forked from decal/werdlists
file-extens-tools.txt
477 lines (477 loc) · 77.1 KB
File Extension,Tool,Category,Sub-Category,Type,Useful Switches,Tool Description,Linkage,Require Install?
elf,Pyelftools,Malware,File Analysis,CLI,,Library for analyzing ELF files and DWARF debugging information,http://pypi.python.org/pypi/pyelftools/,
"7z, gz, zip, rar, dmg",7zip,File Analysis,Archive,Both,,A file archiver with a high compression ratio.,http://www.7-zip.org/,
"jar, ear, war",7zip,File Analysis,Java,Both,,A file archiver with a high compression ratio.,http://www.7-zip.org/,
exe,7zip,File Analysis,PE Analysis,Both,"7z x <filename> -osections
7z l <filename>",A file archiver with a high compression ratio.,http://www.7-zip.org/,
swf,Adobe SWF Investigator,File Analysis,Flash,GUI,,GUI based tool that lets you both statically and dynamically analyze SWF files.,http://labs.adobe.com/downloads/swfinvestigator.html,
,aeskeyfind,,Obfuscation/Encryption,,,Find obfuscated or encrypted data,,
aff,AFFuse,Forensics,Disk Analysis,,,A FUSE-based program that gives you access to Advanced Forensic Format containers.,http://www.afflib.org,
-,AlternateStreamView,Forensics,Alternate Data Streams,CLI,,"AlternateStreamView is a small utility that allows you to scan your NTFS drive, and find all hidden alternate streams stored in the file system.",http://www.nirsoft.net/utils/alternate_data_streams.html,
,analyzeMFT.pl,Forensics,Filesystem Analysis,,,,,
,Anubis,Online Help,File Analysis,,,,http://anubis.iseclab.org/,
-,APImonitor,Malware,Filesystem Monitoring,GUI,,Monitors and controls API calls made by applications and services.,http://www.rohitab.com/apimonitor,Yes
-,Autoruns,System,Filesystem Analysis,Both,,,http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx,
,AVG ZeroAccess Remover,Malware,Rootkit Analysis,,,Win32/ZeroAccess remover,http://free.avg.com/us-en/remove-win32zeroaccess,
,BDS,Malware,File Analysis,,,The Binary Diffing Starter (part of eEye Binary Diffing Suite (EBDS)) a free and open source set of utilities for performing automated binary differential analysis.,http://www.eeye.com/resources/security-center/research/tools/eeye-binary-diffing-suite-ebds,
-,BEViewer,Forensics,File Carving,GUI,,User interface for browsing features that have been extracted via the bulk_extractor feature extraction tool.,https://github.com/simsong/bulk_extractor,
,BinText,File Analysis,,GUI,,,,
-,binwalk,File Analysis,Firmware Analysis,-,,"Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images.",http://code.google.com/p/binwalk/,
,blkcat,Forensics,,CLI,-,Streams the content of a given data unit to STDOUT.,,
,blkls,Forensics,Disk Analysis,CLI,-,Lists details about data units & can extract all unallocated space of the file system.,,
-,blkls,Forensics,Filesystem Analysis,CLI,,Lists deleted (unallocated) disk blocks,,
,blkstat,Forensics,Disk Analysis,CLI,-,Displays information about a specific data unit. (allocation status & block group if Ext file system),,
-,bodyfile,Forensics,Timeline Creating,CLI,,Converts the bodyfile to TLN.,http://www.sleuthkit.org/sleuthkit/download.php,
-,Bokken,Forensics,File Analysis,GUI,,Bokken is a GUI for the Pyew and Radare projects ,http://inguma.eu/projects/bokken,
-,Bokken,Forensics,Website Inspection,GUI,,GUI for Pyew; the Callgraph tab shows a visual representation of all the elements found in the HTML of the website; all links with parameters are shown parsed and grouped,http://inguma.eu/projects/bokken/wiki/Webs,
-,BrowserSpider,Malware,Website Inspection,CLI,,BrowserSpider is a piece of code that makes a standard instance of Firefox or Chrome click all the links on the websites you specify,http://blog.michaelboman.org/2012/06/mart-malware-analyst-research-toolkit_29.html,
"pdf,exe,dll,sys,pf,zip,elf",bulk_extractor,Forensics,File Carving,CLI,bulk_extractor -f,"Tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.",https://github.com/simsong/bulk_extractor,
-,BurpSuite,Network,,GUI,,Control web traffic,http://portswigger.net/burp/proxy.html,
-,bytehist,File Analysis,PE Analysis,,,Check whether the file might be packed,http://www.cert.at/downloads/software/bytehist_en.html,
-,CacheBack,Forensics,Internet Explorer,GUI,,Net analysis tool for Internet evidence.,http://www.cacheback.ca/download.asp,
pcap,CapLoader,Network,PCAP Analysis,GUI,,A Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). *30 day trial*,http://www.netresec.com/?page=CapLoader,
-,CaptureBAT,System,Filesystem Monitoring,CLI,,,https://www.honeynet.org/node/315,Yes
db,carver,Forensics,,,,A tool for extracting Thumbnails stored in Windows Explorer thumbcache_NN.db files,http://code.google.com/p/pydetective/,
,catchme.exe,Malware,Rootkit Analysis,,,,,
-,cda_tool.py,Forensics,Filesystem Analysis,CLI,,Tool by Simson Garfinkel to perform cross-drive analysis (takes output of bulk_extractor),https://github.com/simsong/bulk_extractor,
cert,certutil,File Analysis,Certificates,CLI,,"A command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.",http://technet.microsoft.com/en-us/library/cc732443%28v=ws.10%29.aspx,
-,Charles proxy,Network,Website Tampering,GUI,,An HTTP proxy / HTTP monitor / reverse proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.,http://www.charlesproxy.com/download/,
,ChromeCacheView,Internet Browser,Google Chrome,,,Extracts the details of all cache files stored by Google Chrome Web browser. ,http://www.nirsoft.net/utils/chrome_cache_view.html,
-,clamscan,,Anti-Virus,,sudo freshclam = refresh after updating signatures,Scan files for malware signatures,http://www.clamav.net/,
-,Comodo Instant Malware Analysis,Online Help,File Analysis,-,,Automated Analysis System,http://camas.comodo.com/,
,Compare Vmware snapshots,Forensics,,GUI,,"A string compare tool with search options for interesting (hidden) files like exe, sys and dll.",https://zairon.wordpress.com/2007/09/19/tool-compare-vmware-snapshots/,
pdf,comparepdf,File Analysis,PDF,CLI,,A command line tool for comparing two PDF files.,http://www.qtrac.eu/comparepdf.html,
-,Conficker Detection Tool,Malware,Conficker,-,,Conficker detection tool,http://www.mcafee.com/us/downloads/free-tools/conficker-detection.aspx,
dat,crashdump.pl,Forensics,Registry Analysis,CLI,,RegRipper plugin that parses system crash dump configuration from the System hive,http://www.cutawaysecurity.com/blog/scripts-and-tools,
,CreateYaraSignature.py,Malware,File Identification,CLI,,Python script for IDA to create YARA byte code signatures,http://blog.accuvantlabs.com/sites/default/files/Tools/CreateYaraSignature.py_0.txt,
"doc, pdf",Cryptam,Malware,File Analysis,CLI,,"Detect malware in Office documents, extract encrypted embedded executables from PDF and office documents",http://www.malwaretracker.com/tools.php,
-,curl,Network,,CLI,,Retrieve websites,http://isc.sans.edu/diary.html?storyid=8038,
-,CWSandbox,Online Help,File Analysis,-,,"Free dynamic, behaviour-based malware analysis using the CWSandbox",http://www.mwanalysis.org/,
js,d8,,,,,Deobfuscate JavaScript,http://code.google.com/p/v8/,
,DarunGrim,Malware,File Analysis,,,Part of eEye Binary Diffing Suite (EBDS); a free and open source set of utilities for performing automated binary differential analysis.,,
-,dc3dd,Forensics,Disk Imaging,CLI,"sudo dc3dd if=/dev/sdX hash=sha256 verb=on log=/media/
log.txt hof=/media/output.dd",Enhanced version of dd that can generate hashes and logs of the image process.,,
-,dc3dd,Forensics,Disk Wiping,CLI,dc3dd wipe=/dev/sdX verb=on,Enhanced version of dd that can generate hashes and logs of the image process.,,
-,dcfldd,Forensics,Disk Imaging,CLI,"hashwindow=512M hash=md5,sha1 hashlog=forensics.haslog",Enhanced version of dd that can generate hashes and logs of the image process.,,
-,dd,Forensics,Disk Imaging,CLI,,,,
,dd,Forensics,Disk Wiping,CLI,dd if=/dev/zero of=<dev> bs=4096,*nix program for wiping files/disks,,
-,ddrescue,Forensics,Disk Imaging,CLI,,"Copies data from one file or block device (hard disk, CD-ROM, etc.) to another, trying hard to rescue data in case of read errors. GNU ddrescuelog is a tool that manipulates ddrescue logfiles, shows logfile contents, converts logfiles to/from other formats, compares logfiles, tests rescue status, and can delete a logfile if the rescue is done.",http://freecode.com/projects/addrescue,
$I*,del2info,Forensics,Windows Special Files,,,A tool for analyzing Windows Recycle Bin INFO2 and $I?????? files,http://code.google.com/p/pydetective/,
INFO2,del2info,,,,,A tool for analyzing Windows Recycle Bin INFO2 and $I?????? files,http://code.google.com/p/pydetective/,
exe,densityscout,Malware,Filesystem Analysis,,densityscout -pe -p 0.1 -o results.txt c:\Windows\System32,This tool calculates density (like entropy) for every file under a given file-system path and outputs a list sorted in descending order. This makes it possible to quickly find (even unknown) malware on a potentially infected Microsoft Windows machine.,http://www.cert.at/downloads/software/densityscout_en.html,
"exe, dll, ocx, sys",Dependency Walker,Malware,PE Analysis,,,"A free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules.",http://www.dependencywalker.com/,
-,Device Tree,Forensics,Filesystem Analysis,,,"This utility has two views: (a) one view that will show you the entire PnP enumeration tree of device objects, including relationships among objects and all the device's reported PnP characteristics, and (b) a second view that shows you the device objects created, sorted by driver name.",http://www.osronline.com/article.cfm?article=97,
