Digital forensics is a specialist art. It allows investigations to be undertaken without modifying the media. Being able to preserve and analyze data in a safe and non-destructive way is crucial when using digital evidence as part of an investigation, and even more so when a legal audit trail needs to be maintained. Digital forensics can be used in a wide range of investigations such as computer intrusion, unauthorised use of computers including the violation of an organisation’s internet-usage policy, gathering intelligence from documents and emails, as well as the protection of corporate assets.
We have extolled the virtues of open source software in many of our previous articles. The debate between open source and closed source software has often centered on factors such as freedom, reliability, interoperability and open standards, support, and philosophy.
In this instance, open source software offers a legal benefit, as it can increase the admissibility of digital forensic evidence. This is because open source tools enable the investigator and court to verify that a tool does what it claims and makes it easier to prove that the original drive has not been modified, or that a copy has not been modified.
Linux has a good range of digital forensics tools that can process data, perform data analysis of text documents, images, videos, and executable files, present that data to the investigator in a form that helps identify relevant data, and to search the data.
To provide an insight into the software that is available, we have compiled a list of 10 of our favorite digital forensics tools. Hopefully, there will be something of interest here for anyone who needs to undertake digital investigations.
Here’s our rating chart with recommendations. Only free and open source software is eligible for inclusion.
Click the links in the table below to learn more about each tool.
| Digital Forensics Tools | |
|---|---|
| GRR Rapid Response | Remote live forensics for incident response |
| Radare2 | Portable reversing framework |
| The Sleuth Kit | Collection of tools for forensic analysis |
| Autopsy Forensic Browser | Graphical interface to SleuthKit |
| Volatility | Advanced memory forensics framework |
| Mozilla InvestiGator | Real-time digital forensics and investigation platform |
| guymager | Forensic imaging tool based on Qt |
| dcfldd | Enhanced version of dd for forensics and security |
| rdd | Forensic copy program |
| Jomon | Network forensics and passive sniffer |
This article has been revamped in line with our recent announcement.
 Read our complete collection of recommended free and open source software. Our curated compilation covers all categories of software. Spotted a useful open source Linux program not covered on our site? Please let us know by completing this form. The software collection forms part of our series of informative articles for Linux enthusiasts. There are hundreds of in-depth reviews, open source alternatives to proprietary software from large corporations like Google, Microsoft, Apple, Adobe, IBM, Cisco, Oracle, and Autodesk. There are also fun things to try, hardware, free programming books and tutorials, and much more. |
If you want to add live OS to the list, there’s Tsurugi Linux. It has the largest collection tools (more than a thousand) for DFIR workflow. In my opinion it’s better than CAINE.