afflib |
3.7.19 |
An extensible open format for the storage of disk images and related forensic information. |
|
aimage |
3.2.5 |
A program to create aff-images. |
|
air |
2.0.0 |
A GUI front-end to dd/dc3dd designed for easily creating forensic images. |
|
analyzemft |
133.b6ed04f |
Parse the MFT file from an NTFS filesystem. |
|
autopsy |
4.21.0 |
The forensic browser. A GUI for the Sleuth Kit. |
|
bmap-tools |
3.7 |
Tool for copying largely sparse files using information from a block map file. |
|
bmc-tools |
25.c66a657 |
RDP Bitmap Cache parser. |
|
bulk-extractor |
1562.1c67a75 |
Bulk Email and URL extraction tool. |
|
canari |
3.3.10 |
Maltego rapid transform development and execution framework. |
|
captipper |
74.3fb2836 |
Malicious HTTP traffic explorer tool. |
|
casefile |
1.0.1 |
The little brother to Maltego: it has no transforms, but combines graph and link analysis to examine links between manually added data and mind-map your information.
|
chaosmap |
1.3 |
An information gathering tool and DNS / whois / web server scanner.
|
chromefreak |
24.12745b1 |
A Cross-Platform Forensic Framework for Google Chrome.
|
dc3dd |
7.2.646 |
A patched version of dd that includes a number of features useful for computer forensics. |
|
dcfldd |
1.7.1 |
DCFL (Defense Computer Forensics Laboratory) dd replacement with hashing.
|
dfir-ntfs |
1.1.19 |
An NTFS parser for digital forensics & incident response. |
|
dftimewolf |
737.1b1282cf |
Framework for orchestrating forensic collection, processing and data export. |
|
disitool |
0.4 |
Tool to work with Windows executables digital signatures. |
|
dmde |
4.2.2.816 |
Disk Editor and Data Recovery Software. |
|
dmg2img |
1.6.7 |
A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format. |
|
dshell |
142.695c891 |
A network forensic analysis framework. |
|
dumpzilla |
03152013 |
A forensic tool for firefox. |
|
eindeutig |
20050628_1 |
Examine the contents of Outlook Express DBX email repository files (forensic purposes).
|
emldump |
0.0.11 |
Analyze MIME files. |
|
evtkit |
8.af06db3 |
Fix acquired .evt - Windows Event Log files (Forensics). |
|
exiflooter |
39.0c9535f |
Finds geolocation data in all image URLs and directories; also integrates with OpenStreetMap.
|
extractusnjrnl |
7.362d4290 |
Tool to extract the $UsnJrnl from an NTFS volume. |
|
firefox-decrypt |
1.1.1.r5.g8a5fdeb |
Extract passwords from Mozilla Firefox, Waterfox, Thunderbird, SeaMonkey profiles. |
|
fridump |
23.3e64ee0 |
A universal memory dumper using Frida. |
|
galleta |
20040505_1 |
Examine the contents of Internet Explorer's cookie files for forensic purposes.
|
grokevt |
0.5.0 |
A collection of scripts built for reading Windows NT/2K/XP/2K3 event log files.
|
guymager |
0.8.13 |
A forensic imager for media acquisition. |
|
imagemounter |
413.383b30b |
Command line utility and Python package to ease the (un)mounting of forensic disk images. |
|
indx2csv |
17.129a411e |
An advanced parser for INDX records. |
|
indxcarver |
5.dee36608 |
Carve INDX records from a chunk of data. |
|
indxparse |
198.a977192 |
A Tool suite for inspecting NTFS artifacts. |
|
interrogate |
5.eb5f071 |
A proof-of-concept tool for identification of cryptographic keys in binary material (regardless of target operating system), first and foremost for memory dump analysis and forensic usage. |
|
iosforensic |
1.0 |
iOS forensic tool https://www.owasp.org/index.php/Projects/OWASP_iOSForensic |
|
ipba2 |
95.c03bd85 |
iOS Backup Analyzer.
|
iphoneanalyzer |
2.1.0 |
Allows you to forensically examine or recover data from an iOS device.