"bup, VBN, QBD",DeXRAY,File Analysis,Quarantine Files,CLI,-,"DeXRAY is a simple perl script that tries to discover encrypted executables and DLLs (or, more generically – Portable Executables a.k.a. PE) within a given data file e.g. it could be an encrypted PE that is embedded inside a malicious dropper (including non-PE files e.g. PDFs) or network traffic.",http://hexacorn.com/download.php?f=DeXRAY.pl,
pdf,diffpdf,File Analysis,PDF,GUI,,"Tool to compare two PDF files by modes: Words, Characters, and Appearance. ",http://www.qtrac.eu/diffpdf.html,
,Disitool,File Analysis,Certificates,CLI,disitool.py extract signed-file signature,A small Python program to manipulate embedded digital signatures.,http://blog.didierstevens.com/programs/disitool/,
-,Disk Arbitrator,Forensics,Mac Forensics,,,A Mac OS X forensic utility which manages file system mounting in support of forensic procedures.,https://github.com/aburgh/Disk-Arbitrator,
,disk_sreset,Forensics,Disk Analysis,CLI,-,Will allow you to temporarily remove a HPA from a disk. (this is nonpersistent),,
,disk_stat,Forensics,Disk Information,CLI,-,Will show if the disk has a HPA.,,
-,DiskView,Forensics,Filesystem Analysis,,,"The DiskView utility is a utility written by OSR that allows the user to view the MountPoints, Physical Disks, and Storage Adapters that make up the storage subsystem on the target machine.",http://www.osronline.com/article.cfm?article=198,
,DisView,File Analysis,Microsoft Office,,,Disassembles bytes at a given offset of an MS Office file. Part of OfficeMalScanner.,http://www.reconstructer.org/code.html,
jar,DJ Java Decompiler,File Analysis,Java,,,Tool that allows you to decompile java CLASS files and save it in text or other format. ,http://members.fortunecity.com/neshkov/dj.html,
dmg,DMG Assist,Forensics,Mac Forensics,,,Mounts disk images that won’t mount with the traditional double-click method.,https://www.blackbagtech.com/resources/freetools.html,
dmg,DMG Correct,Forensics,Mac Forensics,,,"This tool corrects the partitioning structure, allowing both the system and data partitions to be mounted. DMG Correct should only be used on a copy of the original whole device dmg, as the dmg is modified for mounting purposes.",https://www.blackbagtech.com/resources/freetools.html,
dmg,DMG Rename,Forensics,Mac Forensics,,,This utility is used to rename RAW image files to a .dmg extension.,https://www.blackbagtech.com/resources/freetools.html,
sys,Driver Loader,Malware,PE Analysis,GUI,,"Installs NT kernel drivers & will make all the appropriate registry entries for your driver, and even allow you to start your driver without rebooting.",http://www.osronline.com/article.cfm?article=157,
dat,drwatson.pl,Forensics,Registry Analysis,CLI,,RegRipper plugin that parses Dr. Watson configuration information from Software Hive,http://www.cutawaysecurity.com/blog/scripts-and-tools,
-,dtSearch,Forensics,Indexing,,,"Indexing tool that allows you to search terabytes of text/documents across a desktop, network, Internet or Intranet site. *30 day trial*",http://www.dtsearch.com/,
dmp,Dumpit,Memory,Memory Analysis,CLI,,Part of MoonSols Windows Memory Toolkit that captures a 32/64 bit memory image locally.,http://www.moonsols.com/products/,
-,Epoch Converter,Forensics,Mac Forensics,,,This utility is used to convert epoch times on a Mac to show the local and UTC time.,https://www.blackbagtech.com/resources/freetools.html,
evt,Event Log Explorer XP,File Analysis,Event Logs,,,,,
dat,eventlogs.pl,Forensics,Registry Analysis,CLI,,RegRipper plugin that parses Windows Event Log configuration from the System hive – contains the configured hostname,http://www.cutawaysecurity.com/blog/scripts-and-tools,
"evt, evtx",evtparse.pl,Forensics,Event Logs,CLI,"evtparse.pl -s = list all records, in order by record number with corresponding TimeGenerated values to detect system time changes",,http://code.google.com/p/winforensicaanalysis/downloads/list,
evtx,Evtx Parser,File Analysis,Event Logs,CLI,,Windows Event Log Parser library (Perl),http://computer.forensikblog.de/en/2011/11/evtx-parser-1-1-1.html,
"evt, evtx",evtx_view,Forensics,Event Logs,GUI,,Tool to view Windows Event logs,http://www.tzworks.net/prototype_page.php?proto_id=4,
evtx,evtxcheck.pl ,Forensics,Event Logs,CLI,,Windows Event Log EVTX checker (Microsoft LogParse must be in the system PATH),https://code.google.com/p/hotoloti/downloads/list,
evtx,evtxrpt.pl ,Forensics,Event Logs,CLI,,Windows Event Log EVTX summarizer (Microsoft LogParse must be in the system PATH),https://code.google.com/p/hotoloti/downloads/list,
,ewfacquire,Forensics,Disk Imaging,CLI,,Part of the LibEWF package; provides a robust console interface for generating EWF/E01 image files.,,
E01,ewy.py,Forensics,Disk Analysis,CLI,,Uses the LibEWF library to mount EnCase generated image files.,,
"exe, dll, ocx, sys",exeinfo,File Analysis,PE Analysis,GUI,,The ExeInfo utility shows general information about executable files.,http://www.nirsoft.net/utils/exeinfo.html,
exe,exeinfo,Malware,PE Analysis,GUI,,"Packer and compressor detector, unpack info, internal exe tools; similar to PEiD",http://exeinfo.antserve.com/,
exe,exescan,Malware,PE Analysis,CLI,,"Console based tool to detect anomalies in PE (Portable Executable) files. It quickly scans a given executable file and detects all kinds of anomalies in its PE header fields, including checksum verification, size of various header fields, improper size of raw data, non-ASCII/empty section names, etc.",http://securityxploded.com/download.php#exescan,
"jpg, gif, png",exif_summarizer.py ,Forensics,Metadata,CLI,,Exif summarizer,https://code.google.com/p/hotoloti/downloads/list,
rss,exif2georss.py,Forensics,Metadata,CLI,,Takes GPS Exif metadata from image files (or whatever) and creates a GeoRSS file suitable for import into Bing Maps.,https://github.com/davehull/Exif2GeoRSS,
"jpg, docx, pptx, xlsx",exiftool,Forensics,Metadata,CLI,,Tool to extract metadata from a file ; can also read_OPEN_XML.PL for MS Office 2k7 files.,,
-,EXPOSURE,Online Help,Blacklists,-,,Detecting malicious DNS domains using large-scale passive DNS analysis,http://exposure.iseclab.org/,
-,Ext2Fsd,Forensics,Linux Forensics,,,An open source Ext2 file system driver for Windows systems ; can also read Ext3 minus journaling.,,
-,Ext2Read,Forensics,Linux Forensics,GUI,,"An Explorer-like utility to browse ext2/ext3/ext4 file systems. It now supports LVM2 and EXT4 extents. It can be used to view and copy files and folders. It can recursively copy entire folders. It can also be used to view and copy disk and file ",http://sourceforge.net/projects/ext2read/,
,ext3grep,Forensics,File Recovery,CLI,,A tool to investigate an ext3 file system for deleted content and possibly recover it.,https://code.google.com/p/ext3grep,
pcap,extflow.py,File Analysis,PCAP Analysis,CLI,,This is a simple script that will carve out files from streams created by tcpflow.,http://hooked-on-mnemonics.blogspot.com/2012/04/extflowpy-hack-for-carving-files-from.html,
cab,extract.exe,Malware,File Analysis,CLI,,A command-line application that extracts individual files from compressed cabinet (.cab) files. ,http://www.softpedia.com/get/Compression-tools/Microsoft-Cabinet-Extraction-Tool.shtml,Yes
-,fakedns,Network,,,,Emulate common network services,http://code.activestate.com/recipes/491264-mini-fake-dns-server/,
-,FakeNet,Malware,Network Simulation,,,A Windows network simulation tool designed for malware analysis.,http://sourceforge.net/projects/fakenet/,
,FastDump,Forensics,Memory Analysis,,,"Memory dumping utility
*Only supports 32 bit acquisition of up to 4 gigs of RAM, but does not support Vista, Windows 2003, or Windows 2008, or 64 bit platforms.",http://www.hbgary.com/free-tools,
exe,Faster Universal Unpacker,Malware,Unpacking,GUI,,"A GUI Windows tool with a set of plugins to help you unpack, decompress and decrypt most programs packed, compressed or encrypted with well-known software protection programs such as UPX, ASPack, FSG, ACProtect, etc.",https://code.google.com/p/fuu/,
,fatback,Forensics,File Carving,CLI,,Recovers deleted files from FAT file systems.,http://sourceforge.net/fastback,
-,fb.pl,Forensics,Social Media,CLI,,Parses Facebook chat logs,https://code.google.com/p/winforensicaanalysis/downloads/list,
-,FDPro,Memory,Memory Analysis,CLI,"fdpro memdump.bin –probe all
fdpro memdump.hpak (grabs pagefile)
",,http://www.hbgary.com/free-tools,
,ffind,Forensics,File Identification,CLI,-,Finds file names that reference the provided metadata number.,,
,Fget,Forensics,,,,"Forensically extracts files from raw NTFS volumes on remote Windows systems in your domain. This tool works over the network and can extract any file (including those that are locked and in use) in a forensically sound manner, without altering target file times or attributes.",http://www.hbgary.com/free-tools,
-,file,-,File Identification,,,Identify file type,,
pdf,FileInsight,File Analysis,Microsoft Office,GUI,,Hex editor that can parse and edit OLE structures.,http://www.mcafee.com/us/downloads/free-tools/index.aspx,
-,findaes,Cryptography,Obfuscation/Encryption,,,Find obfuscated or encrypted data,http://sourceforge.net/projects/findaes/,
,Fingerprint,Malware,,,,"Allows you to track a piece of malware based upon compile time, programming language used, language & compiler version, etc. ",http://www.hbgary.com/free-tools,
