Our list of free computer forensics software is updated several times a year. We provide no support or warranties for the use of listed software, and it is your responsibility to verify licensing agreements. Entries marked with a star indicate that registration is required before downloading. Main list last updated: 30 April 2012. Forensic Control are IT / computer forensic investigators based in London. Publishing the whole or part of this list is licensed under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license. Updates to this page will be announced on our Twitter feed at twitter.com/WeFindData
Contents
Top ten – March 2012 | Disc and imaging tools | Email analysis | General tools | File and data analysis | Data analysis suites | File viewers | Internet history analysis | Registry analysis | Application analysis (other) | Abandonware
Top 10 most popular free computer forensic software links during March 2012
| Rank | Name | From | Description |
|---|---|---|---|
| 1 | OSForensics | Passmark Software | Application suite to carry out wide range of forensic tasks |
| 2 | FTK Imager | AccessData | Imaging tool, disk viewer and image mounter |
| 3 | Forensic Image Viewer | Sanderson Forensics | View various picture formats, enhance images, extract Exif & GPS data |
| 4 | FoxAnalysis | forensic-software | Basic analysis of internet history data from Firefox |
| 5 | Mail Viewer | MiTec | Outlook Express, Windows Mail/ Live Mail, Mozilla Thunderbird, EML file viewer |
| 6 | USB Write Blocker | DSi | Enables software write-blocking of USB ports |
| 7 | Encrypted Disk Detector | JAD Software | Checks local physical drives for TrueCrypt, PGP, or Bitlocker volumes |
| 8 | DumpIt | MoonSols | Generates physical memory dump of Windows 32 & 64 bit machines |
| 9 | PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |
| 10 | P2 eXplorer* | Paraben | Virtually mount drives & forensic images |
Disc and imaging tools
| Name | Version | From | Description |
|---|---|---|---|
| DumpIt | unknown | MoonSols | Generates physical memory dump of Windows machines, 32-bit and 64-bit. Can run from USB keys |
| Encrypted Disk Detector | unknown | JADsoftware | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
| FAT32 Format | 1.05 | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
| FTK Imager | 3.1.0 | AccessData | Imaging tool, disk viewer and image mounter |
| Guymager | 0.6.5 | vogu00 | Multi-threaded GUI imager running under Linux |
| HotSwap | 6.0.0 | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area |
| P2 eXplorer* | 3.1 | Paraben | Virtually mount drives & forensic images |
| Tableau Imager* | 1.11 | Tableau | Imaging tool for use with Tableau imaging products |
| VHD Tool | 2.0 | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management |
Email analysis
| Name | Version | From | Description |
|---|---|---|---|
| EDB Viewer | unknown | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server |
| Gmail Parser | 1.0.0 | Woanware | Parses various Gmail artefacts from cached HTML files |
| Mail Viewer | 1.8.3 | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files |
| OST Viewer | unknown | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server |
| PST Viewer | unknown | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |
General
| Name | Version | From | Description |
|---|---|---|---|
| Agent Ransack | 2010 (762) | Mythicsoft | Search multiple files using Boolean operators and Perl Regex |
| EvidenceMover* | unknown | Nuix | Copies data between locations, with file comparison, verification, logging |
| FastCopy | 2.08 | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc |
| File Signatures | 9 March 2012 | Gary Kessler | Table of file signatures |
| Forensic Test Images | Various | Various | Collated forensic images for training, practice and validation |
| HashMyFiles | 1.88 | Nirsoft | Calculate MD5 and SHA1 hashes |
| MobaLiveCD | 2.10 | Mobatek | Run Linux live CDs from their ISO image without having to boot to them |
| Mouse Jiggler | 1.2 | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc |
| Notepad ++ | 6.0.0 | Notepad ++ | Advanced Notepad replacement |
| NSRL | 2.35 | NIST | Hash sets of ‘known’ (ignorable) files |
| Quick Hash | 1.5.2 | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files |
| USB Write Blocker | 1.0 | DSi | Enables software write-blocking of USB ports |
| Windows Forensic Environment | Various | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD |
File and data analysis
| Name | Version | From | Description |
|---|---|---|---|
| Advanced Prefetch Analyser | 2.4 | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files |
| analyzeMFT | 2.0 | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
| Audit Viewer | unknown | Mandiant | Viewer used with Memoryze (see below) |
| DCode | 4.02.0.930 | Digital Detective | Converts various data types to date/time values |
| Defraser | 1.3.0 | Various | Detects full and partial multimedia files in unallocated space |
| eCryptfs Parser | 2011-09-22 | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original filesize, signature used, etc |
| Encryption Analyzer | 3.5 | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file |
| Forensic Image Viewer | 1.03 | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
| Highlighter | unknown | Mandiant | Examine log files using text, graphic or histogram views |
| Live Detector* | unknown | H-11 Digital Forensics | Collects volatile data; account & password identification; browser artefacts, user behaviour; and Microsoft Windows System info |
| LiveContactsView | 1.10 | Nirsoft | View and export Windows Live Messenger contact details |
| RSA Netwitness Investigator | 9.7.5.4 | EMC | Network packet capture and analysis |
| Memoryze | unknown | Mandiant | Acquire and/or analyze RAM images, including the page file on live systems |
| MFTview | 1.1.0 | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
| PsTools | 2.44 | Microsoft | Suite of command-line Windows utilities |
| Shadow Explorer | unknown | Shadow Explorer | Browse and extract files from shadow copies |
| SQLite Manager | 0.7.7 | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
| Strings | 2.42 | Microsoft | Command-line tool for text searches |
| Structured Storage Viewer | 3.3.1 | MiTec | View and manage MS OLE Structured Storage based files |
| TimeLord | unknown | Paul Tew | Time utility; timezones, BIOS times, decode computer time formats, etc |
| Windows File Analyzer | 2.5 | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |
Mac OS tools
| Name | Version | From | Description |
|---|---|---|---|
| Disk Arbitrator | 0.4.1 | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker in disabling disk arbitration |
| Epoch Converter* | unknown | Blackbag Technologies | Converts epoch times to local time and UTC |
| FTK Imager CLI for Mac OS* | 2.9.0 | AccessData | Command line Mac OS version of AccessData’s FTK Imager |
| IORegInfo | unknown | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected |
| Mac Memory Reader | 3.0.0 | Cyber Marshal | Command-line utility to capture physical RAM from Mac OS systems |
| PMAP Info* | unknown | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors |
Mobile devices
| Name | Version | From | Description |
|---|---|---|---|
| iPhone Backup Browser | R38 | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones |
| iPhone Analyzer | 2.00 | Leo Crawford, Mat Proud | Explore the internal file structure of iPad, iPod and iPhones |
| Rubus* | Unknown | CCL Forensics | Deconstructs Blackberry .ipd backup files |
Data analysis suites
| Name | Version | From | Description |
|---|---|---|---|
| Autopsy | 3.0 | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) |
| Backtrack | 5.0 R2 | Backtrack | Penetration testing and security audit with forensic boot capability |
| Caine | 2.5.1 | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools |
| Digital Forensics Framework | 1.2.0 | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items |
| OSForensics | 1.0.1005 | Passmark Software | Windows application to carry out wide range of forensic tasks. |
| P2 Shuttle Free* | unknown | Paraben | Remote disk mounting, network RAM capture, search tools. Limited version of P2 Shuttle Pro |
| Paladin* | 2.06 | Sumuri | Ubuntu based live boot CD for imaging and analysis |
| SIFT* | 2.12 | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations |
| The Sleuth Kit | 3.2.3 | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools |
| Ubuntu guide | unknown | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc |
| Volatility Framework | 2.0 | Volatile Systems | Collection of tools for the extraction of artifacts from RAM |
File viewers
| Name | Version | From | Description |
|---|---|---|---|
| Microsoft Excel 2007 Viewer | 1.00 | Microsoft | View Excel spreadsheets |
| Microsoft PowerPoint 2007 Viewer | 1.00 | Microsoft | View PowerPoint presentations |
| Microsoft Visio 2010 Viewer | 1.00 | Microsoft | View Visio diagrams |
| Microsoft Word Viewer | 1.00 | Microsoft | View Word documents |
| VLC | 2.0.1 | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc |
Internet history analysis
| Name | Version | From | Description |
|---|---|---|---|
| ChromeAnalysis | 1.0.1 | Foxton Software | Analysis of internet history data generated using Google Chrome |
| ChromeCacheView | 1.4 | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache |
| FoxAnalysis | 1.4.2 | Foxton Software | Basic analysis of internet history data from Firefox versions 1, 2 and 3. |
| IECacheView | 1.46 | Nirsoft | Displays various details of files in Internet Explorer cache; number of hits, last accessed times, etc |
| IECookiesView | 1.74 | Nirsoft | Extracts various details of Internet Explorer cookies |
| IEHistoryView | 1.7 | Nirsoft | Extracts recently visited Internet Explorer URLs |
| IEPassView | 1.26 | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 |
| MozillaCacheView | 1.51 | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaCookieView | 1.36 | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaHistoryView | 1.45 | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages |
| MyLastSearch | 1.55 | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) |
| PasswordFox | 1.30 | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser |
| OperaCacheView | 1.37 | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache |
| OperaPassView | 1.05 | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat |
| Web Historian | unknown | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers |
Registry analysis
| Name | Version | From | Description |
|---|---|---|---|
| ForensicUserInfo | 1.04 | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file |
| Process Monitor | 3.0 | Microsoft | Examine Windows processes and registry threads in real time |
| Registry Decoder | 1.2 | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
| RegRipper | unknown | Harlan Carvey | Registry data extraction and correlation tool |
| Regshot | 1.8.3 | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software |
| USB Device Forensics | 1.06 | Woanware | Details previously attached USB devices on exported registry hives |
| USBDeview | 2.06 | Nirsoft | Details previously attached USB devices |
| UserAssist | 2.4.3 | Didier Stevens | Displays list of programs run, with run count and last run date and time |
Application analysis (other)
| Name | Version | From | Description |
|---|---|---|---|
| KaZAlyser | 1.2.8 | Sanderson Forensics | Extracts various data from the KaZaA application |
| LiveContactsView | 1.10 | Nirsoft | View and export Windows Live Messenger contact details |
| SkypeLogView | 1.21 | Nirsoft | View Skype calls and chats |
Abandonware
Software which appears no longer to be updated but is listed as it may still be of some use.
| Name | Version | From | Description |
|---|---|---|---|
| CaseNotes* | 1.2.2010.6 | QCC | Contemporaneous notes recorder |
| Exif Reader | 3.00 | Ryuuji Yoshimoto | Extracts exif data from digital photographs |
| Fragview* | unknown | QCC | View recursive HTML, jpg and Flash files |
| GigaView* | 1.2 | QCC | Parses exported GigaTribe chat logs, results can be imported into Excel |
| Live View | 0.7b | CERT | Allows examiner to boot dd images in VMware. |
| VideoTriage* | unknown | QCC | Produces thumbnails of video files so that the whole video doesn’t need to be watched |
*Entries marked with a star indicate that registration is required before downloading


