| Name | Version | Description |
|---|---|---|
| afflib | 3.7.19 | An extensible open format for the storage of disk images and related forensic information. |
| aimage | 3.2.5 | A program to create AFF images. |
| air | 2.0.0 | A GUI front-end to dd/dc3dd designed for easily creating forensic images. |
| analyzemft | 133.b6ed04f | Parse the MFT file from an NTFS filesystem. |
| autopsy | 4.21.0 | The forensic browser. A GUI for the Sleuth Kit. |
| bmap-tools | 3.7 | Tool for copying largely sparse files using information from a block map file. |
| bmc-tools | 25.c66a657 | RDP bitmap cache parser. |
| bulk-extractor | 1562.1c67a75 | Bulk email and URL extraction tool. |
| canari | 3.3.10 | Maltego rapid transform development and execution framework. |
| captipper | 74.3fb2836 | Malicious HTTP traffic explorer tool. |
| casefile | 1.0.1 | The little brother to Maltego, without transforms; combines graph and link analysis to examine links between manually added data and mind-map your information. |
| chaosmap | 1.3 | An information gathering tool and DNS / WHOIS / web server scanner. |
| chntpw | 140201 | Offline NT Password Editor: resets passwords in a Windows NT SAM user database file. |
| chromefreak | 24.12745b1 | A cross-platform forensic framework for Google Chrome. |
| dc3dd | 7.2.646 | A patched version of dd that includes a number of features useful for computer forensics. |
| dcfldd | 1.7.1 | DCFL (DoD Computer Forensics Lab) dd replacement with hashing. |
| ddrescue | 1.28 | GNU data recovery tool. |
| dfir-ntfs | 1.1.18 | An NTFS parser for digital forensics & incident response. |
| dftimewolf | 725.5637f40e | Framework for orchestrating forensic collection, processing and data export. |
| disitool | 0.4 | Tool to work with the digital signatures of Windows executables. |
| dmde | 3.8.0.790 | Disk editor and data recovery software. |
| dmg2img | 1.6.7 | A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format. |
| dshell | 142.695c891 | A network forensic analysis framework. |
| dumpzilla | 03152013 | A forensic tool for Firefox. |
| eindeutig | 20050628_1 | Examine the contents of Outlook Express DBX email repository files (forensic purposes). |
| emldump | 0.0.11 | Analyze MIME files. |
| evtkit | 8.af06db3 | Fix acquired .evt Windows Event Log files (forensics). |
| exiflooter | 39.0c9535f | Find geolocation on all image URLs and directories; also integrates with OpenStreetMap. |
| extractusnjrnl | 7.362d4290 | Tool to extract the $UsnJrnl from an NTFS volume. |
| firefox-decrypt | 1.1.1.r3.g2a163fa | Extract passwords from Mozilla Firefox, Waterfox, Thunderbird and SeaMonkey profiles. |
| foremost | 1.5.7 | A console program to recover files based on their headers, footers and internal data structures. |
| fridump | 23.3e64ee0 | A universal memory dumper using Frida. |
| galleta | 20040505_1 | Examine the contents of IE's cookie files for forensic purposes. |
| grokevt | 0.5.0 | A collection of scripts built for reading Windows® NT/2K/XP/2K eventlog files. |
| guymager | 0.8.13 | A forensic imager for media acquisition. |
| imagemounter | 413.383b30b | Command line utility and Python package to ease the (un)mounting of forensic disk images. |
| indx2csv | 17.129a411e | An advanced parser for INDX records. |
| indxcarver | 5.dee36608 | Carve INDX records from a chunk of data. |
| indxparse | 198.a977192 | A tool suite for inspecting NTFS artifacts. |
| interrogate | 5.eb5f071 | A proof-of-concept tool for identifying cryptographic keys in binary material (regardless of target operating system), first and foremost for memory dump analysis and forensic usage. |
| iosforensic | 1.0 | iOS forensic tool. https://www.owasp.org/index.php/Projects/OWASP_iOSForensic |
| ipba2 | 95.c03bd85 | iOS backup analyzer. |
