Welcome to the world of digital forensics in Cybersecurity.
A collection of digital forensics tools for verification, investigations, diagnostics, software, libraries, learning tutorials, frameworks, academic and practical resources in Cybersecurity. Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.
- Computers are increasingly being used in criminal activity. From fraud to violent crime, computers are often found to play a significant role as a tool for planning and conducting a crime, and may contain relevant evidence pertaining to an offence.
- Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing, analysing, and reporting on data stored electronically. Electronic evidence is a component of almost all criminal activities and digital forensics support is crucial for law enforcement investigations.
- Collections
- Satellite and mapping services
- Geobased searches
- Documents metadata
- Images, videos and metadata
- Social media
- Transport
- Date and time
- Archiving
- Miscellaneous
- Guides and handbooks
- Data visualization
- Online security and privacy
- List of sources per country
- Web Links
- OSINT Tools osintframework.com - huge collection of open source intelligence tools
- Bing Maps, satellite and mapping service, has more recent and sharper imagery than Google in several areas such as Iraq, bing.com/maps
- Date of the Bing imagery? Check: mvexel.dev.openstreetmap.org/bing
- conversion of coordinates, convert geographic coordinates between different notation styles, synnatschke.de/geo-tools/coordinate-converter.php
- DigitalGlobe, paid satellite imagery, but preview available for free via the catalogus, browse.digitalglobe.com/imagefinder
- Geograph, georeferenced images, geograph.org
- GeoNames, an online database of (various spellings of) locations names, geonames.org
- Google Earth Pro, google.com/earth/download/gep/agree.html
- Bing Maps satellite imagery layer: ge-map-overlays.appspot.com/bing-maps/aerial
- Google Maps, maps.google.com
- HERE WeGo, mapping service which includes more recent satellite imagery from e.g. Iraq, wego.here.com
- Mapillary, crowdsourced street-level photos, mapillary.com
- OpenStreetCam, crowdsourced street-level photos, openstreetcam.org
- OpenStreetMap, openstreetmap.org
- Panoramio, panoramio.com (no longer available)
- Sentinel Playground, apps.sentinel-hub.com/sentinel-playground
- TerraServer, also a commercial company selling satellite imagery, but previews available: terraserver.com
- Wikimapia, crowdsourced information related to geographic locations, works like Google Maps but possibility to switch between Google, Bing, OSM, etc., wikimapia.org
- Yandex Maps, yandex.ru
- ($) Echosec, echosec.net (Instagram, Twitter, VK, Foursquare)
- LiveUAmap, aggregated open source information, liveuamap.com
- Afghanistan: afghanistan.liveuamap.com
- Islamic State: isis.liveuamap.com
- Syria: syria.liveuamap.com
- Ukraine: ukraine.liveuamap.com
- Venezuela: venezuela.liveuamap.com
- ($) WarWire, warwire.net (Twitter, Instagram, VK, YouTube)
- Yomapic, yomapic.com
- YouTube youtube.github.io/geo-search-tool/search.html
- Twitter insert this is search box: geocode:[coordinates],[radius-km], for example: geocode:36.222285,43.998233,2km (only works with km, so 500m = 0.5km)
- Hachoir3 [https://github.com/haypo/hachoir3] (https://github.com/haypo/hachoir3). Python library for metadata extraction from binary streams including MS Office documents
- Forensic wiki list of metadata extractors
- Metadata extractor github
- Amnesty YouTube Dataviewer, Reverse image (still of video) search and exact uploading time, amnestyusa.org/sites/default/custom-scripts/citizenevidence
- reverse image search
- Google Reverse Image Search, images.google.com (also available as Chrome and Firefox add-on)
- TinEye, tineye.com
- Yandex, be aware that sometimes Russia’s Yandex has better results (example than Google’s reverse image search, yandex.com/images
- Jeffrey's Image Metadata Viewer, to view the metadata of (online) photos, exif.regex.info/exif.cgi
- Irfanview, irfanview.com
- Foca. Metadata extraction tool elevenpaths.com
- Goofile. Download and extract metadata
- Splunk and Metadata automation. Splunk
- Foto Forensics,fotoforensics.com
- Image Forensics, https://29a.ch/photo-forensics/#level-sweep
- InVID, verification plugin to help journalists verify images and videos and debunk fake news, [invid-project.eu]http://www.invid-project.eu/invid-releases-fake-video-news-debunker-firefox-provides-code-open-source-mit-licence/) (plugins for Chrome and Firefox (Windows, Mac OS X, Linux.
