Skip to content
Go to file

Latest commit

UAC tool added to the Live Forensics list.

Signed-off-by: Thiago Lahr <>

Git stats


Failed to load latest commit information.
Latest commit message
Commit time
Jan 9, 2020
Mar 29, 2016

Awesome Forensics Link Status

Curated list of awesome free (mostly open source) forensic analysis tools and resources.





  • dff - Forensic framework
  • dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
  • IntelMQ - IntelMQ collects and processes security feeds
  • Kuiper - Digital Investigation Platform
  • Laika BOSS - Laika is an object scanner and intrusion detection system
  • PowerForensics - PowerForensics is a framework for live disk forensic analysis
  • The Sleuth Kit - Tools for low level forensic analysis
  • turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
  • IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations

Live Forensics

  • grr - GRR Rapid Response: remote live forensics for incident response
  • Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
  • mig - Distributed & real time digital forensics at the speed of the cloud
  • osquery - SQL powered operating system analytics
  • UAC - Shell script that makes use of built-in tools to automate the collection of system artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris.


  • artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
  • ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
  • AVML - A portable volatile memory acquisition tool for Linux
  • Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
  • DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
  • FastIR Collector - Collect artifacts on windows
  • LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
  • Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries


  • dc3dd - Improved version of dd
  • dcfldd - Different improved version of dd (this version has some bugs!, another version is on github adulau/dcfldd)
  • FTK Imager - Free imageing tool for windows
  • Guymager - Open source version for disk imageing on linux systems


  • bstrings - Improved strings utility
  • bulk_extractor - Extracts information such as email addresses, creditcard numbers and histrograms from disk images
  • floss - Static analysis tool to automatically deobfuscate strings from malware binaries
  • photorec - File carving tool
  • swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.

Memory Forensics

  • - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support
  • KeeFarce - Extract KeePass passwords from memory
  • MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
  • Rekall - Memory Forensic Framework
  • volatility - The memory forensic framework
  • VolUtility - Web App for Volatility framework

Windows Artifacts

  • Beagle - Transform data sources and logs into graphs
  • FRED - Cross-platform microsoft registry hive editor
  • LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • python-evt - Pure Python parser for classic Windows Event Log files (.evt)
  • RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis.

NTFS/MFT Processing

OS X Forensics

Mobile Forensics

  • ALEAPP - An Android Logs Events and Protobuf Parser
  • ArtEx - Artifact Examiner for iOS Full File System extractions
  • iLEAPP - An iOS Logs, Events, And Plists Parser
  • MEAT - Perform different kinds of acquisitions on iOS devices

Docker Forensics

Internet Artifacts

  • chrome-url-dumper - Dump all local stored infromation collected by Chrome
  • hindsight - Internet history forensics for Google Chrome/Chromium
  • unfurl - Extract and visualize data from URLs

Timeline Analysis

  • DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
  • plaso - Extract timestamps from various files and aggregate them
  • Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
  • timeliner - A rewrite of mactime, a bodyfile reader
  • timesketch - Collaborative forensic timeline analysis

Disk image handling

  • Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
  • imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
  • libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
  • PancakeViewer - Disk image viewer based in dfvfs, similar to the FTK Imager viewer
  • xmount - Convert between different disk image formats



  • dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
  • Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads

Picture Analysis

  • sherloq - An open-source digital photographic image forensic toolset

Learn Forensics




more at Recommended Readings by Andrew Case

File System Corpora





Related Awesome Lists


Pull requests and issues with suggestions are welcome!

You can’t perform that action at this time.