Forensics

103 tools

7-Zip is a file archiver with a high compression ratio supporting multiple formats for packing/unpacking and extraction. It provides strong AES-256 encryption and powerful command line functionality.

aesfix corrects bit errors in AES-128 key schedules from hex-encoded files. It is designed for use with aeskeyfind output and handles unidirectional 1->0 bit errors.

Tool for locating 128-bit and 256-bit AES keys in a captured memory image. Uses algorithms and entropy tests to identify keys even with some bit corruption.

Advanced Forensics Format Library provides utilities for handling AFF disk images with metadata, digital signatures, and encryption. It enables conversion, comparison, verification, and manipulation of forensic disk images across various formats.

Autopsy is a graphical interface to The Sleuth Kit for digital forensic analysis of Windows and UNIX file systems. It provides features comparable to commercial digital forensics tools.

BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic from PCAP files or live captures. It extracts passwords, builds network maps, reconstructs TCP sessions, and converts encrypted password hashes to Hashcat format for offline brute force attacks.

bulk_extractor scans disk images, files, or directories to extract useful information without parsing file system structures. It generates feature files and histograms for easy inspection and analysis.

Cabextract is a program which unpacks Microsoft Cabinet (.cab) files used to distribute software and Windows Font Packs. It extracts files from cabinet or executable cabinet archives.

Chainsaw rapidly searches and hunts through Windows forensic artefacts like Event Logs and MFT files to identify threats. It supports keyword searches and detection using Sigma and custom Chainsaw rules.

Chaosreader traces TCP/UDP/other network sessions from snoop or tcpdump logs and exports them to HTML format. It extracts application data like telnet, FTP, HTTP transfers, and SMTP emails, creating an HTML index with session details and real-time replay programs.

chkrootkit is a rootkit detector that searches for signs of over 70 different rootkits on Linux systems. It provides automated scanning but requires human judgment for final verification.

Clam AntiVirus is an open-source anti-virus toolkit for Unix providing command-line scanning, multi-threaded daemon, and automatic virus database updates. It supports scanning files, emails, archives, executables, and documents for malware.

Python tool to extract credentials and secrets from Windows registry hives. Based on the original creddump program with many patches and fixes applied.

Cryptsetup provides an interface for configuring encryption on block devices using the Linux kernel device mapper target dm-crypt with integrated LUKS support. It includes tools for managing encrypted devices, integrity protection, and verity verification.

cryptsetup-nuke-password configures a special 'nuke password' for LUKS encrypted partitions that erases encryption keys when entered at the unlock prompt. This renders data unreadable if the system is at risk of seizure.

Patched version of GNU dd with forensic features including on-the-fly hashing, error logging, pattern wiping, progress reporting, and split output capabilities.

Enhanced version of dd for forensics and security with features like on-the-fly hashing, status output, and flexible disk wiping. It provides improved efficiency and additional capabilities for data acquisition and verification.

dd_rescue is a data recovery tool that copies data from failing disks without aborting on I/O errors, unlike standard Unix tools. It also supports secure data deletion by overwriting files or disks multiple times.

dfDateTime is a Python 3 library for digital forensics that provides date and time objects to preserve accuracy and precision. It is designed for handling timestamps in forensic investigations.

dfvfs provides read-only access to file-system objects from various storage media types and file formats. It offers a generic interface using multiple back-ends for different storage media, volume systems, and file systems.

dfWinReg is a Python 3 library that provides read-only access to Windows Registry objects. It offers a generic interface mimicking the Registry key hierarchy as seen on a live Windows system.

Dislocker reads and writes BitLocker encrypted volumes under Linux. It creates a virtual NTFS file that can be mounted to access and modify the encrypted partition.

dos2unix converts text file line endings between DOS (CRLF), Unix (LF), and Mac (CR) formats. It includes utilities like unix2dos, mac2unix, and unix2mac for bidirectional conversion.

DumpsterDiver is a tool to analyze large volumes of data for hardcoded secrets like keys and passwords. It supports custom search rules and detects potential secret leaks.

Dumpzilla is a Mozilla browser forensic tool that extracts forensic information from Firefox, Iceweasel, and Seamonkey browsers. It dumps data like cookies, bookmarks, and addons for analysis.

dwarf2json is a utility that processes files containing symbol and type information to generate Volatility3 Intermediate Symbol File (ISF) JSON output for Linux and macOS analysis.