- First Draft News, firstdraftnews.com/resource/visual-verification-guide-photos
- NacheChk. Same name check over dozens of social networks namechk.com
- Facebook Scanner, automatically advanced searched for Facebook profiles, stalkscan.com
- Facebook Search Tool, find accounts by name, email, screen name and phone, netbootcamp.org/facebook.html
- Lookup-ID, another very complete Facebook search tool, lookup-id.com
- Facebook Graph tips, automatically advanced searches for Facebook profiles, graph.tips
- Facebook Livemap, live broadcasts around the world, mapped on the world, facebook.com/livemap
- Facebook Video Downloader Online, for downloading Facebook videos, fbdown.net
- Facebook search tool, advanced search tool for Facebook profiles, http://inteltechniques.com/osint/menu.facebook.html
- peoplefindThor, advanced search tool for Facebook profiles, peoplefindthor.dk
- Socilab, allows users to visualise and analyse your own LinkedIn network, socilab.com
- Snap Map, a searchable map of geotagged snaps, via the mobile application, read here how.
- Tumblr Originals, find posts uploaded by the account, thus excluding reblogs, studiomoh.com/fun/tumblr_originals
- advanced search, twitter.com/search-advanced
- C, tweetbeaver.com/index.php
-
On Twitter, insert this is search box: geocode:[coordinates],[radius-km], for example: geocode:36.222285,43.998233,2km
-
Onemilliontweetmap, maps tweets per location up to 6hrs old, and has a keyword search option, onemilliontweetmap.com
-
Union Metrics, find the reach of tweets, tweetreach.com/
- term1 term2 - tweets with both term1 and term2 in any order (e.g. twitter metrics)
- term1 OR term2 - tweets with either term1 or term2 (e.g. analytics OR metrics)
- “term1 term2” - tweets with the phrase “term1 term2” (e.g. "twitter metrics")
- term1 -term2 - tweets with term1 but not term2 (e.g. twitter -facebook)
- @username - tweets mentioning or RTing a specific user (e.g. @unionmetrics)
- from:username - tweets from a specific Twitter user (e.g. from:unionmetrics)
- since:YYYY-MM-DD - tweets after a specific date in UTC (e.g. since:2017-03-30)
- until:YYYY-MM-DD - tweets before a specific date in UTC (e.g. until:2017-03-30)
- Amnesty YouTube Dataviewer, Reverse image (still of video) search and exact uploading time, amnestyusa.org/sites/default/custom-scripts/citizenevidence
- OpenSky. Free aircraft tracking project opensky-network.org
- ADS-B Exchange Global Radar, which also includes a number of military aircraft, global.adsbexchange.com/VirtualRadar/mobile.html
- Flightradar24, to track (mostly) civilian aircraft currently in the air around the world, archive goes 12 months back but ($), flightradar24.com
- RadarBox, worldwide coverage, includes private and military jets, radarbox24.com
- FlightView, flightview.com
- MarineTraffic, marinetraffic.com
- VesselFinder, vesselfinder.com
- Fleet Min, fleetmon.com
- France, full interactive map of the French railway system with live positions of trains, plus accuracy of schedule, raildar.fr/#lat=46.810&lng=6.880&zoom=6
- Germany, full interactive map of current positions of Deutsche Bahn railway network, apps-bahn.de/bin/livemap/query-livemap.exe/dn?L=vs_livefahrplan&livemap
- Netherlands, full interactive map of the Dutch railway system, including live positions of trains, http://spoorkaart.mwnn.nl
- WikiRoutes, public transport database, wikiroutes.info
- SunCalc, to make an approximation of the time of the day based on shadows, suncalc.net
- Weather, wolframalpha.com
- Censys
- Central Ops, CentralOps
- Certificate search, crt.sh
- Complete DNS, historical DNS records,completedns.com/dns-history
- BuildWith. Online database of web technologies used on website buildwith.com
- Domain Tools,DomainTools
- IXMaps,IXMaps
- Network-Tools
- Open Site Explorer Maltego
- Peekyou, peekyou.com
- Pipl, the world largest people search engine, find persons behind an e-mail address, social media username, or phone number, pipl.com
- Yasni, yasni.com
- Zaba Search, only US, zabasearch.com
- publicrecords.searchsystems.net
- cemetery.canadagenweb.org/search.html
- opencorporates.com
- Robtex
- BGPView to find networks and it's prefixes
- SearchIRC
- Shodan Computer Search
- Utrace
- ViewDNS
- D, research.dnstrails.com
- SpyOnWeb,to retrieve websites by their Trackingcodes,
- Whois, for domain search and information, whois.net or whois.icann.org
-
Archive.is, let’s you archive any webpage.
