15 BEST Digital Forensic Tools in 2020 [Free/Paid]

Details: Last Updated: 23 December 2019

Digital forensic is a process of preservation, identification, extraction, and documentation of computer evidence which can be used by the court of law. There are many tools that help you to make this process simple and easy. These applications provide complete reports that can be used for legal procedures.

Following is a handpicked list of Digital Forensic Toolkits, with their popular features and website links. The list contains both open source(free) and commercial(paid) software.

1) ProDiscover Forensic

ProDiscover Forensic is a computer security app that allows you to locate all the data on a computer disk. It can protect evidence and create quality reports for the use of legal procedures. This tool allows you to extract EXIF(Exchangeable Image File Format) information from JPEG files.

Features:

This product supports Windows, Mac, and Linux file systems.
You can preview and search for suspicious files quickly.
It creates a copy of the entire suspected disk to keep the original evidence safe.
This tool helps you to see internet history.
You can import or export .dd format images.
It enables you to add comments to evidence of your interest.
ProDiscover Forensic supports VMware to run a captured image.

Link: https://www.prodiscover.com

2) Sleuth Kit (+Autopsy)

Sleuth Kit (+Autopsy) is a Windows based utility tool that makes forensic analysis of computer systems easier. This tool allows you to examine your hard drive and smartphone.

Features:

You can identify activity using a graphical interface effectively.
This application provides analysis for emails.
You can group files by their type to find all documents or images.
It displays a thumbnail of images to quick view pictures.
You can tag files with the arbitrary tag names.
The Sleuth Kit enables you to extract data from call logs, SMS, contacts, etc.
It helps you to flag files and folders based on path and name.

Link: https://www.sleuthkit.org

3) CAINE

CAINE is a Ubuntu-based app that offers a complete forensic environment that provides a graphical interface. This tool can be integrated into existing software tools as a module. It automatically extracts a timeline from RAM.

Features:

It supports the digital investigator during the four phases of the digital investigation.
It offers a user-friendly interface.
You can customize features of CAINE.
This software offers numerous user-friendly tools.

Link: https://www.caine-live.net

4) PALADIN

PALADIN is Ubuntu based tool that enables you to simplify a range of forensic tasks. It provides more than 100 useful tools for investigating any malicious material. This tool helps you to simplify your forensic task quickly and effectively.

Features:

It provides both 64-bit and 32-bit versions.
This tool is available on a USB thumb drive.
This toolbox has open-source tools that help you to search for the required information effortlessly.
This tool has more than 33 categories that assist you in accomplishing a cyber forensic task.

Link: https://sumuri.com/software/paladin/

5) EnCase

Encase is an application that helps you to recover evidence from hard drives. It allows you to conduct an in-depth analysis of files to collect proof like documents, pictures, etc.

Features:

You can acquire data from numerous devices, including mobile phones, tablets, etc.
It enables you to produce complete reports for maintaining evidence integrity.
You can quickly search, identify, as well as prioritize evidence.
Encase-forensic helps you to unlock encrypted evidence.
It automates the preparation of evidence.
You can perform deep and triage (severity and priority of defects) analysis.

Link: https://www.guidancesoftware.com/encase-forensic

6) SANS SIFT

SANS SIFT is a computer forensics distribution based on Ubuntu. It provides a digital forensic and incident response examination facility.

Features:

It can work on a 64-bit operating system.
This tool helps users to utilize memory in a better way.
It automatically updates the DFIR (Digital Forensics and Incident Response) package.
You can install it via SIFT-CLI (Command-Line Interface) installer.
This tool contains numerous latest forensic tools and techniques.

Link: https://digital-forensics.sans.org/community/downloads/

7) FTK Imager

FTK Imager is a forensic toolkit i developed by AccessData that can be used to get evidence. It can create copies of data without making changes to the original evidence. This tool allows you to specify criteria, like file size, pixel size, and data type, to reduce the amount of irrelevant data.

Features:

It provides a wizard-driven approach to detect cybercrime.
This program offers better visualization of data using a chart.
You can recover passwords from more than 100 applications.
It has an advanced and automated data analysis facility.
FTK Imager helps you to manage reusable profiles for different investigation requirements.
It supports pre and post-processing refinement.