ExifLooter finds geolocation metadata in images from URLs and directories. It integrates with OpenStreetMap to display locations.

Exifprobe reads image files from digital cameras and reports the structure and metadata contained within them. It supports various formats including TIFF, JPEG, EXIF, and multiple raw camera formats.

Library and command-line tool for reading and writing meta information in multimedia files. Supports maker note information from various digital camera manufacturers.

Exiv2 is a C++ library and command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata of images in various formats.

Tool to help recover deleted files on ext3 filesystems. Useful in forensics investigations.

ext4magic recovers deleted files from ext3 or ext4 partitions using file carving techniques. It extracts data directly from the filesystem journal to restore files with original filenames, owners, groups, modes, and timestamps.

Utility to recover deleted files from ext3/ext4 partitions using journal information. There is no guarantee that any particular file will be able to be undeleted.

fatcat is a tool to explore, extract, repair, and perform forensics on FAT filesystems. It supports FAT12, FAT16, and FAT32, allowing users to list files, recover deleted data, backup and hack FAT tables, and more.

Foremost is a forensic program to recover lost files based on their headers, footers, and internal data structures. It works on image files or directly on drives using built-in file types or configuration files.

A free, community-sourced, machine-readable knowledge base of forensic artifacts that serves as an information source and can be used within other tools. This package installs the data files alone, without the Python toolkit.

forensics-colorize is a set of tools to visually compare large files like filesystem images using color graphics. It provides an intuitive graphic representation of the percentage of changes between two files.

Galleta is a forensics tool for analyzing Microsoft Internet Explorer cookie files. It parses the cookie content and outputs it in a field-separated format suitable for spreadsheets.

GPT fdisk (gdisk) is a text-mode partitioning tool for manipulating GUID Partition Table (GPT) disks. It supports editing partition tables, conversions between MBR/GPT/BSD formats, and repairing damaged structures.

Gpart guesses PC disk partition tables and finds lost partitions when the primary table is damaged, incorrect, or deleted. It lists types, locations, and sizes of deleted partitions for manual recreation.

GNOME partition editor for creating, reorganizing, and deleting disk partitions. Uses libparted to detect and manipulate devices and partition tables.

GrokEVT is a collection of scripts for reading Microsoft Windows NT/2000/XP/2003 event log files. It extracts registry entries, message templates, and log files from mounted Windows partitions to convert logs to human-readable format.

GtkHash is a GTK+ utility for computing message digests and checksums. It supports hash functions including MD5, SHA1, SHA256, SHA512, and others.

Guymager is a Qt-based forensic imaging tool that produces images in EWF, AFF, and dd formats. It features a user-friendly interface, high imaging speed, and parallel compression for multi-processor systems.

Recursively computes hash sums or piecewise hashes using the MD5, SHA1, SHA256, Tiger, and Whirlpool algorithms. Useful for comparing hashes against known lists in forensics investigations.

Hashrat is a hashing utility supporting multiple hash algorithms including MD5, SHA1, SHA256, SHA512, Whirlpool, and JH variants, with HMAC support. It offers recursive directory hashing, device hashing, traditional output formats, and remote operations.

Hivex is a library and collection of tools for reading and writing Windows Registry hive binary files. It provides command-line utilities for extracting, navigating, converting, and modifying registry data.

libewf is a library for reading and writing Expert Witness Compression Format (EWF) files used in digital forensics. It provides tools to acquire, verify, export, and mount EWF images from sources like EnCase and FTK Imager.

Library and tools for reading and extracting data from Microsoft Outlook PST files. Supports exporting emails to mbox, MH, KMail formats and contacts to LDIF or DII formats.

LVM2 is the Linux Logical Volume Manager that provides enterprise-level volume management by grouping disks into volume groups and allocating space to logical volumes accessed as regular block devices.

Lynis is a security auditing tool for Unix-based systems that scans configurations to identify system information and security issues. It assists professional auditors and supports automated audits alongside other security tools.

mac-robber collects metadata from allocated files in mounted filesystems for digital forensics investigations. The collected data can be used by mactime from The Sleuth Kit to create file activity timelines.

Magic Rescue scans block devices for known file types using magic bytes and extracts them with external programs. It serves as both an undelete utility and a tool for recovering data from corrupted drives or partitions.

mdbtools provides utilities for reading, manipulating, and exporting data from Microsoft Access (MDB) database files. It includes command-line tools for schema dumping, data export to CSV/JSON, SQL querying, and file analysis.

