Packages that are used to find data on physical disks or embedded memory.
Tool count: 171
Name | Version | Description | Category | Website |
---|---|---|---|---|
aesfix | 1.0.1 | A tool to find AES key in RAM | forensic cracker | |
aeskeyfind | 1.0 | A tool to find AES key in RAM | forensic cracker | |
afflib | 3.7.19 | An extensible open format for the storage of disk images and related forensic information. | forensic | |
aimage | 3.2.5 | A program to create aff-images. | forensic | |
air | 2.0.0 | A GUI front-end to dd/dc3dd designed for easily creating forensic images. | forensic | |
analyzemft | 133.b6ed04f | Parse the MFT file from an NTFS filesystem. | forensic | |
analyzepesig | 0.0.0.5 | Analyze digital signature of PE file. | windows binary forensic | |
androick | 8.522cfb4 | A python tool to help in forensics analysis on android. | mobile forensic | |
atstaketools | 0.1 | This is an archive of various @Stake tools that help perform vulnerability scanning and analysis, information gathering, password auditing, and forensics. | windows scanner forensic cracker sniffer recon | |
autopsy | 1:4.21.0 | A GUI for The Sleuth Kit. | forensic | |
bios_memimage | 1.2 | A tool to dump RAM contents to disk (aka cold boot attack). | cracker forensic | |
bmap-tools | 3.7 | Tool for copying largely sparse files using information from a block map file. | forensic | |
bmc-tools | 25.c66a657 | RDP Bitmap Cache parser. | forensic sniffer | |
bulk-extractor | 1562.1c67a75 | Bulk Email and URL extraction tool. | forensic misc | |
canari | 3.3.10 | A transform framework for maltego | forensic recon scanner | |
captipper | 74.3fb2836 | Malicious HTTP traffic explorer tool. | forensic malware sniffer | |
casefile | 1.0.1 | The little brother to Maltego without transforms, but combines graph and link analysis to examine links between manually added data to mind map your information | forensic recon scanner | |
chainsaw | v2.7.3.r6.g5d908fd | A powerful 'first-response' capability to quickly identify threats within Windows event logs. | defensive forensic windows | |
chaosmap | 1.3 | An information gathering tool and dns / whois / web server scanner | forensic scanner recon | |
chipsec | 4:2206.28d9c90b | Framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. | hardware binary forensic scanner fuzzer | |
chkrootkit | 0.58b | Checks for rootkits on a system | defensive forensic | |
chntpw | 140201 | Offline NT Password Editor - reset passwords in a Windows NT SAM user database file | forensic cracker | |
chromefreak | 24.12745b1 | A Cross-Platform Forensic Framework for Google Chrome | forensic | |
chromensics | 1.0 | A Google chrome forensics tool. | windows forensic | |
dc3dd | 7.2.646 | A patched version of dd that includes a number of features useful for computer forensics. | forensic | |
dcfldd | 1.7.1 | DCFL (DoD Computer Forensics Lab) dd replacement with hashing | forensic | |
ddrescue | 1.28 | A data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying to rescue the good parts first in case of read errors. | forensic | |
dff | 183.d40d46b | A Forensics Framework coming with command line and graphical interfaces. | forensic | |
dfir-ntfs | 1.1.18 | An NTFS parser for digital forensics & incident response. | forensic | |
dftimewolf | 725.5637f40e | Framework for orchestrating forensic collection, processing and data export. | forensic | |
disitool | 0.4 | Tool to work with Windows executables digital signatures. | forensic | |
dmde | 3.8.0.790 | Disk Editor and Data Recovery Software. | forensic | |
dmg2img | 1.6.7 | Convert (compressed) Apple Disk Images. A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format. | misc forensic | |
dshell | 142.695c891 | A network forensic analysis framework. | forensic networking | |
dumpzilla | 03152013 | A forensic tool for firefox. | forensic | |
eindeutig | 20050628_1 | Examine the contents of Outlook Express DBX email repository files (forensic purposes) | forensic | |
emldump | 0.0.11 | Analyze MIME files. | forensic | |
evtkit | 8.af06db3 | Fix acquired .evt - Windows Event Log files (Forensics). | forensic windows | |
exiflooter | 39.0c9535f | Find geolocation on all image URLs and directories; also integrates with OpenStreetMap. | forensic | |
exiv2 | 0.27.2 | Exif, Iptc and XMP metadata manipulation library and tools | forensic defensive | |
extractusnjrnl | 7.362d4290 | Tool to extract the $UsnJrnl from an NTFS volume. | forensic windows | |