Link: https://accessdata.com/products-services/forensic-toolkit-ftk

8) Magnet RAM capture

Magnet RAM capture records the memory of a suspected computer. It allows investigators to recover and analyze valuable items which are found in memory.

Features:

You can run this app while minimizing overwritten data in memory.
It enables you to export captured memory data and upload it into analysis tools like magnet AXIOM and magnet IEF.
This app supports a vast range of Windows operating systems.
Magnet RAM capture supports RAM acquisition.

Link: https://www.magnetforensics.com/resources/magnet-ram-capture/

9) X-Ways Forensics

X-Ways is software that provides a work environment for computer forensic examiners. This program is supports disk cloning and imaging. It enables you to collaborate with other people who have this tool.

Features:

It has ability to read partitioning and file system structures inside .dd image files.
You can access disks, RAIDs (Redundant array of independent disk), and more.
It automatically identifies lost or deleted partitions.
This tool can easily detect NTFS (New Technology File System) and ADS (Alternate Data Streams).
X-Ways Forensics supports bookmarks or annotations.
It has the ability to analyze remote computers.
You can view and edit binary data by using templates.
It provides write protection for maintaining data authenticity.

Link: http://www.x-ways.net/forensics/

10) Wireshark

Wireshark is a tool that analyzes a network packet. It can be used to for network testing and troubleshooting. This tool helps you to check different traffic going through your computer system.

Features:

It provides rich VoIP (Voice over Internet Protocol) analysis.
Capture files compressed with gzip can be decompressed easily.
Output can be exported to XML (Extensible Markup Language), CSV (Comma Separated Values) file, or plain text.
Live data can be read from the network, blue-tooth, ATM, USB, etc.
Decryption support for numerous protocols that include IPsec (Internet Protocol Security), SSL (Secure Sockets Layer), and WEP (Wired Equivalent Privacy).
You can apply intuitive analysis, coloring rules to the packet.
Allows you to read or write file in any format.

Link: https://www.wireshark.org

11) Registry Recon

Registry Recon is a computer forensics tool used to extract, recover, and analyze registry data from Windows OS. This program can be used to efficiently determine external devices that have been connected to any PC.

Features:

It supports Windows XP, Vista, 7, 8, 10, and other operating systems.
This tool automatically recovers valuable NTFS data.
You can integrate it with the Microsoft Disk Manager utility tool.
Quickly mount all VSCs (Volume Shadow Copies) VSCs within a disk.
This program rebuilds the active registry database.

Link: https://arsenalrecon.com/products/

12) Volatility Framework

Volatility Framework is software for memory analysis and forensics. It helps you to test the runtime state of a system using the data found in RAM. This app allows you to collaborate with your teammates.

Features:

It has API that allows you to lookups of PTE (Page Table Entry) flags quickly.
Volatility Framework supports KASLR (Kernel Address Space Layout Randomization).
This tool provides numerous plugins for checking Mac file operation.
It automatically runs Failure command when a service fails to start multiple times.

Link: https://www.volatilityfoundation.org

13) Xplico

Xplico is an open-source forensic analysis app. It supports HTTP( Hypertext Transfer Protocol), IMAP (Internet Message Access Protocol), and more.

Features:

You can get your output data in the SQLite database or MySQL database.
This tool gives you real time collaboration.
No size limit on data entry or the number of files.
You can easily create any kind of dispatcher to organize the extracted data in a useful way.
It supports both IPv4 and IPv6.
You can perform reserve DNS lookup from DNS packages having input files.
Xplico provides PIPI (Port Independent Protocol Identification) feature to support digital forensic.

Link: https://www.xplico.org

14) e-fense

E-fense is a tool that helps you to meet your computer forensics and cybersecurity needs. It allows you to discover files from any device in one simple to use interface.

Features:

It gives protection from malicious behavior, hacking, and policy violations.
You can acquire internet history, memory, and screen capture from a system onto a USB thumb drive.
This tool has a simple to use interface that enables you to achieve your investigation goal.
E-fense supports multithreading, that means you can execute more than one thread simultaneously.

Link: http://www.e-fense.com/products.php

15) Crowdstrike

Crowdstrike is digital forensic software that provides threat intelligence, endpoint security, etc. It can quickly detect and recover from cybersecurity incidents. You can use this tool to find and block attackers in real time.

Features: