Computer Forensics Tools -Part IV

Computer Forensics Tools -Part IV

Some More FREE CF Tools:


  • DFF (Digital Forensics Framework) – an open source platform applicable for data retrieval and analysis.
  • PowerForensics is a PowerShell based utility intended for live disk forensic analysis

Real-Time Utilities

  • Grr (GRR Rapid Response) is a remote live forensics tool for incident response.
  • Mig (Mozilla Investigator) – a distributed real-time platform for investigating incidents on remote endpoints.

Imaging Tools (Data Acquisition and Cloning)

  • Dc3dd – an enhanced edition of the GNU dd utility featuring on-the-fly hashing, pattern writing, file verification, and other functions for digital evidence acquisition.
  • Dcfldd is yet another improved version of the dd program.
  • Guymager is an imaging tool running under Linux that allows viewing and cloning data media.

Data Extraction

  • Bstrings is an improved version of the popular strings utility.
  • bulk_extractor enables you to extract email addresses, IP addresses and phone numbers from files.
  • Flare-floss is a utility using static analysis techniques to automatically extract obfuscated strings from malware binaries.
  • Photorec is a recovery tool that extracts deleted files, including documents, archives, photos, and videos from hard drives and CDs.

RAM Memory Forensics

  • – this tool’s distinguishing hallmark is the high speed of extracting data directly from memory.
  • KeeFarse extracts KeePass passwords from memory.
  • Rekall is a Python-based tool for analyzing RAM memory dumps.
  • Volatility framework is a collection of utilities for extracting digital artifacts from RAM memory samples.
  • VolUtility provides a web interface for the Volatility Framework mentioned above.

Network Analysis

  • SiLK Tools is a traffic analysis toolkit that facilitates security analysis for large networks.
  • Wireshark is one of the world’s most popular network sniffers.

Windows Artefacts (Extracting Files, Downloads History, USB memory stick data, etc.)

  • FastIR Collector is an all-in-one tool for harvesting Windows information (registry, file system, services, startup programs, etc.).
  • FRED is a cross-platform Windows registry analysis utility.
  • MFT Parsers is a tool facilitating comparative analysis of Master File Table information.
  • MFTExtractor – another handy parser of Master File Table.
  • RecuperaBit reconstructs NTFS file system.
  • python-ntfs is a Python library for NTFS analysis.

OS X Analysis

  • OS X Auditor is a popular free forensics tool supporting Mac OS X that parses and hashes various system artefacts.

Internet Artefacts

  • chrome-url-dumper is intended for extracting different types of web surfing information from Google Chrome.
  • Hindsight analyzes Google Chrome/Chromium history.

Timeline Analysis

  • plaso is a tool that extracts and aggregates timestamps.
  • Timesketch facilitates collaborative timeline analysis.

Hex Editors

  • 0xED is a hex editor for Mac OS X.
  • Synalyze It! is a popular hex editor for Mac OS X featuring an intuitive interface and extensible controls.
  • Hexinator is a Windows/Linux version of Synalyze It!.
  • HxD – a lightweight and fast hex editor.
  • iBored is a cross-platform hex editor supporting Windows, Linux, and Mac OS X.
  • wxHexEditor is another free cross-platform hex editor delivering extensive features for file comparison.

Data Converters

  • CyberChef is a universal tool for encryption, decoding, compression, and data analysis.
  • DateDecode is applicable for decoding random unintelligible date strings provided in 13 different formats.

File Analysis

Disk Image Processing

  • imagemounter is a command line tool that helps mount/unmount disk images.
  • libewf is a library and toolkit to access and work with EWF (Expert Witness Compression Format) and E01 format files.
  • xmount is a utility that converts between different disk image types.


All suggestions and additions or updates can be emailed to