Tools and packages that are used for countering forensic activities, including encryption, steganography, and anything that modify attributes. This all includes tools to work with anything in general that makes changes to a system for the purposes of hiding information.
| Repository | Description |
|---|---|
| Afflib | An extensible open format for the storage of disk images and related forensic information. |
| Air-Imager | A GUI front-end to dd/dc3dd designed for easily creating forensic images. |
| Auditpol | Displays information about and performs functions to manipulate audit policies in Windows |
| Autopsy | The forensic browser. A GUI for the Sleuth Kit. |
| Bmap-tools | Tool for copying largely sparse files using information from a block map file. |
| BleachBit | System cleaner for Windows and Linux |
| Bulk-extractor | Bulk Email and URL extraction tool. |
| BurnEye | ELF encryption program. |
| Canari3 | Maltego rapid transform development and execution framework. |
| captipper | Malicious HTTP traffic explorer tool. |
| Casefile | The little brother to Maltego without transforms, but combines graph and link analysis to examine links between manually added data to mind map your information |
| ChainSaw | ChainSaw automates the process of shredding log files and bash history from a system. It is a tool that cleans up the bloody mess you left behind when you went for a stroll behind enemy lines |
| Chaosmap | An information gathering tool and dns / whois / web server scanner |
| chntpw | Offline NT Password Editor - reset passwords in a Windows NT SAM user database file |
| Chromefreak | A Cross-Platform Forensic Framework for Google Chrome |
| Clear-EventLog | Powershell Command. Clears all entries from specified event logs on the local or remote computers. |
| DBAN | Darik's Boot and Nuke ("DBAN") is a self-contained boot image that securely wipes the hard disks of most computers. DBAN is appropriate for bulk or emergency data destruction. |
| Dc3dd | A patched version of dd that includes a number of features useful for computer forensics. |
| Dcfldd | DCFL (DoD Computer Forensics Lab) dd replacement with hashing |
| ddrescue | GNU data recovery tool |
| Disitool | Tool to work with Windows executables digital signatures. |
| Dmg2img | A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format |
| Dumpzilla | A forensic tool for firefox. |
| ELFcrypt | ELF crypter. |
| Emldump | Analyze MIME files. |
| Evtkit | Fix acquired .evt - Windows Event Log files (Forensics). |
| Exiftool | Reader and rewriter of EXIF informations that supports raw files |
| Exiv2 | Exif, Iptc and XMP metadata manipulation library and tools |
| Extundelete | Utility for recovering deleted files from ext2, ext3 or ext4 partitions by parsing the journal |
| Foremost | A console program to recover files based on their headers, footers, and internal data structures |
| FreeOTFE | A free "on-the-fly" transparent disk encryption program for PC & PDAs |
| Fridump | A universal memory dumper using Frida. |
| Galleta | Examine the contents of the IE's cookie files for forensic purposes |
| Grokevt | A collection of scripts built for reading Windows® NT/2K/XP/2K eventlog files. |
| Guymager | A forensic imager for media acquisition. |
| Harness | Execute ELFs in memory. |
| Hdpram | get/set hard disk parameters |
| HiddenVM | Use any desktop OS without leaving a trace. |
| Imagemounter | Command line utility and Python package to ease the (un)mounting of forensic disk images. |
| Indxparse | A Tool suite for inspecting NTFS artifacts. |
| Interrogate | A proof-of-concept tool for identification of cryptographic keys in binary material (regardless of target operating system), first and foremost for memory dump analysis and forensic usage. |
| IOSforensic | iOS forensic tool https://www.owasp.org/index.php/Projects/OWASP_iOSForensic |
| IPBA2 | IOS Backup Analyzer |
| Iphoneanalyzer | Allows you to forensically examine or recover date from in iOS device. |
| Kaiser | File-less persistence, attacks and anti-forensic capabilities (Windows 7 32-bit). |
| lazagne | An open source application used to retrieve lots of passwords stored on a local computer. |
| Lfle | Recover event log entries from an image by heurisitically looking for record structures. |
| LiMEaide | Remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. |
| LogKiller | Clear all your logs in linux/windows servers |
| MAFIA | Metasploit Anti Forensic Tools and techniques for removing forensic evidence from computer systems |
| MagicRescue | Find and recover deleted files on block devices |
| Malheur | A tool for the automatic analyze of malware behavior. |
| Maltego | An open source intelligence and forensics application, enabling to easily gather information about DNS, domains, IP addresses, websites, persons, etc. |
| MalwareDetect | Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware |
| MboxGrep | A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats. |
| MemDump | Dumps system memory to stdout, skipping over holes in memory maps. |
| MemFetch | RDumps any userspace process memory without affecting its execution. |
| Meterpreter > clearev | The meterpreter clearev command will clear the Application, System, and Security logs on a Windows system |
