In this article
Free & Open Source Computer Forensics Tools
- Areas of Study
- Commercial Computer Forensics Tools
- Computer Forensics Certifications
- Free & Open Source Tools
- Job Outlook
- Mobile Forensics
- Online Resources
- Training Resources
In this article
According to Juniper Research, cybercrime losses to businesses will surpass $2 trillion by the year 2019. With data breaches occurring all around the world every day, the demand for experts in computer forensics will also increase. Whether you need to investigate an unauthorized server access, look into an internal case of human resources, or are interested in learning a new skill, these free and open source computer forensics tools will help you conduct in-depth analysis, including hard drive forensics, memory analysis, forensic image exploration, and mobile forensics. However, this is not an extensive list by all means and may not cover all necessary tools required for a complete investigation. It only includes some of the popular and useful tools. Using the right tools can always help you move things faster and result in more productive results.
These are multipurpose forensic toolkits that can carry out a number of detailed digital forensic tasks.
Based on Ubuntu, SIFT has all the important tools needed to carry out a detailed forensic analysis or incident response study. It supports analysis in advanced forensic format (AFF), expert witness format (E01) and RAW evidence (DD) format. It comes with tools to carve data files, generate timeline from system logs, examine recycle bins, and much more.
SIFT provides user documentation that allows you to get accustomed to the available tools and their usage. It also explains where evidence can be found on a system. Tools can be opened manually from the terminal window or with the help of top menu bar.
Having more than 100,000 downloads to date, SIFT continues to be a widely used open-source forensic and incident response tool.
New key features Include:
Pros: Better utilization of memory, modern forensic tools and techniques, expanded file system support.
Autopsy is a digital forensics platform that efficiently analyzes smartphones and hard disks. It is used worldwide by a large number of users, including law enforcement agencies, the military, and corporations to carry out investigations on a computer system. It has an easy-to-use interface, processes data fast, and is cost-effective. Sleuth Kit is a collection that consists of command line tools and a C library allowing the analysis of disk images and file recovery. It is used at the back end in the Autopsy tool.
Key features of Autopsy include:
Pros: Good documentation and support
Cons: It requires special user skills because it is based on Unix.
Available in free and professional versions, this forensics tool helps you to collect evidence from a mobile phone. It collects all device information such as serial number, IMEI, OS, etc., and recovers messages, contacts and call logs. Its file browser feature enables you to have access to and analyze photos, documents, videos and device database.
Some more important features include:
Pros: It provides several ways to extract data including Bluetooth, USB cable, iTunes backups, other forensic software backups, and Android backups. Also, the main interface is straightforward and easy to use. It provides sophisticated data analysis and has several useful data analysis features.
Cons: Unlike its competitors XRY and UFED, its free version does not provide advanced features such as cracking Android backups or locked iPhone.
DEFT (digital evidence and forensics toolkit) is a Linux-based distribution that allows professionals and non-experts to gather and preserve forensic data and digital evidence. The free and open source operating system has some of the best computer forensics open source applications. DEFT Zero is a lightweight version released in 2017.
Some of its useful features are as follows:
Pros: Needs only 400 MB memory to run. This means that it can be run even on a slow or obsolete PC.
These tools help in the extraction and forensic analysis of activity across the network.
WireShark is one of the most commonly used network protocol analyzers. It allows you to investigate your network activity at the microscopic level. Wireshark is widely used by government agencies, corporations and educational institutes.
Pros: Digs deep to uncover minor details in the network data.
Cons: Does not exactly pinpoint the solution you are looking for and dumps raw data into large files for you to figure out.
This is a network forensic analysis tool (NFAT) for Windows, Mac OS X, Linux, and FreeBSD. These tools come in a free edition as well as a professional paid edition. Network Miner’s free edition can
Pros: Captures network traffic, investigates potential rogue hosts, assembles and extracts files from captured traffic.
This is an open-source network forensic analysis tool (NFAT) that can extract app data from internet traffic. For instance, Xplico can extract email, HTTP contents, VoIP call, FTP, TFTP, etc., from a pcap file. Important features of Xplico are:
Pros: There is no size limit on number of files or data size. Its command line shows more detail and its geo-map feature can be used in web interface as well as console mode.
Cons: it is not possible to copy packets and send them to two separate dissectors; instead, there is the possibility of losing the packets, as the average processing time for a packet is higher than the average number of packets per second in Xplico.
These tools help in analyzing disk images at microscopic level.
this is a data preview and imaging tool with which one can study files and folders on a hard drive, network drive, and CDs/DVDs. It allows you to:
Pros: Creates bit-by-bit image and creates exact replica of the drive, thus allowing the investigator to view deleted or irretrievable files. It also creates a keyword index for every image, which makes future searches easier.
Cons: It doesn’t carve files and lacks recursive export capabilities.
Linux dd is a powerful tool that is installed by default in most Linux distributions (Fedora, Ubuntu). It can be used for conducting a number of forensic tasks like creating raw image of a folder, file, or drive.
On the negative side, it can be quite destructive if not used properly, thus earning the name “Data Destroyer” from some users. It is therefore advisable to test the command in a safe environment first and then apply it to the real data.
This comes with a small, and fast-booting forensic image analysis in a microkernel that runs from portable media. It physically boots the device, captures and authenticates a computer system, and reconstructs the filesystem.
Key features include:
Magnet Ram Capture is one of the many tools provided by Magnet Forensics. It is a free tool that captures the physical memory of a computer. This can help forensic investigators recover and analyze useful artifacts in the computer’s memory.
Having a small memory footprint, the tool can be run while the overwritten data in the memory is minimized. The collected memory data can be exported in RAW format and uploaded into any of the forensic analysis tools.
RAM evidence captured by the tool includes processes and programs, network connections, registry hives, malware intrusion evidence, decrypted keys and files, usernames and passwords, and any other activity not usually stored on the hard disk.
Pros: Acquires full physical memory fast and leaves small footprint on live system that is under analysis.
This free memory forensic tool helps discover malicious activity in live memory. It can acquire and analyze images from memory.
Key features include:
This is the first browser that can acquire web pages from websites available online to conduct forensic investigation.
Its key features include:
Computer Forensics Training
This tool can parse all your USB history information from your windows plug-and-play registry. This can give you a complete record of the USB drives that were inserted into the machine. The tool is originally intended to conduct forensic investigations related to stealing, movement, or unauthorized access to data.
Pros: Parses computer name to located devices quickly, features wizard-driven analysis, parses backup logs and SetupAPI logs.