js,Firebug,Malware,,,,Deobfuscate JavaScript,http://getfirebug.com/,
swf,Flare,File Analysis,Flash,,,"Tool that processes an SWF and extracts all scripts from it. The output is written to a single text file. Only ActionScript is extracted, no text or images.",http://www.nowrap.de/flare.html,Yes
swf,Flash Dissector,File Analysis,Flash,GUI,,An interactive Java based tool for examining the structure and contents of a SWF file. Part of SWFREtools,https://github.com/sporst/SWFREtools,
swf,flasm,File Analysis,Flash,CLI,flasm -d <file.swf> > file.out,A tool that disassembles your entire SWF including all the timelines and events. ,http://www.nowrap.de/flasm.html,
"dd, E01",fls,Forensics,Timeline Creating,CLI," fls -i ewf -r -p -m C:/ ""<Path-To-Image>\<image>.E01"" > bodyfile.txt ",Lists the file names (deleted and allocated) - but by default won't traverse the entire file system.,http://www.sleuthkit.org/sleuthkit/download.php,
,Flypaper,Malware,,,,"Keeps all components used by the malware resident in the process list and present in physical memory.",http://www.hbgary.com/free-tools,
-,foremost,Forensics,File Carving,CLI,,"File carving program that uses defined headers, footers and knowledge of the internal structures of supported file types to aid in carving.",http://foremost.sourceforge.net,
-,forensicscanner,Forensics,Filesystem Analysis,GUI,,Tool designed to automate a good deal of the initial data collection that most analysts perform in the early stages of an examination.,http://code.google.com/p/forensicscanner,
swf,FP Debugger,Debug,Flash,,,A tool designed for tracing and monitoring Flash Player during its execution.,https://github.com/sporst/SWFREtools,
-,fseventer,Forensics,Mac Forensics,GUI,,Observes filesystem changes using the same underlying API as Spotlight & shows a graphical representation of file activity. (requires Admin creds),http://www.fernlightning.com/doku.php?id=software:fseventer:start,
,fsstat,Forensics,Filesystem Analysis,CLI,-,"Displays file system information (volume names, data unit sizes, statistical disk info)",,
,FTK Imager/Lite,Forensics,,,,,,
dat,galleta,Forensics,Internet Explorer,CLI,,Tool to analyze Internet Cookies,http://www.mcafee.com/us/downloads/free-tools/galleta.aspx,
"exe,elf",Gcluster,Malware,PE Analysis,CLI,,GCluster is a tool based on Pyew's code analysis support created to help clustering sets of executables. ,https://code.google.com/p/pyew/wiki/GCluster,
,gdb,Disassemble,,,,Disassemble code,,
"swf, pdf",GFI Threat Track Sandbox,Online Help,File Analysis,-,,"Office documents, PDF's, malicious URL's and Flash ads.",http://www.threattrack.com/,
-,GFI Threat Track Sandbox,Online Help,Website Inspection,-,,"Office documents, PDF's, malicious URL's and Flash ads.",http://www.threattrack.com/,
,Gmail offline parser,Forensics,,,,Parse the Gmail Offline folder and display the email's,http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55,
,gmer.exe,Malware,Rootkit Analysis,GUI,,,,
-,grr,Forensics,Forensic Suite,GUI,,An Incident Response Framework focused on Remote Live Forensics.,http://code.google.com/p/grr/,
,guymager,Forensics,Disk Imaging,GUI,,"Similar to ewfacquire, it uses LibEWF to create raw, AFF and EWF/E01 image files",,
-,hachoir-metadata,Forensics,Metadata,,,Extract metadata,https://bitbucket.org/haypo/hachoir/wiki/hachoir-metadata,
-,hachoir-subfile,Forensics,,,,"Used to intelligently identify files within binary streams, including unallocated space.",,
,hachoir-urwid,File Analysis,Microsoft Office,,,Examine suspicious Microsoft Office documents,https://bitbucket.org/haypo/hachoir/wiki/hachoir-urwid,
pcap,hadoop-pcap,Network,Log Analysis,CLI,,Hadoop library to read packet capture (PCAP) files,"https://github.com/RIPE-NCC/hadoop-pcap
https://labs.ripe.net/Members/wnagele/large-scale-pcap-data-analysis-using-apache-hadoop",
-,hapi.exe,Malware,File Analysis,CLI,,A simple tool that extracts known API names from a given binary (best used on memory dumps),http://www.hexacorn.com/blog/2012/03/03/hapi-api-extractor/,
-,hashdeep,Cryptography,Obfuscation/Encryption,CLI,,"Developed to be a more robust hash auditing application than md5deep. It can generate multiple hashes (MD5, SHA*) for files as well perform auditing on data sets.",,
-,HDDerase,Forensics,Disk Wiping,CLI,,Tool that executes the Federally-approved (NIST 800-88) Secure Erase command.,http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml,
"exe, dll",hdive,Malware,File Analysis,CLI,.hdive.exe -a <file>,Based off of HAPI - extracts interesting stuff instead of default strings output (API calls etc.),http://hexacorn.com/download.php?f=hdive.exe,
-,hdparm,Forensics,Disk Analysis,CLI,"hdparm -N <drive> = HPA
hdparm --dco-identify <drive> = DCO",Can be used to detect HPA/DCO and wipe a drive including bad sectors,http://tinyapps.org/docs/wipe_drives_hdparm.html,
,hfind,File Identification,,CLI,-,Used to query hash databases fast by first indexing the databases.,,
dmg,HFS Explorer,Forensics,Mac Forensics,GUI,-,An application that can read the HFS and HFS+ file systems including CD/DVD & DMG containers.,http://www.catacombae.org/hfsx.html,Yes
sys,hibr2bin,Memory,Hibernation File,CLI,,Part of MoonSols Windows Memory Toolkit that converts Windows hibernation files to raw memory images.,http://www.moonsols.com/products,
-,Highlighter,Forensics,Log Analysis,GUI,,Highlighter is a free utility designed primarily for security analysts and system administrators. Highlighter provides a user with three views of the log or text file being analyzed:,http://www.mandiant.com/products/free_software/highlighter/,
-,Honeyd,Network,,CLI,,Intercept traffic and emulate some services.,http://www.honeyd.org/,
,icat,Forensics,,CLI,-,Streams the data unit referenced by the specific meta data address.,,
-,IDA,Disassemble,Reverse Engineering,GUI,,,http://www.hex-rays.com/idapro/idadownfreeware.htm,
-,IECacheView,Internet Browser,Internet Explorer,,,Extracts information from the cache files (index.dat) of Internet Explorer.,http://www.nirsoft.net/utils/ie_cache_viewer.html,
dat,IECookiesView,Internet Browser,Internet Explorer,,,Extracts the content of all cookie files stored by Internet Explorer. ,http://www.nirsoft.net/utils/iecookies.html,
-,IEF,Forensics,Internet Explorer,GUI,,Internet Evidence Finder - trial limits to first 20 results.,http://www.jadsoftware.com,
dat,IEHistoryView,Internet Browser,Internet Explorer,,,Extracts information from the history file (index.dat) of Internet Explorer.,http://www.nirsoft.net/utils/iehv.html,
,ifind,Forensics,,CLI,-,Finds the metadata structure referenced by the provided file or the metadata structure that references the provided data unit address.,,
,ils,Forensics,Timeline Creating,CLI,aZ = list all inodes that are allocated or have been used at some point,"Lists the metadata structures, parsing and displaying the embedded dates, ownership etc.",,
-,ImageUSB,Forensics,Disk Imaging,GUI,,Lets you write an image concurrently to multiple USB Flash Drives,http://www.osforensics.com/tools/write-usb-images.html,
-,ImDisk,Forensics,Disk Analysis,GUI,,"Windows equivalent to losetup. It can create virtual hard disk, floppy or CD/DVD drives using image files or system memory.",http://www.ltr-data.se/opencode.html#ImDisk,Yes
-,img_stat,Forensics,Disk Information,CLI,,Displays information about the image format (hashes etc. from forensic containers),,
-,inception,Forensics,Live IR,CLI,,A FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any machine you have physical access to.,https://github.com/carmaa/inception,
dat,IndexDatSpy,Internet Browser,Internet Explorer,,,Index Dat Spy is a powerful and easy-to-use application that exposes the contents of any index.dat file - even if the file is currently in use by Windows.,http://www.stevengould.org/index.php?option=com_content&task=view&id=47&Itemid=88,Yes
$I*,INDXParse.py,Forensics,Windows Special Files,CLI,,Parses Windows NTFS INDX files ($I30); cannot be run against a live system,https://github.com/williballenthin/INDXParse,
-,inetsim,Malware,Network Simulation,CLI,,,http://www.inetsim.org/,
-,InteractiveSieve,Forensics,Log Analysis,GUI,,Tool to analyze log files and other data in tabular form and allows you to hide or color events (or data) that are not relevant.,http://blog.didierstevens.com/2012/04/17/interactivesieve/,
,Internet History Parser,Forensics,,,,"Parse the IE files (cookies, index.dat, history) and display reports",http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55,
,Internet Parser,Forensics,,,,"Parse the following browsers flock, chrome, firefox and display reports",http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55,
-,IOReg Info,Forensics,Mac Forensics,,,This utility is used to display the Input/Output Registry from a Mac system.,https://www.blackbagtech.com/resources/freetools.html,
mbdb,iPhoneBackupBrowser,Forensics,Cell Phone,GUI,,Tool that shows the content of your iDevice backup & parses the Manifest.mbdb file.,https://code.google.com/p/iphonebackupbrowser/,
-,ISC Hash Database,Online Help,File Analysis,-,,Online SHA1/MD5 lookup from NSRL/Cymru. Not the most recent though.,http://isc.sans.edu/tools/hashsearch.html,
,istat,Forensics,,CLI,-,"Displays information about a specific metadata structure (ownership, time information, block allocations)",,
,iTunes Parser,Forensics,,,,Parse an iTunes library and determine the email address songs were registered to,http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55,