extundelete | 0.2.4 | Utility for recovering deleted files from ext2, ext3 or ext4 partitions by parsing the journal | forensic | |
firefox-decrypt | 1.1.1.r3.g2a163fa | Extract passwords from Mozilla Firefox, Waterfox, Thunderbird, SeaMonkey profiles. | forensic | |
foremost | 1.5.7 | A console program to recover files based on their headers, footers, and internal data structures | forensic | |
fridump | 23.3e64ee0 | A universal memory dumper using Frida. | forensic | |
fs-nyarl | 1.0 | A network takeover & forensic analysis tool - useful to advanced PenTest tasks & for fun and profit. | scanner networking forensic spoof exploitation sniffer | |
galleta | 20040505_1 | Examine the contents of the IE's cookie files for forensic purposes | forensic | |
grokevt | 0.5.0 | A collection of scripts built for reading Windows NT/2K/XP/2K eventlog files. | forensic | |
guymager | 0.8.13 | A forensic imager for media acquisition. | forensic | |
hashdb | 1089.1da1b9f | A block hash toolkit. | crypto forensic misc | |
hashdeep | 4.4 | Advanced checksum hashing tool. | forensic | |
haystack | 1823.c178b5a | A Python framework for finding C structures from process memory - heap analysis - Memory structures forensics. | binary forensic | |
imagemounter | 413.383b30b | Command line utility and Python package to ease the (un)mounting of forensic disk images. | forensic misc | |
indx2csv | 17.129a411e | An advanced parser for INDX records. | forensic windows | |
indxcarver | 5.dee36608 | Carve INDX records from a chunk of data. | forensic windows | |
indxparse | 198.a977192 | A Tool suite for inspecting NTFS artifacts. | forensic | |
interrogate | 5.eb5f071 | A proof-of-concept tool for identification of cryptographic keys in binary material (regardless of target operating system), first and foremost for memory dump analysis and forensic usage. | forensic cracker | |
iosforensic | 1.0 | iOS forensic tool https://www.owasp.org/index.php/Projects/OWASP_iOSForensic | forensic mobile | |
ipba2 | 1:95.c03bd85 | IOS Backup Analyzer | forensic | |
iphoneanalyzer | 2.1.0 | Allows you to forensically examine or recover data from an iOS device. | forensic mobile | |
jpegdump | 0.0.7 | Tool to analyze JPEG images. Reads binary files and parses the JPEG markers inside them. | binary forensic | |
lazagne | 872.3ed06c7 | An open source application used to retrieve lots of passwords stored on a local computer. | forensic social | |
ldsview | 47.d8bfcaa | Offline search tool for LDAP directory dumps in LDIF format. | forensic | |
lfle | 24.f28592c | Recover event log entries from an image by heuristically looking for record structures. | forensic | |
libfvde | 207.03f12f5 | Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes. | forensic | |
limeaide | 305.ce3c9b7 | Remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. | forensic | |
log-file-parser | 60.c7a0ae7e | Parser for $LogFile on NTFS. | forensic windows | |
loki-scanner | 1227.0dc990b | Simple IOC and Incident Response Scanner. | forensic scanner | |
mac-robber | 1.02 | A digital investigation tool that collects data from allocated files in a mounted file system. | forensic | |
magicrescue | 1.1.9 | Find and recover deleted files on block devices | forensic | |
make-pdf | 0.1.7 | This tool will embed javascript inside a PDF document. | forensic | |
malheur | 0.5.4 | A tool for the automatic analysis of malware behavior. | forensic malware | |
maltego | 4.8.0 | An open source intelligence and forensics application, enabling to easily gather information about DNS, domains, IP addresses, websites, persons, etc. | forensic recon scanner | |
malwaredetect | 0.1 | Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware | forensic malware | |
mboxgrep | 0.7.9 | A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats. | forensic | |
mdbtools | 738.823b32f | Utilities for viewing data and exporting schema from Microsoft Access Database files. | forensic | |
memdump | 1.01 | Dumps system memory to stdout, skipping over holes in memory maps. | forensic | |
memfetch | 0.05b | Dumps any userspace process memory without affecting its execution. | forensic | |
memimager | 1.0 | Performs a memory dump using NtSystemDebugControl. | windows forensic | |
mft2csv | 40.164eb224 | Extract $MFT record info and log it to a csv file. | forensic windows | |
mftcarver | 9.7bfcc0a2 | Carve $MFT records from a chunk of data (for instance a memory dump). | forensic windows | |
mftrcrd | 16.35c3ac2f | Command line $MFT record decoder. | forensic windows | |
