Resources

Free computer forensic tools

Since 2011 Forensic Control has maintained this list of free computer forensic software as an open resource for all. The list was last reviewed on 30 August 2017. The For reference section lists applications which appear to be no longer updated, but may still be of use. Forensic Control is a cyber security and computer forensic company based in London.

Updates to this page will be announced on our Twitter feed at twitter.com/ForensicControl

Suggestions?

We’re happy to receive suggestions for inclusion on this list. The software must be free and unrestricted, that is, fully functional and not time-limited. Please send your suggestions to info@forensiccontrol.com

Terms of use

Forensic Control provides no support or warranties for the listed software and it is the user’s responsibility to verify licensing agreements. Inclusion on the list does not equate to a recommendation. Using forensic software does not, on its own, make the user a forensic analyst or the output court admissible. Publishing the whole or part of this list is licensed under the terms of the Creative Commons – Attribution Non-Commercial 4.0 license.

Contents

Disk tools and data capture

NAME

FROM

DESCRIPTION

Arsenal Consulting

Mounts disk images as complete disks in Windows, giving access to Volume Shadow Copies, etc.

MoonSols

Generates a physical memory dump of Windows machines, 32-bit and 64-bit. Can run from a USB flash drive.

Guidance Software

Create EnCase evidence files and EnCase logical evidence files.

Magnet Forensics

Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes.

4Discovery

Edit EWF (E01) metadata, remove passwords (EnCase v6 and earlier).

Ridgecrop

Enables large capacity disks to be formatted as FAT32.

Web Content Protection Association

Browser designed to forensically capture web pages.

AccessData

Imaging tool, disk viewer and image mounter.

vogu00

Multi-threaded GUI imager running under Linux.

Belkasoft

Extracts a RAM dump, including memory protected by an anti-debugging or anti-dumping system. 32-bit and 64-bit builds.

Hjelmvik

Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing.

Nmap

Utility for network discovery and security auditing.

Magnet Forensics

Captures the physical memory of a suspect’s computer. Windows XP to Windows 10, and Server 2003, 2008, 2012. 32-bit and 64-bit.

Passmark Software

Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones.

Passmark Software

Mounts a wide range of disk images. Also allows creation of RAM disks.

Email analysis

NAME

FROM

DESCRIPTION

Lepide Software

Open and view (not export) Outlook EDB files without an Exchange server.

MiTeC

Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files.

SysTools

View MBOX emails and attachments.

Lepide Software

Open and view (not export) Outlook OST files without connecting to an Exchange server.

Lepide Software

Open and view (not export) Outlook PST files without needing Outlook.

General

NAME

FROM

DESCRIPTION

Mythicsoft

Search multiple files using Boolean operators and Perl Regex.

NIST

Collated forensic images for training, practice and validation.

Nuix

Copies data between locations, with file comparison, verification, logging.

Shirouzu Hiroaki

Self-labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc.

Gary Kessler

Table of file signatures.

Peter Fiskerstrand

Identifies over 1000 file types by examining their signatures.

Nirsoft

Calculate MD5 and SHA1 hashes.

Mobatek

Run Linux live CDs from their ISO image without having to boot to them.

Arkane Systems

Automatically moves the mouse pointer, preventing the screen saver, hibernation, etc. from activating.

Notepad++

Advanced Notepad replacement.

NIST

Hash sets of ‘known’ (ignorable) files.

Ted Technology

A Linux & Windows GUI for individual and recursive SHA1 hashing of files.

DSi

Enables software write-blocking of USB ports.

FH Aachen

Application that simplifies the use of the Volatility Framework.

Troy Larson

Guide by Brett Shavers to creating and working with a Windows boot CD.

File and data analysis

NAME

FROM

DESCRIPTION

Allan Hay

Reads Windows XP, Vista and Windows 7 prefetch files.

David Kovar

Parses the MFT from an NTFS file system allowing results to be analysed with other tools.

Eric Zimmerman

Find strings in binary data, including regular expression searching.

Evolka

PCAP viewer.

CrowdStrike

Windows console application to aid gathering of system information for incident response and security engagements.

CrowdStrike

Details network processes, listing binaries associated with each process. Queries VirusTotal, other malware repositories & reputation services to produce “at-a-glance” state of the system.

Digital Detective

Converts various data types to date/time values.

Various

Detects full and partial multimedia files in unallocated space.

Ted Technology

Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc.

Passware

Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file.

Phil Harvey

Read, write and edit Exif data in a large number of file types.

Toolsley.com

Drag and drop web-browser JavaScript tool for identification of over 2000 file types.

Sanderson Forensics

View various picture formats, image enhancer, extraction of embedded Exif, GPS data.

Alessandro Tanasi

In-depth analysis of image (picture) files.

Mandiant

Examine log files using text, graphic or histogram views.

4Discovery

Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files.

Nirsoft

View and export Windows Live Messenger contact details.

Eric Zimmerman

Prefetch Explorer.

EMC

Network packet capture and analysis.

Mandiant

Acquire and/or analyse RAM images, including the page file on live systems.

4Discovery

Recursively parses folders to extract metadata from MS Office, OpenOffice and PDF files.

Sanderson Forensics

Displays and decodes contents of an extracted MFT file.

Mike’s Forensic Tools

Lists EXIF and, where available, GPS data for all photographs present in a directory. Exports data to .xls or Google Earth KML format.

Microsoft

Suite of command-line Windows utilities.

Shadow Explorer

Browse and extract files from shadow copies.

Mrinal Kant, Tarakant Tripathy

Firefox add-on enabling viewing of any SQLite database.

Microsoft

Command-line tool for text searches.

MiTeC

View and manage MS OLE Structured Storage based files.

MiTeC

Analyse thumbs.db, Prefetch, INFO2 and .lnk files.

