| afflib |
3.7.19 |
An extensible open format for the storage of disk images and related forensic information. |
|
| aimage |
3.2.5 |
A program to create aff-images. |
|
| air |
2.0.0 |
A GUI front-end to dd/dc3dd designed for easily creating forensic images. |
|
| analyzemft |
133.b6ed04f |
Parse the MFT file from an NTFS filesystem. |
|
| autopsy |
4.21.0 |
The forensic browser. A GUI for the Sleuth Kit. |
|
| bmap-tools |
3.7 |
Tool for copying largely sparse files using information from a block map file. |
|
| bmc-tools |
25.c66a657 |
RDP Bitmap Cache parser. |
|
| bulk-extractor |
1562.1c67a75 |
Bulk Email and URL extraction tool. |
|
| canari |
3.3.10 |
Maltego rapid transform development and execution framework. |
|
| captipper |
74.3fb2836 |
Malicious HTTP traffic explorer tool. |
|
| casefile |
1.0.1 |
The little brother to Maltego without transforms, but combines graph and link analysis to examine links between manually added data to mind map your information |
|
| chaosmap |
1.3 |
An information gathering tool and dns / whois / web server scanner |
|
| chntpw |
140201 |
Offline NT Password Editor - reset passwords in a Windows NT SAM user database file |
|
| chromefreak |
24.12745b1 |
A Cross-Platform Forensic Framework for Google Chrome |
|
| dc3dd |
7.2.646 |
A patched version of dd that includes a number of features useful for computer forensics. |
|
| dcfldd |
1.7.1 |
DCFL (DoD Computer Forensics Lab) dd replacement with hashing. |
|
| ddrescue |
1.28 |
GNU data recovery tool |
|
| dfir-ntfs |
1.1.19 |
An NTFS parser for digital forensics & incident response. |
|
| dftimewolf |
736.a6b44c6b |
Framework for orchestrating forensic collection, processing and data export. |
|
| disitool |
0.4 |
Tool to work with Windows executables digital signatures. |
|
| dmde |
4.2.2.816 |
Disk Editor and Data Recovery Software. |
|
| dmg2img |
1.6.7 |
A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format. |
|
| dshell |
142.695c891 |
A network forensic analysis framework. |
|
| dumpzilla |
03152013 |
A forensic tool for firefox. |
|
| eindeutig |
20050628_1 |
Examine the contents of Outlook Express DBX email repository files (forensic purposes) |
|
| emldump |
0.0.11 |
Analyze MIME files. |
|
| evtkit |
8.af06db3 |
Fix acquired .evt - Windows Event Log files (Forensics). |
|
| exiflooter |
39.0c9535f |
Find geolocation on all image urls and directories also integrates with OpenStreetMap. |
|
| extractusnjrnl |
7.362d4290 |
Tool to extract the $UsnJrnl from an NTFS volume. |
|
| firefox-decrypt |
1.1.1.r5.g8a5fdeb |
Extract passwords from Mozilla Firefox, Waterfox, Thunderbird, SeaMonkey profiles. |
|
| foremost |
1.5.7 |
A console program to recover files based on their headers, footers, and internal data structures |
|
| fridump |
23.3e64ee0 |
A universal memory dumper using Frida. |
|
| galleta |
20040505_1 |
Examine the contents of the IE's cookie files for forensic purposes |
|
| grokevt |
0.5.0 |
A collection of scripts built for reading Windows® NT/2K/XP/2K eventlog files. |
|
| guymager |
0.8.13 |
A forensic imager for media acquisition. |
|
| imagemounter |
413.383b30b |
Command line utility and Python package to ease the (un)mounting of forensic disk images. |
|
| indx2csv |
17.129a411e |
An advanced parser for INDX records. |
|
| indxcarver |
5.dee36608 |
Carve INDX records from a chunk of data. |
|
| indxparse |
198.a977192 |
A Tool suite for inspecting NTFS artifacts. |
|
| interrogate |
5.eb5f071 |
A proof-of-concept tool for identification of cryptographic keys in binary material (regardless of target operating system), first and foremost for memory dump analysis and forensic usage. |
|
| iosforensic |
1.0 |
iOS forensic tool https://www.owasp.org/index.php/Projects/OWASP_iOSForensic |
|
| ipba2 |
95.c03bd85 |
