Appendix C — Tool Reference
Purpose. A keyboard-side catalog of the data-recovery and digital-forensics toolbox — every major tool by category, platform, license/cost tier, and one-line purpose, with a pointer to the chapter that teaches it in depth. Chapter 36 — The Forensic Toolkit supplies the judgment (how to choose, validate, and verify); this appendix is the index you scan when you need to remember which instrument does what. Tools are listed by what they accomplish, never by brand loyalty — technology changes, principles don't.
This appendix is descriptive, not an endorsement. Inclusion does not imply a tool is validated for your task or court; that determination is yours (see Chapter 25 — The Legal Framework on Daubert/Frye, and the validation note at the end). Full command syntax for the CLI tools lives in Appendix H — Command-Line Reference; download URLs and citations live in the Bibliography; definitions are in the Glossary.
How to read this appendix
Every table uses the same four legends. Skim them once; they make the catalog dense and fast.
Category (what stage of the pipeline the tool serves):
| Tag | Category | Pipeline stage |
|---|---|---|
| IMG | Imaging / acquisition | Acquire + preserve |
| HASH | Hashing / integrity | Preserve / verify |
| FS | File-system analysis / all-in-one platform | Analyze the disk |
| CARVE | File carving | Analyze (no metadata) |
| REC | Data recovery (logical / RAID / physical) | Restore |
| WINART | Windows artifacts | Analyze |
| NIXART | macOS / Linux artifacts | Analyze |
| WEB | Browser / email / internet | Analyze |
| META | Metadata extraction | Analyze |
| MEM | Memory forensics | Analyze the volatile |
| NET | Network forensics | Analyze the wire |
| MOB | Mobile forensics | Analyze the phone |
| CLOUD | Cloud forensics | Analyze the account |
| MAL | Malware analysis / RE | Deep end |
| CRYPT | Encryption / password | Deep end |
| COIN | Cryptocurrency tracing | Deep end |
| EDISC | eDiscovery | Legal / review |
| TRIAGE | Live response / endpoint DFIR | Acquire + analyze at scale |
| DISTRO | Forensic OS distribution | The whole bench |
| VALID | Validation / reference data | Trust, then verify |
Platform: Win / Lin / mac native · X = cross-platform · (CLI) command line · (GUI) graphical · (PS) PowerShell · +HW requires dedicated hardware · web browser/server.
License / Cost (approximate list price — confirm current pricing with the vendor; tiers move):
| Tier | Meaning |
|---|---|
| FOSS | Free and open source ($0) — source is inspectable, which is itself a courtroom asset |
| Free | Free to use, closed source ($0) |
| **$** | ≤ ~$1,000 (one-time or annual) | |
| **$$** | ~$1,000 – $5,000 | | **$$$** | ~$5,000 – $15,000 | |
| $$$$ | > $15,000, enterprise/quote-based, and/or requires dedicated hardware |
Deep dive: the chapter that owns the tool's full treatment. Relative-path links to each chapter are given in the intro line of every section and consolidated in the cross-reference map at the end.
Recovery vs. Forensics. Many tools below serve both disciplines; the difference is the ceremony around the tool, not the parse. A 💾 recovery technician runs PhotoRec or R-Studio to get a client's files back fast. A 🔍 forensic examiner may run the same parse but wraps it in a write-blocker, before/after hashes, a chain of custody, and dual-tool verification so the result survives court. One toolbox, two standards of proof. The category tag tells you what a tool does; only the case tells you how much ceremony it needs.