Utility to dump memory contents to standard output, skipping over holes in memory maps. By default, dumps physical memory contents.

metacam extracts EXIF information from digital camera files, including JPEG images from cameras and mobile phones. It supports standard EXIF fields and vendor-specific extensions from Nikon, Olympus, Canon, and Casio.

Miss Identify is a program to find MS Windows Win32 applications, displaying filenames of executables that lack standard extensions like exe, dll, or com. It can also display all executables regardless of extension and is useful in forensics investigations.

myrescue rescues readable data from damaged hard disks, CD-ROMs, DVDs, and flash drives. It prioritizes undamaged areas first, unlike dd_rescue, and is useful for data recovery and forensics investigations.

ncurses-hexedit is a curses-based hex editor for viewing and editing files or disks in hexadecimal, ASCII, or EBCDIC formats. It supports insert, delete, search, undo, and disk editing capabilities.

GNU Parted is a program that allows you to create, destroy, resize, move, and copy disk partitions. It supports multiple partitioning formats and can detect various file systems.

Pasco is a forensic tool that examines Microsoft Internet Explorer cache files (index.dat) and extracts information into a field-separated format for spreadsheet analysis. It is useful in forensics investigations.

CLI tool that scans shell command history for mistakenly written passwords, API keys, and secrets using regular expressions. Helps avoid accidentally exposing sensitive data in command history.

pdf-parser parses PDF files to identify fundamental elements without rendering the document. It is designed for static analysis of PDF structures and objects.

Scans PDF files for certain PDF keywords to identify potentially malicious documents. Helps detect features like JavaScript, encryption, or auto-actions without full parsing.

Plaso is a Python-based back-end engine for creating super timelines from various log files and forensic artifacts. It enables forensic investigators to parse and correlate information from computer systems and network equipment into a single timeline for analysis.

plocate is a much faster locate utility based on posting lists, providing quick file name searches on a smaller index. It serves as a drop-in replacement for mlocate and performs efficiently on both SSDs and non-SSDs.

recordMyDesktop captures audio-video data of a Linux desktop session, producing an ogg-encapsulated Theora-Vorbis file. It processes only regions of the screen that have changed to be as unobtrusive as possible.

recoverdm recovers files or complete devices from disks with damaged sectors by writing empty sectors for unreadable ones and continuing. It supports RAW mode reading for CDs/DVDs and includes mergebad to combine multiple images.

recoverjpeg recovers JFIF (JPEG) pictures and MOV movies from peripherals or filesystem images. It acts as a data carving tool useful in forensics investigations for recovering overwritten or corrupted media files.

RegLookup is a system for direct analysis of Windows NT-based registry files, providing command line tools, a C API, and Python module for accessing registry data structures with a focus on digital forensics investigations. It includes algorithms for retrieving deleted data structures from registry hives and supports filtering results by path and data type.

RegRipper is a CLI tool for performing forensic analysis of Windows Registry hives. It extracts, translates, and displays data and metadata using Perl plugins.

RFDump is a tool to decode RFID tags and display their meta information such as tag ID, type, and manufacturer. It allows viewing and modifying user data memory using hex or ASCII editors and demonstrates RFID abuse potential via a cookie feature.

Rifiuti is a tool to examine INFO2 files from the MS Windows recycle bin, providing meta information about deleted files. It is useful in forensics investigations.

Rifiuti2 is a replacement for rifiuti, a MS Windows recycle bin analysis tool. It extracts file deletion time, original path, size of deleted files, and whether files have been moved out from the recycle bin.

Rootkit Hunter scans systems for known and unknown rootkits, backdoors, sniffers and exploits. It checks for SHA256 hash changes, files commonly created by rootkits, executables with anomalous file permissions, suspicious strings in kernel modules, hidden files in system directories, and can optionally scan within files.

rling is a faster alternative to the rli utility from hashcat-utils. It removes matching lines or duplicates from files by comparing a single input file against one or more remove files.

Locates BER-encoded RSA private keys in memory images. Optionally matches keys against a specified hex-encoded modulus from a file.

Safecopy is a data recovery tool for problematic or damaged media that extracts as much data as possible by skipping bad areas and using low-level operations. It generates images similar to ddrescue and is useful for forensics and disaster recovery.

samdump2 dumps Windows 2k/NT/XP password hashes from a SAM file using the syskey bootkey from the system hive. It also provides functionality to recover the syskey bootkey from a Windows NT/2K/XP system hive.

