The table below lists a selection of free computer forensics software and resources. It’s updated several times a year. Forensic Control provide no support or warranties for the use of any listed software. It is the end user’s responsibility to check the licensing agreements. Copying and publishing the whole or part of this table is licensed under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license. * Entries marked with a star indicate that registration is required. Forensic Control are IT forensic / computer forensic investigators for London and the UK
Table last updated 31 October 2011. Updates to this list will be announced on our Twitter feed at twitter.com/WeFindData
Disc and imaging tools
Name |
Version |
From |
Description |
|---|---|---|---|
| DumpIt | 1.3.2 | MoonSols | Generates physical memory dump of Windows machines, 32 bits 64 bit. Can run from USB keys |
| Encrypted Disk Detector | 1.2.0 | JADsoftware | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
| FAT32 Format | 1.05 | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
| FTK Imager | 3.0.1.1467 | AccessData | Imaging tool, disk viewer and image mounter |
| Guymager | 0.5.9 | vogu00 | Multi-threaded GUI imager under running under Linux |
| HotSwap | 5.0.0 | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area |
| Live View | 0.7b | CERT | Allows examiner to boot dd images in VMware. Appears to be no longer updated |
| P2 eXplorer* | 3.1 | Paraben | Virtually mount drives & forensic images |
| Tableau Imager* | 1.11 | Tableau | Imaging tool for use with Tableau imaging products |
| VHD Tool | 2.0 | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management |
Email analysis
Name |
Version |
From |
Description |
|---|---|---|---|
| EDB Viewer | 11.05.01 | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server |
| Gmail Parser | 1.0.0 | Woanware | Parses various Gmail artefacts from cached HTML files |
| Mail Viewer | 1.7.6 | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files |
| OST Viewer | 11.05.01 | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server |
| PST Viewer | 11.05.01 | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |
General
Name |
Version |
From |
Description |
|---|---|---|---|
| Agent Ransack | 2010 (762) | Mythicsoft | Search multiple files using Boolean operators and Perl Regex |
| CaseNotes* | 1.2.2010.6 | QCC | Contemporaneous notes recorder |
| EvidenceMover* | 2.00 | Nuix | Copies data between locations, with file comparison, verification, logging |
| FastCopy | 2.08 | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc |
| File Signatures | 10 October 2011 | Gary Kessler | Table of file signatures |
| Forensic Test Images | Various | Various | Collated forensic images for training, practice and validation |
| HashMyFiles | 1.72 | Nirsoft | Calculate MD5 and SHA1 hashes |
| MobaLiveCD | 2.10 | Mobatek | Run Linux live CDs from their ISO image without having to boot to them |
| Mouse Jiggler | 1.2 | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc |
| Notepad ++ | 5.9.5 | Notepad ++ | Advanced Notepad replacement |
| NSRL | 2.34 | NIST | Hash sets of ‘known’ (ignorable) files |
| Quick Hash | 1.32 | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files |
| USB Write Blocker | 1.0 | DSi | Enables software write-blocking of USB ports |
| Windows Forensic Environment | Various | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD |
File and data analysis
Name |
Version |
From |
Description |
|---|---|---|---|
| Advanced Prefetch Analyser | 2.4 | Allan Hay | Reads Windows XP,Vista and Windows 7 prefetch files |
| analyzeMFT | 2.0 | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
| Audit Viewer | unknown | Mandiant | Viewer used with Memoryze (see below) |
| DCode | 4.2.0.9306 | Digital Detective | Converts various data types to date/time values |
| Defraser | 1.3.0 | Various | Detects full and partial multimedia files in unallocated space |
| eCryptfs Parser | 1.0.0.a | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original filesize, signature used, etc |
| Exif Reader | 3.00 | Ryuuji Yoshimoto | Extracts exif data from digital photographs |
| Forensic Image Viewer | 1.03 | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
| Highlighter | unknown | Mandiant | Examine log files using text, graphic or histogram views |
| LiveContactsView | 1.10 | Nirsoft | View and export Windows Live Messenger contact details |
| Netwitness Investigator | 9.5.5.6 | Netwitness | Network packet capture and analysis |
| NetworkMiner | 1.2 | Netwitness | Network sniffer and parser of PCAP files |
| Memoryze | unknown | Mandiant | Acquire and/or analyze RAM images, including the page file on live systems |
| MFTview | 1.1.0 | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
| PsTools | 2.44 | Microsoft | Suite of command-line Windows utilities |
| Shadow Explorer | 23 August 2011 | Shadow Explorer | Browse and extract files from shadow copies |