1. Imaging and acquisition (IMG)
The front of the pipeline: make a verified bit-for-bit copy so you never work on the original (the original is sacred). Full options in Appendix H; deep treatment in Chapter 14 — Forensic Acquisition; failing-media imaging in Chapter 8 — Hard Drive Recovery.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| dd | IMG | X (CLI) | FOSS | The original raw bit-for-bit imager; copies a device to a flat .dd/.raw file |
Ch. 14 |
| dcfldd | IMG | Lin (CLI) | FOSS | dd + forensics: on-the-fly hashing, progress, split output, error logging | Ch. 14 |
| dc3dd | IMG | Lin (CLI) | FOSS | DoD Cyber Crime Center patch of dd; hashing, verify, logging, wiping | Ch. 14 |
| GNU ddrescue | IMG | Lin (CLI) | FOSS | Error-tolerant imaging of failing media; mapfile resumes and retries bad areas | Ch. 8 |
| ewfacquire (libewf) | IMG | X (CLI) | FOSS | Acquire to compressed, hashed Expert Witness Format (E01/Ex01); pairs with ewfverify, ewfmount |
Ch. 14 |
| Guymager | IMG | Lin (GUI) | FOSS | Fast, multithreaded GUI imager; outputs raw/E01/AFF with built-in verification | Ch. 14 |
| FTK Imager | IMG | Win (GUI/CLI) | Free | The universal free imager/previewer: image, mount, preview, export files, capture RAM | Ch. 14 |
| Magnet ACQUIRE | IMG | Win (GUI) | Free | Free disk and mobile acquisition from Magnet; raw/E01 | Ch. 14 |
| HDDSuperClone | IMG/REC | Lin (CLI/GUI) | FOSS | Open-source imaging of failing drives with advanced read strategies (ddrescue alternative) | Ch. 8 |
| DeepSpar Disk Imager | IMG/REC | Win +HW | Commercial ($$$$) | Hardware imager for unstable drives; head-level control and stable reads of failing media | Ch. 8 |
Write-blocking is part of acquisition but is mostly a hardware category — it is owned by Chapter 5 — The Forensic Process and Chapter 14:
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| Hardware write-blockers (Tableau/Forensic series, WiebeTech/CRU, Atola) | IMG | +HW | Commercial ($$–$$$) | Physically prevent any write to source media during acquisition | Ch. 5, 14 |
Software write-blocking (Windows USBStor WriteProtect registry switch; Linux blockdev --setro, mount -o ro,noload) |
IMG | Win/Lin | Built-in (free) | OS-level write prevention when no hardware blocker is available — always validate it | Ch. 5, 14 |
Tool Tip.
ewfacquirewrites the E01 format that everything reads, so acquiring to E01 keeps your options open across every later tool. For a quick check that an image is sound,ewfverify image.E01recomputes and compares the stored acquisition hash; for raw images,hashdeep(below) does the same job.
2. Hashing and integrity (HASH)
Proof an image and its recovered files are unaltered. Conceptually owned by Chapter 14 — Forensic Acquisition; fuzzy hashing recurs in Chapter 20 and Chapter 32.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| md5sum / sha1sum / sha256sum | HASH | X (CLI) | FOSS | Compute a single file/stream digest (coreutils) | Ch. 14 |
| hashdeep / md5deep suite | HASH | X (CLI) | FOSS | Recursive, auditable hashing; audit mode (-a -k) matches a whole tree against a known hash set |
Ch. 14 |
| ssdeep | HASH | X (CLI) | FOSS | Fuzzy (context-triggered piecewise) hashing to find near-duplicate / similar files | Ch. 20, 32 |
| certutil -hashfile | HASH | Win (CLI) | Built-in (free) | Native Windows hashing when nothing else is installed | Ch. 14 |
| Get-FileHash | HASH | Win (PS) | Built-in (free) | PowerShell hashing (SHA-256 default) for quick verification | Ch. 14 |
3. File-system analysis and all-in-one platforms (FS)
The middle of the pipeline: parse partitions, file systems, and deleted entries — or run a full case from one environment. The open-source engine and the commercial suites both live here; running one of each is how you get dual-tool verification. Owned by Chapter 4 — File Systems, Chapter 6 — Logical Recovery, and surveyed in Chapter 36.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| The Sleuth Kit (TSK) | FS | X (CLI) | FOSS | The file-system parsing engine (mmls/fsstat/fls/istat/icat/blkls…) beneath most disk tools |
Ch. 4, 6 |
| Autopsy | FS | Win/X (GUI) | FOSS | The most-used free platform: TSK + ingest modules, hash sets, keyword index, timeline, reporting | Ch. 6, 36 |
| EnCase (OpenText) | FS | Win (GUI) | Commercial ($$$$) | The long-standing courtroom-standard suite; origin of the E01 format; EnScript automation | Ch. 36 |
