Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what’s “under the hood” of a system.
This is by no means an exhaustive list and may not cover everything you need for your investigation. You might also need additional utilities such as file viewers, hash generators, and text editors – check out 101 Free Admin Tools for some of these.
My articles on Top 10 Free Troubleshooting Tools for SysAdmins, Top 20 Free Network Monitoring and Analysis Tools for Sys Admins and Top 20 Free File Management Tools for Sys Admins might also come in handy, since they contain a bunch of tools that can be used for digital forensic investigations (e.g. BackTrack and the SysInternals Suite or the NirSoft suite of tools).
Even if you may have heard of some of these tools before, I’m confident that you’ll find a gem or two amongst this list.
01 SANS SIFT
The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.
When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window.
02 CrowdStrike CrowdResponse
CrowdResponse is a lightweight console application that can be used as part of an incident response scenario to gather contextual information such as a process list, scheduled tasks, or Shim Cache. Using embedded YARA signatures you can also scan your host for malware and report if there are any indicators of compromise.
To run CrowdResponse, extract the ZIP file and launch a Command Prompt with administrative privileges. Navigate to the folder where the CrowdResponse*.exe executable resides and enter your command parameters. At minimum, you must include the output path and the ‘tool’ you wish to use to collect data. For a full list of ‘tools’, enter CrowdResponse64.exe on its own at the command prompt and it will print the supported tool names together with example parameters.
Once you’ve exported the data you need, you can use CRconvert.exe to convert the data from XML to another file format like CSV or HTML.
03 Volatility
Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.
If you are using the standalone Windows executable version of Volatility 2, simply place volatility-2.x.standalone.exe into a folder and open a command prompt window. From the command prompt, navigate to the location of the executable file and type “volatility-2.x.standalone.exe -f <FILENAME> --profile=<PROFILENAME> <PLUGINNAME>” without quotes. FILENAME is the memory dump file you wish to analyse; PROFILENAME is the profile matching the operating system, service pack and architecture of the machine the dump was taken from (run the imageinfo plugin against the dump if you are unsure, or list the available profiles and plugins with --info); PLUGINNAME is the name of the plugin you wish to use to extract information.
Note: A common first plugin is ‘connscan’, which scans the physical memory dump for TCP connection objects, including ones that had already been closed. It only applies to Windows XP and Server 2003 profiles; for Vista and later use ‘netscan’, which covers TCP connections and listening sockets in one pass.
04 The Sleuth Kit (+Autopsy)
The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.
Note: The Sleuth Kit’s command-line tools run on Linux, macOS and Windows, and Autopsy is available for all three as well, although it is simplest to install on Windows, where it ships as a single installer with The Sleuth Kit bundled.
When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.
05 FTK Imager
FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.
Note: There is a portable version of FTK Imager that will allow you to run it from a USB disk.
When you launch FTK Imager, go to ‘File > Add Evidence Item…’ to load a piece of evidence for review. To create a forensic image, go to ‘File > Create Disk Image…’ and choose which source you wish to forensically image.
06 Linux ‘dd’
dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.
Note: dd is a very powerful tool that can have devastating effects if not used with care. It is recommended that you experiment in a safe environment before using this tool in the real world.
Tip: A modified version of dd is available from http://sourceforge.net/projects/dc3dd/ – dc3dd includes additional features that were added specifically for digital forensic acquisition tasks.
To use dd, simply open a terminal window and type dd followed by a set of command parameters (which parameters you need depends on what you want to do). The basic dd syntax for forensically wiping a partition is:
dd if=/dev/zero of=/dev/sdb1 bs=1024
where if = input file, of = output file, bs = block size (the number of bytes read and written per operation)
Note: Replace /dev/sdb1 with the device you want to wipe and 1024 with the block size you want to use. /dev/sdb1 is the first partition on the second disk; to wipe the whole disk, including its partition table, target /dev/sdb instead. Confirm the device name with lsblk before you press Enter, because dd overwrites whatever you point it at without asking.
The basic dd syntax for creating a forensic image of a partition is:
dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync
where if = input file (or in this case the source device), of = output file, bs = block size, conv = conversion options. noerror tells dd to keep going after a read error instead of aborting, and sync pads each short or failed read with zeros so the image stays the same size and alignment as the source; without sync, every unreadable sector silently shifts all the data after it. Use /dev/sdb rather than /dev/sdb1 to image the entire disk. After imaging, hash both the source device and the image file (sha256sum or md5sum) and record both values; they should match unless bad sectors had to be zero-filled, in which case dd’s error output tells you which ones.
Tip: For additional usage info, from a terminal window, type “man dd” without quotes to bring up the help manual for the dd command.
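The following is an added example written for this article, not code from the dd or dc3dd projects: a small Python imager that reproduces the block-copy behaviour of dd with conv=noerror,sync (zero-filling unreadable blocks, padding short reads) and then hashes the result the way you would verify an acquisition. The FaultyDevice class is a constructed stand-in for a drive with bad sectors so that the whole thing runs offline; its seek/read interface is an assumption of the example.

```python
"""Added example: a dd-style block copier with noerror/sync semantics, plus
incremental hashing to verify the acquisition. Not part of dd or dc3dd."""
import hashlib
import io


class FaultyDevice:
    """Constructed stand-in for a block device with unreadable sectors.
    Reading any block listed in `bad_blocks` raises OSError, as a failing
    drive would report an I/O error."""

    def __init__(self, data, bad_blocks=(), block_size=512):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_blocks)
        self._bs = block_size

    def seek(self, pos):
        self._buf.seek(pos)

    def read(self, n):
        if self._buf.tell() // self._bs in self._bad:
            raise OSError("Input/output error")
        return self._buf.read(n)


def dd_image(src, block_size=512, noerror=True, sync=True):
    """Copy `src` block by block and return (image_bytes, bad_block_numbers).

    noerror: continue after a read error instead of aborting (dd's default
             is to abort, leaving a truncated image).
    sync:    pad every short or failed read to block_size with NUL bytes so
             the image keeps the source's offsets. Without it a failed read
             writes nothing and every byte after it shifts back one block.
    """
    out = io.BytesIO()
    bad = []
    block_no = 0
    while True:
        src.seek(block_no * block_size)
        failed = False
        try:
            chunk = src.read(block_size)
        except OSError:
            if not noerror:
                raise
            failed = True
            bad.append(block_no)
            chunk = b""
        if not failed and chunk == b"":
            break  # end of device
        if sync and len(chunk) < block_size:
            chunk += b"\0" * (block_size - len(chunk))
        out.write(chunk)
        block_no += 1
    return out.getvalue(), bad


def hash_bytes(data, chunk_size=1 << 20):
    """Hash `data` incrementally, as you would a multi-gigabyte image file,
    returning hex digests keyed by algorithm name."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    view = memoryview(data)
    for pos in range(0, len(view), chunk_size):
        for h in hashers.values():
            h.update(view[pos:pos + chunk_size])
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_digests, image):
    """Return the algorithms whose digest differs between the recorded
    source hashes and the image; an empty list means the image matches."""
    image_digests = hash_bytes(image)
    return [name for name, d in source_digests.items() if image_digests.get(name) != d]


if __name__ == "__main__":
    # Constructed 2 KiB "disk" (four 512-byte blocks) whose third block is bad.
    disk = bytes(range(256)) * 8
    image, bad = dd_image(FaultyDevice(disk, bad_blocks={2}), block_size=512)
    print("bad blocks zero-filled:", bad, "image size:", len(image))
    print("mismatching digests:", verify_image(hash_bytes(disk), image))
```

Two things the example makes visible that the one-line dd command does not: with sync the image stays exactly as large as the source and the bad block is a run of zeros at the right offset, whereas without sync the image is a block shorter and everything after the bad sector is misaligned; and a source whose size is not a multiple of bs (a file, say, rather than a disk) gets its last block padded, so its hash will not match the source even with no errors at all.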
07 CAINE
CAINE (Computer Aided INvestigative Environment) is a Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for mobile forensics, network forensics, data recovery and more.
When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar.
08 ExifTool
ExifTool is a command-line application used to read, write or edit file metadata information. It is fast, powerful and supports a large range of file formats (although image file types are its speciality). ExifTool can be used for analysing the static properties of suspicious files in a host-based forensic investigation, for example.
To use ExifTool, simply drag and drop the file you want to extract metadata from onto the exiftool(-k).exe application and it will open a command prompt window with the information displayed. Alternatively, rename exiftool(-k).exe to exiftool.exe and run from the command prompt.
09 Free Hex Editor Neo
Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.
Use ‘File > Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where you can begin to navigate through the hex manually or press CTRL + F to run a search.
10 Bulk Extractor
bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts).
Tip: Each line of an output file (email.txt, url.txt, ccn.txt, domain.txt and so on) holds three tab-separated columns: the decimal byte offset at which the feature was found, the feature itself (the e-mail address, URL or card number), and a short snippet of surrounding context. Hex editors take offsets in hexadecimal, so convert the first column before jumping to it (offset 4102, for instance, is 0x1006 in a hex editor). An offset written as a path such as 12345-ZIP-67 means the feature was found inside a compressed object, so it does not map to a single position on the raw disk.
bulk_extractor comes as a command-line tool or with a GUI (the Bulk Extractor Viewer). A typical run points the tool at a forensic image and names an output directory with the -o option, here a folder called “BE_Output”, which bulk_extractor creates itself. The results can then be viewed in the Bulk Extractor Viewer or by opening the output text files directly.
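As an added example (not from the article or from bulk_extractor itself), the Python below reads a bulk_extractor feature file, turns the decimal offsets into the hex form a hex editor expects, and confirms that each feature really sits at its recorded offset in the image before you go looking for it. Both the image bytes and the feature lines are constructed for the example, laid out the way BE_Output/email.txt is.

```python
"""Added example: read a bulk_extractor feature file and check the features
against the image at their offsets. Not part of bulk_extractor; both the
feature lines and the image below are constructed."""


def parse_feature_file(text):
    """Parse feature-file lines of the form offset<TAB>feature<TAB>context.
    Lines starting with '#' are the file's banner/metadata and are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 2)
        if len(parts) < 2:
            continue
        path, feature = parts[0], parts[1]
        context = parts[2] if len(parts) == 3 else ""
        # A plain decimal number is a byte offset into the image. A compound
        # "forensic path" such as 12345-ZIP-67 means the feature was found
        # inside a decompressed stream and has no single on-disk offset.
        offset = int(path) if path.isdigit() else None
        records.append({
            "path": path,
            "offset": offset,
            "hex_offset": f"0x{offset:X}" if offset is not None else None,
            "feature": feature,
            "context": context,
        })
    return records


def feature_at_offset(image, record):
    """True when the feature's bytes really sit at the recorded offset. Use
    this to confirm a hit before jumping to it in a hex editor."""
    if record["offset"] is None:
        return False
    start = record["offset"]
    needle = record["feature"].encode("utf-8")
    return image[start:start + len(needle)] == needle


# Constructed stand-in for a disk image: 4 KiB of zeros, then the start of
# a mail header, then more slack.
SAMPLE_IMAGE = (
    b"\0" * 4096
    + b"From: alice@example.com\r\nTo: bob@example.net\r\n"
    + b"\0" * 1000
)

# Constructed lines in the layout of BE_Output/email.txt. bulk_extractor
# writes non-printable bytes in the context column as \xNN escapes.
SAMPLE_EMAIL_TXT = (
    "# BANNER FILE NOT PROVIDED (-b option)\n"
    "# BULK_EXTRACTOR-Version: 1.6.0\n"
    "# Feature-Recorder: email\n"
    "# Feature-File-Version: 1.1\n"
    "4102\talice@example.com\tFrom: alice@example.com\\x0D\\x0ATo: bob@exa\n"
    "4125\tbob@example.net\tom\\x0D\\x0ATo: bob@example.net\\x0D\\x0A\n"
    "12345-ZIP-67\tcarol@example.com\tfound inside a compressed stream\n"
)


def report(image, text):
    """Return (hex_offset, feature, confirmed) for every record."""
    return [(r["hex_offset"], r["feature"], feature_at_offset(image, r))
            for r in parse_feature_file(text)]


if __name__ == "__main__":
    for hex_off, feature, ok in report(SAMPLE_IMAGE, SAMPLE_EMAIL_TXT):
        status = "confirmed" if ok else "not at offset"
        print(f"{hex_off or 'n/a':>8}  {feature:<20}  {status}")
```

The check matters in practice because features found inside compressed or encoded objects carry a forensic path rather than a plain offset; the parser keeps the path but reports no offset for them, and feature_at_offset returns False rather than reading from a meaningless position.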
11 DEFT
DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.
When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFT to disk. If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.
12 Xplico
Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract application data from captured internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.
Once you’ve installed Xplico, access the web interface by navigating to http://<IPADDRESS>:9876 and logging in with a normal user account. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has finished decoding, use the navigation menu on the left hand side to view the results.
13 LastActivityView
I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my Top 10 Free System Troubleshooting Tools for SysAdmins article. LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. Activities such as running an executable file, opening a file or folder from Explorer, an application or system crash, or a user performing a software installation are all listed. The information can be exported to a CSV, XML or HTML file. This tool is useful when you need to show that a user (or account) performed an action he or she said they didn’t. Note that LastActivityView builds its list from artefacts already on the system (event logs, prefetch files, registry keys and the like) and runs on the live machine, so treat it as a quick triage view and go back to the underlying artefacts, ideally from an image, before relying on it as evidence.
When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on. Sort by action time or use the search button to start investigating what actions were taken on the machine.
14 DSi USB Write Blocker
DSi USB Write Blocker is a software-based write blocker that prevents write access to USB mass storage devices. This matters in an investigation because Windows will otherwise touch a newly inserted volume (updating timestamps, creating system folders, and so on), altering the evidence and undermining its integrity.
When you run DSi USB Write Blocker, it brings up a window that allows you to enable or disable the USB Write Blocker. Once you make changes and exit the application, you can keep an eye on the status from the padlock icon in the taskbar. When performing an analysis of a USB drive, enable the USB Write Blocker first and then plug the USB drive in.
If you are looking for a command line alternative, check out ‘USB Write Blocker for ALL Windows’. This tool works by setting the WriteProtect value under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, which tells Windows to mount USB storage read-only. To run the tool, you simply execute the batch file and select Option 1 to put the USB ports into read-only mode. Software write blockers depend on the operating system honouring that policy, so verify the block against a scratch USB stick before trusting it with evidence, and prefer a hardware write blocker where one is available.
15 FireEye RedLine
RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.
When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you already have a memory dump file available, you’ll need to create a collector to gather data from the machine and let that process run through to completion. Once you have a memory dump file to hand you can begin your analysis.
16 PlainSight
PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital forensic tasks such as viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more.
When you boot into PlainSight, a window pops up asking you to select whether you want to perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.
17 HxD
HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with ease of use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.
From the HxD interface start your analysis by opening a file from ‘File > Open’, loading a disk from ‘Extras > Open disk…’ or loading a RAM process from ‘Extras > Open RAM…’
18 HELIX3 Free
HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.
Note: The HELIX3 version you need is 2009R1. This version was the last free version available before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a useful addition to your digital forensics toolkit.
When you boot using HELIX3, you are asked whether you want to load the GUI environment or install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-based screen will appear giving you the option to run the graphical version of the bundled tools.
19 Paladin Forensic Suite
Paladin Forensic Suite is a Live CD based on Ubuntu that is packed with a wealth of open source forensic tools. The 80+ tools found on this Live CD are organized into over 25 categories including Imaging Tools, Malware Analysis, Social Media Analysis, Hashing Tools, etc.
After you boot Paladin Forensic Suite, navigate to the App Menu or click on one of the icons in the taskbar to get started.
Note: A handy Quick Start Guide for Paladin Forensic Suite is available to view or download from the Paladin website as well as the taskbar within Paladin itself.
20 USB Historian
USB Historian parses USB information, primarily from the Windows registry, to give you a list of all USB drives that were plugged into the machine. It displays information such as the name of the USB drive, the serial number, when it was mounted and by which user account. This information can be very useful when you’re dealing with an investigation whereby you need to understand if data was stolen, moved or accessed.
When you launch USB Historian, click the ‘+’ icon on the top menu to launch the data parse wizard. Select which method you want to parse data from (Drive Letter, Windows and Users Folder, or Individual Hives/Files) and then select the respective data to parse. Once complete, the main pane lists each device with the fields described above (name, serial number, mount time and user account).
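As an added example (not from USB Historian or the article), the Python below pulls the same core fields out of a Registry Editor (.reg) export of the USBSTOR key: device class, vendor, product, revision, serial number and friendly name, and flags serials that Windows generated itself. The export text is constructed for the example; a real .reg file is UTF-16, so read it with encoding="utf-16" first.

```python
"""Added example: parse USBSTOR entries from a .reg export of the SYSTEM hive.
Not part of USB Historian; the sample export below is constructed."""
import re

# [HKEY_LOCAL_MACHINE\SYSTEM\<control set>\Enum\USBSTOR\<device id>\<instance id>]
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)"
    r"\\Enum\\USBSTOR\\(?P<device>[^\\\]]+)\\(?P<instance>[^\\\]]+)\]$"
)
# Device IDs look like Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00
DEVICE_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_usbstor_export(text):
    """Return one dict per USBSTOR device instance found in the export."""
    devices = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            dev = DEVICE_RE.match(key.group("device"))
            current = None
            if dev:
                instance = key.group("instance")
                # A device that reported no serial gets an ID Windows makes
                # up, recognisable by '&' as the second character. Such an ID
                # is unique to this machine, not to the physical stick, so it
                # cannot be used to match the device on another computer.
                unique = len(instance) > 1 and instance[1] != "&"
                current = {
                    "control_set": key.group("cs"),
                    "class": dev.group("cls"),
                    "vendor": dev.group("vendor"),
                    "product": dev.group("product"),
                    "revision": dev.group("rev"),
                    "instance_id": instance,
                    # Windows appends "&0" to the serial the device reported.
                    "serial": instance.rsplit("&", 1)[0] if unique else None,
                    "serial_is_unique": unique,
                    "friendly_name": None,
                }
                devices.append(current)
        elif line.startswith("["):
            current = None  # a subkey such as Device Parameters; skip its values
        elif current is not None:
            val = VALUE_RE.match(line)
            if val and val.group("name") == "FriendlyName":
                current["friendly_name"] = val.group("value")
    return devices


# Constructed export: one stick with a real serial, one with a generated ID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
"DeviceDesc"="@disk.inf,%disk_devdesc%;Disk drive"
"FriendlyName"="SanDisk Cruzer Blade USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0\Device Parameters]
"UserRemovalPolicy"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2bf5a1b3&0&0000]
"FriendlyName"="Generic Flash Disk USB Device"
"""


if __name__ == "__main__":
    for d in parse_usbstor_export(SAMPLE_REG):
        print(d["vendor"], d["product"], d["serial"] or "(generated id)",
              "unique" if d["serial_is_unique"] else "not unique", "-", d["friendly_name"])
```

What this cannot give you is the “when” and “who”: key last-write times are not part of a .reg export, so for first/last connection you need the hive file itself or a live registry, and the user account comes from matching the volume GUID in MountedDevices against each user’s NTUSER.DAT MountPoints2 key, which is exactly the cross-referencing USB Historian does for you.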
Forensic Software: Everything You Need to Know About Computer Forensics
When the average person hears the phrase “computer forensics” or “forensic computing”, an image of a shadowy figure wearing mirrored glasses immediately comes to mind. But is it an accurate representation of what computer and digital forensics are really all about? It’s not, as you’ll soon find out in this article.
Even though the same tools used by a real computer forensic specialist are used by his or her underground counterpart, the essence of digital forensics is data recovery and preservation. If you have ever used a data recovery tool such as Disk Drill to recover lost files from your computer, you already have a rough idea of one aspect of forensic computer science and the work of a computer forensic investigator. In this article, you are going to learn the rest.
Computer Forensics Definition
Techopedia defines computer forensics as “the process of uncovering and interpreting electronic data”. The main goal of this process is to “preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events”.
In other words, digital forensics is a branch of the same forensic science you know from old crime TV shows. You know how they usually go: a horrendous murder is committed. Police officers arrive at the scene with the chief investigator leading the pack in his Ford Galaxie 500. As soon as they step out of their vehicles, somebody yells “Don’t touch anything! We need every piece of evidence we can find”.
Back in the day, such evidence would often be someone’s diary or a fingerprint on a glass of water. These days, it’s digital metadata, log files, IP addresses, and leftover chunks of ones and zeros. Some of the very first digital crimes can be traced back to the late 1970s and early 1980s. In those days, computer security and privacy were the subjects of interest to only a very small group of geeks and innovators.
A major turning point occurred in 1978, with the 1978 Florida Computer Crimes Act, which recognized the first computer crimes in the United States and included legislation against unauthorized deletion or modification of computer data. Other acts, such as the US Federal Computer Fraud and Abuse Act of 1986 and the British Computer Misuse Act of 1990, followed soon after that.
Before the arrival of the new millennium, the discussion still revolved mostly around recognizing computer crimes as serious threats to personal, organizational and national security. Since 2000, the need for standardization has produced guidance such as the Scientific Working Group on Digital Evidence (SWGDE)’s “Best Practices for Computer Forensics”, and has led digital forensics laboratories to seek accreditation under ISO/IEC 17025, the general ISO standard for the competence of testing and calibration laboratories.
These standards and guides helped establish a set of best practices for computer forensic specialists to follow and spurred forensic software companies to produce capable forensic data recovery tools able to meet the complex demands of the modern age.
The typical forensic process has several distinct stages: the seizure, forensic acquisition, analysis, and the production of a report based on the collected data. There are special free forensic software tools as well as paid forensic tools for each stage. A list of digital forensics tools can be found later in this article.
Sub-Branches of Computer Forensics
Computer forensic specialists either deal with the private or the public sector. With the public sector, their work is usually to support or refute a hypothesis before criminal or civil courts. The bread and butter of private sector forensic investigators are corporate investigations and intrusion investigations.
As the complexity of modern technology increases, computer forensic specialists often focus on one or a number of sub-branches of digital forensics, to gain expert-level knowledge. Digital forensics is typically divided according to the type of devices involved. The major branches are computer forensics, mobile device forensics, network forensics, forensic data analysis, and database forensics.
The branch that has seen the most growth over the past few years is mobile device forensics. As people replace laptops and desktop computers with smartphones and tablets, the need for software capable of acquiring and recovering data from phones rises dramatically.
Computer Forensic Tools and Equipment
To describe some of the many computer forensic tools used by investigators and specialists, let’s imagine a crime scene involving child pornography stored on a personal computer. In most cases, investigators would first remove the PC’s hard drive and attach it through a hardware write blocker. Such a device passes read commands through to the disk but blocks write commands at the interface, so the content of the drive cannot be altered while investigators capture and preview it.
A bit-accurate copy of the disk can be made with a variety of specialized tools. There are large digital forensics frameworks and software solutions, alongside countless smaller utilities. The former group includes Digital Forensics Framework, Open Computer Forensics Architecture, CAINE (Computer Aided Investigative Environment), X-Ways Forensics, SANS Investigative Forensics Toolkit (SIFT), EnCase, The Sleuth Kit, libforensics, Volatility, The Coroner’s Toolkit, Oxygen Forensic Suite, Computer Online Forensic Evidence Extractor (COFEE), HELIX3 and Cellebrite UFED.
These large software solutions and forensic suites include a wide range of forensic data services in a single package. However, many professional forensic specialists prefer to build their own customized toolboxes from individual tools and utilities that exactly fit their needs and preferences. The options are plentiful for every stage of the forensic data recovery process, including hard drive forensics and file system forensic analysis.
Data capture can be done with the help of EnCase Forensic Imager, FTK Imager, Live RAM Capturer, or Disk2vhd from Microsoft. Emails are analyzed with tools such as EDB Viewer, Mail Viewer, or MBOX Viewer. Some tools are made specifically to target certain operating systems, while others support multiple platforms. Popular tools for Mac OS X include Disk Arbitrator, Volafox, and ChainBreaker, which parses keychain structure and extracts user’s information. Needless to say that no forensic analyst can be without a sizable assortment of internet analysis tools, including Dumpzilla from Busindre, Chrome Session Parser, IEPassView, OperaPassView, and Web Page Saver from Magnet Forensics.
Features of Professional Forensic Tools
Features of professional forensic tools vary greatly depending on what aspect of forensic analysis they target and what market they are aimed at. Generally, large forensic software suites have to be able to do the following:
- Support hashing of all files, which allows comparative filtering
- Full disk hashing to be able to confirm that the data has not changed (typically one tool is used to acquire and another is used to confirm the disk hash)
- Exact pathway locators
- Clear time and date stamps
- Have to include an acquisition feature
- Search and filtering of items
- The ability to load iOS backups and parse their data
Compared to law enforcement agencies, corporations are usually not concerned with volatile RAM captures. They want to acquire the evidence for private investigation and/or turn over to Law Enforcement. They are also usually not interested in previewing ability.
Major Forensic Software Providers
The field of forensic software analysis is filled with forward-thinking innovators and prolific, existing software companies that are ready to expand their operation. Large forensic software providers tend to appear at large industry gatherings, such as the High Tech Crime Investigation Association Conference, but there are many of these conferences across North America.
Let’s take a look at some of the most prolific forensic software providers and their products.
BlackBag Technologies https://www.blackbagtech.com
BlackLight by BlackBag is the premier Mac forensic tool on the market right now and costs approximately $2,600. BlackBag started developing it five years ago as a Mac-only forensic tool; it has since become a good Windows examination tool as well. It will analyze iOS and Android devices, but it is not capable of analyzing BlackBerry devices. One thing BlackLight doesn’t do on its own is the forensic acquisition of bit-for-bit clones; for that BlackBag has an additional tool called MacQuisition.
MacQuisition boots a stripped-down version of macOS and costs over $1,000 USD because of the Apple licensing involved. It does a very good job of discovering encryption and can join the members of a Fusion Drive into one volume.
AccessData https://accessdata.com
AccessData is the leading provider of E-Discovery, Computer and Mobile Device Forensics for corporations, law firms, and government agencies. Their digital forensics solutions include Forensic ToolKit (FTK), which provides comprehensive processing and indexing up front, so filtering and searching are faster than with any other solution on the market.
The company is widely known for their mobile forensics tools, including Mobile Phone Examiner Plus (MPE+) and nFIELD. The former allows mobile forensic examiners to quickly collect, easily identify and effectively obtain the key data other solutions miss. The latter is an agile solution that allows users to perform logical and physical acquisitions of all MPE+ supported mobile devices in just 5 steps.
Guidance Software https://www.guidancesoftware.com
Guidance Software, founded in 1997, develops EnCase Forensic, a Windows-only forensic tool that has been the mainstay of forensics for over a decade. The tool made headlines in 2002 when it was used in the murder trial of David Westerfield to examine his computers for evidence of child pornography, and when French police used EnCase to discover critical emails from Richard Colvin Reid, also known as the Shoe Bomber.
EnCase Forensic is capable of acquisition, hard drive restoration (cloning a disk bit for bit onto another drive), comprehensive disk-level investigation and extensive reporting, among many other things.
Magnet Forensics https://www.magnetforensics.com
Founded by a former police officer and programmer, Magnet Forensics builds a complete digital investigation platform used by over 3,000 agencies and organizations around the world. It started as an Internet-artefact carving tool (Internet Evidence Finder) and has since expanded into a full-fledged forensic suite. Magnet’s tools can make physical acquisitions of phones where possible (most Android devices, iPhone 4 and earlier, and BlackBerry), and these physical images can then be loaded into other tools such as Cellebrite’s.
X-Ways https://www.x-ways.net
X-Ways is a relative newcomer to forensics, but the company is quickly becoming popular due to its speed of innovation. Developed by a team of German engineers, forensic tools from X-Ways do a fantastic job when it comes to disk imaging, disk cloning, virtual RAID reconstruction, remote network drive analysis, remote RAM access, cloud storage access and more. The downside is that they require considerable experience to use.
Cellebrite https://www.cellebrite.com
A subsidiary of Japan’s Sun Corporation, Cellebrite Mobile Synchronization is an Israeli company considered the leader in mobile forensic software. Its premier mobile tool carries a very high price tag of around $12,000 USD plus a yearly license of around $4,000. With the high price comes top-notch service that provides deep insight into mobile devices through Cellebrite’s Unified Digital Forensics Platform.
CERT
CERT stands for Computer Emergency Response Team. The original CERT Coordination Center (CERT/CC) was set up at Carnegie Mellon University in 1988; the United States government’s US-CERT, established in 2003 to protect the nation’s Internet infrastructure against cyber attacks, took its name from it. CERT/CC has developed several tools used by investigators and vulnerability analysts, including CERT Triage Tools, whose core is a GNU Debugger extension called “exploitable” that classifies Linux application crashes by their likely exploitability so that analysts can decide which bugs to examine first. CERT Triage Tools is developed publicly on GitHub.
Disk Drill’s Take on Forensic Data Recovery
Disk Drill is a proven data recovery tool that has been successfully used by countless users from all around the world to recover documents, images, video files, and other types of data from a variety of different storage devices.
CleverFiles, the company behind Disk Drill, is currently working on a new version of the software, one that will include an assortment of useful forensic tools. This upcoming player on the forensic market is expected to bring to it their signature user-experience characterized by a high degree of user-interface polish and remarkable ease of use.