-
Let’s say you want to look whether old IS reports were archived, use a Google advanced search: make an <IS search term> justpaste.it site:archive.is and perhaps the site has been archived.
-
CachedView.com, Google Cached Pages for any web site. It is the ultimate internet cache.
-
Gruber, slideshare downloader, http://grub.cballenar.me/
-
Historic Breach Database List, https://publicdbhost.dmca.gripe/random/
-
Wayback Machine, which archives websites archive.org/web/web.php
-
Download an entire website from the Wayback Machine, github.com/hartator/wayback-machine-downloader
-
Check for collaborative fact-checking, checkmedia.org
-
Link to user guide
-
Bellingcat’s Check team
-
Document Redaction, useful for removing potentially harmful content in Pdfs before viewing, like traceback, github.com/firstlookmedia/pdf-redact-tools
-
Geo IP Tool, check your own IP, handy to check if your VPN is working, geoiptool.com
-
Google Search Operators, such as searching for a specific filetype (e.g. PDF) or on a specific website, googleguide.com/advanced_operators_
-
Insecam, network live IP video cameras directory, insecam.org/en/
-
Knight Lab, make an interactive timeline of events, timeline.knightlab.com
-
LittleSis, a database of who-knows-who at the heights of business and government, littlesis.org
-
Lumen, the Lumen database collects and analyses legal complaints and requests for removal of online materials, helping Internet users to know their rights and understand the law. These data enables us to study the prevalence of legal threats and let Internet users see the source of content removals, lumendatabase.org
-
Maltego tool, paterva.com/web7
-
Montage for collaborative working, montage.storyful.com
-
OpenCorporates, database of companies in the world,
-
People tracer, peopletracer.co.uk
-
Research sidekick Hunch.ly, hunch.ly
-
Wolfram Alpha, for any question and a computer-generated answer, wolframalpha.com
-
Zoopla, Search for property with the UK's leading resource. Browse houses and flats for sale and to rent, and find estate agents in any area, zoopla.co.uk
-
Bellingcat’s resources, www.bellingcat.com/category/resources/how-tos, for example:
-
Ee, a project by the Tactical Tech Collective, exposingtheinvisible.org
-
Includes multiple guides (website data scraping, Google Dorking etc.), resource links, and examples of successful investigations in various fields
-
First Draft News’ resources, some of which have been written by Bellingcat members, firstdraftnews.com/resources, for example:
-
The Verification Handbook (PDF) is a great place to go, verificationhandbook.com
- Open guide called “Itrace” by Conflict Armament Research, lots of information on different kinds of munitions and weapons presented graphically on a map format, itrace.conflictarm.com
- DataBasic.io, web tools for beginners that introduce concepts of working with data, databasic.io/en
- DataWrapper, easy to use chart and mapping tool, datawrapper.de
- Google Fusion Tables, fusiontables.google.com
- Maptia, maptia.com
- Visual investigative scenarios, vis.occrp.org
- RAWGraphs, free webtool to quickly visualize your data, app.rawgraphs.io
- Check for every digital service you use whether you have enabled two factor authentication (2FA), twofactorauth.org
- Security in a box guide: https://securityinabox.org/en/
- DuckDuckGo, Internet search engine, protecting privacy, duckduckgo.com
- Qwant, Internet search engine, protecting privacy, qwant.com
- Provinces of the so-called Islamic State, umap.openstreetmap.fr
- SearchFace. Face search services for Vkontakte searchface.ru
- How to use google and other online instruments to analyze person accounts. Russian language
- How to use social networks API for OSINT purposes
- Opposition media, see this excellent list compiled by Noor Nahas of multimedia sources from Syrian opposition groups, reddit.com
- Provinces of the so-called Islamic State, umap.openstreetmap.fr
Repository | Description |
---|---|
Afflib | An extensible open format for the storage of disk images and related forensic information. |
Air-Imager | A GUI front-end to dd/dc3dd designed for easily creating forensic images. |
Auditpol | Displays information about and performs functions to manipulate audit policies in Windows |
Autopsy | The forensic browser. A GUI for the Sleuth Kit. |
Bmap-tools | Tool for copying largely sparse files using information from a block map file. |
BleachBit | System cleaner for Windows and Linux |
Bulk-extractor | Bulk Email and URL extraction tool. |
BurnEye | ELF encryption program. |
Canari3 | Maltego rapid transform development and execution framework. |
captipper | Malicious HTTP traffic explorer tool. |
Casefile | The little brother to Maltego without transforms, but combines graph and link analysis to examine links between manually added data to mind map your information |