Gianluca Costa & Andrea De Franceschi

Network forensics analysis tool.

Mac OS tools

NAME

FROM

DESCRIPTION

Twocanoes Software

Audit Preference Pane and Log Reader for OS X.

Aaron Burghardt

Blocks the mounting of file systems, complementing a write blocker by disabling disk arbitration.

Blackbag Technologies

Converts epoch times to local time and UTC.

AccessData

Command line Mac OS version of AccessData’s FTK Imager.

Blackbag Technologies

Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected.

Blackbag Technologies

Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors.

Kyeongsik Lee

Memory forensic toolkit for Mac OS X.

Mobile devices

NAME

FROM

DESCRIPTION

Mario Piccinelli

Explore iOS backups.

Leo Crawford, Mat Proud

Explore the internal file structure of iPad, iPod and iPhone devices.

Robin Wood

Extracts phone model, software version, creation date and GPS data from iPhone videos.

CCL Forensics

Deconstructs Blackberry .ipd backup files.

SignalSEC Corp

Obtain SMS Messages, call logs and contacts from Android devices.

Data analysis suites

NAME

FROM

DESCRIPTION

Brian Carrier

Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below).

Backtrack

Penetration testing and security audit with forensic boot capability.

Nanni Bassetti

Linux based live CD, featuring a number of analysis tools.

Dr. Stefano Fratepietro and others

Linux based live CD, featuring a number of analysis tools.

ArxSys

Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items.

Harlan Carvey

Automates ‘repetitive tasks of data collection’.

Sumuri

Ubuntu based live boot CD for imaging and analysis.

SANS

VMware Appliance pre-configured with multiple tools allowing digital forensic examinations.

Brian Carrier

Collection of UNIX-based command line file and volume system forensic analysis tools.

Volatile Systems

Collection of tools for the extraction of artefacts from RAM.

File viewers

NAME

FROM

DESCRIPTION

SysTools

View (not save or export from) contents of BKF backup files.

SysTools

View (not save or export) Lotus Notes DXL file emails and attachments.

SysTools

View (not save or export from) E01 files & view messages within EDB, PST & OST files.

SysTools

View (not save or export) MS SQL MDF files.

SysTools

View (not save or export) MSG file emails and attachments.

SysTools

View (not save or export) OLM file emails and attachments.

Microsoft

View PowerPoint presentations.

Microsoft

View Visio diagrams.

VLC

VideoLAN

View most multimedia files and DVD, Audio CD, VCD, etc.

Internet analysis

NAME

FROM

DESCRIPTION

Foxton Software

Captures history from Firefox, Chrome, Internet Explorer and Edge web browsers running on Windows computers.

Foxton Software

Extract, view and analyse internet history from Firefox, Chrome, Internet Explorer and Edge web browsers.

CCL Forensics

Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”).

Nirsoft

Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache.

Mike’s Forensic Tools

Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits.

Busindre

Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and SeaMonkey browsers.

Belkasoft

Captures information publicly available in Facebook profiles.

Nirsoft

Extracts various details of Internet Explorer cookies.

Nirsoft

Extract stored passwords from Internet Explorer versions 4 to 8.

Nirsoft

Reads the cache folder of Firefox/Mozilla/Netscape Web browsers.

Nirsoft

Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers.

Nirsoft

Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages.

Nirsoft

Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace).

Nirsoft

Extracts the user names and passwords stored by Mozilla Firefox Web browser.

Nirsoft

Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache.

Nirsoft

Decrypts the content of the Opera Web browser password file, wand.dat.

Mandiant

Reviews list of URLs stored in the history files of the most commonly used browsers.

Magnet Forensics

Registry analysis

NAME

FROM

DESCRIPTION

Eric Zimmerman

Dumps the list of shimcache entries, showing which executables were run and their modification dates.

Woanware

Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file.

Microsoft

Examine Windows processes and registry threads in real time.

Eric Zimmerman

Command line access to offline Registry hives. Supports simple and regular expression searches as well as searching by last write timestamp.

US National Institute of Justice, Digital Forensics Solutions

For the acquisition, analysis, and reporting of registry contents.

Eric Zimmerman

Offline Registry viewer. Provides deleted artefact recovery, value slack support, and robust searching.

Harlan Carvey

Registry data extraction and correlation tool.

Regshot

Takes snapshots of the registry, allowing comparisons, e.g. to show registry changes after installing software.

Eric Zimmerman

Presents a visual representation of what a user’s directory structure looked like. Additionally exposes various timestamps (e.g., first explored and last explored for a given folder).

Woanware

Details previously attached USB devices on exported registry hives.

4Discovery

Displays 20+ attributes relating to USB device use on Windows systems.

Nirsoft

Details previously attached USB devices.

4Discovery

Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys.

Nirsoft

Extracts the user names and passwords stored by Mozilla Firefox Web browser.

Didier Stevens

Displays list of programs run, with run count and last run date and time.

MiTeC

Extracts configuration settings and other information from the Registry.

Application analysis

NAME

FROM

DESCRIPTION

Magnet Forensics

Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox.

Magnet Forensics

Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context.

Sanderson Forensics

Extracts various data from the KaZaA application.

Nirsoft

View and export Windows Live Messenger contact details.

Nirsoft

View Skype calls and chats.

For Reference

NAME

FROM

DESCRIPTION

Kazuyuki Nakayama

Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area.

Rene Devichi

View unencrypted backups of iPad, iPod and iPhones.

Nirsoft

Extracts recently visited Internet Explorer URLs.

CERT

Allows examiner to boot dd images in VMware.

How-To Geek

Guide to using an Ubuntu live disk to recover partitions, carve files, etc.

Zena Forensics

Extract WhatsApp messages from iOS and Android backups.