jar,JAD Java Decompiler,File Analysis,Java,,,Decompile Java class files,http://www.varaneckas.com/jad,
-,jcat,Forensics,Journals,CLI,,Streams the content of the required journal block to STDOUT.,,
,jd-gui,File Analysis,Java,,,Decompile Java class files,http://java.decompiler.free.fr/?q=jdgui,
-,jls,Forensics,Journals,CLI,,Lists items in the file system journal.,,
"pdf, doc, ppt, xls, docx, pptx, xlsx",Joe Document Dissector,Online Help,File Analysis,,http://joedd.joesecurity.org/,,,
js,js-beautify,File Analysis,Java,CLI,,"Will reformat and reindent bookmarklets, ugly JavaScript, unpack scripts packed by Dean Edward’s popular packer, as well as deobfuscate scripts processed by javascriptobfuscator.com.",https://github.com/einars/js-beautify,
js,JSDetox,File Analysis,JavaScript,GUI,,A Javascript malware analysis tool using static analysis / deobfuscation techniques and an execution engine featuring HTML DOM emulation,http://www.relentless-coding.com/projects/jsdetox,
js,JSUNPACK,Online Help,Website Inspection,-,,A Generic JavaScript Unpacker,http://jsunpack.jeek.org/,
js,jsunpack-extractjs,File Analysis,JavaScript,CLI,,,REMnux,
js,Jsunpack-n,File Analysis,JavaScript,CLI,,"Inspect malicious websites, JavaScript files and traffic captures",https://code.google.com/p/jsunpack-n/,
pcap,Jsunpack-n,File Analysis,PCAP Analysis,CLI,"jsunpackn.py -v -g <out.png> -s <file.pcap> = verbose, save urls to graphic & save everything","Inspect malicious websites, JavaScript files and traffic captures",https://code.google.com/p/jsunpack-n/,
-,JumpLister,Forensics,Jump Lists Analysis,GUI,,GUI to parse Windows 7 Jump Lists,http://www.woanware.co.uk/?page_id=266,
-,l2t_tools,Forensics,Timeline Creating,GUI,,log2timeline front end,https://code.google.com/p/l2t-tools/,
-,Lantern Lite,Cellular,iOS,,,,https://github.com/KatanaForensics/LanternLite/downloads,
plist,last_session.pl,Forensics,Mac Forensics,CLI,,Safari LastSession.plist parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
-,libbde,Cryptography,Obfuscation/Encryption,CLI,,Linux based library and tools to support the BitLocker Drive Encryption (BDE) encrypted volumes.,https://code.google.com/p/libbde/,
-,libfvde,Forensics,Mac Forensics,CLI,,"Library and tools for reading FileVault2 Drive Encryption (FVDE) encrypted volumes. The FVDE format is used by MacOS-X, as of Lion, to encrypt data on a storage media volume.",https://code.google.com/p/libfvde/,
-,libvshadow,Forensics,Volume Shadow Copies,CLI,,Linux based library and tools to support the Volume Service Snapshot (VSS) format.,https://code.google.com/p/libvshadow/,
-,LiMe,Memory,Memory Analysis,CLI,,"LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.",https://code.google.com/p/lime-forensics/,
-,listdlls,Malware,PE Analysis,CLI,listdlls -u = searches for unsigned DLLs in an image,A utility that reports the DLLs loaded into processes.,http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx,
001,LiveView,Forensics,Disk Analysis,GUI,,Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.,http://liveview.sourceforge.net,
lnk,lnkanalyser,Forensics,File Analysis,,,Windows LNK parser,http://www.woanware.co.uk/?page_id=121,
-,LockMaster,Forensics,Mac Forensics,,,This utility is used to concurrently lock and unlock multiple files on a Mac.,https://www.blackbagtech.com/resources/freetools.html,
log,Log Parser,Forensics,Log Analysis,CLI,,"A powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.",https://www.microsoft.com/en-us/download/details.aspx?id=24659,Yes
log,Log Parser Lizard,Forensics,Log Analysis,GUI,,GUI for MS Logparser (requires ms Log Parser 2.2+ & .net 3.5),http://www.lizard-labs.net/log_parser_lizard.aspx,Yes
log,Log Parser Studio,Forensics,Log Analysis,GUI,,"A utility that allows you to search through and create reports from your IIS, Event, EXADB and others types of logs.",http://gallery.technet.microsoft.com/Log-Parser-Studio-cd458765,
,log2timeline,Forensics,Timeline Creating,CLI,,A framework for automatic creation of a super timeline.,https://code.google.com/p/log2timeline/,
-,log2timeline GUI,Forensics,Timeline Creating,GUI,,,https://code.google.com/p/l2t-tools/,
-,LogAnalyzer,Forensics,Log Analysis,GUI,,"Syslog, Windows events, web urls etc.",http://loganalyzer.adiscon.com/,
-,logstash,Forensics,Log Analysis,GUI,,Logstash is a tool for managing events and logs.,http://logstash.net/,
exe,LordPE,File Analysis,File Identification,GUI,,"A tool for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit, fix its import table etc.",http://www.woodmann.com/collaborative/tools/index.php/LordPE,
lnk,lp,Forensics,Link File Analysis,CLI,,Tool to analyze link file metadata,,
-,Mac Memoryze,Memory,Mac Forensics,Both,,A free memory forensic software that helps incident responders find evil in memory on Macs,http://www.mandiant.com/resources/download/mac-memoryze-1.0trade,
-,macho_dump,Malware,File Analysis,CLI,,Mach-O analyzer,http://www.opensource.apple.com/source/llvmCore/llvmCore-3418.0.78/tools/macho-dump/macho-dump.cpp,
-,MacMemoryReader,Memory,Mac Forensics,CLI,-,Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM. It executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.7 and requires a PowerPC G4 or newer or any Intel processor.,http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader,
,mactime,Forensics,Timeline Creating,CLI,-,Generates a timeline based on processing the bodyfile produced by ils and/or fls.,,
pdf,make-pdf-javascript.py,,PDF,CLI,,"Allows one to create a simple PDF document with embedded JavaScript that will execute upon opening of the PDF document. It’s essentially glue-code for the mPDF.py module which contains a class with methods to create headers, indirect objects, stream objects, trailers and XREFs.",http://blog.didierstevens.com/programs/pdf-tools/,
,MalHost-Setup,File Analysis,Microsoft Office,,,Extracts shellcode from a given offset in an MS Office file and embeds it in an EXE file for further analysis. Part of OfficeMalScanner.,http://www.reconstructer.org/code.html,
pdf,malpdfobj,File Analysis,PDF,CLI,,Builds json representation of PDF,https://github.com/9b/malpdfobj,
exe,Malware Classifier,Malware,PE Analysis,CLI,,Tool which allows you to quickly and easily determine if a binary file contains malware,http://sourceforge.net/projects/malclassifier.adobe/files/,
dll,Malware Classifier,Malware,PE Analysis,CLI,,Tool which allows you to quickly and easily determine if a binary file contains malware,http://sourceforge.net/projects/malclassifier.adobe/files/,
-,Malware Domain List,Online Help,Website Inspection,-,,,http://www.malwaredomainlist.com/mdl.php,
-,malwarehouse,Malware,File Classification,CLI,,"Malwarehouse is a warehouse for your malware. It's a single place to put all malware samples, store them, search for them.",https://github.com/sroberts/malwarehouse,
"pdf, dll, exe, php, js",malwr,Online Help,File Analysis,-,http://malwr.com/search.php?md5=,Online Cuckoo sandbox for PDF/DLL/EXE/PHP/PERL files,http://malwr.com/,
js,Malzilla,File Analysis,JavaScript,GUI,,"Can extract and decompress zlib streams from PDFs, and can help deobfuscate JavaScript.",http://www.malzilla.org/,
-,Mandiant Web Historian,Internet Browser,-,GUI,,"Tool that helps users review the list of websites (URLs) that are stored in the history files of the most commonly used browsers, including: Internet Explorer, Firefox and Chrome.",http://www.mandiant.com/resources/download/web-historian,
-,Mandiant IOCe.exe,Malware,File Identification,GUI,,A free editor for Indicators of Compromise (IOCs).,http://www.mandiant.com/resources/download/ioc-editor/,Yes
-,Mandiant WebHistorian,Forensics,Internet History,GUI,,"Helps users review the list of websites (URLs) that are stored in the history files of the most commonly used browsers, including: Internet Explorer, Firefox and Chrome",http://www.mandiant.com/resources/download/web-historian,
-,mandiant_ioc_finder.exe,Malware,Filesystem Analysis,CLI,"mandiant_ioc_finder.exe collect
mandiant_ioc_finder.exe report -t html -i <path/to/IOCs>",A free tool for collecting host system data and reporting the presence of Indicators of Compromise (IOCs).,http://www.mandiant.com/resources/download/ioc-finder/,
-,mbr.exe,Malware,Rootkit Analysis,,,,,
-,mbr_parser.py,Forensics,Filesystem Analysis,CLI,,A script I wrote that parses the MBR as well as hashes and disassembles the bootcode,https://raw.github.com/gleeda/misc-scripts/master/misc_python/mbr_parser.py,
-,McAfee Internal Hash DB,File Analysis,Anti-Virus,,,,http://beaav1webwf1.corp.nai.org/hashinfo/hashinfo.aspx?md5=,
-,McAfee Rootkit Remover,Malware,Rootkit Analysis,,,McAfee's rootkit remover (updated regularly),http://downloadcenter.mcafee.com/products/mcafee-avert/,
-,McAfee Threat Intelligence,Online Help,Website Inspection,-,,,http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx,
-,md5deep,Cryptography,Obfuscation/Encryption,CLI,,A suite of hashing utilities designed to recurse through a set of input files or directories and produce hash lists.,http://hashdeep.com/,
-,md5sum,Cryptography,Obfuscation/Encryption,CLI,,,,
"dd, dmp",MemGator,Memory,Memory Analysis,GUI,, MemGator is a memory file analysis tool that automates the extraction of data from a memory file and compiles a HTML report for the investigator. MemGator brings together a number of memory analysis tools such as the Volatility Framework and AESKeyFinder into the one program.,http://www.orionforensics.com/MemGator.html,
