Advanced Forensic Format Library (afflib)

Simson Garfinkel and Basis Technology

The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata.


David Kovar

analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in a format that allows further analysis with other tools.

Automated Image and Restore (AIR)

Steve Gibson

AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.

Autopsy Forensic Browser

Brian Carrier

Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted and allocated files, perform keyword searches, and create timelines of file activity.


GNU binutils Team

The GNU Binutils are a collection of binary tools. For forensics, these are used for binary analysis, including 'strings'.
On Ubuntu this includes the following utils:-


Currently the project manager is Nanni Bassetti

CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a project of Digital Forensics
CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:

* an interoperable environment that supports the digital investigator during the four phases of the digital investigation
* a user friendly graphical interface


Michiel Ronsse

CDFS is a file system for Linux systems that `exports' all tracks and boot images on a CD as normal files. These files can then be mounted (e.g. for ISO and boot images), copied, played (audio and VideoCD tracks).


Author: J. Schilling

Cdrecord, now known as cdrtools, supports DVD-R and DVD-RW with all known DVD-writers on all UNIX-like OS and on Win32. Other optical media types are supported, as is multisession, and recently support for BluRay has been implemented (version 2.10). DVD writing support has been available in cdrecord since march 1998. Cdrecord writes DVD media similar to CD media. The readcd tool can be used to read the contents of a CD.


Nelson Murilo

chkrootkit is a tool to locally check for signs of a rootkit.

Clam AnvtiVirus

Tomasz Kojm

Clam AntiVirus is a GPL anti-virus toolkit for UNIX with a port for Windows. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software.

Computer Forensic Reference Data Sets (CFReDS)


The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.

Cuckoo Sandbox

Claudio "nex" Guarnieri

In three words, Cuckoo Sandbox is a malware analysis system.

Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.

It's mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.

But it can do much more...
It's up to you to discover what and how.

Some of the results that Cuckoo generates are:


Dod Computer Forensics Labs


GNU Coreutils Team

Description: 'dd' is a common UNIX tool that copies data from one file to another. It can also be used with 'netcat' to send data to a server over the network.

DD - GUI Wizard [Perl Frontend]

Thamir Alshammari & Michael Boncoddo

This tool provides the user with a gui frontend (designed in perl) for the popular program, dd. The frontend has been designed to allow for the same functionality as using dd via command line or terminal.

-Local/Remote imaging.
-Netcat/Cryptcat ready.
-MD5, SHA1, and other hash methods are provided.
-GUI based directories.
-DD command line argument options.
-Summary Reports.
-Imaging completion status display.

[OS Support]
-Windows XP to 7
-Variants of Linux
-OSX versions with dd.

DOWNLOAD LOCATION: http://ddgui.myftp.org/ddgui.zip


Antonio Diaz

Description: GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. [Ed: This tool is similar to, but not the same as dd_rescue]


Kurt Garloff

Like dd, dd_rescue does copy data from one file or block device to another. You can specify file positions (called seek and Skip in dd). There are several differences. dd_rescue does not provide character conversions. dd_rescue does not abort on errors on the input file, unless you specify a maximum error number. Then dd_rescue will abort when this number is reached. dd_rescue does not truncate the output file, unless asked to. You can tell dd_rescue to start from the end of a file and move backwards. It uses two block sizes, a large (soft) block size and a small (hard) block size.


Joxean Koret

"Deeptoad" is a (python) library and a tool to clusterize similar files using fuzzy hashing techniques. This project is inspired by the well known tool ssdeep.

DEFT Linux Boot CD

Stefano Fratepietro

DEFT Linux v5 is an Italian project that is based on Kernel 2.6.31 and uses the LXDE desktop environment and thunar file manager in conjunction with best free and open source applications dedicated to incident response and computer forensics. In addition, DEFT Extra 2.0 (Computer Forensic GUI) comes with the best freeware Windows Computer Forensic tools.

