List of digital forensics tools

During the 1980s, most digital forensic investigations consisted of "live analysis", examining digital media directly using non-specialist tools. In the 1990s, several freeware and other proprietary tools (both hardware and software) were created to allow investigations to take place without modifying media. This first set of tools mainly focused on computer forensics, although in recent years similar tools have evolved for the field of mobile device forensics. [1] This list includes notable examples of digital forensic tools.


Forensics-focused operating systems

Debian-based

Ubuntu-based

Gentoo-based

Computer forensics

| Name | Platform | License | Version | Description |
|---|---|---|---|---|
| Autopsy | Windows, macOS, Linux | GPL | 4.20 | A digital forensics platform and GUI to The Sleuth Kit |
| COFEE | Windows | proprietary | n/a | A suite of tools for Windows developed by Microsoft |
| Digital Forensics Framework | Unix-like/Windows | GPL | 1.3 | Framework and user interfaces dedicated to digital forensics |
| Elcomsoft Premium Forensic Bundle | Windows, macOS | proprietary | 1435 | Set of tools for encrypted systems & data decryption and password recovery |
| EnCase | Windows | proprietary | 21.1 CE | Digital forensics suite created by Guidance Software |
| FTK | Windows | proprietary | 8.0 | Multi-purpose tool; FTK is a court-cited digital investigations platform built for speed, stability and ease of use |
| IsoBuster | Windows | proprietary | 5.3 | Essential lightweight tool to inspect any type of data carrier, supporting a wide range of file systems, with advanced export functionality |
| Netherlands Forensic Institute / Xiraf [4] / HANSKEN [5] | n/a | proprietary | n/a | Computer-forensic online service |
| Open Computer Forensics Architecture | Linux | LGPL/GPL | 2.3.0 | Computer forensics framework for CF-Lab environment |
| PTK Forensics | LAMP | proprietary | 2.0 | GUI for The Sleuth Kit |
| The Coroner's Toolkit | Unix-like | IBM Public License | 1.19 | A suite of programs for Unix analysis |
| The Sleuth Kit | Unix-like/Windows | IPL, CPL, GPL | 4.12.0 | A library of tools for both Unix and Windows |
| Windows To Go | n/a | proprietary | n/a | Bootable operating system |

Memory forensics

Memory forensics tools are used to acquire or analyze a computer's volatile memory (RAM). They are often used in incident response situations to preserve evidence in memory that would be lost when a system is shut down, and to quickly detect stealthy malware by directly examining the operating system and other running software in memory.

| Name | Vendor or sponsor | Platform | License |
|---|---|---|---|
| Volatility | Volatile Systems | Windows and Linux | free (GPL) |
| WindowsSCOPE | BlueRISC | Windows | proprietary |

Mobile device forensics

Mobile forensics tools tend to consist of both a hardware and a software component. Because mobile phones come with a diverse range of connectors, the hardware devices support a number of different cables; they perform the same role as a write blocker does for computer media.

| Name | Platform | License | Version | Description |
|---|---|---|---|---|
| Cellebrite UFED | Windows | proprietary | | Hardware/software package, specializes in mobile forensic extraction |
| MicroSystemation XRY/XACT [6] | Windows | proprietary | | Hardware/software package, specializes in deleted data |

Software forensics

Software forensics is the science of analyzing software source code or binary code to determine whether intellectual property infringement or theft occurred. It is the centerpiece of lawsuits, trials, and settlements when companies are in dispute over issues involving software patents, copyrights, and trade secrets. Software forensics tools can compare code to determine correlation, a measure that can be used to guide a software forensics expert.

Other

| Name | Platform | License | Version | Description |
|---|---|---|---|---|
| DECAF | Windows | free | n/a | Tool which automatically executes a set of user-defined actions on detecting Microsoft's COFEE tool |
| Evidence Eliminator | Windows | proprietary | 6.03 | Anti-forensics software, claims to delete files securely |
| HashKeeper | Windows | free | n/a | Database application for storing file hash signatures |
References

  1. Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
  2. "Kali Linux Has Been Released!". 12 March 2013. Archived from the original on 9 May 2013. Retrieved 18 March 2013.
  3. "Pentoo 2015 – Security-Focused Livecd based on Gentoo". Archived from the original on 1 July 2018. Retrieved 1 July 2018.
  4. Bhoedjang, R.; et al. (February 2012). "Engineering an online computer forensic service". Digital Investigation. 9 (2): 96–108. doi:10.1016/j.diin.2012.10.001.
  5. Huijbregts, J. (2015). "Nieuwe forensische zoekmachine van NFI is 48 keer zo snel als voorganger" [NFI's new forensic search engine is 48 times as fast as its predecessor]. Tweakers. Retrieved 11 September 2018. "Named after the famous elephant Hansken, because of their tremendous memory."
  6. Mislan, Richard (2010). "Creating laboratories for undergraduate courses in mobile phone forensics". Proceedings of the 2010 ACM Conference on Information Technology Education. ACM. pp. 111–116. doi:10.1145/1867651.1867680. ISBN 9781450303439. S2CID 15030269. Retrieved 29 November 2010. "Among the most popular tools are products named MicroSystemation GSM .XRY and .XACT, Cellebrite UFED, Susteen Secure View2, Paraben Device Seizure, Radio Tactics Aceso, Oxygen Phone Manager, and Compelson MobilEdit Forensic."