|
lazagne |
875.9da4b87 |
An open source application used to retrieve lots of passwords stored on a local computer. |
|
ldsview |
47.d8bfcaa |
Offline search tool for LDAP directory dumps in LDIF format. |
|
lfle |
24.f28592c |
Recover event log entries from an image by heuristically looking for record structures.
|
libfvde |
207.03f12f5 |
Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes. |
|
limeaide |
305.ce3c9b7 |
Remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. |
|
log-file-parser |
60.c7a0ae7e |
Parser for $LogFile on NTFS. |
|
loki-scanner |
1255.687e211 |
Simple IOC and Incident Response Scanner. |
|
mac-robber |
1.02 |
A digital investigation tool that collects data from allocated files in a mounted file system. |
|
magicrescue |
1.1.9 |
Find and recover deleted files on block devices.
|
make-pdf |
0.1.7 |
This tool will embed javascript inside a PDF document. |
|
malheur |
0.5.4 |
A tool for the automatic analysis of malware behavior.
|
maltego |
4.8.1 |
An open source intelligence and forensics application, enabling you to easily gather information about DNS, domains, IP addresses, websites, persons, etc.
|
malwaredetect |
0.1 |
Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware.
|
mboxgrep |
0.7.9 |
A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats. |
|
mdbtools |
738.823b32f |
Utilities for viewing data and exporting schema from Microsoft Access Database files. |
|
memdump |
1.01 |
Dumps system memory to stdout, skipping over holes in memory maps. |
|
memfetch |
0.05b |
Dumps any userspace process memory without affecting its execution. |
|
mft2csv |
40.164eb224 |
Extract $MFT record info and log it to a csv file. |
|
mftcarver |
9.7bfcc0a2 |
Carve $MFT records from a chunk of data (for instance a memory dump). |
|
mftrcrd |
16.35c3ac2f |
Command line $MFT record decoder. |
|
mftref2name |
6.7df9eebb |
Resolve file index number to name or vice versa on NTFS. |
|
mimipenguin |
152.880a427 |
A tool to dump the login password of the current Linux user.
|
mobiusft |
1.12 |
An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. |
|
mp3nema |
0.4 |
A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data. |
|
mxtract |
90.0b34376 |
Memory Extractor & Analyzer. |
|
myrescue |
0.9.8 |
A hard disk recovery tool that reads undamaged regions first. |
|
naft |
0.0.9 |
Network Appliance Forensic Toolkit. |
|
netspionage |
99.c24f995 |
Network Forensics CLI utility that performs Network Scanning, OSINT, and Attack Detection. |
|
networkminer |
2.9 |
A Network Forensic Analysis Tool for advanced Network Traffic Analysis, sniffer and packet analyzer. |
|
nfex |
2.5 |
A tool for extracting files from the network in real-time or post-capture from an offline tcpdump pcap savefile. |
|
ntdsxtract |
34.7fa1c8c |
Active Directory forensic framework. |
|
ntfs-file-extractor |
6.f2b23d72 |
Extract files off NTFS. |
|
ntfs-log-tracker |
1.6 |
This tool can parse $LogFile, $UsnJrnl of NTFS. |
|
parse-evtx |
3.a4b02b9 |
A tool to parse the Windows XML Event Log (EVTX) format. |
|
pasco |
20040505_1 |
Examines the contents of Internet Explorer's cache files for forensic purposes.
|
pcapxray |
274.1721645 |
A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction. |
|
pdblaster |
4.fc8abb3 |
Extract PDB file paths from large sample sets of executable files. |
|
pdf-parser |
0.7.9 |
Parses a PDF document to identify the fundamental elements used in the analyzed file. |
|
pdfbook-analyzer |
2 |
Utility for Facebook memory forensics.
