Our list of over 115 free tools for digital forensics analysis is updated several times a year. Please note that we provide no support or warranties for the use of listed software, and that it is your responsibility to verify licensing agreements. Inclusion on the list does not equate to a recommendation; it is up to the end user to determine a tool’s suitability. Entries marked with a star* indicate that registration is required before downloading.
Main list last updated: 10 March 2013. Forensic Control are IT / computer forensic investigators based in London. Publishing the whole or part of this list is licensed under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license. Updates to this page will be announced on our Twitter feed at twitter.com/WeFindData
Contents
Have a recommendation for this list? Would you like to see your software promoted?
We’re happy to receive suggestions for inclusion on this list. The software must be free and unrestricted, that is fully functional and not time-limited. We no longer accept submissions if the software version is not listed.
If you would like to promote your software (either free or commercial) on this page please get in touch to discuss this option..
In either case please email tools@forensiccontrol.com
Disk and imaging tools
Name |
Version |
From |
Description |
|---|---|---|---|
| DumpIt | Not listed | MoonSols | Generates physical memory dump of Windows machines, 32 bits 64 bit. Can run from a USB flash drive. |
| EnCase Forensic Imager | 7.06 | Guidance Software | Create EnCase evidence files and EnCase logical evidence files [direct download link] |
| Encrypted Disk Detector* | Not listed | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
| FAT32 Format | 1.05 | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
| FTK Imager* | 3.1.2 | AccessData | Imaging tool, disk viewer and image mounter |
| Guymager | 0.6.13 | vogu00 | Multi-threaded GUI imager under running under Linux |
| HotSwap | 6.1.0.0 | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area |
| Live RAM Capturer* | 1.0 | Belkasoft | Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds |
| OSFClone | 1.0.1008 | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones. |
| OSFMount | 1.5.1013 | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks |
| P2 eXplorer* | 3.1 | Paraben | Virtually mount drives & forensic images |
| Tableau Imager* | 1.2.0 | Tableau | Imaging tool for use with Tableau imaging products |
| VHD Tool | 2.0 | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management |
Email analysis
Name |
Version |
From |
Description |
|---|---|---|---|
| EDB Viewer | Not listed | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server |
| Gmail Parser | 1.0.0 | Woanware | Parses various Gmail artefacts from cached HTML files |
| Mail Viewer | 1.8.5 | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files |
| OST Viewer | Not listed | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server |
| PST Viewer | Not listed | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |
General
Name |
Version |
From |
Description |
|---|---|---|---|
| Agent Ransack | 2010 (762) | Mythicsoft | Search multiple files using Boolean operators and Perl Regex |
| EvidenceMover* | 2.0 | Nuix | Copies data between locations, with file comparison, verification, logging |
| FastCopy | 2.11 | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc |
| File Signatures | 28 Feb 2013 | Gary Kessler | Table of file signatures |
| Forensic Test Images | Various | Various | Collated forensic images for training, practice and validation |
| HashMyFiles | 1.95 | Nirsoft | Calculate MD5 and SHA1 hashes |
| MobaLiveCD | 2.10 | Mobatek | Run Linux live CDs from their ISO image without having to boot to them |
| Mouse Jiggler | 1.4 | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc |
| Notepad ++ | 6.3 | Notepad ++ | Advanced Notepad replacement |
| NSRL | 2.39 | NIST | Hash sets of ‘known’ (ignorable) files |
| Quick Hash | 2.0 | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files |
| USB Write Blocker | 1.0 | DSi | Enables software write-blocking of USB ports |
| Windows Forensic Environment | Various | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD |
File and data analysis
Name |
Version |
From |
Description |
|---|---|---|---|
| Advanced Prefetch Analyser | 2.4 | Allan Hay | Reads Windows XP,Vista and Windows 7 prefetch files |