Related Research Articles

Linux distribution: operating system based on the Linux kernel

A Linux distribution is an operating system made from a software collection that includes the Linux kernel and often a package management system. They are often obtained from the website of each distribution, which are available for a wide variety of systems ranging from embedded devices and personal computers to servers and powerful supercomputers.

Knoppix: Linux operating system

Knoppix, stylized KNOPPIX, is an operating system based on Debian designed to be run directly from a CD / DVD or a USB flash drive. It was first released in 2000 by German Linux consultant Klaus Knopper, and was one of the first popular live distributions. Knoppix is loaded from the removable medium and decompressed into a RAM drive. The decompression is transparent and on-the-fly.

Live CD: complete, bootable computer installation that runs directly from a CD-ROM

A live CD is a complete bootable computer installation including operating system which runs directly from a CD-ROM or similar storage device into a computer's memory, rather than loading from a hard disk drive. A live CD allows users to run an operating system for any purpose without installing it or making any changes to the computer's configuration. Live CDs can run on a computer without secondary storage, such as a hard disk drive, or with a corrupted hard disk drive or file system, allowing data recovery.

This is a list of operating systems specifically focused on security. Similar concepts include security-evaluated operating systems that have achieved certification from an auditing organization, and trusted operating systems that provide sufficient support for multilevel security and evidence of correctness to meet a particular set of requirements.

Technical variations of Linux distributions include support for different hardware devices and systems or software package configurations. Organizational differences may be motivated by historical reasons. Other criteria include security, including how quickly security upgrades are available; ease of package management; and number of packages available.

PhotoRec: open source data recovery software

PhotoRec is a free and open-source data recovery utility with a text-based user interface. It uses data carving techniques and is designed to recover lost files from digital camera memory, hard disks and CD-ROMs. It can recover files with more than 480 file extensions, and custom file signatures can be added to detect less well-known file types.

BackTrack: Linux distribution

BackTrack was a Linux distribution that focused on security, based on the Knoppix Linux distribution aimed at digital forensics and penetration testing use. In March 2013, the Offensive Security team rebuilt BackTrack around the Debian distribution and released it under the name Kali Linux.

Nokia Internet Tablets is the name given to a range of Nokia mobile Internet appliances products. These tablets fall in the range between a personal digital assistant (PDA) and an Ultra-Mobile PC (UMPC), and slightly below Intel's Mobile Internet device (MID).

Mobile device forensics: recovery of evidence from mobile devices

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

Pentoo: Gentoo-based Linux distribution for penetration testing

Pentoo is a Live CD and Live USB designed for penetration testing and security assessment. Based on Gentoo Linux, Pentoo is provided as both a 32-bit and a 64-bit installable live CD. Pentoo is also available as an overlay for an existing Gentoo installation. It features Wi-Fi drivers patched for packet injection, GPGPU cracking software, and many tools for penetration testing and security assessment. The Pentoo kernel includes grsecurity and PaX hardening and extra patches, with binaries compiled from a hardened toolchain and the latest nightly versions of some tools available.

Kali Linux: Debian-based Linux distribution for penetration testing

Kali Linux is a Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security. The software is based on the Debian Testing branch: most packages Kali uses are imported from the Debian repositories.

Besides the Linux distributions designed for general-purpose use on desktops and servers, distributions may be specialized for different purposes including computer architecture support, embedded systems, stability, security, localization to a specific region or language, targeting of specific user groups, support for real-time applications, or commitment to a given desktop environment. Furthermore, some distributions deliberately include only free software. As of 2015, over four hundred Linux distributions are actively developed, with about a dozen distributions being most popular for general-purpose use.

Digital Forensics Framework (DFF) is a discontinued computer forensics open-source software package. It is used by professionals and non-experts to collect, preserve and reveal digital evidence without compromising systems and data.

Parrot OS: Debian-based Linux distribution

Parrot OS is a Linux distribution based on Debian with a focus on security, privacy, and development.

Ubuntu is a Debian-based Linux distribution for personal computers, tablets and smartphones (where the Ubuntu Touch edition is used). It also runs network servers, usually with the Ubuntu Server edition, on physical or virtual servers or in containers, with enterprise-class features.

CAINE Linux: Linux distribution

CAINE Linux is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti. The project began in 2008 as an environment to foster digital forensics and incident response (DFIR), with several related tools pre-installed.