This page pulls together a broad set of DFIR tools so you can jump straight to the official download or project page. Always verify hashes, signatures, licenses, and legal requirements before using any tool in an investigation.
Follow your organization's policies.
Note also that these tools are not listed as recommendations by the developer; the tools in this catalog were identified by AI as relevant to digital forensics.
Triage & Imaging
Disk imaging, quick triage, and evidence acquisition.
FTK Imager
Lightweight imaging and preview tool for acquiring forensic images, mounting them, and verifying hash values.
Download FTK Imager →
Magnet ACQUIRE
Tool for acquiring images from computers and some mobile devices, often used as an entry point for Magnet’s analysis stack.
Magnet ACQUIRE →
Guymager
Fast, open-source forensic imager for Linux with support for multiple image formats and verification.
Guymager Project →
Memory Forensics
RAM acquisition and deep analysis of live system artifacts.
Volatility 3
Analyze memory dumps from Windows, Linux, and macOS to recover processes, drivers, network connections, and potential malware.
Volatility 3 on GitHub →
OSForensics RAM Imager
Capture physical memory from Windows systems for later analysis using Volatility and other frameworks.
OSF Memory Imager →
Mobile & Device Forensics
iOS, Android, and unified logs / backup analysis.
iLEAPP
Parses iOS/iPadOS extractions and backups, surfacing logs, plists, notifications, and other artifacts into HTML/CSV reports.
iLEAPP on GitHub →
ALEAPP
Companion to iLEAPP for Android devices, parsing logs, protobufs, and app data from extractions and backups.
ALEAPP on GitHub →
UFADE
Uses pymobiledevice3 under the hood to create advanced iOS logical backups and extract unified logs for further analysis.
UFADE on GitHub →
ALEX
ADB-based Android extraction utility supporting sdcard pulls, backups, logging, and optional on-the-fly artifacts like screenshots.
ALEX on GitHub →
Arsenic Triage Tool
Mobile triage tool focusing on quick, consent-based iOS investigations with targeted artifact analysis for on-scene use.
Arsenic Triage Tool →
Forensic Suites & Platforms
Full-featured forensic environments and toolkits.
Autopsy
Full GUI-based platform built on The Sleuth Kit for file system, artifacts, timeline, and media analysis.
Download Autopsy →
Sleuth Kit
Command-line tools for detailed file system analysis, image parsing, and low-level artifact work.
Download Sleuth Kit →
Kali Linux
Linux distribution packed with security, DFIR, and network analysis tools. Available as ISO, VM image, and WSL.
Get Kali Linux →
SANS SIFT Workstation
Pre-built Linux workstation with a large collection of DFIR tools, tailored for incident response workflows.
SIFT Workstation →
Windows Artifact & Triage Tools
Registry, file system, and artifact parsers.
Eric Zimmerman Tools
Collection of tools (MFTECmd, AmCacheParser, LECmd, ShellBags Explorer, etc.) for deep Windows artifact analysis.
Download EZ Tools →
KAPE
Rapid collection and parsing framework that uses modular targets and parsers to triage Windows systems quickly.
Get KAPE →
RegRipper
Classic Windows registry analysis tool that parses hives using plugins focused on forensic-relevant keys and values.
RegRipper on GitHub →
Arsenal Image Mounter
Mount forensic images as local disks, with options to expose virtual disk structures to tools and the OS.
Arsenal Image Mounter →
Network Forensics, PCAP & Port Utilities
Packet capture, protocol analysis, network monitoring, and quick port lookups.
Wireshark
Widely used network analysis tool for inspecting live traffic and PCAP files, supporting hundreds of protocols.
Download Wireshark →
NetworkMiner
Parses PCAPs to extract files, credentials, sessions, and host information from captured network traffic.
NetworkMiner →
Zeek
Network security engine that converts traffic into rich logs, excellent for incident response and hunt operations.
Get Zeek →
SpeedGuide Port Lookup
Database of common TCP/UDP ports and their associated services, useful when analyzing firewall logs and network captures.
SpeedGuide Ports →
TCPDump
Classic command-line packet analyzer used extensively on Linux/Unix systems for live capture and quick review.
TCPDump →
TShark
Command-line counterpart to Wireshark for scripting, automation, and headless packet capture and analysis.
TShark Docs →
Browser & Cloud Forensics
Web history, cloud app, and SaaS artifact analysis.
Hindsight
Parses Chrome/Chromium history and artifacts to reconstruct user activity, including URLs, downloads, and session data.
