During the 1980s, most digital forensic investigations consisted of "live analysis": examining digital media directly using non-specialist tools. In the 1990s, several freeware and proprietary tools (both hardware and software) were created to allow media to be examined without modifying it. This first set of tools focused mainly on computer forensics, although in recent years similar tools have evolved for the field of mobile device forensics. [1] This list includes notable examples of digital forensic tools.
Name | Platform | License | Version | Description |
---|---|---|---|---|
Autopsy | Windows, macOS, Linux | GPL | 4.20 | A digital forensics platform and GUI front end to The Sleuth Kit |
Cellebrite Inspector | Windows, macOS | proprietary | 10.4 | Analyzes computer data volumes and memory from Windows and Mac computers to reconstruct user actions and surface leads. |
COFEE | Windows | proprietary | n/a | A suite of tools for Windows developed by Microsoft |
Digital Forensics Framework | Unix-like/Windows | GPL | 1.3 | Framework and user interfaces dedicated to digital forensics |
Elcomsoft Premium Forensic Bundle | Windows, macOS | proprietary | 1435 | Set of tools for encrypted systems & data decryption and password recovery |
E3: Universal Software | Windows | proprietary | 3.1 | End-to-end DFIR suite from Paraben Corporation covering computers, email, internet artifacts, smartphones and IoT devices. |
EnCase | Windows | proprietary | 21.1 CE | Digital forensics suite created by Guidance Software |
FTK | Windows | proprietary | 7.6 | Multi-purpose, court-cited digital investigations platform (Forensic Toolkit) built for speed, stability and ease of use. |
IsoBuster | Windows | proprietary | 5.1 | Lightweight tool to inspect any type of data carrier; supports a wide range of file systems, with advanced export functionality. |
LLIMAGER | macOS | proprietary | 3.7 | macOS forensic imager. |
Magnet AXIOM | Windows | proprietary | 6.x | Recovers and analyzes digital evidence from many sources, including Windows and Mac devices, Linux systems and Chromebooks, in a single case file. |
Netherlands Forensic Institute / Xiraf [4] / HANSKEN [5] | n/a | proprietary | n/a | Computer-forensic online service. |
NTFSTool | Windows | MIT License | 1.7 | Forensics tool for NTFS volumes (imaging, parsing, artefact extraction) with support for BitLocker and the Encrypting File System (EFS). |
Open Computer Forensics Architecture | Linux | LGPL/GPL | 2.3.0 | Computer forensics framework for CF-Lab environment |
OSForensics [6] [7] | Windows | proprietary | 8 | Multi-purpose forensic tool |
Oxygen Forensic® Detective | Windows, macOS, Linux | proprietary | 14.3 | Finds and extracts a wide range of artifacts, system files and credentials from Windows, macOS and Linux machines. |
PTK Forensics | LAMP | proprietary | 2.0 | GUI for The Sleuth Kit |
SANS Investigative Forensics Toolkit - SIFT | Ubuntu | free | 2.1 | Multi-purpose forensic operating system |
SPEKTOR Forensic Intelligence [8] | Unix-like | proprietary | 6.x | Forensic tool used by law enforcement, military, government agencies and corporations; includes rapid imaging and automated analysis. |
The Coroner's Toolkit | Unix-like | IBM Public License | 1.19 | A suite of programs for Unix analysis |
The Sleuth Kit | Unix-like/Windows | IPL, CPL, GPL | 4.12.0 | A library of tools for both Unix and Windows |
Windows To Go | n/a | proprietary | n/a | Bootable operating system |
Memory forensics tools are used to acquire or analyze a computer's volatile memory (RAM). They are often used in incident response situations to preserve evidence in memory that would be lost when a system is shut down, and to quickly detect stealthy malware by directly examining the operating system and other running software in memory.
Name | Vendor or sponsor | Platform | License |
---|---|---|---|
Magnet AXIOM | Magnet Forensics | Windows | proprietary |
Volatility | Volatility Foundation (originally Volatile Systems) | Windows, Linux, macOS (Python) | free (GPL) |
WindowsSCOPE | BlueRISC | Windows | proprietary |
Mobile forensics tools tend to consist of both a hardware and a software component. Because mobile phones ship with a diverse range of connectors, the hardware devices support a number of different cables; they also perform the same role for the handset that a write blocker performs for computer media.
Name | Platform | License | Version | Description |
---|---|---|---|---|
Cellebrite UFED | Windows | proprietary | n/a | Hardware/software package, specializes in mobile forensic extraction |
Magnet AXIOM | Windows | proprietary | 6.x | Recovers and analyzes digital evidence from many sources, including iOS and Android devices, in a single case file. |
MicroSystemation XRY/XACT [9] | Windows | proprietary | n/a | Hardware/software package, specializes in recovery of deleted data |
Oxygen Forensic® Detective | Windows | proprietary | 14.3 | All-in-one forensic platform to extract, decode and analyze data from mobile and IoT devices, device backups, UICC and media cards, drones, and cloud services. |
Software forensics is the analysis of source code or binary code to determine whether intellectual property infringement or theft has occurred. It is the centerpiece of lawsuits, trials and settlements when companies are in dispute over software patents, copyrights and trade secrets. Software forensics tools compare two bodies of code and compute a correlation score, a measure that guides (but does not replace) the judgment of a software forensics expert.
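The correlation measure described above, as an added example that is not code from any tool listed on this page: a token-based comparison using the winnowing fingerprint scheme of Schleimer, Wilkerson and Aiken (the technique behind MOSS). Identifiers and numeric literals are normalised so that a renamed, reformatted and re-commented copy still matches; the three C sources at the bottom are constructed for the example.

```python
"""Token-based source-code correlation with winnowing fingerprints.

Added example for the software-forensics passage above; it is not code
from any tool listed on this page. It implements the winnowing scheme of
Schleimer, Wilkerson and Aiken (the technique behind MOSS): normalise the
token stream so that renaming and reformatting do not matter, hash every
k-gram of tokens, keep the minimum hash of each window of w consecutive
k-grams, and compare the resulting fingerprint sets. The three C sources
at the bottom are constructed for this example.
"""
import hashlib
import re

# Keywords survive normalisation; every other identifier becomes "ID" and
# every numeric literal "NUM", so a renamed copy yields the same tokens.
KEYWORDS = {"if", "else", "for", "while", "do", "return", "int", "char", "void",
            "const", "unsigned", "static", "size_t", "struct", "break", "continue"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|\+\+|--|==|!=|<=|>=|&&|\|\||[^\s\w]")


def strip_comments(src):
    # Simplification: comment markers inside string literals are not protected.
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    return re.sub(r"//[^\n]*", " ", src)


def tokenize(src):
    toks = []
    for t in TOKEN_RE.findall(strip_comments(src)):
        if t[0].isalpha() or t[0] == "_":
            toks.append(t if t in KEYWORDS else "ID")
        elif t[0].isdigit():
            toks.append("NUM")
        else:
            toks.append(t)
    return toks


def kgram_hashes(tokens, k):
    """32-bit hash of every run of k consecutive tokens, with its position."""
    grams = []
    for i in range(len(tokens) - k + 1):
        d = hashlib.blake2b(" ".join(tokens[i:i + k]).encode(), digest_size=4).digest()
        grams.append((int.from_bytes(d, "big"), i))
    return grams


def winnow(grams, w):
    """Keep the minimum hash of every window of w k-grams (rightmost on ties).
    Any shared run of at least w + k - 1 tokens is then guaranteed to share
    at least one fingerprint, which is what makes the comparison robust."""
    if len(grams) < w:
        return {h for h, _ in grams}
    return {min(grams[i:i + w], key=lambda g: (g[0], -g[1]))[0]
            for i in range(len(grams) - w + 1)}


def fingerprints(src, k=5, w=4):
    return winnow(kgram_hashes(tokenize(src), k), w)


def correlation(a, b, k=5, w=4):
    """Fingerprint overlap between two sources. Containment (a_in_b) is the
    figure to look at when one file may embed a copy of the other."""
    fa, fb = fingerprints(a, k, w), fingerprints(b, k, w)
    shared = len(fa & fb)
    return {"shared": shared,
            "a_in_b": shared / len(fa) if fa else 0.0,
            "b_in_a": shared / len(fb) if fb else 0.0,
            "jaccard": shared / len(fa | fb) if fa | fb else 0.0}


# Constructed samples: the claimant's function, unrelated code, and a file
# that embeds a renamed, reformatted copy of the claimant's function.
ORIGINAL = """
int checksum(const unsigned char *buf, int len) {
    int sum = 0;
    for (int i = 0; i < len; i++) {
        sum = (sum + buf[i]) % 255;
    }
    return sum;
}
"""
UNRELATED = """
static void reverse(char *s) {
    size_t i = 0, j = strlen(s);
    while (i < j) {
        char t = s[i]; s[i] = s[--j]; s[j] = t; i++;
    }
}
"""
SUSPECT = """
/* Sum all bytes of a buffer, wrapping at 256. */
int calc_sum(const unsigned char *data, int n)
{
  int acc = 0;
  for (int k = 0; k < n; k++) {
      acc = (acc + data[k]) % 256;   // wrap around
  }
  return acc;
}
""" + UNRELATED

if __name__ == "__main__":
    print("original vs suspect:  ", correlation(ORIGINAL, SUSPECT))
    print("original vs unrelated:", correlation(ORIGINAL, UNRELATED))
```

The containment figure `a_in_b` reaches 1.0 for the suspect file even though its Jaccard score is well below 1.0, because the suspect file also contains code with no counterpart in the original; that asymmetry is why an expert looks at containment rather than a single symmetric similarity number.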
The following tools do not fit the categories above; DECAF and Evidence Eliminator are anti-forensic tools rather than investigative ones.

Name | Platform | License | Version | Description |
---|---|---|---|---|
DECAF | Windows | free | n/a | Anti-forensic tool which automatically executes a set of user-defined actions on detecting Microsoft's COFEE tool |
Evidence Eliminator | Windows | proprietary | 6.03 | Anti-forensics software, claims to delete files securely |
HashKeeper | Windows | free | n/a | Database application for storing file hash signatures |
MailXaminer | Windows | proprietary (perpetual license) | 4.9.0 | Specialized email forensics tool |
Note on HANSKEN: named after the famous elephant Hansken, because of elephants' tremendous memory.
Note on mobile forensic tools: among the most popular are MicroSystemation GSM .XRY and .XACT, Cellebrite UFED, Susteen Secure View2, Paraben Device Seizure, Radio Tactics Aceso, Oxygen Phone Manager, and Compelson MobilEdit Forensic.
A Linux distribution is an operating system made from a software collection that includes the Linux kernel and often a package management system. Linux users usually obtain their operating system by downloading one of the Linux distributions, which are available for a wide variety of systems ranging from embedded devices and personal computers to powerful supercomputers.
Knoppix, stylized KNOPPIX, is an operating system based on Debian designed to be run directly from a CD / DVD or a USB flash drive. It was first released in 2000 by German Linux consultant Klaus Knopper, and was one of the first popular live distributions. Knoppix is loaded from the removable medium and decompressed into a RAM drive. The decompression is transparent and on-the-fly.
This is a list of operating systems specifically focused on security. Similar concepts include security-evaluated operating systems that have achieved certification from an auditing organization, and trusted operating systems that provide sufficient support for multilevel security and evidence of correctness to meet a particular set of requirements.
Free and Open source Software Developers' European Meeting (FOSDEM) is a non-commercial, volunteer-organized European event centered on free and open-source software development. It is aimed at developers and anyone interested in the free and open-source software movement. It aims to enable developers to meet and to promote the awareness and use of free and open-source software.
In Linux systems, initrd is a scheme for loading a temporary root file system into memory, to be used as part of the Linux startup process. initrd and initramfs refer to two different methods of achieving this. Both are commonly used to make preparations before the real root file system can be mounted.
Squashfs is a compressed read-only file system for Linux. Squashfs compresses files, inodes and directories, and supports block sizes from 4 KiB up to 1 MiB for greater compression. Several compression algorithms are supported. Squashfs is also the name of free software, licensed under the GPL, for accessing Squashfs filesystems.
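The superblock that every Squashfs image starts with encodes the block size and compression algorithm mentioned above, and a forensic examiner often has to find such images embedded at arbitrary offsets in a firmware dump. The following is an added example, not code from the squashfs-tools project: it decodes the 96-byte Squashfs 4.0 superblock, rejects headers whose fields disagree, and scans a constructed image for valid ones.

```python
"""Locate and sanity-check Squashfs 4.x superblocks in a raw image.

Added example for the Squashfs passage; it is not code from the
squashfs-tools project. The 96-byte little-endian superblock layout is
the published squashfs 4.0 layout; the "firmware" image below is
constructed, with one valid superblock and one decoy whose block_size
and block_log disagree, the kind of corrupt or carved-out header that a
scanner has to reject.
"""
import struct

SUPERBLOCK = struct.Struct("<IIIIIHHHHHHQQQQQQQQ")  # 96 bytes
MAGIC = 0x73717368                                  # b"hsqs" on disk
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
FIELDS = ("magic", "inode_count", "mod_time", "block_size", "frag_count",
          "compressor", "block_log", "flags", "id_count", "version_major",
          "version_minor", "root_inode", "bytes_used", "id_table_start",
          "xattr_id_table_start", "inode_table_start", "directory_table_start",
          "fragment_table_start", "export_table_start")


def parse_superblock(blob, offset=0):
    """Decode the superblock at offset; raise ValueError if it is not sane."""
    if len(blob) - offset < SUPERBLOCK.size:
        raise ValueError("truncated superblock")
    sb = dict(zip(FIELDS, SUPERBLOCK.unpack_from(blob, offset)))
    if sb["magic"] != MAGIC:
        raise ValueError("bad magic")
    if (sb["version_major"], sb["version_minor"]) != (4, 0):
        raise ValueError("unsupported squashfs version")
    # block_size must be a power of two from 4 KiB to 1 MiB and match block_log
    if not 4096 <= sb["block_size"] <= 1 << 20 or sb["block_size"] != 1 << sb["block_log"]:
        raise ValueError("inconsistent block size")
    if sb["compressor"] not in COMPRESSORS:
        raise ValueError("unknown compressor id %d" % sb["compressor"])
    if sb["bytes_used"] > len(blob) - offset:
        raise ValueError("bytes_used extends past end of image")
    sb["compressor_name"] = COMPRESSORS[sb["compressor"]]
    return sb


def is_valid_superblock(blob, offset):
    try:
        parse_superblock(blob, offset)
        return True
    except ValueError:
        return False


def find_superblocks(blob):
    """Offsets of every valid superblock: scan for the magic at any alignment,
    since filesystems embedded in firmware dumps rarely sit on a boundary."""
    hits, start = [], 0
    while True:
        i = blob.find(b"hsqs", start)
        if i < 0:
            return hits
        if is_valid_superblock(blob, i):
            hits.append(i)
        start = i + 1


def make_superblock(block_log=17, compressor=4, bytes_used=0x8000):
    """Constructed superblock for a 128 KiB-block xz image (table offsets arbitrary)."""
    return SUPERBLOCK.pack(
        MAGIC, 42, 1_700_000_000, 1 << block_log, 3, compressor, block_log,
        0x00C0, 1, 4, 0,                          # flags, id_count, version 4.0
        0x20, bytes_used,                         # root_inode, bytes_used
        bytes_used - 96, 0xFFFF_FFFF_FFFF_FFFF,   # id table start, no xattr table
        0x2000, 0x3000, 0x3800, 0xFFFF_FFFF_FFFF_FFFF)


def build_sample_firmware():
    """Constructed 128 KiB image: decoy header at 0x200, real one at 0x10000."""
    filler = bytes((i * 7 + 3) & 0xFF for i in range(0x20000))
    decoy = bytearray(make_superblock())
    struct.pack_into("<H", decoy, 22, 12)   # block_log 12 but block_size still 128 KiB
    good = make_superblock()
    return (filler[:0x200] + bytes(decoy) + filler[0x200 + 96:0x10000]
            + good + filler[0x10000 + 96:])


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off in find_superblocks(fw):
        sb = parse_superblock(fw, off)
        print(f"squashfs at 0x{off:x}: {sb['compressor_name']}, "
              f"block {sb['block_size']} B, {sb['bytes_used']} bytes used")
```

The decoy is found by the magic scan but rejected because its block_log no longer matches its block_size; checking those internal consistencies before trusting a header is what separates a carving scan from a false-positive generator.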
Openmoko is a discontinued project to create a family of mobile phones that are open source, including the hardware specification, the operating system, and actual smartphone development implementation like the Neo 1973 and Neo FreeRunner. The whole project was sponsored by Openmoko Inc.
In computer security, a cold boot attack is a type of side-channel attack in which an attacker with physical access to a computer performs a memory dump of the computer's random-access memory (RAM) by hard-resetting the target machine and booting a minimal environment that copies memory out. Typically, cold boot attacks are used to retrieve encryption keys from a running operating system, either maliciously or for criminal investigation. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.
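Both the memory-forensics section above and the cold-boot passage turn on the same fact: a running system keeps its encryption keys in RAM, and an examiner with a memory image can find them. The following is an added example, not code from Volatility or any other tool on this page, of the key-schedule search that Halderman et al. described for cold-boot attacks (the method behind their aeskeyfind utility): every 16-byte window of the image is treated as a candidate AES-128 key, and it is accepted only if expanding it reproduces the 160 bytes that follow it, which is how software AES implementations lay out the key schedule. The 64 KiB memory image is constructed, with the FIPS-197 test key planted at an unaligned offset.

```python
"""Recover AES-128 keys from a raw memory image by key-schedule matching.

Added example for the memory-forensics and cold-boot passages; it is not
code from Volatility or any other tool on this page. The method is the
one described by Halderman et al. for cold-boot attacks (and implemented
by their aeskeyfind tool): a 16-byte window is an AES-128 key if
expanding it reproduces the 160 bytes that follow it, because software
AES implementations keep the full 176-byte key schedule in RAM. The
memory image below is constructed; the key is the FIPS-197 test key.
"""
import random


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def build_sbox():
    """Derive the AES S-box (inverse in GF(2^8), then the affine map)."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 == x^-1 in GF(2^8)
                inv = gf_mul(inv, x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes


def expand_key_128(key):
    """FIPS-197 key expansion: return the full 176-byte AES-128 key schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                  # RotWord
            t = [SBOX[b] for b in t]           # SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image, step=1):
    """Return [(offset, key)] for every window whose expansion matches the
    image. step=16 is a fast pass for aligned schedules; step=1 is exhaustive.
    The first word of round key 1 is checked before the full expansion, so
    almost every window is rejected after four S-box lookups."""
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1, step):
        k = image[off:off + 16]
        t = [SBOX[k[13]], SBOX[k[14]], SBOX[k[15]], SBOX[k[12]]]  # SubWord(RotWord(w3))
        t[0] ^= 0x01                                              # rcon for round 1
        if bytes(k[j] ^ t[j] for j in range(4)) != image[off + 16:off + 20]:
            continue
        if expand_key_128(k) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, bytes(k)))
    return hits


def build_sample_image(seed=7):
    """Constructed 64 KiB 'memory dump': pseudo-random filler with one key
    schedule planted at an unaligned, heap-like offset."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
    offset = 0x4A3D
    image = filler[:offset] + expand_key_128(key) + filler[offset + SCHEDULE_LEN:]
    return image, key, offset


if __name__ == "__main__":
    image, key, offset = build_sample_image()
    for off, k in find_aes128_keys(image):
        print(f"AES-128 key schedule at 0x{off:x}: key {k.hex()}")
```

An aligned pass (`step=16`) misses the planted key because it sits at an odd offset, which is the common case for keys on a heap; the exhaustive pass is what recovers it. Against a real cold-boot image the comparison would be relaxed to tolerate a few flipped bits per round key, as the original paper does, since remanence decay is not perfect.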
Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.
Alpine Linux is a Linux distribution designed to be small, simple, and secure. It uses musl, BusyBox, and OpenRC instead of the more commonly used glibc, GNU Core Utilities, and systemd. This makes Alpine one of the few Linux distributions not based on GNU.
Pentoo is a Live CD and Live USB designed for penetration testing and security assessment. Based on Gentoo Linux, Pentoo is provided as both a 32-bit and a 64-bit installable live CD. Pentoo is also available as an overlay for an existing Gentoo installation. It features Wi-Fi drivers patched for packet injection, GPGPU cracking software, and many tools for penetration testing and security assessment. The Pentoo kernel includes grsecurity and PaX hardening and extra patches, with binaries compiled from a hardened toolchain and the latest nightly versions of some tools available.
Kali Linux is a Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security. Kali Linux is based on the Debian Testing branch: most packages Kali uses are imported from the Debian repositories.
Besides the Linux distributions designed for general-purpose use on desktops and servers, distributions may be specialized for different purposes including computer architecture support, embedded systems, stability, security, localization to a specific region or language, targeting of specific user groups, support for real-time applications, or commitment to a given desktop environment. Furthermore, some distributions deliberately include only free software. As of 2015, over four hundred Linux distributions are actively developed, with about a dozen distributions being most popular for general-purpose use.
Digital Forensics Framework (DFF) was an open-source computer forensics framework. It was used by professionals and non-experts to collect, preserve and reveal digital evidence without compromising systems and data.
Parrot OS is a Linux distribution based on Debian with a focus on security, privacy, and development.
Offensive Security is an American international company working in information security, penetration testing and digital forensics. Operating from around 2007, the company created open source projects, advanced security courses, the ExploitDB vulnerability database, and the Kali Linux distribution. The company was started by Mati Aharoni, and employs security professionals with experience in security penetration testing and system security evaluation. The company has provided security counseling and training to many technology companies.
CAINE Linux is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti. The project began in 2008 as an environment to foster digital forensics and incident response (DFIR), with several related tools pre-installed.