Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
Share on:

22 FREE Forensic Investigation Tools for IT Security Expert

FREE Forensic Investigation Tools for IT Security Expert
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

A data breach happens almost every day.

Some of the top data breaches are;

  • JP Morgan Chase
  • Bank of America
  • HSBC
  • TD Bank
  • Target
  • Tumbler
  • Home Depot
  • MySpace
  • eBay
  • Adobe System Inc
  • iMesh

Juniper Research suggests Cybercrime will cost over $5 trillion to the business by 2024. So computer forensic expert demand will also increase.

Tools are the administrator’s best friend; using the right tool always helps you to move things faster and make you productive. Forensic investigation is always challenging as you may gather all the information you could for the evidence and mitigation plan.

Here are some of the computer forensic investigator tools you would need. Most of them are free!


Autopsy is a GUI-based open source digital forensic program to analyze hard drives and smartphones efficiently. Autospy is used by thousands of users worldwide to investigate what happened on the computer.


It’s widely used by corporate examiners, military to investigate, and some of the features are.

  • Email analysis
  • File type detection
  • Media playback
  • Registry analysis
  • Photos recovery from memory card
  • Extract geolocation and camera information from JPEG files
  • Extract web activity from a browser
  • Show system events in a graphical interface
  • Timeline analysis
  • Extract data from Android – SMS, call logs, contacts, etc.

It has extensive reporting to generate in HTML, XLS file format.

Encrypted Disk Detector

Encrypted Disk Detector can be helpful to check encrypted physical drives. It supports TrueCrypt, PGP, BitLocker, Safeboot encrypted volumes.

Kit Forensic

Used by the law enforcement agencies like the FBI, Europol, etc., Kit Forensic from Passware is a top tool to investigate serious matters.

Its password recovery works for over 340 use cases, including MS Office, Bitcoin wallets, Mac OS X Keychain, top-rated password managers, PDF, BitLocker, and more.


One of the highlight features of Kit Forensic is its live memory analysis which helps you to dig up encryption keys and passwords from a disk image. Besides, this works to rip apart full disk encryption deployed by tools like BitLocker, TrueCrypt, Apple DMG disk, LUKS(2), McAfee, etc.

This forensic investigation tool comes in various flavors, from Kit basic to Kit forensic, based on what you need to decode. However, you can also download the limited-powered, free version to get a taste of one of the most powerful investigation tools.


Wireshark is a network capture and analyzer tool to see what’s happening in your network. Wireshark will be handy to investigate the network-related incident.

Magnet RAM Capture

You can use Magnet RAM capture to capture the physical memory of a computer and analyze artifacts in memory.

It supports the Windows operating system.

Network Miner

An interesting network forensic analyzer for Windows, Linux & MAC OS X to detect OS, hostname, sessions, and open ports through packet sniffing or by PCAP file. Network Miner provides extracted artifacts in an intuitive user interface.



NMAP (Network Mapper) is one of the most popular networks and security auditing tools. NMAP is supported on most of the operating systems, including Windows, Linux, Solaris, Mac OS, HP-UX, etc. It’s open-source so free.

RAM Capturer

RAM Capturer by Belkasoft is a free tool to dump the data from a computer’s volatile memory. It’s compatible with Windows OS. Memory dumps may contain encrypted volume’s password and login credentials for webmails and social network services.

Forensic Investigator

If you are using Splunk, then Forensic Investigator will be a convenient tool. It’s a Splunk app and has many tools combined.

  • WHOIS/GeoIP lookup
  • Ping
  • Port scanner
  • Banner grabber
  • URL decoder/parser
  • XOR/HEX/Base64 converter
  • SMB Share/NetBIOS viewer
  • Virus Total lookup


FAW (Forensics Acquisition of Websites) is to acquire web pages for forensic investigation, which has the following features.

  • Capture the entire or partial page
  • Capture all types of image
  • Capture HTML source code of the web page
  • Integrate with Wireshark


HashMyFiles will help you to calculate the MD5 and SHA1 hashes. It works on almost all the latest Windows OS.


Crowd Response

Response by Crowd Strike is a windows application to gather system information for incident response and security engagements. You can view the results in XML, CSV, TSV, or HTML with the help of CRConvert. It runs on 32 or 64 bit of Windows XP above.

Crowd Strike has some other helpful tools for investigation.

  • Totrtilla – anonymously route TCP/IP and DNS traffic through Tor.
  • Shellshock Scanner – scan your network for shellshock vulnerability.
  • Heartbleed scanner – scan your network for OpenSSL heart bleed vulnerability.

NFI Defraser

Defraser forensic tool may help you to detect full and partial multimedia files in the data streams.


ExifTool helps you to read, write, and edit meta information for a number of file types. It can read EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, Photoshop IRB, FlashPix, etc.


Toolsley got more than ten useful tools for investigation.

  • File signature verifier
  • File identifier
  • Hash & Validate
  • Binary inspector
  • Encode text
  • Data URI generator
  • Password generator


SIFT (SANS investigative forensic toolkit) workstation is freely available as Ubuntu 14.04. SIFT is a suite of forensic tools you need and one of the most popular open source incident response platform.



Extract all exciting information from Firefox, Iceweasel and Seamonkey browser to be analyzed with Dumpzilla.


Browser History

Foxton has two free exciting tools.

  1. Browser history capturer – capture web browser (chrome, firefox, IE & edge) history on Windows OS.
  2. Browser history viewer – extract and analyze internet activity history from most of modern browsers. Results are shown in the interactive graph, and historical data can be filtered.

Kali Linux

Kali Linux is one of the most popular operating systems for security and penetration testing, but it has forensic capability too. There are more than 100 tools so I am sure you will find one for your need.

3 kali linux


PALADIN forensic suite – the world’s most famous Linux forensic suite is a modified Linux distro based on Ubuntu available in 32 and 64 bit.


Paladin has more than 100 tools under 29 categories, almost everything you need to investigate an incident. Autospy is included in the latest version – Paladin 6.

Sleuth Kit

The Sleuth Kit is a collection of command-line tools to investigate and analyze volume and file systems to find the evidence.


CAINE (Computer Aided Investigate Environment) is a Linux distro that offers the complete forensic platform which has more than 80 tools for you to analyze, investigate, and create an actionable report.



I hope the above tools help you handle the Cybersecurity incident more efficiently and make the investigation process faster. If you are new to forensic investigation then you may want to check out this course.

Thanks to our Sponsors
More great readings on Security
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Semrush is an all-in-one digital marketing solution with more than 50 tools in SEO, social media, and content marketing.
    Try Semrush
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder