By G. M. Faruk Ahmed | Linkedin Post | Nov, 2023

By Staff | Prudential Associates | Nov, 2023

By Kathryn Hedley, Associate Instructor | SANS Institute | 2021

By OpenSCAP | OpenSCAP.org | Last Acess 2024

By Staff | Guia do TI | Last Acess 2024

From CScorza | Github |

During the 1980s, most digital forensic investigations consisted of "live analysis", examining digital media directly using non-specialist tools. In the 1990s, several freeware and other proprietary tools (both hardware and software) were created to allow investigations to take place without modifying media. This first set of tools mainly focused on computer forensics, although in recent years similar tools have evolved for the field of mobile device forensics.[1] This list includes notable examples of digital forensic tools.

Autopsy® is an easy to use, GUI-based program that allows you to efficiently analyze hard drives and smart phones. It has a plug-in architecture that allows you to find add-on modules or develop custom modules in Java or Python.

Browser History Examiner is a professional tool to investigate web browser activity

A market solution for the quick and comprehensive analysis of computer extractions. BlackLight® supports ongoing forensic toolkit integrations to bring into case one including products like Berla, Semantics 21, PhotoDNA ,Vic APOLLO Project and more.

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project. Currently the project manager is Nanni Bassetti (Bari - Italy). CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface. The main design objectives that CAINE aims to guarantee are the following: an interoperable environment that supports the digital investigator during the four phases of the digital investigation, a user-friendly graphical interface snd user-friendly tools

dc3dd is a patched version of GNU dd with added features for computer forensics: on the fly hashing (md5, sha-1, sha-256, and sha-512); possibility to write errors to a file; group errors in the error log; pattern wiping; progress report; possibility to split output.

dcfldd is a modified version of GNU dd. dcfldd was originally created by Nicholas Harbour from the DoD Computer Forensics Laboratory (DCFL). Nick Harbour still maintaining the package, although he was no longer affiliated with the DCFL. Nowadays, dcfldd is maintained by volunteers.

DFF (Digital Forensics Framework) is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigation and perform incident response.

Dumpzilla application is developed in Python 3.x and has as purpose extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers to be analyzed. Due to its Python 3.x developement, might not work properly in old Python versions, mainly with certain characters. Works under Unix and Windows 32/64 bits systems. Works in command line interface, so information dumps could be redirected by pipes with tools such as grep, awk, cut, sed... Dumpzilla allows to visualize following sections, search customization and extract certain content.

OpenText™ EnCase™ Forensic finds digital evidence no matter where it hides to help law enforcement and government agencies reduce case backlogs, close cases faster and improve public safety. For more than 20 years, investigators, attorneys and judges around the world have depended on EnCase Forensic as the pioneer in digital forensic software to deliver reliable investigation results.

A versatile and intuitive forensic imaging solution that acquires data faster and from more media types, without sacrificing ease-of-use or portabilitySupport digital investigations with powerful, standalone forensic imaging and triage.

Photo analysis with artificial intelligence.

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. ExifTool supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, Lyrics3, as well as the maker notes of many digital cameras by Canon, Casio, DJI, FLIR, FujiFilm, GE, GoPro, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Motorola, Nikon, Nintendo, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony. ExifTool is also available as a stand-alone Windows executable and a MacOS package: (Note that these versions contain the executable only, and do not include the HTML documentation or other files of the full distribution.)

Exif-tool is a command-line interface to ExifTool, used for reading and writing meta information in image, audio and video files. We can review all hidden meta data on our given file, such as GPS, Meta-Data Information, information about captured camera along with time.

Remote network drive analysis capability, remote RAM access, cloud storage access, ...

Fibratus is a tool for exploration and tracing of the Windows kernel. It lets you trap system-wide events such as process life-cycle, file system I/O, registry modifications or network requests among many other observability signals. In a nutshell, Fibratus allows for gaining deep operational visibility into the Windows kernel but also processes running on top of it. It requires no drivers nor third-party software.

