Tool Profiling 07 Oct 2021

The document lists various forensic tools used for different purposes like cyber forensic analysis, drive imaging and validation, integrity verification and hashing, data recovery, RAM analysis, registry analysis, and encryption/decryption. It provides brief 1-2 sentence descriptions for over 50 different forensic tools across these categories.

Uploaded by

Darmoni Laishram

List of Forensic Tools

Cyber Forensic Suite .... 3
    OSForensics .... 3
    Autopsy .... 4
    AccessData FTK .... 5
    OpenText Encase .... 6
    Nirsoft .... 7
    Windows Sysinternals Live .... 8
    Computer Aided Investigative Environment .... 9
    PALADIN .... 10
    Digital Evidence and Forensic Toolkit .... 11
    Paraben Tools .... 12
    Computer Online Forensic Evidence Extractor .... 13
    Vogon .... 14
    SIFT Workstation .... 15
Drive Imaging and Validation Tools .... 16
    Encase Forensic Imager .... 16
    FTK Imager .... 17
    Norton Ghost .... 18
    Symantec Ghost .... 19
    Safeback .... 20
    ProDiscover Incident Response (IR) .... 21
    X-Ways Forensic (XWF) .... 22
    DriveSpy .... 23
    Forensic Replicator .... 24
    SMART Acquisition Workshop (SAW) .... 25
    WinHex .... 26
Forensic Tool for Integrity Verification and Hashing .... 27
    HashMyFiles .... 27
    HashCalc .... 28
    CRCMD5 .... 29
    DiskSig .... 30
    MD5summer .... 31
Forensic Tools for Data Recovery .... 32
    Recuva .... 32
    Byte Back .... 33
    MiniTool Power Data Recovery .... 34
    IsoBuster .... 35
    Stellar Data Recovery .... 36
    PhotoRec .... 37
    EaseUS Data Recovery .... 38
Forensic Tools for RAM Analysis .... 39
    Volatility .... 39
    Rekall .... 40
    MemGator .... 41
    Mandiant's Memoryze .... 42
    Magnet RAM Capture .... 43
    WinPmem .... 44
    dcfldd .... 45
    Helix3 .... 46
    LiME .... 47
Forensic Tools for Registry Analysis .... 48
    Regshot .... 48
    RegRipper .... 49
Forensic Tools for Encryption/Decryption .... 50
    VeraCrypt .... 50
    Encrypted Disk Detector .... 51
Forensic Tools for Password Recovery .... 52
    Passware Kit Forensic .... 52
    Elcomsoft .... 53
    Ophcrack .... 54
Forensic Tools for Analysing Network .... 55
    Wireshark .... 55
    Packet Tracer .... 56
    Kismet .... 57
    NetworkMiner .... 58
    OpenVPN .... 59
    Network Mapper .... 60
    Firewalk .... 61
    Tripwire .... 62
    Snort .... 63
    NetAnalysis .... 64
Forensic Tools for Metadata Processing .... 65
    PhotoMe .... 65
    Metadata Assistant .... 66
Forensic Tools for Mobile Devices .... 67
    Cellebrite UFED 4PC .... 67
    RAVEN .... 68
    XRY .... 69
    ACESO .... 70
    MOBILedit .... 71
    Oxygen Forensic Suite .... 72
    Magnet Axiom .... 73
    BitPim .... 74
    Mobile Phone Examiner Plus .... 75
    SIMCon .... 76
    AFLogical .... 77
Forensic Tools for Email Analysis .... 78
    Aid4Mail .... 78
    Digital Forensics Framework (DFF) .... 79
    eMailTrackerPro .... 80
    Paraben Email Examiner .... 81
    EmailTracer .... 82
    Adcomplain .... 83
    MailXaminer .... 84
    AbusePipe .... 85
    Internet Evidence Finder (IEF) .... 86
    FINALeMail .... 87
    Forensics Investigation Toolkit (FIT) .... 88
Forensic Tools for Social Media Analysis .... 89
    HTTrack .... 89
    X1 Social Discovery .... 90

Cyber Forensic Suite

OSForensics

Tool Name: OSForensics
Category: Disk Forensics
Vendor/OEM: PassMark Software
Licence: Free/Commercial
Official Website: https://www.osforensics.com

Description:
OSForensics is used for discovering evidence and for identifying and reporting it. It finds relevant data faster using file searching and indexing. It can recover deleted files, extract passwords and decrypt files irrespective of the operating system and file system in use.
OSForensics can identify evidence and suspicious activity using features such as hash matching and drive signature analysis, and it can build a timeline of user activity.
OSForensics has added reporting features such as building custom reports, adding narratives, and attaching another tool's report to the OSF report.
A collection of free companion tools is provided for use with OSForensics: OSFMount for mounting dd image files in Windows, OSFClone, a self-booting disk cloning tool, ImageUSB for writing an image to multiple USB drives, and Volatility Workbench, a Windows GUI for Volatility memory analysis.

Operating Platform: Windows (Windows Vista, Win 7, Win 8, Win 10; Windows Server 2000, 2003, 2008, 2012, 2016, 2019)
Installation Requirement: 32-bit and 64-bit support (64-bit recommended); minimum 1GB of RAM (8GB+ recommended); 500MB of free disk space, or can be run from a USB drive
Contact: PassMark Software Pty Ltd, Level 5, 63 Foveaux St, Surry Hills, NSW 2010 Australia

Autopsy

Tool Name: Autopsy
Category: Disk Forensics
Vendor/OEM: Basis Technology
License: Freeware/Open Source
Official Website: https://www.autopsy.com

Description:
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they help in the investigation of the file systems and volumes of a computer. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. Autopsy supports web artifact analysis and registry analysis, which other commercial tools do not provide.
In dead analysis, Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab, to examine the data from a suspect system. In live analysis, the suspect system is analysed while it is running, with Autopsy and The Sleuth Kit run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed.

Operating Platform: Windows, Linux, OS X
Contact: Basis Technology, 1060 Broadway, Somerville, MA 02144-2078, U.S.A.; 617-386-2000; [email protected]

AccessData FTK

Tool Name: AccessData FTK
Category: Disk Forensic Analysis
Vendor/OEM: AccessData
License: Commercial
Official Website: https://www.accessdata.com

Description:
Forensic Toolkit, or FTK, is computer forensics software made by AccessData. It scans a hard drive for various kinds of information. It can, for example, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.
FTK is also associated with a standalone disk imaging program called FTK Imager. This tool saves an image of a hard disk in one file or in segments that may later be reconstructed. It calculates MD5 and SHA1 hash values and can verify that the imaged data is consistent with the created forensic image. The forensic image can be saved in several formats, including DD/raw, E01, and AD1.

