Capture & Data Acquisition Tools
CAINE (Computer Aided Investigative Environment) – A Linux-based forensic distribution equipped with a suite of investigative tools for evidence acquisition and analysis.
dd – A command-line utility for Unix and Unix-like systems designed to copy, convert, and create disk images at the byte level.
dcfldd – An enhanced version of dd with forensic-specific capabilities such as on-the-fly hashing, logging, and split output.
DC3DD – An advanced forensic imaging tool derived from dd, developed for use by the U.S. Department of Defense Cyber Crime Center (DC3), offering additional acquisition and verification features.
FTK Imager (AccessData) – A forensic imaging tool used for acquiring data from physical disks and creating forensic disk images.
Kali Linux – A penetration testing platform that also provides forensic features, including safe boot options and disk imaging capabilities.
Paladin (SUMURI) – A forensic-focused Linux distribution designed for data acquisition and analysis in investigations.
SANS Investigative Forensic Toolkit (SIFT) – An open-source digital forensic environment offering advanced acquisition and analysis tools.
Analysis Tools
Arsenal Image Mounter – A Windows tool that mounts disk images as complete, accessible drives for examination.
Autopsy – An open-source digital forensics platform that provides a comprehensive suite for disk image analysis and case management.
Bulk Extractor – A forensic utility that extracts artifacts such as emails, credit card numbers, and URLs from disk images without needing to parse the file system.
IrfanView – A lightweight image viewer often used in digital forensics for quick and efficient review of picture files.
Kali Linux – In forensic mode, it provides a range of utilities for evidence examination without altering the original data.
LastActivityView – A Windows utility that compiles and displays user activity and event logs from system records for investigation.
NSRL (National Software Reference Library) – A database of cryptographic hashes for known software applications, file types, and malware, used to identify benign or malicious files.
Registry Viewer (AccessData) – A utility for examining and interpreting the contents of Windows registry files.
RegRipper – A Perl-based tool that extracts and interprets data from Windows registry “hive” files using targeted plugins for investigative tasks.
SIFT (SANS Investigative Forensic Toolkit) – A widely recognized open-source forensic distribution supporting disk, memory, and network analysis.
Volatility Framework – An advanced memory forensics tool used to analyze RAM dumps and uncover system activity, processes, and potential compromises.
Hashing & Verification Tools
FCIV (File Checksum Integrity Verifier) – A Microsoft command-line tool used to generate and compare cryptographic hash values (MD5 and SHA-1) to verify file integrity.
