Free Forensic Software Tools
A list of free forensic tools to examine compromised workstations.
Free Forensic Tools
CAINE Computer Aided INvestigative Environment Live CD, computer forensics, digital forensics – CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
BackTrack Linux Penetration Testing and Security Auditing – When BackTrack was developed, it was designed to be an all in one live cd used on security audits and was specifically crafted to not leave any remnants of itself on the laptop. It has since expanded to being the most widely adopted penetration testing framework in existence and is used by the security community all over the world.
Raptor – Forensic Acquisition and Preview – Raptor was designed with the understanding that many of those tasked with creating forensic images are not comfortable with using the command-line but still want to utilize the power of Linux. Raptor was also designed with the understanding that many agencies or companies have limited budgets. You can register then download an ISO to create your own bootable CD or USB.
INSERT – INSERT is a complete, bootable linux system. It comes with a graphical user interface running the fluxbox window manager while still being sufficiently small to fit on a credit card-sized CD-ROM. INSERT contains a multitude of useful tools to be at your hand in a variety of situations. Computer forensics (e.g. chkrootkit, foremost, rootkit hunter).
F.I.R.E. Forensic and Incident Response Environment Bootable CD – FIRE is a portable bootable cdrom based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment. Also provides necessary tools for live forensics/analysis on win32, sparc solaris and x86 linux hosts just by mounting the cdrom and using trusted static binaries available in /statbins.
Masterkey! – Masterkey Linux is a bootable Linux live operating system focused on incident response and computer forensics. With no installation required, the forensics system is started directly from the CD/DVD-ROM or USB device of a computer and is fully accessible within minutes.
Operator – Operator is a complete Linux (Debian) distribution that runs from a single bootable CD and runs entirely in RAM. The Operator contains an extensive set of Open Source network security tools that can be used for monitoring and discovering networks. Operator also contains a set of computer forensic and data recovery tools that can be used to assist you in data retrieval on the local system.
Matriux – Matriux is designed to run from a Live environment like a CD / DVD or USB stick or it can easily be installed to your hard disk in a few steps. Matriux also includes a set of computer forensics and data recovery tools that can be used for forensic analysis and investigations and data retrieval.
Ubuntu Rescue Remix – Ubuntu-Rescue-Remix provides a robust yet lean system for data recovery and forensics. No graphical interface is used; the live system can boot and function normally on machines with very little memory or processor power. Following Ubuntu’s six-month release schedule, all the software is up-to-date, stable and supported.
fhclive.org – Forensic Hard Copy, is a Linux distribution, bootable CD (LiveCD), exclusively created to automate and speed up the copy of the storage devices. These procedures of copy are commonly in use in computer forensics.
ThePacketMaster Linux Security Server – Live Security/Forensics Linux Distribution, built from scratch and packed full of tools useful for vulnerability analysis, penetration tests, and forensic analysis.
Portable Linux Auditing CD – PLAC is a business card sized bootable cdrom running linux. It has network auditing, disk recovery, and forensic analysis tools. ISO will be avialable and scripts to roll you own cd.
DEFT Linux – Computer Forensics live cd – DEFT 7 is based on the new Kernel 3 (Linux side) and the DART (Digital Advanced Response Toolkit) with the best freeware Windows Computer Forensic tools.
Rifiuti – A Recycle Bin Forensic Analysis Tool.
OSForensics – Digital investigation – Extract forensic data from computers, quicker and easier than ever. Uncover everything hidden inside a PC. Find files quickly, Search within Files, Search for Emails, Recover Deleted Files, Uncover Recent Activity, Collect System Information, View Active Memory, Extract Logins and Passwords.
NetworkMiner – NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic.
DriveLook – a powerful forensic disk investigation tool, which enables you to Investigate a drive for suspicious content. See what others put on your computer. Find traces of user activity.
MANDIANT Memoryze – MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
Paraben P2 eXplorer Free – P2 eXplorer is one of the only programs that mounts images as logical and physical disks. This means all the deleted, slack, and unallocated space is accessible. An image isn’t just mounted to view logical files; it is mounted as an actual bit-stream image, preserving unallocated, slack, and deleted data. P2X is easy to use and most importantly, it’s free.
Pasco v1.0 – An Internet Explorer activity forensic analysis tool.
Live View – Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to “boot up” the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra “throw away” copies of the disk or image to create the virtual machine.
The Sleuth Kit – The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
Autopsy Forensic Browser – The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer.
MANDIANT Restore Point Analyzer – A simple forensic tool to analyze change.log files from restore points to determine the original paths and file names of files stored inside restore points.
CaseNotes Lite – The purpose of CaseNotes is to provide a single lightweight application program to run on the Microsoft Windows platform to allow forensic analysts and examiners of any discipline to securely record their contemporaneous notes electronically.
Galleta v1.0 – A Internet Explorer Cookie Forensic Analysis Tool.
The Internet Investigator’s Toolkit – The Internet Investigator’s Toolkit is a compact Java tool that enables quick assessment, from the online investigator’s desktop, of information about websites and other online activities.