FEATURES AND CAPABILITIES
- Unmatched speed through distributed processing engines
- Unique architecture provides better stability
- Wizard-driven to ensure no data is missed
- State-of-the-art data visualization to highlight relationships and patterns
- Only solution that utilizes a single case database, reducing the cost and complexity of multiple case datasets
- KFF hash library with 45 million hashes
- Advanced, automated analysis without the scripting
- Wizard-driven processing ensures no data is missed
- Pre- and post-processing refinement
- Advanced data carving engine allows you to specify criteria, such as file size, data type and pixel size, to reduce the amount of irrelevant data carved while increasing overall thoroughness
- Create, import and export reusable processing profiles with pre-defined processing options for different investigative needs

Operating Platform: Windows, Linux
Address: Corporate Headquarters, 4145 SW Watson Ave #400, Beaverton, OR 97005; 503.501.5100

OpenText Encase

Tool Name: OpenText Encase
Category: Disk Forensic Analysis
Vendor/OEM: OpenText
License: Commercial
Official Website: https://www.opentext.com/products/encase-forensic

Description:
OpenText™ EnCase™ Forensic finds digital evidence no matter where it hides to help law enforcement and government agencies reduce case backlogs, close cases faster and improve public safety. For more than 20 years, investigators, attorneys and judges around the world have depended on EnCase Forensic as the pioneer in digital forensic software to deliver reliable investigation results.

FEATURES AND CAPABILITIES

Unmatched performance
Rely on the ability to process evidence up to 75 percent faster than competing products, demonstrated in investigator lab testing using real-world evidence files.

Court-accepted evidence format
Trust the evidence file formats and digital forensic evidence integrity accepted as the proven standard by court systems around the world.

Superior efficiency
Extend the power of EnCase with a complete API that enables the automation of common investigator tasks and improves analyst efficiency.

In-depth evidence investigation
Have confidence in investigative results with a solution that conducts disk-level analysis and parses and reconstructs data to ensure its accuracy.

Operating Platform: Windows
Address: Waterloo, 275 Frank Tompa Drive, Waterloo ON N2L 0A1, Canada; Phone: 519-888-7111; Fax: 519-888-0677

Nirsoft

Tool Name: Nirsoft
Category: Cyber Forensic Suite
Vendor/OEM: Nirsoft
License: Freeware
Official Website: http://www.nirsoft.net/

Description:
For almost every utility that you can find here, there are probably other alternative tools with similar functionality. However, NirSoft utilities have some unique advantages over many other freeware and commercial products:
- Most of the utilities in this site were developed in C++, which makes them fast, small and effective.
- My utilities are portable and mostly don't require any installation. While many software companies create a bloated installation package with a size of 1-3 MB, the size of a single utility in NirSoft is usually less than 100KB.
- All my utilities (except for a few very old tools) don't write anything to the Registry or to your profile folder. This means that you can use them from a USB Flash drive, without leaving traces in the computer that you use.
- Most of my utilities can be used from the command line, without displaying any user interface.
- You don't have to register or give your email in order to download from NirSoft.
- My utilities don't collect any personal information from your computer and they will never send any information to anyone.
- My utilities are completely freeware, without any catch.

Operating Platform: Windows
Address:

Windows Sysinternals Live

Tool Name: Windows Sysinternals Live
Category: Cyber Forensic Suite
Vendor/OEM: Microsoft
License: Freeware
Official Website: https://live.sysinternals.com

Description:
Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.

Operating Platform: Windows
Address:

Computer Aided Investigative Environment

Tool Name: Computer Aided Investigative Environment
Category: Cyber Forensic Suite
Vendor/OEM: CAINE
License: Freeware
Official Website: https://www.caine-live.net/

Description:
CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project. Currently the project manager is Nanni Bassetti (Bari, Italy).
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
- an interoperable environment that supports the digital investigator during the four phases of the digital investigation
- a user-friendly graphical interface
- user-friendly tools

Operating Platform: Linux
Address:

PALADIN

Tool Name: PALADIN
Category: Cyber Forensic Suite
Vendor/OEM: Sumuri
License: Freeware
Official Website: https://sumuri.com/software/paladin/

Description:
PALADIN is a modified "live" Linux distribution based on Ubuntu that simplifies various forensics tasks in a forensically sound manner via the PALADIN Toolbox. PALADIN is available in 64-bit and 32-bit versions.

Operating Platform: Linux
Address: 40 South Main Street, P.O. Box 121, Magnolia, Delaware 19962, USA

Digital Evidence and Forensic Toolkit

Tool Name: Digital Evidence and Forensic Toolkit
Category: Cyber Forensic Suite
Vendor/OEM:
License: Freeware
Official Website: http://www.deftlinux.net/

Description:
DEFT Linux is a Computer Forensics Live CD.
It is a very easy to use system that includes excellent hardware detection and the best free and open source applications dedicated to incident response and computer forensics.
DEFT is meant to be used by police, investigators, system administrators, individuals and anyone who needs to use forensic tools but does not know open source operating systems and forensic techniques.

Operating Platform: Linux
Address:

Paraben Tools

Tool Name: Paraben Tools
Category: Cyber Forensic Suite
Vendor/OEM: Paraben
License: Proprietary
Official Website: https://paraben.com/

Description:
- Smartphone Forensics: iOS, Android, IoT, & Cloud
- Computer Forensics: Windows, Email, Internet, & Cloud
- Email Investigations: Outlook, Exchange, Office365, & more

Operating Platform: Windows, iOS and Android
Address:

Computer Online Forensic Evidence Extractor

Tool Name: Computer Online Forensic Evidence Extractor
Category: Cyber Forensic Suite
Vendor/OEM: Microsoft
License: Proprietary
Official Website:

Description:
Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.

Operating Platform: Windows
Address:

Vogon

Tool Name: Vogon
Category: Cyber Forensic Suite
Vendor/OEM: Vogon
License: Proprietary
Official Website:

Description:
Vogon Forensic Software is developed by Vogon International Ltd. The most popular version of this product among our users is 7.1. The name of the program executable file is SDI32.EXE.

