Packages that are used for countering forensic activities, including encryption, steganography, and anything that modifies attributes. This also includes tools for working with anything that makes changes to a system for the purpose of hiding information.


Tool count: 2

BlackArch anti-forensic
Name Version Description Homepage
afflib 3.7.19 An extensible open format for the storage of disk images and related forensic information.
aimage 3.2.5 A program to create aff-images.
air 2.0.0 A GUI front-end to dd/dc3dd designed for easily creating forensic images.
analyzemft 133.b6ed04f Parse the MFT file from an NTFS filesystem.
autopsy 4.21.0 The forensic browser. A GUI for the Sleuth Kit.
bmap-tools 3.7 Tool for copying largely sparse files using information from a block map file.
bmc-tools 25.c66a657 RDP Bitmap Cache parser.
bulk-extractor 1562.1c67a75 Bulk Email and URL extraction tool.
canari 3.3.10 Maltego rapid transform development and execution framework.
captipper 74.3fb2836 Malicious HTTP traffic explorer tool.
casefile 1.0.1 The little brother to Maltego without transforms, but combines graph and link analysis to examine links between manually added data to mind map your information.
chaosmap 1.3 An information gathering tool and DNS / whois / web server scanner.
chromefreak 24.12745b1 A Cross-Platform Forensic Framework for Google Chrome
dc3dd 7.2.646 A patched version of dd that includes a number of features useful for computer forensics.
dcfldd 1.7.1 DCFL (DoD Computer Forensics Lab) dd replacement with hashing.
dfir-ntfs 1.1.19 An NTFS parser for digital forensics & incident response.
dftimewolf 737.1b1282cf Framework for orchestrating forensic collection, processing and data export.
disitool 0.4 Tool to work with Windows executables digital signatures.
dmde 4.2.2.816 Disk Editor and Data Recovery Software.
dmg2img 1.6.7 A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format.
dshell 142.695c891 A network forensic analysis framework.
dumpzilla 03152013 A forensic tool for Firefox.
eindeutig 20050628_1 Examine the contents of Outlook Express DBX email repository files (forensic purposes).
emldump 0.0.11 Analyze MIME files.
evtkit 8.af06db3 Fix acquired .evt - Windows Event Log files (Forensics).
exiflooter 39.0c9535f Find geolocation on all image URLs and directories; also integrates with OpenStreetMap.
extractusnjrnl 7.362d4290 Tool to extract the $UsnJrnl from an NTFS volume.
firefox-decrypt 1.1.1.r5.g8a5fdeb Extract passwords from Mozilla Firefox, Waterfox, Thunderbird, SeaMonkey profiles.
fridump 23.3e64ee0 A universal memory dumper using Frida.
galleta 20040505_1 Examine the contents of IE's cookie files for forensic purposes.
grokevt 0.5.0 A collection of scripts built for reading Windows® NT/2K/XP/2K eventlog files.
guymager 0.8.13 A forensic imager for media acquisition.
imagemounter 413.383b30b Command line utility and Python package to ease the (un)mounting of forensic disk images.
indx2csv 17.129a411e An advanced parser for INDX records.
indxcarver 5.dee36608 Carve INDX records from a chunk of data.
indxparse 198.a977192 A Tool suite for inspecting NTFS artifacts.
interrogate 5.eb5f071 A proof-of-concept tool for identification of cryptographic keys in binary material (regardless of target operating system), first and foremost for memory dump analysis and forensic usage.
iosforensic 1.0 iOS forensic tool https://www.owasp.org/index.php/Projects/OWASP_iOSForensic
ipba2 95.c03bd85 IOS Backup Analyzer.
iphoneanalyzer 2.1.0 Allows you to forensically examine or recover data from an iOS device.
lazagne 875.9da4b87 An open source application used to retrieve lots of passwords stored on a local computer.
ldsview 47.d8bfcaa Offline search tool for LDAP directory dumps in LDIF format.
lfle 24.f28592c Recover event log entries from an image by heuristically looking for record structures.
libfvde 207.03f12f5 Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes.
limeaide 305.ce3c9b7 Remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host.
log-file-parser 60.c7a0ae7e Parser for $LogFile on NTFS.
loki-scanner 1255.687e211 Simple IOC and Incident Response Scanner.
mac-robber 1.02 A digital investigation tool that collects data from allocated files in a mounted file system.
magicrescue 1.1.9 Find and recover deleted files on block devices.
make-pdf 0.1.7 This tool will embed javascript inside a PDF document.
malheur 0.5.4 A tool for the automatic analysis of malware behavior.
maltego 4.8.1 An open source intelligence and forensics application, enabling you to easily gather information about DNS, domains, IP addresses, websites, persons, etc.
malwaredetect 0.1 Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware.
mboxgrep 0.7.9 A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats.