Forensic Email Collector (FEC) is a desktop application that connects to email servers and forensically preserves mailboxes. You can download Forensic Email Collector through our DFIR Community or by requesting a download link to your email. Both options require that you be on our customer database. If you are not, please contact us with your order number

Sometime forensic investigators need to process digital images as evidence. There are some tools around, otherwise it is difficult to deal with forensic analysis with lot of images involved. Images contain tons of information, Ghiro extracts these information from provided images and display them in a nicely formatted report. Dealing with tons of images is pretty easy, Ghiro is designed to scale to support gigs of images. All tasks are totally automated, you have just to upload you images and let Ghiro does the work. Understandable reports, and great search capabilities allows you to find a needle in a haystack. Ghiro is a multi user environment, different permissions can be assigned to each user. Cases allow you to group image analysis by topic, you can choose which user allow to see your case with a permission schema.

A GUI forensic imaging/cloning tool that can either help by creating a forensic image of a drive or clone the drive instead. Just like DD/DC3DD this tool works by creating a bit-by-bit copy of the target. The tool supports file splitting(ideally E01 format/extension), reporting and hash calculatio

Free Hex Editor Neo is one of the top database forensics tools for handling large files. It is possible to modify large files with Free version of HHD Software Hex Editor Neo.

By Alexis Brignoni | Initialization vectors Blog | December 24, 2019

Introducing a Python 3 scripts that merges all abrignoni's previous iOS digital forensics and incident response scripts (DFIR) into one.

Intruder is one of the top cybersecurity auditing tools to use in 2021 for seeking weaknesses in systems before malicious cyberattacks. It is an online vulnerability scanner to find cybersecurity weaknesses in the digital infrastructure to avoid expensive data breaches. Tech companies can get access to servers, cloud systems, websites, as well as endpoint devices to scan with the industry-leading scanning engines. This cybersecurity auditing tool helps in seeking weaknesses including missing patches, misconfigurations, encryption weaknesses, and application bugs in unauthenticated areas. This audit tool provides automatic scanning while securing the evolving IT environment efficiently and effectively. Intruder offers services such as continuous vulnerability management, attack surface monitoring, effortless reporting and compliance, intelligent result as well as continuous penetration testing.

Recover & Analyze Evidence in One Case. Examine digital evidence from mobile, cloud, computer, and vehicle sources, alongside third-party extractions all in one case file. Use powerful and intuitive analytical tools to automatically surface case-relevant evidence quickly.

ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It understands many kinds of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of interface types, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Avaliação de vulnerabilidades. Avalia a superfície de ataque moderna além dos ativos de TI tradicionais: fortalece as aplicações Web, proteje sua infraestrutura da nuvem e provê visibilidade da sua superfície de ataque conectada à internet.
It provides high speed with in-depth assessments and free training. This audit tool is also helpful for educators, consultants, security practitioners, students, and working professionals to start their careers in cybersecurity. It provides utmost protection from future data breaches with unlimited assessments, configuration assessments, configurable reports, and on-demand training. Predictive Prioritization provides assistance in most critical cybersecurity issues with over 100 zero-day vulnerabilities.

NetworkMiner is an open source network forensics tool that extracts artifacts, such as files, images, emails and passwords, from captured network traffic in PCAP files. NetworkMiner can also be used to capture live network traffic by sniffing a network interface. Detailed information about each IP address in the analyzed network traffic is aggregated to a network host inventory, which can be used for passive asset discovery as well as to get an overview of which devices that are communicating. NetworkMiner is primarily designed to run in Windows, but can also be used in Linux. NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

NMAP (Network Mapper) is a free Security Scanner. It is one of the cyber security forensics tools for network scanning and auditing. One of its core advantages is the fact that it supports almost every popular operating system in existence, including Windows, Linux, and Mac, including some less popular ones like Solaris and HP-UX.

OSSEC is a free, open-source host-based intrusion detection system (HIDS) . It performs log analysis, integrity checking, registry monitoring, rootkit detection, time-based alerting, and active response. Ossec is a tool in the Security category of a tech stack.

Tools for managing system security and standards compliance. The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines. We maintain great flexibility and interoperability, reducing the costs of performing security audits.

An all-in-one digital forensic software designed to extract, decode, and analyze data. Extract data and artifacts from multiple devices with the capability for both mobile and computer forensic investigations.

An all-in-one digital forensic software designed to extract, decode, and analyze data. Extract data and artifacts from multiple devices with the capability for both mobile and computer forensic investigations.

PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks (Mechanical Hard drives, Solid State Drives...), CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. PhotoRec is free - this open source multi-platform application is distributed under GNU General Public License (GPLV v2+). PhotoRec is a companion program to TestDisk, an application for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again.

Solução de imagem, triagem e relatórios para macOS

Plaso (Plaso Langar Að Safna Öllu), or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso default behavior is to create super timelines but it also supports creating more targeted timelines.

This application is designed to assist IT security professionals with analysing log files, tcpdump files and hard disk images for forensic evidence. PyFlag is designed to run on Linux and has been tested on recent versions of Redhat/Fedora and Debian (Stable/Testing). It performs data analyis using a mysql database. It is written in python and should be portable to other unix-like systems.

Redline®, FireEye’s premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. Use Redline to collect, analyze and filter endpoint data and perform IOC analysis and hit review. In addition, users of FireEye’s Endpoint Security (HX) can open triage collections directly in Redline for in-depth analysis, allowing the user to establish the timeline and scope of an incident. This app runs on Windows only.

Scalpel is a file carving and indexing application that runs on Linux and Windows. The first version of Scalpel, released in 2005, was based on Foremost 0.69. There have been a number of internal releases since the last public release, 1.60, primarily to support our own research.

The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite. SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

The Sleuth Kit® is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.

SolarWinds Network Configuration Manager is used by multiple tech companies to incorporate high-level cybersecurity into the existing systems. It helps to reduce cost and save time to remain compliant with automated network configuration management and backup to eliminate data breaches from the future. It has some exciting and useful features such as vulnerability detection, network automation, configuration backup and restore, network inventory, and cyber auditing for compliance. This audit tool helps tech companies to see when a configuration in the network service path has changed, identify performance and configuration issues on key network devices, and accelerate troubleshooting for performance issues with its different products such as SolarWinds Network Performance Monitor, Network Insight for Cisco Nexus, Cisco ASA, Palo Alto Network devices, and PerfStack feature in the Orion Platform.

Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users. Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.>

Automated endpoint and vulnerability platform: visibility and control over the infrastructure. Reduce management burden and improve security at the same time.

tcpdump prints out a description of the contents of packets on a network interface that match the Boolean expression ; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump

The TekDefense Forensic Investigator app is designed to be a Splunk toolkit for the first responder. Most tools do not need Internet access with the exception of a couple which use API calls. This Splunk app provides free tools for the forensic investigator which include, but are not limited to the following: (1) VirusTotal Lookups; (2) Metascan Lookups; (3) Automater; (4) Base64 conversion; (5) XOR conversion; (6) HEX conversion; and more...

Toolsley is a privately owned website dedicated to bringing you no-hassle tools that just work!

TestDisk is OpenSource software and is licensed under the terms of the GNU General Public License (GPL v2+). TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy. TestDisk can: (1) fix partition table, recover deleted partition; (2) recover FAT32 boot sector from its backup; (3) rebuild FAT12/FAT16/FAT32 boot sector; (4) fix FAT tables; Rebuild NTFS boot sector; (5) recover NTFS boot sector from its backup; and (6) fix MFT using MFT mirror

The Sleuth Kit® (TSK) is a library and collection of command line tools that allow you to investigate disk images. The core functionality of TSK allows you to analyze volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

The Volatility Foundation is an independent non-profit organization that maintains and promotes open source memory forensics with The Volatility Framework.

Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

WinHex is in its core a universal hexadecimal editor, particularly helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security. An advanced tool for everyday and emergency use: inspect and edit all kinds of files, recover deleted files or lost data from hard drives with corrupt file systems or from digital camera cards. Features depend on the license type.

Steganography and data diding. CSAM (child sexual abuse material) investigation. Malware discovery.

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License.

Retrieving the optimal forensic data is what matters. XRY recovers data fast, in a secure, efficient, and lawful manner. XRY Logical. XRY Physical. XRY Pro. XRY Photon. XRY Cloud. XRY PinPoint. XRY Camera.

Integrated computer forensics environment. Our flagship product, based on WinHex.

Disk imaging, disk cloning, virtual RAID reconstruction. Best speed, most intelligent compression.

Reduced, simplified version of X-Ways Forensics for police investigators, lawyers, auditors, ...