Operating Platform: Windows
Address:

SIFT Workstation

Tool Name: SIFT Workstation
Category: Disk Forensic Analysis
Vendor/OEM: SANS
License: Free
Official Website: https://www.sans.org/tools/sift-workstation/

Description:
The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite. SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

FEATURES AND CAPABILITIES
- F-Response Tool Suite Compatible
- Rapid Scripting and Analysis
- Threat Intelligence and Indicator of Compromise Support
- Threat Hunting and Malware Analysis Capabilities
- Ubuntu LTS 20.04 Base
- 64-bit base system
- Better memory utilization
- Auto-DFIR package update and customizations
- Latest forensic tools and techniques
- VM Appliance ready to tackle forensics
- Cross compatibility between Linux and Windows
- Option to install/upgrade stand-alone system via SIFT-CLI installer
- Expanded Filesystem Support
- Plaso/log2timeline (Timeline Generation Tool)
- Rekall Framework (Memory Analysis)
- Volatility Framework (Memory Analysis)
- 3rd Party Volatility Plugins
- bulk_extractor
- afflib

Operating Platform: Windows, Linux
Address: Corporate Headquarters, Bethesda, Maryland, United States

Drive Imaging and Validation Tools

EnCase Forensic Imager

Tool Name: EnCase Forensic Imager
Category: Imager
Vendor/OEM: OpenText
License: Freeware
Official Website: https://security.opentext.com/encase-forensic
Description:
EnCase Forensic Imager is based on trusted, industry-standard EnCase forensic technology. It gives forensic examiners a forensically sound way to acquire data from entire volumes or selected folders and to investigate that data. Examiners can acquire data from a wide variety of devices such as tablets, hard drives and removable media, unearth potential evidence with disk-level forensic analysis, view and browse potential evidence files including folder structures and file metadata, and craft comprehensive reports on their findings, all while maintaining the integrity of the evidence.
Operating Platform: Windows
Address: OpenText: Call 1-800-499-6544

FTK Imager

Tool Name: FTK Imager
Category: Imager
Vendor/OEM: AccessData
License: Freeware
Official Website: https://www.accessdata.com
Description:
FTK Imager is a free data acquisition tool from AccessData. It creates a forensic image as a bit stream. Other features of FTK Imager include collection of volatile data from RAM, pre-analysis of data, information search, etc. The tool takes a snapshot of the entire disk drive and then copies every bit for analysis. It supports file systems such as FAT 12/16/32, NTFS, NTFS Compressed, and Linux ext2 and ext3.
Features and Capabilities:
• Parse XFS file systems when investigating and collecting from RHEL Linux environments.
• Capture and view APFS images from Mac® hard drives. You only need one tool for all operating systems.
• Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media.
• Preview files and folders on local hard drives, network drives, CDs and DVDs, thumb drives or other USB devices.
• Preview the contents of forensic images stored on the local machine or on a network drive.
• Mount an image for a read-only view that leverages Windows® Internet Explorer® to see the content of the image exactly as the user saw it on the original drive.
• Export files and folders from forensic images.
• See and recover files that have been deleted from the Recycle Bin but have not yet been overwritten on the drive.
• Create hashes of files to check the integrity of the data using either of the two hash functions available in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).
Operating Platform: Windows, Linux
Address: Corporate Headquarters, 4145 SW Watson Ave #400, Beaverton, OR 97005; 503.501.5100

Norton Ghost

Tool Name: Norton Ghost
Category: Imager and Validation Tools
Vendor/OEM: Norton
License: Trialware
Official Website: https://www.broadcom.com/products/endpoint-management/ghost-solutions-suite
Description:
Ghost (an acronym for general hardware-oriented system transfer) is a disk cloning and backup tool originally developed by Murray Haszard in 1995 for Binary Research. The technology was acquired in 1998 by Symantec.

The backup and recovery functionality has been replaced by Symantec System Recovery (SSR), although the Ghost imaging technology is still actively developed and is available as part of Symantec Ghost Solution Suite.
Operating Platform: Windows
Address:

Symantec Ghost

Tool Name: Symantec Ghost
Category: Imager and Validation Tools
Vendor/OEM: Symantec
License: Trialware
Official Website: https://www.broadcom.com/products/endpoint-management/ghost-solutions-suite
Description:
Ghost Solution Suite 1.1 is a bundle of an updated version of Ghost, Symantec Client Migration (a user data and settings migration tool) and the former PowerQuest equivalent, DeployCenter (using PQI images). Ghost Solution Suite 1.1 was released in December 2005. It can create an image file that is larger than 2 GB. (In Ghost 8.2 or earlier, such image files are automatically split into two or more segments, so that each segment has a maximum size of 2 GB.) Other new features include more comprehensive manufacturing tools and the ability to create a "universal boot disk".
Operating Platform: Windows
Address:

Safeback

Tool Name: Safeback
Category: Imager and Validation Tools
Vendor/OEM: Safeback
License: Commercial
Official Website: http://www.forensics-intl.com
Description:
Safeback is a DOS-based utility for backing up, verifying, and restoring hard disks. Safeback was written by Chuck Guzis at Sydex around 1991 and was designed from scratch as an evidence-processing tool. It has since become a law enforcement standard.
Operating Platform: Windows
Address:

ProDiscover Incident Response (IR)

Tool Name: ProDiscover Incident Response (IR)
Category: Imager and Validation Tools
Vendor/OEM: ProDiscover
License: Commercial
Official Website: https://prodiscover.com/prodiscover-incident-response-ir
Description:
ProDiscover Incident Response (IR) can determine whether a system has been compromised and to what extent. Corporate network security personnel can take action in real time to protect systems under attack from malicious hackers and disgruntled employees.

Using ProDiscover IR, administrators can remotely monitor key servers to identify, neutralize, and prevent potential threats and breaches.
Operating Platform: Windows
Address: DotC Technologies Pvt Ltd., Level 3, Nirvanaz, Plot No 240, Road No. 36, Jubilee Hills, Hyderabad - 500033, Telangana, India

X-Ways Forensics (XWF)

Tool Name: X-Ways Forensics (XWF)
Category: Imager and Validation Tools
Vendor/OEM: X-Ways
License: Commercial
Official Website: https://www.x-ways.net/forensics/
Description:
X-Ways Forensics is an advanced work environment for computer forensic examiners and the vendor's flagship product. It runs under Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016/2019/11*, 32-bit/64-bit, standard/PE/FE. According to the vendor, X-Ways Forensics is more efficient to use after a while, far less resource-hungry, often runs much faster, finds deleted files and search hits that competitors miss, offers many features that others lack, as a German product is potentially more trustworthy, comes at a fraction of the cost, has no excessive hardware requirements, and does not depend on setting up a complex database. X-Ways Forensics is fully portable and can run off a USB stick on any given Windows system without installation. It downloads and installs within seconds (just a few MB in size, not GB). X-Ways Forensics is based on the WinHex hex and disk editor and is part of a workflow model in which computer forensic examiners share data and collaborate with investigators who use X-Ways Investigator.
Operating Platform: Windows
Address:

DriveSpy

Tool Name: DriveSpy
Category: Imager and Validation Tools
Vendor/OEM:
License: Freeware
Official Website: https://digitalintelligence.com/
Description:
DriveSpy allows forensic examiners to direct information from one sector range to another. It creates direct disk-to-disk forensic duplicates, processes duplicate drives using both physical drive geometry and sector translation, and handles large hard drives, hard drives without partitions, slack space, unallocated space, etc.
Operating Platform: Windows
Address:

Forensic Replicator

Tool Name: Forensic Replicator
Category: Imager and Validation Tools
Vendor/OEM: Paraben
License: Freeware
Official Website: https://www.qbssoftware.com/forensic-replicator.html
Description:
Forensic Replicator is a bit-stream forensic image creation tool. Paraben Forensic Replicator is a Windows-based bit-stream imaging tool that gives you the flexibility you need for creating forensic-grade, bit-by-bit images of hard drives and media. Forensic Replicator can image any media that mounts as a drive in Windows, including floppy disks, and can create ISO and VHD images. Forensic Replicator also supports the most popular write blockers, so your image creation report will show whether a write blocker was used when creating the image.
• Supported Image Formats:
  o PFR Images
  o Raw Images
  o Fixed Size VHD Images
  o Dynamically Expanding VHD Images
• SHA1 Hash Value Calculation
• DoD Standard Media Wiping
• Drive to Drive Image Option
• Preview Image Files
• Encrypt Images
• Split Images to Specific Sizes
• Compress Images to Save Space
• Restore Images to Physical Drive
• Create Self Extracting Files
Operating Platform: Windows
Address:

SMART Acquisition Workshop (SAW)

Tool Name: SMART Acquisition Workshop (SAW)
Category: Imager and Validation Tools
Vendor/OEM:
License:
Official Website:
Description:
SMART Acquisition Workshop (SAW) is the data acquisition component of a case management framework optimized to deliver outstanding performance and benefits in large, complex data forensic investigations.
Operating Platform:
Address:

WinHex

Tool Name: WinHex
Category: Hex and Disk Editor
Vendor/OEM: X-Ways
License: Freeware/Commercial
Official Website: https://x-ways.net/winhex/
Description:
This is a Windows-based universal hexadecimal editor and disk management utility from X-Ways Software Technology. It is used to recover lost or damaged files and to edit disk contents.
WinHex can natively interpret and show the directory structure on FAT, NTFS, Ext2/3, Reiser, CDFS, and UDF media and image files. It performs safe recoveries on hard disks, memory cards, flash disks, floppy disks, ZIP, JAZ, CDs, DVDs, and more. It incorporates several automated file recovery mechanisms and allows data to be recovered manually in a convenient way. WinHex provides sophisticated, flexible and very fast simultaneous search functions that can be used to scan entire media (or image files), including slack, for deleted files, hidden data and more. Via physical access, this can be accomplished even if a volume is undetectable by the operating system, e.g. due to an unknown or corrupt file system.
Operating Platform: Windows
Address: X-Ways AG, PO box 62 02 08, 50695 Cologne, Germany

Forensic Tool for Integrity Verification and Hashing

HashMyFiles

Tool Name: HashMyFiles
Category: Integrity Verification and Hashing
Vendor/OEM:
License: Freeware
Official Website:
Description:

Operating Platform:
Address:

HashCalc

Tool Name: HashCalc
Category: Integrity Verification and Hashing
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

CRCMD5

Tool Name: CRCMD5
Category: Integrity Verification and Hashing
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

DiskSig

Tool Name: DiskSig
Category: Integrity Verification and Hashing
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

MD5summer

Tool Name: MD5summer
Category: Integrity Verification and Hashing
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Forensic Tools for Data Recovery

Recuva

Tool Name: Recuva
Category: Data Recovery
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Byte Back

Tool Name: Byte Back
Category: Data Recovery
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

MiniTool Power Data Recovery

Tool Name: MiniTool Power Data Recovery
Category: Data Recovery
Vendor/OEM:
License: Free
Official Website: https://www.minitool.com
Description:
MiniTool Power Data Recovery, free and read-only data recovery software, can help recover deleted, formatted or lost data from hard drives, SSDs, USB drives, memory cards and other storage devices easily and quickly. The free data recovery software offers 4 recovery modules for all data loss situations. For accidental deletion or formatting of files and partitions, virus attacks, and damaged discs or media storage devices, MiniTool Power Data Recovery offers a neatly structured set of utilities capable of dealing with any of these situations in a straightforward and efficient way.
Operating Platform: Windows
Installation Requirement: Windows XP, Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2003, Windows Server 2008 (R2), Windows Server 2012
Features and Capabilities:
• Clear and intuitive interface
• Neatly structured recovery options
• Fast scan processes
• Clear scanning reports
• Various file preview options
• An on-premise solution that helps recover deleted files, folders, and digital media from lost/damaged partitions
• MiniTool Power Data Recovery not only recovers data from hard disks and RAID devices, but also supports recovering data from CDs, DVDs, memory cards, memory sticks, and flash drives

IsoBuster

Tool Name: IsoBuster
Category: Data Recovery
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Stellar Data Recovery

Tool Name: Stellar Data Recovery
Category: Data Recovery
Vendor/OEM: EaseUS
License: Free
Official Website: https://www.easeus.com/
Description:
Stellar Data Recovery Software for Windows covers various data loss situations to help you get your data back. This Windows data recovery software provides advanced recovery options to easily and seamlessly recover valuable data from any storage media.
Operating Platform: Windows
Installation Requirement: Windows XP, Windows 2000, Windows 7, Windows Vista, Windows 2003, Windows 8.1, Windows 10, Windows 8
Features and Capabilities:
• Supports unlimited file types such as documents, photos, etc.
• Recovers data from inaccessible and RAW drive volumes.
• Restores from any storage media such as HDD, SSD, USB flash, etc.
• Recovery from formatted systems and encrypted or corrupted drives.
• Supports all data loss situations such as corruption and virus attack.
• 100% accurate, reliable and efficient data recovery software (vendor's claim).

PhotoRec

Tool Name: PhotoRec
Category: Data Recovery Software
Vendor Name: cgsecurity
Official Website: https://www.cgsecurity.org/
Description:
PhotoRec is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (hence the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.
Operating Platform: DOS/Windows 9x, Windows 10/8.1/8/7/Vista/XP, Windows Server 2016/2012/2008/2003, Linux, FreeBSD, NetBSD, OpenBSD, Sun Solaris, Mac OS X
Recovery Functionality:
PhotoRec ignores the file system; this way it works even if the file system is severely damaged. It can recover lost files from at least:
• FAT
• NTFS
• exFAT
• ext2/ext3/ext4 filesystems
• HFS+
Address: Le Perreux sur Marne (near Paris), France

EaseUS Data Recovery

Tool Name: EaseUS Data Recovery
Category: Data Recovery
Vendor/OEM: EaseUS
License: Commercial
Official Website: https://www.easeus.com/
Description:
EaseUS Data Recovery is one of the best-known and most widely used system tuning and utility tools on the market today for Windows and macOS. It helps you recover lost or corrupted data from hard drives, memory cards, mobile phones, or any other device. With this tool, you can easily retrieve lost data from any device in all formats in just a few steps. If the amount of lost data is less than 2 GB, the tool can be used for free.
Operating Platform: Windows
Installation Requirement: Windows XP, Windows 2000, Windows 7, Windows Vista, Windows 2003, Windows 8.1, Windows 10, Windows 8
Features and Capabilities:
• Bug fixes for more effective and stable data recovery.
• Simplified scanning process for a much easier data recovery experience.
• Capable of quickly getting back all deleted, formatted, and inaccessible RAW files on Windows XP/Vista/2003/2008/7/8/10.
• Scans deeper into storage media devices than any other data recovery software on the market, which the vendor claims guarantees results.
• Even if your whole partition is missing or cannot be recognized by the system, your data is still recoverable.

Forensic Tools for RAM Analysis

Volatility

Tool Name: Volatility
Category: Memory Forensics
Vendor/OEM: Volatility Foundation
License: Open Source
Official Website: https://www.volatilityfoundation.org/releases
Description:
This is an open source suite of programs for analyzing RAM, with support for Windows, Linux and Mac operating systems. It can analyze raw, crash, VMware and VirtualBox dumps without issues.
Operating Platform: Windows/Linux/Mac
Features and Capabilities:
• A single, cohesive framework analyzes RAM dumps from 32- and 64-bit Windows, Linux, Mac, and Android systems.
• It is open source (GPLv2), which means you can read it, learn from it, and extend it.
• It is written in Python, an established forensic and reverse engineering language with many libraries that can easily integrate into Volatility.
• Runs on Windows, Linux, or Mac analysis systems (anywhere Python runs), a refreshing break from other memory analysis tools that only run on Windows and require .NET installations and admin privileges just to open.
• Extensible and scriptable API gives you the power to go beyond and continue innovating.
• Unparalleled feature sets based on reverse engineering and specialized research.
• Comprehensive coverage of file formats: Volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), Expert Witness (EWF), and direct physical memory over FireWire.
• Fast and efficient algorithms let you analyze RAM dumps from large systems without unnecessary overhead or memory consumption.
• Serious and powerful community of practitioners and researchers who work in the forensics, IR, and malware analysis fields. It brings together contributors from commercial companies, law enforcement, and academic institutions around the world.

Rekall

Tool Name: Rekall
Category: Memory Forensics
Vendor/OEM: Rekall Forensic
License: Freeware
Official Website: http://www.rekall-forensic.com/
Description:
Rekall is an end-to-end solution for incident responders and investigators, and features both acquisition and analysis tools. It can be thought of as more of a forensic framework suite than a single application. Rekall is the only open source memory analysis tool that can work with the Windows page file and mapped files.
Operating Platform: Windows/Linux/Mac
Features and Capabilities:
• A repository containing profiles for the majority of operating systems
• The ability to examine dumps gathered from Windows, Linux, and Mac OS
• The ability to automatically detect profiles for Windows operating systems
• The ability to gather all the profiles you need for Linux systems manually, using the script stored on the official GitHub account

MemGator

Tool Name: MemGator
Category: Memory Forensics
Vendor/OEM: Orion Forensic
License: Freeware
Official Website: http://www.orionforensics.com/forensics-tools/
Description:
MemGator is a memory file analysis tool that automates the extraction of data from a memory file and compiles a report for the investigator. The framework brings together a number of tools such as the Volatility Framework, the Scalpel file carver and AESKeyFinder into one program.
Operating Platform: Windows
Features and Capabilities:
• Automated data extraction from memory files and report creation for investigators
• Automated execution of almost all the commands from the Volatility Framework
• Automatic selection of the right OS profile for all the Volatility commands
• Option for users to manually pick the OS profile if they prefer not to let the tool do it automatically
• Option to create reports in HTML
• Automated running of Scalpel, including carving for usernames and passwords for email and social media accounts, such as Gmail, Yahoo, and Facebook, and auto-filled form entries for the Chrome browser
Usage: Download and execute the .exe file

Mandiant's Memoryze

Tool Name: Mandiant's Memoryze
Category: Memory Forensics
Vendor/OEM: FireEye
License: Freeware
Official Website: https://www.fireeye.com/services/freeware/memoryze.html
Description:
Mandiant's Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on live systems, can include the paging file in its analysis.
Operating Platform: Windows, Mac
Features and Capabilities:
• Image the full range of system memory (not reliant on API calls).
• Image a process' entire address space to disk. This includes a process' loaded DLLs, EXEs, heaps and stacks.
• Image a specified driver or all drivers loaded in memory to disk.
• Enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
  o Report all open handles in a process (for example, all files, registry keys, etc.).
  o List all network sockets that the process has open, including any hidden by rootkits.
  o Specify the functions imported by the EXE and DLLs.
  o Specify the functions exported by the EXE and DLLs.
  o Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256; this is disk based).
  o Hash the EXE and DLLs in the process address space (this is a MemD5 of the binary in memory).
  o Verify the digital signatures of the EXE and DLLs (this is disk based).
  o Output all strings in memory on a per-process basis.
• Identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
  o Specify the functions the driver imports.
  o Specify the functions the driver exports.
  o Hash the driver (MD5, SHA1, SHA256; this is disk based).

Magnet RAM Capture

Tool Name: Magnet RAM Capture
Category: Memory Forensics
Vendor/OEM: Magnet Forensics
License: Freeware
Official Website: https://www.magnetforensics.com/resources/magnet-ram-capture/
Description:
MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a suspect's computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.
Operating Platform: Windows
Features and Capabilities:
• The tool has a small memory footprint, meaning investigators can run it while minimizing the data that is overwritten in memory.
• Captured memory data can be exported in raw (.DMP/.RAW/.BIN) format.
• Operating systems supported: Windows XP, Vista, 7, 8, 10, 2003, 2008, 2012 (32- and 64-bit support)
Usage: Download and execute the .exe file

WinPmem

Tool Name: WinPmem
Category: Memory Forensics
Vendor/OEM: Rekall Project
License: Freeware
Official Website: https://github.com/Velocidex/WinPmem/releases/tag/v4.0.rc1
Description:
WinPmem has been the default open source memory acquisition driver for Windows for a long time. It used to live in the Rekall project, but has recently been separated into its own repository.
Operating Platform: Windows
Features and Capabilities:
• Supports all Windows versions from WinXP SP2 to Windows 10 in both i386 and amd64 flavours.
• Raw memory images.
• ELF core dump files for use in Rekall.
• Output to stdout (in both the above formats) for piping through other tools (e.g. ssh, ewfacquirestream, etc.).
• Memory acquisition using:
  o the MmMapIoSpace method;
  o the \Device\PhysicalMemory and ZwMapViewOfSection method;
  o the PTE remapping technique (default).
• Direct analysis of the running kernel using Rekall (live memory analysis).
Usage: Download and execute the .exe file

dcfldd

Tool Name: dcfldd
Category: Memory Forensics
Vendor/OEM: Unix/Linux
License: Open Source
Official Website: https://github.com/adulau/dcfldd
Description:
dcfldd is an enhanced version of GNU dd with features useful for forensics and security. It is based on the dd program found in the GNU Coreutils package.
Operating Platform: Unix/Linux
Features and Capabilities:
• Hashing on-the-fly: dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
• Status output: dcfldd can update the user on its progress in terms of the amount of data transferred and how much longer the operation will take.
• Flexible disk wipes: dcfldd can be used to wipe disks quickly and with a known pattern if desired.
• Image/wipe verify: dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
• Multiple outputs: dcfldd can output to multiple files or disks at the same time.
• Split output: dcfldd can split output to multiple files with more configurability than the split command.
• Piped output and logs: dcfldd can send all its log data and output to commands as well as files natively.
Usage:
# dcfldd if=/dev/sda hash=md5,sha256 hashwindow=20G md5log=md5.txt bs=512 conv=noerror,sync of=sda.dd
Developer: Nicholas Harbour from the DoD Computer Forensics Laboratory (DCFL)

Helix3

Tool Name: Helix3
Category: Memory Forensics
Vendor/OEM: e-fense
License: Freeware/Paid
Official Website: https://www.e-fense.com/helix3pro.php
Description:
This is a bootable live CD as well as a standalone application that makes it very easy to capture a memory dump or memory image of a system. There are some risks associated with running it directly on a target system, namely an acquisition footprint, so make sure that it fits your requirements.
Operating Platform: Windows/Linux
Features and Capabilities:
• A multi-platform live side for three environments (Mac OS X, Windows and Linux) with one simple-to-use interface
• A bootable, forensically sound environment to boot any x86 system
• Several open source forensic applications to assist with data analysis, including cell phone analysis

LiME

Tool Name: LiME
Category: Memory Forensics
Vendor/OEM: 504ensicsLabs
License: Open Source
Official Website: https://github.com/504ensicsLabs/LiME
Description:
LiME (formerly DMD) is a Loadable Kernel Module (LKM) which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures on such devices.
Operating Platform: Linux
Features and Capabilities:
• Full Android memory acquisition
• Linux memory acquisition
• Acquisition over a network interface
• Minimal process footprint
• Hash of dumped memory
Usage:
sudo insmod lime-4.9.0-8-amd64.ko "path=/media/external/dump.mem format=lime"

Forensic Tools for Registry Analysis

Regshot

Tool Name: Regshot
Category: Registry Analysis
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

RegRipper

Tool Name: RegRipper
Category: Registry Analysis
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Forensic Tools for Encryption/Decryption

VeraCrypt

Tool Name: VeraCrypt
Category: Encryption/Decryption
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Encrypted Disk Detector

Tool Name: Encrypted Disk Detector
Category: Encryption/Decryption
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Forensic Tools for Password Recovery

Passware Kit Forensic

Tool Name: Passware Kit Forensic
Category: Password Recovery
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Elcomsoft

Tool Name: Elcomsoft
Category: Password Recovery
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Ophcrack

Tool Name: Ophcrack
Category: Password Recovery
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Forensic Tools for Analysing Network

Wireshark

Tool Name: Wireshark
Category: Network Forensics
Sub-Category: Ethernet/WiFi
Vendor Name: Wireshark org.
Official Website: https://www.wireshark.org/
Description:
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.
There is also a terminal-based (non-GUI) version called TShark.
Operating Platform: Windows/OSX/Linux/Unix/BSD/Solaris
Installation Requirement: Windows 7 and above, OSX 11 and above, Linux 16 and above
Features:
• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
Original Author: Gerald Combs
License Type: Free

Packet Tracer

Tool Name: Packet Tracer
Category: Network Analysis
Vendor/OEM:
License:
Official Website:
Description:

Operating Platform:
Address:

Kismet

Tool Name: Kismet
Category: Network Forensics
Sub-Category: WiFi
Vendor Name: KISMET
Official Website: https://kismetwireless.net
Description:
Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.
Kismet works with Wi-Fi interfaces, Bluetooth interfaces, some SDR (software defined radio) hardware like the RTL-SDR, and other specialized capture hardware.
Operating Platform: Windows/OSX/Linux
Installation Requirement:
• Windows 7 and above
• OSX 11 and above
• Linux 16 and above
Acquisition Functionality:
• Wi-Fi interfaces
• Bluetooth interfaces
• SDR (Software Defined Radio)
• Hardware like the RTL-SDR, etc.
Analysis Functionality:
• Wireless network and device detector
• Sniffer
• Wardriving tool
• WIDS (wireless intrusion detection)
Category/License: Free/Open Source

NetworkMiner

Tool Name: NetworkMiner
Category: Network Forensics
Sub-Category: WiFi
Vendor Name: NETWORKMINER
Official Website: https://www.netresec.com/?page=NetworkMiner
Description: NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) which can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for offline analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing extracted artifacts in an intuitive user interface. The way data is presented not only makes the analysis simpler, it also saves valuable time for the analyst or forensic investigator.
Operating Platform: Windows/OSX/Linux
Installation Requirement:
• Windows 7 and above
• OSX 11 and above
• Linux 16 and above
• FreeBSD
Supported Protocols:
• FTP (File Transfer Protocol)
• TFTP (Trivial File Transfer Protocol)
• HTTP (Hypertext Transfer Protocol)
• SMB (Server Message Block)
• SMB2 (Server Message Block Protocol Version 2)
• SMTP (Simple Mail Transfer Protocol)
• POP3 (Post Office Protocol 3)
• IMAP (Internet Message Access Protocol)
License Type: Free/Professional

OpenVPN

Tool Name: OpenVPN
Category: Network Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Network Mapper

Tool Name: Network Mapper
Category: Network Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Firewalk

Tool Name: Firewalk
Category: Network Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Tripwire

Tool Name: Tripwire
Category: Network Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Snort

Tool Name: Snort
Category: Network Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

NetAnalysis

Tool Name: NetAnalysis
Category: Network Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Forensic Tools for Metadata Processing

PhotoMe

Tool Name: PhotoMe
Category: Encryption/Decryption
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Metadata Assistant

Tool Name: Metadata Assistant
Category: Encryption/Decryption
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Forensic Tools for Mobile Devices

Cellebrite UFED 4PC

Tool Name: Cellebrite UFED 4PC
Category: Mobile Forensics
Sub-Category: Android and iOS
Vendor/OEM: Cellebrite
License and Tool Type: Commercial/Forensic Software + Physical Key
Official Website: https://www.cellebrite.com/en/home/
Description: UFED 4PC is available with either an Ultimate or Logical offering. UFED 4PC Ultimate enables physical, file system, and logical extractions of intact and deleted data, and passwords. It comes with the UFED Physical Analyzer for in-depth analysis and decoding. UFED 4PC Logical enables fast and simplified logical and password extractions. It comes with the UFED Logical Analyzer for easy analysis and reporting.
Operating Platform: Windows
Acquisition Functionality:
• SIM Card Reading and Cloning
• Secure XRY file with forensic log
• Hash Algorithms
• Selective Extraction of Data
Analysis Functionality:
• Mobile Device Logical and Physical Examinations
• Tablet & GPS Devices Examinations
• Memory Card Logical and Physical Examinations
• File Signature Analysis
Address:
Cellebrite Ltd.
94 Em Hamoshavot St.
Petah Tikva 49130
Israel
Tel: +972 3 926 0900
Fax: +972 3 924 7104

RAVEN

Tool Name: RAVEN
Category: Mobile Forensics
Sub-Category: Android
Vendor/OEM: MSAB
License: Commercial
Official Website: https://raven.msab.com/, https://www.msab.com/download/13550/english/72312/msab-raven-en.pdf
Description: Raven is an innovative, highly portable mobile device triage toolset designed for operators in the field who need to quickly extract data from mobile devices to make quick informed decisions. Raven's capabilities, ease of use and minimal effect on personal equipment load make it ideal for discreet operations.
Operating Platform: Windows
Installation Requirement:
• Intel 6th Generation (Core i3 or above) or equivalent, 8 GB RAM minimum
• 4 GB of hard-disk space required for XRY program installation
• 256 GB HDD for data storage minimum, 500 GB or more recommended
• 2 USB ports minimum, 3 or more recommended
• Windows 8 or 10 (64 bit)
• Microsoft .NET Framework 4.7
• Minimum screen resolution: 1600×900 pixels
Acquisition Functionality:
• SIM Card Reading and Cloning
• Secure XRY file with forensic log
• Hash Algorithms
• Selective Extraction of Data
Analysis Functionality:
• Mobile Device Logical and Physical Examinations
• Tablet & GPS Devices Examinations
• Memory Card Logical and Physical Examinations
• File Signature Analysis
Address (Postal Address HQ):
Box 17111
SE-104 62 Stockholm
Sweden

XRY

Tool Name: XRY
Category: Mobile Forensics
Sub-Category: Android and iOS Mobiles
Vendor/OEM: MSAB
License: Commercial (Forensic Software + Physical Key)
Official Website: https://www.msab.com/
Description: XRY is a digital forensics and mobile device forensics product by the Swedish company Micro Systemation used to analyze and recover information from mobile devices such as mobile phones, smartphones, GPS navigation tools and tablet computers.
Operating Platform: Windows
Installation Requirement:
• Intel 6th Generation (Core i3 or above) or equivalent, 8 GB RAM minimum
• 4 GB of hard-disk space required for XRY program installation
• 256 GB HDD for data storage minimum, 500 GB or more recommended
• 2 USB ports minimum, 3 or more recommended
• Windows 8 or 10 (64 bit)
• Microsoft .NET Framework 4.7
• Minimum screen resolution: 1600×900 pixels
Acquisition Functionality:
• SIM Card Reading and Cloning
• Secure XRY file with forensic log
• Hash Algorithms
• Selective Extraction of Data
Analysis Functionality:
• Mobile Device Logical and Physical Examinations
• Tablet & GPS Devices Examinations
• Memory Card Logical and Physical Examinations
• File Signature Analysis
Address (Postal Address HQ):
Box 17111
SE-104 62 Stockholm
Sweden

ACESO

Tool Name: ACESO
Category: Mobile Forensics
Sub-Category: Android and iOS Mobiles
Vendor/OEM: MSAB
License and Tool Type: Commercial (Forensic Software + Hardware)
Official Website: https://radio-tactics.com/
Description: Radio Tactics is a UK-based company focused on mobile forensics products, offering self-designed hardware modules together with software packages. Only trained personnel are able to use their products.
Operating Platform: Windows
Acquisition Functionality:
• Handset Access Card creation
• Blocks network access for all SIM and USIM cards
• Prevents overwrite of existing data
• SIM/USIM Acquisition
• Dual mode also supported
• Handset Acquisition
• 350 Supported Handsets including Blackberry and Symbian
• 1000+ handsets data acquired with Generic Acquisition
• Data types supported: contacts, SMS, MMS, call registers, calendar, file system
• Memory Card Acquisition
• Raw bit-for-bit image
• File system
Analysis Functionality:
• Integrated Analysis Suite for report previewing and burning to disc for the evidential file
• Addresses the need for real-time examination and delivers results at the point and time of need

