Open Source UNIX Forensic Tools

Home / Tools / UNIX Tools

Submit a Tool

Bootable Environments

Data Acquisition

Media Management

File System

Application

Network

Bootable Environments

none Submit a Tool

Data Acquisition / IR Tools


Title: Advanced Forensic Format Library (afflib)	Author: Simson Garfinkel and Basis Technology
Description:The Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata.
Website: http://www.afflib.org/
Source: http://www.afflib.org/

Title: Automated Image and Restore (AIR)	Author: Steve Gibson
Description: AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.
Website: http://air-imager.sourceforge.net/
Source: http://sourceforge.net/project/showfiles.php?group_id=82474

Title: dcfl-dd	Author: DoD Computer Forensic Labs
Description: dcfl-dd is a modified version of the GNU binutils version of 'dd'. It calculates the MD5 hash value of the data while it copies the data.
Website: http://sourceforge.net/projects/biatchux
Source: http://sourceforge.net/project/showfiles.php?group_id=46038&release_id=84489

Title: dd	Author: GNU coreutils Team
Description: 'dd' is a common UNIX tool that copies data from one file to another. It can also be used with 'netcat' to send data to a server over the network.
Website: http://www.gnu.org/software/coreutils/
Source: http://www.gnu.org/software/coreutils/

Title:dd_rescue	Author:Kurt Garloff
Description: Like dd, dd_rescue does copy data from one file or block device to another. You can specify file positions (called seek and Skip in dd). There are several differences. dd_rescue does not provide character conversions. dd_rescue does not abort on errors on the input file, unless you specify a maximum error number. Then dd_rescue will abort when this number is reached. dd_rescue does not truncate the output file, unless asked to. You can tell dd_rescue to start from the end of a file and move bcakwards. It uses two block sizes, a large (soft) block size and a small (hard) block size. In case of errors, the size falls back to the small one and is promoted again after a while without errors.
Website: http://www.garloff.de/kurt/linux/ddrescue/
Source: http://www.garloff.de/kurt/linux/ddrescue/

Title: ddrescue	Author: Antonio Diaz
Description: GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. [Ed: This tool is similar to, but not the same as dd_rescue]
Website: http://www.gnu.org/software/ddrescue/ddrescue.html
Source: http://savannah.gnu.org/download/ddrescue/

Title: FTimes	Author: Klayton Monroe
Description: FTimes is a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis.
Website: http://ftimes.sourceforge.net/FTimes/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=41134

Title: libewf	Author: Joachim Metz and Robert-Jan Mora
Description: Libewf is a library for support of the Expert Witness Compression Format (EWF), it support both the SMART format (EWF-S01) and the EnCase format (EWF-E01). Libewf allows you to read media information within the EWF files.
Website: https://www.uitwisselplatform.nl/projects/libewf/
Source: https://www.uitwisselplatform.nl/projects/libewf/

Title: liveview	Author: CERT
Description: Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because
Website: http://liveview.sourceforge.net/

Title: lsof	Author: Vic Abell
Description: lsof lists open file handles for running Unix processes.
Website: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
Source: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

Title: mac-daddy	Author: Rob Lee
Description: MAC Time collector for forensic incident response. This toolset is a modified version of the two programs tree.pl and mactime from the Coroner's Toolkit by Dan Farmer and Venema Weiste. This program is portable and can be run directly from a floppy or a cdrom with a perl interpreter that can also be on the floppy or cdrom.
Website: http://www.incident-response.org/mac_daddy.html [Site has been removed]
Source: http://www.incident-response.org/mac_daddy.html [Site has been removed]

Title: mac-robber	Author: Brian Carrier
Description: mac-robber is a forensics and incident response program that collects Modified, Access, and Change (MAC) times from files. Its output can be used as input to the 'mactime' tool in The Sleuth Kit to make a time line of file activity.
Website: http://www.sleuthkit.org/mac-robber
Source: http://www.sleuthkit.org/mac-robber/download.php

Title:memdump	Author:Wietse Venema
Description: memory dumper for UNIX-like systems.
Website: http://www.porcupine.org/forensics/tct.html
Source: http://www.porcupine.org/forensics/tct.html

Title: netcat	Author: hobbit
Description: Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It can be used on a trusted server to save data from a suspect system and can be used on the suspect system to send the output of tools to the server instead of writing to the suspect disk.
Website: http://www.securityfocus.com/tools/137
Source: http://www.securityfocus.com/tools/137

Title:RDA	Author: Chris Boubalos and Stefanos Koutsoutos
Description: rda is a command line Linux tool to remotely acquire data (like disk cloning or disk/partition imaging) and verify the transfer using md5 and/or crc32 checksums. The program is both the server and the client.
Website: http://md5sa.com/downloads/rda/index.htm
Source: http://md5sa.com/downloads/rda/index.htm

Title:sdd	Author:Jörg Schilling
Description: 'sdd' is a replacement for a program called 'dd'. sdd is much faster than dd in cases where input block size (ibs) is not equal to the output block size (obs). Statistics are more easily understoon than those from 'dd'.Timing available, -time option will print transfer speed Timing & Statistics available at any time with SIGQUIT (^\) Can seek on input and output Fast null input Fast null output. Support for the RMT (Remote Tape Server) protocol makes remote I/O fast and easy.
Website: http://directory.fsf.org/sysadmin/Backup/sdd.html
Source: http://directory.fsf.org/sysadmin/Backup/sdd.html

Title: Webjob	Author: Klayton Monroe
Description: WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a Web resource. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system.
Website: http://webjob.sourceforge.net/WebJob/index.shtml
Source: http://sourceforge.net/project/showfiles.php?group_id=40788

Media Management Analysis Tools


Title: CDfs	Author: Michiel Ronsse
Description:CDfs is a file system for Linux systems that `exports' all tracks and boot images on a CD as normal files. These files can then be mounted (e.g. for ISO and boot images), copied, played (audio and VideoCD tracks).
Website: http://www.elis.rug.ac.be/~ronsse/cdfs/
Source: http://www.elis.rug.ac.be/~ronsse/cdfs/download/

Title: Cdrecord	Author: J. Schilling
Description: Cdrecord supports DVD-R and DVD-RW with all known DVD-writers on all UNIX-like OS and on Win32. DVD writing support is implemented in cdrecord since march 1998. Cdrecord writes DVD media similar to CD media. The readcd tool can be used to read the contents of a CD.
Website: http://freshmeat.net/projects/cdrecord/
Source: ftp://ftp.berlios.de/pub/cdrecord/

Title: disktype	Author: Christoph Pfisterer
Description: The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more details about the file system or partition table)
Website: http://disktype.sourceforge.net/
Source: http://disktype.sourceforge.net/

Title: gpart	Author: Michail Brzitwa
Description: Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
Website: http://www.stud.uni-hannover.de/user/76201/gpart/
Source: http://www.stud.uni-hannover.de/user/76201/gpart/#download

Title: The Sleuth Kit	Author: Brian Carrier
Description: A collection of command line tools for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.
Website: http://www.sleuthkit.org/sleuthkit/
Source: http://www.sleuthkit.org/sleuthkit/download.php

Title:tableau-parm	Author:Timothy D Morgan
Description: tableau-parm is an small command line utility designed to interact with Tableau forensic write blockers. It performs functions similar to the Tableau Disk Monitor, except that it operates under Linux.
Website: http://projects.sentinelchicken.org/tableau-parm/
Source: http://projects.sentinelchicken.org/tableau-parm/

Title:TestDisk	Author: Christophe Grenier
Description: Tool to check and undelete partition. Works with the following partitions: FAT12 FAT16 FAT32, Linux EXT2/EXT3, Linux SWAP (version 1 and 2), NTFS (Windows NT/W2K/XP), BeFS (BeOS), UFS (BSD), Netware, and ReiserFS.
Website: http://www.cgsecurity.org/testdisk.html
Source: http://www.cgsecurity.org/testdisk.html

File System Analysis Tools


Title: Autopsy Forensic Browser	Author: Brian Carrier
Description: Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted NTFS, FAT, EXTxFS, and FFS files, perform keyword searches, and create timelines of file activity.
Website: http://www.sleuthkit.org/autopsy
Source: http://www.sleuthkit.org/autopsy/download.php

Title:disktype	Author:Christoph Pfisterer
Description: The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more details about the file system or partition table)
Website: http://disktype.sourceforge.net/
Source: http://disktype.sourceforge.net/

Title: e2salvage	Author: Marek Zelem, Milan Pikula, Martin Leopold
Description: e2salvage is a utility which tries to do in-place data recovery a from damaged ext2 filesystems. Unlike e2fsck, it does not look for the data at particular places and it don't tend to believe the data it finds; thus it can handle much more damaged filesystem.
Website: http://e2salvage.sourceforge.net/
Source: http://sourceforge.net/project/showfiles.php?group_id=91345

