Digital forensics tools

Introduction

Digital forensics is becoming more important as connectivity keeps growing. By using the right tools, one can do better analysis and research. This category lists the open source options available to perform such analysis in memory and on disk.

Usage

Digital forensics tools are typically used for criminal investigations and digital forensics.

Users for these tools include forensic specialists and security professionals.

Tools

Popular digital forensics tools

Bitscout (remote forensics meta tool)

digital forensics

Bitscout contains a set of popular tools to acquire and analyze disk images onsite. It saves engineers from traveling to the physical location. In other words, it provides the option to do remote forensics. The project claims that it correctly implements the requirements of digital forensics. One of these requirements is that no data is altered. For example, the remote security professional can obtain a disk image clone, but not alter the machine state.

FIR (fast incident response tool)

incident response, security monitoring

FIR is an incident response tool written in the Django framework. It provides a web interface to deal with the creation and management of security-related incidents.

GRR Rapid Response (remote live forensics for incident response)

digital forensics, intrusion detection, threat hunting

The goal of the GRR tooling is to support digital forensics and investigations. By using a fast and scalable model, analysts can quickly perform their analysis. One of the main features is the ability to search for particular information or details. This process is called hunting.

LogonTracer (visualize Windows authentication events)

criminal investigations, digital forensics, learning

LogonTracer is a tool to investigate malicious logins from Windows event logs with visualization capabilities.

Loki (file scanner to detect indicators of compromise)

digital forensics, intrusion detection, security monitoring

Loki is a security tool to find so-called indicators of compromise (IOC). It does this by scanning files and applying pattern matching.

MIG (real-time investigation tool)

digital forensics, intrusion detection

MIG provides a platform to perform investigative analysis on remote systems. By using the right queries, information can be obtained from these systems. This all happens in parallel, making intrusion detection, investigation, and follow-up easier.

The Sleuth Kit (toolkit for forensics)

criminal investigations, digital forensics, file system analysis

The Sleuth Kit is a forensics tool to analyze volume and file system data on disk images. With its modular design, it can be used to carve out the right data, find evidence, and use it for digital forensics.

Volatility (memory forensics framework)

digital forensics

Volatility is a volatile memory framework used for forensics and analysis purposes. The framework is written in Python and runs on almost all platforms.

dfis (DFIR toolkit)

digital forensics

This toolkit of scripts is made by Hal to help with forensic assignments. The scripts make several parts of the job easier, like converting data to another format for further processing.

libewf (forensics library for Expert Witness Format)

digital forensics

The libewf toolkit is useful for those who need to create a disk image or perform disk forensics.

r2frida (bridge between Radare2 and Frida)

application testing, binary analysis, memory analysis

Both Radare2 and Frida have their own area of expertise. This project combines both, to allow a more extensive analysis of files and processes.

radare2 (reverse engineering tool and binary analysis)

digital forensics, reverse engineering, software exploitation, troubleshooting

Radare2 is a popular framework to perform reverse engineering on many different file types. It can be used to analyze malware, firmware, or any other type of binary file. Besides reverse engineering, it can be used for forensics on filesystems and for data carving. Tasks can be scripted, with support for languages like JavaScript, Go, and Python. It can even be used for software exploitation.

shellbags (extract information from Windows Registry file)

digital forensics

Typically this tool is used to gather information from a compromised system or to follow traces on a system to find evidence. Shellbags can provide some insight into the directories browsed via Explorer on Microsoft Windows systems.
