Chapter 7 · AICITSS Cyber Security

OSINT & Digital Forensics Tools Directory

A categorized reference of all tools covered in Chapter 7 — Digital Forensics Tools and Usage of OSINT Tools for Cyber Forensics. Click any tool to visit its official website.

📦 22 Tools Listed
🗂 5 Categories
🔗 Direct Links Included
🎓 For Educational Use
⚠ Educational Disclaimer: All tools listed here are for lawful, educational, and authorized use only. Use of these tools without proper authorization on systems you do not own is illegal and punishable under the IT Act, 2000 and other applicable laws. This directory is maintained for the AICITSS Cyber Security curriculum.

OSINT Intelligence Tools

Tools for gathering, analyzing, and visualizing open-source intelligence from public sources

Maltego
OSINT
Powerful link analysis and data visualization tool. Maps relationships between people, organizations, domains, IPs, and online entities using graphical transforms. Used in cyber forensics for evidence presentation in court.
Data Visualization · Link Analysis · Threat Tracking · Incident Response
The Harvester
OSINT
Passive information gathering tool for emails, subdomains, hosts, and employee names linked to a target domain. Collects data from search engines and social media without direct interaction with the target.
Email Discovery · Subdomain Mapping · Digital Footprint · Social Profiling
SpiderFoot
OSINT
Automated OSINT tool that aggregates data about IPs, domains, emails, and more from 200+ data sources including dark web, threat feeds, WHOIS, and social media. Ideal for comprehensive digital footprint analysis.
Entity Profiling · Threat Intelligence · Dark Web Scanning · Geolocation
Wayback Machine
OSINT
Internet Archive’s web archiving service that stores snapshots of websites over time. Used in digital forensics to retrieve deleted or altered web content, verify historical claims, and reconstruct evidence timelines.
Website History · Content Recovery · Evidence Verification · Timeline Building
FOCA
OSINT
Fingerprinting Organizations with Collected Archives — extracts metadata from documents (PDFs, Word, Excel) to reveal author names, creation dates, GPS coordinates, software versions, and network paths embedded in files.
Metadata Analysis · Author Identification · Document Forensics · Network Enumeration
Metagoofil
OSINT
Extracts metadata from public documents (PDF, DOC, XLS, PPT) found via Google search. Reveals usernames, software versions, email addresses, and server paths — valuable for building intelligence about a target organization.
File Metadata · Username Harvesting · Insider Threat Detection · Document Chain
Google Dorks
OSINT
Advanced Google search operators used to find sensitive information inadvertently exposed on the internet — login pages, open directories, vulnerable servers, and confidential documents. Used in reconnaissance and evidence gathering.
Sensitive Info Discovery · Vulnerability Mapping · Evidence Gathering · Footprint Analysis

Digital Forensics Suites

Professional-grade platforms for disk imaging, evidence collection, analysis, and reporting

EnCase Forensic
Forensics
Industry-leading forensic platform by Guidance Software (OpenText). Used by 90% of consumer goods companies, 100% of US federal agencies. Supports disk imaging, data carving, password recovery, remote collection, and automated reporting.
Disk Imaging · Data Carving · Password Recovery · Court Reporting
Forensic Toolkit (FTK)
Forensics
By AccessData (now Exterro). Used by 130,000+ law enforcement agencies and law firms worldwide. Analyzes laptops, PCs, mobile devices, and network traffic. Features the fastest filtering and searching of any forensic tool.
Email Analysis · Mobile Devices · Hashing Techniques · Multi-language Support
Autopsy / The Sleuth Kit
Forensics
Open-source digital forensics platform. The Sleuth Kit is a command-line library for file system analysis; Autopsy is its graphical interface. Used by law enforcement, military, and corporate investigators to analyze disk images and recover files.
File System Analysis · Disk Image Analysis · File Recovery · Timeline Analysis
Magnet AXIOM
Forensics
Complete digital investigation platform for mobile, cloud, computer, and vehicle sources. AXIOM Process acquires images; AXIOM Examine provides integrated analysis. Includes GrayKey for iOS/Android access and DVR Examiner for CCTV footage.
Cloud Forensics · CCTV Analysis · IoT Devices · Remote Acquisition
Bulk Extractor
Forensics
Cross-platform (Windows, Linux, Mac) forensic tool that scans disk images without requiring a file system. Extracts emails, URLs, credit card numbers, and other artifacts from raw data. Supports live analysis and decryption.
Raw Data Scanning · Email Extraction · Data Recovery · Live Analysis
Digital Forensics Framework (DFF)
Forensics
Open-source forensic platform built on a customized API. Used by law enforcement, educational institutions, and private companies. Supports EXIF metadata extraction, Outlook mailbox analysis, memory dump analysis, and scripting capabilities.
EXIF Extraction · Memory Analysis · Live & Static Analysis · Scripting