-,mft.pl,Forensics,Filesystem Analysis,CLI,,,,
-,MHR Lookup,Online Help,Anti-Virus,-,,The HTTP/HTTPS interface to WebMHR acts as a web-based proxy to the underlying WHOIS service. ,https://hash.cymru.com/,
-,MIDAS,File Analysis,Metadata,CLI,,Tool that automates the inspection and databasing of all metadata information contained within all files destined for an organization (generally via dumping the files which are attached to emails through the use of YARA),https://github.com/Xen0ph0n/MIDAS,
-,mimikatz,Pentest,Password Cracking,CLI,"privilege::debug
inject::process lsass.exe sekurlsa.dll
@getLogonPasswords",Tool that allows you to dump clear-text passwords from LSASS,http://blog.gentilkiwi.com/mimikatz,
"docx, pptx, xlsx",MiTeC Structured Storage Viewer,Forensics,Microsoft Office,GUI,,"This tool allows you to completely manage any MS OLE Structured Storage based file. You can save and load streams, add, delete, rename and edit items and property sets.",http://www.mitec.cz/ssv.html,
"db, fpt, dat, lnk, INFO2",MiTeC Windows File Analyzer,Forensics,File Analysis,GUI,,Decodes and analyzes some special files used by Windows OS.,http://www.mitec.cz/wfa.html,
,mmls,Forensics,Partition Identification/Recovery,CLI,,,,
vmdk,Mount Image Pro,Forensics,Virtual Machine Analysis,GUI,,Forensics disk/file mounting utility (shareware),http://www.mountimage.com/,
E01,MountEWF.py,Forensics,Disk Analysis,,,A program that presents an Expert Witness Format forensic image as a raw image.,,
,MozillaCacheView,Internet Browser,Mozilla Firefox,,,Extracts the details of all cache files stored by Mozilla Firefox. ,http://www.nirsoft.net/utils/mozilla_cache_viewer.html,
sqlite,MozillaCookies,Internet Browser,Mozilla Firefox,,,Extracts the content of all cookie files stored by Mozilla Firefox.,http://www.nirsoft.net/utils/mzcv.html,
dat,MozillaHistoryView,Internet Browser,Mozilla Firefox,,,Extracts the details of all browsing history stored by Mozilla Firefox.,http://www.nirsoft.net/utils/mozilla_history_view.html,
pcap,naft-gfe,Forensics,PCAP Analysis,CLI,,"Generic Frame Extraction: a tool to extract network packets from memory dumps, of whatever device, via pattern recognition (part of NAFT)",,
,NetCat,,,CLI,,,,
pcap,Netwitness Investigator,Network,PCAP Analysis,GUI,,An interactive threat analysis application of the NetWitness enterprise network monitoring platform.,http://netwitness.com/products-services/investigator,
pcap,Networkminer,Network,PCAP Analysis,GUI,,,http://www.netresec.com/?page=NetworkMiner,
pcap,ngrep,Network,,CLI,,"Queries several passive DNS databases; DNSParse, ISC, BFK.de, and CERTEE; to return previously seen resource records (DNS answers). This is useful to security experts who wish to trace the relationships of domains and IP addresses over time. ",http://code.google.com/p/passive-dns-query-tool/,
-,Nigilant32,Forensics,Forensic Suite,GUI,,"Tool to create a report snapshot of critical live-system processes, services, accounts, tasks, ports, and so on, as well as file-system review tool and active memory imaging support.",http://www.agileriskmanagement.com/publications_4.html,
-,NORMAN sandbox,Online Help,File Analysis,-,,Automated Analysis System,http://www.norman.com/security_center/security_tools/,
-,Notepad++,Forensics,Log Analysis,GUI,,All inclusive text editor.,http://notepad-plus-plus.org/,
-,novirusthanks,Online Help,Anti-Virus,-,,Multi-Engine Antivirus Scanner,http://vscan.novirusthanks.org/,
-,NSRLookup,Online Help,File Analysis,-,md5deep -r * | nsrllookup -s nsrl.kyr.us,NSRL online lookup (nsrl.kyr.us),http://nsrlquery.sourceforge.net/,
-,nsrlquery,File Identification,Fuzzy Hashing,CLI,,A cross-platform Python script that queries an nsrlsvr. Feed it a list of SHA-1 hashes and nsrlquery will split them into known-good hashes and unknown hashes.,http://sourceforge.net/p/nsrlquery/wiki/Home/,
$I*,ntfscopy,Forensics,Windows Special Files,CLI,,'ntfscopy' is a prototype tool that can copy any file (or alternate data stream) from an NTFS partition. This can be from either a live system or an imaged NTFS partition.,http://tzworks.net/prototype_page.php?proto_id=9,
$I*,ntfswalk,Forensics,Filesystem Analysis,,,"'ntfswalk' is a prototype version of a tool that traverses a specified NTFS volume reading all MFT entries, pulling predefined statistics.",http://tzworks.net/prototype_page.php?proto_id=12,
,objdump,Disassemble,,,,Disassemble code,http://sourceware.org/binutils/docs/binutils/objdump.html,
-,Octopussy,Forensics,Log Analysis,GUI,,"Logs Analyzer, Alerter & Reporter with a Web Interface that runs on *nix",http://sourceforge.net/projects/syslog-analyzer/,
,Office Binary Translator,File Analysis,Microsoft Office,,,"Converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).",http://b2xtranslator.sourceforge.net/,
,Office metadata Parser,Forensics,Microsoft Office,,,Parse Microsoft office documents and report on it.,http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55,
,officecat,File Analysis,Microsoft Office,,,Scans MS Office files for embedded exploits that target several known vulnerabilities.,http://www.snort.org/vrt/vrt-resources/officecat,
"doc, xls, ppt",OfficeMalScanner,File Analysis,Microsoft Office,,,Locates shellcode and VBA macros from MS Office files.,http://www.reconstructer.org/code.html,
,offvis,File Analysis,Microsoft Office,,,"Shows raw contents and structure of an MS Office file, and identifies some common exploits. Part of OfficeMalScanner.",http://www.microsoft.com/download/en/details.aspx?id=2096,
-,OllyDbg,Debug,Reverse Engineering,GUI,,,http://www.ollydbg.de/,
pdf,Origami,File Analysis,JavaScript,-,,,http://esec-lab.sogeti.com/pages/Origami,
-,OSFClone,Forensics,Disk Imaging,CLI,,Self-booting solution which enables you to create or clone exact raw disk images,http://www.osforensics.com/tools/create-disk-images.html,
"img, dd, iso, bin, nrg, sdi, aff, afm, E01, S01, 001",OSFMount,Forensics,Disk Analysis,GUI,,Allows you to create a ramdisk on Windows as well as mount images.,http://www.osforensics.com/tools/mount-disk-images.html,
vmdk,OSFMount,Forensics,Virtual Machine Analysis,GUI,,Allows you to create a ramdisk on Windows as well as mount images.,http://www.osforensics.com/tools/mount-disk-images.html,
-,OSForensics,Forensics,,GUI,,,http://www.osforensics.com/download.html,
sys,OSRloader,Malware,PE Analysis,GUI,,GUI-based tool for installing/starting your driver during development process,http://www.osronline.com/section.cfm?section=27,
plist,Oxygen Forensic Plist Viewer,Forensics,Mac Forensics,,,Property List XML file viewer (Trial requires registration),http://oxygen-forensic.com/en/download/,
,Parse_Prefetch,Forensics,Prefetch,Both,,Parse the prefetch files and display information,http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55,
dat,pasco,Forensics,Internet Explorer,CLI,,Tool to analyze Internet Explorer Cache,www.mcafee.com/us/downloads/free-tools/pasco.aspx,
-,Passive DNS lookup,Online Help,Network Monitoring,,,,http://www.bfk.de/bfk_dnslogger.html,
zip,patator,Forensics,Password Cracking,CLI,unzip_pass zipfile=<file.zip> password=FILE0 0=<wordlist.dic> -x ignore:code!=0 ,"Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.",https://code.google.com/p/patator/,
pdb,PdbXtract,Forensics,File Analysis,GUI,,Tool that allows you to browse and search Microsoft PDB files.,http://www.mandiant.com/resources/download/pdbxtract,
pdf,PDF Examiner,Online Help,File Analysis,-,,,http://www.malwaretracker.com/pdfexaminer.php,
pdf,PDF Stream Dumper,File Analysis,PDF,GUI,,,http://sandsprite.com/blogs/index.php?uid=7&pid=57,Yes
pdf,pdf.py,File Analysis,PDF,,,Extract JavaScript or SWFs from PDFs,http://securitybananas.com/?p=455,
pdf,pdf2graph,File Analysis,PDF,CLI,,Generates a DOT or GraphML file out of a document.,http://code.google.com/p/origami-pdf/,
pdf,pdfcocoon,File Analysis,PDF,CLI,,Embeds a document into another and makes it open at startup.,http://code.google.com/p/origami-pdf/,
pdf,pdfcop,File Analysis,PDF,CLI,,"A PDF filtering engine, performing an automated analysis given a configured policy.",http://code.google.com/p/origami-pdf/,
pdf,pdfdecompress,File Analysis,PDF,CLI,,Removes any compression/encoding from a document.,http://code.google.com/p/origami-pdf/,
pdf,pdfdecrypt,File Analysis,PDF,CLI,,Decrypts a PDF file.,http://code.google.com/p/origami-pdf/,
pdf,pdfencrypt,File Analysis,PDF,CLI,,Encrypts a PDF file.,http://code.google.com/p/origami-pdf/,
pdf,pdfextract,File Analysis,PDF,CLI,,Extracts various objects from a document & extracts JavaScript or SWFs from PDFs,http://code.google.com/p/origami-pdf/,
pdf,pdfid.py,File Analysis,PDF,CLI,,"Scans a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened.",http://blog.didierstevens.com/programs/pdf-tools/,
pdf,pdfmetadata,File Analysis,PDF,CLI,,Retrieves metadata out of a document.,http://code.google.com/p/origami-pdf/,
pdf,pdf-parser.py,File Analysis,PDF,CLI,--search<flash>,This tool will parse a PDF document to identify the fundamental elements used in the analyzed file.,http://blog.didierstevens.com/programs/pdf-tools/,
pdf,pdfscope,File Analysis,PDF,GUI,,A wxPython GUI created for use with Didier Stevens' PDFiD.py and pdf-parser.py,https://code.google.com/p/pdfscope/,
pdf,Pdftk,File Analysis,PDF,,,Pdftk allows you to manipulate PDF easily and freely.,http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/,
pdf,pdfwalker,File Analysis,PDF,,,Navigate through PDFs,http://esec-lab.sogeti.com/pages/Origami,
