A selection of free forensic utilities

Mutt


This article lists free tools for investigating information security incidents.

Disk tools and data collection

Email analysis
  • EDB Viewer is a utility for viewing EDB Outlook files without Exchange Server.
  • Mail Viewer is a utility for viewing Outlook Express, Windows Mail / Windows Live Mail and Mozilla Thunderbird message databases and individual EML files.
  • MBOX Viewer is a utility for viewing emails and attachments in MBOX files.
  • OST Viewer is a utility for viewing OST Outlook files without an Exchange server.
  • PST Viewer is a utility for viewing PST Outlook files without Exchange Server.

File and data analysis
  • analyzeMFT is a utility for parsing the MFT of an NTFS file system, allowing you to analyze the results using other tools.
  • bstrings is a binary data search utility that includes regular expression search.
  • CapAnalysis is a PCAP viewer utility.
  • Crowd Response is a Windows console application to help collect system information for responding to security incidents.
  • Crowd Inspect is a utility for getting information about network processes, listing the binaries associated with each process. It queries VirusTotal and other online malware analysis and reputation services.
  • The DCode utility converts various data types to date / time values.
  • Defraser is a utility for detecting full and partial multimedia files in unallocated space.
  • The eCryptfs Parser utility recursively parses the headers of each eCryptfs file in the selected directory.
  • Encryption Analyzer is a utility for analyzing password-protected and encrypted files; it reports the encryption complexity and decryption options for each file.
  • ExifTool is a utility for reading and editing Exif data in a large number of file types.
  • File Identifier is an online file type analysis service (over 2000 file types).
  • Forensic Image Viewer is a utility for extracting data from images.
  • Link Parser is a recursive folder analysis utility that extracts over 30 attributes from Windows .lnk (shortcut) files.
  • Memoryze is a utility for analyzing RAM images, including analysis of "page" files.
  • MetaExtractor is a utility for extracting metadata from Office documents and PDFs.
  • Shadow Explorer is a utility for viewing and extracting files from shadow copies.

Tools for Mac OS
  • Audit is a utility for displaying audit records and OS X logs.
  • Disk Arbitrator blocks file system mounts, acting as a write blocker when disk arbitration is disabled.
  • FTK Imager CLI for Mac OS is the console version of the FTK Imager utility for Mac OS.
  • IORegInfo is a utility for displaying information on devices connected to a computer (SATA, USB and FireWire, software RAID arrays). It can identify partition information including sizes, types, and the bus to which the device is connected.
  • mac_apt is a utility for working with E01, DD and DMG images.
  • Volafox is a utility for analyzing memory in Mac OS X.

Mobile devices
  • iPBA2 is an iOS backup analysis utility.
  • iPhone Analyzer is a utility for analyzing the file structure of iPad, iPod and iPhone.
  • ivMeta is a utility to extract phone model and software version as well as time and GPS data from iPhone videos.
  • Rubus is a utility for deconstructing BlackBerry .ipd backup files.
  • SAFT extracts SMS, call logs and contacts from Android devices.