42 tools across 11 forensic categories. Open-source (28), free (6), commercial (8).

AVML
Microsoft
Microsoft-maintained Linux memory acquisition tool producing LiME-format output. Static binary; no kernel modules required.
Forensic fork of GNU dd: hashes the data stream as it is copied (several algorithms at once, written to a hash log), shows progress, and keeps going past read errors. Standard Linux-based physical imaging tool.
Exterro
Free forensic imaging tool for creating bit-for-bit disk images, memory captures, and logical evidence extraction. Widely used Windows-based imaging workflow.
Google Rapid Response framework for remote live forensics at scale. Client-server architecture with flow-based collection and analysis.
Kroll
Kroll Artifact Parser and Extractor. Triage-focused collection framework for high-value Windows forensic artifacts. Free for non-commercial use.
Linux Memory Extractor kernel module. Captures raw RAM with minimal disturbance and writes to a local file or a TCP socket; output format is readable by Volatility. Caveat: the module must be built against the exact kernel of the target, so build it on a matching system before the incident rather than on the compromised host.
Open-source endpoint forensics and hunting platform with VQL query language. Remote triage, continuous monitoring, and artifact-based hunts across Windows/Linux/macOS fleets.
Open-source Windows memory acquisition tool. Part of the Volatility Foundation; produces raw and ELF-format RAM captures.
CrowdStrike
CrowdStrike's free Windows IR triage tool. Modular collection of system state, artifacts, and running-process data for rapid analysis.
Sleuth Kit Labs
Commercial triage tool for rapid Windows endpoint analysis. Built for analyst efficiency: quickly decide whether a host is compromised and how far the incident reaches.
Mounts a memory dump as a virtual filesystem (processes, modules, registry, files carved from RAM appear as directories and files). Any forensic tool that reads regular files can then work on RAM contents without a bespoke Volatility plugin.
Open-source memory-analysis framework (Google). Alternative to Volatility with strong Windows 10 support. No longer actively maintained but still useful.
Python-based memory forensics framework. Parses raw RAM dumps for processes, network connections, loaded modules, injected code, rootkits, and encryption keys.
Basis Technology
Open-source digital forensics platform with GUI. Built on The Sleuth Kit; provides timeline analysis, keyword search, registry parsing, and artifact-extraction modules.
OpenText
Established commercial forensic analysis suite. E01 evidence file format is an industry de facto standard; strong court-admissibility track record.
Collection of free Windows forensic tools: EvtxECmd, RECmd, MFTECmd, AppCompatCacheParser, AmcacheParser, PECmd, SBECmd, and many more. Standard toolkit for Windows forensics.
Magnet Forensics
Commercial forensic analysis platform unifying computer, mobile, and cloud evidence. Strong artifact-extraction for modern apps and cloud services.
Command-line filesystem forensics toolkit. Parses NTFS, FAT, exFAT, ext2/3/4, HFS+, APFS, ISO 9660, and more. Foundation for Autopsy and many custom workflows.
X-Ways Software Technology
Commercial Windows-based forensic analysis platform known for speed and efficiency. Strong file-carving, hash-database, and keyword-search capabilities.
Collaborative forensic timeline analysis platform (Google). Web UI for multi-analyst timeline review with tagging, starring, stories, and Sigma-rule support.
WithSecure
Fast Rust-based EVTX hunter with Sigma support. Ideal for rapid event log triage across large EVTX collections.
Fast Windows event log forensics timeline generator with Sigma support. Produces security event timelines from EVTX at scale.
Python-based super-timeline generator. Parses hundreds of artifact types from filesystem, registry, logs, browsers, and more into a unified timeline.
Open-source large-scale PCAP capture, indexing, and search (formerly Moloch). Enables query-driven access to long-retention packet data.
High-performance IDS/IPS and network-security monitoring engine. Rule-based detection using Snort-compatible signature syntax; also produces rich protocol logs (EVE JSON) for network forensics.
Graphical packet analyzer. Standard tool for PCAP inspection with hundreds of protocol dissectors.
Network analysis framework (formerly Bro). Generates structured, protocol-aware logs (conn, http, ssl, dns, files) from PCAP or live traffic. Foundation for network-layer forensics.
Open-source automated malware analysis system. Detonates suspicious files in isolated VMs and captures behavior. Caveat: upstream development has largely stopped (original Cuckoo is Python 2); the CAPE fork is the actively maintained successor.
NSA
NSA-developed open-source software reverse engineering framework. Disassembler, decompiler, and analysis platform; primary alternative to IDA Pro.
Hex-Rays
Industry-standard commercial disassembler and decompiler. Strong plugin ecosystem; premium tool for malware reverse engineering.
Pattern-matching engine for malware researchers. De facto standard for expressing and sharing malware-identification rules.
AWS
AWS management-plane audit log. Primary evidence source for AWS forensic investigations; best analyzed via Athena with partitioned queries.
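The following is an added example (not from the page and not AWS-provided code) of what "partitioned queries" means in practice: an Athena table over a CloudTrail S3 prefix that uses partition projection, so a query for one week reads only that week's objects instead of the whole bucket. The bucket name, account ID, region, date window and the suspect IP 203.0.113.45 are assumed placeholders; the column subset is trimmed from the full CloudTrail record schema.

```sql
-- Added example (not from the page or AWS): Athena table over CloudTrail logs
-- with partition projection on the date path component. Placeholders:
-- EXAMPLE-BUCKET, account 123456789012, region us-east-1.
CREATE EXTERNAL TABLE cloudtrail_logs (
    eventversion        STRING,
    useridentity        STRUCT<
        type: STRING,
        principalid: STRING,
        arn: STRING,
        accountid: STRING,
        invokedby: STRING,
        accesskeyid: STRING,
        username: STRING,
        sessioncontext: STRUCT<
            attributes: STRUCT<
                mfaauthenticated: STRING,
                creationdate: STRING>,
            sessionissuer: STRUCT<
                type: STRING,
                principalid: STRING,
                arn: STRING,
                accountid: STRING,
                username: STRING>>>,
    eventtime           STRING,
    eventsource         STRING,
    eventname           STRING,
    awsregion           STRING,
    sourceipaddress     STRING,
    useragent           STRING,
    errorcode           STRING,
    errormessage        STRING,
    requestparameters   STRING,
    responseelements    STRING,
    requestid           STRING,
    eventid             STRING,
    readonly            STRING,
    eventtype           STRING,
    recipientaccountid  STRING
)
PARTITIONED BY (dt STRING)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://EXAMPLE-BUCKET/AWSLogs/123456789012/CloudTrail/us-east-1/'
TBLPROPERTIES (
    'projection.enabled'       = 'true',
    'projection.dt.type'       = 'date',
    'projection.dt.format'     = 'yyyy/MM/dd',
    'projection.dt.range'      = '2023/01/01,NOW',
    'projection.dt.interval'   = '1',
    'projection.dt.interval.unit' = 'DAYS',
    'storage.location.template' =
        's3://EXAMPLE-BUCKET/AWSLogs/123456789012/CloudTrail/us-east-1/${dt}'
);

-- Scoped query: the dt predicate is what limits the scan to seven days of
-- objects. Pulls the control-plane actions that usually matter first in an IR.
SELECT eventtime,
       useridentity.arn          AS principal,
       useridentity.accesskeyid  AS access_key,
       eventname,
       sourceipaddress,
       errorcode
FROM   cloudtrail_logs
WHERE  dt BETWEEN '2024/03/01' AND '2024/03/07'
  AND  eventname IN ('ConsoleLogin', 'CreateAccessKey', 'CreateUser',
                     'AttachUserPolicy', 'PutUserPolicy',
                     'StopLogging', 'DeleteTrail', 'UpdateTrail',
                     'ModifyInstanceAttribute', 'GetPasswordData')
ORDER  BY eventtime;

-- Second pass: activity from a constructed suspect source IP, grouped by
-- principal and API, with failures counted (AccessDenied bursts read as recon).
SELECT useridentity.arn               AS principal,
       eventsource,
       eventname,
       COUNT(*)                        AS calls,
       COUNT_IF(errorcode IS NOT NULL) AS failures
FROM   cloudtrail_logs
WHERE  dt BETWEEN '2024/03/01' AND '2024/03/07'
  AND  sourceipaddress = '203.0.113.45'
GROUP  BY 1, 2, 3
ORDER  BY failures DESC, calls DESC;
```

Partition projection means no MSCK REPAIR or Glue crawler is needed as new days arrive; the trade-off is that every query must carry a dt predicate, otherwise Athena enumerates every projected day back to the range start. Organization trails, which nest an extra org-ID path component under AWSLogs/, need that component added to LOCATION and the template.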
Cado Security
Commercial cloud-native digital forensics platform. Automated cloud evidence collection and analysis for AWS, Azure, GCP, and container workloads.
Open-source Python library for AWS, Azure, GCP forensic collection. Snapshots, disk copies, log exports, and triage workflows across providers.
Cellebrite
Industry-standard commercial mobile forensics platform. Physical, logical, and file-system extraction for iOS and Android; supports checkm8 and other acquisition exploits.
Open-source parsers for iOS (iLEAPP) and Android (ALEAPP) logs, events, and properties. Community-maintained mobile-artifact parsers with HTML reporting.
Magnet Forensics
Commercial mobile forensics product integrated with AXIOM. Supports iOS and Android acquisition and analysis with unified reporting.
Amnesty International
Amnesty International's open-source tool for detecting spyware indicators on iOS and Android devices. Matches known indicators of compromise (STIX2 feeds) and flags suspicious behavioral traces. On iOS it works from a device backup or filesystem dump; an encrypted backup yields far more artifacts than an unencrypted one.
Open-source cloud-native runtime security. eBPF-based kernel instrumentation for anomalous container and Linux host behavior detection.
Open-source endpoint instrumentation framework exposing OS state as SQL-queryable tables. Linux, macOS, Windows. Widely used for fleet-wide triage.
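As an added example (not from the page or the osquery project) of what "OS state as SQL-queryable tables" buys an investigator, here is a small triage pack in osquery's SQL dialect for a host suspected of compromise. Table and column names are osquery's; the remote address 203.0.113.45 is a constructed suspect IP. Queries 1 to 3 run on Linux, macOS and Windows; 4 is Windows-only and 5 is Linux/macOS-only.

```sql
-- Added example (not the page's or osquery's own code): triage queries for a
-- suspected compromised host. 203.0.113.45 is a constructed suspect address.

-- 1. Processes whose executable is gone from disk: typical of in-memory
--    implants and droppers that delete themselves after launch.
SELECT pid, name, path, cmdline, uid, start_time
FROM   processes
WHERE  on_disk = 0;

-- 2. Externally reachable listeners, joined to the owning process and the
--    SHA-256 of its binary (feed the hash to YARA/threat intel).
SELECT p.pid, p.name, p.path, l.address, l.port, l.protocol, h.sha256
FROM   listening_ports l
JOIN   processes p USING (pid)
LEFT JOIN hash h ON h.path = p.path
WHERE  l.port != 0
  AND  l.address NOT IN ('127.0.0.1', '::1');

-- 3. Live connections to the suspect address and the process behind them.
SELECT p.pid, p.name, p.cmdline,
       s.local_port, s.remote_address, s.remote_port, s.state
FROM   process_open_sockets s
JOIN   processes p USING (pid)
WHERE  s.remote_address = '203.0.113.45';

-- 4. Persistence on Windows: enabled scheduled tasks, most recently run first.
SELECT name, action, path, hidden, last_run_time
FROM   scheduled_tasks
WHERE  enabled = 1
ORDER  BY last_run_time DESC;

-- 5. Shell history on Linux/macOS: download and decode primitives per user.
SELECT u.username, h.time, h.command, h.history_file
FROM   shell_history h
JOIN   users u USING (uid)
WHERE  h.command LIKE '%curl%'
   OR  h.command LIKE '%wget%'
   OR  h.command LIKE '%base64 -d%';
```

Run these interactively with osqueryi on one host, or as a fleet-wide query through Velociraptor, GRR or any osquery fleet manager; the hash join in query 2 is the one that costs I/O, so keep it scoped to listening processes rather than all of `processes`.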
Vendor-neutral YAML-based detection rule format. Rules are translated by converter backends (pySigma, sigma-cli) into SIEM-specific query languages such as KQL, SPL, and EQL; a community-maintained repository supplies thousands of rules.
Microsoft
Microsoft Sysinternals service and driver providing detailed Windows system activity logging (process creation with hashes, network connections, image loads, registry and file events) to the Windows event log. Deploy it ahead of an incident: when no EDR is present it is often the only process-level telemetry an investigator will have.