List of digital forensics tools

During the 1980s, most digital forensic investigations consisted of "live analysis": examining digital media directly, on the running system, with non-specialist tools. In the 1990s a number of freeware and proprietary tools, both hardware and software, were created so that investigations could be carried out without modifying the media under examination. This first generation of tools focused mainly on computer forensics; in recent years similar tools have evolved for the field of mobile device forensics. [1] This list includes notable examples of digital forensic tools.
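
The point of "without modifying media" is that the investigator works on a verified copy, never on the original. The following added example (not code from any tool on this page) is a minimal forensic imager: it copies the source block by block, zero-fills any block the OS refuses to read (the behaviour dd gets from conv=noerror,sync) so later offsets stay aligned, hashes the data as it is written, records the hash in a sidecar file in the "hash  filename" layout that sha256sum -c understands, and can re-verify the image against that record later. The "evidence" is a constructed file of random bytes and the paths are temporary; on a real acquisition the source would be a block device opened read-only behind a write blocker.

```python
"""Added example: minimal forensic imager with integrity verification.
Not the code of any product listed on the page; the sample evidence is
a constructed random file."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096


def acquire(src_path, img_path, block_size=BLOCK_SIZE):
    """Image src_path into img_path. Returns (sha256 of the image, offsets of unreadable blocks)."""
    digest = hashlib.sha256()
    bad_blocks = []
    with open(src_path, "rb", buffering=0) as src, open(img_path, "wb") as img:
        offset = 0
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:                  # e.g. EIO from a failing sector on a real device
                bad_blocks.append(offset)
                chunk = b"\0" * block_size   # zero-fill so the image keeps the source's layout
                src.seek(offset + block_size)
            if not chunk:
                break
            digest.update(chunk)
            img.write(chunk)
            offset += len(chunk)
    image_hash = digest.hexdigest()
    with open(img_path + ".sha256", "w") as sidecar:   # "<hash>  <file>", as sha256sum -c expects
        sidecar.write(f"{image_hash}  {os.path.basename(img_path)}\n")
    return image_hash, bad_blocks


def file_sha256(path, block_size=BLOCK_SIZE):
    """Independent hash of a file, used to check image against source and sidecar."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(img_path):
    """True if the image still matches the hash recorded at acquisition time."""
    with open(img_path + ".sha256") as sidecar:
        recorded = sidecar.read().split()[0]
    return file_sha256(img_path) == recorded


def demo():
    """Image a constructed 1 MiB 'drive', verify it, then flip one byte and verify again."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.bin")
    img = os.path.join(workdir, "evidence.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(1 << 20))         # constructed sample evidence, not a real device
    image_hash, bad_blocks = acquire(src, img)
    source_matches = image_hash == file_sha256(src)   # no bad blocks, so image must equal source
    intact = verify(img)
    with open(img, "r+b") as f:              # simulate post-acquisition tampering of the image
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered_detected = not verify(img)
    return image_hash, bad_blocks, source_matches, intact, tampered_detected


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the source hash and the image hash are only expected to match when no blocks were unreadable, so the list of bad-block offsets belongs in the acquisition notes; and on Linux `blockdev --setro /dev/sdX` can mark a device read-only at the kernel level, but a hardware write blocker remains the norm because it does not depend on the operating system honouring that flag.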

Forensics-focused operating systems

Debian-based

Name | Description
--- | ---
Kali Linux | Debian-based distribution designed for digital forensics and penetration testing, maintained and funded by Offensive Security [2]
Parrot OS | Debian-based distribution with a focus on security, privacy and development

Ubuntu-based

Name | Description
--- | ---
CAINE | Italian live distribution for digital forensics and incident response, with related tools pre-installed
SIFT | SANS Investigative Forensics Toolkit, a multi-purpose forensic distribution built on Ubuntu

Gentoo-based

Name | Description
--- | ---
Pentoo | Gentoo-based live CD/USB for penetration testing and security assessment, with a hardened kernel and toolchain [3]

Computer forensics

Name | Platform | License | Version | Description
--- | --- | --- | --- | ---
Autopsy | Windows, macOS, Linux | GPL | 4.20 | Digital forensics platform and graphical front-end to The Sleuth Kit
Cellebrite Inspector | Windows, macOS | proprietary | 10.4 | Analyzes computer data volumes and memory from Windows and Mac computers to reconstruct user actions and surface leads
COFEE | Windows | proprietary | n/a | Suite of tools for Windows developed by Microsoft
Digital Forensics Framework | Unix-like, Windows | GPL | 1.3 | Framework and user interfaces dedicated to digital forensics
Elcomsoft Premium Forensic Bundle | Windows, macOS | proprietary | 1435 | Set of tools for decrypting encrypted systems and data and for password recovery
E3: Universal | Windows | proprietary | 3.1 | End-to-end DFIR suite from Paraben Corporation covering computers, email, internet data, smartphones and IoT devices
EnCase | Windows | proprietary | 21.1 CE | Digital forensics suite created by Guidance Software
FTK | Windows | proprietary | 7.6 | Multi-purpose, court-cited digital investigations platform
IsoBuster | Windows | proprietary | 5.1 | Lightweight tool for inspecting any type of data carrier; supports a wide range of file systems and has advanced export functionality
LLIMAGER | macOS | proprietary | 3.7 | macOS forensic imager
Magnet AXIOM | Windows | proprietary | 6.x | Recovers and analyzes digital evidence from Windows, Mac, Linux and Chromebook devices into a single case file
Netherlands Forensic Institute / Xiraf [4] / HANSKEN [5] | n/a | proprietary | n/a | Computer-forensic online service
NTFSTool | Windows | MIT License | 1.7 | Forensics tool for NTFS volumes: imaging, parsing and artefact extraction, with support for BitLocker and the Encrypting File System (EFS)
Open Computer Forensics Architecture | Linux | LGPL/GPL | 2.3.0 | Computer forensics framework for a computer-forensics lab environment
OSForensics [6] [7] | Windows | proprietary | 8 | Multi-purpose forensic tool
Oxygen Forensic Detective | Windows, macOS, Linux | proprietary | 14.3 | Finds and extracts a wide range of artifacts, system files and credentials from Windows, macOS and Linux machines
PTK Forensics | LAMP | proprietary | 2.0 | Web GUI for The Sleuth Kit
SANS Investigative Forensics Toolkit (SIFT) | Ubuntu | | 2.1 | Multi-purpose forensic operating system
SPEKTOR Forensic Intelligence [8] | Unix-like | proprietary | 6.x | Forensic tool used by law enforcement, military, government agencies and corporate investigators; includes rapid imaging and automated analysis
The Coroner's Toolkit | Unix-like | IBM Public License | 1.19 | Suite of programs for Unix analysis
The Sleuth Kit | Unix-like, Windows | IPL, CPL, GPL | 4.12.0 | Library and collection of command-line tools for both Unix and Windows
Windows To Go | n/a | proprietary | n/a | Bootable operating system

Memory forensics

Memory forensics tools are used to acquire or analyze a computer's volatile memory (RAM). They are often used in incident response situations to preserve evidence in memory that would be lost when a system is shut down, and to quickly detect stealthy malware by directly examining the operating system and other running software in memory.
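
The "directly examining the operating system in memory" part is what lets these tools catch a process that a rootkit has unlinked from the kernel's own bookkeeping. The added example below (not Volatility's code, and not a real Windows or Linux structure layout) shows the two enumeration strategies such a tool combines: walking the kernel's linked list of active processes reports what the OS would show, while scanning the raw image for process structures by their tag finds everything physically present, including a record no list entry points to. The record format, the "Proc" tag, the 32-byte alignment and the 256-byte dump are all invented for the demonstration.

```python
"""Added example: list walk vs. structure scan over a toy memory image.
Not Volatility code; the dump format below is invented for illustration."""
import struct

TAG = b"Proc"                        # marker at the start of every process record (modelled on pool tags)
RECORD_ALIGN = 32                    # records start on 32-byte boundaries in this toy layout
HEADER = struct.Struct("<4sI")       # "KHDR", offset of the first record in the active-process list
RECORD = struct.Struct("<4sII16s")   # tag, pid, offset of next record (0 = end of list), name


def pack_record(pid, next_offset, name):
    rec = RECORD.pack(TAG, pid, next_offset, name.encode().ljust(16, b"\0"))
    return rec.ljust(RECORD_ALIGN, b"\0")


def build_sample_dump():
    """Constructed 256-byte 'memory image': three listed processes, one unlinked one, two decoys."""
    dump = bytearray(256)
    dump[0:8] = HEADER.pack(b"KHDR", 64)                  # list head -> record at offset 64
    dump[8:40] = b"garbage with a fake Proc tag ins"     # "Proc" at offset 28: not aligned, ignored
    dump[64:96] = pack_record(4, 96, "System")
    dump[96:128] = pack_record(1234, 128, "explorer.exe")
    dump[128:160] = pack_record(555, 0, "svchost.exe")   # last entry in the list
    dump[160:192] = pack_record(6666, 0, "rootkit.exe")  # in memory, but no list entry points here
    dump[192:224] = TAG + struct.pack("<II", 0, 0) + b"\xff" * 16 + b"\0" * 4   # aligned decoy: pid 0, junk name
    return bytes(dump)


def _decode_name(raw):
    return raw.rstrip(b"\0").decode("ascii", errors="replace")


def _plausible(pid, raw_name):
    """Sanity checks a scanner needs; otherwise random bytes that happen to spell the tag get reported."""
    name = raw_name.rstrip(b"\0")
    return pid != 0 and len(name) > 0 and all(0x20 <= b < 0x7F for b in name)


def walk_process_list(dump):
    """What the OS would report: follow the linked list from the kernel header."""
    magic, offset = HEADER.unpack_from(dump, 0)
    if magic != b"KHDR":
        raise ValueError("not a dump in the toy format")
    seen, found = set(), []
    while offset and offset not in seen:   # the seen-set guards against a corrupted or cyclic list
        seen.add(offset)
        tag, pid, next_offset, raw_name = RECORD.unpack_from(dump, offset)
        if tag != TAG:
            break
        found.append((pid, _decode_name(raw_name)))
        offset = next_offset
    return found


def scan_processes(dump):
    """What is physically there: check every aligned offset for a plausible record."""
    found = []
    for offset in range(0, len(dump) - RECORD.size + 1, RECORD_ALIGN):
        if dump[offset:offset + 4] != TAG:
            continue
        _, pid, _, raw_name = RECORD.unpack_from(dump, offset)
        if _plausible(pid, raw_name):
            found.append((pid, _decode_name(raw_name)))
    return found


def find_hidden_processes(dump):
    """Records the scan finds that the list walk does not: candidates for DKOM hiding."""
    listed = set(walk_process_list(dump))
    return [proc for proc in scan_processes(dump) if proc not in listed]


if __name__ == "__main__":
    image = build_sample_dump()
    print("list walk:", walk_process_list(image))
    print("scan     :", scan_processes(image))
    print("hidden   :", find_hidden_processes(image))
```

The scan deliberately only looks at aligned offsets and rejects records with an impossible pid or a non-printable name; real tools apply the same idea with many more structure-specific checks, because a raw scan over gigabytes of RAM otherwise drowns the analyst in false positives. The interesting output is the difference between the two lists, not either list on its own.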

Name | Vendor or sponsor | Platform | License
--- | --- | --- | ---
Magnet AXIOM | Magnet Forensics | Windows | proprietary
Volatility | Volatile Systems | Windows and Linux | free (GPL)
WindowsSCOPE | BlueRISC | Windows | proprietary

Mobile device forensics

Mobile forensics tools tend to consist of both a hardware and a software component. Because mobile phones come with a diverse range of connectors, the hardware component supports a number of different cables; it performs the same role as a write blocker does for computer media.

Name | Platform | License | Version | Description
--- | --- | --- | --- | ---
Cellebrite UFED | Windows | proprietary | | Hardware/software package specializing in mobile forensic extraction
Magnet AXIOM | Windows | proprietary | 6.x | Recovers and analyzes digital evidence from iOS and Android devices into a single case file
MicroSystemation XRY/XACT [9] | Windows | proprietary | | Hardware/software package specializing in recovery of deleted data
Oxygen Forensic Detective | Windows | proprietary | 14.3 | All-in-one forensic platform for extracting, decoding and analyzing data from mobile and IoT devices, device backups, UICC and media cards, drones and cloud services

Software forensics

Software forensics is the analysis of software source code or binary code to determine whether intellectual property infringement or theft has occurred. It is central to lawsuits, trials and settlements when companies are in dispute over software patents, copyrights and trade secrets. Software forensics tools compare code to compute a correlation measure, which guides the software forensics expert's own examination rather than replacing it.
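
A concrete form of that correlation measure, as an added example (not the code of any software-forensics product): the winnowing fingerprinting algorithm. Source is first normalized so that renaming identifiers, changing numeric literals, re-commenting or reformatting does not hide copying; every k-gram of the normalized text is hashed, the smallest hash in each sliding window is kept as a fingerprint, and two files are compared by the Jaccard index of their fingerprint sets. The three snippets are constructed samples, the keyword list is a hypothetical subset, and the comment stripper assumes Python-style "#" comments.

```python
"""Added example: code correlation by winnowing fingerprints.
Not a product's algorithm; samples, keyword set and k/window sizes are chosen for illustration."""
import hashlib
import re

KEYWORDS = {"def", "return", "if", "else", "elif", "for", "while", "in",
            "and", "or", "not", "import", "class", "lambda", "with", "as"}
TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|\S")


def normalize(source):
    """Drop comments and whitespace; map identifiers to ID and numbers to NUM, keep keywords and punctuation."""
    source = re.sub(r"#.*", "", source)
    out = []
    for tok in TOKEN.findall(source):
        if tok in KEYWORDS:
            out.append(tok)
        elif re.fullmatch(r"[A-Za-z_]\w*", tok):
            out.append("ID")
        elif tok.isdigit():
            out.append("NUM")
        else:
            out.append(tok)
    return "".join(out)


def winnow(text, k=5, window=4):
    """Hash every k-gram; keep the smallest hash of each window of consecutive k-gram hashes."""
    grams = [text[i:i + k] for i in range(len(text) - k + 1)]
    hashes = [int.from_bytes(hashlib.blake2b(g.encode(), digest_size=4).digest(), "big")
              for g in grams]
    return {min(hashes[i:i + window]) for i in range(len(hashes) - window + 1)}


def similarity(source_a, source_b):
    """Jaccard index of the fingerprint sets: 0.0 (nothing shared) to 1.0 (identical after normalization)."""
    fa, fb = winnow(normalize(source_a)), winnow(normalize(source_b))
    union = fa | fb
    return len(fa & fb) / len(union) if union else 0.0


# Constructed samples: an original, a copy with renamed identifiers and changed
# comments/layout, and an unrelated piece of code.
ORIGINAL = """
def checksum(data, seed):
    # running polynomial hash over the payload
    acc = seed
    for b in data:
        acc = (acc * 31 + b) % 65521
    return acc
"""

RENAMED_COPY = """
def h(buf, s):
    x = s
    for c in buf: x = (x * 31 + c) % 65521   # same logic, new names
    return x
"""

UNRELATED = """
class Stack:
    def __init__(self):
        self.items = []
    def push(self, item):
        self.items.append(item)
    def pop(self):
        return self.items.pop()
"""

if __name__ == "__main__":
    print("copy vs original     :", round(similarity(ORIGINAL, RENAMED_COPY), 2))
    print("unrelated vs original:", round(similarity(ORIGINAL, UNRELATED), 2))
```

The score is evidence, not a verdict: shared boilerplate (the `def ID(ID, ID):` shape, a common idiom) contributes fingerprints to unrelated files too, and a determined copier can restructure control flow to defeat token-level matching, which is why the measure guides an expert's reading rather than replacing it.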

Other

Name | Platform | License | Version | Description
--- | --- | --- | --- | ---
DECAF | Windows | free | n/a | Tool that automatically executes a set of user-defined actions when it detects Microsoft's COFEE tool
Evidence Eliminator | Windows | proprietary | 6.03 | Anti-forensics software that claims to delete files securely
HashKeeper | Windows | free | n/a | Database application for storing file hash signatures
MailXaminer | Windows | proprietary (perpetual license) | 4.9.0 | Specialized email forensics tool

References

  1. Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
  2. "Kali Linux Has Been Released!". 12 March 2013. Archived from the original on 9 May 2013. Retrieved 18 March 2013.
  3. "Pentoo 2015 – Security-Focused Livecd based on Gentoo". Archived from the original on 1 July 2018. Retrieved 1 July 2018.
  4. Bhoedjang, R.; et al. (February 2012). "Engineering an online computer forensic service". Digital Investigation. 9 (2): 96–108. doi:10.1016/j.diin.2012.10.001.
  5. Huijbregts, J. (2015). "Nieuwe forensische zoekmachine van NFI is 48 keer zo snel als voorganger" [New forensic search engine from the NFI is 48 times as fast as its predecessor]. Tweakers. Retrieved 11 September 2018. Named after the famous elephant Hansken, because of their tremendous memory.
  6. Nelson, Bill; Phillips, Amelia; Steuart, Christopher (2015). Guide to Computer Forensics and Investigations. Cengage Learning. pp. 363, 141, 439, 421, 223, 554, 260, 168, 225, 362. ISBN 978-1-285-06003-3.
  7. "OSForensics - Digital investigation for a new era by PassMark Software". osforensics.com.
  8. Dell Corporation (13 July 2012). "SPEKTOR Mobile Digital Forensics Intelligence Solution" (PDF).
  9. Mislan, Richard (2010). "Creating laboratories for undergraduate courses in mobile phone forensics". Proceedings of the 2010 ACM conference on Information technology education. ACM. pp. 111–116. doi:10.1145/1867651.1867680. ISBN 9781450303439. S2CID 15030269. Retrieved 29 November 2010. "Among the most popular tools are products named MicroSystemation GSM .XRY and .XACT, Cellebrite UFED, Susteen Secure View2, Paraben Device Seizure, Radio Tactics Aceso, Oxygen Phone Manager, and Compelson MobilEdit Forensic."
