Open source tools for forensic investigation process model
Forensic investigations are always challenging, since you have to gather all the information you can to support the evidence and the mitigation plan. Here are some of the tools a computer forensic investigator needs. Most of them are free!
Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what’s “under the hood” of a system.
1. Autopsy
Autopsy is a GUI-based open source digital forensic program for analyzing hard drives and smartphones effectively. Autopsy is used by thousands of users worldwide to investigate what actually happened on a computer.
2. Encrypted Disk Detector
Encrypted Disk Detector checks physical drives for encrypted volumes. It supports TrueCrypt, PGP, BitLocker and SafeBoot encrypted volumes.
3. Wireshark
Wireshark is a network capture and analysis tool that shows what is happening on your network. It comes in handy when investigating network-related incidents.
4. Magnet RAM Capture
You can use Magnet RAM Capture to capture the physical memory of a computer and analyze the artifacts held in memory. It supports the Windows operating system.
5. Network Miner
An interesting network forensic analyzer for Windows, Linux and Mac OS X that detects operating systems, hostnames, sessions and open ports through packet sniffing or from a PCAP file. Network Miner presents the extracted artifacts in an intuitive user interface.
6. NMAP
NMAP (Network Mapper) is one of the most popular network and security auditing tools. NMAP is supported on most operating systems, including Windows, Linux, Solaris, Mac OS, HP-UX and others. It is open source and therefore free.
7. RAM Capturer
RAM Capturer by Belkasoft is a free tool for dumping a computer's volatile memory. It is compatible with Windows. Memory dumps may contain passwords for encrypted volumes and login credentials for webmail and social network services.
8. Forensic Investigator
If you are using Splunk, Forensic Investigator will be a very handy tool. It is a Splunk app that combines many tools.
9. FAW
FAW (Forensics Acquisition of Websites) acquires web pages for forensic investigation and has the following features:
- Capture the entire page or part of it
- Capture all types of images
- Capture the HTML source code of the web page
- Integrate with Wireshark
10. HashMyFiles
HashMyFiles helps you calculate MD5 and SHA1 hashes. It works on almost all recent versions of Windows.
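An added example (not from the page or from HashMyFiles) of the task the tool automates: computing MD5 and SHA1 for each evidence file at acquisition time, recording them in a manifest, and re-verifying later so that any post-acquisition change is caught. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=1 << 20):
    """MD5 and SHA1 of a file, read in 1 MiB chunks so large images never sit in memory whole."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def write_manifest(paths, manifest_path):
    """Record 'md5 sha1 filename' per file: the baseline taken at acquisition time."""
    with open(manifest_path, "w") as out:
        for p in paths:
            md5, sha1 = hash_file(p)
            out.write(f"{md5} {sha1} {os.path.basename(p)}\n")

def verify_manifest(manifest_path, directory):
    """Re-hash every file in the manifest; map filename -> 'ok', 'MISMATCH' or 'MISSING'."""
    results = {}
    with open(manifest_path) as f:
        for line in f:
            md5, sha1, name = line.rstrip("\n").split(" ", 2)
            path = os.path.join(directory, name)
            if not os.path.exists(path):
                results[name] = "MISSING"
            elif hash_file(path) == (md5, sha1):
                results[name] = "ok"
            else:
                results[name] = "MISMATCH"
    return results

def demo():
    """Constructed scenario: two evidence files, one modified after the manifest was written."""
    d = tempfile.mkdtemp()
    image, notes = os.path.join(d, "image.dd"), os.path.join(d, "notes.txt")
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed evidence image")
    with open(notes, "wb") as f:
        f.write(b"chain of custody notes\n")
    manifest = os.path.join(d, "manifest.txt")
    write_manifest([image, notes], manifest)
    with open(notes, "ab") as f:          # simulate a post-acquisition change
        f.write(b"edited later\n")
    return verify_manifest(manifest, d)

if __name__ == "__main__":
    print(demo())   # {'image.dd': 'ok', 'notes.txt': 'MISMATCH'}
```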
11. USB Write Blocker
View the contents of USB drives without leaving a footprint or changing metadata and timestamps. USB Write Blocker uses the Windows registry to write-block USB devices.
12. Crowd Response
Crowd Response by CrowdStrike is a Windows application for gathering system information for incident response and security engagements. You can view the results in XML, CSV, TSV or HTML with the help of CRConvert. It runs on 32- and 64-bit Windows from XP upwards.
CrowdStrike has some other nice tools for investigation:
- Tortilla – anonymously route TCP/IP and DNS traffic through Tor.
- Shellshock Scanner – scan your network for the Shellshock vulnerability.
- Heartbleed Scanner – scan your network for the OpenSSL Heartbleed vulnerability.
13. NFI Defraser
The Defraser forensic tool detects full and partial multimedia files in data streams.
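An added example, not Defraser's own code, of how a carver tells a full multimedia file from a partial one in a raw data stream: it follows the JPEG segment structure from each start-of-image marker and reports whether the end-of-image marker was reached. The JPEG skeletons in the stream are constructed for the demonstration.

```python
SOI = b"\xff\xd8\xff"   # start-of-image marker followed by the first segment's 0xFF

def _walk_jpeg(data, start):
    """Follow the JPEG segment structure from a SOI at `start`.
    Returns (end_offset, 'complete' | 'partial')."""
    i, n = start + 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return i, "partial"                 # marker expected: structure is broken here
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte
            i += 1
            continue
        if marker == 0xD9:                      # EOI
            return i + 2, "complete"
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length field
            i += 2
            continue
        if i + 4 > n:
            return n, "partial"
        seg_len = int.from_bytes(data[i + 2:i + 4], "big")
        if seg_len < 2 or i + 2 + seg_len > n:
            return n, "partial"                 # segment length runs past the stream end
        if marker == 0xDA:                      # SOS: entropy-coded data follows the header
            j = i + 2 + seg_len
            while j + 1 < n:
                if data[j] == 0xFF and data[j + 1] == 0xD9:
                    return j + 2, "complete"    # stuffed FF00 and RSTn never look like EOI
                j += 1
            return n, "partial"
        i += 2 + seg_len                        # skip the segment, embedded thumbnails included

    return n, "partial"

def carve_jpegs(data):
    """Return [(offset, length, status)] for every JPEG found in a raw byte stream.
    A complete image is skipped over entirely, so a thumbnail embedded in its Exif
    segment is not reported twice; a partial one is re-scanned from its next byte."""
    found, pos = [], 0
    while (start := data.find(SOI, pos)) >= 0:
        end, status = _walk_jpeg(data, start)
        found.append((start, end - start, status))
        pos = end if status == "complete" else start + 1
    return found

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed stream (not a real capture): one well-formed JPEG skeleton that carries a
# thumbnail in its APP1 segment, some junk, then a JPEG cut off before its EOI.
THUMB = b"\xff\xd8" + _segment(0xDB, b"\x00" * 4) + b"\xff\xd9"
FULL = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01") + _segment(0xE1, b"Exif\x00\x00" + THUMB)
        + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
TRUNCATED = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00") + _segment(0xDA, b"\x01") + b"\xab\xcd\xef"
STREAM = b"\x00" * 10 + FULL + b"garbage!" + TRUNCATED

if __name__ == "__main__":
    for offset, length, status in carve_jpegs(STREAM):
        print(f"JPEG at offset {offset}, {length} bytes, {status}")
```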
14. ExifTool
ExifTool helps you read, write and edit metadata for a large number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix and more.
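An added example (not ExifTool's code) of the Exif metadata such a tool reads: a minimal parser that walks the TIFF-structured IFDs inside a JPEG's APP1 segment, follows the GPS sub-IFD and converts the coordinates to decimal degrees, for both byte orders the TIFF header allows. The sample JPEG, camera name and coordinates are constructed for the demonstration.

```python
import struct
IFD0_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x9003: "DateTimeOriginal",
              0x8769: "ExifIFD", 0x8825: "GPSIFD"}
GPS_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude", 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZES = {2: 1, 3: 2, 4: 4, 5: 8}                  # ASCII, SHORT, LONG, RATIONAL (bytes per item)
SUB_IFDS = {0x8769: IFD0_NAMES, 0x8825: GPS_NAMES}     # pointer tags -> tag names used in that IFD

def _read_value(tiff, order, typ, count, field):      # `field` is the entry's 4-byte value-or-offset cell
    size = TYPE_SIZES[typ] * count
    if size > 4:                                       # too big to be inline: field holds an offset
        off = struct.unpack(order + "I", field)[0]
        data = tiff[off:off + size]
    else:
        data = field[:size]                            # inline values are left-justified
    if len(data) < size:
        return None                                    # truncated blob: value lies past the end
    if typ == 2:
        return data.rstrip(b"\x00").decode("ascii", "replace")
    vals = struct.unpack(order + {3: "H", 4: "I", 5: "II"}[typ] * count, data)
    if typ == 5:
        vals = tuple(n / d if d else float("nan") for n, d in zip(vals[::2], vals[1::2]))
    return vals[0] if count == 1 else vals

def parse_ifd(tiff, order, offset, names):
    """Walk one IFD, descending into the Exif and GPS sub-IFDs it points to."""
    out = {}
    for k in range(struct.unpack_from(order + "H", tiff, offset)[0]):
        entry = offset + 2 + 12 * k
        tag, typ, n = struct.unpack_from(order + "HHI", tiff, entry)
        value = _read_value(tiff, order, typ, n, tiff[entry + 8:entry + 12]) if typ in TYPE_SIZES else None
        if tag in SUB_IFDS and isinstance(value, int):
            value = parse_ifd(tiff, order, value, SUB_IFDS[tag])
        out[names.get(tag, f"0x{tag:04X}")] = value
    return out

def extract_exif(jpeg):
    """Locate the APP1 Exif segment of a JPEG and parse its TIFF-structured IFDs."""
    i = jpeg.find(b"\xff\xe1")
    if i < 0 or jpeg[i + 4:i + 10] != b"Exif\x00\x00":
        return {}
    tiff = jpeg[i + 10:i + 2 + struct.unpack(">H", jpeg[i + 2:i + 4])[0]]
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte order declared by the TIFF header
    magic, ifd0 = struct.unpack_from(order + "HI", tiff, 2)
    return parse_ifd(tiff, order, ifd0, IFD0_NAMES) if magic == 42 else {}

def to_decimal(dms, ref):                              # (deg, min, sec) + hemisphere -> signed degrees
    value = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -value if ref in ("S", "W") else value

def _entry(order, tag, typ, count, field):            # one 12-byte IFD entry, value left-justified
    return struct.pack(order + "HHI", tag, typ, count) + field.ljust(4, b"\x00")

def build_sample_jpeg(order="<"):
    """Constructed JPEG skeleton with an Exif APP1 segment (not a real photograph)."""
    make, when = b"ExampleCam\x00", b"2024:01:15 10:30:00\x00"       # stored at offsets 50 and 61
    lat = struct.pack(order + "6I", 48, 1, 51, 1, 1234, 100)          # 48 deg 51' 12.34", at offset 111
    ifd0 = (struct.pack(order + "H", 3) + _entry(order, 0x010F, 2, len(make), struct.pack(order + "I", 50))
            + _entry(order, 0x0132, 2, len(when), struct.pack(order + "I", 61))
            + _entry(order, 0x8825, 4, 1, struct.pack(order + "I", 81)) + b"\x00" * 4)   # IFD0: 8..50
    gps = (struct.pack(order + "H", 2) + _entry(order, 0x0001, 2, 2, b"N\x00")
           + _entry(order, 0x0002, 5, 3, struct.pack(order + "I", 111)) + b"\x00" * 4)  # GPS IFD: 81..111
    tiff = (b"II" if order == "<" else b"MM") + struct.pack(order + "HI", 42, 8) + ifd0 + make + when + gps + lat
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"
```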
15. Toolsley
Toolsley has more than 10 useful tools for investigation, including:
- File signature verifier
- File identifier
- Hash & Validate
- Binary inspector
- Encode text
- Data URI generator
- Password generator
16. SIFT
The SIFT (SANS Investigative Forensic Toolkit) workstation is freely available, based on Ubuntu 14.04. SIFT is a suite of the forensic tools you need and one of the most popular open source incident response platforms.
17. Dumpzilla
Dumpzilla extracts all interesting information from the Firefox, Iceweasel and Seamonkey browsers for analysis.
18. Browser History
Foxton has two interesting free tools:
- Browser History Capturer – captures web browser (Chrome, Firefox, IE and Edge) history on Windows.
- Browser History Viewer – extracts and analyzes internet activity history from most modern browsers. Results are shown in an interactive graph and the historical data can be filtered.
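An added example, not part of Dumpzilla or of Foxton's tools, of what a browser history extractor does with Firefox's places.sqlite: it converts the PRTime timestamps, resolves each visit's referring page and filters by a time window. The schema subset and the visits are constructed in memory for the demonstration.

```python
import sqlite3
from datetime import datetime, timezone

# Minimal subset of the Firefox places.sqlite schema that history analysis relies on.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                         visit_count INTEGER, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 5: "redirect_permanent", 6: "redirect_temporary"}

def prtime_to_utc(prtime):
    """Firefox stores visit_date as PRTime: microseconds since the Unix epoch."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)

def _to_prtime(iso_utc):
    return int(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).timestamp() * 1_000_000)

def history(conn, start=None, end=None):
    """Visits newest first as (utc datetime, url, title, visit type, referring url).
    start/end are optional ISO-8601 UTC timestamps bounding the window (end exclusive)."""
    sql = """SELECT v.visit_date, p.url, p.title, v.visit_type, r.url
             FROM moz_historyvisits v
             JOIN moz_places p ON p.id = v.place_id
             LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
             LEFT JOIN moz_places r ON r.id = fv.place_id"""
    clauses, params = [], []
    if start is not None:
        clauses.append("v.visit_date >= ?")
        params.append(_to_prtime(start))
    if end is not None:
        clauses.append("v.visit_date < ?")
        params.append(_to_prtime(end))
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY v.visit_date DESC"
    return [(prtime_to_utc(d), url, title, VISIT_TYPES.get(vt, str(vt)), ref)
            for d, url, title, vt, ref in conn.execute(sql, params)]

def sample_db():
    """Constructed in-memory places.sqlite: three visits, one reached via a link from another."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.org/", "Example", 1, 1705312200000000),
        (2, "https://example.org/download", "Download", 1, 1705312260000000),
        (3, "https://intranet.example/wiki", "Wiki", 1, 1705400000000000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, 1705312200000000, 2),   # typed into the address bar
        (2, 1, 2, 1705312260000000, 1),   # followed a link from visit 1
        (3, 0, 3, 1705400000000000, 2),
    ])
    return conn

if __name__ == "__main__":
    for when, url, title, kind, ref in history(sample_db(), start="2024-01-15T00:00:00", end="2024-01-16T00:00:00"):
        print(when.isoformat(), kind, url, "<-", ref)
```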
19. ForensicUserInfo
Extract the following information with ForensicUserInfo:
- LM/NT Hash
- Password reset/Account expiry date
- Login count/fail date
- Profile path
20. Kali Linux
Kali Linux is one of the most popular platforms for penetration testing, but it has forensic capabilities too.
21. PALADIN
PALADIN forensic suite, the world's most popular Linux forensic suite, is a modified Linux distro based on Ubuntu, available in 32- and 64-bit versions.
22. Sleuth Kit
The Sleuth Kit is a collection of command line tools for investigating and analyzing volumes and file systems to find evidence.
23. CAINE
CAINE (Computer Aided Investigative Environment) is a Linux distro that offers a complete forensic platform with more than 80 tools for analyzing, investigating and creating an actionable report.
24. Volatility
Volatility is a memory forensics framework used for incident response and malware analysis. With this tool you can extract information about running processes, network sockets, network connections, DLLs and registry hives. It also supports extracting information from Windows crash dump files and hibernation files. The tool is available for free under the GPL license.
25. WindowsSCOPE
WindowsSCOPE is another memory forensics and reverse engineering tool for analyzing volatile memory. It is mainly used for reverse engineering malware. It can analyze the Windows kernel, drivers, DLLs, and virtual and physical memory.
26. The Coroner’s Toolkit
The Coroner’s Toolkit, or TCT, is also a good digital forensic analysis tool. It runs under several Unix-related operating systems and can be used to aid the analysis of computer disasters and data recovery.
27. Bulk Extractor
Bulk Extractor is another important and popular digital forensics tool. It scans disk images, files or directories of files to extract useful information. In doing so it ignores the file system structure, which makes it faster than other similar tools. It is mainly used by intelligence and law enforcement agencies in solving cyber crimes.
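An added example, not Bulk Extractor's code, of scanning a raw image for e-mail addresses and URLs without consulting the file system, including the boundary problem this creates: a feature may straddle two read chunks, and a match cut off at a chunk end must not be reported in its shortened form. The sample image bytes are constructed.

```python
import io
import re

# Feature scanners over raw bytes. The UTF-16LE variant catches e-mail addresses stored
# the way Windows does (each ASCII byte followed by a NUL) in registry hives, LNK files and
# NTFS metadata; a plain-text scanner would never see them.
EMAIL = rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
EMAIL_UTF16 = rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:[A-Za-z0-9.-]\x00)+\.\x00(?:[A-Za-z]\x00){2,}"
URL = rb"https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._~:/?#%&=+-]*)?"
SCANNERS = {"email": re.compile(EMAIL), "email_utf16": re.compile(EMAIL_UTF16), "url": re.compile(URL)}

def scan_stream(stream, chunk_size=4096, overlap=256):
    """Yield (kind, absolute offset, text) for every feature in a raw byte stream, ignoring
    file system structure entirely. Each chunk is scanned together with the tail of the
    previous one so a feature straddling the boundary is matched in full; a match that
    runs into the chunk end is deferred to the next chunk (it may be longer there), and a
    match lying entirely inside the carried tail is skipped because it was already emitted.
    `overlap` must exceed the longest feature you expect."""
    base, tail = 0, b""
    block = stream.read(chunk_size)
    while block:
        nxt = stream.read(chunk_size)            # look ahead so we know when the stream ends
        buf = tail + block
        for kind, rx in SCANNERS.items():
            for m in rx.finditer(buf):
                if m.end() < len(tail) or (m.end() == len(buf) and nxt):
                    continue
                text = m.group().decode("utf-16-le" if kind == "email_utf16" else "ascii")
                yield kind, base - len(tail) + m.start(), text
        base += len(block)
        tail = buf[-overlap:]
        block = nxt

def extract_features(data, chunk_size=4096, overlap=256):
    """Run the scanner over an in-memory image and return the features sorted by offset."""
    return sorted(scan_stream(io.BytesIO(data), chunk_size, overlap), key=lambda f: f[1])

# Constructed "disk image" (no real file system): an e-mail address that crosses the
# 64-byte chunk boundary used in the demo, a URL, and a UTF-16LE encoded address.
SAMPLE = (b"\x00" * 50 + b"contact: alice@example.com " + b"\xff" * 30
          + b"https://evidence.example/drop?id=7" + b"\x00" * 20
          + "bob@example.org".encode("utf-16-le") + b"\x00" * 40)

if __name__ == "__main__":
    for kind, offset, text in extract_features(SAMPLE, chunk_size=64, overlap=32):
        print(f"{offset:8d} {kind:12s} {text}")
```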
28. Oxygen Forensic Suite
If you are investigating a case that requires you to gather evidence from a mobile phone to support your case, Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this.
29. Free Hex Editor Neo
Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.
30. Xplico
Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract application data from internet traffic (for example, Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.
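An added example (not Xplico's code) of extracting an e-mail message from SMTP traffic: the client half of a reassembled TCP stream is parsed for the envelope commands, the DATA block is dot-unstuffed and handed to Python's email parser, and a capture that ends before the DATA terminator is flagged as incomplete. The session text is constructed.

```python
import email
import re
from email import policy

def _address(line):
    """Pull the mailbox out of 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>' (angle brackets optional)."""
    m = re.search(rb"<([^>]*)>", line)
    return (m.group(1) if m else line.split(b":", 1)[1].strip()).decode("ascii", "replace")

def parse_smtp_session(client_stream):
    """Reconstruct messages from the client->server half of a reassembled SMTP TCP stream.
    Returns one dict per DATA block: envelope sender, envelope recipients, the parsed
    message, and whether the terminating '.' line was seen (False = capture cut short)."""
    lines = client_stream.split(b"\r\n")
    envelope = {"mail_from": None, "rcpt_to": []}
    messages, i = [], 0
    while i < len(lines):
        cmd = lines[i].upper()
        if cmd.startswith(b"MAIL FROM:"):
            envelope["mail_from"] = _address(lines[i])
        elif cmd.startswith(b"RCPT TO:"):
            envelope["rcpt_to"].append(_address(lines[i]))
        elif cmd == b"RSET":
            envelope = {"mail_from": None, "rcpt_to": []}
        elif cmd == b"DATA":
            body, i = [], i + 1
            while i < len(lines) and lines[i] != b".":
                # RFC 5321 4.5.2: a leading dot is doubled on the wire; undo that here
                body.append(lines[i][1:] if lines[i].startswith(b".") else lines[i])
                i += 1
            msg = email.message_from_bytes(b"\r\n".join(body), policy=policy.default)
            messages.append({**envelope, "message": msg, "complete": i < len(lines)})
            envelope = {"mail_from": None, "rcpt_to": []}
        i += 1
    return messages

def body_lines(msg):
    """Plain-text body of a parsed message as a list of lines."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().splitlines() if part is not None else []

# Constructed client side of an SMTP exchange, as a tool would see it after TCP reassembly.
SESSION = (b"EHLO workstation.example\r\n"
           b"MAIL FROM:<alice@example.com>\r\n"
           b"RCPT TO:<bob@example.org>\r\n"
           b"RCPT TO:<carol@example.org>\r\n"
           b"DATA\r\n"
           b"From: Alice <alice@example.com>\r\n"
           b"To: bob@example.org, carol@example.org\r\n"
           b"Subject: Q3 invoices\r\n"
           b"Content-Type: text/plain; charset=utf-8\r\n"
           b"\r\n"
           b"Please review.\r\n"
           b"..hidden line that starts with a dot\r\n"
           b".\r\n"
           b"QUIT\r\n")
# The same session with the capture ending before the DATA terminator.
TRUNCATED = SESSION[:SESSION.index(b"..hidden")] + b"partial"

if __name__ == "__main__":
    for m in parse_smtp_session(SESSION):
        print(m["mail_from"], "->", m["rcpt_to"], "|", m["message"]["subject"], "|", body_lines(m["message"]))
```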
1. Wireshark
Wireshark is one of the best open-source forensic tools for network packet analysis. It allows you to intercept and decrypt data in real time (it supports WEP, SSL, and IPsec). It’s one of the live forensics tools that support rich VoIP analysis, which is one of its most prominent features.
With it, you’ll always stay on top of what’s going on inside the network you’re investigating.
2. NMAP
Network Mapper (or NMAP for short) is one of the cyber security forensics tools for network scanning and auditing. One of its core advantages is the fact that it supports almost every popular operating system in existence, including Windows, Linux and Mac, as well as some less common ones like Solaris and HP-UX.
It’s open-source and thus 100% free to use.
3. Oxygen Forensic Suite
Oxygen Forensic Suite is one of the popular open-source mobile forensics tools that will help you gather the evidence you need from a mobile phone.
It also belongs on the list of Android forensic tools that let you bypass the password or lock screen gesture prompt, thus granting you unobstructed access to data that is stored inside.
This is a free alternative to SPF Pro, one of SalvationDATA’s flagship products. Since SPF Pro is way more powerful and has more features, be sure to sign up for the no-strings-attached free trial.
4. The Sleuth Kit
The Sleuth Kit is one of the open-source data acquisition tools for digital forensic analysis that allow you to extract data from hard disk drives and other types of storage media. Since it’s a collection of command-line tools, it may not be the most user-friendly computer forensic tool in existence.
So we invite you to try DRS instead.
With a free trial and a learning curve that’s much less steep, it’s a no-brainer choice.
5. SIFT
SIFT is based on Ubuntu, thus making it one of the top digital forensic tools you can download and try for free. It has some of the finest open source incident response functionality, all while incorporating some of the latest approaches to digital forensics.
6. Volatility
Available under the GPL license, Volatility is a memory forensics framework that allows you to extract information directly from the processes that are running on the computer, making it one of the best forensic imaging and cyber security forensics tools you can try for free.
Numerous forensics and cyber security experts use it for its malware analysis and incident response capabilities. In addition, this cyber forensic tool allows you to extract data from Windows crash dump files, DLLs, network sockets, and the network connection itself.
7. Free Hex Editor Neo
Free Hex Editor Neo is one of the top database forensics tools for handling large files.
Much like DBF by SalvationDATA, it’s one of those forensic image tools that have both a paid and a free version you can try at your leisure. Among its main features are manual data carving, data extraction, low-level file editing, and performing a deep scan to uncover hidden data.
8. MVT
MVT is one of the finest iOS and Android forensic tools that lets you decrypt encrypted backups and discover traces of malware that may be present in the system. It will generate a report of exactly what apps are installed on the smartphone and even present the extracted data as a JSON string.
If you’re looking for a mobile forensic tool with capabilities like this but aren’t overly trusting of free mobile forensic tools, look no further than SalvationDATA’s SPF Pro. It has better functions, ongoing support by the developer team, is more user-friendly, and has a free trial to boot.
If you’re a fan of open-source forensic tools that come with a GUI, you’ll love this one. Hard drive forensics tools like this one give you everything you need to check the state of the hard drive and recover deleted, fragmented or overwritten files.
Moreover, it also lets you recover data from smartphones. If you’re also looking for ongoing support and guidance, DRS by SalvationDATA is a digital forensics solution that does all of this and more.
10. FAW
Forensics Acquisition of Websites (or FAW for short) is one of the best digital forensic tools for analyzing websites. After you run it, it will capture the entire source code and any images the page contains so you can investigate them for traces of criminal activity.
Once finished, you can take the data and integrate it with other computer forensic software tools like Wireshark.
11. USB Write Blocker
Much like DRS by SalvationDATA, USB Write Blocker comes with a write-blocker that will protect the files inspected from being overwritten. Both of these PC forensics tools are perfect for analyzing a USB flash drive or a photo memory stick and can pull up lost data that would otherwise be impossible to salvage on your own.
12. NFI Defraser
NFI Defraser is one of the video forensic tools that can examine a data stream and detect any multimedia files it contains, whether they are full or partial.
For a more advanced alternative that’s fully suitable for recovering video evidence and making it admissible in court, VIP 2.0 by SalvationDATA is the go-to choice entrusted by numerous IT forensics experts around the world.
13. ExifTool
As the name implies, ExifTool can read, write, and edit EXIF and metadata across a wide range of format types, thus making it a suitable option if you’re looking for free photo forensics tools. In addition, it’s compatible with FlashPix, IRB, IPTC, GPS, GeoTIFF, XMP, JFIF, and other formats.
14. Dumpzilla
In essence, Dumpzilla is a Python 3 script designed for extracting data from popular web browsers: Firefox, Seamonkey, and Iceweasel. It’s compatible with both Windows and Unix-based operating systems, thus making it one of the most flexible free open source forensic tools that’s geared towards a specific purpose.
15. CAINE
Computer-Aided Investigative Environment (or CAINE for short) is not only a free computer forensic tool but a full-blown Linux distro you can use as part of your forensics investigation. Bundled with it, there are 80+ open-source forensic tools to give you an edge in cracking the case.
Do note that installing a standalone Linux distribution requires a certain degree of IT and computer knowledge, so we invite you to check out our Digital Forensic Lab, a much more time-effective and user-friendly one-stop solution for all your digital forensics needs.
16. Crowd Response
Crowd Response falls within the category of Windows security forensics tools with an incident response functionality. The report-generating feature allows you to export it to a wide range of formats, including CSV, XML, HTML, or TSV.
In addition, it comes with other useful cyber security features such as scanning your network for vulnerabilities.
17. Xplico
If you need a tool capable of doing a forensic analysis of email, look no further than this. Xplico is a powerful open-source tool that can analyze POP, SMTP, and IMAP traffic and extract content from e-mail messages.
Furthermore, it supports multiple protocols, including IMAP, HTTP, TCP, UDP, SIP, and others. The output it generates comes in the form of a MySQL or SQLite database.
18. ForensicUserInfo
ForensicUserInfo is one of the best computer forensic tools if the objective is to get into a Windows-powered device. It easily pulls out the user profile info, right along with the password hashes. It’s available for download from GitHub and other sources.
19. Paladin
Paladin is a full-fledged Linux distro, specially modified to suit your digital forensics needs. Naturally, this means it’s packed full of open-source forensic tools. However, this comes at the cost of user-friendliness, and the mere thought of installing another type of operating system can put people off, let alone using it. So keep this in mind.
20. The Coroner’s Toolkit
This is a suite of security forensics tools and software for digital forensics analysis. Unfortunately, only Unix-based operating systems are supported, but you should have no trouble running it on Linux, FreeBSD, Solaris, OpenBSD, and others.
The hidden risks and drawbacks of using open source digital forensic tools
Open source forensic tools may sound good on paper (particularly due to their non-existing price tag), but the reality of actually using them may be quite different than what you imagine it to be.
These are just some of the issues you may encounter with them:
- Limited capacity
- Lack of support
- Steep learning curve
- Trojans or spyware
- Data loss
- OS corruption
In addition to the above, any open source forensic tool may no longer be actively developed, updated, or supported in case the developers decide to abandon the project. This can lead to usability issues, cyber security concerns, and relying on technology that is out of date or no longer relevant.
Why a paid solution will get you much further during a digital forensic investigation
When the outcome of a case is at stake and time is a luxury that comes in limited quantities, you need a reliable solution that won’t leave you hanging. Open source forensic tools may be free, but they may not be in line with the best industry practices or may have other deficiencies.
Here are some of the reasons why free digital forensic tools pale in comparison with their paid counterparts:
With any free software, expecting ongoing support is not realistic. At the end of the day, developers need to put food on the table too, and they certainly won’t be able to make it with free products alone.
As technology evolves, so do forensic software tools. The paid ones have a dedicated team of developers behind them and they’re working round the clock to make continual tweaks and improvements (not to mention security enhancements).
In the paid forensic analysis tools space, the competition is quite fierce. This puts pressure on the developers to keep making their products better and adding more features over time to remain competitive.
Built by industry professionals
When your digital forensics career is at stake, who will you entrust the task to – industry professionals or some amateur code-monkeys who whipped something up in the basement? It’s not even up for debate.
The zero-cost aspect of open source forensic tools tends to be the most appealing. But did you know that most paid counterparts tend to come with a free trial? It usually lasts 30 days, which should be plenty of time for any law enforcement and intelligence organization to determine if it suits their needs.
Admissible in court
If you want the evidence to be admissible in court, certain industry standards need to be followed. While free digital forensic tools usually don’t guarantee this, it’s the exact opposite with paid forensic tools.
Discover SalvationDATA’s industry-grade forensic solutions portfolio
SalvationDATA is the leading digital forensics and investigations solution provider, offering intuitive one-click forensics gear and software tools that will help you crack the most complex of cases. As part of its portfolio, you will find:
Video Investigation Portable 2.0
VIP 2.0 is one of the most potent video forensic tools, capable of handling complex digital forensics tasks such as video recovery, retrieval, enhancement, and analysis. With it, recovering deleted, corrupted, and fragmented video files is a breeze.
SVR for Hikvision
SVR for Hikvision allows you to extract footage from most Hikvision DVR and NVR models with ease, effectively bypassing any passwords that stand in the way. It allows you to preview the footage recovered, thus saving you valuable time during the forensic investigation.
Smartphone Forensic System Professional
SPF PRO is the leading mobile forensic tool in the digital forensics industry. With it, you’ll have everything you need to break the encryption of most modern smartphones and operating systems, thus allowing for swift retrieval, recovery, extraction and analysis of data extracted.
Data Recovery System
DRS is the go-to one-click data recovery forensics software for gathering evidence from hard drives, USB flash drives, and other storage devices that is compatible with virtually every OS in existence. With DRS, you can count on swift recovery without further damaging or corrupting the files.
Database Forensic Analysis System
DBF is a one-stop database cybercrime forensics solution and one of the leading database forensics tools for tackling network fraud, encryption digital crime, financial crime, etc. It can effectively bypass the database password and reconstruct deleted, corrupted, or fragmented database files.
Digital Forensic Lab
Digital Forensic Lab is a one-stop solution for all your digital forensics needs and one of the most comprehensive forensic software tools of all. Uniformly visualize evidence, automate reporting, improve office comfort, and get more recognition and credibility among your peers in law enforcement.
With this, we conclude the list of digital forensic tools you can try with no fee or obligation today.
In the grand scheme of things, open-source solutions may be free, but they tend to be harder to learn, are inefficient, offer zero to no support, and, on top of that, could be potentially insecure. The field of digital forensics comes with a fair share of responsibility, so it’s much better to have reliable professional tools when you need them.
Since most paid digital forensics solutions tend to have a free 30-day trial, there is no risk involved and you can see for yourself why they’re the preferable alternative to open-source forensic tools.
On top of that, professional solution providers in digital forensics like SalvationDATA always provide training, on-site case assistance, maintenance, upgrades, and the list goes on.