Digital forensics tools whose primary job is to collect, preserve, and analyze evidence after the fact.
Browse 250 digital forensics tools
Andrew Case's personal page for research, software projects, and speaking events
Review of various MFT parsers used in digital forensics for analyzing NTFS file systems.
A Python module for orchestrating remote forensic data acquisition and analysis from Linux instances using Amazon SSM.
Margarita Shotgun is a Python tool that enables remote memory acquisition from target systems through command line interface, supporting Linux distributions and other operating systems via Docker containers.
A command-line tool that analyzes local CloudTrail files to detect off-instance AWS key usage patterns for security monitoring and forensic analysis.
mac_apt is a versatile DFIR tool for processing Mac and iOS images, offering extensive artifact extraction capabilities and cross-platform support.
A tool for fixing acquired .evt Windows Event Log files in digital forensics.
Incident response and digital forensics tool for transforming data sources and logs into graphs.
A pure Python parser for Windows Event Log (.evtx) files that enables cross-platform forensic analysis of Windows system events.
Recover event log entries from an image by heuristically looking for record structures.
Bitscout is a Bash-based live OS constructor tool for building customizable forensic environments used in remote system triage, malware hunting, and digital forensics investigations.
pcapfex is a forensic tool that extracts files from packet capture data by analyzing network traffic and identifying embedded file content.
Open Backup Extractor is an open source program for extracting data from iPhone and iPad backups.
View physical memory as files in a virtual file system for easy memory analysis and artifact access.
SIFT is a digital forensics toolkit that provides installation management, task execution, and machine image building capabilities for forensic investigations on Ubuntu systems.
Hide data in images while maintaining perceptual similarity and extract it from printed and photographed images.
replayproxy allows you to 're-live' an HTTP session captured in a .pcap file: it parses the HTTP streams, caches them, and starts an HTTP proxy that replies to requests with the matching responses.
A Golang application that stores and queries NIST NSRL Reference Data Set for MD5 and SHA1 hash lookups using Bolt database technology.
A command-line forensics tool for tracking and analyzing USB device artifacts and connection history on Linux systems.
A high-performance digital forensics exploitation tool for extracting structured information from various inputs without parsing file system structures.
A bash script for automating Linux swap analysis for post-exploitation or forensics purposes.
An open source digital forensic tool for processing and analyzing digital evidence with high performance and multiplatform support.