DEFT is meant to be used by:

* police
* investigators
* system administrator
* individuals who need to use forensic tools to recover data


Frederic Baguelin, Solal Jacob, Christophe Malinge, Jeremey Mounier, and Francois Percot

DFF is a simple but powerfull open source tool with a flexible module system written in C++ and Python. The aim is to provide an extensible framework by which additional features may be added to analyze and recover any kind of digital artifact

Latest developments and contributions available from http://tracker.digital-forensic.org
Documentation available from http://wiki.digital-forensic.org


Stefano Fratepietro

Very fast tool for compute and verify MD5, SHA1 and SFV hash, with a GUI and a useful progress bar.

Digital Forensics Tool Testing (DFTT)

Brian Carrier

A collection of file system and disk images that test the functionality of analysis tools.




Christoph Pfisterer

The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more details about the file system or partition table)


Marek Zelem, Milan Pikula, Martin Leopold

e2salvage is a utility which tries to do in-place data recovery a from damaged ext2 file systems. Unlike e2fsck, it does not look for the data at particular places and it don't tend to believe the data it finds; thus it can handle much more damaged file system.

eCryptfs Parser

Ted Smith

eCryptfs Parser is a GUI for Linux and Windows that recursively parses the headers of every eCryptfs file found in a given directory. It will tell you what encryption algorithm was used, the original filesize of the file before it was encrypted, the private signature used etc.

Enhanced Linux Loopback

Jason Luttgens

The enhanced loopback driver modifies the native loopback driver of the Linux kernel and adds functionality that can make the driver emulate a disk drive in some ways. Most important to us is providing automatic interpretation and mapping of partitions contained within an image file of a hard drive.

Event Log Parser

Jamie French

A PHP script to parse Windows event logs.


Nicholas Harbour

Fatback is a tool for undeleting files from FAT file systems.

FCCU GNU/Linux Forensic Boot CD

Christophe Monniez

The FCCU GNU/Linux Forensic boot CD-Rom was created by the Belgian Federal Computer Crime Unit (FCCU) to assist in the forensic analysis of computers. It is based on version 4.02 of the KNOPPIX Live CD and contains open source forensic utilities.

File AUdit Security Toolkit (FAUST)

Frederic Raynal

faust is a perl script that helps to analyze files found after an intrusion or the compromising of a honeypot. Its goal is not to make the analysis, but to extract the pieces of information that _you_ will use afterward in your analysis.

File Ripper

Kristofer Munsterhjelm

File Ripper is a file extractor based on header recognition. It can be used to recover files from unfragmented disk images where filesystem information has been lost or otherwise corrupted, or the files have been inadvertently deleted. It detects and extracts PNG, HTML, GIF, ZIP, LBM, PBM, ANM, BAT, BAS, RTF, HLP, WAV, WRI, JPG, ARJ, DOS EXE, ANS, ZZT, FRM, text BAS, BMP, MZB, FLI, MSP, DOC, MZX, GDM, IT, S3M, SAV, BRD, LZH/LHA, MOD, XM, VOC, SVX, ABM, Quetzal, and certain obscure bulletin board system formats.

File System Investigator

Bill Rossi

FileSystem Investigator is a platform independent file system viewer and data extraction tool. It allows the user to: View the contents of the target file system in a forensically safe manner, bypassing the normal operating system mechanisms. Extract files and whole directory trees of files from the source filesystem.


GNU findutils Team

The find program searches a directory tree to find a file or group of files. It traverses the directory tree and reports all occurrences of a file matching the user's specifications. The find program includes very powerful searching capability.


Jesse Kornblum

Foremost is a Linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.

Forensic Hash Database

Matthias Hofherr

The Forensic Hash Database is a project to combine the various hashsum sources like Dan Farmer's FUCK baseline collection, The NIST National Software Reference Library (NSRL), Known Goods Database, and Hashkeeper into a single meta RDBMS (relational database management system).


Klayton Monroe

FTimes is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.


