
A selection of free computer forensics utilities (forensics)

This article provides free tools for investigating information security incidents.
Disk Tools and Data Acquisition
- Arsenal Image Mounter utility for working with disk images in Windows, access to partitions and volumes, etc.
- DumpIt utility for dumping the physical memory of Windows computers 32/64 bit. It can work with a USB drive.
- EnCase Forensic Imager is a utility for creating EnCase evidence files.
- Encrypted Disk Detector utility to detect encrypted volumes TrueCrypt, PGP or Bitlocker.
- EWF MetaEditor utility for editing EWF metadata (E01).
- FAT32 Format utility for formatting large capacity drives in FAT32.
- Forensics Acquisition of Websites browser designed to capture web pages for investigations.
- FTK Imager view and clone storage media in a Windows environment.
- Guymager is a multi-threaded utility with a GUI for creating disk images running Linux.
- Live RAM Capturer utility for RAM dump extraction, including protected by anti-debugging or anti-dumping system.
- NetworkMiner is a network analysis tool for detecting the OS, host name, and open ports of network nodes using packet capture / PCAP analysis.
- Magnet RAM Capture utility for capturing RAM from Windows XP to Windows 10, Win Server 2003, 2008, 2012.
- OSFClone utility live CD / DVD / USB for creating dd or AFF images.
- OSFMount utility for monitoring disk images, also allows you to create RAM disks.
Email Analysis
- EDB Viewer utility for viewing Outlook EDB files without an Exchange server.
- Mail Viewer utility for viewing Outlook Express files, Windows Mail / Windows Live Mail, a Mozilla Thunderbird message database and individual EML files.
- MBOX Viewer utility for viewing emails and attachments MBOX.
- OST Viewer utility to view Outlook OST files without an Exchange server.
- PST Viewer utility to view Outlook PST files without an Exchange server.
File and Data Analysis
- analyzeMFT parsing utility for MFT from the NTFS file system, allowing you to analyze the results using other tools.
- bstrings binary data search utility, including regular expression search.
- CapAnalysis PCAP view utility.
- Crowd Response is a Windows-based console application to help gather system information for incident response and security.
- Crowd Inspect utility for obtaining information about network processes, listing binary files associated with each process. It queries VirusTotal and other online malware analysis tools and reputation services.
- The DCode utility converts various data types into date / time values.
- Defraser utility for detecting full and partial data about multimedia files in unallocated space.
- eCryptfs Parser utility recursively analyzes the headers of each eCryptfs file in the selected directory.
- Encryption Analyzer utility for analyzing password-protected and encrypted files, analyzes the complexity of encryption reports and decryption options for each file.
- ExifTool is a utility for reading and editing Exif data in a large number of file types.
- File Identifier online file type analysis (over 2000).
- Forensic Image Viewer utility for extracting data from images.
- Link Parser utility for recursive folder analysis, extracting more than 30 attributes from Windows .lnk (shortcut) files.
- Memoryze analysis of RAM images, including analysis of "page" files.
- MetaExtractor utility for extracting meta-information from office documents and pdf.
- Shadow Explorer utility for viewing and extracting files from shadow copies.
Tools for Mac OS
- Audit utility for outputting audit and OS X logs.
- Disk Arbitrator blocks mounting of file systems, supplementing the write blocker when disabling disk arbitration.
- FTK Imager CLI for Mac OS is the console version for Mac OS of the FTK Imager utility.
- IORegInfo utility for displaying information on devices connected to a computer (SATA, USB and FireWire, software RAID arrays). It can determine partition information, including sizes, types, and the bus to which the device is connected.
- mac_apt utility for working with images E01, DD, DMG.
- Volafox is a memory analysis utility for Mac OS X.
Mobile devices
- iPBA2 iOS Backup Analysis Utility.
- iPhone Analyzer utility for analyzing file structure of Pad, iPod and iPhone.
- ivMeta is a utility for extracting the phone model and software version, as well as temporary data and GPS data from the iPhone video.
- Rubus utility for deconstructing Blackberry .ipd backup files.
- SAFT extract SMS, call logs and contacts from Android devices.
Previous articles in this series:
Computer forensics (forensics) - an overview of tools and training sites .
Computer forensics (forensics): a selection of useful links.