| iphoneanalyzer | 2.1.0 | Allows you to forensically examine or recover data from an iOS device. |
| lazagne | 872.3ed06c7 | An open source application used to retrieve lots of passwords stored on a local computer. |
| ldsview | 47.d8bfcaa | Offline search tool for LDAP directory dumps in LDIF format. |
| lfle | 24.f28592c | Recover event log entries from an image by heuristically looking for record structures. |
| libfvde | 207.03f12f5 | Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes. |
| limeaide | 305.ce3c9b7 | Remotely dump RAM of a Linux client and create a Volatility profile for later analysis on your local host. |
| log-file-parser | 60.c7a0ae7e | Parser for $LogFile on NTFS. |
| loki-scanner | 1227.0dc990b | Simple IOC and incident response scanner. |
| mac-robber | 1.02 | A digital investigation tool that collects data from allocated files in a mounted file system. |
| magicrescue | 1.1.9 | Find and recover deleted files on block devices. |
| make-pdf | 0.1.7 | This tool will embed JavaScript inside a PDF document. |
| malheur | 0.5.4 | A tool for the automatic analysis of malware behavior. |
| maltego | 4.8.0 | An open source intelligence and forensics application that makes it easy to gather information about DNS, domains, IP addresses, websites, persons, etc. |
| malwaredetect | 0.1 | Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware. |
| mboxgrep | 0.7.9 | A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats. |
| mdbtools | 738.823b32f | Utilities for viewing data and exporting schema from Microsoft Access Database files. |
| memdump | 1.01 | Dumps system memory to stdout, skipping over holes in memory maps. |
| memfetch | 0.05b | Dumps any userspace process memory without affecting its execution. |
| mft2csv | 40.164eb224 | Extract $MFT record info and log it to a CSV file. |
| mftcarver | 9.7bfcc0a2 | Carve $MFT records from a chunk of data (for instance a memory dump). |
| mftrcrd | 16.35c3ac2f | Command line $MFT record decoder. |
| mftref2name | 6.7df9eebb | Resolve file index number to name or vice versa on NTFS. |
| mimipenguin | 152.880a427 | A tool to dump the login password of the current Linux user. |
| mobiusft | 1.12 | An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. |
| mp3nema | 0.4 | A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise known as "out of band" data. |
| mxtract | 90.0b34376 | Memory extractor & analyzer. |
| myrescue | 0.9.8 | A hard disk recovery tool that reads undamaged regions first. |
| naft | 0.0.9 | Network Appliance Forensic Toolkit. |
| networkminer | 2.9 | A network forensic analysis tool for advanced network traffic analysis; sniffer and packet analyzer. |
| nfex | 2.5 | A tool for extracting files from the network in real time or post-capture from an offline tcpdump pcap savefile. |
| ntdsxtract | 34.7fa1c8c | Active Directory forensic framework. |
| ntfs-file-extractor | 6.f2b23d72 | Extract files off NTFS. |
| ntfs-log-tracker | 1.6 | Parses $LogFile and $UsnJrnl of NTFS. |
| parse-evtx | 3.a4b02b9 | A tool to parse the Windows XML Event Log (EVTX) format. |
| pasco | 20040505_1 | Examines the contents of Internet Explorer's cache files for forensic purposes. |
| pcapxray | 274.1721645 | A network forensics tool to visualize a packet capture offline as a network diagram, including device identification, highlighting of important communication and file extraction. |
| pdblaster | 4.fc8abb3 | Extract PDB file paths from large sample sets of executable files. |
| pdf-parser | 0.7.9 | Parses a PDF document to identify the fundamental elements used in the analyzed file. |
| pdfbook-analyzer | 2 | Utility for Facebook memory forensics. |
| pdfid | 0.2.8 | Scan a file to look for certain PDF keywords. |
| pdfresurrect | 0.12 | A tool aimed at analyzing PDF documents. |