MOBILedit

Tool Name: MOBILedit
Category: Mobile Forensics
Sub-Category: Android and iOS
Vendor/OEM: Compelson
License/Tool Type: Commercial/Forensic Software + Physical Key
Official Website: https://www.mobiledit.com/
Description: MOBILedit Forensic Express is a phone and cloud extractor, data analyzer and report generator all in one solution. A powerful 64-bit application using both the physical and logical data acquisition methods, MOBILedit is excellent for its advanced application analyzer, deleted data recovery, live updates, wide range of supported phones including most feature phones, fine-tuned reports, concurrent phone processing, and easy-to-use user interface. With the password and PIN breaker you can gain access to locked ADB or iTunes backups with GPU acceleration and multi-threaded operations for maximum speed.
Operating Platform: Windows
Features and Acquisition Functionality:
• Large quantity of phones supported
• Frequent updates and upgrades with new features and more phones
• Direct SIM analyzer through SIM readers
• Reads deleted messages from the SIM card
• Reports Generator based on your templates
• Print reports ready for courtroom
• Reports generated in any language
• Make backup now and reports when needed
• Manual investigation mode
• Secure and tamper-proof using MD5 hash
• Compliant with Word or any other RTF editor
• View formatted reports in browser including original pictures
• Exports to Word, Excel/XLS, browser, XML/XSL
Address:
COMPELSON Labs
Jankovcova 1569/2c
170 00, Prague 7
Czech Republic
European Union
Phone: +420 601 07 07 07

Oxygen Forensic Suite

Tool Name: Oxygen Forensic Suite
Category: Mobile Forensics
Sub-Category: Android and iOS
Vendor/OEM: Oxygen Forensics
License/Tool Type: Commercial/Forensic Software + Physical Key
Official Website: https://www.oxygen-forensic.com/en/
Description: Oxygen Forensics Suite is a forensic software that is used to acquire data from almost all kinds of mobile devices, their backups and images, SIM card data, messenger logs, and cloud storage. Oxygen Forensics Suite is used by a large number of criminal investigation agencies, law enforcement agencies, army departments, customs, and other major government sectors to investigate digital attacks involving smartphones, IoT devices, drones, smart-watches, etc. It supports a variety of devices and manufacturers and can be used for many purposes. The current version of Oxygen Forensics Suite supports 25000+ mobile devices that could be running any kind of operating system like Windows, Android, iOS, Qualcomm chipsets, BlackBerry, Nokia, MTK, etc.
Operating Platform: Windows 8 and above
Features and Acquisition Functionality:
• Phone basic information and SIM-card data
• Contacts list (including mobile, wireline, fax numbers, postal addresses, contact photos and other contact information)
• Missed/Outgoing/Incoming calls
• SIM card data
• Caller Groups information
• Organizer (calendar meetings, appointments, memos, call reminders, anniversaries and birthdays, to-do tasks)
• Text notes
• SMS Messages (messages, log, folders, deleted messages with some restrictions)
• Multimedia Messages (log only)
• E-mail Messages (e-mails log and folders)
• GPRS, EDGE, CSD, HSCSD and Wi-Fi traffic and sessions log
• Photos and gallery images

Magnet Axiom

Tool Name: Magnet Axiom
Category: Digital Storage Media Forensics, Media Forensics, Cloud Forensics
Vendor/OEM: Magnet Forensics
License/Tool Type: Commercial/Forensic Software + Physical Key
Official Website: https://www.magnetforensics.com/products/magnet-axiom/
Description: Magnet AXIOM is a comprehensive, integrated digital forensics platform. It's the only platform that acquires and processes computer, smartphone, and cloud data in a single case file.
Magnet AXIOM has two components: AXIOM Process and AXIOM Examine. Depending on your license, using AXIOM Process, you can acquire forensic images, load existing images, and run scans on those images all from the same interface. After processing is complete, you can review the evidence in AXIOM Examine.
Operating Platform: Windows

BitPim

Tool Name: BitPim
Category: Mobile Forensics
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Mobile Phone Examiner Plus

Tool Name: Mobile Phone Examiner Plus
Category: Mobile Forensics
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

SIMCon

Tool Name: SIMCon
Category: Mobile Forensics
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

AFLogical

Tool Name: AFLogical
Category: Mobile Forensics
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Forensic Tools for Email Analysis

Aid4Mail

Tool Name: Aid4Mail
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Digital Forensics Framework (DFF)

Tool Name: Digital Forensics Framework (DFF)
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

eMailTrackerPro

Tool Name: eMailTrackerPro
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Paraben Email Examiner

Tool Name: Paraben Email Examiner
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

EmailTracer

Tool Name: EmailTracer
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Adcomplain

Tool Name: Adcomplain
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

MailXaminer

Tool Name: MailXaminer
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

AbusePipe

Tool Name: AbusePipe
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Internet Evidence Finder (IEF)

Tool Name: Internet Evidence Finder (IEF)
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

FINALeMail

Tool Name: FINALeMail
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Forensics Investigation Toolkit (FIT)

Tool Name: Forensics Investigation Toolkit (FIT)
Category: Email Analysis
Vendor/OEM:
License:
Official Website:
Description:
Operating Platform:
Address:

Forensic Tools for Social Media Analysis

HTTrack

Tool Name: HTTrack
Category: Social media analysis
Sub-Category: Website analysis
Vendor/OEM: HTTrack
License: Freeware
Official Website: http://www.httrack.com/
Description: HTTrack is a free (GPL, libre/free software) and easy-to-use offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.
Installation System Requirement: OS: Linux, OSX, Windows, Android
Features and Acquisition Functionality:
• HTTrack uses a Web crawler to download a website
• Acquire/Clone the complete suspected website
• Stores the acquired website to the local directory
• Recommended only for small scale websites

X1 Social Discovery

Tool Name: X1 Social Discovery
Category: Social media Forensics
Vendor/OEM: X1
License/Tool Type: Commercial/Forensic Software
Official Website: https://www.x1.com/
Description: X1 Social Discovery™ is the industry-leading solution for law enforcement, law firms or legal consultants who need to collect and search data from social networks and the internet.
Installation System Requirement:
• OS: Windows 10
• Software: Internet Explorer, Microsoft .NET Framework 4.5.2 or later, Windows Media Player
Features and Acquisition Functionality:
• Collect from multiple social media platforms simultaneously
• Preserves critical metadata
• Single user interface designed specifically for social media data review
• Export to multiple formats
• Court-validated MD5 authentication
• Pending patent for web page authentication
Analysis Functionality: X1 Social Discovery is designed to address social media content from the leading social media networking sites, websites and email including:
• Web pages & websites
• Facebook
• Twitter
• Instagram
• YouTube
• Tumblr
• Gmail
• YahooMail
• Outlook.com
• AOL Mail
• Internet Message Access Protocol (IMAP)
Address:
617 W 7th St, 6th Floor
Los Angeles, CA 90017
