Digital forensics

Popular Computer Forensics Top 19 Tools [updated 2021]

January 8, 2021 by Howard Poston

Introduction

Computers are a vital source of forensic evidence for a growing number of crimes. While cybercrime has been growing steadily in recent years, even traditional criminals are using computers as part of their operations. The ability to reliably extract forensic information from these machines can be vital to catching and prosecuting these criminals.

Computer forensics tools are designed to ensure that the information extracted from computers is accurate and reliable. Due to the wide variety of different types of computer-based evidence, a number of different types of computer forensics tools exist, including:

  • Disk and data capture tools
  • File viewers
  • File analysis tools
  • Registry analysis tools
  • Internet analysis tools
  • Email analysis tools
  • Mobile devices analysis tools
  • Network forensics tools
  • Database forensics tools

Within each category, a number of different tools exist. This list outlines some of the most popularly used computer forensics tools.

Disk and data capture tools

Forensic disk and data capture tools focus on analysis of a system and extracting potential forensic artifacts, such as files, emails and so on. This is a core part of the computer forensics process and the focus of many forensics tools.

1. Autopsy/The Sleuth Kit

Autopsy and The Sleuth Kit are probably the most well-known and popular forensics tools in existence. These tools are designed to analyze disk images, perform in-depth analysis of file systems and include a wide variety of other features. As a result, they include functionality from many of the forensics tool categories mentioned above and are a good starting point for a computer forensics investigation.

Autopsy and The Sleuth Kit are available for both Unix and Windows and can be downloaded here.

2. X-Ways Forensics

X-Ways Forensics is a commercial digital forensics platform for Windows. The company also offers a more stripped-down version of the platform called X-Ways Investigator.

A major selling point of the platform is that it is designed to be resource-efficient and capable of running off of a USB stick. Despite this, it boasts an impressive array of features, which are listed on its website here.

3. AccessData FTK

AccessData Forensics Toolkit (FTK) is a commercial digital forensics platform that brags about its analysis speed. It claims to be the only forensics platform that fully leverages multi-core computers. Additionally, FTK performs indexing up-front, speeding later analysis of collected forensic artifacts.

Read more here.

4. EnCase

EnCase is a commercial forensics platform. It offers support for evidence collection from over twenty-five different types of devices, including desktops, mobile devices and GPS. Within the tool, a forensic investigator can inspect the collected data and generate a wide range of reports based upon predefined templates.

Read more about EnCase here.

5. Mandiant RedLine

Mandiant RedLine is a popular tool for memory and file analysis. It collects information about running processes on a host, drivers from memory and gathers other data like meta data, registry data, tasks, services, network information and internet history to build a proper report.

Read more here

6. Paraben Suite

The Paraben Corporation offers a number of forensics tools with a range of different licensing options. Paraben has capabilities in:

  • Desktop forensics
  • Email forensics
  • Smartphone analysis
  • Cloud analysis
  • IoT forensics
  • Triage and visualization

The E3:Universal offering provides all-in-one access, the E3:DS focuses on mobile devices and other license options break out computer forensics, email forensics and visualization functionality.

Read more here.

7. Bulk Extractor

Bulk Extractor is also an important and popular digital forensics tool. It scans the disk images, file or directory of files to extract useful information. In this process, it ignores the file system structure, so it is faster than other available similar kinds of tools. It is basically used by intelligence and law enforcement agencies in solving cybercrimes.

Currently, the latest version of the software, available here, has not been updated since 2014. However, a version 2.0 is currently under development with an unknown release date. It can be found here.

Registry analysis

The Windows registry serves as a database of configuration information for the OS and the applications running on it. For this reason, it can contain a great deal of useful information used in forensic analysis.

8. Registry Recon

Registry Recon is a popular commercial registry analysis tool. It extracts the registry information from the evidence and then rebuilds the registry representation. It can rebuild registries from both current and previous Windows installations.

Read more about it here.

Memory forensics

Analysis of the file system misses the system’s volatile memory (i.e., RAM). Some forensics tools focus on capturing the information stored here.

9. Volatility

Volatility is the memory forensics framework. It is used for incident response and malware analysis. With this tool, you can extract information from running processes, network sockets, network connection, DLLs and registry hives. It also has support for extracting information from Windows crash dump files and hibernation files. This tool is available for free under GPL license.

Read more about the tool here.

10. WindowsSCOPE

WindowsSCOPE is a commercial memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malware. It provides the ability to analyze the Windows kernel, drivers, DLLs and virtual and physical memory.

Read more here.