FragView – This a very simple viewer application that allows a recursive list of html, jpg and Flash files to be viewed in an adjacent pane without having to manually navigate to each one individually and open it. A great time saver, especially for previewing exported webmail fragments!
MANDIANT Web Historian – MANDIANT Web Historian helps users review the list of websites (URLs) that are stored in the history files of the most commonly used browsers, including: Internet Explorer, Firefox and Chrome.
Paraben Shuttle Free – Paraben’s network forensic tools have been used for years by government and private organizations around the world. Now you can add a network forensic tool to your forensic toolbox for free. Paraben Shuttle Free is a light version of Paraben Shuttle Pro.
GigaView – This tool will parse exported GigaTribe chat logs and output the results to a single Tab Separated Values (TSV) file, which can then be imported into Excel for detailed analysis.
Scalpel – Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.
Forensic Toolkit v2.0 – The Forensic ToolKit contains several Win32 Command line tools that can help you examine the files on a NTFS disk partition for unauthorized activity.
MyLastSearch – MyLastSearch utility scans the cache and history files of 4 Web browsers (IE, Firefox, Opera, and Chrome), and locate all search queries made with the most popular search engines (Google, Yahoo and MSN) and with popular social networking sites (Twitter, Facebook, MySpace). The search queries are displayed in a table with the following columns: Search Text, Search Engine, Search Time, Search Type (General, Video, Images), Web Browser, and the search URL.
Private Eye – Private Eye 3.0.2 provides the ability to search the Protected Storage area for user-specified strings, as well as delete entries from the Protected Storage area.
LiveContactsView – Extracts the contacts of Windows Live Messenger stored inside the contacts.edb file.
DumpAutoComplete – This application will search for the default Firefox profile of the user who runs the tool and dump the AutoComplete cache in XML format to standard output.
VideoTriage – VideoTriage is designed to produce thumbnails of selected movie files so that the movie doesn’t need to be watched. It’s based on the VLC libraries so any movie file type supported by VLC will work with VideoTriage.
10-23 On-Scene Investigator – This toolkit was created for the non-technical first responder to a computer incident involving a Windows computer. It is remastered from Knoppix a bootable distribution of Linux. The toolkit runs completely off of the CD and out of RAM and does not touch the suspect hard drive(s).
RecycleReader (Direct Download) – RecycleReader.exe (currently in beta) will parse the INFO2 files (in XP) and the bin files in Vista/7 and output the information about deleted files. It is usually used in forensic analysis of workstations.
NirSoft Browser Forensic Software for Windows
IEHistoryView – IEHistoryView extracts information from the history file (index.dat) of Internet Explorer. This history information includes the URLs that user visited, the Web site title, The number of times that this URL was visited (Hits column), and the last date/time that the Web site visit occured. The history file also contains a list of local files that the user opened with Internet Explorer (Usually .html and image files).
IECacheView – IECacheView extracts information from the cache files (index.dat) of Internet Explorer. The information provided by IECacheView is somewhat similar to IEHistoryView. However, while the history file (IEHistoryView) stores only one record fro every Web page visit, the cache file stores multiple records for every Web page, including all images and other files loaded by the Web page.
IECookiesView – IECookiesView extracts the content of all cookie files stored by Internet Explorer.
IE PassView – IE PassView extracts the Web site passwords stored by Internet Explorer.
MozillaCacheView – MozillaCacheView extracts the details of all cache files stored by Mozilla Firefox.
MozillaHistoryView – MozillaHistoryView extracts the details of all browsing history stored by Mozilla Firefox. Starting from Mozilla Firefox 3, MozillaHistoryView requires that Firefox 3 will be installed on the computer that you run it, because it uses the sqlite3.dll library to read the SQLite history database of Firefox.
MozillaCookiesView – MozillaCookiesView extracts the content of all cookie files stored by Mozilla Firefox. Starting from Mozilla Firefox 3, MozillaCookiesView requires that Firefox 3 will be installed on the computer that you run it, because it uses the sqlite3.dll library to read the SQLite cookies database of Firefox.
PasswordFox – PasswordFox extracts the Web site passwords stored by Firefox Web browser. PasswordFox requires that Firefox will be installed on the computer that you run it, because it uses the decryption library of Firefox to decrypt the passwords.
OperaCacheView – OperaCacheView extracts the details of all cache files stored by Opera Web browser.
OperaPassView – OperaPassView extracts the Web site passwords stored by Opera Web browser. OperaPassView cannot extract the passwords and they are protected with a master password.
ChromeCacheView – ChromeCacheView extracts the details of all cache files stored by Google Chrome Web browser.
More software downloads
- Browser Security
- Startup Manager
- Drive, File and Privacy Cleaners
- Windows Hardening Tools
- Malware Removal: Stand-alone and Specific Tools
- Advanced System Protectors, Analyzers, Malware Analysis and Control Tools
- Patch and software Auditors
- Privacy, Anonymity and Proxy
- Encryption Tools
- Password Manager
- File Shredders
- Windows and Browser Forensic Tools
- Anti-Malware Rescue CD and DVD
- Website Security Tools and Services
- Security Software Removal Tools