Title: Enhanced Linux Loopback	Author: Jason Luttgens (NASA)
Description: The enhanced loopback driver modifies the native loopback driver of the Linux kernel and adds functionality that can make the driver emulate a disk drive in some ways. Most important to us is providing automatic interpretation and mapping of partitions contained within an image file of a hard drive.
Website: ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback/readme.txt
Source: ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback

Title: fatback	Author: Nicholas Harbour
Description: Fatback is a tool for undeleting files from FAT file systems.
Website: http://sourceforge.net/projects/biatchux
Source: http://sourceforge.net/project/showfiles.php?group_id=46038&release_id=84491

Title:File System Investigator	Author:Bill Rossi
Description: FileSystem Investigator is a platform independent file system viewer and data extraction tool. It allows the user to: View the contents of the target file system in a forensicly safe manner, bypassing the normal operating system mechanisms. Extract files and whole directory trees of files from the source filesystem.
Website: http://www.rossi.com/fstools/intro.html
Source: http://www.rossi.com/fstools/download.html

Title: Linux Loopback	Author: Linux Community
Description: Loopback support in the Linux kernel allows one to mount a file system image read-only for a forensic analysis of allocated data.
Website: http://www.linux.org
Source: http://www.linux.org/dist/index.html (Depends on the distribution)

Title:pyflag	Author:David Collett & Michael Cohen
Description: FLAG was designed to simplify the process of log file analysis and forensic investigations. Often, when investigating a large case, a great deal of data needs to be analysed and correlated. Flag uses a database as a backend to assist in managing the large volumes of data. This allows flag to remain responsive and expedite data manipulation operations.
Website: http://pyflag.sourceforge.net/
Source: http://pyflag.sourceforge.net/

Title: SalvageNTFS	Author:Will Glynn
Description: SalvageNTFS is a set of applications and an associated library aimed at data recovery from NTFS volumes. It can "undelete" files, bypass file system permissions, and retrieve information from badly corrupted or inconsistent volumes.
Website: http://www.salvagentfs.com/
Source: http://www.salvagentfs.com/

Title: The Sleuth Kit	Author: Brian Carrier
Description: A collection of command line tools for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.
Website: http://www.sleuthkit.org/sleuthkit/
Source: http://www.sleuthkit.org/sleuthkit/download.php

Title: The Coroner's Toolkit (TCT)	Author: Dan Farmer & Wietse Venema
Description: TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in.
Website: http://www.porcupine.org/forensics/tct.html
Source: http://www.porcupine.org/forensics/tct.html#source_code

Title: TCTUTILs	Author: Brian Carrier
Description: Adds file name support and additional utilities to TCT.
Website: http://www.digital-evidence.org/tools/index.html
Source: http://www.digital-evidence.org/tools/index.html

Application Analysis Tools


Title: Autopsy Forensic Browser	Author: Brian Carrier
Description: Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted NTFS, FAT, EXTxFS, and FFS files, perform keyword searches, and create timelines of file activity.
Website: http://www.sleuthkit.org/autopsy
Source: http://www.sleuthkit.org/autopsy/download.php

Title: binutils	Author: GNU binutils Team
Description: The GNU Binutils are a collection of binary tools. For forensics, these are used for binary analysis, including 'strings'.
Website: http://www.gnu.org/software/binutils/
Source: http://www.gnu.org/software/binutils/

Title: chkrootkit	Author: Nelson Murilo
Description: chkrootkit is a tool to locally check for signs of a rootkit.
Website: http://www.chkrootkit.org/
Source: http://www.chkrootkit.org/

Title: Clam AntiVirus	Author:Tomasz Kojm
Description: Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software.
Website: http://www.clamav.net
Source: http://www.clamav.net

Title:Event Log Parser	Author:Jamie French
Description: A PHP script to parse through Windows event logs.
Website: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
Source: http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html

Title: File AUdit Security Toolkit (FAUST)	Author: Frederic Raynal
Description: faust is a perl script that helps to analyze files found after an intrusion or the compromising of a honeypot. Its goal is not to make the analysis, but to extract the pieces of information that _you_ will use afterward in your analysis.
Website: http://security-labs.org/index.php3?page=faust
Source: http://security-labs.org/index.php3?page=faust

Title: find	Author: GNU findutils Team
Description: The find program searches a directory tree to find a file or group of files. It traverses the directory tree and reports all occurrences of a file matching the user's specifications. The find program includes very powerful searching capability.
Website: http://www.gnu.org/software/findutils/
Source: http://www.gnu.org/software/findutils/

Title: file	Author: Christos Zoulas
Description: Guesses file type based on magic header and footer values.
Website: ftp://ftp.astron.com/pub/file/
Source: ftp://ftp.astron.com/pub/file/

Title: File Ripper	Author: Kristofer Munsterhjelm - Maintainer
Description: File Ripper is a file extractor based on header recognition. It can be used to recover files from unfragmented disk images where filesystem information has been lost or otherwise corrupted, or the files have been inadvertently deleted. It detects and extracts PNG, HTML, GIF, ZIP, LBM, PBM, ANM, BAT, BAS, RTF, HLP, WAV, WRI, JPG, ARJ, DOS EXE, ANS, ZZT, FRM, text BAS, BMP, MZB, FLI, MSP, DOC, MZX, GDM, IT, S3M, SAV, BRD, LZH/LHA, MOD, XM, VOC, SVX, ABM, Quetzal, and certain obscure bulletin board system formats.
Website: http://directory.fsf.org/project/fripper/
Source: http://directory.fsf.org/project/fripper/

Title: foremost	Author: Jesse Kornblum
Description: Foremost is a Linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
Website: http://foremost.sourceforge.net
Source: http://foremost.sourceforge.net

Title: Forensic Hash Database	Author: Matthias Hofherr
Description: The Forensic Hash Database is a project to combine the various hashsum sources like Dan Farmer's FUCK baseline collection, The NIST National Software Reference Library (NSRL), Known Goods Database, and Hashkeeper into a single meta RDBMS (relational database management system).
Website: http://www.forinsect.de/forensics/
Source: http://www.forinsect.de/forensics/

Title: Galleta	Author: Keith Jones
Description: Galleta, the Spanish word meaning "cookie", was developed to examine the contents of the cookie files. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/galleta.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152412

Title: grep	Author: GNU grep Team
Description: Grep searches one or more input files for lines containing a match to a specified pattern. By default, grep prints the matching lines.
Website: http://www.gnu.org/software/grep/grep.html
Source: http://www.gnu.org/software/grep/grep.html

Title:GrokEVT	Author:Sentinel Chicken Networks.
Description: GrokEVT is a collection of scripts built for reading Windows NT™ event log files.
Website: http://www.sentinelchicken.org/projects/grokevt/
Source: http://www.sentinelchicken.org/projects/grokevt/download/

Title: Hachoir	Author: Julien Muchembled and Victor Stinner
Description: hachoir-parser is a package of most common file format parsers written using hachoir-core.
Website: http://hachoir.org/wiki/hachoir-parser
Source: http://hachoir.org/wiki/hachoir-parser

Title: Kregedit	Author: Jelmer Vernooij
Description: kregedit is KDE utility for viewing native Windows registry files. It is similar to the regedt32 utility that can be found on most Windows platforms. Only the NT registry format (NT4/2000/XP) is supported.
Website: http://samba.org/~jelmer/kregedit/
Source: http://samba.org/~jelmer/kregedit/

Title:LibPST	Author:Dave Smith
Description: LibPST provides functions in library form for accessing Outlook's Personal Folders. Included with this library is a program that will take a PST file and convert it to an mbox format.
Website: http://sourceforge.net/projects/ol2mbox
Source: http://sourceforge.net/project/showfiles.php?group_id=18756&release_id=117314

Title: Magic Rescue	Author: jbj
Description: Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them. It looks at "magic bytes" in file contents, so it can be used both as an undelete utility and for recovering a corrupted drive or partition. As long as the file data is there, it will find it.
Website: http://jbj.rapanden.dk/magicrescue/
Source: http://jbj.rapanden.dk/magicrescue/

Title: md5deep	Author: Jesse Kornblum
Description: md5deep is an MD5 program that can compute recursively, compare hashes with a database, and estimates the time to completion.
Website: http://md5deep.sourceforge.net/
Source: http://md5deep.sourceforge.net/

Title: md5sum	Author: GNU coreutils Team
Description: Calculates the MD5 hash value for a file.
Website: http://www.gnu.org/software/coreutils/
Source: http://www.gnu.org/software/coreutils/

Title: ntreg	Author:Todd Sabin
Description: ntreg is a file system driver for linux, which understands the NT registry file format. With it, you can take registry files from NT, e.g., SAM, SECURITY, etc., and mount them on linux. Currently, it's read-only, though I may add read-write capability in the future.
Website: http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm
Source: http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm

Title: Pasco	Author: Keith Jones
Description: Pasco, the latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/pasco.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152387

Title: RegLookup	Author: Timothy D. Morgan
Description: RegLookup is an small command line utility for reading and querying Windows NT/2K/XP registries. RegLookup is released under the GNU GPL, and is implemented in ANSI C.
Website: http://projects.sentinelchicken.org/reglookup/
Source: http://projects.sentinelchicken.org/reglookup/