|
pdfid |
0.2.8 |
Scan a file to look for certain PDF keywords. |
|
pdfresurrect |
0.12 |
A tool aimed at analyzing PDF documents. |
|
peepdf |
0.4.2 |
A Python tool to explore PDF files in order to find out if the file can be harmful or not. |
|
pev |
0.81 |
Command line based tool for PE32/PE32+ file analysis. |
|
powermft |
5.76574543 |
Powerful commandline $MFT record editor. |
|
python-acquire |
3.17.r1.gc284e87 |
Quickly gather forensic artifacts from disk images or a live system into a lightweight container. |
|
python-dissect.archive |
1.4.r0.gd433633 |
A Dissect module implementing parsers for various archive and backup formats. |
|
python-dissect.btrfs |
1.6.r0.gfe4bbda |
A Dissect module implementing a parser for the btrfs file system. |
|
python-dissect.cim |
3.10.r0.g4d1effc |
A Dissect module implementing a parser for the Windows Common Information Model (CIM) database, used in the Windows operating system. |
|
python-dissect.clfs |
1.9.r0.gd3e3b7f |
A Dissect module implementing a parser for the CLFS (Common Log File System) file system of Windows. |
|
python-dissect.cstruct |
4.3.r0.ged1daf2 |
A Dissect module implementing a parser for C-like structures. |
|
python-dissect.esedb |
3.14.r0.gb052185 |
A Dissect module implementing a parser for Microsoft's Extensible Storage Engine Database (ESEDB), used for example in Active Directory, Exchange and Windows Update.
|
python-dissect.etl |
3.10.r0.g23354d6 |
A Dissect module implementing a parser for Event Trace Log (ETL) files, used by the Windows operating system to log kernel events. |
|
python-dissect.eventlog |
3.9.r0.g97fdfd7 |
A Dissect module implementing parsers for the Windows EVT, EVTX and WEVT log file formats. |
|
python-dissect.evidence |
3.10.r0.g852ced4 |
A Dissect module implementing parsers for various forensic evidence file containers, currently: AD1, ASDF and EWF.
|
python-dissect.executable |
1.7.r0.g7bf4930 |
A Dissect module implementing parsers for various executable formats such as PE, ELF and Mach-O.
|
python-dissect.extfs |
3.12.r0.g9b0df29 |
A Dissect module implementing a parser for the ExtFS file system, the native filesystem for Linux operating systems. |
|
python-dissect.fat |
3.11.r0.gfe9d7dc |
A Dissect module implementing parsers for the FAT and exFAT file systems, commonly used on flash memory based storage devices and UEFI partitions. |
|
python-dissect.ffs |
3.10.r0.g498cb70 |
A Dissect module implementing a parser for the FFS file system, commonly used by BSD operating systems. |
|
python-dissect.fve |
4.0.r0.g39523e4 |
A Dissect module implementing parsers for full volume encryption implementations, currently Microsoft's BitLocker Drive Encryption (BDE) and Linux Unified Key Setup (LUKS1 and LUKS2).
|
python-dissect.hypervisor |
3.16.r1.g54a733b |
A Dissect module implementing parsers for various hypervisor disk, backup and configuration files. |
|
python-dissect.jffs |
1.3.r1.gf93add9 |
A Dissect module implementing a parser for the JFFS2 file system, commonly used by router operating systems. |
|
python-dissect.ntfs |
3.13.r0.gef5529b |
A Dissect module implementing a parser for the NTFS file system, used by the Windows operating system. |
|
python-dissect.ole |
3.9.r0.ge21455d |
A Dissect module implementing a parser for the Object Linking & Embedding (OLE) format, commonly used by document editors on Windows operating systems. |
|
python-dissect.regf |
3.11.r0.g94b58df |
A Dissect module implementing a parser for the Windows registry file format, used to store application and OS configuration on Windows operating systems.
|
python-dissect.shellitem |
3.10.r0.g975a812 |
A Dissect module implementing a parser for the Shellitem structures, commonly used by Microsoft Windows. |
|
python-dissect.sql |
3.10.r0.g863d97e |
A Dissect module implementing a parser for the SQLite database file format, commonly used by applications to store configuration data.
|
python-dissect.squashfs |
1.8.r0.g16bc3de |
A Dissect module implementing a parser for the SquashFS file system. |
|
python-dissect.target |
3.20.r7.gaf1abe4 |
The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets). |
|
python-dissect.thumbcache |
1.9.r0.gc38995e |
A Dissect module implementing a parser for the Windows thumbcache.