| analyzeMFT | 1.10 | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
| DCode | 4.2.0.9306 | Digital Detective | Converts various data types to date/time values |
| Defraser | 1.3.5 | Various | Detects full and partial multimedia files in unallocated space |
| eCryptfs Parser | 1.1.0 | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original filesize, signature used, etc |
| Encryption Analyzer | 4.3 | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file |
| Forensic Image Viewer | 1.03 | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
| Highlighter | 1.1.3 | Mandiant | Examine log files using text, graphic or histogram views |
| LiveContactsView | 1.22 | Nirsoft | View and export Windows Live Messenger contact details |
| RSA Netwitness Investigator* | 9.7.5.4 | EMC | Network packet capture and analysis |
| Memoryze | 2.0 | Mandiant | Acquire and/or analyze RAM images, including the page file on live systems |
| MFTview | 1.1.0 | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
| NetSleuth | 1.6 | NetGrab | Network monitoring tool, with covert “silent portscanning” |
| PictureBox | Not listed | Mike’s Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format |
| PsTools | 6 June 2012 | Microsoft | Suite of command-line Windows utilities |
| Shadow Explorer | 0.9 | Shadow Explorer | Browse and extract files from shadow copies |
| Simple File Parser | 1.5.1 | Chris Mayhew | GUI tool for parsing lnk files, prefetch and jump list artefacts |
| SQLite Manager | 0.7.7 | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
| Strings | 2.5 | Microsoft | Command-line tool for text searches |
| Structured Storage Viewer | 3.3.1 | MiTec | View and manage MS OLE Structured Storage based files |
| Structured Storage Viewer | 3.3.1 | MiTec | View and manage MS OLE Structured Storage based files |
| Switch-a-Roo | Not listed | Mike’s Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc |
| Windows File Analyzer | 2.6 | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |
Mac OS tools
Name |
Version |
From |
Description |
|---|---|---|---|
| Disk Arbitrator | 0.4.2 | Aaron Burghardt | Blocks the mounting of file systems, complimenting a write blocker in disabling disk arbitration |
| Epoch Converter* | Not listed | Blackbag Technologies | Converts epoch times to local time and UTC |
| FTK Imager CLI for Mac OS* | 3.1.1 | AccessData | Command line Mac OS version of AccessData’s FTK Imager |
| IORegInfo | Not listed | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected |
| Mac Memory Reader | 3.0.2 | Cyber Marshal | Command-line utility to capture physical RAM from Mac OS systems |
| PMAP Info* | Not listed | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors |
Mobile devices
Name |
Version |
From |
Description |
|---|---|---|---|
| iPhone Backup Browser | R38 | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones |
| iPhone Analyzer | 2.1.0 | Leo Crawford, Mat Proud | Explore the internal file structure of Pad, iPod and iPhones |
| Rubus* | Not listed | CCL Forensics | Deconstructs Blackberry .ipd backup files |
| SAFT | 1.0.0.1 | SignalSEC Corp | Obtain SMS Messages, call logs and contacts from Android devices |
Data analysis suites
Name |
Version |
From |
Description |
|---|---|---|---|
| Autopsy | 3.0 | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) |
| Backtrack | 5.0 R3 | Backtrack | Penetration testing and security audit with forensic boot capability |
| Caine | 3.0 | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools |
| Digital Forensics Framework | 1.3.0 | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items |
| Forensic Scanner | Not listed | Harlan Carvey | Automates ‘repetitive tasks of data collection’. Fuller description here |
| OSForensics | 2.0.1001 | Passmark Software | Windows application to carry out wide range of forensic tasks. |
| P2 Shuttle Free* | Not listed | Paraben | Remote disk mounting, network RAM capture, search tools. Limited version of P2 Shuttle Pro |
| Paladin* | 4.0 | Sumuri | Ubuntu based live boot CD for imaging and analyis |
| SIFT* | 2.14 | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations |
| The Sleuth Kit | 4.0.2 | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools |
| Ubuntu guide | Not listed | How-To Geek | Guide to using an Unbuntu live disk to recover partitions, carve files, etc |
