The table below lists a selection of free computer forensics software and resources. It is the end user’s responsibility to check the licensing agreements of each one before use. Neither Forensic Control, who compiled the list, nor TriniCSI.com nor CPDMS Ltd provides any support or warranties for their use. The version numbers and links are correct as of 9 October 2010.
*Entries marked with a star indicate that registration is required.
Disk Tools | ||||
---|---|---|---|---|
Name | Version | From | Description | |
Encrypted Disk Detector | 1.1.0 | JADsoftware | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes | |
FAT32 Format | 1.05 | Ridgecrop | Enables large capacity disks to be formatted as FAT32 | |
FTK Imager | 3.0.0.1443 | AccessData | Imaging tool, disk viewer and image mounter | |
Guymager | 0.5.7 | vogu00 | Multi-threaded GUI imager running under Linux | |
HotSwap | 5.0.0 | Kazuyuki Nakayama | Enables safe removal of SATA disks through spindown, etc | |
P2 eXplorer* | 3.0.0 | Paraben | Virtually mount drives & forensic images | |
Tableau Imager* | 1.11 | Tableau | Imaging tool for use with Tableau imaging products | |
Live View | 0.7b | CERT | Allows examiner to boot dd images in VMware | |
Email Analysis | ||||
Name | Version | From | Description | |
Mail Viewer | 1.6.1 | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files | |
General | ||||
Name | Version | From | Description | |
Agent Ransack | 2010 (762) | Mythicsoft | Search multiple files using Boolean operators and Perl Regex | |
CaseNotes* | 1.2.2010.3 | QCC | Contemporaneous notes recorder | |
EvidenceMover* | 2.00 | Nuix | Copies data between locations, with file comparison, verification, logging | |
FastCopy | 2.03 | Shirouzu Hiroaki | The ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc | |
File Signatures | 15 Jul 2010 | Gary Kessler | Table of file signatures | |
Forensic Test Images | 21/10/2010 | Various | Collated forensic images for training, practice and validation | |
HashMyFiles | 1.68 | Nirsoft | Calculate MD5 and SHA1 hashes | |
MobaLiveCD | 2.10 | Mobatek | Run Linux live CDs from their ISO image without having to boot to them | |
Mouse Jiggler | 1.2 | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc | |
Notepad++ | 5.8.1 | Notepad++ | Advanced Notepad replacement | |
NSRL | 2.29 | NIST | Hash sets of ‘known’ (ignorable) files | |
USB Write Blocker | Unknown | DSi | Enables software write-blocking of USB ports | |
Windows Forensic Environment | 21/10/2010 | Troy Larson | Forensically boot and examine PCs within a Windows environment | |
File & Data Analysis | ||||
Name | Version | From | Description | |
Audit Viewer | 1.3.2003 | Mandiant | Viewer used with Memoryze (see below) | |
DCode | 4.02a | Digital Detective | Converts various data types to date/time values | |
Defraser | 1.2.7 | Various | Detects full and partial multimedia files in unallocated space | |
Exif Reader | 3.00 | Ryuuji Yoshimoto | Extracts exif data from digital photographs | |
Forensic Image Viewer | 1.03 | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data | |
Highlighter | 1.1.1 | Mandiant | Examine log files using text, graphic or histogram views | |
LiveContactsView | 1.07 | Nirsoft | View and export Windows Live Messenger contact details | |
Memoryze | 1.4.2900 | Mandiant | Acquire and/or analyze RAM images, including the page file on live systems | |
MFTview | 1.1.0 | Sanderson Forensics | Displays and decodes contents of an extracted MFT file | |
PsTools | 1 Jul 2009 | Microsoft | Suite of command-line Windows utilities | |
Shadow Explorer | 0.7 | Shadow Explorer | Browse and extract files from shadow copies | |
SQLite Manager | 0.6.2 | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database | |
Strings | 2.41 | Microsoft | Command-line tool for text searches | |
Structured Storage Viewer | 3.3.1 | MiTeC | View and manage MS OLE Structured Storage based files | |
TimeLord | 0.1.5.6 | Paul Tew | Time utility; timezones, BIOS times, decode computer time formats, etc | |
Windows File Analyzer | 1 | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files | |
Data Analysis Suites | ||||
Name | Version | From | Description | |