mdbtools 738.823b32f Utilities for viewing data and exporting schema from Microsoft Access Database files.
memdump 1.01 Dumps system memory to stdout, skipping over holes in memory maps.
memfetch 0.05b Dumps any userspace process memory without affecting its execution.
mft2csv 40.164eb224 Extract $MFT record info and log it to a csv file.
mftcarver 9.7bfcc0a2 Carve $MFT records from a chunk of data (for instance a memory dump).
mftrcrd 16.35c3ac2f Command line $MFT record decoder.
mftref2name 6.7df9eebb Resolve file index number to name or vice versa on NTFS.
mimipenguin 152.880a427 A tool to dump the login password from the current Linux user.
mobiusft 1.12 An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions.
mp3nema 0.4 A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data.
mxtract 90.0b34376 Memory Extractor & Analyzer.
myrescue 0.9.8 A hard disk recovery tool that reads undamaged regions first.
naft 0.0.9 Network Appliance Forensic Toolkit.
netspionage 99.c24f995 Network Forensics CLI utility that performs Network Scanning, OSINT, and Attack Detection.
networkminer 2.9 A Network Forensic Analysis Tool for advanced Network Traffic Analysis, sniffer and packet analyzer.
nfex 2.5 A tool for extracting files from the network in real-time or post-capture from an offline tcpdump pcap savefile.
ntdsxtract 34.7fa1c8c Active Directory forensic framework.
ntfs-file-extractor 6.f2b23d72 Extract files off NTFS.
ntfs-log-tracker 1.6 This tool can parse $LogFile, $UsnJrnl of NTFS.
parse-evtx 3.a4b02b9 A tool to parse the Windows XML Event Log (EVTX) format.
pasco 20040505_1 Examines the contents of Internet Explorer's cache files for forensic purposes.
pcapxray 274.1721645 A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction.
pdblaster 4.fc8abb3 Extract PDB file paths from large sample sets of executable files.
pdf-parser 0.7.9 Parses a PDF document to identify the fundamental elements used in the analyzed file.
pdfbook-analyzer 2 Utility for facebook memory forensics.
pdfid 0.2.8 Scan a file to look for certain PDF keywords.
pdfresurrect 0.12 A tool aimed at analyzing PDF documents.
peepdf 0.4.2 A Python tool to explore PDF files in order to find out if the file can be harmful or not.
pev 0.81 Command line based tool for PE32/PE32+ file analysis.
powermft 5.76574543 Powerful commandline $MFT record editor.
python-acquire 3.17.r1.gc284e87 Quickly gather forensic artifacts from disk images or a live system into a lightweight container.
python-dissect.archive 1.4.r0.gd433633 A Dissect module implementing parsers for various archive and backup formats.
python-dissect.btrfs 1.6.r0.gfe4bbda A Dissect module implementing a parser for the btrfs file system.
python-dissect.cim 3.10.r0.g4d1effc A Dissect module implementing a parser for the Windows Common Information Model (CIM) database, used in the Windows operating system.
python-dissect.clfs 1.9.r0.gd3e3b7f A Dissect module implementing a parser for the CLFS (Common Log File System) file system of Windows.
python-dissect.cstruct 4.3.r0.ged1daf2 A Dissect module implementing a parser for C-like structures.
python-dissect.esedb 3.14.r0.gb052185 A Dissect module implementing a parser for Microsoft's Extensible Storage Engine Database (ESEDB), used for example in Active Directory, Exchange and Windows Update.
python-dissect.etl 3.10.r0.g23354d6 A Dissect module implementing a parser for Event Trace Log (ETL) files, used by the Windows operating system to log kernel events.
python-dissect.eventlog 3.9.r0.g97fdfd7 A Dissect module implementing parsers for the Windows EVT, EVTX and WEVT log file formats.
python-dissect.evidence 3.10.r0.g852ced4 A Dissect module implementing parsers for various forensic evidence file containers, currently: AD1, ASDF and EWF.
python-dissect.executable 1.7.r0.g7bf4930 A Dissect module implementing parsers for various executable formats such as PE, ELF and Mach-O.
python-dissect.extfs 3.12.r0.g9b0df29 A Dissect module implementing a parser for the ExtFS file system, the native filesystem for Linux operating systems.
python-dissect.fat 3.11.r0.gfe9d7dc A Dissect module implementing parsers for the FAT and exFAT file systems, commonly used on flash memory based storage devices and UEFI partitions.
python-dissect.ffs 3.10.r0.g498cb70 A Dissect module implementing a parser for the FFS file system, commonly used by BSD operating systems.
python-dissect.fve 4.0.r0.g39523e4 A Dissect module implementing parsers for full volume encryption implementations, currently Microsoft's BitLocker Disk Encryption (BDE) and Linux Unified Key Setup (LUKS1 and LUKS2).
