A selection of free computer forensics utilities (forensics)

This article provides free tools for investigating information security incidents.

Disk Tools and Data Acquisition

• Arsenal Image Mounter utility for working with disk images in Windows, access to partitions and volumes, etc.
• DumpIt utility for dumping the physical memory of Windows computers 32/64 bit. It can work with a USB drive.
• EnCase Forensic Imager is a utility for creating EnCase evidence files.
• Encrypted Disk Detector utility to detect encrypted volumes TrueCrypt, PGP or Bitlocker.
• EWF MetaEditor utility for editing EWF metadata (E01).
• FAT32 Format utility for formatting large capacity drives in FAT32.
• Forensics Acquisition of Websites browser designed to capture web pages for investigations.
• FTK Imager view and clone storage media in a Windows environment.
• Guymager is a multi-threaded utility with a GUI for creating disk images running Linux.
• Live RAM Capturer utility for RAM dump extraction, including protected by anti-debugging or anti-dumping system.
• NetworkMiner is a network analysis tool for detecting the OS, host name, and open ports of network nodes using packet capture / PCAP analysis.
• Magnet RAM Capture utility for capturing RAM from Windows XP to Windows 10, Win Server 2003, 2008, 2012.
• OSFClone utility live CD / DVD / USB for creating dd or AFF images.
• OSFMount utility for monitoring disk images, also allows you to create RAM disks.

Email Analysis

• EDB Viewer utility for viewing Outlook EDB files without an Exchange server.
• Mail Viewer utility for viewing Outlook Express files, Windows Mail / Windows Live Mail, a Mozilla Thunderbird message database and individual EML files.
• MBOX Viewer utility for viewing emails and attachments MBOX.
• OST Viewer utility to view Outlook OST files without an Exchange server.
• PST Viewer utility to view Outlook PST files without an Exchange server.

File and Data Analysis

• analyzeMFT parsing utility for MFT from the NTFS file system, allowing you to analyze the results using other tools.
• bstrings binary data search utility, including regular expression search.
• CapAnalysis PCAP view utility.
• Crowd Response is a Windows-based console application to help gather system information for incident response and security.
• Crowd Inspect utility for obtaining information about network processes, listing binary files associated with each process. It queries VirusTotal and other online malware analysis tools and reputation services.
• The DCode utility converts various data types into date / time values.
• Defraser utility for detecting full and partial data about multimedia files in unallocated space.
• eCryptfs Parser utility recursively analyzes the headers of each eCryptfs file in the selected directory.
• Encryption Analyzer utility for analyzing password-protected and encrypted files, analyzes the complexity of encryption reports and decryption options for each file.
• ExifTool is a utility for reading and editing Exif data in a large number of file types.
• File Identifier online file type analysis (over 2000).
• Forensic Image Viewer utility for extracting data from images.
• Link Parser utility for recursive folder analysis, extracting more than 30 attributes from Windows .lnk (shortcut) files.
• Memoryze analysis of RAM images, including analysis of "page" files.
• MetaExtractor utility for extracting meta-information from office documents and pdf.
• Shadow Explorer utility for viewing and extracting files from shadow copies.

Tools for Mac OS

• Audit utility for outputting audit and OS X logs.
• Disk Arbitrator blocks mounting of file systems, supplementing the write blocker when disabling disk arbitration.
• FTK Imager CLI for Mac OS is the console version for Mac OS of the FTK Imager utility.
• IORegInfo utility for displaying information on devices connected to a computer (SATA, USB and FireWire, software RAID arrays). It can determine partition information, including sizes, types, and the bus to which the device is connected.
• mac_apt utility for working with images E01, DD, DMG.
• Volafox is a memory analysis utility for Mac OS X.

Mobile devices

• iPBA2 iOS Backup Analysis Utility.
• iPhone Analyzer utility for analyzing file structure of Pad, iPod and iPhone.
• ivMeta is a utility for extracting the phone model and software version, as well as temporary data and GPS data from the iPhone video.
• Rubus utility for deconstructing Blackberry .ipd backup files.
• SAFT extract SMS, call logs and contacts from Android devices.

---

Previous articles in this series:

Computer forensics (forensics) - an overview of tools and training sites .
Computer forensics (forensics): a selection of useful links.