mftref2name | 6.7df9eebb | Resolve file index number to name or vice versa on NTFS. A simple tool that just converts MFT reference number to file name and path, or the other way around. | forensic windows | |
mimipenguin | 152.880a427 | A tool to dump the login password from the current linux user. | forensic cracker | |
mobiusft | 1.12 | An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. | forensic | |
mp3nema | 0.4 | A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data. | forensic | |
ms-sys | 2.8.0 | A tool to write Win9x-.. master boot records (mbr) under linux - RTM! | backdoor binary forensic | |
munin-hashchecker | 239.95b046d | Online hash checker for Virustotal and other services | defensive forensic | |
mxtract | 90.0b34376 | Memory Extractor & Analyzer. | forensic | |
myrescue | 0.9.8 | A hard disk recovery tool that reads undamaged regions first. | forensic | |
naft | 0.0.9 | Network Appliance Forensic Toolkit. | forensic | |
networkminer | 2.9 | A Network Forensic Analysis Tool for advanced Network Traffic Analysis, sniffer and packet analyzer. | forensic sniffer | |
nfex | 2.5 | A tool for extracting files from the network in real-time or post-capture from an offline tcpdump pcap savefile. | forensic networking | |
ntdsxtract | 34.7fa1c8c | Active Directory forensic framework. | forensic | |
ntfs-file-extractor | 6.f2b23d72 | Extract files off NTFS. | forensic windows | |
ntfs-log-tracker | 1:1.6 | This tool can parse $LogFile, $UsnJrnl of NTFS. | forensic windows | |
oletools | 1:0.54.1 | Tools to analyze Microsoft OLE2 files. | binary forensic | |
parse-evtx | 3.a4b02b9 | A tool to parse the Windows XML Event Log (EVTX) format. | forensic | |
pasco | 20040505_1 | Examines the contents of Internet Explorer's cache files for forensic purposes | forensic | |
pcapfex | 60.c51055a | Packet CAPture Forensic Evidence eXtractor. | networking forensic | |
pcapxray | 274.1721645 | A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction. | forensic networking | |
pdblaster | 4.fc8abb3 | Extract PDB file paths from large sample sets of executable files. | forensic malware | |
pdf-parser | 0.7.9 | Parses a PDF document to identify the fundamental elements used in the analyzed file. | forensic | |
pdfbook-analyzer | 1:2 | Utility for facebook memory forensics. | forensic | |
pdfid | 0.2.8 | Scan a file to look for certain PDF keywords. | forensic | |
pdfresurrect | 0.12 | A tool aimed at analyzing PDF documents. | forensic | |
peepdf | 0.4.2 | A Python tool to explore PDF files in order to find out if the file can be harmful or not | forensic malware | |
periscope | 3.2 | A PE file inspection tool. | windows forensic binary | |
perl-image-exiftool | 12.98 | Reader and rewriter of EXIF information that supports raw files | forensic defensive | |
pev | 0.81 | Command line based tool for PE32/PE32+ file analysis. | forensic reversing | |
pextractor | 0.18b | A forensics tool that can extract all files from an executable file created by a joiner or similar. | windows forensic binary | |
pmdump | 1.2 | A tool that lets you dump the memory contents of a process to a file without stopping the process. | windows forensic | |
pngcheck | 3.0.3 | Verifies the integrity of PNG, JNG and MNG files by checking the CRCs and decompressing the image data. | stego defensive forensic | |
powermft | 5.76574543 | Powerful commandline $MFT record editor. | forensic windows | |
python-oletools | 1:0.60.2 | Tools to analyze Microsoft OLE2 files. | binary forensic | |
python-rekall | 1396.041d6964 | Memory Forensic Framework. | forensic | |
python2-oletools | 1:0.60.2 | Tools to analyze Microsoft OLE2 files. | binary forensic | |
python2-peepdf | 0.4.2 | A Python tool to explore PDF files in order to find out if the file can be harmful or not. | forensic malware | |
python2-rekall | 1396.041d6964 | Memory Forensic Framework. | forensic | |
rcrdcarver | 5.54507d21 | Carve RCRD records ($LogFile) from a chunk of data. | forensic windows | |
recentfilecache-parser | 2.5e22518 | Python parser for the RecentFileCache.bcf on Windows. | forensic | |
recoverdm | 0.20 | Recover damaged CD DVD and disks with bad sectors. | forensic | |
recoverjpeg | 2.6.3 | Recover jpegs from damaged devices. | forensic | |
recuperabit | 77.c6f8678 | A tool for forensic file system reconstruction. | forensic | |
regipy | 2.2.2 | Library for parsing offline registry hives. | forensic | |
reglookup | 1.0.1 | Command line utility for reading and querying Windows NT registries | forensic | |
regreport | 1.6 | Windows registry forensic analysis tool. | windows forensic | |
regripper | 104.5bb3c86 | Open source forensic software used as a Windows Registry data extraction command line or GUI tool. | forensic | |
regrippy | 2.0.0 | Framework for reading and extracting useful forensics data from Windows registry hives. | forensic | |
regview | 1.3 | Open raw Windows NT 5 Registry files (Windows 2000 or higher). | windows forensic | |
rekall | 1409.55d1925f | Memory Forensic Framework. | forensic | |
replayproxy | 1.1 | Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file. | forensic proxy | |
rifiuti2 | 1:0.7.0 | A rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. | forensic recon | |
rkhunter | 1.4.6 | Checks machines for the presence of rootkits and other unwanted tools. | forensic defensive | |
rsakeyfind | 1.0 | A tool to find RSA key in RAM. | cracker forensic | |
safecopy | 1.7 | A disk data recovery tool to extract data from damaged media. | forensic | |
scalpel | 1:1.1687261 | A frugal, high performance file carver | forensic | |
scrounge-ntfs | 0.9 | Data recovery program for NTFS file systems | forensic | |
secure2csv | 10.119eefb0 | Decode security descriptors in $Secure on NTFS. | forensic windows | |
shadowexplorer | 0.9 | Browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service. | forensic windows | |
skypefreak | 33.9347a65 | A Cross Platform Forensic Framework for Skype. | forensic | |
sleuthkit | 4.12.1 | File system and media management forensic analysis tools | forensic | |
snort | 2.9.20 | A lightweight network intrusion detection system. | defensive networking forensic | |
stegdetect | 20.28a4f07 | An automated tool for detecting steganographic content in images. | stego defensive forensic | |
stenographer | 486.355604b | A packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. | sniffer networking forensic | |
stringsifter | 39.33c0cd5 | Machine learning tool that automatically ranks strings based on their relevance for malware analysis. | binary forensic | |
swap-digger | 51.4d18ce0 | A tool used to automate Linux swap analysis during post-exploitation or forensics. | forensic | |
syft | 814.5e5312c | A CLI tool and go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. | forensic | |
tchunt-ng | 208.b8cf7fc | Reveal encrypted files stored on a filesystem. | forensic crypto | |
tekdefense-automater | 88.42548cf | IP URL and MD5 OSINT Analysis | forensic | |
tell-me-your-secrets | 1:v2.4.2.r3.g5434b9d | Find secrets on any machine from over 120 Different Signatures. | code-audit forensic | |
testdisk | 7.2 | Checks and undeletes partitions + PhotoRec, signature based recovery tool | forensic | |
thumbcacheviewer | 1.0.3.7 | Extract Windows thumbcache database files. | forensic windows | |
trid | 2.24 | A utility designed to identify file types from their binary signatures. | forensic binary | |
truehunter | 14.0a2895d | Detect TrueCrypt containers using a fast and memory efficient approach. | forensic | |
undbx | 0.21.r3.g5e31c75 | Extract e-mail messages from Outlook Express DBX files. | forensic | |
unhide | 20220611 | A forensic tool to find processes hidden by rootkits, LKMs or by other techniques. | forensic | |
usbrip | 291.5093c84 | USB device artifacts tracker. | forensic | |
usnjrnl2csv | 29.1ecbddc | Parser for $UsnJrnl on NTFS. | forensic windows | |
usnparser | 4.1.5 | A Python script to parse the NTFS USN journal. | forensic windows | |
vinetto | 0.07beta | A forensics tool to examine Thumbs.db files | forensic | |
vipermonkey | 1160.511ecd5 | A VBA parser and emulation engine to analyze malicious macros. | forensic malware | |
volafox | 143.5b42987 | Mac OS X Memory Analysis Toolkit. | forensic binary | |
volatility | 2.6.1 | Advanced memory forensics framework | forensic | |
volatility-extra | 92.d9fc072 | Volatility plugins developed and maintained by the community. | forensic | |
volatility3 | 2.7.0 | Advanced memory forensics framework | forensic | |
windows-prefetch-parser | 88.bc1fa58 | Parse Windows Prefetch files. | forensic | |
wmi-forensics | 11.0ab08dc | Scripts used to find evidence in WMI repositories. | forensic | |
wyd | 0.2 | Gets keywords from personal files. IT security/forensic tool. | cracker forensic | |
xplico | 1:1.2.2 | Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT). | forensic networking | |
zipdump | 0.0.21 | ZIP dump utility. | forensic |