| File Extension | Tool | Category | Sub-Category | Type | Useful Switches | Tool Description | Linkage | Require Install? |
|---|---|---|---|---|---|---|---|---|
| elf | Pyelftools | Malware | File Analysis | CLI | | Library for analyzing ELF files and DWARF debugging information | http://pypi.python.org/pypi/pyelftools/ | |
| 7z, gz, zip, rar, dmg | 7zip | File Analysis | Archive | Both | | A file archiver with a high compression ratio. | http://www.7-zip.org/ | |
| jar, ear, war | 7zip | File Analysis | Java | Both | | A file archiver with a high compression ratio. | http://www.7-zip.org/ | |
| exe | 7zip | File Analysis | PE Analysis | Both | `7z x <filename> -osections` ; `7z l <filename>` | A file archiver with a high compression ratio. | http://www.7-zip.org/ | |
| swf | Adobe SWF Investigator | File Analysis | Flash | GUI | | GUI based tool that lets you both statically and dynamically analyze SWF files. | http://labs.adobe.com/downloads/swfinvestigator.html | |
| | aeskeyfind | Obfuscation/Encryption | | | | Find obfuscated or encrypted data | | |
| aff | AFFuse | Forensics | Disk Analysis | | | A FUSE-based program that gives you access to Advanced Forensic Format containers. | http://www.afflib.org | |
| - | AlternateStreamView | Forensics | Alternate Data Streams | CLI | | AlternateStreamView is a small utility that allows you to scan your NTFS drive and find all hidden alternate streams stored in the file system. | http://www.nirsoft.net/utils/alternate_data_streams.html | |
| | analyzeMFT.pl | Forensics | Filesystem Analysis | | | | | |
| | Anubis | Online Help | File Analysis | | | | http://anubis.iseclab.org/ | |
| - | APImonitor | Malware | Filesystem Monitoring | GUI | | Monitors and controls API calls made by applications and services. | http://www.rohitab.com/apimonitor | Yes |
| - | Autoruns | System | Filesystem Analysis | Both | | | http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx | |
| | AVG ZeroAccess Remover | Malware | Rootkit Analysis | | | Win32/ZeroAccess remover | http://free.avg.com/us-en/remove-win32zeroaccess | |
| | BDS | Malware | File Analysis | | | The Binary Diffing Starter (part of the eEye Binary Diffing Suite (EBDS)), a free and open source set of utilities for performing automated binary differential analysis. | http://www.eeye.com/resources/security-center/research/tools/eeye-binary-diffing-suite-ebds | |
| - | BEViewer | Forensics | File Carving | GUI | | User interface for browsing features that have been extracted via the bulk_extractor feature extraction tool. | https://github.com/simsong/bulk_extractor | |
| | BinText | File Analysis | | GUI | | | | |
| - | binwalk | File Analysis | Firmware Analysis | - | | Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. | http://code.google.com/p/binwalk/ | |
| | blkcat | Forensics | | CLI | - | Streams the content of a given data unit to STDOUT. | | |
| | blkls | Forensics | Disk Analysis | CLI | - | Lists details about data units and can extract all unallocated space of the file system. | | |
| - | blkls | Forensics | Filesystem Analysis | CLI | | Lists deleted (unallocated) disk blocks | | |
| | blkstat | Forensics | Disk Analysis | CLI | - | Displays information about a specific data unit (allocation status, and block group on Ext file systems). | | |
| - | bodyfile | Forensics | Timeline Creating | CLI | | Converts the bodyfile to TLN. | http://www.sleuthkit.org/sleuthkit/download.php | |
| - | Bokken | Forensics | File Analysis | GUI | | Bokken is a GUI for the Pyew and Radare projects | http://inguma.eu/projects/bokken | |
| - | Bokken | Forensics | Website Inspection | GUI | | GUI for Pyew; the Callgraph tab shows a visual representation of all the elements found in the HTML of the website, and all links with parameters are shown parsed and grouped | http://inguma.eu/projects/bokken/wiki/Webs | |
| - | BrowserSpider | Malware | Website Inspection | CLI | | BrowserSpider is a piece of code that makes a standard instance of Firefox or Chrome click all the links on the websites you specify | http://blog.michaelboman.org/2012/06/mart-malware-analyst-research-toolkit_29.html | |
| pdf, exe, dll, sys, pf, zip, elf | bulk_extractor | Forensics | File Carving | CLI | `bulk_extractor -f` | Tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. | https://github.com/simsong/bulk_extractor | |
| - | BurpSuite | Network | | GUI | | Control web traffic | http://portswigger.net/burp/proxy.html | |
| - | bytehist | File Analysis | PE Analysis | | | Check whether the file might be packed | http://www.cert.at/downloads/software/bytehist_en.html | |
