Free Computer Forensic Tools
The table below lists a selection of free software which may be of use to professional computer forensic practitioners. It is the end user's responsibility to check the licensing agreements of each one before use.
Each download link goes directly to the producer's web site - the exception is for Ubuntu which links to a ‘how to’ guide. The version numbers and links are correct as of 3 July 2010. Forensic Control provides no support or warranties for their use.
You can follow the author of this list at twitter.com/jonathankrause
| Disk Tools | ||||
|---|---|---|---|---|
| Name | Version | From | Notes | Download |
| FAT32 Format | 1.05 | Ridgecrop | Enables large disks to be formatted as FAT32 | http://bit.ly/97MNOv |
| FTK Imager | 2.90 | AccessData | Imaging tool and disk viewer | http://bit.ly/8pcIpW |
| Tableau Imager | 1.11 | Tableau | Imaging tool for use with Tableau imaging products | http://bit.ly/5LnKM1 |
| Live View | 0.7b | CERT | Allows examiner to boot dd images in VMware | http://bit.ly/cZvXj3 |
| Email Analysis | ||||
| Name | Version | From | Notes | Download |
| Mail Viewer | 1.5.2 | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files | http://bit.ly/9t116y |
| General | ||||
| Name | Version | From | Notes | Download |
| CaseNotes | 1.2.2010.3 | QCC | Contemporaneous notes recorder | http://bit.ly/amRjw8 |
| EvidenceMover | 1.0 | Nuix | Copies data between locations, with file comparison, verification, logging | http://bit.ly/cB1BeO |
| File Signatures | 17 Jun 2010 | Gary Kessler | Table of file signatures | http://bit.ly/9TUevt |
| HashMyFiles | 1.68 | Nirsoft | Calculate MD5 and SHA1 hashes | http://bit.ly/diG02W |
| Mouse Jiggler | 1.1 | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc | http://bit.ly/axWizs |
| Notepad ++ | 5.6.8 | Notepad ++ | Advanced Notepad replacement | http://bit.ly/bQw7k9 |
| NSRL | 2.28 | NIST | Hash sets of 'known' (ignorable) files | http://bit.ly/cfQs4W |
| USB Write Blocker | Unknown | DSi | Enables software write-blocking of USB ports | http://bit.ly/9x4Evq |
| File & Data Analysis | ||||
| Name | Version | From | Notes | Download |
| DCode | 4.02a | Digital Detective | Converts various data types to date/time values | http://bit.ly/5lHVgO |
| Exif Reader | 3.00 | Ryuuji Yoshimoto | Extracts exif data from digital photographs | http://bit.ly/9L2NsW |
| PsTools | 1 Jul 2009 | Microsoft | Suite of command-line Windows utilities | http://bit.ly/cKgdgC |
| Shadow Explorer | 0.7 | Shadow Explorer | Browse and extract files from shadow copies | http://bit.ly/b2ya6R |
| SkypeLogView | 1.12 | Nirsoft | View Skype calls and chats | http://bit.ly/c8atFG |
| Strings | 2.41 | Microsoft | Command-line tool for text searches | http://bit.ly/bzxYZu |
| Structred Storage Viewer | 3.3.1 | MiTec | View and manage MS OLE Structured Storage based files | http://bit.ly/cgFgaH |
| TimeLord | 0.1.5.6 | Paul Tew | Time utility; timezones, BIOS times, decode computer time formats, etc | http://bit.ly/blCI9S |
| Ubuntu | 10.04 | Canonical | Guide to using an Unbuntu live disk to recover partitions, carve files, etc | http://bit.ly/aLd6tS |
| Windows File Analyzer | 1 | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files | http://bit.ly/dayWCd |
| File Viewers | ||||
| Name | Version | From | Notes | Download |
| Fragview | 1.2.5.3 | QCC | View recursive HTML, jpg and Flash files | http://bit.ly/amRjw8 |
| IrfanView | 4.27 | IrfanView | Graphics viewer. Plug-ins available | http://bit.ly/cZiCht |
| Microsoft Excel 2007 Viewer | 1.00 | Microsoft | View Excel spreadsheets | http://bit.ly/9x2AVL |
| Microsoft PowerPoint 2007 Viewer | 1.00 | Microsoft | View PowerPoint presentations | http://bit.ly/aDj99g |
| Microsoft Visio 2007 Viewer | 1.00 | Microsoft | View Visio diagrams | http://bit.ly/dcE3DZ |
| Microsoft Word 2007 Viewer | 1.00 | Microsoft | View Word documents | http://bit.ly/ccUykb |
| VideoTriage | 1.2.5.1805 | QCC | Produces thumbnails of video files so that the whole video doesn't need to be watched | http://bit.ly/amRjw8 |
| Internet History Analysis | ||||
| Name | Version | From | Notes | Download |
| ChromeAnalysis | 1.0.1 | forensic-software | Analysis of internet history data generated using Google Chrome | http://bit.ly/dcv7vw |
| FoxAnalysis | 1.4.2 | forensic-software | Analysis of internet history data generated using Mozilla Firefox 3 | http://bit.ly/dcv7vw |
| Registry Analysis | ||||
| Name | Version | From | Notes | Download |
| Process Monitor | 2.91 | Microsoft | Examine Windows processes and registry threads in real time | http://bit.ly/9xVWDT |
| RegRipper | 20080909 | Harlan Carvey | Registry data extraction and correlation tool | http://bit.ly/cq0FQF |
| Regshot | 1.8.2 | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software | http://bit.ly/c7cIKM |
| USBDeview | 1.70 | Nirsoft | Details previously attached USB devices | http://bit.ly/dj2x2f |
| UserAssist | 2.4.3 | Didier Stevens | Displays list of programs run, with run count and last run date and time | http://bit.ly/dgFvn7 |
