List of digital forensics tools

Last updated February 22, 2025

During the 1980s, most digital forensic investigations consisted of "live analysis", examining digital media directly using non-specialist tools. In the 1990s, several freeware and other proprietary tools (both hardware and software) were created to allow investigations to take place without modifying media. This first set of tools mainly focused on computer forensics, although in recent years similar tools have evolved for the field of mobile device forensics.^[1] This list includes notable examples of digital forensic tools.

Forensics-focused operating systems

Debian-based

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing, formerly known as BackTrack.^[2]

Parrot Security OS is a cloud-oriented Linux distribution based on Debian and designed to perform security and penetration tests, do forensic analysis, or act in anonymity. It uses the MATE Desktop Environment, Linux Kernel 4.6 or higher and it is available as a live lightweight installable ISO image for 32-bit, 64-bit and ARM processors with forensic options at boot, optimizations for programmers, and new custom pentesting tools.^{[ citation needed ]}

Ubuntu-based

CAINE Linux is an ubuntu-based live CD/DVD. CAINE stands for Computer Aided INvestigative Environment.
PALADIN Linux is an ubuntu-based live CD/DVD. PALADIN is a non-persistent Xubuntu-based OS that comes preinstalled with a Toolkit of different forensic tools and applications.

Gentoo-based

Pentoo
Penetration Testing Overlay and Livecd is a live CD and Live USB designed for penetration testing and security assessment. Based on Gentoo Linux, Pentoo is provided both as 32-bit and 64-bit installable live CD. Pentoo also is available as an overlay for an existing Gentoo installation. It features packet injection patched Wi-Fi drivers, GPGPU cracking software, and many tools for penetration testing and security assessment. The Pentoo kernel includes grsecurity and PAX hardening and extra patches – with binaries compiled from a hardened toolchain with the latest nightly versions of some tools available.^[3]

Computer forensics

Name	Platform	License	Version	Description
Autopsy	Windows, macOS , Linux	Apache 2.0	4.21.0	A digital forensics platform and GUI to The Sleuth Kit
Belkasoft Evidence Center X	Windows	proprietary	2.6	Multi-purpose tool for computer, mobile, memory and cloud forensics
Bulk_Extractor	Windows, MacOS and Linux	MIT	2.1.1	Extracts email addresses, URLs, and a variety of binary objects from unstructured data using recursive re-analysis.
COFEE	Windows	proprietary	n/a	A suite of tools for Windows developed by Microsoft
Digital Forensics Framework	Unix-like/Windows	GPL	1.3	Framework and user interfaces dedicated to digital forensics
Elcomsoft Premium Forensic Bundle	Windows, macOS	proprietary	1435	Set of tools for encrypted systems & data decryption and password recovery
EnCase	Windows	proprietary	21.1 CE	Digital forensics suite created by Guidance Software
FTK	Windows	proprietary	8.0	Multi-purpose tool, FTK is a court-cited digital investigations platform built for speed, stability and ease of use.
IsoBuster	Windows	proprietary	5.3	Essential light weight tool to inspect any type data carrier, supporting a wide range of file systems, with advanced export functionality.
Netherlands Forensic Institute / Xiraf^[4] / HANSKEN^[5]	n/a	proprietary	n/a	Computer-forensic online service.
Open Computer Forensics Architecture	Linux	LGPL/GPL	2.3.0	Computer forensics framework for CF-Lab environment
PTK Forensics	LAMP	proprietary	2.0	GUI for The Sleuth Kit
The Coroner's Toolkit	Unix-like	IBM Public License	1.19	A suite of programs for Unix analysis
The Sleuth Kit	Unix-like/Windows	IPL, CPL, GPL	4.12.0	A library of tools for both Unix and Windows
Windows To Go	n/a	proprietary	n/a	Bootable operating system

Memory forensics

Memory forensics tools are used to acquire or analyze a computer's volatile memory (RAM). They are often used in incident response situations to preserve evidence in memory that would be lost when a system is shut down, and to quickly detect stealthy malware by directly examining the operating system and other running software in memory.

Name	Vendor or sponsor	Platform	License
Volatility	Volatile Systems	Windows and Linux	free (GPL)
WindowsSCOPE	BlueRISC	Windows	proprietary

Mobile device forensics

Mobile forensics tools tend to consist of both a hardware and software component. Mobile phones come with a diverse range of connectors, the hardware devices support a number of different cables and perform the same role as a write blocker in computer devices.

Name	Platform	License	Version	Description
Cellebrite UFED	Windows	proprietary		Hardware/software package, specializes in mobile forensic extraction
MicroSystemation XRY/XACT ^[6]	Windows	proprietary		Hardware/software package, specializes in deleted data

Software forensics

Software forensics is the science of analyzing software source code or binary code to determine whether intellectual property infringement or theft occurred. It is the centerpiece of lawsuits, trials, and settlements when companies are in dispute over issues involving software patents, copyrights, and trade secrets. Software forensics tools can compare code to determine correlation, a measure that can be used to guide a software forensics expert.

Other

Name	Platform	License	Version	Description
DECAF	Windows	free	n/a	Tool which automatically executes a set of user defined actions on detecting Microsoft's COFEE tool
Evidence Eliminator	Windows	proprietary	6.03	Anti-forensics software, claims to delete files securely
HashKeeper	Windows	free	n/a	Database application for storing file hash signatures

References

↑ Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
↑ "Kali Linux Has Been Released!". 12 March 2013. Archived from the original on 9 May 2013. Retrieved 18 March 2013.
↑ "Pentoo 2015 – Security-Focused Livecd based on Gentoo". Archived from the original on 1 July 2018. Retrieved 1 July 2018.
↑ Bhoedjang, R; et al. (February 2012). "Engineering an online computer forensic service". Digital Investigations. 9 (2): 96–108. doi:10.1016/j.diin.2012.10.001.
↑ Huijbregts, J (2015). "Nieuwe forensische zoekmachine van NFI is 48 keer zo snel als voorganger". Tweakers. Retrieved 11 September 2018. Named after the famous elephant Hansken, because of their tremendous memory
↑ Mislan, Richard (2010). "Creating laboratories for undergraduate courses in mobile phone forensics". Proceedings of the 2010 ACM conference on Information technology education. ACM. pp. 111–116. doi:10.1145/1867651.1867680. ISBN 9781450303439. S2CID 15030269 . Retrieved 29 November 2010. Among the most popular tools are products named MicroSystemation GSM .XRY and .XACT, Cellebrite UFED, Susteen Secure View2, Paraben Device Seizure, Radio Tactics Aceso, Oxygen Phone Manager, and Compelson MobilEdit Forensic

v t e Digital forensics
Branches	Computer forensics Mobile device forensics Network forensics Database forensics Software forensics
Hardware	Forensic disk controller
Software	ADF Solutions Digital Evidence Investigator EnCase Foremost FTK PTK Forensics The Sleuth Kit The Coroner's Toolkit COFEE HashKeeper Xplico
Certification	Certified Forensic Computer Examiner (CFCE) Global Information Assurance Certification
Processes	Digital forensic process Data acquisition Digital evidence eDiscovery Anti–computer forensics
Organisations	National Software Reference Library Department of Defense Cyber Crime Center National Hi-Tech Crime Unit (NHTCU) Australian High Tech Crime Centre (AHTCC)
People	Mary Aiken Annie Antón Rebecca Bace Josh Brunty Eoghan Casey Hany Farid Simson Garfinkel Clifford Stoll Robert Zeidman
Glossary of digital forensics terms