Title: regutils	Author: Michael Rendell
Description: Regutils is a collection of programs that can assist in the installation of windows 9x software on diskless clients. The basic procedure is to take a snap shot of a (diskfull) system before and after a piece of software is installed and then look at what changed.
Website: http://www.cs.mun.ca/~michael/regutils/
Source: http://www.cs.mun.ca/~michael/regutils/

Title: RegViewer	Author: Chris Eagle
Description: RegViewer is GTK 2.2 based GUI Windows registry file navigator. It is platform independent allowing for examination of Windows registry files from any platform. Particularly useful when conducting forensics of Windows files from *nix systems.
Website: http://sourceforge.net/projects/regviewer/
Source: http://sourceforge.net/project/showfiles.php?group_id=96788

Title: Rootkit Hunter	Author: Michael Boelen, Stephane Dudzinski
Description: Rootkit scanner is scanning tool to ensure you for about 99.9% you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like: MD5 hash compare, Look for default files used by rootkits, Wrong file permissions for binaries, Look for suspected strings in LKM and KLD modules, Look for hidden files, Optional scan within plaintext and binary files.
Website: http://www.rootkit.nl/projects/rootkit_hunter.html
Source: http://www.rootkit.nl/projects/rootkit_hunter.html

Title: Rifiuti	Author: Keith Jones
Description: Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the INFO2 file in the Recycle Bin. Rifiuti will parse the information in an INFO2 file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Website: http://www.foundstone.com/resources/proddesc/rifiuti.htm
Source: http://sourceforge.net/project/showfiles.php?group_id=78332&release_id=152410

Title: Safari_download	Author: Jake Cunningham
Description: Parses the Safari XML Downloads.plist file and prints the results in TAB delimited format.
Website: http://jafat.sourceforge.net/files.html

Title: safari_hist	Author: Jake Cunningham
Description: Parses the Safari binary History.plist file and prints the results in TAB delimited format.
Website: http://jafat.sourceforge.net/files.html

Title: Scalpel	Author: Golden G. Richard III
Description: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.
Website: http://www.digitalforensicssolutions.com/Scalpel
Source: http://www.digitalforensicssolutions.com/Scalpel

Title: The Sleuth Kit	Author: Brian Carrier
Description: A collection of command line tools for the analysis of NTFS, FAT, FFS, and EXT2FS file systems and DOS, BSD, Sun, and Mac partitions. The tools allow for the recovery and analysis of deleted content, hash database lookups, sorting by file type, and timelines of file activity.
Website: http://www.sleuthkit.org/sleuthkit/
Source: http://www.sleuthkit.org/sleuthkit/download.php

Title: Vinetto	Author: Michel Roukine
Description: Vinetto is a forensics tool to examine Thumbs.db files. It is a command line python script that works on Linux, Mac OS X and Cygwin(win32).
Website: http://vinetto.sourceforge.net/

Title: Zeitline	Author: Florian Buchholz
Description:A graphical front-end that allows an investigator to manage event reconstruction. Super events may be created based on selected sub-events. Events may be moved around via drag-and-drop or directly assigned to a super event hierarchy. The event hierarchy can be displayed in a tree-like view allowing to collapse all or select branches. This way, an investigator can concentrate on events only relevant to his direct attention.
Website: http://www.cerias.purdue.edu/homes/forensics/timeline.php
Source: http://www.cerias.purdue.edu/homes/forensics/timeline.php

Network Analysis Tools


Title: Ethereal	Author: Ethereal Team
Description: Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows.
Website: http://www.ethereal.com/
Source: http://www.ethereal.com/download.html

Title: tcpflow	Author: Jeremy Elson
Description: tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
Website: http://www.circlemud.org/~jelson/software/tcpflow/
Source: http://www.circlemud.org/~jelson/software/tcpflow/

Title: tcpreplay	Author: Aaron Turner
Description: tcpreplay is a BSD-style licensed tool to replay saved tcpdump files at arbitrary speeds. It provides a variety of features for replaying traffic for both passive sniffer devices as well as inline devices such as routers, firewalls, and the new class of inline IDS's.
Website: http://tcpreplay.sourceforge.net/
Source: http://tcpreplay.sourceforge.net/

Memory Analysis

Title: Unhide	Author: YJesus
Description: Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.
Website: http://www.security-projects.com/?Unhide

Analysis Frameworks

Title: Open Compuer Forensics Architecture	Author: Dutch National Police Agency
Description: The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
Website: http://ocfa.sourceforge.net/