Autopsy | 2.24 | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) | |
Backtrack | 4.00 | Backtrack | Penetration testing and security audit with forensic boot capability | |
Caine | 2.00 | University of Modena e Reggio Emilia | Linux live CD, featuring a number of analysis tools | |
P2 Shuttle Free* | 1.30 | Paraben | Remote disk mounting, network RAM capture, search tools. Limited version of P2 Shuttle Pro | |
SIFT* | 2.00 | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations | |
The Sleuth Kit | 3.1.3 | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools | |
Ubuntu | 10.10 | Canonical | Guide to using an Ubuntu live disk to recover partitions, carve files, etc | |
Volatility Framework | 1.1.2 | Volatile Systems | Collection of tools for the extraction of artifacts from RAM | |
File Viewers | ||||
Name | Version | From | Description | |
Fragview* | 1.3.0.0 | QCC | View recursive HTML, jpg and Flash files | |
Microsoft Excel 2007 Viewer | 1.00 | Microsoft | View Excel spreadsheets | |
Microsoft PowerPoint 2007 Viewer | 1.00 | Microsoft | View PowerPoint presentations | |
Microsoft Visio 2007 Viewer | 1.00 | Microsoft | View Visio diagrams | |
Microsoft Word 2007 Viewer | 1.00 | Microsoft | View Word documents | |
VideoTriage* | 1.2.5.1805 | QCC | Produces thumbnails of video files so that the whole video doesn’t need to be watched | |
VLC | 1.1.4 | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc | |
Internet History Analysis | ||||
Name | Version | From | Description | |
ChromeAnalysis | 1.0.1 | forensic-software | Analysis of internet history data generated using Google Chrome | |
ChromeCacheView | 1.25 | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache | |
FoxAnalysis | 1.4.2 | forensic-software | Analysis of internet history data generated using Mozilla Firefox 3 | |
IECacheView | 1.33 | Nirsoft | Displays various details of files in Internet Explorer cache; number of hits, last accessed times, etc | |
IECookiesView | 1.74 | Nirsoft | Extracts various details of Internet Explorer cookies | |
IEHistoryView | 1.50 | Nirsoft | Extracts recently visited Internet Explorer URLs | |
IEPassView | 1.20 | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 | |
MozillaCacheView | 1.30 | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers | |
MozillaCookieView | 1.30 | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers | |
MozillaHistoryView | 1.26 | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages | |
MyLastSearch | 1.44 | Nirsoft | Scans the cache and history files to locate search queries made with the most popular search engines (Google, Yahoo and MSN) and with popular social networking sites (Twitter, Facebook, MySpace) | |
PasswordFox | 1.25 | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser | |
OperaCacheView | 1.37 | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache | |
OperaPassView | 1.01 | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat | |
Web Historian | 2.03 | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers | |
Registry Analysis | ||||
Name | Version | From | Description | |
ForensicUserInfo | 1.03 | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file | |
Process Monitor | 2.93 | Microsoft | Examine Windows processes and registry threads in real time | |
RegRipper | 20080909 | Harlan Carvey | Registry data extraction and correlation tool | |
Regshot | 1.8.2 | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software | |
USBDeviceForensics | 1.05 | Woanware | Details previously attached USB devices on exported registry hives | |
USBDeview | 1.8 | Nirsoft | Details previously attached USB devices | |
UserAssist | 2.4.3 | Didier Stevens | Displays list of programs run, with run count and last run date and time | |
Web Application Analysis | ||||
Name | Version | From | Description | |
GigaView* | 1.20 | QCC | Parses exported GigaTribe chat logs, results can be imported into Excel | |
KaZAlyser | 1.2.8 | Sanderson Forensics | Extracts various data from the KaZaA application | |
LiveContactsView | 1.07 | Nirsoft | View and export Windows Live Messenger contact details | |
SkypeLogView | 1.15 | Nirsoft | View Skype calls and chats |
Updates to this list will be announced on twitter.com/jonathankrause