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from image files or raw device files. It is filesystem-independent and supports carving from various filesystems like FAT, NTFS, Ext, and more.

Scrounge-ntfs is a data recovery program for NTFS filesystems that reads each block of the hard disk to rebuild the original filesystem tree into a directory. It helps retrieve data from corrupted NTFS partitions and is useful in forensics investigations.

shed is a simple hex editor with a pico-style interface for viewing and editing files in text mode using ncurses. It supports multiple display formats and is useful in forensics investigations.

Sigma command line interface using the pySigma library to manage, list, and convert Sigma rules into query languages. It provides tools for analyzing, checking, and converting detection rules for security information and event management systems.

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools for forensic analysis of file and volume systems in disk images. It enables non-intrusive examination of filesystems to reveal deleted and hidden content, and analyzes disk layouts and partitions.

Snowdrop provides steganographic watermarking for text documents and C source code to track leaks and prove originality. It uses redundant encoding across multiple channels for resilience against modifications like reformatting or spell checking.

ssdeep is a recursive piecewise hashing tool for computing and matching Context Triggered Piecewise Hashes (fuzzy hashes). It compares similar but not identical files, identifying modified versions even with insertions, modifications, or deletions.

StegCracker is a steganography brute-force utility to uncover hidden data inside files. It supports specific file types like jpg, jpeg, bmp, wav, and au.

Steghide is a steganography program that hides data in image and audio files like bmp, jpeg, wav, and au. It uses Blowfish encryption and pseudo-random bit distribution to conceal data invisibly.

Stegosuite is a graphical steganography tool to hide information in image files. It supports embedding text messages and multiple files with AES encryption in BMP, GIF, JPG, and PNG formats.

Stegsnow conceals messages in ASCII text files by appending whitespaces to the end of lines, making them invisible to casual observers. It supports built-in encryption using the ICE algorithm for added security.

TestDisk is a partition scanner and disk recovery tool that checks partition and boot sectors to recover lost partitions. PhotoRec recovers lost files like pictures from digital cameras or hard disks.

eBPF-based Security Observability and Runtime Enforcement tool that detects and reacts to security events like process execution, system calls, and I/O activity. Kubernetes-aware for workload-specific security event detection.

Unar is an archive unpacker supporting a wide variety of file formats including zip, RAR, 7z, tar, and many legacy formats. It includes lsar for listing archive contents and unar for extracting them.

unblob is an accurate, fast, and easy-to-use extraction suite that parses unknown binary blobs for over 30 archive, compression, and file-system formats. It recursively extracts content and carves out unknown chunks.

UnDBX is a tool to extract, recover, and undelete email messages from Microsoft Outlook Express .dbx files. It is useful in forensics investigations for parsing corrupted files and recovering deleted messages.

unhide is a forensic tool that finds hidden processes, ports, and threads by comparing the results of multiple OS-level APIs and /proc entries. It detects rootkit-hidden processes that are invisible to standard tools like ps or netstat.

Forensics tool to find processes hidden by rootkits. Scans system for hidden processes and lists any hits on stderr.

unrar-nonfree is a non-free unarchiver for extracting files from .rar archives. It provides the unrar command along with supporting libraries for RAR file handling.

Vinetto is a forensics tool to examine Thumbs.db files by extracting thumbnail pictures and their metadata generated under Microsoft Windows. It helps *nix-based investigators preview thumbnails of deleted pictures and obtain information like dates and paths about them.

Winregfs is a FUSE-based filesystem driver that mounts Windows registry hive files as ordinary filesystems for easy access and editing with shell scripts and command-line tools. It includes fsck.winregfs for scanning registry hives for damage caused by hardware or software issues.

xmount is a tool for cross-mounting between disk image formats, converting on the fly between multiple input and output hard disk image formats using FUSE. It creates a virtual file system representing the input image in formats like raw DD, DMG, VDI, VHD, or VMDK.

Xplico is a Network Forensic Analysis Tool (NFAT) that extracts application data from internet traffic captures. It reconstructs emails, HTTP contents, VoIP calls, FTP transfers, and other protocol data from pcap files.

Zerofree finds unallocated blocks with non-zero content in ext2, ext3, and ext4 file-systems and fills them with zeroes. This is particularly useful for reducing the size of disk images in virtual machines.