Hindsight on GitHub →
Browser History Viewer / NirSoft Tools
Tools that read browser history, cache, and cookies from multiple browsers to support timeline reconstruction.
NirSoft Browser Tools →
Reverse Engineering & Malware DFIR
Static and dynamic analysis helpers.
Ghidra
Feature-rich framework for reverse engineering binaries with a powerful decompiler and scripting support.
Download Ghidra →
CAPA
Analyzes binaries to detect capabilities (e.g., keylogging, C2, persistence) using rules, rather than signatures.
CAPA on GitHub →
FLOSS
Extracts and deobfuscates strings from malware, helping you quickly see C2 URLs, commands, and configuration.
FLOSS on GitHub →
Password & Hash Tools
Cracking, auditing, and hash analysis.
Hashcat
High-performance password recovery tool supporting many hash types and attack modes, widely used in auditing.
Download Hashcat →
John the Ripper
Classic password auditing tool that supports a wide range of hash formats and cracking strategies.
John the Ripper →
Incident Response & Endpoint Platforms
Endpoint triage, hunting, and fleet visibility.
Velociraptor
Open-source platform for collecting artifacts at scale, hunting, and performing remote DFIR operations.
Velociraptor →
OSQuery
Turns endpoints into SQL-queryable data sources, useful for rapid IR questions across many systems.
OSQuery →
Sysinternals Suite
Comprehensive set of Windows utilities (ProcMon, ProcExp, Autoruns, etc.) essential for IR and troubleshooting.
Sysinternals Suite →
Linux DFIR & Timeline Tools
Logs, timelines, and post-mortem analysis.
Plaso (log2timeline)
Creates super timelines from many log sources and artifacts, forming the backbone of time-based investigations.
Plaso on GitHub →
Timesketch
Web-based tool used to explore and annotate forensic timelines, often paired with Plaso-generated data.
Timesketch on GitHub →
3D, Photo & Photography Tools
Photogrammetry, point clouds, cleanup, and camera training helpers.
3DF Zephyr Photogrammetry Suite
Photogrammetry software for turning photos into 3D models, useful for scene reconstruction and documentation.
3DF Zephyr →
CloudCompare
Open-source 3D point cloud and mesh processing tool, useful for analyzing scans and model comparison.
CloudCompare →
Cleanup.pictures
Web-based tool for removing unwanted objects from images. Helpful for report graphics and presentation-ready visuals.
Cleanup Pictures →
CameraFRASE
Tooling from CameraForensics to assist with camera-related investigation workflows.
CameraFRASE →
CameraSim DSLR Simulator
DSLR behavior simulator that helps visualize how camera settings affect images—a useful teaching aid when explaining photo evidence.
CameraSim →
Cutout Pro Background Remover
AI-based background remover that can quickly isolate subjects for presentations, timelines, or training material.
Cutout Pro →
Data, Encoding & File Utilities
Encoding, metadata, and database helpers.
ASCII Converter
Quick conversion between characters and ASCII codes when examining data fragments or low-level artifacts.
ASCII Converter →
Dcode Forensic Decoding Suite
A long-standing decoding suite for converting hex, timestamps, binary data, and other encodings common in DFIR.
Dcode Suite →
SQLite Database Browser
GUI viewer and editor for SQLite databases, which underlie many application and mobile artifacts.
DB Browser for SQLite →
EXIFTool
Powerful command-line utility for reading and writing metadata in a wide range of file formats (images, docs, etc.).
EXIFTool →
LinangData EXIF Reader
Web EXIF viewer for inspecting metadata without installing local tools—handy for quick triage.
LinangData EXIF Reader →
PDFEscape Online PDF Editor
Online editor for redacting, annotating, and modifying PDFs when preparing case reports or exhibits.
PDFEscape →
Design, Reporting & Visuals
Presentations, dashboards, and report-ready visuals.
Canva Templates Library
Large library of templates for reports, presentations, and visual explainers around your DFIR findings.
Canva Templates →
Flourish
Tool for building interactive charts, maps, and visualizations that can help communicate forensic timelines and relationships.
Flourish Studio →
Email & Header Analysis
Email tracing, headers, and deliverability checks.
MXToolbox Email Header Analyzer
Parses email headers to show routing details, delays, and potential issues, useful in phishing and fraud investigations.
MXToolbox Header Analyzer →
Verifalia Email Validator
Validates whether email addresses are syntactically valid and deliverable—helpful for victim/suspect contact data.
