Chapter 7 · AICITSS Cyber Security

Digital Forensics Tools Directory

A complete categorized reference of the Digital Forensics tools covered in Chapter 7, organized by function: Disk Analysis, Memory Forensics, Network Forensics, Malware Analysis, Mobile Forensics, and Live Forensics.

18 Tools Listed · 6 Categories · Direct Official Links · Educational Use Only

Legal & Ethical Notice: All tools listed here must be used only on systems you own or have explicit written authorization to test. Unauthorized use of forensic tools on third-party systems is a criminal offence under the IT Act, 2000 (India) and equivalent laws globally. This directory is maintained for the AICITSS Cyber Security curriculum, for academic study and authorized professional practice only.

Disk & File Analysis Tools

Tools for disk imaging, file recovery, data carving, and file system examination

Autopsy
Disk Analysis
Open-source graphical interface for The Sleuth Kit. Used by law enforcement, military, and corporate investigators worldwide. Analyzes disk images, recovers deleted files, builds timelines, and supports plug-in pipeline modules for automated analysis.
Disk Image Analysis · File Recovery · Timeline Building · Keyword Search
The Sleuth Kit (TSK)
Disk Analysis
A collection of command-line tools and a C library for analyzing disk images and recovering files from them. Supports FAT, NTFS, Ext2/3/4, HFS+ file systems. Provides volume-level and file-system-level support. Backbone of Autopsy’s analysis engine.
File System Analysis · Volume Analysis · File Recovery · Command-Line Interface
EnCase Forensic
Disk Analysis
Industry standard by OpenText (formerly Guidance Software). Used by 90% of consumer goods companies, 93% of banks, and 100% of US federal agencies. Performs disk imaging, data carving, password recovery, remote data collection, and automated reporting.
Disk Imaging · Data Carving · Cloud Collection · Automated Reports
Forensic Toolkit (FTK)
Disk Analysis
By Exterro (formerly AccessData). Used by 130,000+ law enforcement bodies and law firms. Fastest filtering and searching available in any forensic tool. Acquires from 3,500+ mobile devices. Supports email analysis, hashing, and multi-language evidence export.
Fast Search & Filter · Email Analysis · Hash Verification · USB Portable Mode
Bulk Extractor
Disk Analysis
Cross-platform tool (Windows, Linux, Mac) that scans disk images, directories, or raw files without requiring a file system. Extracts emails, URLs, credit card numbers, GPS coordinates, and other artifacts. Supports live analysis and file decryption.
File-System Independent · Artifact Extraction · Data Recovery · Password Recovery
Digital Forensics Framework (DFF)
Disk Analysis
Open-source forensic platform built on a customized API. Supports cryptographic hash calculation, EXIF metadata extraction, Microsoft Outlook mailbox import, memory dump analysis, scripting, and automated data extraction. Available as Free, DFF Pro, and DFF Live.
Hash Calculation · EXIF Metadata · Outlook Analysis · Scripting & Batching

Memory Analysis Tools

Tools for volatile memory (RAM) forensics: extracting running processes, network connections, and malware traces

Volatility Framework
Memory
The world’s most widely used open-source memory forensics framework. Extracts digital artifacts from RAM dumps (running processes, network connections, open files, registry hives, password hashes, and malware injection traces) from Windows, Linux, and Mac systems.
RAM Dump Analysis · Process Extraction · Malware Detection · Password Hash Dump
Redline (FireEye / Trellix)
Memory
Free endpoint security tool by Trellix (formerly FireEye). Collects and analyzes memory, file system activity, and Windows registry data to find signs of malicious activity. Features Malware Risk Index scoring and IOC analysis for threat detection.
Memory Collection · IOC Analysis · Risk Scoring · Registry Analysis
Magnet RAM Capture
Memory
Free tool by Magnet Forensics for capturing the physical memory (RAM) of a live Windows system. Exports the memory image to a file that can be analyzed with Volatility or Magnet AXIOM. Lightweight and runs without installation, which makes it ideal for first responders.
Live RAM Capture · First Responder Tool · Portable / No Install · Works with Volatility

Network Forensics Tools

Tools for capturing, analyzing, and reconstructing network traffic to investigate cyber incidents

Wireshark
Network
World’s most popular network protocol analyzer. Captures and interactively browses network traffic in real time. Supports hundreds of protocols with deep inspection. Used for troubleshooting, protocol development, and forensic investigation of network-based attacks.
Packet Capture · Protocol Analysis · Traffic Reconstruction · PCAP File Analysis
NetworkMiner
Network
Passive network sniffer and packet analyzer for Windows. Detects OS, sessions, hostnames, and open ports by sniffing packets. Extracts transmitted files, certificates, images, and credentials from PCAP files. Ideal for network forensics and incident analysis.
OS Fingerprinting · File Extraction from PCAP · Credential Capture · Session Reconstruction
Xplico
Network
Open-source Network Forensic Analysis Tool (NFAT). Reconstructs application data from captured network traffic: emails, HTTP pages, VoIP calls, FTP files. Organizes extracted data by protocol and session. Included in the DEFT Linux forensic distribution.
Email Reconstruction · HTTP Page Recovery · VoIP Analysis · Protocol Decoding

Malware Analysis Tools

Tools to safely examine, reverse-engineer, and understand malicious software behavior

Cuckoo Sandbox
Malware
Leading open-source automated malware analysis system. Executes suspicious files in an isolated virtual environment and captures their behavior: API calls, network traffic, file system changes, and memory dumps. Supports Windows, Linux, macOS, and Android analysis.
Dynamic Analysis · Behavioral Reporting · Sandbox Isolation · Multi-Platform
VirusTotal
Malware
Free online service by Google that analyzes files, URLs, IPs, and domains using 70+ antivirus engines and website scanners simultaneously. Provides instant verdict and detailed behavioral analysis report. Essential tool for quick malware triage in any investigation.
Multi-AV Scanning · URL Analysis · Hash Lookup · File Reputation
ANY.RUN
Malware
Interactive online malware sandbox that lets analysts directly interact with the file being analyzed in real time. Provides instant IOC extraction, network traffic analysis, process tree visualization, and MITRE ATT&CK mapping for comprehensive threat analysis.
Interactive Sandbox · Real-Time Analysis · IOC Extraction · MITRE ATT&CK Map

Mobile Device Forensics Tools

Specialized tools for extracting, decrypting, and analyzing data from smartphones and tablets

Cellebrite UFED
Mobile
Universal Forensics Extraction Device by Israeli company Cellebrite. Gold standard for mobile forensics used by law enforcement globally. Supports physical, logical, and file system extraction from iOS, Android, and BlackBerry. Uses AI-powered filtering on extracted data.
Physical Extraction · Deleted Data Recovery · Passcode Bypass · iOS & Android
Cellebrite Physical Analyzer
Mobile
Software analysis platform for Cellebrite-extracted data. Decrypts raw disk images, decodes 11,000+ app data types, provides timeline visualizations, SQLite database viewer, Python scripting, and generates PDF/HTML/XML/Excel reports. Includes malware detection module.
App Data Decoding · Timeline Graph · SQLite Viewer · Report Generation
Magnet AXIOM
Mobile
Complete digital investigation platform handling mobile, cloud, computer, vehicle, and IoT sources in one case file. AXIOM Process acquires evidence; AXIOM Examine provides integrated analysis with active links, filters, and customizable reports.
Cloud Forensics · Vehicle Data · IoT Devices · Remote Acquisition

Live Forensics & Incident Response Tools

Tools designed for active systems: capturing volatile data, responding to incidents, and change auditing

COFEE (Microsoft)
Live IR
Computer Online Forensic Evidence Extractor developed by Microsoft with INTERPOL and NW3C. Runs from a USB pen drive to perform live forensic analysis on active Windows systems, capturing volatile data without altering the evidence. Available only to law enforcement.
Live Windows Analysis · USB Deployment · Volatile Data Capture · INTERPOL Partner
ProDiscover Forensic
Live IR
By ARC Group. The Incident Response Edition uses patented Connect-Collect-Protect technology for live analysis during active breaches and stops threats within minutes of an alert. Smart Agent can be installed and removed remotely. Supports Perl scripting and auto-reporting.
Live Incident Response · HPA Inspection · Remote Smart Agent · Boolean Search
Quest Change Auditor
Live IR
Real-time change tracking and auditing tool for Windows environments. Monitors and alerts on unauthorized changes to Active Directory, files, Exchange, and SQL servers. Displays previous and current values, supports full-text search, and takes dynamic investigation paths.
Real-Time Monitoring · Change Tracking · Insider Attack Detection · Active Directory Audit

Quick Comparison: All Tools at a Glance

Tool | Category | Platform | License | Best For
Autopsy | Disk Analysis | Win / Linux / Mac | Free | Disk image investigation with GUI
The Sleuth Kit | Disk Analysis | Win / Linux / Mac | Free | Command-line file system analysis
EnCase Forensic | Disk Analysis | Windows | Paid | Enterprise-grade court-ready investigations
FTK | Disk Analysis | Windows | Paid | Fastest search across large datasets
Bulk Extractor | Disk Analysis | Win / Linux / Mac | Free | Raw artifact extraction without file system
DFF | Disk Analysis | Win / Linux | Free + Pro | Open-source platform with scripting
Volatility | Memory Analysis | Win / Linux / Mac | Free | Deep RAM dump forensics
Redline | Memory Analysis | Windows | Free | Endpoint memory + IOC analysis
Magnet RAM Capture | Memory Analysis | Windows | Free | Quick live RAM capture for first responders
Wireshark | Network Forensics | Win / Linux / Mac | Free | Deep packet inspection and analysis
NetworkMiner | Network Forensics | Windows | Free + Pro | File extraction from captured traffic
Xplico | Network Forensics | Linux | Free | Application data reconstruction from pcap
Cuckoo Sandbox | Malware Analysis | Linux (Host) | Free | Automated dynamic malware analysis
VirusTotal | Malware Analysis | Web-Based | Free + API | Quick multi-engine malware triage
ANY.RUN | Malware Analysis | Web-Based | Free + Paid | Interactive sandbox with real-time analysis
Cellebrite UFED | Mobile Forensics | Hardware Device | LE Only | Physical extraction from locked phones
Magnet AXIOM | Mobile Forensics | Windows | Paid | All-in-one mobile + cloud + PC investigation
COFEE | Live IR | Windows (USB) | LE Only | Live volatile data from active Windows system