
Best Digital Forensics Tools

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science
encompassing the recovery and investigation of material found in digital devices, often in relation
to computer crime. The term digital forensics was originally used as a synonym for computer
forensics but has expanded to cover investigation of all devices capable of storing digital data. With
roots in the personal computing revolution of the late 1970s and early 80s, the discipline evolved in
a haphazard manner during the 1990s, and it was not until the early 21st century that national
policies emerged.
Digital forensics investigations have a variety of applications. The most common is to support or
refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts.
Forensics may also feature in the private sector; such as during internal corporate investigations or
intrusion investigation (a specialist probe into the nature and extent of an unauthorized network
intrusion).
The technical aspect of an investigation is divided into several sub-branches, relating to the type of
digital devices involved; computer forensics, network forensics, forensic data analysis and mobile
device forensics. The typical forensic process encompasses the seizure, forensic imaging
(acquisition) and analysis of digital media and the production of a report into collected evidence.
As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence
to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in
copyright cases), or authenticate documents. Investigations are much broader in scope than other
areas of forensic analysis (where the usual aim is to provide answers to a series of simpler
questions) often involving complex time-lines or hypotheses.

Usually computer forensics tools can be classified into various categories:


Disk and data capture tools
File viewers
File analysis tools
Registry analysis tools
Internet analysis tools
Email analysis tools
Mobile devices analysis tools
Mac OS analysis tools
Network forensics tools
Database forensics tools

Autopsy
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other
digital forensics tools. It can be used by law enforcement, military, and corporate examiners to
investigate what happened on a computer. You can even use it to recover photos from your camera's
memory card.
Autopsy Features:
Timeline Analysis: Displays system events in a graphical interface to help identify activity.
Keyword Search: Text extraction and index search modules enable you to find files that mention
specific terms and to find regular expression patterns.
Web Artifacts: Extracts web activity from common browsers to help identify user activity.
Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
LNK File Analysis: Identifies shortcuts and accessed documents.
Email Analysis: Parses MBOX format messages, such as Thunderbird.
EXIF: Extracts geo location and camera information from JPEG files.
File Type Sorting: Group files by their type to find all images or documents.
Media Playback: View videos and images in the application without requiring an external viewer.
Thumbnail viewer: Displays thumbnails of images for quick viewing of pictures.
Robust File System Analysis: Support for common file systems, including NTFS, FAT12, FAT16,
FAT32, HFS+, ISO9660 (CD-ROM), Ext2, Ext3, and UFS from The Sleuth Kit.
Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom
hashsets in HashKeeper, md5sum, and EnCase formats.
Tags: Tag files with arbitrary tag names, such as bookmark or suspicious, and add comments.
Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in
many languages (Arabic, Chinese, Japanese, etc.).
Deft
DEFT (acronym for Digital Evidence & Forensics Toolkit) is a distribution made for Computer
Forensics, with the purpose of running live on systems without tampering or corrupting devices
(hard disks, pendrives, etc) connected to the PC where the boot process takes place.
The system is based on GNU/Linux; it can run live (via DVD-ROM or USB pendrive), be installed, or
run as a virtual appliance on VMware or VirtualBox. The distro employs LXDE as its desktop
environment and WINE for executing Windows tools under Linux. It features a comfortable mount
manager for device management.
DEFT is paired with DART (acronym for Digital Advanced Response Toolkit), a forensics system
which can be run on Windows and contains the best tools for forensics and incident response.
DART features a GUI with logging and integrity checks for the tools it contains.
Besides all this, the DEFT staff is devoted to implementing and developing applications which are
released to law enforcement officers, such as Autopsy 3 for Linux.
The system is currently employed in several places and by several kinds of users, such as:
Military
Government Officers
Law Enforcement
Investigators
Expert Witnesses
IT Auditors
Universities
Individuals
The Volatility Framework
The Volatility Framework is a completely open collection of tools, implemented in Python under the
GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM)
samples. The extraction techniques are performed completely independently of the system being
investigated but offer visibility into the runtime state of the system. The framework is intended to
introduce people to the techniques and complexities associated with extracting digital artifacts from
volatile memory samples and to provide a platform for further work into this exciting area of research.

Santoku
Santoku is a platform for mobile forensics, mobile malware analysis and mobile application security
assessment. The free Santoku Community Edition is a collaborative project to provide a preconfigured Linux environment with utilities, drivers and guides for these areas.
Boot into Santoku and get to work, with the latest security tools and utilities focused on mobile
platforms such as Android and iOS.
Santoku Linux is a bootable Linux ISO which you can run as Live CD or install on a PC/VM.
Santoku Linux is a Free and Open Source distribution and contains the best tools from around the
web with a focus on Mobile Forensics, Mobile Malware and Mobile Security.
Sponsored by digital forensics and security firm viaForensics, Santoku Linux is available as a free
community edition. viaForensics also offers viaLabs, essentially a commercial system running on
top of Santoku. This distribution is a fork (a variant) of the MobiSec Ubuntu distribution, which
means that if you already know how to use Ubuntu, many of the commands and the user interface are
already very familiar to you. It also uses the popular GNOME desktop, so the graphical user
interface is one many users already use.

DFF
DFF (Digital Forensics Framework) is a free and Open Source computer forensics software built on
top of a dedicated Application Programming Interface (API).
It can be used both by professionals and non-experts in order to quickly and easily collect,
preserve and reveal digital evidence without compromising systems and data.
Preserve digital chain of custody
Access to local and remote devices
Read standard digital forensics file formats
Virtual machine disk reconstruction
Windows and Linux OS forensics
Quickly triage and search for (meta-)data
Recover hidden and deleted artifacts
Volatile memory forensics

Open Computer Forensics Architecture
A modular computer forensics framework. The project aims to be highly modular, robust, fault
tolerant, recursive and scalable in order to be usable in large investigations that span numerous
terabytes of evidence data and cover hundreds of evidence items.
The Open Computer Forensics Architecture (OCFA) is a distributed open-source computer
forensics framework used to analyze digital media within a digital forensics laboratory
environment. The framework was built by the Dutch national police.

Architecture
OCFA consists of a back end for the Linux platform; it uses a PostgreSQL database for data storage,
a custom content-addressable storage or CarvFS based data repository and a Lucene index. The
front end for OCFA has not been made publicly available due to licensing issues.

The framework integrates with other open source forensic tools and includes modules for The
Sleuth Kit, Scalpel, Photorec, libmagic, GNU Privacy Guard, objdump, exiftags, zip, 7-zip, tar,
gzip, bzip2, rar, antiword, qemu-img, and mbx2mbox. OCFA is extensible in C++ or Java.
CAINE
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution
created as a digital forensics project.
Currently the project manager is Nanni Bassetti.
CAINE offers a complete forensic environment that is organized to integrate existing software tools
as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
an interoperable environment that supports the digital investigator during the four phases of the
digital investigation
a user friendly graphical interface
user friendly tools
C.A.I.N.E. fully represents the spirit of the Open Source philosophy, because the project is
completely open: anyone can take over the legacy of the previous developer or project manager. The
distro is open source, the Windows side (Wintaylor) is open source and, last but not least, the
distro is installable, so it can be rebuilt into a brand new version, giving this project a long
life.
X-Ways Forensics
X-Ways Forensics is an advanced work environment for computer forensic examiners and our
flagship product. It runs under Windows XP/2003/Vista/2008/7/8/8.1*, 32 bit/64 bit,
standard/PE/FE. Compared to its competitors, X-Ways Forensics is more efficient to use after a
while, often runs faster, is not as resource-hungry, finds deleted files and search hits that the
competitors will miss, offers many features that the others lack, is made by a German company,
and it comes at a fraction of the cost! X-Ways Forensics is fully portable and runs off a USB stick on
any given Windows system without installation. Unlike competing software, it does not require you to
set up an Oracle database that makes you wonder whether you can still load your case tomorrow.
It downloads and installs within seconds (just a few MB in size, not GB). Unlike with competing
software, you are free to use your licenses for teaching and may sell your licenses to someone else.
X-Ways Forensics is based on the WinHex hex and disk editor and is part of an efficient workflow
model where computer forensic examiners share data and collaborate with investigators that use X-Ways Investigator.

Key Features:
Disk imaging and cloning
Ability to read file system structures inside various image files
It supports most of the file systems including FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2,
Ext3, Ext4, Next3, CDFS/ISO9660/Joliet, UDF
Automatic detection of deleted or lost hard disk partition
Various data recovery techniques and powerful file carving
Bulk hash calculation
Viewing and editing binary data structures using templates
Easy detection of and access to NTFS ADS
Well maintained file header
Automated activity logging
Data authenticity
Complete case management
Memory and RAM analysis
Gallery view for pictures
Internal viewer for Windows registry file
Automated registry report
Extracts metadata from various file types
Ability to extract emails from various available email clients.
And many more..
HELIX3
Helix3 Enterprise is an easy to use cyber security solution integrated into your network giving you
visibility across your entire infrastructure revealing malicious activities such as Internet abuse, data
sharing and harassment. H3E also allows you to isolate and respond to incidents or threats quickly
and without user detection through a central administration tool.
Helix3 Enterprise allows you to quickly Detect, Identify, Analyze, Preserve and Report giving you
the evidence to reveal the truth and protect your business. This tool can collect data from physical
memory, network connections, user accounts, executing processes and services, scheduled jobs,
Windows Registry, chat logs, screen captures, SAM files, applications, drivers, environment
variables and Internet history.

Easy to Use
Quick Implementation
Review Employee Internet Usage
Capture Screen Shots and Key Logging
e-Discovery Across the Entire Network
Sophisticated Computer Forensic Capabilities
Reporting

Helix3 Enterprise Benefits:
Compliance Management
Cyber Security
Protection from Employee Malicious Behavior
Litigation Support
Intelligent Network Monitoring
Cost Effective
The Sleuth Kit
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to
investigate disk images. The core functionality of TSK allows you to analyze volume and file
system data. The plug-in framework allows you to incorporate additional modules to analyze file
contents and build automated systems. The library can be incorporated into larger digital forensics
tools and the command line tools can be directly used to find evidence.

Capabilities
A summary of the tools contained in TSK can be found on the TSK Tool Overview page. Currently,
TSK supports the following file systems:
EXT2, EXT3, EXT4
FAT, exFAT
HFS
ISO 9660
NTFS
UFS 1, UFS 2
YAFFS2

SIFT SANS Investigative Forensics Toolkit
The SANS Investigative Forensic Toolkit (SIFT) is a computer forensics VMware appliance that
is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is
compatible with expert witness format (E01), advanced forensic format (AFF), and raw (dd)
evidence formats. The new version has been completely rebuilt on an Ubuntu base with many
additional tools and capabilities that can match any modern forensic tool suite.

The toolkit has the ability to securely examine raw disks, multiple file systems, and evidence
formats. It places strict guidelines on how evidence is examined (read-only), verifying that the
evidence has not changed.

File system support
Windows (MS-DOS, FAT, VFAT, NTFS)
Mac (HFS)
Solaris (UFS)
Linux (ext2/3)
Evidence image support
Expert Witness (E01/L01)
RAW (dd)
Advanced Forensic Format (AFF)
Software
MantaRay (Automated Forensic Processing), MantaRay's GitHub
The Sleuth Kit (File system analysis tools)
log2timeline (timeline generation tool)
ssdeep & md5deep (hashing tools)
Foremost/Scalpel (File Carving)
Wireshark (Network Forensics)
Vinetto (thumbs.db examination)
Pasco (IE Web History examination)
Rifiuti (Recycle Bin examination)
Volatility Framework (memory analysis)
DFLabs PTK (GUI front-end for Sleuthkit)
Autopsy (GUI front-end for Sleuthkit)
PyFLAG (GUI Log/Disk examination)
Xplico
The goal of Xplico is to extract the application data contained in an internet traffic capture. For
example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP
contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn't a network protocol analyzer.
Xplico is an open source Network Forensic Analysis Tool (NFAT).
Xplico is released under the GNU General Public License and with some scripts under Creative
Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) License. For
more details see License.

Features
Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, ...;
Port Independent Protocol Identification (PIPI) for each application protocol;
Multithreading;
Output data and information in an SQLite database or MySQL database and/or files;
Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and
the pcap containing the reassembled data;
Real-time elaboration (depends on the number of flows, the types of protocols and on the
performance of the computer: RAM, CPU, HD access time, etc.);
TCP reassembly with ACK verification for any packet or soft ACK verification;
Reverse DNS lookup from DNS packets contained in the input files (pcap), not from an external
DNS server;
No size limit on data entry or on the number of input files (the only limit is HD size);
IPv4 and IPv6 support;
Modularity. Each Xplico component is modular. The input interface, the protocol decoder
(Dissector) and the output interface (dispatcher) are all modules;
The ability to easily create any kind of dispatcher with which to organize the extracted data in the
way most appropriate and useful to you;
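The feature list above mentions TCP reassembly with ACK verification (strict) or soft ACK verification. The following is an added example of what that distinction means in practice; it is our own simplified model and not Xplico's code. Segments are hand-constructed (seq, payload) tuples rather than packets parsed from a pcap, and the class handles out-of-order arrival, duplicate retransmissions and partial overlaps before deciding which bytes to release.

```python
"""Added illustration of TCP stream reassembly with ACK verification, in the spirit
of the Xplico feature listed above; our own simplified model, not Xplico's code.
Segments are constructed by hand rather than parsed from a pcap."""


class TcpStream:
    """Reassembles one direction of a TCP connection from its segments.

    Out-of-order segments are held until the gap before them is filled, duplicates
    and already-delivered prefixes of retransmissions are dropped, and the peer's
    highest ACK is tracked so that data the peer never acknowledged (for example a
    segment the sniffer saw but the receiver dropped) can be left out of the stream."""

    def __init__(self, isn: int):
        self.isn = isn               # initial sequence number of this direction
        self.next_seq = isn          # next in-order byte we are waiting for
        self.pending = {}            # seq -> payload for segments that arrived early
        self.data = bytearray()      # in-order reassembled bytes
        self.peer_ack = isn          # highest ACK number seen from the other side

    def add_segment(self, seq: int, payload: bytes) -> None:
        if not payload or seq + len(payload) <= self.next_seq:
            return                   # empty segment or pure duplicate, already delivered
        self.pending[seq] = payload
        # deliver everything that is now contiguous, trimming any overlap with
        # bytes that were delivered in the meantime
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break
            seq = min(ready)
            chunk = self.pending.pop(seq)
            tail = chunk[self.next_seq - seq:]
            self.data += tail
            self.next_seq += len(tail)

    def ack_from_peer(self, ack: int) -> None:
        """Record an ACK number carried by a segment travelling the other way."""
        self.peer_ack = max(self.peer_ack, ack)

    def reassembled(self, ack_verify: bool = True) -> bytes:
        """With ack_verify (strict ACK verification) only bytes the peer has acknowledged
        are returned; without it (soft mode) every contiguous byte seen on the wire is."""
        if not ack_verify:
            return bytes(self.data)
        return bytes(self.data[: max(0, self.peer_ack - self.isn)])


def demo_session() -> TcpStream:
    """Constructed client-to-server HTTP request whose segments were sniffed out of order."""
    client = TcpStream(isn=1000)
    client.add_segment(1000, b"GET /index.html ")        # seq 1000-1015
    client.add_segment(1026, b"Host: example\r\n\r\n")   # arrives before the gap is filled
    client.add_segment(1016, b"HTTP/1.1\r\n")            # fills the gap, releases both
    client.add_segment(1000, b"GET /index.html ")        # retransmission, dropped
    client.ack_from_peer(1026)                            # server has acknowledged only up to 1026
    return client
```

In strict mode the trailing Host header is withheld until an ACK covering it is seen, which is the behaviour you want when the capture point sits before a device that may drop segments; soft mode is the pragmatic choice for one-sided captures where the peer's ACKs were never recorded.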
Oxygen Forensic Suite
Oxygen Forensic Suite 2014 is mobile forensic software for logical analysis of cell phones,
smartphones and PDAs developed by Oxygen Software. The suite can extract device information,
contacts, calendar events, SMS messages, event logs, and files. In addition, the vendor claims the
suite can extract metadata related to the above. As of December 2014 the suite supported more than
8,400 devices, including Nokia, Apple iPhone series, Apple iPod Touch, Apple iPad, Vertu, Sony
Ericsson, Samsung, Motorola, Blackberry, Panasonic, Siemens, HTC, HP, E-Ten, Gigabyte, i-Mate,
Chinese (Mediatek) Phones and other mobile phones. The suite also supports devices running
Symbian OS, Windows Mobile 5/6, Microsoft Windows Phone 8 and Android OS devices.
The purpose of Oxygen Forensic Suite is to apply advanced data recovery algorithms in order to
gather a significant amount of information from the target digital storage media, which can then be
used in creating a legal evidence set.
PlainSight
PlainSight is a versatile computer forensics environment that allows inexperienced forensic
practitioners to perform common tasks using powerful open source tools. The team has taken the best
open source forensic/security tools, customised them, and combined them with an intuitive user
interface to create an incredibly powerful forensic environment.

With PlainSight you can perform operations such as:
Get hard disk and partition information
Extract user and group information
View Internet histories
Examine Windows firewall configuration
Discover recent documents
Recover/Carve over 15 different file types
Discover USB storage information
Examine physical memory dumps
Examine UserAssist information
Extract LanMan password hashes
Preview a system before acquiring it
EnCase
EnCase is the shared technology within a suite of digital investigations products by Guidance
Software. The software comes in several products designed for forensic, cyber security, security
analytics, and e-discovery use. The company also offers EnCase training and certification. Data
recovered by EnCase has been used successfully in various court systems around the world, such as
in the cases of the BTK Killer and the murder of Danielle van Dam.
EnCase Product Line
EnCase technology is available within a number of products, currently including: EnCase Forensic,
EnCase Cybersecurity, EnCase eDiscovery, and EnCase Portable. Guidance Software also runs
training courses and certification, over 50,000 individuals have completed the training to date.

Features
EnCase contains tools for several areas of the digital forensic process; acquisition, analysis and
reporting. The software also includes a scripting facility called EnScript with various APIs for
interacting with evidence.

EnCase Evidence File Format
EnCase contains functionality to create forensic images of suspect media. Images are stored in the
proprietary EnCase Evidence File Format; the compressible file format is prefixed with case data
information and consists of a bit-by-bit (i.e. exact) copy of the media interspersed with CRC hashes
for every 64K of data. The file format also appends an MD5 hash of the entire drive as a footer.
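To make the two-level integrity scheme just described concrete, here is an added example that imitates it: media copied in 64K chunks, each followed by a CRC, and an MD5 of the whole media as the footer. This is not EnCase's code and not the real EWF/E01 layout; the real format's header, chunk table, compression and checksum type are not reproduced, and the CRC32 and 4-byte little-endian field are our own choices. The point it shows is why both levels are useful: the per-chunk CRC localises damage to one chunk, while the footer MD5 answers whether the drive as a whole still matches what was acquired.

```python
"""Added illustration (not EnCase's own code or the real EWF/E01 layout) of the
integrity scheme the text describes: media copied bit for bit in 64K chunks,
each chunk followed by a CRC, and an MD5 of the whole media as a footer.
CRC32 in a 4-byte little-endian field is our own choice."""
import hashlib
import struct
import zlib

CHUNK = 64 * 1024     # 64K of media per CRC, as in the text
CRC_FMT = "<I"        # 4-byte little-endian CRC32 (our choice)
CRC_LEN = struct.calcsize(CRC_FMT)
MD5_LEN = 16


def write_image(media: bytes) -> bytes:
    """Lay the media out as [chunk][crc32]...[chunk][crc32][md5 footer]."""
    out = bytearray()
    for off in range(0, len(media), CHUNK):
        chunk = media[off:off + CHUNK]
        out += chunk
        out += struct.pack(CRC_FMT, zlib.crc32(chunk) & 0xFFFFFFFF)
    out += hashlib.md5(media).digest()          # footer over the entire media
    return bytes(out)


def verify_image(image: bytes):
    """Return (media, bad_chunk_indexes, md5_ok) for an image written by write_image."""
    body, footer = image[:-MD5_LEN], image[-MD5_LEN:]
    media = bytearray()
    bad_chunks = []
    pos = idx = 0
    while pos < len(body):
        chunk_len = min(CHUNK, len(body) - pos - CRC_LEN)   # last chunk may be short
        chunk = body[pos:pos + chunk_len]
        (stored,) = struct.unpack(CRC_FMT, body[pos + chunk_len:pos + chunk_len + CRC_LEN])
        if zlib.crc32(chunk) & 0xFFFFFFFF != stored:
            bad_chunks.append(idx)                 # damage localised to this 64K chunk
        media += chunk
        pos += chunk_len + CRC_LEN
        idx += 1
    md5_ok = hashlib.md5(media).digest() == footer  # whole-drive check
    return bytes(media), bad_chunks, md5_ok


def image_offset(media_offset: int) -> int:
    """Where a media byte sits inside the image: one CRC precedes it per full chunk before it."""
    return media_offset + CRC_LEN * (media_offset // CHUNK)


def corrupt(image: bytes, media_offset: int) -> bytes:
    """Flip one bit of the stored copy of a media byte (simulated storage damage)."""
    buf = bytearray(image)
    buf[image_offset(media_offset)] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    sample = bytes(range(256)) * 1000            # constructed 256,000-byte "drive"
    img = write_image(sample)
    print(verify_image(img)[1:])                 # ([], True)
    print(verify_image(corrupt(img, 70_000))[1:])  # ([1], False)
```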

Mobile forensics
As of EnCase V7, mobile phone analysis is possible with the addition of some add-ons available from
Guidance Software.

Registry Recon
Registry forensics has long been relegated to analyzing only readily accessible Windows Registries,
often one at a time, in a needlessly time-consuming and archaic way. Registry Recon provides
access to an enormous volume of Registry data which has been effectively deleted, whether that
deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT
personnel.

Features
Intuitive and efficient workflow
Resurrection of Windows Registries long since forgotten
Access to enormous amounts of deleted Registry data
Unique keys and values shown by default in historical fashion
Seamless access to all instances of keys and values
Windows restore point and volume shadow copy support
Ability to view keys (and their values) at particular points in time

LibForensics
LibForensics is a library for developing digital forensics applications. Currently it is developed in
pure Python. After a majority of the code has been developed and stabilized, the bottlenecks will
likely be converted into C-based modules.
LibForensics is meant to provide a full forensic stack, providing tools to do everything from
location to extraction, decoding, and interpretation. For instance, data structures are first-class
objects.
LibForensics requires Python version 3.1.
XRY
XRY is a software application designed to run on the Windows operating system which allows you
to perform a secure forensic extraction of data from a wide variety of mobile devices, such as
smartphones, GPS navigation units, 3G modems, portable music players and the latest tablet
processors such as the iPad.
Extracting data from mobile / cell phones is a specialist skill and not the same as recovering
information from computers. Most mobile devices don't share the same operating systems and are
proprietary embedded devices which have unique configurations and operating systems. What does
that mean in terms of getting data out of them? Well, in simple terms, it means it is very difficult to
do.
XRY has been designed and developed to make that process a lot easier for you, with support for
over 13,000 different mobile device profiles and over 500 smartphone app versions. We supply a
complete solution to get you what you need and the software guides you through the process step by
step to make it as easy as possible.
Mandiant RedLine
Redline lets you analyze a potentially compromised Windows operating system (OS) memory and
file structure to find signs of malicious activity.
With Redline, you can:
Collect running processes, files, registry data, and memory images
View imported data, including narrowing and filtering results around a given timeframe using
Redline's TimeWrinkle and TimeCrunch features.
Identify processes more likely worth investigating based on their Redline Malware Risk Index
(MRI) score.
Perform Indicators of Compromise (IOC) analysis.
Use whitelists to filter out known valid data based on MD5 hash values.
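Redline's MD5 whitelist above and Autopsy's Hash Set Filtering earlier on this page (known-good NSRL sets to filter out, custom known-bad sets in HashKeeper, md5sum or EnCase format to flag) are the same technique. The following is an added example of it, not code from either tool: it parses a hash set in md5sum format, hashes a set of extracted files and labels each one known good, known bad or unknown. The sample files and both hash sets are constructed for the demo; a real known-good set would come from NSRL.

```python
"""Added example (not Autopsy's or Redline's code) of hash-set filtering: files are
hashed and compared against a known-good set to drop them from review and against a
known-bad set to flag them. Hash sets are in md5sum format; sample files and sets
are constructed for the demo."""
import hashlib

HEX = set("0123456789abcdef")


def parse_md5sum(text: str) -> dict:
    """Parse md5sum lines ('<32 hex>  <name>' or '<32 hex> *<name>') into {digest: name}.
    Blank lines and '#' comments are skipped; a malformed digest raises rather than
    silently shrinking the set, since a missing hash means a missed match."""
    hashes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"malformed md5sum line: {raw!r}")
        hashes[digest] = name.strip().lstrip("*")
    return hashes


def classify(files: dict, known_good: dict, known_bad: dict) -> dict:
    """Label each file 'known bad', 'known good' or 'unknown'. Known bad is checked first
    so a digest that somehow appears in both sets is never silently filtered out."""
    verdict = {}
    for name, content in files.items():
        digest = hashlib.md5(content).hexdigest()
        if digest in known_bad:
            verdict[name] = "known bad"
        elif digest in known_good:
            verdict[name] = "known good"
        else:
            verdict[name] = "unknown"
    return verdict


# Constructed sample "files" standing in for file contents extracted from an image.
SAMPLE_FILES = {
    "calc.exe": b"benign calculator bytes",
    "update.dll": b"constructed malicious payload",
    "notes.txt": b"analyst notes, not in any set",
}


def sample_hash_sets():
    """Constructed known-good and known-bad sets in md5sum format; the digests are
    computed here so the demo stays consistent (a real set would come from NSRL or
    a custom hash list, not from the files under examination)."""
    good = ("# known good (constructed)\n"
            f"{hashlib.md5(SAMPLE_FILES['calc.exe']).hexdigest()}  calc.exe\n")
    bad = f"{hashlib.md5(SAMPLE_FILES['update.dll']).hexdigest()} *dropper.dll\n"
    return parse_md5sum(good), parse_md5sum(bad)


def triage(files=SAMPLE_FILES) -> dict:
    """Run the sample files through both sets."""
    good, bad = sample_hash_sets()
    return classify(files, good, bad)
```

Note that the known-bad set matched update.dll even though the set lists it under a different name (dropper.dll): the match is on content, so renaming does not defeat it, which is exactly why hash sets are keyed by digest rather than by file name.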

P2 eXplorer
P2 eXplorer is a forensic image mounting tool designed to help investigators manage and examine
evidence. With P2 eXplorer, you can mount forensic images as read-only local logical and physical
disks. Once mounted, you can explore the contents of the image using Windows Explorer or you
can load it into your forensic analysis tool. Because images mount as physical disks, you can view
the deleted data, slack, and unallocated space of the image.

Besides mounting forensic images as local drives, P2 eXplorer can be used to mount Paraben's
Forensic Containers. These encrypted storage containers can be used to share evidence from P2
Commander. Simply export pertinent evidence into a Forensic Container and anyone can review the
evidence using P2 eXplorer. You can also use P2 eXplorer and Forensic Containers to minimize
evidence storage. By exporting only significant evidence from a case, you can reduce your long
term storage needs. Since P2 eXplorer is free, you can share your evidence with anyone you want.

Features:
Mounts images as physical disks
Mounts Paraben's Forensic Replicator images (PFR)
Mounts compressed & encrypted PFR images
Mounts EnCase images
Mounts SafeBack 1, 2 and 3 images
Mounts SMART images
Mounts FTK DD and FTK EnCase images
Mounts WinImage non-compressed images
Mounts RAW images from Linux DD & other tools
Mounts Paraben's Forensic Containers created in P2 Commander and Deployable P2 Commander
Mounts VMware static and dynamic disk images
Mounts VMware snapshots
VirtualPC static and dynamic disk images
VirtualPC snapshots
VirtualBox images (VDI)
Auto-detects image format
Supports both logical and physical images types
MD5 hash verification
Shell support for easy mounting/unmounting
Write-protection for preserving evidence
MD5 checksum verification
Mount several images at a time

Bulk Extractor
bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and
extracts useful information without parsing the file system or file system structures. The results can
be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates
histograms of the features it finds, as features that are more common tend to be more important.
The program can be used for law enforcement, defense, intelligence, and cyber-investigation
applications.

bulk_extractor is distinguished from other forensic tools by its speed and thoroughness. Because it
ignores file system structure, bulk_extractor can process different parts of the disk in parallel. In
practice, the program splits the disk up into 16 MiByte pages and processes one page on each
available core. This means that 24-core machines process a disk roughly 24 times faster than a
1-core machine. bulk_extractor is also thorough. That's because bulk_extractor automatically detects,
decompresses, and recursively re-processes compressed data that is compressed with a variety of
algorithms. Our testing has shown that there is a significant amount of compressed data in the
unallocated regions of file systems that is missed by most forensic tools that are commonly in use
today.
Another advantage of ignoring file systems is that bulk_extractor can be used to process any digital
media. We have used the program to process hard drives, SSDs, optical media, camera cards, cell
phones, network packet dumps, and other kinds of digital information.
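The processing model described above (fixed-size pages scanned in parallel with no file-system parsing, compressed data inflated and rescanned recursively, features tallied into a histogram) is small enough to show end to end. The following is an added toy illustration of it, not bulk_extractor's code: PAGE_SIZE is shrunk from 16 MiB so the demo stays small, the overlap MARGIN around each page and the e-mail address scanner are our own choices, the offset-ZLIB-offset location notation is our own imitation of a forensic path, and the sample image is constructed. The margin exists for an edge case the page-splitting model creates: a feature that straddles a page boundary must be seen whole by one page and not reported twice or as a truncated suffix by the next.

```python
"""Added illustration of the bulk_extractor processing model described above; our own
toy, not bulk_extractor's code. Pages are scanned concurrently with no file-system
parsing, zlib streams are inflated and rescanned recursively, and e-mail addresses
found are tallied into a histogram. PAGE_SIZE is shrunk from 16 MiB; MARGIN, the
scanner and the sample image are our own choices."""
import os
import re
import zlib
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

PAGE_SIZE = 4096   # bulk_extractor uses 16 MiB pages; shrunk for the demo
MARGIN = 64        # extra bytes read around each page so a straddling feature is seen whole (our choice)
MAX_DEPTH = 3      # how far to follow compressed data nested inside compressed data
EMAIL = re.compile(rb"(?<![A-Za-z0-9._%+-])[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ZLIB_HDR = re.compile(rb"\x78[\x01\x5e\x9c\xda]")   # common zlib stream header bytes


def scan_region(buf, base, prefix, lo, hi, depth):
    """Report (address, location) for matches that start in buf[lo:hi]. `base` is the
    absolute offset of buf[0]; `prefix` carries the offset-ZLIB- notation for data that
    was only visible after inflating a compressed stream."""
    found = set()
    for m in EMAIL.finditer(buf):
        if lo <= m.start() < hi:
            found.add((m.group().decode("ascii"), f"{prefix}{base + m.start()}"))
    if depth < MAX_DEPTH:
        for m in ZLIB_HDR.finditer(buf):
            if not lo <= m.start() < hi:
                continue
            try:
                inflated = zlib.decompressobj().decompress(buf[m.start():])
            except zlib.error:
                continue                   # header-looking bytes that were not a real stream
            if inflated:
                inner = f"{prefix}{base + m.start()}-ZLIB-"
                found |= scan_region(inflated, 0, inner, 0, len(inflated), depth + 1)
    return found


def scan_page(data, page_base):
    """Scan one page plus MARGIN bytes on each side, reporting only features that begin
    inside the page proper; the leading margin keeps the regex from matching a truncated
    suffix of a feature that began in the previous page."""
    lead = min(page_base, MARGIN)
    start = page_base - lead
    buf = data[start:page_base + PAGE_SIZE + MARGIN]
    return scan_region(buf, start, "", lead, lead + PAGE_SIZE, 0)


def extract_features(data, workers=None):
    """Process every page concurrently (bulk_extractor hands each core a page) and return
    the feature set plus a histogram; the most frequent features are usually the interesting ones."""
    bases = range(0, len(data), PAGE_SIZE)
    with ThreadPoolExecutor(max_workers=workers or os.cpu_count() or 1) as pool:
        pages = list(pool.map(lambda b: scan_page(data, b), bases))
    features = set().union(*pages)
    histogram = Counter(addr for addr, _ in features)
    return features, histogram


def build_sample_image():
    """Constructed 8 KiB of zero-filled 'unallocated space' with a few planted artefacts."""
    img = bytearray(2 * PAGE_SIZE)

    def put(off, blob):
        img[off:off + len(blob)] = blob

    put(0, b"contact alice@example.org today")
    put(PAGE_SIZE - 6, b"bob@example.com")                   # straddles the page boundary
    put(6000, zlib.compress(b"hidden carol@example.net in zipped slack"))
    put(7000, b"alice@example.org")                          # second occurrence
    return bytes(img)


if __name__ == "__main__":
    feats, hist = extract_features(build_sample_image())
    for addr, where in sorted(feats, key=lambda f: f[1]):
        print(where, addr)
    print(hist.most_common())
```

The carol address is reported at 6000-ZLIB-7, meaning "inflate the stream at byte 6000 and look 7 bytes in", which is the information a file-system-blind tool needs to recover the artefact a second time; a file-walking tool would never have looked at that region at all.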
