Digital devices are ubiquitous, and their use in chain-of-evidence investigations is crucial. Today’s smoking gun is more likely to be a laptop or a phone than a more literal weapon. Whether such a device belongs to a suspect or victim, the vast swathes of data these systems contain could be all an investigator needs to put together a case.
That said, retrieving that data securely, efficiently, and lawfully is not always a simple endeavor. As a result, investigators rely on new digital forensics tools to assist them.
Digital forensics tools are all relatively new. Up until the early 1990s, most digital investigations were conducted through live analysis, which meant examining digital media by using the device-in-question as anyone else would. However, as devices became more complex and packed with more information, live analysis became cumbersome and inefficient. Eventually, freeware and proprietary specialist technologies began to crop up as both hardware and software to carefully sift, extract, or observe data on a device without damaging or modifying it.
Digital forensics tools can fall into many different categories, including database forensics, disk and data capture, email analysis, file analysis, file viewers, internet analysis, mobile device analysis, network forensics, and registry analysis. In addition, many tools fulfill more than one function simultaneously, and a significant trend in digital forensics tools are “wrappers”—one that packages hundreds of specific technologies with different functionalities into one overarching toolkit.
New tools are developed daily, both as elite government-sponsored solutions and basement hacker rigs. The recipe for each is a little bit different. Some of these go beyond simple searches for files or images and delve into the arena of cybersecurity, requiring network analysis or cyber threat assessment. When there is a tool for everything, the most pressing question is which one to use.
Below, ForensicsColleges has collected some of the best digital forensics and cybersecurity tools. In selecting from the wide range of options, we considered the following criteria:
- Affordability: Price may not indicate quality, but collaborative peer reviews can be. Most of the tools below are open-sourced, and all are free and maintained by a community of dedicated developers.
- Accessibility: Unlike some proprietary brands which only sell to law-enforcement entities, all of these are available to individuals.
- Accountability: Whether through open source projects or real-world testimonials, experts have thoroughly vetted these technologies.
Featured Digital Forensics and Cybersecurity Tools
Autopsy is a digital forensics platform and graphical interface that forensic investigators use to understand what happened on a phone or computer. It aims to be an end-to-end, modular solution that is intuitive out of the box. Select modules in Autopsy can do timeline analysis, hash filtering, and keyword search. In addition, they can extract web artifacts, recover deleted files from unallocated space, and find indicators of compromise. All of this can be done relatively rapidly.
Autopsy runs background jobs in parallel so that even if a full search takes hours, a user will know within minutes whether targeted keywords have been found. In addition, investigators working with multiple devices can create a central repository through Autopsy that will flag phone numbers, email addresses, or other relevant data points.
Developed by the same team that created The Sleuth Kit, a library of command line tools for investigating disk images, Autopsy is an open-source solution, available for free in the interests of education and transparency. Unfortunately, the latest version is written in Java, and it is currently only available for Windows.
Bulk Extractor scans a file, directory, or disk image. It extracts information without parsing the file system or file system structures, allowing it to access different parts of the disk in parallel, making it faster than the average tool. The second advantage of Bulk Extractor is that it can be used to process practically any form of digital media: hard drives, camera cards, smartphones, SSDs, and optical drives.
The most recent versions of Bulk Extractor can perform social network forensics and extract addresses, credit card numbers, URLs, and other types of information from digital evidence. Other capabilities include creating histograms based on frequently used email addresses and compiling word lists, which can be helpful for password cracking.
All extracted information can be processed either manually or with one of four automated tools, one of which incorporates context-specific stop lists (i.e., search terms flagged by the investigator) that remove some human error from digital forensics investigation. The software is available for free for Windows and Linux systems.
Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) is a forensic toolkit that extracts evidence from Windows computers. Developed in 2006 by a former Hong Kong police officer turned Microsoft executive, the toolkit acts as an automated forensic tool during a live analysis. It contains more than 150 features and a graphical user interface that guides an investigator through data collection and examination and helps generate reports after extraction. Password decryption, internet history recovery, and other data collection forms are all included in the toolkit.
Microsoft claimed that COFEE had reduced three- to four-hour tasks to under 20 minutes at the time of its release. In addition, thousands of law enforcement agencies worldwide (including INTERPOL) use COFEE, and Microsoft provides free technical support.
In November 2009, COFEE was leaked onto multiple torrent sites. So while it is possible—though incredibly tricky—for criminals to build around the features in COFEE, it is also possible for the average citizen to now get a look at what was once the industry standard across the world for digital forensics.
Computer Aided Investigative Environment
CAINE offers a full-scale forensic investigation platform designed to incorporate other tools and modules into a user-friendly graphic interface. Its interoperable environment is intended to assist investigators in all four stages of an investigation: preservation, collection, examination, and analysis. In addition, it comes with dozens of pre-packaged modules (Autopsy, listed above, is among them). Developed on Linux, the tool is entirely open source and available for free.