| Volatility Framework | 2.1 | Volatile Systems | Collection of tools for the extraction of artifacts from RAM |
File viewers
Name |
Version |
From |
Description |
|---|---|---|---|
| Microsoft Excel 2007 Viewer | 1.00 | Microsoft | View Excel spreadsheets |
| Microsoft PowerPoint 2007 Viewer | 1.00 | Microsoft | View PowerPoint presentations |
| Microsoft Visio 2010 Viewer | 1.00 | Microsoft | View Visio diagrams |
| Microsoft Word Viewer | 1.00 | Microsoft | View Word documents |
| VLC | 2.0.5 | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc |
Internet useage analysis
Name |
Version |
From |
Description |
|---|---|---|---|
| ChromeAnalysis | 1.0.1 | Foxton Software | Analysis of internet history data generated using Google Chrome |
| Chrome Session Parser | 4 Feb 2013 | CCL Forensics | Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”) |
| ChromeCacheView | 1.46 | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache |
| ChromeCacheView | 1.46 | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache |
| Cookie Cutter | Not listed | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits. |
| Cookie Cutter | Not listed | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits. |
| Dumpzilla | 15/03/2013 | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information. |
| IECookiesView | 1.74 | Nirsoft | Extracts various details of Internet Explorer cookies |
| IEHistoryView | 1.7 | Nirsoft | Extracts recently visited Internet Explorer URLs |
| IEPassView | 1.26 | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 |
| MozillaCacheView | 1.57 | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaCookieView | 1.40 | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaHistoryView | 1.50 | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web page |
| MyLastSearch | 1.58 | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) |
| PasswordFox | 1.35 | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser |
| OperaCacheView | 1.40 | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache |
| OperaPassView | 1.05 | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat |
| Web Historian | 2.15 | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers |
| Web Page Saver* | Not listed | Magnet Forensics | Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages |
Registry analysis
Name |
Version |
From |
Description |
|---|---|---|---|
| ForensicUserInfo | 1.04 | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file |
| Process Monitor | 3.03 | Microsoft | Examine Windows processes and registry threads in real time |
| Registry Decoder | 1.2 | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
| RegRipper | 2.5 | Harlan Carvey | Registry data extraction and correlation tool |
| Regshot | 1.9.0 | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software |
| USB Device Forensics | 1.06 | Woanware | Details previously attached USB devices on exported registry hives |
| USBDeview | 2.21 | Nirsoft | Details previously attached USB devices |
| UserAssist | 2.4.3 | Didier Stevens | Displays list of programs run, with run count and last run date and time |
Application analysis (other)
Name |
Version |
From |
Description |
|---|---|---|---|
| Dropbox Decryptor* | 1.1 | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox |
| Google Maps Tile Investigator* | 1.0 | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context |
| KaZAlyser | 1.2.8 | Sanderson Forensics | Extracts various data from the KaZaA application |
| LiveContactsView | 1.22 | Nirsoft | View and export Windows Live Messenger contact details |
| SkypeLogView | 1.42 | Nirsoft | View Skype calls and chats |
Abandonware
Software which appears no longer to be updated but is listed as it may still be of some use.
Name |
Version |
From |
Description |
|---|---|---|---|
| CaseNotes* | 1.2.2010.6 | QCC | Contemporaneous notes recorder |
| Exif Reader | 3.00 | Ryuuji Yoshimoto | Extracts exif data from digital photographs |
| Fragview* | Not listed | QCC | View recursive HTML, jpg and Flash files |
| GigaView* | 1.2 | QCC | Parses exported GigaTribe chat logs, results can be imported into Excel |
| Live View | 0.7b | CERT | Allows examiner to boot dd images in VMware. |
| VideoTriage* | Not listed | QCC | Produces thumbnails of video files so that the whole video doesn’t need to be watched |
*Entries marked with a star indicate that registration is required before downloading