| peepdf | 0.4.2 | A Python tool to explore PDF files in order to find out whether the file can be harmful or not. |
| perl-image-exiftool | 12.97 | Reader and rewriter of EXIF information that supports raw files. |
| pev | 0.81 | Command line tool for PE32/PE32+ file analysis. |
| powermft | 5.76574543 | Powerful command line $MFT record editor. |
| python2-peepdf | 0.4.2 | A Python tool to explore PDF files in order to find out whether the file can be harmful or not. |
| rcrdcarver | 5.54507d21 | Carve RCRD records ($LogFile) from a chunk of data. |
| recentfilecache-parser | 2.5e22518 | Python parser for the RecentFileCache.bcf on Windows. |
| recoverdm | 0.20 | Recover damaged CDs, DVDs and disks with bad sectors. |
| recoverjpeg | 2.6.3 | Recover JPEGs from damaged devices. |
| recuperabit | 77.c6f8678 | A tool for forensic file system reconstruction. |
| regipy | 2.2.2 | Library for parsing offline registry hives. |
| reglookup | 1.0.1 | Command line utility for reading and querying Windows NT registries. |
| regripper | 104.5bb3c86 | Open source forensic software used as a Windows Registry data extraction command line or GUI tool. |
| regrippy | 2.0.0 | Framework for reading and extracting useful forensics data from Windows registry hives. |
| rekall | 1409.55d1925f | Memory forensic framework. |
| replayproxy | 1.1 | Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file. |
| rifiuti2 | 0.7.0 | A rewrite of rifiuti, a great tool from the Foundstone folks for analyzing the Windows Recycle Bin INFO2 file. |
| rkhunter | 1.4.6 | Checks machines for the presence of rootkits and other unwanted tools. |
| safecopy | 1.7 | A disk data recovery tool to extract data from damaged media. |
| scalpel | 1.1687261 | A frugal, high performance file carver. |
| scrounge-ntfs | 0.9 | Data recovery program for NTFS file systems. |
| secure2csv | 10.119eefb0 | Decode security descriptors in $Secure on NTFS. |
| shadowexplorer | 0.9 | Browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service. |
| skypefreak | 33.9347a65 | A cross-platform forensic framework for Skype. |
| sleuthkit | 4.12.1 | File system and media management forensic analysis tools. |
| swap-digger | 51.4d18ce0 | A tool used to automate Linux swap analysis during post-exploitation or forensics. |
| tchunt-ng | 208.b8cf7fc | Reveal encrypted files stored on a filesystem. |
| tekdefense-automater | 88.42548cf | IP, URL and MD5 OSINT analysis. |
| testdisk | 7.2 | Checks and undeletes partitions; includes PhotoRec, a signature-based recovery tool. |
| thumbcacheviewer | 1.0.3.7 | Extract Windows thumbcache database files. |
| trid | 2.24 | A utility designed to identify file types from their binary signatures. |
| truehunter | 14.0a2895d | Detect TrueCrypt containers using a fast and memory-efficient approach. |
| undbx | 0.21.r3.g5e31c75 | Extract e-mail messages from Outlook Express DBX files. |
| unhide | 20220611 | A forensic tool to find processes hidden by rootkits, LKMs or by other techniques. |
| usbrip | 291.5093c84 | USB device artifacts tracker. |
| usnjrnl2csv | 29.1ecbddc | Parser for $UsnJrnl on NTFS. |
| usnparser | 4.1.5 | A Python script to parse the NTFS USN journal. |
| vinetto | 0.07beta | A forensics tool to examine Thumbs.db files. |
| vipermonkey | 1160.511ecd5 | A VBA parser and emulation engine to analyze malicious macros. |
| volafox | 143.5b42987 | Mac OS X memory analysis toolkit. |
| volatility-extra | 92.d9fc072 | Volatility plugins developed and maintained by the community. |
| volatility3 | 2.7.0 | Advanced memory forensics framework. |
| windows-prefetch-parser | 88.bc1fa58 | Parse Windows Prefetch files. |
| wmi-forensics | 11.0ab08dc | Scripts used to find evidence in WMI repositories. |
| xplico | 1.2.2 | Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT). |
| zipdump | 0.0.21 | ZIP dump utility. |