pdf,pdfxray_lite,File Analysis,PDF,CLI,,A PDF scanner that will try and classify if a suspicious PDF is malicious or not,https://github.com/9b/pdfxray_lite#readme,
,pdgmail,Memory,,CLI,,Extracts Gmail artifacts from a memory dump.,http://www.jeffbryner.com/code/pdgmail,
-,pdnstool,Network,,CLI,,,,
exe,pe editor,File Analysis,PE Analysis,,,,http://www.softpedia.com/get/Programming/File-Editors/PEditor.shtml,
dmp,PEBrowse Crash-Dump Analyzer,Memory,Crash Dump,GUI,,"A Windows usermode crash-dump analysis tool for Microsoft Windows 2000, Windows XP and Windows 2003",http://www.smidgeonsoft.prohosting.com/pebrowse-crash-dump-analyzer.html,
"exe, dll, ocx, sys",PEBrowsePro,Malware,PE Analysis,,,A static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft,http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html,
pdf,Peepdf,File Analysis,PDF,CLI,"set output , reset, js_code, js_analyze, info, -i",Navigate through PDFs,http://eternal-todo.com/tools/peepdf-pdf-analysis-tool,
exe,PEiD,File Analysis,File Identification,,,Attempts to identify the packer used on a file.,,
"exe, dll",pescanner,File Analysis,File Identification,CLI,,Scan the executable for suspicious characteristics and packer signatures using,,
"pe,dll",pev,Malware,PE Analysis,CLI,,pev is a multiplatform PE analysis toolkit that includes tools to retrieve and parse information about Windows PE files.,http://sourceforge.net/projects/pev/,
"exe, dll, obj, lib, dbg",PEView,File Analysis,File Identification,GUI,,"Quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files which supports the viewing of EXE, DLL, OBJ, LIB, DBG, and other file types.",http://www.magma.ca/~wjr/,
pf,pf,Forensics,Prefetch,CLI,,Tool to analyze Windows Prefetch files,,
-,pffdetect,Network,Fast Flux,CLI,,"A simple python script to check if a given domain, or list of them, looks like fast-fluxed domain. Can also be easily used as an external python module. ",https://code.google.com/p/pffdetect/,
pst,pffexport,Forensics,Email Analysis,CLI,,Tool to extract the contents of an MS outlook .pst file & can also extract/decode any attachments,,
-,PhotoRec,Forensics,File Carving,CLI,,"File recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. ",http://www.cgsecurity.org/wiki/PhotoRec,
-,pigz,System,Archive,CLI,,Faster alternative to gzip; compresses using threads to make use of multiple processors and cores. ,http://www.linuxcertif.com/man/1/pigz/,
plist,plist editor,File Analysis,Mac Forensics,GUI,-,Part of Mac's Xcode developer tools.,,
-,PMAP Info,Forensics,Mac Forensics,,,This utility is used to display the physical partition map of a selected device.,https://www.blackbagtech.com/resources/freetools.html,
,pref.pl,Forensics,Filesystem Analysis,CLI,,,,
plist,pref_parser.pl,Forensics,Mac Forensics,CLI,,General purpose plist parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
pf,Prefetch Hash Calculator,Forensics,Prefetch,CLI,,Produces a lookup table that you can grep or import to Excel and use VLOOKUP function to search for the known Prefetch file name.,http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/,
csv,ProcDot,Malware,File Analysis,GUI,,"Tool which processes Sysinternals Process Monitor (Procmon) logfiles and PCAP-logs (Windump, Tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed. ",http://www.cert.at/downloads/software/procdot_en.html,
-,Process Explorer,System,Process Monitoring,GUI,,,http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx,
,Process Hacker,System,Process Monitoring,GUI,,,http://processhacker.sourceforge.net/,Yes
-,Process Monitor,System,Filesystem Monitoring,GUI,,"A monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.",http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx,
"java, jar, class",ProGuard,Pentest,Obfuscation/Encryption,CLI,,"Java class file shrinker, optimizer, obfuscator, and preverifier",http://proguard.sourceforge.net/,
py,py2exe,Programming,,CLI,,Converts Python scripts into executable Windows programs,http://sourceforge.net/projects/py2exe/,
pdf,pyew,File Analysis,PDF,CLI,"url, threat, antivm, sc, pdf, ole",Navigate through PDFs,http://code.google.com/p/pyew/wiki/PDFAnalysis,
exe,pyew,File Analysis,PE Analysis,CLI,"url, threat, antivm, sc, pdf, ole, pyew.imports",Explore the executable’s internals,http://code.google.com/p/pyew/wiki/MalwareAnalysis,
"doc, xls, ppt",pyew,Forensics,Microsoft Office,CLI,,Can parse the OLE2 format,https://code.google.com/p/pyew,
pcap,PyFlag,Network,File Analysis,GUI,,"A web-based, database-backed forensic and log analysis GUI and Computer forensics framework written in Python.",http://sourceforge.net/projects/pyflag/,
log,PyFlag,Forensics,Log Analysis,GUI,,"A web-based, database-backed forensic and log analysis GUI and Computer forensics framework written in Python.",http://sourceforge.net/projects/pyflag/,
,pylogsparser,Forensics,Log Analysis,CLI,,An opensource python library used as the core mechanism for logs tagging and normalization ,https://github.com/wallix/pylogsparser,
"doc, xls, ppt",pyOLEScanner.py,File Analysis,Microsoft Office,,,Examine suspicious Microsoft Office documents,https://github.com/Evilcry/PythonScripts/blob/master/pyOLEScanner.py,
-,pyssdeep.py,File Identification,Fuzzy Hashing,,,Calculates ssdeep fuzzy hash of files.,http://code.google.com/p/pyssdeep/,
swf,pySwfCarve,File Analysis,Flash,CLI,,Carve Embedded SWF Files,https://raw.github.com/Evilcry/PythonScripts/master/pySwfCarve.py,
qcow2,qemu-img,Forensics,,,,QEMU's utility that can convert its QCOW2 file format to VMDK's and raw images,,
vmdk,QuarantineVM,Forensics,Virtual Machine Analysis,,,Allows you to quarantine a VM using VIX and VDDK,http://communities.vmware.com/servlet/JiveServlet/download/38-18105/QuarantineVM.zip,
,QuickUnpack,File Analysis,Unpacking,,,,,
swf,RABCDAsm,File Analysis,Flash,,,Examine malicious Flash files,https://github.com/CyberShadow/RABCDAsm#readme,
,radare,Disassemble,,,,Disassemble code,http://radare.org/,
-,RadioGraPhy,Forensics,Live IR,Both,,Grabs info from a Windows system & uses Team Cymru's MHR for unknown files and WinUnhide for integrity/catch hidden processes,http://www.security-projects.com/?RadioGraPhy,
,Raw2VMDK,Forensics,Disk Analysis,CLI,,Utility that generates a valid VMDK file that points to an existing raw image.,http://sourceforge.net/projects/raw2vmdk/,
pcap,RawCap,Network,Network Monitoring,CLI,,RawCap is a free command line network sniffer for Windows that uses raw sockets.,http://www.netresec.com/?page=RawCap,
jar,RAWJAR,File Analysis,Java,,,"Ear, Jar and War archive backdooring and resigning utility",https://github.com/nberthaume/RAWJAR,
pst,readpst,Forensics,Email Analysis,CLI,,Tool to extract the contents of an MS outlook .pst file,,
,Recycle Bin Parser,Forensics,,,,Parse the Recycle bin and output information on it.,http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55,
dat,regdetect,Forensics,Registry Analysis,CLI,,"Scans specified registry files for specific keys, as configured in the regdetect.ini file, and generates and output file containing specifics about the key detected. Includes regdetect.pl and regdetect.exe.",http://www.cutawaysecurity.com/blog/scripts-and-tools,
dat,RegExtract,Forensics,Registry Analysis,GUI,,Windows GUI that parses Registry hives with plugins and can export to CSV,http://www.woanware.co.uk/?page_id=209,Yes
dat,RegExtract,Forensics,Registry Analysis,GUI,,Windows registry parser with plugins similar to Registry Ripper,http://www.woanware.co.uk/?page_id=209,Yes
dat,Registry Decoder,File Analysis,Registry Analysis,GUI,,"RegistryDecoder can do live/dead analysis. Live allows for the safe acquisition of registry files from a live machine by forcing a system restore point, thus putting the currently active registry files into a read-only state in backup.",http://www.digitalforensicssolutions.com/registrydecoder/,
dat,Registry Ripper,Forensics,Registry Analysis,Both,,,http://code.google.com/p/winforensicaanalysis/downloads/list,
dat,Registry Viewer,File Analysis,Registry Analysis,GUI,,Access Data's Registry Viewer.,,
dat,RegLookup,File Analysis,Registry Analysis,CLI,-,"reglookup is designed to read Windows registry elements and print them out to stdout in a CSV-like format. It has filtering options to narrow the focus of the output. This tool is designed to work with Windows NT/2K/XP/2K3 registries, though your mileage may vary.",http://projects.sentinelchicken.org/reglookup/,
-,Regshot,System,Filesystem Monitoring,GUI,,,https://sourceforge.net/projects/regshot,
,regslack,File Analysis,Registry Analysis,CLI,,,,
dat,regtln.pl,Forensics,Registry Analysis,CLI,,RegRipper plugin that generates a TSK bodyfile from any Windows registry hive,http://www.cutawaysecurity.com/blog/scripts-and-tools,
dll,RemoteDLL,File Analysis,PE Analysis,GUI,,Dll Injector/Remover Tool from Windows Process ,http://securityxploded.com/download.php#remotedll,
"exe, dll",Resource Hacker,File Analysis,PE Analysis,GUI,,"Utility to view, modify, rename, add, delete and extract resources in 32bit & 64bit Windows executables and resource files (*.res). ",http://www.angusj.com/resourcehacker/,
"dd, dmp",Responder CE,Forensics,Memory Analysis,,,"Rebuilds all the underlying data structures up to 6 gigabytes of RAM. This includes all physical to virtual address mappings, recreates the object manager, exposes all objects, and enables investigators to perform a complete and comprehensive computer investigation.",http://www.hbgary.com/free-tools,