Keith Jones

Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Gatekeeping Out Of The Box: Open Source Software As A Mechanism To Assess Reliability For Digital Evidence

Erin Kenneally

This article examines digital evidence reliability by first identifying and differentiating the two competing categories of software from which this evidence is derived: proprietary and Open Source. The next section explores the standards for software reliability in both the industrial marketplace and the legal arena. Specifically, the current standards are addressed in light of their value to industry and the law, as well as their respective historical origins This sets the stage for a reconciliation of standards for reliability as between industry and the courtroom.


Michail Brzitwa

Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.

Appears to be no longer developed, however is still available for most Linux distrubutions e.g. Ubuntu, installs version 0.1h-11, n.b. Beta version.


GNU grep Team

Grep searches one or more input files for lines containing a match to a specified pattern. By default, grep prints the matching lines.


Sentinel Chicken Networks.

GrokEVT is a collection of scripts built for reading Windows NT/2K/XP/2K3 event log files.


Oliver Eichner

gTableauParm is similar to the Tableau Disk Monitor for Windows. It is a GTK front-end for tableau-parm, written in C++/Gtkmm. It shows Tableau-Bridges and attached Devices in a TreeView and shows the different information's about write-protection, DCO/HPA Status etc.


Guy Voncken

guymager is a forensic imager for media acquisition. Its main features are:
* Easy user interface in different languages
* Runs under Linux
* Really fast, due to multi-threaded design, multi-threaded data compression
* Makes full usage of multi-processor machines
* Generates flat (dd), EWF (E01) and AFF images


Julien Muchembled and Victor Stinner

hachoir-parser is a package of most common file format parsers written using hachoir-core.



HashLibrarian is a Linux/Unix utility that is capable of hashing a single file or a directory recursively through multiple hashing algorithms. The fun doesn't stop there, HashLibrarian also places these hashes into a database, which it then encrypts with a user's GPG key and protects through hashing. Along with this functionality, HashLibrarian can also load these protected databases back into memory, verify their integrity, and then scan a directory, locating all matches. These matches can then be placed into an HTML formatted report with just a simple command-line option.

How to do full packet capture on a Cisco Firewall, in 4 steps.

Amar Yousif

Step by step instructions on how to start a full payload packet capture on a Cisco ASA.

I Have The Power

Ted Smith

A Windows\Linux GUI for demonstrating the numerical enormity of large hash algorithms like MD5 (128 bits), SHA1 (160 bits), SHA256 (256 bits) and SHA512 (512 bits). It is designed for the delivery of demonstrations about hashing to non-technical audiences such as jury panels, lawyers, students, case officers and so on by converting the scientific notation of the algorithm to "The chance of two different files having the same X hash value is 1 in XX billion\trillion....".


Jelmer Vernooij

kregedit is KDE utility for viewing native Windows registry files. It is similar to the regedt32 utility that can be found on most Windows platforms. Only the NT registry format (NT4/2000/XP) is supported.

KS - keywords searcher

Nanni Bassetti

KS - This is a keywords searching tool. sudo bash ks.sh for running it. It mounts a DD image file; It extracts all deleted files; slackspace; It makes a data carving on the freespace only; It indexes all by RECOLL. You need:
The Sleuthkit (last release)
It stores the index DB and the recoll.conf in the chosen output directory.
NEW file formats added and README.txt for the HowTo expand the search range.


Joachim Metz

Library and tools to support the BitLocker Drive Encryption (BDE) format.


Joachim Metz

Library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.


Joachim Metz

Library and tooling to access the Windows Event Log (EVT) format.


Joachim Metz

Libewf is a library for support of the Expert Witness Compression Format (EWF), it support both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.


Michael Murr

LibForensics is a Python framework for developing computer forensics applications. LibForensics also includes a series of demo tools that use the framework to extract information from various types of evidence/artifacts.


Omar Choudary, Joachim Metz

Library and tools for reading FileVault2 Drive Encryption (FVDE) encrypted volumes.


Joachim Metz

Library and tools to access the Windows Shortcut File (LNK) Format.


Joachim Metz

Library and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.


Joachim Metz

Library and tooling to support the Microsoft Outlook Nickfile (NK2) format. The nickfile is used to store email address aliases.