Digital Forensics Framework
Digital Forensics Framework (DFF) is an open-source computer forensics platform built upon a dedicated Application Programming Interface (API). Equipped with a graphical user interface for simple use and automation, DFF guides a user through the critical steps of a digital investigation and can be used by both professionals and amateurs alike.
The tool can be used to investigate hard drives and volatile memory and create reports about system and user activity on the device in question. The DFF was developed with the three main goals of modularity (allowing for changes to the software by developers), scriptability (allowing for automation), and genericity (keeping the operating-system agnostic to help as many users as possible). The software is available for free on GitHub.
DumpZilla performs browser analysis, specifically of Firefox, Iceweasel, and Seamonkey clients. In addition, it allows for the visualization and customized search and extraction of cookies, downloads, history, bookmarks, cache, add-ons, saved passwords, and session data.
Developed in Python, it works under Linux and Windows 32/64 bit systems and DumpZilla is available for free from the developer’s website. While this was created as a standalone tool, its specific nature and lean packaging make it a vital component of future digital forensics suites.
The recipient of SC Magazine’s “Best Computer Forensic Solution” award for ten consecutive years, EnCase is considered the gold standard in forensic cybersecurity investigations, including mobile acquisitions. Since 1998, EnCase has offered forensic software to help professionals find evidence to testify in criminal investigation cases involving cybersecurity breaches by recovering evidence and analyzing files on hard drives and mobile phones.
Offering a comprehensive software lifecycle package from triage to final reports, EnCase also features platforms such as OpenText Media Analyzer, which reduces the amount of content for investigators to review to close cases faster manually. With four site license options for small companies; federal, state, and local law enforcement; consulting organizations; and colleges and universities, it offers criminal justice evidence analysis through just a few clicks.
ExifTool is a platform-independent system for reading, writing, and editing metadata across various file types. Of particular interest to the digital investigator is the reading of metadata, which can be achieved through command-line processes or a simple GUI. For example, investigators can drag and drop different files, such as a PDF, or a JPEG, and learn when and where the file was created—a crucial component in establishing a chain of evidence.
The software itself is lightweight and quick, making it an ideal inclusion in future digital forensics suites and easy to use. ExifTool is updated regularly and is available for both Windows and OSx from the developer’s website.
For tools such as The Sleuth Kit by Autopsy to work correctly, original digital copies of hard drives must be preserved before evidence can be extracted. Enter FTK Imager, a free tool that analyzes images of a drive and preserves the original integrity of the evidence without affecting its original state.
This tool can read all operating systems and enables users to recover files that have been deleted from digital recycle bins. In addition, it can parse XFS files and create hashes of files to check data integrity.
MAGNET RAM Capture
Analyzing a computer’s physical random access memory (RAM), MAGNET RAM Capture enables cybersecurity investigators to recover and analyze digital artifacts stored in a computer’s memory. Using a small memory footprint, digital forensic investigators can use the tool and minimize the amount of overwritten memory data.
This tool can export raw memory data in raw formats (.DMP, .RAW, .BIN), which can be uploaded to other forensics analysis tools such as Magnet AXIOM and Magnet IEF. This free tool supports several versions of Windows operating systems.
Considered by many as a standard network monitoring tool for large organizations, Nagios helps cybersecurity professionals monitor computer networks in real-time. In addition, the Nagios platform alerts network security professionals via email or text message if a security threat occurs.
Nagios supports standard enterprise-level network services such as ICMP, POP3, SMTP, and HTTP. It is compatible with Linux, Windows, server, application, SNMP, and log monitoring services and integrates with third-party addons. Free trials are available.
Initially a product of Mandiant, but later taken over by FireEye, a cybersecurity firm, Redline is a freeware tool that provides endpoint security and investigative capabilities to its users. It is mainly used to perform memory analysis and look for infection or malicious activity signs. Still, it can also be used to collect and correlate data around event logs, the registry, running processes, file system metadata, web history, and network activity.
Offering much more technical and under-the-hood capability than most digital forensics investigations necessitate, Redline has more applications in cybersecurity and other tech-driven criminal behavior where a granular analysis is critical. Redline currently only functions on Windows-based systems, but it is regularly updated by FireEye for optimum performance and can be downloaded for free on the FireEye website.
The SANS Investigative Forensics Toolkit (SIFT) is a collection of open-source incident response and forensics technologies designed to perform detailed digital investigations in various settings. The toolkit can securely examine raw disks and multiple file formats in a secure, read-only manner that does not alter the evidence it discovers.