Network analysis

Most cyberattacks occur over the network, and the network can be a useful source of forensic data. These tools enable a forensic investigator to effectively analyze network traffic.

11. Wireshark

Wireshark is the most widely used network traffic analysis tool in existence. It has the ability to capture live traffic or ingest a saved capture file. Wireshark’s numerous protocol dissectors and user-friendly interface make it easy to inspect the contents of a traffic capture and search for forensic evidence within it.

Read more here.

12. Network Miner

Network Miner is a network traffic analysis tool with both free and commercial options. While many of the premium features are freely available with Wireshark, the free version can be a helpful tool for forensic investigations. It organizes information in a different way than Wireshark and automatically extracts certain types of files from a traffic capture.

Read more here.

13. Xplico

Xplico is an open-source network forensic analysis tool. It is used to extract useful data from applications which use Internet and network protocols. It supports most of the popular protocols including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP, TCP and others. Output data of the tool is stored in an SQLite database or MySQL database. It also supports both IPv4 and IPv6.

Read more about this tool here.

Mobile device forensics

Mobile devices are becoming the main method by which many people access the internet. Some forensics tools have a special focus on mobile device analysis.

14. Oxygen Forensic Detective

Oxygen Forensic Detective focuses on mobile devices but is capable of extracting data from a number of different platforms, including mobile, IoT, cloud services, drones, media cards, backups and desktop platforms. It uses physical methods to bypass device security (such as screen lock) and collects authentication data for a number of different mobile applications. Oxygen is a commercial product distributed as a USB dongle.

More information here.

15. Cellebrite UFED

Cellebrite offers a number of commercial digital forensics tools, but its Cellebrite UFED claims to be the industry standard for accessing digital data. The main UFED offering focuses on mobile devices, but the general UFED product line targets a range of devices, including drones, SIM and SD cards, GPS, cloud and more. The UFED platform claims to use exclusive methods to maximize data extraction from mobile devices.

More information here.

16. XRY

XRY is a collection of different commercial tools for mobile device forensics. XRY Logical is a suite of tools designed to interface with the mobile device operating system and extract the desired data. XRY Physical, on the other hand, uses physical recovery techniques to bypass the operating system, enabling analysis of locked devices.

Read more about XRY here.

Linux distros

Many of the tools described here are free and open-source. Several Linux distributions have been created that aggregate these free tools to provide an all-in-one toolkit for forensics investigators.

17. CAINE

CAINE (Computer Aided Investigative Environment) is the Linux distro created for digital forensics. It offers an environment to integrate existing software tools as software modules in a user-friendly manner. This tool is open-source.

Read more about it here.

18. SANS SIFT

SIFT is another open-source Linux virtual machine that aggregates free digital forensics tools. This platform was developed by the SANS Institute and its use is taught in a number of their courses.

Read more here.

19. HELIX3

HELIX3 is a live CD-based digital forensic suite created to be used in incident response. It comes with many open-source digital forensics tools, including hex editors, data carving and password-cracking tools. If you want the free version, you can go for Helix3 2009R1. After this release, this project was taken over by a commercial vendor. So, you need to pay for the most recent version of the tool.

This tool can collect data from physical memory, network connections, user accounts, executing processes and services, scheduled jobs, Windows Registry, chat logs, screen captures, SAM files, applications, drivers, environment variables and internet history. Then it analyzes and reviews the data to generate the compiled results based on reports.

Helix3 2008R1 can be downloaded here.

The enterprise version is available here.

Conclusion

Digital forensics is a specialization that is in constant demand. As the number of cyberattacks and data breaches grow and regulatory requirements become stricter, organizations require the ability to determine the scope and impact of a potential incident.

The tools included in this list are some of the more popular tools and platforms used for forensic analysis. In many cases, these tools have similar functionality, so the choice between them mainly depends on cost and personal preference. Additionally, a wide variety of other tools are available as well.

A good starting point for trying out digital forensics tools is exploring one of the Linux platforms mentioned at the end of this article. These platforms have a range of free tools installed and configured, making it possible to try out the various options without a significant investment of licensing fees or setup time.

Posted: January 8, 2021

Uh-oh!

We've encountered a new and totally unexpected error.

Get instant boot camp pricing

Thank you!

A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.

Articles Author
Howard Poston
View Profile

Howard Poston is a cybersecurity researcher with a background in cryptography and malware analysis. He has a Master’s degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity R&D at Sandia National Labs. He currently provides consulting and technical content writing for cybersecurity, cryptocurrency, and blockchain.