Joachim Metz

The libpff package contains a shared library and tools to analyze Microsoft Outlook Personal Folder Files (PFF). PFF files such as PAB, PST and OST files, are used to store e-mails, appointments, contacts, notes, tasks, etc. libpff provides: pffexport to export PFF items, pffinfo to provide basic information about PFF files and pffexport -m recover to recover and export PFF items


Dave Smith and Carl Byington

LibPST provides functions in library form for accessing Outlook's Personal Folders. Included with this library is a program that will take a PST file and convert it to an mbox format.


Joachim Metz

Library and tools to support the Volume Shadow Snapshot (VSS) format.

Linux Loopback

Linux Community

Loopback support in the Linux kernel allows a user to mount a file system image for forensic analysis. Images mounted via loopback can be mounted read-only.



Live View


Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk.


Kristinn Gudjonsson

log2timeline is a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analyzed by forensic investigators/analysts


Vic Abell

lsof lists open file handles for running Unix processes.


Brian Carrier

mac-robber is a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. Its output can be used as input to the 'mactime' tool in The Sleuth Kit to make a time line of file activity.

Magic Rescue


Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.

It works on any file system, but on very fragmented file systems it can only recover the first chunk of each file. Practical experience shows that chunks of 30-50MB are not uncommon.


Jesse Kornblum

md5deep is an MD5 program that can compute recursively, compare hashes with a database, and estimates the time to completion.

md5sum & sha1sum & sha2sum

GNU Coreutils Team

md5sum computes a 128-bit checksum (or fingerprint or message-digest) for each specified file.
Documentation: http://www.gnu.org/software/coreutils/manual/coreutils.html#md5sum-invoc...

sha1sum computes a 160-bit checksum for each specified file. The usage and options of this command are precisely the same as for md5sum.
Documentation: http://www.gnu.org/software/coreutils/manual/coreutils.html#sha1sum-invo...


Wietse Venema

memory dumper for UNIX-like systems.


Nanni Bassetti

NBTempo - This is a GUI (Graphical User Interface) Bash script for making files timelines and reporting them in CSV (electronic sheet) format. It needs TSK 3.2.1 and YAD (Yet Another Dialog).(TSK based)



Description: Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It can be used on a trusted server to save data from a suspect system and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk.



nxlog is a modular, multi-threaded, high-performance log management solution with multi-platform support. In concept, it is similar to syslog-ng or rsyslog, but is not limited to Unix/syslog only. It can collect logs from files in various formats, receive logs from the network remotely over UDP, TCP, or TLS/SSL on all supported platforms. It supports platform-specific sources such as the Windows Eventlog, Linux kernel logs, Android device logs, local syslog, etc. Writing and reading logs to/from databases is also supported for many database servers.




Dutch National Police Agency

The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency [KLPD/Dutch]. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.

Open Source Computer Forensics Manual

Matias Bevilacqua

An open-source manual for computer forensics covering methodology, process and delving into technical standard operating procedures.

Open Source Digital Forensics Tools: The Legal Argument

Brian Carrier

This paper addresses open source digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, it must be reliable and relevant. The reliability is tested by applying Daubert guidelines. This paper examines the guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools would.


Keith Jones

Pasco, the latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.


Jose Miguel Esparza

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files.


Eoin Hinchy

PlainSight is a versatile computer forensics tool that allows both experienced and inexperienced forensic practitioners perform common tasks using powerful open source tools.

PST files from Enron Energy Corporation

Electronic Discovery Reference Model (EDRM)

EDRM – the Electronic Discovery Reference Model – was created in 2005 by George Socha and Tom Gelbmann. Since 2005, over 300 e-discovery experts, vendors and end-users from more than 125 organizations have worked together to address the lack of standards and guidelines in the electronic discovery (e-discovery) market.

The EDRM reference model provides a common, flexible and extensible framework for the development, selection, evaluation and use of electronic discovery products and services. The completed model was placed in the public domain in May 2006.



PTK forensics is an alternative advanced framework for the TSK suite (The SleuthKit). Born as a free interface in order to improve the features already present in "Autopsy Forensic Browser" (the former TSK interface). PTK Forensics, now, is much more. In addition to providing the functions already present in Autopsy Forensic Browser it now implements numerous new essential forensic features.


Michael Cohen

The tool is an acronym for "Forensic and Log Analysis GUI", written for analysis of various log file types and network traffic analysis but can also be used for forensic analysis of disk images includes support for the Volatility framework http://www2.opensourceforensics.org/node/15 and supports file carving to recover known file types.


Sebastien Damaye

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 9 testing modules:


Willi Ballenthin

python-registry is a pure Python module for reading from Windows Registry files (NTUSER.DAT, userdiff, etc.). It exposes a high level interface analogous to the MSDN APIs, and a low level interface for working with the internal structure of the Registry.

Quick Hash

Ted Smith

A Linux & Windows GUI to enable the rapid selection and subsequent MD5, SHA1, SHA256 or SHA512 hashing of files, either individually or recursively throughout a folder structure, of text, of single files, and (since v.2.4.0) physical disks. The tool was designed for practitioners wanting to easily hash files in Linux but without the understanding of command line tools like sha1sum. It is also available for Windows.


Nanni Bassetti

It's possible to resolve the file name starting from the carved file name generated by the Foremost tool and save it, it generates an HTML report. It's possible to resolve the file name starting from the offset of a "grep" keywords search. The tool identifies automatically the change of the partition and, if the keyword is contained into the slack space, saves the sector/cluster/block where it is. (TSK based)


Chris Boubalos and Stefanos Koutsoutos

Description: rda is a command line Linux tool to remotely acquire data (like disk cloning or disk/partition imaging) and verify the transfer using md5 and/or crc32 checksums. The program is both the server and the client.


Timothy D. Morgan

RegLookup is an small command line utility for reading and querying Windows NT/2K/XP registries. RegLookup is released under the GNU GPL, and is implemented in ANSI C.


Harlan Carvey

The RegRipper is an open-source application for extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems.

Harlan Carvey has written a number of extremely useful tools, and his blog is an extremely useful resource. e.g.

It is also worth noting that regripper has its own dedicated forum. Additionally regripper can be harnessed together with Moyix's tool to parse registry information from Volatility.


Michael Rendell

Regutils is a collection of programs that can assist in the installation of windows 9x software on diskless clients. The basic procedure is to take a snap shot of a system before and after a piece of software is installed and then look at what changed.


Chris Eagle

RegViewer is GTK 2.2 based GUI Windows registry file navigator. It is platform independent allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.


Joachim Metz

ReviveIT (revit) is a file recovery tool (carver). It contains a proof of concept of the Smart Carving method introduced at the 2006 DFRWS forensic (carving) challenge. And was refined for the 2007 DFRWS forensic (carving) challenge.


Adam Laurie

RFIDIOt is an open source python library for exploring RFID devices!




Keith Jones

Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.


abelcheung & ypwong

As its name indicates, rifiuti2 is a rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. Analysis of Windows Recycle Bin is usually carried out during Windows computer forensics. Quoting from original Foundstone page:

Rootkit Hunter

Michael Boelen, Stephane Dudzinski

Rootkit scanner is scanning tool to ensure you for about 99.9% you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like: MD5 hash compare, Look for default files used by rootkits, Wrong file permissions for binaries, Look for suspected strings in LKM and KLD modules, Look for hidden files, Optional scan within plaintext and binary files.


Jake Cunningham

Parses the Safari XML Downloads.plist file and prints the results in TAB delimited format.


Jake Cunningham

Parses the Safari binary History.plist file and prints the results in TAB delimited format


Golden G. Richard III

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.


Jörg Schilling

Description: 'sdd' is a replacement for a program called 'dd'. sdd is much faster than dd in cases where input block size (ibs) is not equal to the output block size (obs). Statistics are more easily understood than those from 'dd'.Timing available, -time option will print transfer speed Timing & Statistics available at any time with SIGQUIT (^\) Can seek on input and output Fast null input Fast null output. Support for the RMT (Remote Tape Server) protocol makes remote I/O fast and easy.

