Here is a list of open source forensic tools

• Linux ‘dd’

dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.

• Advanced Forensic Format (AFF)

is an open and extensible file format designed to store disk images and associated metadata. This site also lists tools that work with AFF.

• Autopsy

The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Together, they can analyse Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).

• The Coroner's ToolKit (TCT)

TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in.

• mac-robber

mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system.

• Live View

a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the env.

• Open computer Forensics Architecture

The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.

• Sleuth Kit

The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools.

• TULP2G

TULP2G is a .NET 2.0 based forensic software framework for extracting and decoding data stored in electronic devices. Along with the framework this version includes several plug-ins in the area of retrieving data from mobile phones.

• Wireshark

Wireshark is a network capture and analyzer tool to see what’s happening in your network. Wireshark will be handy to investigate network related incident.

• Network Miner 

An interesting network forensic analyser for Windows, Linux & MAC OS X to detect OS, hostname, sessions and open ports through packet sniffing or by PCAP file. Network Miner provide extracted artefacts in an intuitive user interface.

• NMAP

NMAP (Network Mapper) is one of the most popular networks and security auditing tools. NMAP is supported on most of the operating systems including Windows, Linux, Solaris, MAC OS, HP-UX etc. It’s open source so free.

• RAM Capturer

RAM Capturer by Belkasoft is a free tool to dump the data from computer’s volatile memory. It’s compatible with Windows OS. Memory dumps may contain encrypted volume’s password and login credentials for web-mails and social network services.

• Forensic Investigator

If you are using Splunk then Forensic Investigator will be a very handy tool. It’s Splunk app and has many tools combined.

• FAW

FAW (Forensics Acquisition of Websites) is to acquire web pages for forensic investigation which has the following features: Capture the entire or partial page, Capture all types of image, Capture HTML source code of the web page, and Integrate with Wireshark.

• HashMyFiles

HashMyFiles will help you to calculate the MD5 and SHA1 hashes. It works on almost all latest Windows OS.

• USB Write Blocker

View the USB drives content without leaving the fingerprint, changes to metadata and timestamps. USB Write Blocker use Windows registry to write-block USB devices.

• USB Historian (Closed Source Freeware Tools)

This tool can parse all USB history information from your windows plug-and-play registry. This can give you a complete record of the USB drives that were inserted into the machine.

• Crowd Response

Response by Crowd Strike is a windows application to gather system information for incident response and security engagements. You can view the results in XML, CSV, TSV or HTML with help of CRConvert. It runs on 32 or 64 bit of Windows XP above. Crowd Strike has some other nice tools for investigation; Totrtilla – anonymously route TCP/IP and DNS traffic through TOR, Shellshock Scanner – scan your network for shellshock vulnerability, and Heartbleed scanner – scan your network for OpenSSL heart bleed vulnerability

• NFI Defraser

Defraser forensic tool may help you to detect full and partial multimedia files in the data streams.

• ExifTool

ExifTool helps you to read, write and edit meta information for a number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc.

• Toolsley

Toolsley got more than 10 useful tools for investigation: File signature verifier, File identifier, Hash & Validate, Binary inspector, Encode text, Data URI generator, and Password generator.

• DEFT Zero

DEFT (digital evidence and forensics toolkit) is a Linux-based distribution that allows professionals and non-experts to gather and preserve forensic data and digital evidence. It has some of the best computer forensics open source applications.

•  SIFT

SIFT (SANS investigative forensic toolkit) workstation is freely available as Ubuntu 14.04. SIFT is a suite of forensic tools you need and one of the most popular open source incident response platform.

• Dumpzilla

Extract all interesting information from Firefox, Iceweasel and Seamonkey browser to be analyzed with Dumpzilla.

• Browser History

Two free interesting tools; Browser history capturer – capture web browser (chrome, firefox, IE & edge) history on Windows OS, and  Browser history viewer – extract and analyze internet activity history from most of the modern browsers. Results are shown in the interactive graph and historical data can be filtered.

• ForensicUserInfo

Extract the following information with ForensicUserInfo: RID, LM/NT Hash, Password reset/Account expiry date, Login count/fail date, Groups, and Profile path.

• Kali Linux

Kali Linux is one of the most popular platforms for penetration testing but it has forensic capability too.

• Paladin

PALADIN forensic suite – the world’s most popular Linux forensic suite is a modified Linux distro based on Ubuntu available in 32 and 64 bit.

• CAINE

CAINE (Computer Aided Investigate Environment) is Linux distro that offers the complete forensic platform which has more than 80 tools for you to analyze, investigate and create an actionable report.

• HELIX3 Free

HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.

• Volatility

Volatility is the memory forensics framework. It used for incident response and malware analysis. With this tool, you can extract information from running processes, network sockets, network connection, DLLs and registry hives. It also has support for extracting information from Windows crash dump files and hibernation files. This tool is available for free under GPL license.

• FireEye RedLine (Closed Source Freeware Tools)

RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.

• Memoryze

A free memory forensic tool helps discover malicious activity in live memory. It can acquire and analyze images from memory.

• WindowSCOPE

WindowsSCOPE is another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory.

• Bulk Extractor

Bulk Extractor is also an important and popular digital forensics tool. It scans the disk images, file or directory of files to extract useful information. In this process, it ignores the file system structure, so it is faster than other available similar kinds of tools. It is basically used by intelligence and law enforcement agencies in solving cyber crimes.

• Free Hex Editor Neo

Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.

• Xplico

Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.

These are for training and/or teaching purposes.

• Data Hiding Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols

• Python Forensics: A workbench for inventing and sharing digital forensic 

• Python Passive Network Mapping: P2NMAP

• Executing Windows Command Line Investigations: While Ensuring Evidentiary

• Integrating Python with Leading Computer Forensics Platforms

• Cyber Security [3 volumes]: Protecting Businesses, Individuals, and the Government from the Next Cyber Attacks

• Defending IoT Infrastructures with the Raspberry Pi: Monitoring and Detecting

• PowerShell and Python Together: Targeting Digital Investigations

• Enabling Things to Talk: Designing IoT solutions with the IoT Architectural 

• The Internet of Things

• Practical Threat Intelligence and Data-Driven Threat Hunting 

These are for training and/or testing purposes.

• Digital Corpora Scenarios

Scenarios are collections of multiple disk images, memory dumps, network traffic, and/or data from portable devices. These scenarios are created to simulate the experience of performing a real digital forensics case.

• Digital Corpora Evidence Files

These include evidence files from various sources that do not have the accompanying fully fleshed scenario that the above links have.

• The CFReDS Project

NIST is developing Computer Forensic Reference Data Sets (CFReDS) for digital evidence.

• Digital Forensics Tool Testing Images

Testing in the public view is an important part of increasing confidence in software and hardware tools.

• Enron Email Dataset

Enron e-mail messages and attachments in two sets of downloadable compressed files: XML and PST.

• HogFly's Memory Dumps

From the Forensic Incident Response Blog, and the link is to the onedrive containing the images.

• The Law Enforcement and Forensic Examiner's Introduction to Linux

Great resource for practicing your Linux forensic skills.

• Traffic Analysis Exercises

A source for pcap files and malware samples. This site has published over 1600 blog entries about malware or malicious network traffic.

• Wireshark Sample Captures Wiki

Network packet captures for analysis.

• Wireshark Network Analysis Book Images

These are used in the above book.