Digital forensics tools
Digital forensics is becoming more important as connectivity keeps growing. By using the right tools, one can do better analysis and research. This category lists the open source options available to perform such analysis in memory and on disk.
Digital forensics tools are typically used for criminal investigations and digital forensics.
Users of these tools include forensic specialists and security professionals.
Bitscout (remote forensics meta tool)
Bitscout contains a set of popular tools to acquire and analyze disk images onsite. It saves engineers from traveling to the physical location. In other words, it is providing the option to do remote forensics. The project claims that everything is correctly implemented when it comes to digital forensics. One of these requirements is that no data is altered. For example, the remote security professional can obtain a disk image clone, but not alter the machine state.
dfis (DFIR toolkit)
This toolkit of scripts is made by Hal to help with forensic assignments. The scripts make several parts of the job easier, like converting data to another format for further processing.
FIR (fast incident response tool)
incident response, security monitoring
FIR is an incident response tool written in the Django framework. It provides a web interface to deal with the creation and management of security-related incidents.
GRR Rapid Response (remote live forensics for incident response)
digital forensics, intrusion detection, threat hunting
The goal of the GRR tooling is to support digital forensics and investigations. By using a fast and scalable model, analysts can quickly perform their analysis. One of the main features is the ability to search for particular information or details. This process is called hunting.
libewf (forensics library for Expert Witness Format)
The libewf toolkit is useful for those who need to create a disk image or perform disk forensics.
LogonTracer (visualize Windows authentication events)
criminal investigations, digital forensics, learning
LogonTracer is a tool to investigate malicious logins from Windows event logs with visualization capabilities.
Loki (file scanner to detect indicators of compromise)
digital forensics, intrusion detection, security monitoring
Loki is a security tool to find so-called indicators of compromise (IOC). It does this by scanning files and then applying pattern matching.
MIG (real-time investigation tool)
digital forensics, intrusion detection
MIG provides a platform to perform investigative analysis on remote systems. By using the right queries, information can be obtained from these systems. This all happens in parallel, making intrusion detection, investigation, and follow-up easier.
r2frida (bridge between Radare2 and Frida)
application testing, binary analysis, memory analysis
Both Radare2 and Frida have their own area of expertise. This project combines both, to allow a more extensive analysis of files and processes.
radare2 (reverse engineering tool and binary analysis)
digital forensics, reverse engineering, software exploitation, troubleshooting
shellbags (extract information from Windows Registry files)
Typically this tool is used to gather information from a compromised system or to follow traces on a system to find evidence. Shellbags can provide some insight into directories browsed via Explorer on Microsoft Windows systems.
The Sleuth Kit (toolkit for forensics)
criminal investigations, digital forensics, file system analysis
The Sleuth Kit is a forensics tool to analyze volume and file system data on disk images. With its modular design, it can be used to carve out the right data, find evidence, and use it for digital forensics.
Missing a favorite tool in this list? Share a tool suggestion and we will review it.