives. Firmlinks are not supported yet. | github |
mac_apt (macOS Artifact Parsing Tool) | mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. | github |
MacLocationsScraper | Dump the contents of the location database files on iOS and macOS. | github |
macMRUParser | Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format. | github |
OSXAuditor | OS X Auditor is a free Mac OS X computer forensics tool. | github |
OSX Collect | OSXCollector is a forensic evidence collection & analysis toolkit for OSX. | github |
Mobile Forensics
| Name | Descriptions | Download |
|---|---|---|
Andriller | Andriller – is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. | github |
ALEAPP | Android Logs Events And Protobuf Parser. | github |
ArtEx | DoubleBlak Digital Forensics is a Digital Forensics web site aimed at helping forensic examiners. I am Ian Whiffin, an ex-Law Enforcement Officer / Digital Forensics Examiner with a mid-sized municipal police agency. | Download |
iLEAPP | An iOS Logs, Events, And Plists Parser. | github |
iOS Frequent Locations Dumper | Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/ | github |
MEAT | Perform different kinds of acquisitions on iOS devices. | github |
MobSF | An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. | github |
OpenBackupExtractor | An app for extracting data from iPhone and iPad backups. | github |
Docker Forensics
| Name | Descriptions | Download |
|---|---|---|
dof (Docker Forensics Toolkit) | A toolkit for the post-mortem examination of Docker containers from forensic HDD copies. | github |
Docker Explorer | Extracts and interprets forensic artifacts from disk images of Docker Host systems. | github |
Picture Analysis
| Name | Descriptions | Download |
|---|---|---|
Ghiro | A fully automated tool designed to run forensics analysis over a massive amount of images. | Download |
sherloq | Forensic Image Analysis is the application of image science and domain expertise to interpret the content of an image and/or the image itself in legal matters. | github |
Image Analyzer | is a program that you can use to view and edit image files. The interface of the tool is plain and easy to navigate through. Image Analyzer definitely needs some improvements when it comes to its appearance, since it’s a little outdated. Pictures can be opened via the file browser only, since the “drag and drop” method is not supported. So, you can configure file format options, such as compression level, transparent color key, quality and file size. | Download |
pngcheck | pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs, a.k.a. checksums, and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities. | Download |
Metadata Forensics
| Name | Descriptions | Download |
|---|---|---|
ExifTool | ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. | Download |
FOCA | FOCA is a tool used mainly to find metadata and hidden information in the documents. | github |
Steganography
| Name | Descriptions | Download |
|---|---|---|
Sonicvisualizer | Sonic Visualiser is a free, open-source application for Windows, Linux, and Mac, designed to be the first program you reach for when want to study a music recording closely. | Download |
Steghide | is a steganography program that hides data in various kinds of image and audio files. | github |
Wavsteg | A steganographic coder for WAV files. github | |
Zsteg | A steganographic coder for WAV files. | github |
Outguess | Outguess is an advanced steganography tool. Outguess will conceal your document inside image (JPG) of your choice. | github |
Management
| Name | Descriptions | Download |
|---|---|---|
dfirtrack | Digital Forensics and Incident Response Tracking application, track systems. | github |
Incidents | Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads. | github |
Decryption
| Name | Descriptions | Download |
|---|---|---|
hashcat | Fast password cracker with GPU support | Download |
John the Ripper | John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including for: user passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, “web apps” (e.g., WordPress), groupware (e.g., Notes/Domino), and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.), filesystems and disks (macOS .dmg files and “sparse bundles”, Windows BitLocker, etc.), archives (ZIP, RAR, 7z), and document files (PDF, Microsoft Office’s, etc.) These are just some of the examples – there are many more. | Download |
Disk image handling
| Name | Descriptions | Download |
|---|---|---|
Disk Arbitrator | A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device. | github |
imagemounter | Command line utility and Python package to ease the (un)mounting of forensic disk images. | github |
libewf | Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01). | github |
PancakeViewer | Disk image viewer based in dfvfs, similar to the FTK Imager viewer. | github |
xmount | Convert between different disk image formats. | Download |
Resources
| Name | detail |
|---|---|
Learning Network Forensics | Learning Network Forensics by packt |
Steganography for the Computer Forensics | An Overview of Steganography forthe Computer Forensics Examiner |
image forensics | Learning Rich Features for Image Manipulation Detection. |
Docker Forensics | Docker Forensics for Containers |
memory forensics | Learn Windows memory forensics |
Smartphone Forensic | Smartphone Forensic Analysis In-Depth |