SIFT is flexible and compatible with expert witness format (E01), advanced forensic format (AFF), and raw evidence formats. Built on Ubuntu, it incorporates many separate tools (including some on this list, such as Autopsy and Volatility) and puts them at an investigator’s disposal. SIFT is available for free and updated regularly.
SNORT is an open-source network security tool that performs three tasks: sniffs for packets, logs packets, and has comprehensive network intrusion features. Because it is open-source, it can be downloaded and used for personal ($29.99 per year) and professional ($399 per year) applications.
SNORT helps IT security professionals analyze network security vulnerabilities and prevent them from happening. When a network intrusion occurs, cybersecurity professionals are notified while the software blocks security intrusions.
When surveillance is a security threat, applications like Tor help PC and mobile device users be undetectable. Tor allows users to browse anonymously and prevent identity theft through increased internet security. This is useful when users need to access websites while visiting other countries, protect their identity, or be difficult to trace. In addition, it blocks browser plugins such as Flash, Real Player, QuickTime, and others. Finally, while it works on the iOS platform, Tor suggests iOS users use their Onion Browser for private browsing that automatically closes browsing history and extra tabs.
Tor’s mission is to “advance human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.”
The Volatility Foundation is a nonprofit organization whose mission is to promote the use of memory analysis within the forensics community. Its primary software is an open-source framework for incident response and malware detection through volatile memory (RAM) forensics. This allows the preservation of evidence in memory that would otherwise be lost during a system shutdown.
Written in Python and supportive of almost all 32-bit and 64-bit machines, it can sift through cached sectors, crash dumps, DLLs, network connections, ports, process lists, and registry files. The tool is available for free, and the code is hosted on GitHub.
Wireshark is the world’s most-used network protocol analysis tool, implemented by governments, private corporations, and academic institutions worldwide. As the continuation of a project that began in 1998, Wireshark lets a user see what is happening on a network at the microscopic level. By capturing network traffic, users can then scan for malicious activity.
Captured network data can be viewed on a graphical user interface on Windows, Linux, OSx, and several other operating systems. The data can be read from Ethernet Bluetooth, USB, and several others, while the output can be exported to XML, PostScript, CSV, or plain text.
Wireshark’s applications remain primarily in cybersecurity, but there are digital forensics investigation applications. Less about the smoking gun than the breadcrumb trail, Wireshark can point an investigator in the direction of malicious activity so that it can be tracked down and investigated.
What are the five 5 steps of digital forensics? ›
Process of Digital forensics includes 1) Identification, 2) Preservation, 3) Analysis, 4) Documentation and, 5) Presentation.What are forensic tools in cyber security? ›
Digital Forensic Tools are software applications that help to preserve, identify, extract, and document computer evidence for law procedures. These tools help to make the digital forensic process simple and easy. These tools also provide complete reports for legal procedures.What are the 3 A's of cyber forensics? ›
Acquisition (without altering or damaging), Authentication (that recovered evidence is the exact copy of the original data), and Analysis (without modifying) are the three main steps of computer forensic investigations.What are 5 digital forensics elements? ›
- Identification. First, find the evidence, noting where it is stored.
- Preservation. Next, isolate, secure, and preserve the data. ...
- Analysis. Next, reconstruct fragments of data and draw conclusions based on the evidence found.
- Documentation. ...
- IBM Security QRadar.
- Magnet Forensics.
- Parrot Security OS.
- FTK Forensic Toolkit.
- Imperva Attack Analytics.
- EnCase Forensic.
Computer forensics is hard, and it requires you to have a solid and varied IT background. If you decide to pursue a career in this field, it is essential to keep up with new technology trends. It is the responsibility of investigators in this field to investigate digital data collected as evidence in criminal cases.How many C's are in computer forensics? ›
There are three c's in computer forensics.How do I get into digital forensics? ›
A bachelor's degree in computer forensics or a similar area is generally required to become a computer forensics investigator. This degree will provide you with a foundation in investigation and computer use, emerging technologies, and techniques used in the industry.What are the three C's in computer forensics? ›
Precision in security requires the data to be integrated in order to produce context, correlation and causation. We call it the "Three C's of Security." What do we mean by precision?What is the difference between cyber forensics and cyber security? ›
Computer forensics deals with locating data that was compromised during a cyberattack, while cyber security aims to prevent cyberattacks before they occur. To put it in other terms, computer forensics is a reactionary while cyber security is preventative.
What is the difference between cyber forensics and digital forensics? ›
Digital forensics, also known as cyber forensics, is a broad term that describes activities relating to investigating attacks and cyber incidents involving various digital assets. This includes everything from mobile phones and computers to servers, networks and so on.What are the 4 steps of the forensic process? ›
The general phases of the forensic process are: the identification of potential evidence; the acquisition of that evidence; analysis of the evidence; and production of a report.What are the four steps in collecting digital evidence? ›
There are four phases involved in the initial handling of digital evidence: identification, collection, acquisition, and preservation ( ISO/IEC 27037 ; see Cybercrime Module 4 on Introduction to Digital Forensics).What are four uses of digital forensics? ›
- Identifying the cause and possible intent of a cyber attack.