| - | CacheBack | Forensics | Internet Explorer | GUI | | Net analysis tool for Internet evidence. | http://www.cacheback.ca/download.asp | |
| pcap | CapLoader | Network | PCAP Analysis | GUI | | A Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). *30 day trial* | http://www.netresec.com/?page=CapLoader | |
| - | CaptureBAT | System | Filesystem Monitoring | CLI | | | https://www.honeynet.org/node/315 | Yes |
| db | carver | Forensics | | | | A tool for extracting thumbnails stored in Windows Explorer thumbcache_NN.db files | http://code.google.com/p/pydetective/ | |
| | catchme.exe | Malware | Rootkit Analysis | | | | | |
| - | cda_tool.py | Forensics | Filesystem Analysis | CLI | | Tool by Simson Garfinkel to perform cross-drive analysis (takes output of bulk_extractor) | https://github.com/simsong/bulk_extractor | |
| cert | certutil | File Analysis | Certificates | CLI | | A command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. | http://technet.microsoft.com/en-us/library/cc732443%28v=ws.10%29.aspx | |
| - | Charles proxy | Network | Website Tampering | GUI | | An HTTP proxy / HTTP monitor / reverse proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. | http://www.charlesproxy.com/download/ | |
| | ChromeCacheView | Internet Browser | Google Chrome | | | Extracts the details of all cache files stored by the Google Chrome web browser. | http://www.nirsoft.net/utils/chrome_cache_view.html | |
| - | clamscan | Anti-Virus | | | `sudo freshclam` = refresh after updating signatures | Scan files for malware signatures | http://www.clamav.net/ | |
| - | Comodo Instant Malware Analysis | Online Help | File Analysis | - | | Automated analysis system | http://camas.comodo.com/ | |
| | Compare Vmware snapshots | Forensics | | GUI | | A string compare tool with search options for interesting (hidden) files like exe, sys and dll. | https://zairon.wordpress.com/2007/09/19/tool-compare-vmware-snapshots/ | |
| | comparepdf | File Analysis | | CLI | | A command line tool for comparing two PDF files. | http://www.qtrac.eu/comparepdf.html | |
| - | Conficker Detection Tool | Malware | Conficker | - | | Conficker detection tool | http://www.mcafee.com/us/downloads/free-tools/conficker-detection.aspx | |
| dat | crashdump.pl | Forensics | Registry Analysis | CLI | | RegRipper plugin that parses system crash dump configuration from the System hive | http://www.cutawaysecurity.com/blog/scripts-and-tools | |
| | CreateYaraSignature.py | Malware | File Identification | CLI | | Python script for IDA to create YARA byte code signatures | http://blog.accuvantlabs.com/sites/default/files/Tools/CreateYaraSignature.py_0.txt | |
| doc, pdf | Cryptam | Malware | File Analysis | CLI | | Detect malware in Office documents; extract encrypted embedded executables from PDF and Office documents | http://www.malwaretracker.com/tools.php | |
| - | curl | Network | | CLI | | Retrieve websites | http://isc.sans.edu/diary.html?storyid=8038 | |
| - | CWSandbox | Online Help | File Analysis | - | | Free dynamic, behaviour-based malware analysis using the CWSandbox | http://www.mwanalysis.org/ | |
| js | d8 | | | | | Deobfuscate JavaScript | http://code.google.com/p/v8/ | |
| | DarunGrim | Malware | File Analysis | | | (part of the eEye Binary Diffing Suite (EBDS)) a free and open source set of utilities for performing automated binary differential analysis. | | |
| - | dc3dd | Forensics | Disk Imaging | CLI | `sudo dc3dd if=/dev/sdX hash=sha256 verb=on log=/media/log.txt hof=/media/output.dd` | Enhanced version of dd that can generate hashes and logs of the imaging process. | | |
| - | dc3dd | Forensics | Disk Wiping | CLI | `dc3dd wipe=/dev/sdX verb=on` | Enhanced version of dd that can generate hashes and logs of the imaging process. | | |
| - | dcfldd | Forensics | Disk Imaging | CLI | `hashwindow=512M hash=md5,sha1 hashlog=forensics.haslog` | Enhanced version of dd that can generate hashes and logs of the imaging process. | | |
| - | dd | Forensics | Disk Imaging | CLI | | | | |
| | dd | Forensics | Disk Wiping | CLI | `dd if=/dev/zero of=<dev> bs=4096` | *nix program for wiping files/disks | | |
| - | ddrescue | Forensics | Disk Imaging | CLI | | Copies data from one file or block device (hard disk, CD-ROM, etc.) to another, trying hard to rescue data in case of read errors. GNU ddrescuelog is a tool that manipulates ddrescue logfiles, shows logfile contents, converts logfiles to/from other formats, compares logfiles, tests rescue status, and can delete a logfile if the rescue is done. | http://freecode.com/projects/addrescue | |
