The tables below list a selection of free computer forensics software and resources. It is the end user’s responsibility to check the licensing agreements of each one before use. Forensic Control provides no support or warranties for their use. Copying and publishing the whole or part of the table is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license.

Version numbers and links are correct as of 3 March 2011. *Entries marked with a star indicate that registration is required. Note for Chrome users: You may have to allow pop-ups for this site in order to use the links below, or right click and select ‘Open link in new tab’.

Disc Tools

Name
Version
From
Description
Encrypted Disk Detector 1.1.0 JADsoftware Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes
FAT32 Format 1.05 Ridgecrop Enables large capacity disks to be formatted as FAT32
FTK Imager 3.0.0.1443 AccessData Imaging tool, disk viewer and image mounter
Guymager 0.5.7beta1 vogu00 Multi-threaded GUI imager under running under Linux
HotSwap 5.0.0 Kazuyuki Nakayama Enables safe removal of SATA disks through spindown, etc
P2 eXplorer* 3.0.0 Paraben Virtually mount drives & forensic images
Tableau Imager* 1.11 Tableau Imaging tool for use with Tableau imaging products
Live View 0.7b CERT Allows examiner to boot dd images in VMware

Email Analysis

Name
Version
From
Description
Mail Viewer 1.7.3.0 MiTeC Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files

General

Name
Version
From
Description
Agent Ransack 2010 (762) Mythicsoft Search multiple files using Boolean operators and Perl Regex
CaseNotes* 1.2.2010.6 QCC Contemporaneous notes recorder
EvidenceMover* 2.00 Nuix Copies data between locations, with file comparison, verification, logging
FastCopy 2.06 Shirouzu Hiroaki The ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc
File Signatures 21 Dec 2010 Gary Kessler Table of file signatures
Forensic Test Images unknown Various Collated forensic images for training, practice and validation
HashMyFiles 1.70 Nirsoft Calculate MD5 and SHA1 hashes
MobaLiveCD 2.10 Mobatek Run Linux live CDs from their ISO image without having to boot to them
Mouse Jiggler 1.2 Arkane Systems Automatically moves mouse pointer stopping screen saver, hibernation etc
Notepad ++ 5.8.7 Notepad ++ Advanced Notepad replacement
NSRL 2.31 NIST Hash sets of ‘known’ (ignorable) files
USB Write Blocker unknown DSi Enables software write-blocking of USB ports
Windows Forensic Environment unknown Troy Larson Forensically boot and examine PCs within a Windows enviroment

File & Data Analysis

Name
Version
From
Description
Audit Viewer unknown Mandiant Viewer used with Memoryze (see below)
DCode 4.02a Digital Detective Converts various data types to date/time values
Defraser 1.2.7 Various Detects full and partial multimedia files in unallocated space
Exif Reader 3.00 Ryuuji Yoshimoto Extracts exif data from digital photographs
Forensic Image Viewer 1.03 Sanderson Forensics View various picture formats, image enhancer, extraction of embedded Exif, GPS data
Highlighter unknown unknown Examine log files using text, graphic or histogram views
LiveContactsView 1.10 Nirsoft View and export Windows Live Messenger contact details
Netwitness Investigator 9.0.5.4 Netwitness Network packet capture and analysis
Memoryze unknown Mandiant Acquire and/or analyze RAM images, including the page file on live systems
MFTview 1.1.0 Sanderson Forensics Displays and decodes contents of an extracted MFT file
PsTools 1 Jul 2009 Microsoft Suite of command-line Windows utilities
Shadow Explorer 0.8 Shadow Explorer Browse and extract files from shadow copies
SQLite Manager 0.6.8 Mrinal Kant, Tarakant Tripathy Firefox add-on enabling viewing of any SQLite database
Strings 2.41 Microsoft Command-line tool for text searches
Structred Storage Viewer 3.3.1 MiTec View and manage MS OLE Structured Storage based files
TimeLord 0.1.5.6 Paul Tew Time utility; timezones, BIOS times, decode computer time formats, etc
Windows File Analyzer 2.1.0 MiTeC Analyse thumbs.db, Prefetch, INFO2 and .lnk files

