Top 10 free Computer Forensic Software

| Rank | Name | From | Description |
|---|---|---|---|
| 1 | FTK Imager | AccessData | Imaging tool, disk viewer and image mounter |
| 2 | FoxAnalysis | forensic-software | Basic analysis of internet history data from Firefox |
| 3 | Forensic Image Viewer | Sanderson Forensics | View various picture formats, enhance images, extract Exif & GPS data |
| 4 | DumpIt | MoonSols | Generates physical memory dump of Windows 32 & 64 bit machines |
| 5 | OSForensics | Passmark Software | Application suite to carry out wide range of forensic tasks |
| 6 | USB Write Blocker | DSi | Enables software write-blocking of USB ports |
| 7 | Encrypted Disk Detector | JAD Software | Checks local physical drives for TrueCrypt, PGP, or Bitlocker volumes |
| 8 | PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |
| 9 | Mail Viewer | MiTec | Outlook Express, Windows Mail/Live Mail, Mozilla Thunderbird, EML file viewer |
| 10 | P2 eXplorer* | Paraben | Virtually mount drives & forensic images |

Disc and Imaging Tools

| Name | Version | From | Description |
|---|---|---|---|
| DumpIt | 1.3.2 | MoonSols | Generates physical memory dump of Windows machines, 32-bit and 64-bit. Can run from USB keys |
| Encrypted Disk Detector | 1.2.0 | JADsoftware | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
| FAT32 Format | 1.05 | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
| FTK Imager | 3.1.0 | AccessData | Imaging tool, disk viewer and image mounter |
| Guymager | 0.6.2 | vogu00 | Multi-threaded GUI imager running under Linux |
| HotSwap | 5.0.0 | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area |
| P2 eXplorer* | 3.1 | Paraben | Virtually mount drives & forensic images |
| Tableau Imager* | 1.11 | Tableau | Imaging tool for use with Tableau imaging products |
| VHD Tool | 2.0 | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management |

Email Analysis

| Name | Version | From | Description |
|---|---|---|---|
| EDB Viewer | 11.05.01 | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server |
| Gmail Parser | 1.0.0 | Woanware | Parses various Gmail artefacts from cached HTML files |
| Mail Viewer | 1.7.6 | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files |
| OST Viewer | 11.05.01 | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server |
| PST Viewer | 11.05.01 | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |

General

| Name | Version | From | Description |
|---|---|---|---|
| Agent Ransack | 2010 (762) | Mythicsoft | Search multiple files using Boolean operators and Perl Regex |
| EvidenceMover* | 2.00 | Nuix | Copies data between locations, with file comparison, verification, logging |
| FastCopy | 2.08 | Shirouzu Hiroaki | Self-labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc |
| File Signatures | 17 Jan. 2012 | Gary Kessler | Table of file signatures |
| Forensic Test Images | Various | Various | Collated forensic images for training, practice and validation |
| HashMyFiles | 1.85 | Nirsoft | Calculate MD5 and SHA1 hashes |
| MobaLiveCD | 2.10 | Mobatek | Run Linux live CDs from their ISO image without having to boot to them |
| Mouse Jiggler | 1.2 | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc |
| Notepad++ | 5.9.8 | Notepad++ | Advanced Notepad replacement |
| NSRL | 2.35 | NIST | Hash sets of ‘known’ (ignorable) files |
| Quick Hash | 1.4.1 | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files |
| USB Write Blocker | 1.0 | DSi | Enables software write-blocking of USB ports |
| Windows Forensic Environment | Various | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD |

File and Data Analysis

| Name | Version | From | Description |
|---|---|---|---|
| Advanced Prefetch Analyser | 2.4 | Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files |
| analyzeMFT | 2.0 | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
| Audit Viewer | unknown | Mandiant | Viewer used with Memoryze (see below) |
| DCode | 4.2.0.9306 | Digital Detective | Converts various data types to date/time values |
| Defraser | 1.3.0 | Various | Detects full and partial multimedia files in unallocated space |
| eCryptfs Parser | 1.0.0.a | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original filesize, signature used, etc |
| Forensic Image Viewer | 1.03 | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
| Highlighter | unknown | Mandiant | Examine log files using text, graphic or histogram views |
| Live Detector* | 2.1 | H-11 Digital Forensics | Collects volatile data; account & password identification; browser artefacts, user behaviour; and Microsoft Windows System info |
| LiveContactsView | 1.10 | Nirsoft | View and export Windows Live Messenger contact details |
| RSA Netwitness Investigator | 9.5.5.6 | EMC | Network packet capture and analysis |
| Memoryze | unknown | Mandiant | Acquire and/or analyze RAM images, including the page file on live systems |
| MFTview | 1.1.0 | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
| PsTools | 2.44 | Microsoft | Suite of command-line Windows utilities |
| Shadow Explorer | 23 Aug. 2011 | Shadow Explorer | Browse and extract files from shadow copies |
| SQLite Manager | 0.7.7 | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
| Strings | 2.42 | Microsoft | Command-line tool for text searches |
| Structured Storage Viewer | 3.3.1 | MiTec | View and manage MS OLE Structured Storage based files |
| TimeLord | 0.1.5.6 | Paul Tew | Time utility; timezones, BIOS times, decode computer time formats, etc |
| Windows File Analyzer | 2.5 | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |

Data Analysis Suites

| Name | Version | From | Description |
|---|---|---|---|
| Autopsy | 3.0 | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) |
| Backtrack | 5.0 R1 | Backtrack | Penetration testing and security audit with forensic boot capability |
| Caine | 2.5.1 | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools |
| Digital Forensics Framework | 1.2.0 | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items |
| OSForensics | 1.0.1005 | Passmark Software | Windows application to carry out wide range of forensic tasks. |
| P2 Shuttle Free* | 1.30 | Paraben | Remote disk mounting, network RAM capture, search tools. Limited version of P2 Shuttle Pro |
| Paladin* | 2.0 | Sumuri | Ubuntu based live boot CD for imaging and analysis |
| SIFT* | 2.10 | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations |
| The Sleuth Kit | 3.2.3 | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools |
| Ubuntu guide | unknown | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc |
| Volatility Framework | 2.0 | Volatile Systems | Collection of tools for the extraction of artifacts from RAM |

File Viewers

| Name | Version | From | Description |
|---|---|---|---|
| Microsoft Excel 2007 Viewer | 1.00 | Microsoft | View Excel spreadsheets |
| Microsoft PowerPoint 2007 Viewer | 1.00 | Microsoft | View PowerPoint presentations |
| Microsoft Visio 2010 Viewer | 1.00 | Microsoft | View Visio diagrams |
| Microsoft Word Viewer | 1.00 | Microsoft | View Word documents |
| VLC | 1.1.11 | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc |

Internet History Analysis

| Name | Version | From | Description |
|---|---|---|---|
| ChromeAnalysis | 1.0.1 | Foxton Software | Analysis of internet history data generated using Google Chrome |
| ChromeCacheView | 1.35 | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache |
| FoxAnalysis | 1.4.2 | Foxton Software | Basic analysis of internet history data from Firefox versions 1, 2 and 3. |
| IECacheView | 1.46 | Nirsoft | Displays various details of files in Internet Explorer cache; number of hits, last accessed times, etc |
| IECookiesView | 1.74 | Nirsoft | Extracts various details of Internet Explorer cookies |
| IEHistoryView | 1.7 | Nirsoft | Extracts recently visited Internet Explorer URLs |
| IEPassView | 1.26 | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 |
| MozillaCacheView | 1.51 | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaCookieView | 1.36 | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers |
| MozillaHistoryView | 1.42 | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages |
| MyLastSearch | 1.50 | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) |
| PasswordFox | 1.30 | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser |
| OperaCacheView | 1.37 | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache |
| OperaPassView | 1.05 | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat |
| Web Historian | unknown | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers |

Registry Analysis

| Name | Version | From | Description |
|---|---|---|---|
| ForensicUserInfo | 1.04 | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file |
| Process Monitor | 2.96 | Microsoft | Examine Windows processes and registry threads in real time |
| Registry Decoder | 1.1 | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
| RegRipper | 20111410 | Harlan Carvey | Registry data extraction and correlation tool |
| Regshot | 1.8.3 | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software |
| USB Device Forensics | 1.06 | Woanware | Details previously attached USB devices on exported registry hives |
| USBDeview | 2.00 | Nirsoft | Details previously attached USB devices |
| UserAssist | 2.4.3 | Didier Stevens | Displays list of programs run, with run count and last run date and time |

Application Analysis (other)

| Name | Version | From | Description |
|---|---|---|---|
| KaZAlyser | 1.2.8 | Sanderson Forensics | Extracts various data from the KaZaA application |
| LiveContactsView | 1.10 | Nirsoft | View and export Windows Live Messenger contact details |
| SkypeLogView | 1.21 | Nirsoft | View Skype calls and chats |

*Entries marked with a star indicate that registration is required before downloading
