Mutt

This article lists free tools for investigating information security incidents.
Disk tools and data collection
- Arsenal Image Mounter is a utility for working with disk images in Windows, accessing partitions, volumes, etc.
- DumpIt is a utility for creating a physical memory dump of Windows computers (32/64-bit). It can run from a USB stick.
- EnCase Forensic Imager is a utility for creating EnCase evidence files.
- Encrypted Disk Detector is a utility to detect encrypted TrueCrypt, PGP or BitLocker volumes.
- EWF MetaEditor is a utility for editing EWF (E01) metadata.
- FAT32 Format is a utility for formatting large capacity drives to FAT32.
- Forensics Acquisition of Websites is a browser designed to capture web pages for investigations.
- FTK Imager is a utility for viewing and cloning storage media in a Windows environment.
- Guymager is a multi-threaded GUI utility for creating Linux disk images.
- Live RAM Capturer is a utility for extracting a RAM dump, including from a system protected by anti-debugging or anti-dumping mechanisms.
- NetworkMiner is a network analysis tool to detect OS, hostname and open ports of network nodes through packet capture / PCAP analysis.
- Magnet RAM Capture is a utility for capturing RAM on Windows XP through Windows 10 and Windows Server 2003, 2008 and 2012.
- OSFClone is a live CD/DVD/USB utility for creating dd or AFF images.
- OSFMount is a utility for mounting disk images; it also allows you to create RAM disks.
Email analysis
- EDB Viewer is a utility for viewing EDB Outlook files without Exchange Server.
- Mail Viewer is a utility for viewing Outlook Express files, Windows Mail / Windows Live Mail, Mozilla Thunderbird message database and individual EML files.
- MBOX Viewer is a utility for viewing MBOX emails and attachments.
- OST Viewer is a utility for viewing OST Outlook files without an Exchange server.
- PST Viewer is a utility to view PST Outlook files without Exchange Server.
File and data analysis
- analyzeMFT is a utility for parsing MFT from the NTFS file system, allowing you to analyze the results using other tools.
- bstrings is a binary data search utility including regular expression search.
- CapAnalysis is a PCAP viewer utility.
- Crowd Response is a Windows console application to help collect system information for responding to security incidents.
- Crowd Inspect is a utility for getting information about network processes, listing the binaries associated with each process. Creates queries against VirusTotal and other online malware analysis and reputation services.
- The DCode utility converts various data types to date / time values.
- Defraser is a utility for detecting complete and partial multimedia files in unallocated space.
- The eCryptfs Parser utility recursively parses the headers of each eCryptfs file in the selected directory.
- Encryption Analyzer is a utility for analyzing password-protected and encrypted files; it reports the encryption complexity and decryption options for each file.
- ExifTool is a utility for reading and editing Exif data in a large number of file types.
- File Identifier is an online file type analysis tool (over 2000 types).
- Forensic Image Viewer is a utility for extracting data from images.
- Link Parser is a recursive folder analysis utility that extracts over 30 attributes from Windows .lnk (shortcut) files.
- Memoryze is a utility for analyzing RAM images, including analysis of page files.
- MetaExtractor is a utility for extracting metadata from office documents and PDF files.
- Shadow Explorer is a utility for viewing and extracting files from shadow copies.
Tools for Mac OS
- Audit is a utility for displaying audits and OS X logs.
- Disk Arbitrator blocks file system mounts, complementing a write blocker by disabling disk arbitration.
- FTK Imager CLI for Mac OS is a console version of the FTK Imager utility for Mac OS.
- IORegInfo is a utility for displaying information on devices connected to a computer (SATA, USB and FireWire, software RAID arrays). It can determine partition information, including sizes, types, and the bus to which the device is connected.
- mac_apt is a utility for working with E01, DD and DMG images.
- Volafox is a utility for analyzing memory in Mac OS X.
Mobile devices
- iPBA2 is an iOS backup analysis utility.
- iPhone Analyzer is a utility for analyzing the file structure of iPad, iPod and iPhone.
- ivMeta is a utility to extract phone model and software version as well as time and GPS data from iPhone videos.
- Rubus is a utility for deconstructing BlackBerry .ipd backup files.
- SAFT is a utility for extracting SMS messages, call logs and contacts from Android devices.