Verifalia →
Browser, Capture & Scraping Tools
Screenshots, web capture, scraping, and media grabbers.
CopyFish OCR
Browser extension that performs OCR on selected screen areas, useful for grabbing text from images and web apps.
CopyFish OCR →
DumpItBlue+
Screenshot tool focused on capturing web content for documentation and evidence.
DumpItBlue+ →
Nimbus Screenshot
Capture entire pages, regions, or videos from the browser for later reference or inclusion in case files.
Nimbus Screenshot →
Greenshot
Lightweight screenshot utility for Windows that supports annotations and quick exports.
Greenshot →
HTTrack Website Copier
Downloads sites for offline browsing and preservation; useful when you need a local copy of web content.
HTTrack →
OBS Studio
Open-source screen recording and streaming tool often used to capture volatile or interactive evidence.
OBS Studio →
Online Video Downloader
Online service that converts and downloads videos from popular platforms for evidence preservation (use legally).
Online Video Downloader →
Web to PDF Converter
Converts full web pages into PDFs for archiving and including in case documentation.
Web2PDF Converter →
Windows Screen Recorder Pro
Microsoft Store-based screen recorder for capturing on-screen actions and volatile states on Windows systems.
Screen Recorder Pro →
Device Specs & IMEI Lookups
Handset identification, specs, and IMEI-based lookups.
GSM Arena Device Database
Comprehensive database of mobile device specifications, generations, and variants.
GSM Arena →
IMEI Check
Online IMEI checker useful for validating device identifiers during mobile investigations.
IMEI Check →
IMEI.info
IMEI-based device lookup service for retrieving manufacturer, model, and sometimes basic status information.
IMEI.info →
PhoneScoop
Phone directory and spec database that can assist in identifying handset capabilities and release timelines.
PhoneScoop →
Additional IR / DFIR Tool Collections
Suites, collections, and curated tool lists.
Breakpoint Forensics Tools
Collection of DFIR tools and utilities for artifact parsing and investigation tasks.
Breakpoint Tools →
CyberTriage
Incident response and triage platform for quickly assessing compromised systems.
CyberTriage Eval →
CyberTriage Product Page →
Technitium MAC Address Changer
Utility for viewing and changing MAC addresses on Windows adapters—useful in lab or testing environments.
Technitium MAC Changer →
FireEye Redline
Classic endpoint triage tool that collects system information, memory data, and indicators for analysis.
Redline Download →
INV Network Free DFIR Tools
Hub of free forensic tools and resources maintained by INV Network.
INV DFIR Tools →
Arsenal Recon Downloads
Download center for Arsenal Recon utilities, including powerful imaging and mounting tools.
Arsenal Recon Downloads →
Kali Linux Tools List
Online index of all tools included with Kali Linux, organized by category and function.
Kali Tools List →
Monolith Forensics Free Tools
Collection of free forensic utilities and scripts curated by Monolith Forensics.
Monolith Free Tools →
Password & Hash Resources
Online hash lookup and cracking references.
CrackStation Hash Lookup
Online service for looking up common hashed passwords via a large precomputed table—useful during password investigations.
CrackStation →
Time, Date & Misc Utilities
Time zones, math helpers, and general utilities.
SavvyTime UTC Converter
Convert timestamps across time zones, particularly helpful when correlating logs from different regions.
SavvyTime Converter →
World Clock Time Zone Converter
Compare multiple time zones at once, simplifying cross-region case timelines.
TimeAndDate Converter →
WhatTimeIsIt
Minimal clock site for quickly confirming current time without OS clutter.
WhatTimeIsIt.com →
Speed Distance Time Calculator
Calculator for solving speed, distance, and time problems—occasionally useful for reconstructions and vehicle cases.
Speed/Distance/Time Calculator →
Blockchain Explorer
High-level blockchain explorer for reviewing cryptocurrency addresses and transactions in crypto-related cases.
Blockchain Explorer →
TextEm
Web interface for sending SMS via carriers—occasionally referenced in investigations or testing scenarios.
TextEm →
AlternativeTo
Directory for finding alternative software when specific tools are not allowed, licensed, or available in your environment.
AlternativeTo →
TinyWow
Collection of small web utilities for file conversion, PDF manipulation, and more.
TinyWow →
Utility & Misc Tools
Data wrangling, decoding, and helper utilities.
CyberChef
Web and local tool for encoding/decoding, parsing, and analyzing data used in DFIR, malware analysis, and OSINT.
CyberChef on GitHub →