| SQLite Manager | 0.7.6 | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
| Strings | 2.41 | Microsoft | Command-line tool for text searches |
| Structred Storage Viewer | 3.3.1 | MiTec | View and manage MS OLE Structured Storage based files |
| TimeLord | 0.1.5.6 | Paul Tew | Time utility; timezones, BIOS times, decode computer time formats, etc |
| Windows File Analyzer | 2.5 | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |
Data analysis suites
Name |
Version |
From |
Description |
|---|---|---|---|
| Autopsy | 2.24 | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) |
| Backtrack | 5.0 R1 | Backtrack | Penetration testing and security audit with forensic boot capability |
| Caine | 2.5.1 | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools |
| Digital Forensics Framework | 1.2.0 | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items |
| OSForensics | 1.0.1001 | Passmark Software | Windows application to carry out wide range of forensic tasks. |
| P2 Shuttle Free* | 1.30 | Paraben | Remote disk mounting, network RAM capture, search tools. Limited version of P2 Shuttle Pro |
| Paladin* | unknown | Sumuri | Ubuntu based live boot CD for imaging and analyis |
| SIFT* | 2.10 | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations |
| The Sleuth Kit | 3.2.3 | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools |
| Ubuntu guide | unknown | How-To Geek | Guide to using an Unbuntu live disk to recover partitions, carve files, etc |
| Volatility Framework | 2.o | Volatile Systems | Collection of tools for the extraction of artifacts from RAM |
File viewers
Name |
Version |
From |
Description |
|---|---|---|---|
| Fragview* | unknown | QCC | View recursive HTML, jpg and Flash files |
| Microsoft Excel 2007 Viewer | 1.00 | Microsoft | View Excel spreadsheets |
| Microsoft PowerPoint 2007 Viewer | 1.00 | Microsoft | View PowerPoint presentations |
| Microsoft Visio 2010 Viewer | 1.00 | Microsoft | View Visio diagrams |
| Microsoft Word Viewer | 1.00 | Microsoft | View Word documents |
| VideoTriage* | unknown | QCC | Produces thumbnails of video files so that the whole video doesn’t need to be watched |
| VLC | 1.1.11 | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc |
Internet history analysis
Name |
Version |
From |
Description |
|---|---|---|---|
| ChromeAnalysis | 1.0.1 | forensic-software | Analysis of internet history data generated using Google Chrome |
| ChromeCacheView | 1.35 | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache |
| FoxAnalysis | 1.4.2 | forensic-software | Basic analysis of internet history data from Firefox versions 1, 2 and 3. |
| IECacheView | 1.46 | Nirsoft | Displays various details of files in Internet Explorer cache; number of hits, last accessed times, etc |
| IECookiesView | 1.74 | Nirsoft | Extracts various details of Internet Explorer cookies |
| IEHistoryView | 1.65 | Nirsoft | Extracts recently visited Internet Explorer URLs |
| IEPassView | 1.26 | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 |
| MozillaCacheView | 1.51 | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaCookieView | 1.36 | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaHistoryView | 1.42 | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web page |
| MyLastSearch | 1.50 | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) |
| PasswordFox | 1.30 | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser |
| OperaCacheView | 1.37 | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache |
| OperaPassView | 1.05 | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat |
| Web Historian | unknown | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers |
Registry analysis
Name |
Version |
From |
Description |
|---|---|---|---|
| ForensicUserInfo | 1.04 | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file |
| Process Monitor | 2.96 | Microsoft | Examine Windows processes and registry threads in real time |
| Registry Decoder | 1.00 | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
| RegRipper | 20111410 | Harlan Carvey | Registry data extraction and correlation tool |
| Regshot | 1.8.2 | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software |
| USB Device Forensics | 1.06 | Woanware | Details previously attached USB devices on exported registry hives |
| USBDeview | 1.95 | Nirsoft | Details previously attached USB devices |
| UserAssist | 2.4.3 | Didier Stevens | Displays list of programs run, with run count and last run date and time |
Application analysis (other)
Name |
Version |
From |
Description |
|---|---|---|---|
| GigaView* | 1.2 | QCC | Parses exported GigaTribe chat logs, results can be imported into Excel |
| KaZAlyser | 1.2.8 | Sanderson Forensics | Extracts various data from the KaZaA application |
| LiveContactsView | 1.10 | Nirsoft | View and export Windows Live Messenger contact details |
| SkypeLogView | 1.21 | Nirsoft | View Skype calls and chats |