,Restore Point Analyzer,Forensics,,GUI,,Mandiant's Restore Point Analyzer,,
js,Revelo,Malware,Javascript,GUI,,"JavaScript deobfuscator that works by writing the JavaScript with some user-based modifications to an HTML file, opening the file inside of the tool, and extracting deobfuscated elements using the Internet Explorer engine.",http://www.kahusecurity.com/2012/revelo-javascript-deobfuscator/,
,Rhino,,,,,,,
js,rhino-debugger,File Analysis,JavaScript,,,Deobfuscate JavaScript,http://www.mozilla.org/rhino/debugger.html,
INFO2,rifiuti,Forensics,Recycle Bin Analysis,,,Tool to see what was emptied from the Windows Recycle Bin,,
-,RmvConfickerB,Malware,Conficker,-,,Conficker removal tool,http://www.virusbuster.hu/en/support/support-news/exploring-computers-infected-conficker,
-,Robocopy,Forensics,File Recovery,CLI,"Robocopy C:\<dir1> C:\<dir2> /COPYALL /E /DCOPY:T = recursively copy dir1 to dir2 with all file info (ACLs, timestamps) & preserve original directory timestamps",Robust File Copy replaces xcopy in Vista+,-,
-,Rootkit Hunter,Malware,Linux Forensics,CLI,,"Rootkit Hunter, security monitoring and analyzing tool for POSIX compliant systems.",http://sourceforge.net/projects/rkhunter/,
,rsafindkey,Cryptography,Obfuscation/Encryption,,,Find obfuscated or encrypted data,,
"rtf, doc",RTFScan,File Analysis,Microsoft Office,CLI,scan,"Tool that's able to scan for malicious traces like shellcode, dumps embedded OLE and PE files and other data containers",http://reconstructer.org/code/OfficeMalScanner.zip,
plist,safari_bm.pl,Forensics,Mac Forensics,CLI,,Safari Bookmarks.plist file parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
-,safari_cookie_bin.pl,Forensics,Mac Forensics,CLI,,Safari Cookies.BinaryCookies parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
plist,safari_cookies.pl,Forensics,Mac Forensics,CLI,,Safari Cookies.plist parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
plist,safari_downloads.pl,Forensics,Mac Forensics,CLI,,Safari Downloads.plist parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
plist,safari_hist.pl,Forensics,Mac Forensics,CLI,,Safari History.plist parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
db,safari_icon.pl,Forensics,Mac Forensics,CLI,,Safari icon.db/WebpageIcons.db parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
plist,safari_top.pl,Forensics,Mac Forensics,CLI,,Safari TopSites.plist parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
db,safari_wincache.pl,Forensics,Mac Forensics,CLI,,Safari Cache.db parser - Part of SFT (Safari Forensic Tools),http://jafat.sourceforge.net/files.html,
,sbag,Forensics,,,,sbag is a prototype version of a ShellBag parser. The ShellBag information is a set of keys in a user registry hive (e.g. the ntuser.dat file) used by the Windows operating system to track user window viewing preferences.,http://tzworks.net/prototype_page.php?proto_id=14,
-,scalpel,Forensics,File Carving,CLI,,File carver forked from foremost and rewritten to increase performance,,
,Scout Sniper,Malware,File Identification,CLI,,A wrapper program for the Yara malware identification and classification tool and the Fuzzy Hashing program ssdeep.,http://www.cutawaysecurity.com/blog/scout-sniper,
-,sctest,Malware,Shellcode Analysis,,-Svs,Emulate shellcode,http://libemu.carnivore.it/,
,sdhash,File Identification,Fuzzy Hashing,,,,,
"exe, dll, ocx, sys",SearchAndCollect,Malware,File Identification,CLI,,Search and collect executable files (Windows PE file format only) recursively from a parent directory and store in one centralized directory.,https://github.com/IOActive/SearchAndCollect,
-,Secure Erase,Forensics,Disk Wiping,CLI,,"HDDerase.exe is a DOS-based utility that securely erases ""sanitizes"" all data on ATA hard disk drives in Intel architecture computers (PCs).",http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml,
-,sha1sum,Cryptography,Obfuscation/Encryption,CLI,,,,
-,ShadowExplorer,Forensics,Volume Shadow Copies,GUI,,ShadowExplorer allows you to browse the Shadow Copies created by the Windows Vista/7 Volume Shadow Copy Service.,http://www.shadowexplorer.com/downloads.html,Yes
-,Shell Detect,Malware,Shellcode Analysis,CLI,,"Tool to detect the presence of shellcode within a file or network stream. You can provide either a raw binary file or a network stream file as input. The technique used is very simple: it reads the data from the file and tries to run it. If the shellcode calls any LoadLibrary() function, the tool reports that it found shellcode. It hooks the LoadLibrary() API and returns SUCCESS if the hook is hit. A lot is still missing from this tool. As the author mentions on the webpage, don’t try to run it on your development machine; it actually RUNS the shellcode.",http://www.securityxploded.com/shell-detect.php,
,Shellcode2exe,Online Help,File Analysis,-,,,http://sandsprite.com/shellcode_2_exe.php,
dat,ShimCacheParser.py,Forensics,Filesystem Analysis,CLI,,Tool for reading the Application Compatibility Shim Cache stored in the Windows registry.,https://raw.github.com/mandiant/ShimCacheParser/master/ShimCacheParser.py,
-,ShoNuff,Online Help,Reconnaissance,-,,WHOIS Master!,http://whoisthemaster.org/,
-,shred,Forensics,Disk Wiping,CLI,shred -z -v -n1 <dev>,*nix program for wiping files/disks,,
-,sigcheck.exe,File Analysis,File Authenticity,CLI,"sigcheck -e -s -u = only search for EXEs, recursively, and only display unsigned ones",Verify that images are digitally signed and dump version information with this simple command-line utility.,technet.microsoft.com/en-us/sysinternals/bb897441,
,sigfind,File Analysis,Partition Identification/Recovery,CLI,-,Used to search a source file for a binary value at given offsets. Can also identify deleted or missing partitions.,,
wmdb,SimpleCarver,File Analysis,Database,,-,"Tool to extract contents from the CurrentDatabase_327.wmdb file, a database associated with the Windows 7 Windows Media Player.",http://www.simplecarver.com/,
,Skype Parser,Forensics,,,,Parse Skype Logs,http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55,
,skypeex,Memory,,CLI,,Extracts Skype artifacts from a memory dump.,http://csitraining.co.uk/skypex.aspx,
,SmartSniff,Network,Network Monitoring,GUI,,,http://www.nirsoft.net/utils/smsniff.html,
,sorter,File Analysis,File Identification,CLI,-,Extracts and sorts files based on their file type as determined by analysis of the file's content. It can also look up hashes of extracted files and perform file extension verification,,
js,SpiderMonkey,File Analysis,JavaScript,,,Deobfuscate JavaScript,https://developer.mozilla.org/en/SpiderMonkey,
pcap,SplitCap,Network,Log Analysis,CLI,,SplitCap is a free open source pcap file splitter,http://www.netresec.com/?page=SplitCap,
"pcap, log, evt, evtx",splunk,Forensics,Log Analysis,GUI,,*500mb/day for free*,http://www.splunk.com/,Yes
,SQL Light Manager,,,,,,,
,srch_strings,,,CLI,-,A standalone version of the strings command.,,
-,ssdeep,File Identification,Fuzzy Hashing,CLI,,"Performs context triggered piecewise hashes, or fuzzy hashing, to help identify similar files.",,
-,sslyze,Pentest,SSL,CLI,,"A fast and full-featured SSL scanner that enables better, faster scanning to analyze the configuration of SSL servers.",http://sslyze.googlecode.com/files/sslyze-0.4_src.zip,
-,Streams.exe,Forensics,Alternate Data Streams,CLI,,,http://technet.microsoft.com/en-us/sysinternals/bb897440,
com,strings,,,,,,,
-,stunnel,Network,,CLI,,Wrap network traffic with SSL,http://www.stunnel.org/,
pdf,swf_mastah.py,File Analysis,Flash,CLI,swf_mastah.py -o <file.pdf>,Utilizes Peepdf and allows you to extract SWF/JS from PDF files ,https://github.com/9b/pdfxray_public/blob/master/builder/swf_mastah.py,
swf,SWFDump,File Analysis,Flash,CLI,swfdump -Ddu <file.swf> > out.txt,Tool that shows the contents of the SWF file. Part of SWFTools.,http://www.swftools.org/,
swf,SWFScan,File Analysis,Flash,GUI,-,"SWFScan can analyze any SWF file regardless of the Flash Player version for which it was targeted or version of ActionScript with which it was authored. Whether the SWF is located on your local computer or available via a public URL, SWFScan will decompile the bytecode and perform static analysis on it to understand the application's behavior and then check for known security issues.",http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167,
swf,swfscan,File Analysis,Flash,CLI,,HP's fantastic SWFScan Adobe Flash decompiler and basic security scanner,http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit-Down/SWFScan-FREE-Flash-decompiler/ba-p/5440167#.UEoDaZZyNwE,
swf,SWFTools,File Analysis,Flash,,,A collection of utilities for working with Adobe Flash files (SWF files).,http://www.swftools.org/,
exe,SysAnalyzer,Malware,Filesystem Analysis,GUI,,"An automated malcode run time analysis application that monitors various aspects of system and process states. (API logging, system snapshots, process analyzer)",http://www.woodmann.com/collaborative/tools/index.php/SysAnalyzer,
-,TamperData,Network,Website Tampering,GUI,,Control web traffic,https://addons.mozilla.org/en-US/firefox/addon/tamper-data/,
"tgz, gz, tbz, tbz2, bz1, bz",tar,,,,xzf,,,
,tcdiscover.py,,,,,Searches for TrueCrypt containers.,,
-,tchunt.exe,Cryptography,Obfuscation/Encryption,CLI,,,http://16s.us/TCHunt/index.php,
pcap,tcpbridge,Network,PCAP Analysis,CLI,,Included in the Tcpreplay suite - bridge two network segments with the power of tcprewrite,http://tcpreplay.synfin.net/,