python-dissect.hypervisor 3.16.r1.g54a733b A Dissect module implementing parsers for various hypervisor disk, backup and configuration files.
python-dissect.jffs 1.3.r1.gf93add9 A Dissect module implementing a parser for the JFFS2 file system, commonly used by router operating systems.
python-dissect.ntfs 3.13.r0.gef5529b A Dissect module implementing a parser for the NTFS file system, used by the Windows operating system.
python-dissect.ole 3.9.r0.ge21455d A Dissect module implementing a parser for the Object Linking & Embedding (OLE) format, commonly used by document editors on Windows operating systems.
python-dissect.regf 3.11.r0.g94b58df A Dissect module implementing a parser for Windows registry file format, used to store application and OS configuration on Windows operating systems.
python-dissect.shellitem 3.10.r0.g975a812 A Dissect module implementing a parser for the Shellitem structures, commonly used by Microsoft Windows.
python-dissect.sql 3.10.r0.g863d97e A Dissect module implementing parsers for the SQLite database file format, commonly used by applications to store configuration data.
python-dissect.squashfs 1.8.r0.g16bc3de A Dissect module implementing a parser for the SquashFS file system.
python-dissect.target 3.20.r7.gaf1abe4 The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).
python-dissect.thumbcache 1.9.r0.gc38995e A Dissect module implementing a parser for the Windows thumbcache.
python-dissect.util 3.19.r0.g2a9439e A Dissect module implementing various utility functions for the other Dissect modules.
python-dissect.vmfs 3.10.r0.g13e1c48 A Dissect module implementing a parser for the VMFS file system, used by VMware virtualization software.
python-dissect.volume 3.13.r0.gdd3b289 A Dissect module implementing a parser for different disk volume and partition systems, for example LVM2, GPT and MBR.
python-dissect.xfs 3.11.r0.g5e2c336 A Dissect module implementing a parser for the XFS file system, commonly used by Red Hat Linux distributions.
python-flow.record 3.18.r1.g135a7b8 Recordization library.
python2-peepdf 0.4.2 A Python tool to explore PDF files in order to find out if the file can be harmful or not.
rcrdcarver 5.54507d21 Carve RCRD records ($LogFile) from a chunk of data.
recentfilecache-parser 2.5e22518 Python parser for the RecentFileCache.bcf on Windows.
recoverdm 0.20 Recover damaged CDs, DVDs and disks with bad sectors.
recoverjpeg 2.6.3 Recover jpegs from damaged devices.
recuperabit 77.c6f8678 A tool for forensic file system reconstruction.
regipy 2.2.2 Library for parsing offline registry hives.
reglookup 1.0.1 Command line utility for reading and querying Windows NT registries.
regripper 106.89f3cac Open source forensic software used as a Windows Registry data extraction command line or GUI tool.
regrippy 2.0.0 Framework for reading and extracting useful forensics data from Windows registry hives.
rekall 1409.55d1925f Memory Forensic Framework.
replayproxy 1.1 Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file.
rifiuti2 0.7.0 A rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file.
safecopy 1.7 A disk data recovery tool to extract data from damaged media.
scalpel 1.1687261 A frugal, high performance file carver.
scrounge-ntfs 0.9 Data recovery program for NTFS file systems.
secure2csv 10.119eefb0 Decode security descriptors in $Secure on NTFS.
shadowexplorer 0.9 Browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service.
skypefreak 33.9347a65 A Cross Platform Forensic Framework for Skype.
swap-digger 51.4d18ce0 A tool used to automate Linux swap analysis during post-exploitation or forensics.
tchunt-ng 208.b8cf7fc Reveal encrypted files stored on a filesystem.
tekdefense-automater 88.42548cf IP, URL and MD5 OSINT analysis.
thumbcacheviewer 1.0.3.7 Extract Windows thumbcache database files.
trid 2.24 A utility designed to identify file types from their binary signatures.
truehunter 14.0a2895d Detect TrueCrypt containers using a fast and memory efficient approach.
undbx 0.21.r3.g5e31c75 Extract e-mail messages from Outlook Express DBX files.
usbrip 291.5093c84 USB device artifacts tracker.
usnjrnl2csv 29.1ecbddc Parser for $UsnJrnl on NTFS.
usnparser 4.1.5 A Python script to parse the NTFS USN journal.
vinetto 0.07beta A forensics tool to examine Thumbs.db files.
vipermonkey 1160.511ecd5 A VBA parser and emulation engine to analyze malicious macros.
volafox 143.5b42987 Mac OS X Memory Analysis Toolkit.
volatility-extra 92.d9fc072 Volatility plugins developed and maintained by the community.
windows-prefetch-parser 88.bc1fa58 Parse Windows Prefetch files.
wmi-forensics 11.0ab08dc Scripts used to find evidence in WMI repositories.
xplico 1.2.2 Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT).
zipdump 0.0.21 ZIP dump utility.