| Midgetpack | Midgetpack is a multiplatform secure ELF packer |
| Mimipenguin | A tool to dump the login password from the current linux user. |
| Mobiusft | An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. |
| Mp3nema | A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data. |
| Mxtract | Memory Extractor & Analyzer. |
| Naft | Network Appliance Forensic Toolkit. |
| Networkminer | A Network Forensic Analysis Tool for advanced Network Traffic Analysis, sniffer and packet analyzer. |
| Nfex | A tool for extracting files from the network in real-time or post-capture from an offline tcpdump pcap savefile. |
| Ntdsxtract | Active Directory forensic framework. |
| nTimetools | Timestomper and Timestamp checker with nanosecond accuracy for NTFS volumes |
| NTFS-3G | NTFS-3G Safe Read/Write NTFS Driver |
| Papa Shango | Inject code into running processes with ptrace(). |
| Pasco | Examines the contents of Internet Explorer's cache files for forensic purposes. |
| PcapXray | Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction. |
| Pdf-parser | Parses a PDF document to identify the fundamental elements used in the analyzed file. |
| Pdfbook-analyzer | Utility for facebook memory forensics. |
| Pdfid | Scan a file to look for certain PDF keywords. |
| PdfResurrect | A tool aimed at analyzing PDF documents. |
| Peepdf | A Python tool to explore PDF files in order to find out if the file can be harmful or not. |
| Permanent-Eraser | Secure file erasing utility for macOS |
| Pev | Command line based tool for PE32/PE32+ file analysis. |
| python-evtx | A tool to parse the Windows XML Event Log (EVTX) format. |
| Recoverjpeg | Recover jpegs from damaged devices. |
| Recuperabit | A tool for forensic file system reconstruction. |
| Reglookup | Command line utility for reading and querying Windows NT registries. |
| Rekall | Memory Forensic Framework. |
| ReplayProxy | Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file. |
| Rifiuti2 | A rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. |
| Rkhunter | Checks machines for the presence of rootkits and other unwanted tools. |
| SafeCopy | A disk data recovery tool to extract data from damaged media. |
| Saruman | ELF anti-forensics exec, for injecting full dynamic executables into process image (With thread injection) |
| Scalpel | An open source data carving tool. |
| Scrounge-Ntfs | Data recovery program for NTFS file systems |
| SetMace | Manipulate timestamps on NTFS |
| Sherlocked | Universal script packer-- transforms any type of script into a protected ELF executable, encrypted with anti-debugging |
| Shred | Overwrite a file to hide its contents, and optionally delete it |
| Silk-guardian | An anti-forensic kill-switch that waits for a change on your usb ports and then wipes your ram, deletes precious files, and turns off your computer. |
| SkypeFreak | A Cross Platform Forensic Framework for Skype. |
| Sleuthkit | RFile system and media management forensic analysis tools. |
| Srm | Srm is a command-line compatible rm which overwrites file contents before unlinking |
| Stegdetect | Automated tool for detecting steganographic content in images. |
| StegFS | A FUSE based steganographic file system |
| Steghide | Steganography program that is able to hide data in various kinds of image- and audio-files |
| Swap-digger | A tool used to automate Linux swap analysis during post-exploitation or forensics. |
| Tails | portable operating system that protects against surveillance and censorship |
| Tchunt-ng | Reveal encrypted files stored on a filesystem. |
| Tekdefense-automater | IP URL and MD5 OSINT Analysis. |
| TestDisk | Checks and undeletes partitions + PhotoRec, signature based recovery tool |
| Trid | An utility designed to identify file types from their binary signatures. |
| TrueHunter | Detect TrueCrypt containers using a fast and memory efficient approach. |
| Unhide | A forensic tool to find processes hidden by rootkits, LKMs or by other techniques. |
| Usbdeath | anti-forensic tool that writes udev rules for known usb devices and do some things at unknown usb device insertion or specific usb device removal |
| USBKill | An anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer. |
| Vinetto | A forensics tool to examine Thumbs.db files |
| Volafox | macOS Memory Analysis Toolkit. |
| Volatility | Advanced memory forensics framework |
| Wevtutil | Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs (windows server) |
| Wipe | A Unix tool for secure deletion |
| Wipedicks | Wipe files and drives securely with randoms ASCII dicks |
| wiper | Toolkit to perform secure destruction of sensitive virtual data, temporary files and swap memories. |
| Xplico | Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT). |
| XsUSBsentinel | Windows anti-forensics USB monitoring tool. |
| Zeroize | Zeroize is a rust library enabling to : Securely clear secrets from memory with a simple trait built on stable Rust primitives which guarantee memory is zeroed using an operation will not be ‘optimized away’ by the compiler |
| ZipDump | ZIP dump utility. |
Thanks for visiting ! If you have suggestions, then open an issue, or submit a PR. Contributions are welcome, and much appreciated !
