Resources

Open Source Forensic Tools

Here is a list of open source forensic tools


dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.

is an open and extensible file format designed to store disk images and associated metadata. This site also lists tools that work with AFF.

The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Together, they can analyse Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).

TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in.

mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system.

a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the env.

The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.

The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools.

TULP2G is a .NET 2.0 based forensic software framework for extracting and decoding data stored in electronic devices. Along with the framework this version includes several plug-ins in the area of retrieving data from mobile phones.

Wireshark is a network capture and analyzer tool to see what’s happening in your network. Wireshark will be handy to investigate network related incident.

An interesting network forensic analyser for Windows, Linux & MAC OS X to detect OS, hostname, sessions and open ports through packet sniffing or by PCAP file. Network Miner provide extracted artefacts in an intuitive user interface.

NMAP (Network Mapper) is one of the most popular networks and security auditing tools. NMAP is supported on most of the operating systems including Windows, Linux, Solaris, MAC OS, HP-UX etc. It’s open source so free.

RAM Capturer by Belkasoft is a free tool to dump the data from computer’s volatile memory. It’s compatible with Windows OS. Memory dumps may contain encrypted volume’s password and login credentials for web-mails and social network services.

If you are using Splunk then Forensic Investigator will be a very handy tool. It’s Splunk app and has many tools combined.

FAW (Forensics Acquisition of Websites) is to acquire web pages for forensic investigation which has the following features: Capture the entire or partial page, Capture all types of image, Capture HTML source code of the web page, and Integrate with Wireshark.

HashMyFiles will help you to calculate the MD5 and SHA1 hashes. It works on almost all latest Windows OS.

View the USB drives content without leaving the fingerprint, changes to metadata and timestamps. USB Write Blocker use Windows registry to write-block USB devices.

This tool can parse all USB history information from your windows plug-and-play registry. This can give you a complete record of the USB drives that were inserted into the machine.

Response by Crowd Strike is a windows application to gather system information for incident response and security engagements. You can view the results in XML, CSV, TSV or HTML with help of CRConvert. It runs on 32 or 64 bit of Windows XP above. Crowd Strike has some other nice tools for investigation; Totrtilla – anonymously route TCP/IP and DNS traffic through TOR, Shellshock Scanner – scan your network for shellshock vulnerability, and Heartbleed scanner – scan your network for OpenSSL heart bleed vulnerability

Defraser forensic tool may help you to detect full and partial multimedia files in the data streams.

ExifTool helps you to read, write and edit meta information for a number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc.

Toolsley got more than 10 useful tools for investigation: File signature verifier, File identifier, Hash & Validate, Binary inspector, Encode text, Data URI generator, and Password generator.

DEFT (digital evidence and forensics toolkit) is a Linux-based distribution that allows professionals and non-experts to gather and preserve forensic data and digital evidence. It has some of the best computer forensics open source applications.

SIFT (SANS investigative forensic toolkit) workstation is freely available as Ubuntu 14.04. SIFT is a suite of forensic tools you need and one of the most popular open source incident response platform.

Extract all interesting information from Firefox, Iceweasel and Seamonkey browser to be analyzed with Dumpzilla.

Two free interesting tools; Browser history capturer – capture web browser (chrome, firefox, IE & edge) history on Windows OS, and  Browser history viewer – extract and analyze internet activity history from most of the modern browsers. Results are shown in the interactive graph and historical data can be filtered.

Extract the following information with ForensicUserInfo: RID, LM/NT Hash, Password reset/Account expiry date, Login count/fail date, Groups, and Profile path.

Kali Linux is one of the most popular platforms for penetration testing but it has forensic capability too.

PALADIN forensic suite – the world’s most popular Linux forensic suite is a modified Linux distro based on Ubuntu available in 32 and 64 bit.

CAINE (Computer Aided Investigate Environment) is Linux distro that offers the complete forensic platform which has more than 80 tools for you to analyze, investigate and create an actionable report.

HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.

Volatility is the memory forensics framework. It used for incident response and malware analysis. With this tool, you can extract information from running processes, network sockets, network connection, DLLs and registry hives. It also has support for extracting information from Windows crash dump files and hibernation files. This tool is available for free under GPL license.

RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.

A free memory forensic tool helps discover malicious activity in live memory. It can acquire and analyze images from memory.

WindowsSCOPE is another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory.

Bulk Extractor is also an important and popular digital forensics tool. It scans the disk images, file or directory of files to extract useful information. In this process, it ignores the file system structure, so it is faster than other available similar kinds of tools. It is basically used by intelligence and law enforcement agencies in solving cyber crimes.

Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.

Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.

Evidence Files

These are for training and/or testing purposes.


Scenarios are collections of multiple disk images, memory dumps, network traffic, and/or data from portable devices. These scenarios are created to simulate the experience of performing a real digital forensics case.

These include evidence files from various sources that do not have the accompanying fully fleshed scenario that the above links have.

NIST is developing Computer Forensic Reference Data Sets (CFReDS) for digital evidence.

Testing in the public view is an important part of increasing confidence in software and hardware tools.

Enron e-mail messages and attachments in two sets of downloadable compressed files: XML and PST.

From the Forensic Incident Response Blog, and the link is to the onedrive containing the images.

Great resource for practicing your Linux forensic skills.

A source for pcap files and malware samples. This site has published over 1600 blog entries about malware or malicious network traffic.

Network packet captures for analysis.

These are used in the above book.

Visit Us On Social Media:

Subscribe to our Facebook Group
Follow Us On Twitter
Like our Facebook Page

Copyright © Association of Cyber Forensics and Threat Investigators. All rights reserved.