A selection of free computer forensics utilities (forensics)


    This article lists free tools for investigating information security incidents.

    Disk Tools and Data Acquisition

    • Arsenal Image Mounter is a utility for mounting disk images as complete disks in Windows, giving access to their partitions, volumes and so on.
    • DumpIt is a utility for dumping the physical memory of 32- and 64-bit Windows computers. It can be run from a USB drive.
    • EnCase Forensic Imager is a utility for creating EnCase evidence files.
    • Encrypted Disk Detector is a utility for detecting encrypted volumes (TrueCrypt, PGP or BitLocker).
    • EWF MetaEditor is a utility for editing EWF (E01) metadata.
    • FAT32 Format is a utility for formatting large-capacity drives as FAT32.
    • Forensics Acquisition of Websites (FAW) is a browser designed to capture web pages for investigations.
    • FTK Imager views and images storage media in a Windows environment.
    • Guymager is a multi-threaded GUI utility for creating disk images that runs on Linux.
    • Live RAM Capturer is a utility for extracting a RAM dump, including memory protected by anti-debugging or anti-dumping mechanisms.
    • NetworkMiner is a network forensic analysis tool that detects the OS, host name and open ports of network hosts by packet capture / PCAP analysis.
    • Magnet RAM Capture is a utility for capturing RAM from Windows XP through Windows 10 and Windows Server 2003, 2008 and 2012.
    • OSFClone is a live CD / DVD / USB utility for creating dd or AFF images.
    • OSFMount is a utility for mounting disk images; it can also create RAM disks.
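    The check behind a tool such as Encrypted Disk Detector is simple to reproduce. The example below is added here and is not code from the article or from any of the tools listed: it looks at the first sector of a volume for the BitLocker signature "-FVE-FS-" (stored at offset 3, where a plain NTFS volume says "NTFS    ") and, failing that, falls back to byte entropy, because a TrueCrypt container has no plaintext signature at all. PGP WDE is not covered. The sample sectors are constructed, and the 7.0 bits/byte threshold is an assumption of this example.

```python
"""Heuristic encrypted-volume check over the first sector of a volume.

Added example, not from the original article or from Encrypted Disk Detector.
BitLocker volumes carry the ASCII signature "-FVE-FS-" at offset 3 of their
first sector; TrueCrypt volumes carry no plaintext signature, so high byte
entropy is the only clue. PGP WDE is not handled here.
"""
import hashlib
import math
from collections import Counter

SECTOR = 512
BITLOCKER_SIG = b"-FVE-FS-"   # offset 3; an NTFS boot sector has "NTFS    " there
ENTROPY_THRESHOLD = 7.0       # bits/byte (assumed); random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector: bytes) -> str:
    """Return one of: bitlocker, empty, high-entropy, plaintext."""
    if sector[3:3 + len(BITLOCKER_SIG)] == BITLOCKER_SIG:
        return "bitlocker"
    if not any(sector):
        return "empty"           # all zeros: unused or wiped, not encrypted
    if shannon_entropy(sector) >= ENTROPY_THRESHOLD:
        return "high-entropy"    # TrueCrypt-style container or other FDE
    return "plaintext"


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic 'random' bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample sectors (not captured from real disks).
SAMPLES = {
    "ntfs":      b"\xeb\x52\x90NTFS    " + b"\x00" * (SECTOR - 11),
    "bitlocker": b"\xeb\x58\x90-FVE-FS-" + b"\x00" * (SECTOR - 11),
    "truecrypt": pseudo_random(SECTOR),
    "wiped":     b"\x00" * SECTOR,
}


def scan_samples() -> dict:
    """Classify every constructed sample sector."""
    return {name: classify_sector(sec) for name, sec in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:10s} -> {verdict}")
```

    The entropy test is only a hint: a compressed archive or a sector of a wiped-with-random-data disk scores just as high, so a "high-entropy" verdict should trigger a closer look (volume size, adjacent sectors, key-management artefacts on the host), not a conclusion.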

    Email Analysis

    • EDB Viewer is a utility for viewing Outlook EDB files without an Exchange server.
    • Mail Viewer is a utility for viewing Outlook Express, Windows Mail / Windows Live Mail and Mozilla Thunderbird message databases, as well as individual EML files.
    • MBOX Viewer is a utility for viewing MBOX emails and their attachments.
    • OST Viewer is a utility for viewing Outlook OST files without an Exchange server.
    • PST Viewer is a utility for viewing Outlook PST files without an Exchange server.

    File and Data Analysis

    • analyzeMFT is a utility for parsing the $MFT of an NTFS file system, producing output that can be analysed with other tools.
    • bstrings is a utility for searching binary data for strings, including by regular expression.
    • CapAnalysis is a PCAP viewing utility.
    • Crowd Response is a Windows console application that gathers system information for incident response and security engagements.
    • Crowd Inspect is a utility for obtaining information about processes with network activity, listing the binary associated with each process. It queries VirusTotal and other online malware analysis and reputation services.
    • DCode is a utility that converts raw values in various data formats into date / time values.
    • Defraser is a utility for detecting complete and partial multimedia files in unallocated space.
    • eCryptfs Parser is a utility that recursively parses the headers of every eCryptfs file in the selected directory.
    • Encryption Analyzer is a utility for analysing password-protected and encrypted files; it reports the encryption strength and the decryption options for each file.
    • ExifTool is a utility for reading and editing Exif metadata in a large number of file types.
    • File Identifier is an online file type analysis service (over 2000 file types).
    • Forensic Image Viewer is a utility for extracting data from image files.
    • Link Parser is a utility that recursively analyses folders, extracting more than 30 attributes from Windows .lnk (shortcut) files.
    • Memoryze is a utility for analysing RAM images, including analysis of page files.
    • MetaExtractor is a utility for extracting metadata from office documents and PDFs.
    • Shadow Explorer is a utility for viewing and extracting files from Volume Shadow Copies.
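    The conversion DCode performs is worth seeing in code, because the same raw field can decode to several plausible dates and the analyst has to pick by context. The example below is added here and is not code from the article or from DCode: it reads a 4- or 8-byte little-endian field as Windows FILETIME, Unix, Apple Cocoa, HFS+ and FAT/DOS time, and keeps only readings that land in a date window. The epoch constants are standard; the 1990-2040 window and the sample fields are assumptions of this example.

```python
"""Decode a raw timestamp field the way a tool such as DCode does.

Added example, not code from the original article or from DCode. A 4- or
8-byte little-endian field of unknown meaning (a registry value, an $MFT
entry, a .lnk attribute) is interpreted as each common forensic timestamp
format, and only interpretations inside a plausible date window are kept.
Epoch constants are standard; the 1990-2040 window is an assumption.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)   # Windows FILETIME, 100 ns ticks
EPOCH_1904 = datetime(1904, 1, 1, tzinfo=UTC)   # HFS+, seconds
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=UTC)   # Unix, seconds
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=UTC)   # Apple Cocoa / Core Data, seconds

# Assumed plausibility window; anything outside it is treated as a misdecode.
WINDOW = (datetime(1990, 1, 1, tzinfo=UTC), datetime(2040, 1, 1, tzinfo=UTC))


def filetime_to_dt(ticks: int) -> datetime:
    """64-bit Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def unix_to_dt(secs: int) -> datetime:
    return EPOCH_1970 + timedelta(seconds=secs)


def cocoa_to_dt(secs: int) -> datetime:
    return EPOCH_2001 + timedelta(seconds=secs)


def hfs_to_dt(secs: int) -> datetime:
    return EPOCH_1904 + timedelta(seconds=secs)


def dos_to_dt(time_word: int, date_word: int) -> datetime:
    """FAT packed time (HHHHH MMMMMM SSSSS, 2 s resolution) and date
    (YYYYYYY MMMM DDDDD, years since 1980). FAT stores local time with no
    zone, so the result is deliberately naive."""
    return datetime(
        1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
        time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2,
    )


def _plausible(dt: datetime) -> bool:
    if dt.tzinfo is None:            # naive FAT time: compare as if UTC
        dt = dt.replace(tzinfo=UTC)
    return WINDOW[0] <= dt < WINDOW[1]


def decode_candidates(raw: bytes) -> dict:
    """Return {format_name: datetime} for every plausible reading of `raw`.

    An empty dict means no known format puts the value in the window; more
    than one key means the field is ambiguous and needs context to resolve.
    """
    if len(raw) not in (4, 8):
        raise ValueError("expected a 4- or 8-byte little-endian field")
    value = int.from_bytes(raw, "little")
    attempts = {
        "unix": lambda: unix_to_dt(value),
        "cocoa": lambda: cocoa_to_dt(value),
        "hfs+": lambda: hfs_to_dt(value),
    }
    if len(raw) == 8:
        attempts["filetime"] = lambda: filetime_to_dt(value)
    else:
        # FAT directory entries store the time word before the date word.
        t = int.from_bytes(raw[:2], "little")
        d = int.from_bytes(raw[2:], "little")
        attempts["dos"] = lambda: dos_to_dt(t, d)
    found = {}
    for name, fn in attempts.items():
        try:
            dt = fn()
        except (OverflowError, ValueError):   # outside datetime range / bad field
            continue
        if _plausible(dt):
            found[name] = dt
    return found


# Constructed sample fields (not taken from a real evidence file).
SAMPLE_FIELDS = {
    "filetime_2020": (132223104000000000).to_bytes(8, "little"),
    "unix_2020": (1577836800).to_bytes(4, "little"),
    "dos_2020": (0).to_bytes(2, "little") + (20513).to_bytes(2, "little"),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_FIELDS.items():
        readings = {k: v.isoformat() for k, v in decode_candidates(raw).items()}
        print(label, raw.hex(), readings)
```

    Note how the constructed FAT field for 2020-01-01 also decodes to a plausible Unix date in 2012, and how an all-zero 8-byte field still yields a "valid" Cocoa reading of 2001-01-01: a decoded date is only evidence once the format is established from the structure the field was found in.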

    Tools for Mac OS

    • Audit is a utility for dumping OS X audit logs.
    • Disk Arbitrator blocks the automatic mounting of file systems by disabling disk arbitration, complementing a hardware write blocker.
    • FTK Imager CLI for Mac OS is the console version of FTK Imager for Mac OS.
    • IORegInfo is a utility for displaying information about devices connected to a computer (SATA, USB and FireWire, software RAID arrays). It can determine partition information, including sizes, types and the bus to which the device is connected.
    • mac_apt (macOS Artifact Parsing Tool) is a utility for working with E01, DD and DMG images.
    • Volafox is a memory analysis utility for Mac OS X.

    Mobile devices

    • iPBA2 is an iOS backup analysis utility.
    • iPhone Analyzer is a utility for analysing the file structure of the iPad, iPod and iPhone.
    • ivMeta is a utility for extracting the phone model and software version, as well as date / time and GPS data, from iPhone videos.
    • Rubus is a utility for deconstructing BlackBerry .ipd backup files.
    • SAFT extracts SMS, call logs and contacts from Android devices.

    Previous articles in this series:

    Computer forensics (forensics): an overview of tools and training sites.
    Computer forensics (forensics): a selection of useful links.