| $I* | del2info | Forensics | Windows Special Files | | | A tool for analyzing Windows Recycle Bin INFO2 and $I?????? files | http://code.google.com/p/pydetective/ | |
| INFO2 | del2info | | | | | A tool for analyzing Windows Recycle Bin INFO2 and $I?????? files | http://code.google.com/p/pydetective/ | |
| exe | densityscout | Malware | Filesystem Analysis | | `densityscout -pe -p 0.1 -o results.txt c:\Windows\System32` | This tool calculates density (similar to entropy) for the files under any file-system path and outputs a list ordered by descending density. This makes it possible to quickly find (even unknown) malware on a potentially infected Microsoft Windows machine. | http://www.cert.at/downloads/software/densityscout_en.html | |
| exe, dll, ocx, sys | Dependency Walker | Malware | PE Analysis | | | A free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. | http://www.dependencywalker.com/ | |
| - | Device Tree | Forensics | Filesystem Analysis | | | This utility has two views: (a) one view that will show you the entire PnP enumeration tree of device objects, including relationships among objects and all the device's reported PnP characteristics, and (b) a second view that shows you the device objects created, sorted by driver name. | http://www.osronline.com/article.cfm?article=97 | |
| bup, VBN, QBD | DeXRAY | File Analysis | Quarantine Files | CLI | - | DeXRAY is a simple Perl script that tries to discover encrypted executables and DLLs (or, more generically, Portable Executables a.k.a. PE) within a given data file, e.g. an encrypted PE that is embedded inside a malicious dropper (including non-PE files such as PDFs) or network traffic. | http://hexacorn.com/download.php?f=DeXRAY.pl | |
| | diffpdf | File Analysis | | GUI | | Tool to compare two PDF files by mode: Words, Characters, and Appearance. | http://www.qtrac.eu/diffpdf.html | |
| | Disitool | File Analysis | Certificates | CLI | `disitool.py extract signed-file signature` | A small Python program to manipulate embedded digital signatures. | http://blog.didierstevens.com/programs/disitool/ | |
| - | Disk Arbitrator | Forensics | Mac Forensics | | | A Mac OS X forensic utility which manages file system mounting in support of forensic procedures. | https://github.com/aburgh/Disk-Arbitrator | |
| | disk_sreset | Forensics | Disk Analysis | CLI | - | Allows you to temporarily remove an HPA from a disk (this is non-persistent). | | |
| | disk_stat | Forensics | Disk Information | CLI | - | Shows whether the disk has an HPA. | | |
| - | DiskView | Forensics | Filesystem Analysis | | | The DiskView utility, written by OSR, allows the user to view the MountPoints, Physical Disks, and Storage Adapters that make up the storage subsystem on the target machine. | http://www.osronline.com/article.cfm?article=198 | |
| | DisView | File Analysis | Microsoft Office | | | Disassembles bytes at a given offset of an MS Office file. Part of OfficeMalScanner. | http://www.reconstructer.org/code.html | |
| jar | DJ Java Decompiler | File Analysis | Java | | | Tool that allows you to decompile Java CLASS files and save them in text or another format. | http://members.fortunecity.com/neshkov/dj.html | |
| dmg | DMG Assist | Forensics | Mac Forensics | | | Mounts disk images that won't mount with the traditional double-click method. | https://www.blackbagtech.com/resources/freetools.html | |
| dmg | DMG Correct | Forensics | Mac Forensics | | | This tool corrects the partitioning structure, allowing both the system and data partitions to be mounted. DMG Correct should only be used on a copy of the original whole-device dmg, as the dmg is modified for mounting purposes. | https://www.blackbagtech.com/resources/freetools.html | |
| dmg | DMG Rename | Forensics | Mac Forensics | | | This utility is used to rename RAW image files to a .dmg extension. | https://www.blackbagtech.com/resources/freetools.html | |
| sys | Driver Loader | Malware | PE Analysis | GUI | | Installs NT kernel drivers, makes all the appropriate registry entries for your driver, and even allows you to start your driver without rebooting. | http://www.osronline.com/article.cfm?article=157 | |
| dat | drwatson.pl | Forensics | Registry Analysis | CLI | | RegRipper plugin that parses Dr. Watson configuration information from the Software hive | http://www.cutawaysecurity.com/blog/scripts-and-tools | |
| - | dtSearch | Forensics | Indexing | | | Indexing tool that allows you to search terabytes of text/documents across a desktop, network, Internet or intranet site. *30 day trial* | http://www.dtsearch.com/ | |