Selective File Dumper

Nanni Bassetti & Denis Frati

Selective File Dumper is a forensics bash script for Linux systems that can retrieve/recover files based on their file extension with only one tool referenced (TSK).


Amar Yousif

SMTPCAT will read a pcap file and attempt to identify all smtp conversations and print info about them in the following format:
a. [INDEX] (Sender IP) --> (SMTP Server IP)
b. [INDEX] (Sender e-mail) --> (Receiver e-mail) (Date)
d. [INDEX] (AuthSMTP Passwd) <-- this is outputted only with the –p option


Jesse Kornblum

A program for computing 'fuzzy hashes'. These can be used to identify files which are similar but not identical. The hashes are signatures, like MD5 hashes, but match non-identical files.


Timothy D Morgan

tableau-parm is an small command line utility designed to interact with Tableau forensic write blockers. It performs functions similar to the Tableau Disk Monitor, except that it operates under Linux.


Several - Collaborative

This is a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.
In addition to packet capture it can be used to read back a capture file. It is able to decode layer 2 through to layer 4 protocols, and some higher layer protocols as well. Decoded packets may be displayed in raw or ASCII.

Perhaps the most powerful feature is the inclusion of an extremely powerful filtering language called the "Berkley Packet Filter" BPF.


Jeremy Elson

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis


Aaron Turner

tcpreplay is a BSD-style licensed tool to replay saved tcpdump files at arbitrary speeds. It provides a variety of features for replaying traffic for both passive sniffer devices as well as inline devices such as routers, firewalls, and the new class of inline IDS's.


Brian Carrier

A series of programs to add file name support and additional utilities to TCT.


Christophe Grenier

Tool to check and undelete partition. Works with the following partitions: FAT12 FAT16 FAT32, Linux EXT2/EXT3/EXT4, Linux SWAP (version 1 and 2), Linux Logical Volume Manager (LVM), Linux Raid, Linux LUKS, NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.

Operating System support is comprehensive, with precompiled binaries available for many popular types.

The Coroner's Toolkit (TCT)

Dan Farmer & Wietse Venema

TCT is a collection of programs for the post-mortem analysis of a UNIX system after break-in.

The disktype File System Sampler

Christoph Pfisterer

The disktype File System Sampler is a collection of disk images with various file systems. Its purpose is to aid in the testing and development of the disktype program.

The Sleuth Kit

Brian Carrier

A collection of command line tools and a C library for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.

Tracking an anonymous e-mailer

Amar Yousif

An approach to track or identify, the sender of an email through the use of social engineering and a remotely hosted image.


Avi Rozen

Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files.



Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hiding technique.


Michel Roukine

Vinetto is a forensics tool to examine Thumbs.db files. It is a command line python script that works on Linux, Mac OS X and Cygwin(win32)


AAron Walters

Volatility is an extensible memory forensics tool using python. Volatility comes with a number of standard plugins. The plugins use various techniques to extract artifacts from volatile memory (RAM) samples, these include:
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
Volatility also has support for extracting artificats from Windows Hibernation files and Windows crash dump files.

To view further documentation and follow latest developments visit http://code.google.com/p/volatility/


Klayton Monroe

WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.


Wireshark Team

Wireshark® is the world's most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.


Daniel Gillen

xmount allows you to convert on-the-fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file.


Gianluca Costa

The Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract from a network capture (pcap file or real-time acquisition) all application data content. For example, Xplico is able to extract all emails carried by the POP and SMTP protocols and all content carried by HTTP protocols from a pcap file.


Florian Buchholz

A graphical front-end that allows an investigator to manage event reconstruction. Super events may be created based on selected sub-events. Events may be moved around via drag-and-drop or directly assigned to a super event hierarchy. The event hierarchy can be displayed in a tree-like view allowing to collapse all or select branches. This way, an investigator can concentrate on events only relevant to his direct attention.

Syndicate content