|
python-dissect.util |
3.19.r0.g2a9439e |
A Dissect module implementing various utility functions for the other Dissect modules. |
|
python-dissect.vmfs |
3.10.r0.g13e1c48 |
A Dissect module implementing a parser for the VMFS file system, used by VMware virtualization software. |
|
python-dissect.volume |
3.13.r0.gdd3b289 |
A Dissect module implementing a parser for different disk volume and partition systems, for example LVM2, GPT and MBR. |
|
python-dissect.xfs |
3.11.r0.g5e2c336 |
A Dissect module implementing a parser for the XFS file system, commonly used by Red Hat Linux distributions.
|
python-flow.record |
3.18.r1.g135a7b8 |
Recordization library. |
|
python2-peepdf |
0.4.2 |
A Python tool to explore PDF files in order to find out if the file can be harmful or not. |
|
rcrdcarver |
5.54507d21 |
Carve RCRD records ($LogFile) from a chunk of data.
|
recentfilecache-parser |
2.5e22518 |
Python parser for the RecentFileCache.bcf on Windows. |
|
recoverdm |
0.20 |
Recover damaged CD DVD and disks with bad sectors. |
|
recoverjpeg |
2.6.3 |
Recover jpegs from damaged devices. |
|
recuperabit |
77.c6f8678 |
A tool for forensic file system reconstruction. |
|
regipy |
2.2.2 |
Library for parsing offline registry hives. |
|
reglookup |
1.0.1 |
Command line utility for reading and querying Windows NT registries.
|
regripper |
106.89f3cac |
Open source forensic software used as a Windows Registry data extraction command line or GUI tool. |
|
regrippy |
2.0.0 |
Framework for reading and extracting useful forensics data from Windows registry hives. |
|
rekall |
1409.55d1925f |
Memory Forensic Framework. |
|
replayproxy |
1.1 |
Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file. |
|
rifiuti2 |
0.7.0 |
A rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. |
|
safecopy |
1.7 |
A disk data recovery tool to extract data from damaged media. |
|
scalpel |
1.1687261 |
A frugal, high performance file carver. |
|
scrounge-ntfs |
0.9 |
Data recovery program for NTFS file systems.
|
secure2csv |
10.119eefb0 |
Decode security descriptors in $Secure on NTFS. |
|
shadowexplorer |
0.9 |
Browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service. |
|
skypefreak |
33.9347a65 |
A Cross Platform Forensic Framework for Skype. |
|
swap-digger |
51.4d18ce0 |
A tool used to automate Linux swap analysis during post-exploitation or forensics. |
|
tchunt-ng |
208.b8cf7fc |
Reveal encrypted files stored on a filesystem. |
|
tekdefense-automater |
88.42548cf |
IP, URL and MD5 OSINT analysis.
|
thumbcacheviewer |
1.0.3.7 |
Extract Windows thumbcache database files. |
|
trid |
2.24 |
A utility designed to identify file types from their binary signatures.
|
truehunter |
14.0a2895d |
Detect TrueCrypt containers using a fast and memory efficient approach. |
|
undbx |
0.21.r3.g5e31c75 |
Extract e-mail messages from Outlook Express DBX files. |
|
usbrip |
291.5093c84 |
USB device artifacts tracker. |
|
usnjrnl2csv |
29.1ecbddc |
Parser for $UsnJrnl on NTFS. |
|
usnparser |
4.1.5 |
A Python script to parse the NTFS USN journal. |
|
vinetto |
0.07beta |
A forensics tool to examine Thumbs.db files.
|
vipermonkey |
1160.511ecd5 |
A VBA parser and emulation engine to analyze malicious macros. |
|
volafox |
143.5b42987 |
Mac OS X Memory Analysis Toolkit. |
|
volatility-extra |
92.d9fc072 |
Volatility plugins developed and maintained by the community. |
|
windows-prefetch-parser |
88.bc1fa58 |
Parse Windows Prefetch files. |
|
wmi-forensics |
11.0ab08dc |
Scripts used to find evidence in WMI repositories. |
|
xplico |
1.2.2 |
Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT). |
|
zipdump |
0.0.21 |
ZIP dump utility. |
|