ChainSaw | ChainSaw automates the process of shredding log files and bash history from a system. It is a tool that cleans up the bloody mess you left behind when you went for a stroll behind enemy lines |
Chaosmap | An information gathering tool and dns / whois / web server scanner |
chntpw | Offline NT Password Editor - reset passwords in a Windows NT SAM user database file |
Chromefreak | A Cross-Platform Forensic Framework for Google Chrome |
Clear-EventLog | Powershell Command. Clears all entries from specified event logs on the local or remote computers. |
DBAN | Darik's Boot and Nuke ("DBAN") is a self-contained boot image that securely wipes the hard disks of most computers. DBAN is appropriate for bulk or emergency data destruction. |
Dc3dd | A patched version of dd that includes a number of features useful for computer forensics. |
Dcfldd | DCFL (DoD Computer Forensics Lab) dd replacement with hashing |
ddrescue | GNU data recovery tool |
Disitool | Tool to work with Windows executables digital signatures. |
Dmg2img | A CLI tool to uncompress Apple's compressed DMG files to the HFS+ IMG format |
Dumpzilla | A forensic tool for firefox. |
ELFcrypt | ELF crypter. |
Emldump | Analyze MIME files. |
Evtkit | Fix acquired .evt - Windows Event Log files (Forensics). |
Exiftool | Reader and rewriter of EXIF informations that supports raw files |
Exiv2 | Exif, Iptc and XMP metadata manipulation library and tools |
Extundelete | Utility for recovering deleted files from ext2, ext3 or ext4 partitions by parsing the journal |
Foremost | A console program to recover files based on their headers, footers, and internal data structures |
FreeOTFE | A free "on-the-fly" transparent disk encryption program for PC & PDAs |
Fridump | A universal memory dumper using Frida. |
Galleta | Examine the contents of the IE's cookie files for forensic purposes |
Grokevt | A collection of scripts built for reading Windows® NT/2K/XP/2K eventlog files. |
Guymager | A forensic imager for media acquisition. |
Harness | Execute ELFs in memory. |
Hdpram | get/set hard disk parameters |
HiddenVM | Use any desktop OS without leaving a trace. |
Imagemounter | Command line utility and Python package to ease the (un)mounting of forensic disk images. |
Indxparse | A Tool suite for inspecting NTFS artifacts. |
Interrogate | A proof-of-concept tool for identification of cryptographic keys in binary material (regardless of target operating system), first and foremost for memory dump analysis and forensic usage. |
IOSforensic | iOS forensic tool https://www.owasp.org/index.php/Projects/OWASP_iOSForensic |
IPBA2 | IOS Backup Analyzer |
Iphoneanalyzer | Allows you to forensically examine or recover date from in iOS device. |
Kaiser | File-less persistence, attacks and anti-forensic capabilities (Windows 7 32-bit). |
lazagne | An open source application used to retrieve lots of passwords stored on a local computer. |
Lfle | Recover event log entries from an image by heurisitically looking for record structures. |
LiMEaide | Remotely dump RAM of a Linux client and create a volatility profile for later analysis on your local host. |
LogKiller | Clear all your logs in linux/windows servers |
MAFIA | Metasploit Anti Forensic Tools and techniques for removing forensic evidence from computer systems |
MagicRescue | Find and recover deleted files on block devices |
Malheur | A tool for the automatic analyze of malware behavior. |
Maltego | An open source intelligence and forensics application, enabling to easily gather information about DNS, domains, IP addresses, websites, persons, etc. |
MalwareDetect | Submits a file's SHA1 sum to VirusTotal to determine whether it is a known piece of malware |
MboxGrep | A small, non-interactive utility that scans mail folders for messages matching regular expressions. It does matching against basic and extended POSIX regular expressions, and reads and writes a variety of mailbox formats. |
MemDump | Dumps system memory to stdout, skipping over holes in memory maps. |
MemFetch | RDumps any userspace process memory without affecting its execution. |
Meterpreter > clearev | The meterpreter clearev command will clear the Application, System, and Security logs on a Windows system |
Midgetpack | Midgetpack is a multiplatform secure ELF packer |
Mimipenguin | A tool to dump the login password from the current linux user. |
Mobiusft | An open-source forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. |
Mp3nema | A tool aimed at analyzing and capturing data that is hidden between frames in an MP3 file or stream, otherwise noted as "out of band" data. |
Mxtract | Memory Extractor & Analyzer. |
Naft | Network Appliance Forensic Toolkit. |