Data Analysis Suites

Name
Version
From
Description
Autopsy 2.24 Brian Carrier Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below)
Backtrack 4 R2 Backtrack Penetration testing and security audit with forensic boot capability
Caine 2.00 University of Modena e Reggio Emilia Linux live CD, featuring a number of analysis tools
P2 Shuttle Free* 1.30 Paraben Remote disk mounting, network RAM capture, search tools. Limited version of P2 Shuttle Pro
Paladin 16/08/2010 Sumuri Ubuntu based live boot CD for imaging and analyis
SIFT* 2.00 SANS VMware Appliance pre-configured with multiple tools allowing digital forensic examinations
The Sleuth Kit 3.2.1 Brian Carrier Collection of UNIX-based command line file and volume system forensic analysis tools
Ubuntu 10.10 Canonical Guide to using an Unbuntu live disk to recover partitions, carve files, etc
Volatility Framework 1.3 Volatile Systems Collection of tools for the extraction of artifacts from RAM

File Viewers

Name
Version
From
Description
Fragview* unknown QCC View recursive HTML, jpg and Flash files
Microsoft Excel 2007 Viewer 1.00 Microsoft View Excel spreadsheets
Microsoft PowerPoint 2007 Viewer 1.00 Microsoft View PowerPoint presentations
Microsoft Visio 2007 Viewer 1.00 Microsoft View Visio diagrams
Microsoft Word 2007 Viewer 1.00 Microsoft View Word documents
VideoTriage* unknown QCC Produces thumbnails of video files so that the whole video doesn’t need to be watched
VLC 1.1.7 VideoLAN View most multimedia files and DVD, Audio CD, VCD, etc

Internet History Analysis

Name
Version
From
Description
ChromeAnalysis 1.0.1 forensic-software Analysis of internet history data generated using Google Chrome
ChromeCacheView 1.26 Nirsoft Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
FoxAnalysis 1.4.2 forensic-software Analysis of internet history data generated using Mozilla Firefox 3
IECacheView 1.36 Nirsoft Displays various details of files in Internet Explorer cache; number of hits, last accessed times, etc
IECookiesView 1.74 Nirsoft Extracts various details of Internet Explorer cookies
IEHistoryView 1.56 Nirsoft Extracts recently visited Internet Explorer URLs
IEPassView 1.26 Nirsoft Extract stored passwords from Internet Explorer versions 4 to 8
MozillaCacheView 1.36 Nirsoft Reads the cache folder of Firefox/Mozilla/Netscape Web browsers
MozillaCookieView 1.36 Nirsoft Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers
MozillaHistoryView 1.31 Nirsoft Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web page
MyLastSearch 1.49 Nirsoft Scans the cache and history files to locate search queries made with the most popular search engines (Google, Yahoo and MSN) and with
popular social networking sites (Twitter, Facebook, MySpace)
PasswordFox 1.30 Nirsoft Extracts the user names and passwords stored by Mozilla Firefox Web browser
OperaCacheView 1.37 Nirsoft Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache
OperaPassView 1.05 Nirsoft Decrypts the content of the Opera Web browser password file, wand.dat
Web Historian 2.03 Mandiant Reviews list of URLs stored in the history files of the most commonly used browsers

Registry Analysis

Name
Version
From
Description
ForensicUserInfo 1.04 Woanware Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file
Process Monitor 2.94 Microsoft Examine Windows processes and registry threads in real time
RegRipper 022011 Harlan Carvey Registry data extraction and correlation tool
Regshot 1.8.2 Regshot Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software
USBDeviceForensics 1.05 Woanware Details previously attached USB devices on exported registry hives
USBDeview 1.87 Nirsoft Details previously attached USB devices
UserAssist 2.4.3 Didier Stevens Displays list of programs run, with run count and last run date and time

Web Application Analysis

Name
Version
From
Description
GigaView* 1.2 QCC Parses exported GigaTribe chat logs, results can be imported into Excel
KaZAlyser 1.2.8 Sanderson Forensics Extracts various data from the KaZaA application
LiveContactsView 1.10 Nirsoft View and export Windows Live Messenger contact details
SkypeLogView 1.21 Nirsoft View Skype calls and chats