pcap,tcpcapinfo,Network,PCAP Analysis,CLI,,Included in the Tcpreplay suite - raw pcap file decoder and debugger,http://tcpreplay.synfin.net/,
pcap,tcpdump,Network,Network Monitoring,CLI,sudo tcpdump -w <out.pcap>,,http://www.tcpdump.org/,
pcap,tcpflow,Network,Network Monitoring,CLI,,"A program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows.",http://afflib.org/software/tcpflow,
pcap,tcpprep,Network,PCAP Analysis,CLI,,Included in the Tcpreplay suite - multi-pass pcap file pre-processor which determines packets as client or server and creates cache files used by tcpreplay and tcprewrite,http://tcpreplay.synfin.net/,
pcap,tcpreplay,Network,PCAP Analysis,CLI,tcpreplay --intf1=eth0 sample.pcap,Included in the Tcpreplay suite - replays pcap files at arbitrary speeds onto the network ,http://tcpreplay.synfin.net/,
pcap,tcpreplay-edit,Network,PCAP Analysis,CLI,,Included in the Tcpreplay suite - replays & edits pcap files at arbitrary speeds onto the network,http://tcpreplay.synfin.net/,
pcap,tcprewrite,Network,PCAP Analysis,CLI,,Included in the Tcpreplay suite - pcap file editor which rewrites TCP/IP and Layer 2 packet headers,http://tcpreplay.synfin.net/,
,tcpview,Network,,,,,,
,TestDisk,Forensics,Partition Identification/Recovery,CLI,,Used to recover partitions.,http://www.cgsecurity.org/wiki/TestDisk,
,ThreatExpert,Online Help,File Analysis,-,,"ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.",http://www.threatexpert.com/threats.aspx,
db,Thumbnail Database Viewer,Forensics,Graphics,GUI,,Tool which enables you to view the thumbnail cache used by Windows to speed up the display of thumbnails in folders,http://www.itsamples.com/thumbnail-database-viewer.html,
,TitanEngine,File Analysis,Unpacking,CLI,-,,http://www.reversinglabs.com/products/TitanEngine.php,
-,tmfs,Forensics,Mac Forensics,CLI,"tmfs /mnt/hfs-root /mnt/tm-root -ouid=$(id -u my_user),gid=$(id -g my_user),allow_other",Time Machine File System is a read-only virtual filesystem which helps you to read your Apple's time machine backup,https://github.com/abique/tmfs,
-,triage-ir,Forensics,Live IR,CLI,,Automatically collect information from a system that needs basic triage functions performed upon it. (requires Sysinternals),https://code.google.com/p/triage-ir/,
-,trid,File Analysis,File Identification,,,Identify file type,http://mark0.net/soft-trid-e.html,
pcap,Tshark,Network,PCAP Analysis,CLI,tshark -r <file> -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort | uniq -c | sort -n,,,
-,TSK,Forensics,Forensic Suite,CLI,,,,
-,tsk-xview.exe,Forensics,Alternate Data Streams,CLI,,,http://code.google.com/p/malwarecookbook,
,unbup,File Analysis,Anti-Virus,CLI,,Programs to unquarantine McAfee BUP files.,"https://raw.github.com/OpenSecurityResearch/unbup/master/UnBup.sh
https://raw.github.com/OpenSecurityResearch/unbup/master/UnBup.pl",
-,URLVoid,Online Help,Website Inspection,-,,Check Reputation of Domains and Subdomains,http://urlvoid.com/,
dat,USBDeviceForensics,File Analysis,Registry Analysis,,,USBDeviceForensics is an application to extract numerous bits of information regarding USB devices.,http://www.woanware.co.uk/?page_id=45,Yes
-,usp,Forensics,Removable Media Analysis,CLI,,Tool to find USB device artifacts on an NTFS volume,,
,vbindiff,File Analysis,,,,Compare binary files,http://www.cjmweb.net/vbindiff/,
vdi,vboxmanage,Forensics,,,,VirtualBox's CLI that can convert its VDI file format to VMDKs and raw images,,
"exe,dll",verify-sigs,File Analysis,Certificates,CLI,,"Provides a Python fingerprinter class to compute all manner of hashes on files (for now, 'generic' hashes on all files, and Authenticode compliant hashes on PE/COFF files). Also provides a validator class to check Authenticode signatures.",https://code.google.com/p/verify-sigs/,
vmdk,VFAE,File Analysis,Virtual Machine Analysis,,,VMDK Forensic Artifact Extractor (VFAE) is a Windows-based tool that extracts files from VMDK images running the Windows operating system.,http://sourceforge.net/projects/vfae/,
-,virustotal-search.py,Malware,File Analysis,CLI,,Script to take a list of hashes and search against VT's DB and produce a CSV output with all info,http://blog.didierstevens.com/2012/05/21/searching-with-virustotal/,
-,VMFS,Forensics,Virtual Machine Analysis,CLI,,The Open Source VMFS Driver enables read-only access to files and folders on partitions formatted with the Virtual Machine File System (VMFS).,http://code.google.com/p/vmfs/,
vmdk,VMware Disk Mount Utility,Forensics,Virtual Machine Analysis,CLI,,Included in the VDDK and required for LiveView,http://www.vmware.com/support/developer/vddk/,
,VMware vCenter Converter,,,,,Allows you to perform physical-to-virtual machine conversions as well as conversions between virtual machine formats,https://www.vmware.com/tryvmware/?p=converter,
,volafox,Memory,Mac Forensics,,,Memory Analyzer for Mac OS X for python 2.x,http://code.google.com/p/volafox/,
"dmp, raw, vmem",Volatility,Memory,Memory Analysis,CLI,,,https://www.volatilesystems.com/default/volatility,
-,vsc-parser,Forensics,Volume Shadow Copies,CLI,,"vsc-parser demonstrates the ripping VSCs Practitioner Method. The collection of scripts: automating VSC access, obtaining operating system information, obtaining information about the VSCs’ files, and extracting information from registry hives.",http://code.google.com/p/jiir-resources/downloads/list,
-,VSCtoolset.exe,Forensics,Volume Shadow Copies,GUI,,A GUI developed for executing batch files against one or more volume shadow copies.,http://dfstream.blogspot.com/p/vsc-toolset.html,
-,vssadmin,Forensics,Volume Shadow Copies,CLI,vssadmin list shadows,Displays current volume shadow copy backups and all installed shadow copy writers and providers.,-,
pdf,Walker,,,GUI,,Examines the structure of PDF files.,http://code.google.com/p/origami-pdf/,
,WebMER,,,,,"WebMER (Minimum Escalation Requirements) collects McAfee product data from your computer so that the problem can be analyzed and resolved by McAfee's Technical Support team. Includes registry details, file version details, files, event logs and process details.",,
"js, pdf, swf",Wepawet,Online Help,File Analysis,-,,Wepawet is a framework for the analysis of web-based threats.,http://wepawet.iseclab.org/,
-,wget,,,CLI,,Retrieve websites,,
dmp,win32/64.dd,Memory,Memory Analysis,CLI,win32.dd /c 0,Part of the MoonSols Windows Memory Toolkit that captures a memory image either over the network or locally.,http://www.moonsols.com/products/,
,WinMHR,Malware,Anti-Virus,GUI,,WinMHR uses Team Cymru's acclaimed Malware Hash Registry to quickly find malicious files residing or running on your computer. ,http://www.team-cymru.org/Services/MHR/WinMHR/,
pcap,Wireshark,Network,Network Monitoring,GUI,,,http://www.wireshark.org/,
dat,WRR (MiTeC Windows Registry Recovery),File Analysis,Registry Analysis,GUI,,"This application allows reading files containing Windows NT, 2K, XP and 2K3 registry hives. It extracts much useful information about the configuration and Windows installation settings of the host machine. Registry hives can be exported into REGEDIT4 format.",http://www.mitec.cz/,
-,xandora,Online Help,File Analysis,-,,Suspicious File Analyzer,http://www.xandora.net/xangui/,
-,xcopy,Forensics,File Recovery,CLI,xcopy c:\<dir1> c:\<dir2> /s /e /I /h = copy dir1 to dir2 with all files/subfolders including ones with hidden/system attributes and empty dirs,Replaced the copy command but not present in Vista+,,
pdf,xdpdf,File Analysis,PDF,,,Designed to quickly and transparently render inert potentially malicious parts of a PDF document traversing a Microsoft Exchange server.,http://code.google.com/p/xdpdf/,
-,Xmount,Forensics,Disk Analysis,,,Similar to AFFuse/MountEWF but also presents the contents of the container as a VirtualBox or VMWare format disk image.,https://www.pinguin.lu/index.php,
-,xor,Cryptography,File Analysis,CLI,,A simple xor program,https://raw.github.com/OpenSecurityResearch/unbup/master/xor.pl,
-,xorsearch,,Obfuscation/Encryption,CLI,xorsearch -s http,Find obfuscated or encrypted data,http://blog.didierstevens.com/programs/xorsearch/,
-,xortool,,Obfuscation/Encryption,,,Find obfuscated or encrypted data,https://github.com/hellman/xortool,
"exe, dll",xPELister,Malware,PE Analysis,,,PE Viewer/Editor and has integrated RepairPE module.,,
pcap,xplico,Network,File Analysis,GUI,,Internet traffic decoder,http://www.xplico.org/,
"swf,cwf",xxxswf.py,File Analysis,Flash,CLI,xxxswf.py -sxd -y rules.yar -r <folder>,Examine malicious Flash files,http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html,
doc,xxxswf.py,File Analysis,Microsoft Office,CLI,xxxswf.py -xd <file>,Examine malicious Flash files,http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html,
-,YARA,Malware,File Identification,CLI,,YARA is a tool aimed at helping malware researchers to identify and classify malware samples.,http://code.google.com/p/yara-project/,
-,yara-normalize,Malware,File Identification,CLI,,"Normalizes Yara signatures into a repeatable hash even when non-transforming changes are made. To enable consistent comparisons between Yara rules (signatures), a uniform hashing standard was needed.",https://github.com/chrislee35/yara-normalize,
dat,YARU,Forensics,Registry Analysis,GUI,,A minimal version of a registry viewer,http://tzworks.net/prototype_page.php?proto_id=3,
-,Zulu,Online Help,Website Inspection,-,,URL Risk Analyzer,http://zulu.zscaler.com/,