As you might know, a data breach happens almost every day. Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media types.
Forensics has evolved over decades through various branches of forensic science, and it has have become a very important part of law enforcement all around the world. To fight cybercrime and protect digital assets on the Internet, forensics is definitely essential.
Digital Forensic tools help investigators extract those crucial pieces of evidence from electronic devices so they can be presented to the authorities.
So, when doing a forensic investigation, for whatever purpose, you need to use the right tools.
Here you will find 21 forensic investigator tools that are totally available for free.
Autopsy will help you locate many of the open source programs and plugins used in The Sleuth Kit.
It is actually used by law enforcement, military, and corporates when they want to investigate what happened on a computer. But you can even use it to recover photos from a memory card.
2- Magnet Encrypted Disk Detector
Magnet Encrypted Disk Detector is a command-line tool that can quickly and non-intrusively checks for encrypted volumes on a computer system.
This is a very useful tool during incident response, because what Encrypted Disk Detector does is check the local physical drives on a system for encrypted volumes.
And of course, you don’t have to pay anything to use it, because it is totally free.
Wireshark is an open source network capturer and analyzer tool, which will help you to see what’s happening in your network at a microscopic level.
It is also used across many commercial and non-profit enterprises, government agencies, and educational institutions, and it can be handy when investigating network-related incidents, network troubleshooting, analysis, software and communications protocol development, or simply for education.
It is also totally free and it works thanks volunteer contributions of networking experts around the globe.
4- Magnet RAM Capture
Magnet RAM Capture is a tool from Magnet Forensics and is designed to capture the physical memory of a suspect’s computer.
Doing this it can allow you, during an investigation, to recover and analyze valuable data that is found in the memory.
It also gives you the option to export the captured memory data in Raw format for easily upload into other analysis tools. And it is also a free tool.
5- Network Miner
Network miner is a network forensic analyzer that can be used to detect OS, hostname, sessions, and open ports through packet sniffing or by PCAP file.
Companies and organizations all over the world, like in incident response teams and law enforcement, use today and it has no cost at all since there is a free version of it.
NMAP or Network Mapper is one of the most popular networks and security auditing tools. Network administrators to scan ports and map networks use it. It can identify in which ports certain software is running and it can discover available hosts as well as what services they are offering.
It also appears in a lot of movies that you might have seen like Matrix, Snowden, Ocean’s 8, and many more, and is an excellent tool that can be easily implemented on your server without having to pay anything for it.
7- RAM Capturer
RAM Capturer by Belkasoft is also a tool that will help you to dump the data from a computer’s volatile memory.
It is compatible with Windows OS and it doesn’t require installation, it can be executed from an usb.
Memory dumps can be a valuable source of volatile evidence and information. Mostly because in them you can sometimes find passwords to encrypted volumes. This tool is also available for free.
FAW or Forensics Acquisition of Websites is a tool to acquire web pages for forensic investigation.
It lets you use side scrolling and a horizontal cursor so you can decide the web page area to be analyzed. It also captures all types of images, it captures HTML source code of the web page and it can be integrated with Wireshark, and it is also a free tool for forensic investigators.
HashMyFiles will help you to calculate the MD5 and SHA1 hashes.
By finding out the hash information on your files, you will be able to calculate their integrity.
Unfortunately, there is no help file available and the interface definitely needs some improvements but only from the visual point of view, but, hey, it’s still free.
Response is a windows application by Crowd Strike that will help you gather system information for incident response and security engagements.
CrowdResponse is ideally suited to non-intrusive data gathering from multiple systems when positioned across the network. According to iicybersecurity experts CrowdResponse is also available totally for free.
ExifTool will help you to read, write, and edit Meta information for a number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc.
So what ExifTool is, is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.
It supports many different metadata formats and some of its features include its Geotags images from GPS track log files with time drift correction, and that the fact that it generates track logs from geotagged images.
And of course, it is also available for free.
SIFT, which stand for SANS investigative forensic toolkit, is a whole suite of forensic tools you need and one of the most popular open source incident response platforms.
The SIFT Workstation contains a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of situations.
And if that does not seem not enough, it is freely available and frequently updated.
13- Browser History Capturer by Foxton and Browser History viewer
Browser History Viewer (BHV) is a forensic software tool for extracting and viewing Internet history from the main desktop web browsers. And Browser History Examiner is a browser forensic tool usually used for capturing, extracting, and analyzing the web browsing history data of a web browser. And these are both free tools.
14- Sleuth Kit
The Sleuth Kit is a collection of command-line tools to investigate and analyze volume and file systems used for digital forensic investigations. With its modular design, it can be used to carve out the right data and find evidence.
It’s usage is commonly in criminal investigations, or digital forensics as I was saying, or simply for file system analysis.
And, of course it is completely and totally free to use.
CAINE is a complete forensic environment with a friendly graphical interface. This is a complete digital forensics platform and graphical interface that works with other digital forensics tools.
Some of the tools included with CAINE are: The Sleuth Kit, Autopsy, RegRipper, Wireshark, PhotoRec and Fsstat. Some of them already explained here.
According to International Institute of Cyber Security experts it is also a free software.
16- Volatility Framework
Also built into SIFT, which we already explained in this article, Volatility is another open-source memory forensics framework for incident response and malware analysis.
While their releases may seem few and far between, Volatility Framework is a really unique forensic tool that lets investigators analyze the runtime state of a device. This by using system information found in the volatile memory or RAM. According to International Institute of Cyber Security experts its one of the best tool.
And what’s best, it is available for free.
17- Paladin Forensic Suite
PALADIN is an Ubuntu based tool that enables you to simplify a range of forensic tasks. In it, you will find a bunch of precompiled open-source forensic tools that can be used to perform various tasks. It actually provides more than 100 useful tools for investigating any malicious material. It can help you simplify your forensic task quickly and effectively.
And the best part is that is a courtesy of SUMURI, which means it is free for everyone.
18- FTK Imager
AccessData FTK Imager is a forensics tool for Windows whose main purpose is to preview recoverable data from a disk of any kind. It can also create perfect copies, called forensic images, of that data.
Additional features and functions like the possibility to create file hashes or mount already created disk images are other important advantages to discuss here.
Even when AccessData FTK Imager looks like a very professional tool created only for advanced forensics procedures, it’s actually very friendly. Furthermore, it is completely free.
Bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files.
The results it gives can be easily inspected and analyzed with automated tools. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications. Bulk_extractor is usually distinguished from other forensic tools by its speed. Because it ignores file system structure, bulk_extractor can process different parts of the disk in parallel. And it is also a free tool.
LastActivityView is a portable software application that will enable you to view the latest activity recorded by a computer.
However in this tool, there is an important aspect to take into account and is that the Windows registry does not get updated with new entries.
But well, let’s reviews the pros. LastActivityView has a very good response time. It is actually capable of detecting activity prior to its first run, and it also runs on a very low amount of CPU and RAM, so it won’t affect your computer’s overall performance.
It also has an overall simplicity and of course, it is totally free.
FireEye’s premier is an endpoint security tool that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis.
It is available from OS X and Linux environments.
Some of its features include auditing and collecting all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history.
Also, it can be very useful in-depth analysis because it allows the user to establish the timeline and scope of an incident, besides being completely free software.
These 21 tools for digital forensic will aid you in your investigation to make informed decisions regarding the case under review.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.