| dmp | Dumpit | Memory | Memory Analysis | CLI | | Part of the MoonSols Windows Memory Toolkit; captures a 32/64-bit memory image locally. | http://www.moonsols.com/products/ | |
| - | Epoch Converter | Forensics | Mac Forensics | | | This utility is used to convert epoch times on a Mac to show the local and UTC time. | https://www.blackbagtech.com/resources/freetools.html | |
| evt | Event Log Explorer XP | File Analysis | Event Logs | | | | | |
| dat | eventlogs.pl | Forensics | Registry Analysis | CLI | | RegRipper plugin that parses Windows Event Log configuration from the System hive; contains the configured hostname | http://www.cutawaysecurity.com/blog/scripts-and-tools | |
| evt, evtx | evtparse.pl | Forensics | Event Logs | CLI | `evtparse.pl -s` = list all records, in order by record number, with corresponding TimeGenerated values to detect system time changes | | http://code.google.com/p/winforensicaanalysis/downloads/list | |
| evtx | Evtx Parser | File Analysis | Event Logs | CLI | | Windows Event Log parser library (Perl) | http://computer.forensikblog.de/en/2011/11/evtx-parser-1-1-1.html | |
| evt, evtx | evtx_view | Forensics | Event Logs | GUI | | Tool to view Windows Event logs | http://www.tzworks.net/prototype_page.php?proto_id=4 | |
| evtx | evtxcheck.pl | Forensics | Event Logs | CLI | | Windows Event Log EVTX checker (Microsoft LogParser must be in the system PATH) | https://code.google.com/p/hotoloti/downloads/list | |
| evtx | evtxrpt.pl | Forensics | Event Logs | CLI | | Windows Event Log EVTX summarizer (Microsoft LogParser must be in the system PATH) | https://code.google.com/p/hotoloti/downloads/list | |
| | ewfacquire | Forensics | Disk Imaging | CLI | | Part of the LibEWF package; provides a robust console interface for generating EWF/E01 image files. | | |
| E01 | ewy.py | Forensics | Disk Analysis | CLI | | Uses the LibEWF library to mount EnCase-generated image files. | | |
| exe, dll, ocx, sys | exeinfo | File Analysis | PE Analysis | GUI | | The ExeInfo utility shows general information about executable files. | http://www.nirsoft.net/utils/exeinfo.html | |
| exe | exeinfo | Malware | PE Analysis | GUI | | Packer/compressor detector, unpack info, internal exe tools; similar to PEiD | http://exeinfo.antserve.com/ | |
| exe | exescan | Malware | PE Analysis | CLI | | Console-based tool to detect anomalies in PE (Portable Executable) files. It quickly scans a given executable file and detects all kinds of anomalies in its PE header fields, including checksum verification, the size of various header fields, improper size of raw data, non-ASCII/empty section names, etc. | http://securityxploded.com/download.php#exescan | |
| jpg, gif, png | exif_summarizer.py | Forensics | Metadata | CLI | | Exif summarizer | https://code.google.com/p/hotoloti/downloads/list | |
| rss | exif2georss.py | Forensics | Metadata | CLI | | Takes GPS Exif metadata from image files (or whatever) and creates a GeoRSS file suitable for import into Bing Maps. | https://github.com/davehull/Exif2GeoRSS | |
| jpg, docx, pptx, xlsx | exiftool | Forensics | Metadata | CLI | | Tool to extract metadata from a file; see also read_OPEN_XML.PL for MS Office 2k7 files. | | |
| - | EXPOSURE | Online Help | Blacklists | - | | Detecting malicious DNS domains using large-scale passive DNS analysis | http://exposure.iseclab.org/ | |
| - | Ext2Fsd | Forensics | Linux Forensics | | | An open source Ext2 file system driver for Windows systems; can also read Ext3 minus journaling. | | |
| - | Ext2Read | Forensics | Linux Forensics | GUI | | An explorer-like utility to explore ext2/ext3/ext4 files. It now supports LVM2 and EXT4 extents. It can be used to view and copy files and folders. It can recursively copy entire folders. It can also be used to view and copy disk and file | http://sourceforge.net/projects/ext2read/ | |
| | ext3grep | Forensics | File Recovery | CLI | | A tool to investigate an ext3 file system for deleted content and possibly recover it. | https://code.google.com/p/ext3grep | |
| pcap | extflow.py | File Analysis | PCAP Analysis | CLI | | A simple script that carves files out of the streams created by tcpflow. | http://hooked-on-mnemonics.blogspot.com/2012/04/extflowpy-hack-for-carving-files-from.html | |
| cab | extract.exe | Malware | File Analysis | CLI | | A command-line application that extracts individual files from compressed cabinet (.cab) files. | http://www.softpedia.com/get/Compression-tools/Microsoft-Cabinet-Extraction-Tool.shtml | Yes |
| - | fakedns | Network | | | | Emulate common network services | http://code.activestate.com/recipes/491264-mini-fake-dns-server/ | |