
Kali Linux: Top 5 tools for digital forensics

July 28, 2021 by Graeme Messina

Kali Linux is a favorite operating system for digital forensics and penetration testing professionals. We want to highlight the top five tools that can be found in this handy operating system. Kali Linux allows you to tackle tasks such as encryption, password cracking, forensic analysis, wireless network attacks, reverse engineering malware, vulnerability assessment/testing and a whole lot more.

Digital forensics with Kali Linux

Digital forensics is a branch of forensic science that deals with the recovery and analysis of material from computers, cell phones, storage media or any other device that processes information. Kali Linux comes preinstalled with software that can help you to accomplish many basic digital forensics tasks. We will review some basics about the top tools for digital forensics on Kali Linux. 

Each tool will help you to accomplish a specific forensic task as you work on an investigation. There are many more tools available in Kali Linux, so be sure to check out some of our other articles if you want to find out more.

There are tons of tools and applications that are designed with digital forensics in mind. Tasks such as disk imaging, memory image analysis and file carving are all possible with Kali Linux. Kali can also be run live from a CD or USB thumb drive, so you can boot directly into a secure Linux desktop on most computers and laptops that support booting from a CD or USB.


Autopsy

Autopsy is a GUI for analyzing computer artifacts and the data that is stored within them. It was designed to be similar in features, capabilities and operation to other popular forensic tools like Guidance Software’s EnCase or AccessData’s FTK Imager.

It can also perform various tasks such as viewing and extracting files from partitions, performing keyword searches on extracted files using its built-in text parser (which supports basic boolean operators) and other operations:

  • Timeline analysis: you can analyze the timeline of events with this tool from a graphical environment that makes it much easier to piece events together.
  • Hash filtering: this function allows you to exclude known good files and flag known bad files when looking for evidence.
  • Keyword search: search indexed files for mentions of relevant terms.
  • Web artifacts: this allows you to extract web artifacts such as browser history, bookmarks and cookies from widely used internet browsers such as Firefox, Chrome and IE.
  • Data carving: gives you the ability to recover deleted files from unallocated space on a hard drive using the powerful tool PhotoRec.
  • Multimedia analysis: there are multimedia features such as extraction of EXIF data, which is metadata that is found in image files.

Autopsy also accepts disk images in different formats like:

  • Raw
  • Oe
  • E01

It provides you with outputs in most standard reporting formats such as XML and HTML.
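The data carving and hash filtering features listed above can be illustrated together. The following is an added example, not code from Autopsy or PhotoRec: a simplified header/footer carver that pulls JPEG-like spans out of a raw buffer and then classifies each one against known-good and known-bad hash sets. The function names and sample bytes are constructed for illustration, and real carvers also handle fragmentation and embedded thumbnails.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(blob: bytes, max_size: int = 20 * 1024 * 1024):
    """Yield (offset, data) for each SOI..EOI span found in a raw byte buffer."""
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start == -1:
            return
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            # Header with no footer in range: truncated or overwritten file.
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        yield start, blob[start:end]
        pos = end


def classify(data: bytes, known_good: set, known_bad: set) -> str:
    """Hash filtering: hide known-good, flag known-bad, keep the rest for review."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_bad:
        return "flagged"
    if digest in known_good:
        return "ignored"
    return "unknown"


def triage(blob: bytes, known_good: set, known_bad: set):
    """Carve, then classify: returns a list of (offset, size, verdict)."""
    return [(off, len(d), classify(d, known_good, known_bad))
            for off, d in carve_jpegs(blob)]


# Constructed sample data: fake "JPEG" fragments embedded in filler bytes,
# standing in for unallocated space. They are not valid images.
STOCK = JPEG_SOI + b"\xe0stock-wallpaper" + JPEG_EOI
EVIDENCE = JPEG_SOI + b"\xe1case-photo" + JPEG_EOI
OTHER = JPEG_SOI + b"\xe0holiday" + JPEG_EOI
TRUNCATED = JPEG_SOI + b"\xe0cut-off"          # header only, no footer
SAMPLE = (b"\x00" * 16 + STOCK + b"\x00" * 8 + EVIDENCE
          + b"\x11" * 4 + OTHER + b"\x00" * 5 + TRUNCATED)
KNOWN_GOOD = {hashlib.sha256(STOCK).hexdigest()}
KNOWN_BAD = {hashlib.sha256(EVIDENCE).hexdigest()}
```

Calling `triage(SAMPLE, KNOWN_GOOD, KNOWN_BAD)` returns one entry per carved object, leaving only the "flagged" and "unknown" items for an examiner to review.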


Xplico

Xplico is a free and open-source network forensics analysis tool that allows for the packet capture, reconstruction, filtering and inspection of captured data. It is not a network protocol analyzer. It has a GUI as well as CLI access, so users without programming knowledge can use it too.

Xplico allows you to extract data from an internet traffic capture file as well as the application data that is housed within. If you feed Xplico a PCAP file then you can expect to extract important information carried over protocols such as:

  • POP
  • IMAP
  • SNMP
  • HTTP
  • SIP
  • MGCP
  • H323
  • FTP

And much more.

Xplico is a great way to quickly analyze your packet captures and get standard output and readable results without having to manually sift through data. This saves you time and sanity as it is far more efficient than searching or querying a large volume of data manually.
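To show what working from a PCAP file involves at the lowest level, here is an added example (not Xplico code) that reads a classic pcap file with only the standard library and tallies packets for the protocols listed above. Labelling traffic by well-known port is a simplifying assumption of this example, and the helper names and sample capture are constructed.

```python
import struct
from collections import Counter

# Well-known ports for the protocols listed above. Labelling by port is a
# simplification for this example, not how Xplico itself identifies traffic.
PORTS = {110: "POP", 143: "IMAP", 161: "SNMP", 80: "HTTP",
         5060: "SIP", 2427: "MGCP", 1720: "H323", 21: "FTP"}
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order


def tally_protocols(pcap: bytes) -> Counter:
    """Count packets per application protocol in a classic pcap (Ethernet/IPv4)."""
    end = MAGIC.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    counts, pos = Counter(), 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        label = "other"                       # truncated, non-IPv4 or unlisted port
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            ports = frame[14 + (frame[14] & 0x0F) * 4:][:4]
            if frame[23] in (6, 17) and len(ports) == 4:   # TCP or UDP
                sport, dport = struct.unpack(">HH", ports)
                label = PORTS.get(dport) or PORTS.get(sport) or "other"
        counts[label] += 1
    return counts


def _frame(proto: int, sport: int, dport: int) -> bytes:
    """Constructed frame: zeroed addresses, only protocol and ports are meaningful."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, bytes(4), bytes(4))
    return bytes(12) + b"\x08\x00" + ip + struct.pack(">HHHH", sport, dport, 8, 0)


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


# Constructed capture: two HTTP packets, one SNMP (UDP), one FTP, one unlisted port.
SAMPLE = _pcap([_frame(6, 40000, 80), _frame(6, 80, 40000),
                _frame(17, 40001, 161), _frame(6, 40002, 21), _frame(6, 40003, 9999)])
```

`tally_protocols(SAMPLE)` gives a per-protocol packet count, which is a quick first look at what a capture contains before loading it into a full reconstruction tool.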


Guymager

Guymager is a tool that allows you to extract data via a GUI or the command-line interface. One of the most important features is that it has a built-in hex editor which can edit headers, such as partition tables and bootloaders.

Guymager also supports raw image files. It is possible to convert different types of formats like JPEG and GIF into RAW format before running them through Guymager.

  • It features a simple GUI with multilingual support.
  • It ships with Kali Linux and is ready to use upon booting your system.
  • It is multi-threaded, which makes it very fast, and it has a design that takes advantage of both pipelined and multi-threaded data compression.
  • It takes advantage of multiprocessor systems, allowing it to further leverage its multi-threaded capabilities.
  • It can generate flat (dd), EWF (E01) and AFF images, and it also has support for disk cloning.
  • Guymager is free and open source.


Volatility

Anyone who has tried memory forensics is probably familiar with Volatility. It is a memory forensics framework that is capable of analyzing volatile RAM and page files.

Volatility can execute other forms of analysis when it is run in a live operating system environment. It can perform operations like analyzing running processes or searching through unallocated space on a hard drive for deleted files.

The results are presented to you with all available metadata parsed out into columns that can be sorted by clicking on the table headers above each field. You can also save these reports in PDF format if needed.


Wireshark

Wireshark is a network tool that you can use to find problems. It helps you with troubleshooting and capturing packets on the network. Wireshark has many features, such as filtering and formatting data in different ways, that will help you search for what you need. You can also see the data in hexadecimal.

You can take a network packet dump whenever you want to. If you think that you might need the data later, you can save it. You can also export the data to a text file or another format if you want to perform additional tasks at a later stage.

Additional features include:

  • Inspection of network protocols with deep analysis. Wireshark adds more capabilities quite often.
  • Wireshark can capture live data and perform offline analysis.
  • It is easy to navigate with a three-window packet browser.
  • Although Wireshark is found on Kali Linux, it also runs on Windows, OS X, Solaris, FreeBSD, NetBSD as well as other operating systems.
  • There are many great filters to use, so you can customize your investigation.
  • Wireshark is also good for analyzing VoIP packets.

How else can you use Kali Linux as a forensic tool?

The sheer number of programs available makes this an excellent option for anyone who needs access to digital forensics tools.

Kali Linux is a great platform for digital forensic analysis and can be used to perform many tasks that you would only expect to find in a commercial product.

Some tools allow you to acquire media-related evidence, while others help you create usable documentation of your findings or analyze traffic on networks so it’s easier to troubleshoot problems.

Using Kali Linux tools for digital forensics

Kali Linux is a great platform for digital forensic analysis and can be used to perform many tasks related to the field.

The sheer number of programs available makes this an excellent option for anyone who needs access to these types of tools but doesn’t have them already installed on their computer, especially since most operating systems do not come with anything in this specific category.




Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.