Unix-based Free & Open Source Forensics Tools
Following is a list of free and open source tools. Please note open source tools refer to the availability of source code which allows the user flexibility to modify and/or improve the product as per their requirements. Open source tools are usually free to use and modify however certain limitations may apply based on their corresponding license requirements.
Free on the other hand refer to the freedom of use for a certain tool for free but it does not necessarily expose the source code in contrast to the open source tools. Similar to open source tools, the freedom of use for free tools is also governed by their corresponding licenses.
It is, therefore, always recommended to check any license implications before employing any tool as part of your security strategy.
Freeware and Open Source Forensics Tools
Digital Evidence Acquisition
dd: The oldest imaging tool, also known as GNU dd.
dcfldd: An enhanced version of GNU dd.
dc3dd: Patched version of GNU dd with added features for computer forensics.
ddrescue: Raw disk imaging tool that copies data from one file or block device to another, trying hard to rescue data in case of read errors.
libewf: Library to access the Expert Witness Compression Format (EWF). It contains the following tools:
- ewfacquire: Writes storage media data from devices and files to EWF files.
- ewfacquirestream: Writes data from stdin to EWF files.
- ewfdebug: Experimental tool does nothing at the moment.
- ewfexport: Exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
- ewfrecover: Special variant of ewfexport to create a new set of EWF files from a corrupt set.
- ewfinfo: Shows the metadata in EWF files.
- Ewfmount: FUSE mounts EWF files.
- ewfverify: Verifies the storage media data in EWF files.
The libewf package also contains the following bindings:
- ewf.net: Bindings for .Net
- pyewf: Bindings for Python
afflib: Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata
Mounting Disk Images
mount: Used to mount disks
md5deep: Suite of cross platform tools to compute and audit hashes for any number of input files. It supports also SHA-1, Tiger and Whirpool.
The Sleuth Kit: Collection of UNIX-based command line tools that allow you to investigate a computer. Some of the tools included are:
blkcat: Used to output the contents of a specific data unit in a file system. It takes a data unit address as input and outputs the contents to STDOUT. It used to be called dcat.
blkls: blkls lists details about file system data units. In its default mode, it outputs the unallocated data unit contents to STDOUT. It can also list the details about which are allocated and which are not. It used to be called dls.
blkcalc: Used to map between the output of blkls and the original file system data units. blkls can be used to extract the unallocated data units from a file system. Once data is found in the unallocated data though, you may want to know where the data was in the original file system. blkcalc is used for that. blkcalc used to be called dcalc.
Icat: Outputs the contents of a file in a disk image to STDOUT. It is similar to cat on a local file, but it takes a meta data structure address as input instead of a file name.
Ils: Lists details about a range of meta data structures in a file system. Its output is in a delimited format that can be further processed.
Istat: Displays details about a specific meta data structure.
log2timeline: Provide a framework to parse various log files and artifacts found on suspect systems. The tool contains timescanner and glog2timeline.
galleta and pasco: Internet Explorer Cookie Forensic Analysis Tool.
rifiuti: Recycle Bin Forensic Analysis Tool.
antiword: Application used to display text and graphics document in Microsoft Word.
exiftool: Perl library and a command-line tool that can be used for reading and writing metadata in files.
recover_deleted_registry_keys.pl: Recover unallocated keys and key slack from a registry hive.
regripper: Extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.
Volatility: Collection of tools, implemented in Python under the GNU General Public License (GPL v2), for the extraction of digital artifacts from volatile memory (RAM) samples.
Pdgmail: Gmail memory forensics.
Pdymail: Yahoo memory forensics.
Foremost: Recovering deleted files – this tool served as the basis for the more modern tool, Scalpel.
Magicresuce: Scans a block device for file types it knows how to recover and calls an external program to extract them.
testdisk: Primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table).
rapier: It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation.
scalpel: Recovering deleted data originally based on foremost.
Rar: Tool usedto extract, open and compress rar files.
Bzip: Tool used to extract, open and compress bzip files.
p7zip: Port of 7za.exe for POSIX systems like Unix, MacOS X.
Yara: It helps to identify and classify malware samples (based on textual or binary patterns).
Cuckoo: Malware analysis system (sandbox).
pdfid.py: PDF forensics tool that will quickly provide you an overview of a PDF files potential threats.
pdf‐parser.py: It identifies the fundamental elements used in the analyzed file.
GUI Forensics Analysis
Autopsy: Digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.
john: Password cracker available also for Windows.
bkhive: Dumps the syskey bootkey from Windows NT/2K/XP/Vista system hive.
samdump: Dumps the Windows NT/2K/XP/Vista password hashes.
ophcrack: Ophcrack is a free Windows password cracker based on rainbow tables.
Outguess: Steganographic tool that allows the insertion of hidden information into the redundant bits of data sources.
StegSecret: Detection of hidden information in different digital media.
Tcpdump: Command-line packet analyzer.
Wireshark: Network protocol analyzer for Unix and Windows.
p0f: Passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications.
ettercap: Suite for man in the middle attacks.
tcpreplay: It permits to replay the traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS.
socat: Relay for bidirectional data transfer between two independent data channels.
arping: Toolused to discover hosts on a computer network.
ngrep: pcap-aware tool that will allow you to specify extended regular expressions to match against data part of packets on the network.
Rdesktop: A Remote Desktop Protocol Client for accessing Windows Remote Desktop Services.
Sqlite: SQLite Database browser is a light GUI editor for SQLite databases, built on top of Qt.
dos2unix: Utility to convert text files with DOS or MAC line breaks to Unix line breaks and vice versa.