- Safeguarding digital evidence used in the attack before it becomes obsolete.
- increasing security hygiene, retracing hacker steps, and finding hacker tools.
- Searching for data access/exfiltration.
1. Autopsy/The Sleuth Kit. Autopsy and The Sleuth Kit are probably the most well-known and popular forensics tools in existence. These tools are designed to analyze disk images, perform in-depth analysis of file systems and include a wide variety of other features.What are the basic methodology in cyber forensics? ›
Identification: The first step of cyber forensics experts are to identify what evidence is present, where it is stored, and in which format it is stored. Preservation: After identifying the data the next step is to safely preserve the data and not allow other people to use that device so that no one can tamper data.What are the two types of forensics software tools? ›
Autopsy and the Sleuth Kit are likely the most well-known forensics toolkits in existence. The Sleuth Kit is a command-line tool that performs forensic analysis of forensic images of hard drives and smartphones. Autopsy is a GUI-based system that uses The Sleuth Kit behind the scenes.Why are digital forensic tools important? ›
Digital forensics tools are hardware and software tools that can be used to aid in the recovery and preservation of digital evidence. Law enforcement can use digital forensics tools to collect and preserve digital evidence and support or refute hypotheses before courts.What is FTK used for? ›
Forensic Toolkit, or FTK, is a computer forensics software made by AccessData. It scans a hard drive looking for various information. It can, for example, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.What is FTK used for? ›
Forensic Toolkit, or FTK, is a computer forensics software made by AccessData. It scans a hard drive looking for various information. It can, for example, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.
Which of the following are cyber forensics tools? ›
- Autopsy/The Sleuth Kit. Autopsy and The Sleuth Kit are probably the most well-known and popular forensics tools in existence. ...
- X-Ways Forensics. X-Ways Forensics is a commercial digital forensics platform for Windows. ...
- AccessData FTK. ...
- EnCase. ...
- Mandiant RedLine. ...
- Paraben Suite. ...
- Bulk Extractor.
Autopsy and the Sleuth Kit are likely the most well-known forensics toolkits in existence. The Sleuth Kit is a command-line tool that performs forensic analysis of forensic images of hard drives and smartphones. Autopsy is a GUI-based system that uses The Sleuth Kit behind the scenes.What is autopsy forensic tool used for? ›
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.What is the difference between FTK and FTK Imager? ›
While the FTK Imager can be used for free indefinitely, FTK only works for a limited amount of time without a license. You can also order a demo from Access Data. In any case, you can find both of them on Access Data's official downloads page.How much does FTK cost? ›
FTK is a forensic suite. The owner, AccessData, also make the solid product FTK Imager available for free. They have recently expanded to offer cloud forensic capabilities. FTK is priced similarly to Encase, at around $3000.Can FTK Imager image phones? ›
So basically Android memory storage file format is not FAT/ExFAT/NTFS format and thus cannot be seen by FTK Imager.What are the three C's in computer forensics? ›
Precision in security requires the data to be integrated in order to produce context, correlation and causation. We call it the "Three C's of Security." What do we mean by precision?What is the difference between cyber forensics and digital forensics? ›
Digital forensics, also known as cyber forensics, is a broad term that describes activities relating to investigating attacks and cyber incidents involving various digital assets. This includes everything from mobile phones and computers to servers, networks and so on.What is one of the most important tools of the forensic investigator? ›
|the first task of forensic scientists is to convict a perpetrator (true or false)||false|
|our brains fill in the gaps in our memories (true or false)||true|
|one of the most important tools of the forensic investigator is the ability to...||observe, interpret, and report observations clearly|
The general phases of the forensic process are: the identification of potential evidence; the acquisition of that evidence; analysis of the evidence; and production of a report.
Why are digital forensic tools important? ›
Digital forensics tools are hardware and software tools that can be used to aid in the recovery and preservation of digital evidence. Law enforcement can use digital forensics tools to collect and preserve digital evidence and support or refute hypotheses before courts.Which technology is not used for digital forensics? ›
Digital forensics is all of them except:
Extraction of computer data.
With Autopsy and The Sleuth Kit (library), you can recover any type of data that is lost or deleted.What is the difference between autopsy and FTK Imager? ›
This is because FTK has stability issue and it crashes while processing and indexing of data. This makes FTK really slow as we can observe in the results. Autopsy is used for finding digital evidence while EnCase is used to process the evidence.Is autopsy free to download? ›
Download Autopsy for free
Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs.