Tools on the site are organized into the following categories:

  • Bootable Environments
    Use to boot a suspect system into a trusted state.
  • Data Acquisition
    Use to collect data from a dead or live suspect system.
  • Volume System
    Use to examine the data structures that organize media, such as partition tables and disk labels.
  • File System
    Use to examine a file system or disk image and show the file content and other metadata.
  • Application
    Use to analyze the contents of a file (i.e. at the application layer).
  • Network
    Use to analyze network packets and traffic. This does not include logs from network devices.
  • Memory
    Use to analyze memory dumps from computers.
  • Frameworks
    Frameworks used to build custom tools.