Since the inception of data forensics almost forty years ago, methods for investigating security events have given way to a market of vendors and tools offering digital forensics software (DFS).
While several open-source tools exist for disk and data capture, network analysis, and specific device forensics, a growing number of vendors are building off what’s publicly available. As cybercrime flourishes and evolves, organizations need a range of tools to defend against and investigate incidents.
This article looks at the top digital forensics and incident response (DFIR) software tools and what customers should consider when buying or acquiring such tools. We include several free and open-source tools here, but the emphasis is on commercially available and supported solutions and services.
Also see the Best Incident Response Tools and Software
Jump ahead to:
- Top Digital Forensics Tools
- Digital Forensics Trends: Data Migration, Speed & Zero Trust
- Considerations for Digital Forensics Software (DFS) Solutions
- Why Do You Need Digital Forensic Software?
- What Are Common DFS Product Capabilities?
Top Digital Forensics Tools
eSecurity Planet evaluated a great many vendors to come up with our list of the top digital forensics products, analyzing everything from product features to analyst and user opinions. These 16 products stood out in this important market.
Paraben Corporation
Paraben Corporation entered the cybersecurity marketplace in 1999, focused on digital forensics, risk assessment, and security solutions. Today, in a world with billions of devices, Paraben covers forensic investigations involving email, computers, smartphones, and Internet of Things (IoT) devices.
- The Paraben E3 Forensic Platform streamlines data from multiple sources.
- E3:Universal covers all devices, E3:DS is for mobile forensics, E3:P2C is for computer forensics, and E3:EMAIL for email.
- There are hash databases for filtering; viewers for files, hex, text, RTF, and emails; and automated embedded data detection (OLE).
- Paraben provides remote access with collection from machines and cloud storage.
- Paraben offers IoT support for brands like Xbox and Amazon Echo and cloud support for Google, Dropbox, and Slack.
- Users can work with multiple data sources together for analysis, collect from a wide range of sources including computers, smartphones, IoT devices, and cloud services, sort the data into logical categories, recover information, and search in multiple languages.
- All capabilities, including components such as cloud, computer, and mobile support, are provided at a single price point.
Pricing: Monthly pricing is available for access to training courses, with a software license included. A free version is also available.
The Sleuth Kit and Autopsy
The Sleuth Kit (TSK) and Autopsy are popular open-source digital investigation tools. Sleuth Kit enables administrators to analyze file system data via a library of command-line tools for investigating disk images. Autopsy is its graphical user interface (GUI) and a digital forensics platform used in public and private computer system investigations to boost TSK’s abilities.
- TSK offers well-regarded and reviewed disk and data capture tools.
- Capabilities include timeline analysis, hash filtering, file and folder flagging, and multimedia extraction.
- Autopsy allows users to efficiently analyze hard drives and smartphones.
- Its plug-in architecture allows users to find add-on modules or develop custom modules in Java or Python.
- Sleuth Kit is a collection of command-line tools and a C library to analyze disk images and recover files.
- Commercial training, support, and custom development are available from Basis Technology.
- The core functionality of TSK is to analyze volume and file system data.
- The library can be incorporated into larger digital forensics tools, and the command-line tools can be directly used to find evidence.
- TSK is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
- TSK can be used to recover photos from a camera’s memory card.
Pricing: TSK and Autopsy are open source and free, but commercial support is available.
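Hash filtering, offered by both Paraben’s hash databases and TSK’s hash filtering described above, works by comparing each file’s digest against known-good and known-bad hash sets so examiners only review what is unknown. The following Python example is added here and is not code from either project; the hash sets and the evidence tree it triages are constructed samples, not real NSRL or vendor data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large evidence files are never loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_set(samples: dict[str, bytes]) -> dict[str, str]:
    """Map SHA-256 hex digest -> label for labelled sample contents (constructed data)."""
    return {hashlib.sha256(data).hexdigest(): label for label, data in samples.items()}


def triage_directory(root: Path, known_good: dict[str, str],
                     known_bad: dict[str, str]) -> dict[str, list[str]]:
    """Classify every regular file under root.

    ignored: matches a known-good set (e.g. stock OS files) and needs no review
    alert:   matches a known-bad set and should be escalated
    review:  unknown, so an examiner still has to look at it
    Known-bad is checked first so a collision between sets errs towards alerting.
    """
    result: dict[str, list[str]] = {"ignored": [], "alert": [], "review": []}
    files = sorted((p for p in root.rglob("*") if p.is_file()), key=lambda p: p.as_posix())
    for path in files:
        digest = sha256_file(path)
        rel = path.relative_to(root).as_posix()
        if digest in known_bad:
            result["alert"].append(f"{rel} ({known_bad[digest]})")
        elif digest in known_good:
            result["ignored"].append(rel)
        else:
            result["review"].append(rel)
    return result


# Constructed hash sets: the contents stand in for real reference files.
KNOWN_GOOD = build_hash_set({
    "os-stock-notepad": b"stock OS binary contents (constructed)",
    "os-stock-calc": b"another stock binary (constructed)",
})
KNOWN_BAD = build_hash_set({
    "constructed-dropper-signature": b"constructed malicious sample contents",
})


def demo() -> dict[str, list[str]]:
    """Build a constructed evidence tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(b"stock OS binary contents (constructed)")
        (root / "Windows" / "calc.exe").write_bytes(b"another stock binary (constructed)")
        (root / "Users").mkdir()
        (root / "Users" / "update.exe").write_bytes(b"constructed malicious sample contents")
        (root / "Users" / "notes.txt").write_bytes(b"user document, not in any hash set")
        return triage_directory(root, KNOWN_GOOD, KNOWN_BAD)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket, entries)
```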
OpenText EnCase
Founded in 1991 in Waterloo, Ontario, OpenText offers enterprise content management, networking, automation, discovery, security, and analytics services. OpenText EnCase solutions include Endpoint Security (endpoint detection and response, or EDR), Endpoint Investigator (DFIR), Forensic, Mobile Investigator, and Advanced Detection. These solutions help with recovering evidence from multiple device types and hard drives, automating the preparation of evidence, deep and triage analysis, and evidence collection and preservation.
- EnCase Forensic is court-proven in finding, decrypting, collecting, and preserving forensic data from a variety of devices, while ensuring evidence integrity and integrating with investigation workflows.
- EnCase can acquire evidence from a variety of sources and dig deep into each source to uncover potentially relevant information.
- Predefined or customized conditions and filters can quickly locate evidence.
- Evidence processing, integrated workflows, and flexible reporting are all features offered by EnCase.
- EnCase works across computers, laptops, and mobile devices to determine whether further investigation is warranted.
- The platform ranks evidence by importance.
- Real-time evaluation of evidence is provided.
Pricing: OpenText EnCase pricing is available upon request.
Magnet Forensics
Noticing that digital forensic tools used by law enforcement were insufficient, Canadian police officer Jad Saliba founded Magnet Forensics in 2011. The company offers digital forensic investigative tools to public and private organizations. Products include Magnet Axiom Cyber for incident response, Magnet Automate Enterprise, and Magnet Ignite for triage.
- Magnet Forensics now has more than 4,000 customers in over 100 countries.
- Magnet supports every digital evidence source, not just Linux and Windows OS.
- Magnet Axiom Cyber incident response is used to perform remote acquisitions and recover and analyze evidence from computers, the cloud, and mobile devices.
- Magnet Automate Enterprise is an automation solution used to simultaneously collect and process evidence from multiple endpoints in the wake of a security incident.
- Magnet Ignite performs fast, remote scans and initial analysis of endpoints as a triage action.
- Magnet Forensics performs remote acquisitions of Mac, Windows, and Linux endpoints, even when they aren’t connected to company networks.
- Data can be recovered from apps such as Microsoft Office 365 and Slack as well as storage services like Amazon Web Services and Microsoft Azure.
- All evidence is brought into one location where security teams can analyze it.
- Evidence can simultaneously be recovered and processed from multiple endpoints.
- SIEM (security information and event management) and EDR tools are integrated into workflows and a digital investigation can automatically be triggered when a threat is detected.
Pricing: Magnet doesn’t provide pricing, but free trials are available.
CAINE
The Computer-Aided Investigative Environment (CAINE) is an Italian open-source, Ubuntu-based Linux distribution built for digital forensics. CAINE integrates with existing Windows, Linux, and Unix security tools.
- CAINE provides automatic extraction of timelines from RAM (random access memory).
- It is an interoperable environment that supports the digital investigator during the four phases of the digital investigation.
- All block devices are locked in read-only mode by default, so CAINE protects every disk against accidental write operations.
- If the user needs to write to a disk, it can be unlocked through a GUI named Unblock, which is present on CAINE’s desktop.
Pricing: CAINE is open source and thus free.
Kroll Computer Forensics
Kroll’s computer forensics services and experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.
- Physical and digital evidence is examined to uncover what did or did not happen, using a combination of computer forensic expertise and traditional investigative techniques.
- Defensible methodologies and solutions are available to identify and preserve electronic data.
- Regardless of the volume and complexity of collection needs, Kroll gathers data for electronic investigation and forensic analysis or forensic discovery.
- Whether data was deleted or manipulated on purpose or by accident, Kroll analyzes the digital clues left behind to uncover critical information.
- Experts are available on call to serve as an expert witness or special master.
Pricing: Available upon request.
SIFT Workstation
SIFT Workstation is a collection of free and open-source incident response and forensic tools for performing digital forensic examinations. It offers several deployment options, including a virtual machine (VM), native installation on Ubuntu, or installation on Windows via the Windows Subsystem for Linux.
- Developed by the SANS Institute in 2007, SIFT runs on 64-bit operating systems, automatically updates its software with the latest forensic tools and techniques, and is optimized for memory use.
- SIFT Workstation is continually updated and has over 125,000 downloads.
- SIFT Workstation is used as part of SANS Institute training on incident response, network forensics, and cyber threat intelligence.
- It can analyze file systems, network evidence, memory images, and more.
- Support is available for NTFS, ISO9660 CD, HFS, and FAT.
- SIFT Workstation has been upgraded to improve memory utilization.
- There is cross compatibility between Linux and Windows systems.
Pricing: Available for free from SANS.
Exterro
Hailing from Portland, Oregon, Exterro launched in 2004 and specializes in workflow-driven software and governance, risk, and compliance (GRC) solutions. While all of our picks inherently support organizations’ needs to maintain compliance, Exterro is especially valuable for assisting in-house legal teams, streamlining compliance processes, and controlling risks.
Exterro offers products across e-discovery, privacy, risk management, and digital forensics. Known for its forensics-focused products dubbed FTK, its capabilities include Mac and mobile data investigations, remote agent endpoint collection, scalable DPE (data processing environment), and automated workflows.
- Exterro’s operations are SOC 2 Type 2 certified and FedRAMP authorized.
- Products are split into FTK Imager, FTK Lab, FTK Central, FTK Enterprise, and FTK Connect (previously known as API-specific solutions).
- The overall Exterro FTK Forensic Toolkit has been used in digital forensics for over 30 years for repeatable, reliable investigations.
- All FTK solutions feature fast data processing, including for mobile data extractions.
- Exterro provides remote endpoint investigation, triage, collection, and remediation.
- Unlimited DPE scalability is available to meet heavy demand.
- Exterro requires minimal training.
- Exterro is a web-based, collaborative platform to centralize forensic evidence.
- Automation is available for workflow tasks and orchestration with SIEM and SOAR (security orchestration, automation, and response) platforms.
- Examiners can perform a rapid risk assessment of a suspected compromised endpoint — even if it is disconnected from the VPN network — by previewing the live contents of an off-network endpoint before performing a time-consuming collection.
- Integration with cybersecurity platforms, such as Palo Alto Cortex XSOAR, allows users to capture and preserve endpoint data immediately upon detection of a possible threat.
- No API (application programming interface) or Python scripting is required.
Pricing: FTK Imager is free; quote available upon request for other Exterro FTK solutions.
Volatility
Volatility is a command-line memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open-source, and runs in Windows. This forensics framework for incident response and malware analysis is written in Python and supports Microsoft Windows, Mac OS X, and Linux.
- There is no need to install a Python script interpreter.
- Memory forensics technology enables investigators to analyze runtime states using RAM data.
- Knowledge of operating system (OS) internals, malicious code, and anomalies is used to enhance its tools.
- Embedded API can be used for lookups of PTE (page table entry) flags.
- Volatility has support for kernel address space layout randomization (KASLR).
- After multiple failed starts, a failure command is executed automatically.
- In 2020, the Volatility Foundation released a complete rewrite of the framework known as Volatility 3 to address technical and performance challenges associated with the original code base released in 2007.
Pricing: The Volatility framework is free and open source.
X-Ways Forensics
X-Ways Forensics is a work environment for computer forensic examiners. Known for not being resource-hungry, yet speedy, it is based on the WinHex hex and disk editor and offers additional disk and data capture software, cloning, imaging, and other tools.
- X-Ways is portable and runs off of a USB stick on any given Windows system without installation if desired.
- X-Ways downloads and installs within seconds.
- Computer forensic examiners are enabled to share data and collaborate with investigators that use X-Ways Investigator.
- X-Ways runs under Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016/2019/11, 32-bit/64-bit, and standard/PE/FE.
- Lost or deleted partitions are detected automatically.
- Partitioning and file system structures inside .dd image files can be read.
- X-Ways provides analysis of remote computers.
- X-Ways can access disk and RAID configurations and detect NTFS (New Technology File System) and ADS (alternate data streams).
- There are templates to view and edit binary data.
- X-Ways offers built-in interpretation of JBOD, RAID 0, RAID 5, RAID 5EE, and RAID 6 systems, Linux software RAIDs, Windows dynamic disks, and LVM2.
- Native support is available for FAT12, FAT16, FAT32, exFAT, TFAT, NTFS, Ext2, Ext3, Ext4, Next3, CDFS/ISO9660/Joliet, and UDF.
Pricing: X-Ways publishes its prices and claims a pricing advantage over competitors.
Cellebrite
Started in 1999 in Israel, Cellebrite specializes in mobile device forensics for law enforcement and enterprises that need to collect, review, analyze, or manage device data. The Digital Intelligence Investigative Platform helps unify the investigative life cycle and preserve digital evidence.
- Cellebrite Universal Forensic Extraction Device (UFED) can extract physical and logical data.
- Recovery methods include exclusive bootloaders, automatic EDL (emergency download) capability, and smart ADB (Android Debug Bridge).
- Cellebrite can provide analysis on Windows and Mac.
- Users can find internet history, downloads, recent searches, top sites, locations, media, messages, recycle bin, USB connections, and more.
- AI-assisted picture and video categorization, filtering, and support for whole disk encryption are available features.
- Cellebrite shows the timeline of an event and reveals the real story behind each case.
- Cellebrite is designed to scale and sift through large datasets.
- Cellebrite creates customized, court-ready reports.
- The platform exports findings easily.
Pricing: Available upon request.
ProDiscover
ProDiscover launched in 2001 to help public and private organizations solve digital crimes. As of 2021, the India-based provider works in over 70 countries with more than 400 clients, including NIST, NASA, and Wells Fargo. ProDiscover Forensics captures evidence from computer systems for use in forensic investigation to collect, preserve, filter, and analyze evidence.
- ProDiscover offers three products that prioritize computer forensics, incident response, electronic discovery, and corporate policy compliance investigations.
- ProDiscover locates data on a computer disk, protects evidence, and creates reports.
- EXIF data can be extracted from JPEG files.
- Copies of suspicious disks can be made.
- Support is available for VMware to run captured images.
- ProDiscover supports Windows, Mac, and Linux file systems.
- Evidentiary reports can be prepared and presented in court.
- ProDiscover previews and images disks.
- Memory forensics is available.
- ProDiscover offers text search with multilingual capabilities.
- ProDiscover includes cloud, social media, Web, and email investigation.
Pricing: Available upon request.
Wireshark
First developed in 1998, Wireshark performs forensic investigation and analysis of network packets and is used for testing and troubleshooting networks. This includes inspection of hundreds of protocols in a three-pane packet browser that lays out the encapsulated data structures.
- Wireshark is multi-platform, running on Windows, Linux, macOS, Solaris, FreeBSD, and NetBSD.
- Network analysis is available with VoIP (voice over Internet Protocol) analysis.
- Wireshark can read capture files compressed with gzip and export outputs to XML, CSV, or plain text.
- Users can see what’s happening on a network.
- Live capture and offline analysis are available.
- Captured network data can be browsed via a GUI, or via the teletypewriter (TTY)-mode TShark utility.
- Wireshark can read and write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, and WildPackets EtherPeek/TokenPeek/AiroPeek.
- Decryption support is available, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
Pricing: Wireshark is free and open source and boasts an active user community, but commercial training is also available.
Xplico
Created in 2007, Xplico is a network forensics analysis tool that reconstructs application data from captured traffic. It uses port independent protocol identification (PIPI) to identify protocols regardless of the port in use and reconstruct their application data. Available as a free and open-source tool, Xplico’s primary objective is to extract application data from an internet traffic capture.
- Xplico supports HTTP, IMAP, POP, SMTP, IPv6, and more.
- Xplico creates XML files that identify the flows and the pcap input file from which each reassembled data structure came.
- Multithreading is possible.
- There are no data entry limits.
- Xplico can perform reverse DNS (Domain Name System) lookups from DNS packets.
- Xplico provides output data and information in a SQLite database, a MySQL database, and/or files.
- All data reassembled by Xplico has an associated XML file that uniquely identifies it.
- Real-time processing is supported.
- TCP (Transmission Control Protocol) reassembly is available with ACK (acknowledgement) verification on every packet or with soft ACK verification.
- Reverse DNS lookups use the DNS packets contained in the input files, not an external DNS server.
Pricing: Xplico is free and open source.
LogRhythm
LogRhythm is best known for SIEM, threat intelligence, and UEBA (user and entity behavior analytics). Started in 2003 out of Boulder, Colorado, the company includes network forensics via a feature known as NetMon, but the company has been refocusing its forensics efforts as part of its network detection and response (NDR) and endpoint monitoring solutions.
- LogRhythm aggregates packet capture and derived metadata, preserves the log data, and uses network forensic sensors to fill in the gaps.
- LogRhythm measures mean time to respond (MTTR).
- Dashboards are able to identify threats.
- LogRhythm offers application recognition of over 3,000 applications and metadata for visibility into network sessions.
- Script-based deep packet analytics (DPA) is available for real-time detection.
- LogRhythm provides session-based full packet capture.
- LogRhythm offers Layer 4–7 analysis with application ID.
- SmartCapture selective packet capture is available.
- Automated actions can capture sessions through packet capture for later case analysis.
Pricing: Available upon request, but you may still be able to obtain NetMon Freemium.
Global Digital Forensics
Global Digital Forensics has been involved in computer forensic analysis and litigation support for over two decades. It offers a range of forensic services covering all digital devices. Founded in 1992, GDF also provides e-discovery services, penetration testing, and breach response services.
- Global Digital Forensics has its own labs as well as a global network of responders, allowing it to perform forensic analysis for virtually anything in any environment.
- GDF provides expert computer witness testimony in cases.
- Features include investigative tools for computers, email, mobile devices, social networks, and disk drives.
- Data retrieval and recovery services are available.
- GDF provides forensic readiness assessments.
- GPS and smartphone tracking, internet history analysis, image recovery and authentication, and chip-off analysis are available.
- GDF offers recovery of data from all devices, from mainframes to smartphones.
- Users can find evidence in log files and video.
Pricing: Available upon request.
Digital Forensics Trends: Data Migration, Speed & Zero Trust
The data forensics market has changed a lot since our last update more than a year ago, and can be summed up with two words: speed and security.
Lee Proctor of Paraben says data is being migrated in order to make it more accessible and nearer at hand for the forensic tools that are used to investigate it.
And as cyber criminals continue to increase the frequency and severity of their attacks, enterprises will look to augment that need for speed by incorporating automation into their digital forensic and incident response workflows.
“The risks from both internal and external threats have only intensified with the shift to hybrid and remote work models,” said Adam Belsher, CEO of Magnet Forensics. “The success of a cybersecurity strategy now lies both with the individual employee and the environment created to protect them. Employees are being exposed to more threat vectors than they ever have because they’re using their own devices and more third-party apps. One error from one individual can expose an enterprise’s entire network to serious harm.”
Getting forensic evidence into the hands of investigators as fast as possible is the key to bringing cyber criminals to justice. Fast processing is a must, especially for mobile device data.
At least 70% of law enforcement investigations and a rising number of civil cases involve mobile data. Frontline officers must be able to extract, process, and parse mobile evidence quickly to then pass it to an analyst for review, all while preserving the chain of custody.
“To date, investigators have attempted to overcome these issues by manually processing data or passing data between multiple forensic platforms, but it’s a slow and cumbersome process that has seen case backlogs grow and increased the risk of data loss or compromise,” said Harsh Behl, director of product management at Exterro. “Having one collaborative platform where all types of device data can be collected, processed, and reviewed is the best way to streamline this workflow.”
Conducting internal investigations within zero trust
More and more organizations are allowing their employees to work from home indefinitely. This has introduced a greater reliance on a secure VPN network and zero-trust architecture. But IT and human resources (HR) teams must still be able to conduct internal investigations, such as the forensic collection of evidence relating to suspicious endpoint activity or a rogue employee.
“Being able to conduct incident response and carry out an endpoint triage remotely means the investigator does not need to physically be present to collate the evidence, resulting in a speedier response, which is vital in cases where malware can have time to propagate,” said Behl. “By examining data off the network, it can ensure the data is isolated and comply with the demands of a zero-trust infrastructure, which requires all access to be authenticated.”