Mobile Forensics Tools

Specialized tools for data extraction, decryption, and analysis from smartphones and tablets

Cellebrite UFED
Mobile
Universal Forensics Extraction Device by Israeli company Cellebrite. Industry standard for extracting data from iOS, Android, and BlackBerry devices. Supports physical and logical acquisition with AI-powered keyword filtering. Available only to licensed law enforcement agencies.
iOS & Android · Deleted Data Recovery · Passcode Bypass · Law Enforcement
Cellebrite Physical Analyzer
Mobile
Software companion to UFED hardware. Provides automated decryption, data visualization, timeline graphs, SQLite database viewer, and report generation (PDF/HTML/XML/Excel). Supports 11,000+ applications and devices. Includes malware detection and Python scripting.
App Data Decoding · Timeline Visualization · SQLite Viewer · Report Generation
COFEE (Microsoft)
Mobile
Computer Online Forensic Evidence Extractor — developed by Microsoft in collaboration with INTERPOL and NW3C. Runs from a USB drive to perform live forensic analysis on Windows systems. Available exclusively to law enforcement agencies worldwide.
Live Analysis · Windows Forensics · USB Deployment · INTERPOL Partner Tool

Reconnaissance & Web Intelligence

Tools for passive and active information gathering, web profiling, and digital footprint analysis

Recon-ng
Recon
Full-featured web reconnaissance framework with modular architecture. Integrates with OSINT sources to gather domain names, subdomains, email addresses, and employee names. Automates data analysis and supports link analysis for pattern discovery.
Passive Recon · OSINT Gathering · Metadata Collection · Automated Analysis
Shodan
Recon
Search engine for internet-connected devices and infrastructure. Identifies open ports, services, banners, and SSL certificates. Used to discover vulnerable IoT devices, CCTV cameras, industrial systems, and unsecured servers during investigations.
IoT Discovery · Vulnerability Assessment · Banner Grabbing · Network Recon
Netcraft
Recon
Internet services company providing detailed data on web hosting, server technologies, SSL/TLS certificates, and site reputation. Widely used for phishing site detection, DDoS attack monitoring, email tracking, and hosting provider identification.
Phishing Detection · SSL Certificate Analysis · DDoS Monitoring · Site Reputation

Network & Threat Intelligence

Tools for network mapping, SSL analysis, IoC identification, and real-time threat intelligence

Censys
Network
Internet-wide scanning platform focused on network-connected devices. Provides asset discovery, SSL/TLS certificate analysis, vulnerability identification, and IoC (Indicator of Compromise) lookups. Offers historical data for tracking network configuration changes.
Asset Discovery · SSL/TLS Analysis · IoC Identification · Network Mapping
ThreatCrowd
Threat Intel
Open threat intelligence platform that aggregates data on domains, IPs, email addresses, and malware from multiple threat intel sources. Enables IoC searches, malware pattern analysis, phishing URL tracking, and real-time threat monitoring for incident response teams.
IoC Search · Malware Analysis · Threat Sharing · Incident Response
ProDiscover Forensic
Network
By ARC Group, New York. Available in Basic, Forensic Edition, and Incident Response Edition. The IR Edition uses patented Connect-Collect-Protect technology for live analysis during active breaches. Supports malware hash sets, Perl scripting, and Boolean searches.
Live Incident Response · HPA Analysis · Malware Hash Sets · Boolean Search