Networkminer | A Network Forensic Analysis Tool for advanced Network Traffic Analysis, sniffer and packet analyzer. |
Nfex | A tool for extracting files from the network in real-time or post-capture from an offline tcpdump pcap savefile. |
Ntdsxtract | Active Directory forensic framework. |
nTimetools | Timestomper and Timestamp checker with nanosecond accuracy for NTFS volumes |
NTFS-3G | NTFS-3G Safe Read/Write NTFS Driver |
Papa Shango | Inject code into running processes with ptrace(). |
Pasco | Examines the contents of Internet Explorer's cache files for forensic purposes. |
PcapXray | Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction. |
Pdf-parser | Parses a PDF document to identify the fundamental elements used in the analyzed file. |
Pdfbook-analyzer | Utility for facebook memory forensics. |
Pdfid | Scan a file to look for certain PDF keywords. |
PdfResurrect | A tool aimed at analyzing PDF documents. |
Peepdf | A Python tool to explore PDF files in order to find out if the file can be harmful or not. |
Permanent-Eraser | Secure file erasing utility for macOS |
Pev | Command line based tool for PE32/PE32+ file analysis. |
python-evtx | A tool to parse the Windows XML Event Log (EVTX) format. |
Recoverjpeg | Recover jpegs from damaged devices. |
Recuperabit | A tool for forensic file system reconstruction. |
Reglookup | Command line utility for reading and querying Windows NT registries. |
Rekall | Memory Forensic Framework. |
ReplayProxy | Forensic tool to replay web-based attacks (and also general HTTP traffic) that were captured in a pcap file. |
Rifiuti2 | A rewrite of rifiuti, a great tool from Foundstone folks for analyzing Windows Recycle Bin INFO2 file. |
Rkhunter | Checks machines for the presence of rootkits and other unwanted tools. |
SafeCopy | A disk data recovery tool to extract data from damaged media. |
Saruman | ELF anti-forensics exec, for injecting full dynamic executables into process image (With thread injection) |
Scalpel | An open source data carving tool. |
Scrounge-Ntfs | Data recovery program for NTFS file systems |
SetMace | Manipulate timestamps on NTFS |
Sherlocked | Universal script packer-- transforms any type of script into a protected ELF executable, encrypted with anti-debugging |
Shred | Overwrite a file to hide its contents, and optionally delete it |
Silk-guardian | An anti-forensic kill-switch that waits for a change on your usb ports and then wipes your ram, deletes precious files, and turns off your computer. |
SkypeFreak | A Cross Platform Forensic Framework for Skype. |
Sleuthkit | RFile system and media management forensic analysis tools. |
Srm | Srm is a command-line compatible rm which overwrites file contents before unlinking |
Stegdetect | Automated tool for detecting steganographic content in images. |
StegFS | A FUSE based steganographic file system |
Steghide | Steganography program that is able to hide data in various kinds of image- and audio-files |
Swap-digger | A tool used to automate Linux swap analysis during post-exploitation or forensics. |
Tails | portable operating system that protects against surveillance and censorship |
Tchunt-ng | Reveal encrypted files stored on a filesystem. |
Tekdefense-automater | IP URL and MD5 OSINT Analysis. |
TestDisk | Checks and undeletes partitions + PhotoRec, signature based recovery tool |
Trid | An utility designed to identify file types from their binary signatures. |
TrueHunter | Detect TrueCrypt containers using a fast and memory efficient approach. |
Unhide | A forensic tool to find processes hidden by rootkits, LKMs or by other techniques. |
Usbdeath | anti-forensic tool that writes udev rules for known usb devices and do some things at unknown usb device insertion or specific usb device removal |
USBKill | An anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer. |
Vinetto | A forensics tool to examine Thumbs.db files |
Volafox | macOS Memory Analysis Toolkit. |
Volatility | Advanced memory forensics framework |
Wevtutil | Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs (windows server) |
Wipe | A Unix tool for secure deletion |
Wipedicks | Wipe files and drives securely with randoms ASCII dicks |
wiper | Toolkit to perform secure destruction of sensitive virtual data, temporary files and swap memories. |
Xplico | Internet Traffic Decoder. Network Forensic Analysis Tool (NFAT). |
XsUSBsentinel | Windows anti-forensics USB monitoring tool. |
Zeroize | Zeroize is a rust library enabling to : Securely clear secrets from memory with a simple trait built on stable Rust primitives which guarantee memory is zeroed using an operation will not be ‘optimized away’ by the compiler |
ZipDump | ZIP dump utility. |
MIT License & cc license
This work is licensed under a Creative Commons Attribution 4.0 International License.