IOS Backup Analyzer. |
|
| iphoneanalyzer |
2.1.0 |
Allows you to forensically examine or recover date from in iOS device. |
|
| lazagne |
875.9da4b87 |
An open source application used to retrieve lots of passwords stored on a local computer. |
|
| ldsview |
47.d8bfcaa |
Offline search tool for LDAP directory dumps in LDIF format. |
|
| lfle |
24.f28592c |
Recover event log entries from an image by heurisitically looking for record structures. |
|
| libfvde |
207.03f12f5 |
Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes. |
|
| limeaide |
305.ce3c9b7 |
Remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. |
|
| log-file-parser |
60.c7a0ae7e |
Parser for $LogFile on NTFS. |
|
| loki-scanner |
1227.0dc990b |
Simple IOC and Incident Response Scanner. |
|
| mac-robber |
1.02 |
A digital investigation tool that collects data from allocated files in a mounted file system. |
|
| magicrescue |
1.1.9 |
Find and recover deleted files on block devices |
|
| make-pdf |
0.1.7 |
This tool will embed javascript inside a PDF document. |
|
| malheur |
0.5.4 |
A tool for the automatic analyze of malware behavior. |
|
| maltego |
4.8.1 |
An open source intelligence and forensics application, enabling to easily gather information about DNS, domains, IP addresses, websites, persons, etc. |
|
| malwaredetect |
0.1 |
Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware |
|
| mboxgrep |
0.7.9 |
A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats. |
|
| mdbtools |
738.823b32f |
Utilities for viewing data and exporting schema from Microsoft Access Database files. |
|
| memdump |
1.01 |
Dumps system memory to stdout, skipping over holes in memory maps. |
|
| memfetch |
0.05b |
Dumps any userspace process memory without affecting its execution. |
|
| mft2csv |
40.164eb224 |
Extract $MFT record info and log it to a csv file. |
|
| mftcarver |
9.7bfcc0a2 |
Carve $MFT records from a chunk of data (for instance a memory dump). |
|
| mftrcrd |
16.35c3ac2f |
Command line $MFT record decoder. |
|
| mftref2name |
6.7df9eebb |
Resolve file index number to name or vice versa on NTFS. |
|
| mimipenguin |
152.880a427 |
A tool to dump the login password from the current linux user. |
|
| mobiusft |
1.12 |
An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. |
|
| mp3nema |
0.4 |
A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data. |
|
| mxtract |
90.0b34376 |
Memory Extractor & Analyzer. |
|
| myrescue |
0.9.8 |
A hard disk recovery tool that reads undamaged regions first. |
|
| naft |
0.0.9 |
Network Appliance Forensic Toolkit. |
|
| networkminer |
2.9 |
A Network Forensic Analysis Tool for advanced Network Traffic Analysis, sniffer and packet analyzer. |
|
| nfex |
2.5 |
A tool for extracting files from the network in real-time or post-capture from an offline tcpdump pcap savefile. |
|
| ntdsxtract |
34.7fa1c8c |
Active Directory forensic framework. |
|
| ntfs-file-extractor |
6.f2b23d72 |
Extract files off NTFS. |
|
| ntfs-log-tracker |
1.6 |
This tool can parse $LogFile, $UsnJrnl of NTFS. |
|
| parse-evtx |
3.a4b02b9 |
A tool to parse the Windows XML Event Log (EVTX) format. |
|
| pasco |
20040505_1 |
Examines the contents of Internet Explorer's cache files for forensic purposes |
|
| pcapxray |
274.1721645 |
A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction. |
|
| pdblaster |
4.fc8abb3 |
Extract PDB file paths from large sample sets of executable files. |
|
| pdf-parser |
0.7.9 |
Parses a PDF document to identify the fundamental elements used in the analyzed file. |
|
| pdfbook-analyzer |
2 |
Utility for facebook memory forensics. |
|
| pdfid |
0.2.8 |
Scan a file to look for certain PDF keywords. |
|
| pdfresurrect |
0.12 |
A tool aimed at analyzing PDF documents. |
|
| peepdf |
0.4.2 |
A Python tool to explore PDF files in order to find out if the file can be harmful or not. |
|
| perl-image-exiftool |
13.03 |
Reader and rewriter of EXIF information that supports raw files |
|
| pev |
0.81 |
Command line based tool for PE32/PE32+ file analysis. |
|
| powermft |
5.76574543 |
Powerful commandline $MFT record editor. |
|
| python2-peepdf |
0.4.2 |
A Python tool to explore PDF files in order to find out if the file can be harmful or not. |
|
| rcrdcarver |
5.54507d21 |
Carve RCRD records ($LogFile) from a chunk of data.. |
|
| recentfilecache-parser |
2.5e22518 |
Python parser for the RecentFileCache.bcf on Windows. |
|
| recoverdm |
0.20 |
Recover damaged CD DVD and disks with bad sectors. |
|
| recoverjpeg |
2.6.3 |
Recover jpegs from damaged devices. |
|
| recuperabit |
77.c6f8678 |
A tool for forensic file system reconstruction. |
|
| regipy |
2.2.2 |
Library for parsing offline registry hives. |
|
| reglookup |
1.0.1 |
Command line utility for reading and querying Windows NT registries |
|
| regripper |
106.89f3cac |
Open source forensic software used as a Windows Registry data extraction command line or GUI tool. |
|
| regrippy |
2.0.0 |
Framework for reading and extracting useful forensics data from Windows registry hives. |
|
| rekall |
1409.55d1925f |
Memory Forensic Framework. |
|
| replayproxy |
1.1 |
Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file. |
|
| rifiuti2 |
0.7.0 |
A rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. |
|
| rkhunter |
1.4.6 |
Checks machines for the presence of rootkits and other unwanted tools. |
|
| safecopy |
1.7 |
A disk data recovery tool to extract data from damaged media. |
|
| scalpel |
1.1687261 |
A frugal, high performance file carver. |
|
| scrounge-ntfs |
0.9 |
Data recovery program for NTFS file systems |
|
| secure2csv |
10.119eefb0 |
Decode security descriptors in $Secure on NTFS. |
|
| shadowexplorer |
0.9 |
Browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service. |
|
| skypefreak |
33.9347a65 |
A Cross Platform Forensic Framework for Skype. |
|
| sleuthkit |
4.12.1 |
File system and media management forensic analysis tools |
|
| swap-digger |
51.4d18ce0 |
A tool used to automate Linux swap analysis during post-exploitation or forensics. |
|
| tchunt-ng |
208.b8cf7fc |
Reveal encrypted files stored on a filesystem. |
|
| tekdefense-automater |
88.42548cf |
IP URL and MD5 OSINT Analysis |
|
| testdisk |
7.2 |
Checks and undeletes partitions + PhotoRec, signature based recovery tool |
|
| thumbcacheviewer |
1.0.3.7 |
Extract Windows thumbcache database files. |
|
| trid |
2.24 |
An utility designed to identify file types from their binary signatures. |
|
| truehunter |
14.0a2895d |
Detect TrueCrypt containers using a fast and memory efficient approach. |
|
| undbx |
0.21.r3.g5e31c75 |
Extract e-mail messages from Outlook Express DBX files. |
|
| unhide |
20220611 |
A forensic tool to find processes hidden by rootkits, LKMs or by other techniques. |
|
| usbrip |
291.5093c84 |
USB device artifacts tracker. |
|
| usnjrnl2csv |
29.1ecbddc |
Parser for $UsnJrnl on NTFS. |
|
| usnparser |
4.1.5 |
A Python script to parse the NTFS USN journal. |
|
| vinetto |
0.07beta |
A forensics tool to examine Thumbs.db files |
|
| vipermonkey |
1160.511ecd5 |
A VBA parser and emulation engine to analyze malicious macros. |
|
| volafox |
143.5b42987 |
Mac OS X Memory Analysis Toolkit. |
|
| volatility-extra |
92.d9fc072 |
Volatility plugins developed and maintained by the community. |
|
| volatility3 |
2.7.0 |
Advanced memory forensics framework |
|
| windows-prefetch-parser |
88.bc1fa58 |
Parse Windows Prefetch files. |
|
| wmi-forensics |
11.0ab08dc |
Scripts used to find evidence in WMI repositories. |
|
| xplico |
1.2.2 |
Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT). |
|
| zipdump |
0.0.21 |
ZIP dump utility. |
|