guymager is a forensic imaging tool based on Qt.
aesfix is a tool to find AES keys in RAM.
AESKeyFinder is a tool for finding and reconstructing AES keys. It illustrates automatic techniques for locating 128-bit and 256-bit AES keys in a captured memory image.
AFFLIB (the Advanced Forensic Format Library and Tools) is the library and command-line tool set for the Advanced Forensic Format (AFF), an on-disk format for storing computer forensic information.
AIR (Automated Image & Restore) is a GUI front-end to dd/dc3dd designed for easily creating forensic disk/partition images. Supports MD5/SHAx hashes, SCSI tape drives, imaging over a TCP/IP network, splitting images, and detailed session logging.
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
bmap-tools is a tool for copying largely sparse files using information from a block map file.
Bulk Email and URL extraction tool.
Canari is a rapid transform development framework for Maltego written in Python. The original focus of Canari was to provide a set of transforms that would aid in the execution of penetration tests, and vulnerability assessments.
CapTipper is a Python tool to analyze, explore and revive HTTP malicious traffic. CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.
Chaosmap is an information gathering tool and DNS, Whois, and Web server scanner. It can be used to look up DNS names with a dictionary with or without using a salt.
chntpw is an offline NT password editor: it resets passwords in a Windows NT SAM user database file.
ChromeFreak is a cross-platform forensic framework for Google Chrome. It can investigate databases and files effectively.
dc3dd is a patched version of GNU dd to include a number of features useful for computer forensics.
dcfldd is an enhanced version of dd with features useful for forensics and security. dd copies a file (from standard input to standard output, by default) converting and formatting according to the options supplied.
disitool is a tool to work with the digital signatures of Windows executables.
dumpzilla is a forensic tool for Firefox.
emldump is a utility to analyze MIME files.
Fix acquired .evt - Windows Event Log files (Forensics).
Galleta is a forensic tool that examines the content of cookie files produced by Microsoft's Internet Explorer. It parses the file and outputs a field-separated record that can be loaded into a spreadsheet.
GrokEVT is a collection of scripts for reading Windows event log files on Unix. The scripts work together on one or more mounted Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.
hashdeep is a program to compute, match, and audit hashsets. With traditional matching, programs only report whether an input file matched one in a set of knowns or did not match; hashdeep's audit mode additionally reports known files that were not seen and files that match a known hash under a different name.
INDXParse is a suite of tools forensic investigators can use to inspect NTFS artifacts. Although INDXParse was once a single tool for working with directory index entries, the project now includes many more capabilities. These include file enumeration, metadata extraction, a logical tree browser GUI, and more.
interrogate is a proof-of-concept tool for identification of cryptographic keys in binary material (regardless of target operating system), first and foremost for memory dump analysis and forensic usage.
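AESKeyFinder and interrogate both rely on the same observation: an AES key held in memory is almost always accompanied by its expanded key schedule, and the schedule is a deterministic function of the key, so a 16- or 32-byte window whose FIPS-197 expansion appears verbatim right after it is a key. The following is an added example of that search, written for this page and not taken from either project; it implements the standard key expansion for all three key sizes, scans a constructed 4 KiB "dump" with two planted schedules, and bails out of each candidate at the first non-matching schedule word so that the full expansion is only computed for real hits. The sample image and planted keys (the FIPS-197 test vectors) are constructed for the example.

```python
# Added example of AES key-schedule search, illustration code only
# (not AESKeyFinder's or interrogate's source).
import random

# FIPS-197 forward S-box
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
ROUNDS = {4: 10, 6: 12, 8: 14}   # Nk (key words) -> Nr (rounds) for AES-128/192/256


def iter_schedule(key: bytes):
    """Yield the 4-byte words of the FIPS-197 key schedule for a 16/24/32-byte key."""
    nk = len(key) // 4
    if nk not in ROUNDS or len(key) % 4:
        raise ValueError("key must be 16, 24 or 32 bytes")
    words = [key[i:i + 4] for i in range(0, len(key), 4)]
    yield from words
    for i in range(nk, 4 * (ROUNDS[nk] + 1)):
        t = words[i - 1]
        if i % nk == 0:                       # RotWord, SubWord, Rcon
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ RCON[i // nk - 1]]) + t[1:]
        elif nk > 6 and i % nk == 4:          # extra SubWord for AES-256
            t = bytes(SBOX[b] for b in t)
        w = bytes(a ^ b for a, b in zip(words[i - nk], t))
        words.append(w)
        yield w


def expand_key(key: bytes) -> bytes:
    """Full expanded key: 176, 208 or 240 bytes."""
    return b"".join(iter_schedule(key))


def find_aes_keys(image: bytes, key_sizes=(16, 32)):
    """Return [(offset, key_size, key)] for every window whose schedule follows it."""
    hits = []
    for size in key_sizes:
        sched_len = 16 * (ROUNDS[size // 4] + 1)
        for off in range(len(image) - sched_len + 1):
            cand = image[off:off + size]
            if len(set(cand)) < size // 2:    # low-entropy window, never a real key
                continue
            # compare schedule word by word; stop at the first mismatch
            for i, w in enumerate(iter_schedule(cand)):
                if image[off + 4 * i:off + 4 * i + 4] != w:
                    break
            else:
                hits.append((off, size, cand))
    return hits


def build_sample_image():
    """Constructed 4 KiB 'memory dump' (sample data, not a real capture):
    pseudo-random filler with one AES-128 and one AES-256 schedule planted."""
    rng = random.Random(2024)
    buf = bytearray(rng.getrandbits(8) for _ in range(4096))
    k128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
    k256 = bytes(range(32))                                     # FIPS-197 A.3 key
    buf[512:512 + 176] = expand_key(k128)
    buf[2048:2048 + 240] = expand_key(k256)
    return bytes(buf), {512: k128, 2048: k256}


if __name__ == "__main__":
    image, planted = build_sample_image()
    for off, size, key in find_aes_keys(image):
        print(f"AES-{size * 8} key at offset {off:#x}: {key.hex()}")
```

On a real image the same loop runs over a memory dump read with `open(path, "rb").read()` (or mmap for large files); keys whose schedule is stored elsewhere, or with bit errors from a cold-boot capture, will not be found by this exact-match test, which is the gap aesfix addresses.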
iosForensic is a Python tool to help with forensic analysis on iOS. It gets files and logs, extracts sqlite3 databases and decompresses .plist files into XML.
lfle recovers event log entries from an image by heuristically looking for record structures.
mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system.
Malheur is a tool for automatic analysis of program behavior recorded from malicious software (malware). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures.
md5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is similar to the md5sum program found in the GNU Coreutils package but with additional functionality.
Memfetch is a simple utility to take non-destructive snapshots of process address space.
Mobius Forensic Toolkit
Mobius Forensic Toolkit is a set of forensic tools written in Python/GTK. It is application-centered instead of being file-centered, which means it gathers information throughout evidence disks and directories and shows it in an integrated way.
Network Appliance Forensic Toolkit.
nfex is a tool for extracting files from the network in real time or post-capture from an offline tcpdump pcap savefile. It is based on the code base of the apparently defunct project tcpxtract.
pdfbook is a utility for Facebook memory forensics.
peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks.
pev is a multiplatform toolkit to work with PE (Portable Executable) binaries. Its main goal is to provide a feature-rich tool for properly analyzing binaries, especially suspicious ones.
RecuperaBit is a tool for forensic file system reconstruction.
replayproxy is a forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file.
Rifiuti2 analyses recycle bin files from Windows. Analysis of the Windows recycle bin is usually carried out during Windows computer forensics. Rifiuti2 can extract the deletion time, original path and size of deleted files, and whether the deleted files have been moved out of the recycle bin since they were trashed.
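On Vista and later each trashed file leaves two entries in `$Recycle.Bin\<SID>\`: a `$R<id>` file holding the content and a `$I<id>` metadata record with a fixed header of three little-endian 64-bit fields (format version, original size, deletion time as a FILETIME) followed by the original path, stored as 520 bytes of null-padded UTF-16LE in version 1 and as a 32-bit character count plus UTF-16LE string in version 2 (Windows 10). The following is an added example of the parsing Rifiuti2 performs, written for this page and not the project's own code; it decodes both header versions, converts the FILETIME, and flags a record as "moved out" when no matching `$R` file is present. The two records and their file names are constructed for the example.

```python
# Added example of $I recycle-bin record parsing, illustration code only
# (not Rifiuti2's source).
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_index_file(data: bytes) -> dict:
    """Parse one $I<id> record (Vista and later recycle bin)."""
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                        # Vista .. 8.1: fixed 260-char path
        raw = data[24:24 + 520]
        if len(raw) < 520:
            raise ValueError("truncated v1 path field")
    elif version == 2:                      # Windows 10+: length-prefixed path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) < 2 * nchars:
            raise ValueError("truncated v2 path field")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_at": filetime_to_datetime(ft), "path": path}


def build_index_file(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Construct a $I record (fixture builder for the example; inverse of the parser)."""
    ft = ((deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    header = struct.pack("<QQQ", version, size, ft)
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def audit_recycle_bin(files: dict) -> list:
    """files maps entry name -> bytes for one $Recycle.Bin\\<SID> directory.
    Returns one record per $I file; 'moved_out' is True when its $R twin is absent."""
    records = []
    for name, data in sorted(files.items()):
        if not name.startswith("$I"):
            continue
        rec = parse_index_file(data)
        rec["index"] = name
        rec["moved_out"] = ("$R" + name[2:]) not in files
        records.append(rec)
    return records


# Constructed directory listing: one Windows 10 record whose $R file is still
# present, one Vista-era record whose $R file is gone (restored or wiped).
SAMPLE_BIN = {
    "$IX1Y2Z3.docx": build_index_file(
        2, 48_128, datetime(2023, 5, 4, 9, 30, 15, tzinfo=timezone.utc),
        r"C:\Users\alice\Documents\budget.docx"),
    "$RX1Y2Z3.docx": b"placeholder document content",
    "$IQ9W8E7.png": build_index_file(
        1, 1_024, datetime(2015, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
        r"C:\Users\alice\Pictures\photo.png"),
}

if __name__ == "__main__":
    for rec in audit_recycle_bin(SAMPLE_BIN):
        print(rec["index"], rec["deleted_at"].isoformat(), rec["size"],
              rec["path"], "moved out" if rec["moved_out"] else "still in bin")
```

To run it against evidence, build `files` from `os.listdir()` of the mounted `$Recycle.Bin\<SID>` directory, reading only the `$I` entries; the `$R` names are needed solely for the presence check.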
SkypeFreak is a cross platform forensic framework for Skype.
IP, URL and MD5 OSINT analysis.
The Coroner's Toolkit
The Coroner's Toolkit (TCT) is a collection of programs for a post-mortem analysis of a system. Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.
TrID is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard coded logic, TrID has no fixed rules. Instead, it's extensible and can be trained to recognize new formats in a fast and automatic way.
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, LKMs or other hiding techniques.
The Volatility Framework is a completely open collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this area of research.
zipdump is a ZIP dump utility.