| FTK / Forensic Toolkit (Exterro) | FS | Win (GUI) | Commercial ($$$$) | Indexed full-text search at scale on a database backend; distributed processing | Ch. 36 |
| Magnet AXIOM / AXIOM Cyber | FS | Win (GUI) | Commercial ($$$–$$$$) | Artifact-centric analysis; Connections graph; Cyber adds remote + cloud acquisition | Ch. 36, 31 | | **X-Ways Forensics** | FS | Win (GUI) | Commercial ($$) | Fast, lightweight, low-cost power-user platform; runs from USB; built on WinHex | Ch. 36 |
| WinHex (X-Ways) | FS | Win (GUI) | Commercial ($–$$) | Hex / disk / RAM editor and the engine beneath X-Ways | Ch. 2, 36 | **The Sleuth Kit by layer** (the command tells you which abstraction you are reading — mirrors a file system's structure): | Layer | Tools | Reads | |-------|-------|-------| | Media (volume) | `mmls` `mmstat` `mmcat` | Partition table + start sectors | | File system | `fsstat` | Type, cluster size, $MFT location, layout | | File name | `fls` `ffind` | Directory entries, **including deleted (`*`)** | | Metadata / inode | `istat` `ils` `icat` `ifind` | MFT entry / inode; `icat` outputs a file **by inode** | | Data unit / block | `blkcat` `blkls` `blkstat` `blkcalc` | Raw clusters; `blkls` extracts **unallocated** space | | Whole image | `tsk_recover` `tsk_gettimes` `mactime` `img_stat` `jls`/`jcat` `srch_strings` | Bulk export, body file → timeline, journal | --- ## 4. File carving (CARVE) Recover files by **content signature** when the file system metadata is gone (formatted, overwritten MFT, raw unallocated). Signatures themselves are tabulated in [Appendix A — File Signatures Reference](appendix-a-file-signatures-reference.md); the technique is owned by [Chapter 7 — File Carving](../part-2-data-recovery/chapter-07-file-carving/index.md). | Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive | |------|-----|----------|----------------|------------------|-----------| | **PhotoRec** (CGSecurity) | CARVE | X (CLI/GUI) | FOSS | Signature carving of 480+ file types from images/unallocated, file-system-agnostic | Ch. 7 | | **foremost** | CARVE | Lin (CLI) | FOSS | Classic header/footer carver with a configurable signature config (`foremost.conf`) | Ch. 7 | | **Scalpel** | CARVE | X (CLI) | FOSS | Fast, configurable carver (foremost rewrite); database-driven signatures | Ch. 7 | | **bulk_extractor** | CARVE/MEM | X (CLI/GUI) | FOSS | File-system-blind feature scanner: emails, URLs, CCNs (Luhn-checked), GPS, **AES keys**, carved pcap | Ch. 7, 22 | > **Tool Tip.** Carving's complement is **metadata-aware recovery**: try `tsk_recover` (Ch. 6) *first* to get files the file system still describes (with their real names and paths), then carve only the unallocated remainder (`blkls … > unalloc.bin`) with PhotoRec/Scalpel. Carved files lose their original names and timestamps — that is the price of recovering structure-free. --- ## 5. Data recovery — logical, RAID, and physical (REC) The recovery shelf: get bytes back, fast and complete. These optimize for restoration; add forensic ceremony only when the matter is headed for court. Owned by [Chapter 6 — Logical Recovery](../part-2-data-recovery/chapter-06-logical-recovery/index.md), [Chapter 10 — RAID Recovery](../part-2-data-recovery/chapter-10-raid-recovery/index.md), and [Chapter 8 — Hard Drive Recovery](../part-2-data-recovery/chapter-08-hard-drive-recovery/index.md). | Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive | |------|-----|----------|----------------|------------------|-----------| | **TestDisk** (CGSecurity) | REC | X (CLI) | FOSS | Repair partition tables, rebuild boot sectors, recover lost/deleted partitions | Ch. 6 | | **PhotoRec** (CGSecurity) | REC/CARVE | X (CLI/GUI) | FOSS | Carving-based recovery when the file system is unrecoverable (see §4) | Ch. 6, 7 | | **R-Studio** (R-Tools) | REC | X (GUI) | Commercial ($) | Logical + RAID recovery across many file systems; network recovery | Ch. 6, 10 | | **UFS Explorer** (SysDev) | REC | X (GUI) | Commercial ($–$$) | Logical/RAID recovery with deep support for complex and exotic file systems | Ch. 6, 10 |
| DMDE | REC | X (CLI/GUI) | Commercial, free tier ($) | Disk editor + recovery + RAID reconstruction; strong free edition | Ch. 6, 10 |
| ReclaiMe | REC | Win (GUI) | Commercial ($) | Approachable recovery with automatic RAID-parameter detection | Ch. 10 |
| PC-3000 (ACE Lab) | REC | Win +HW | Commercial ($$$$) | The professional physical-recovery system: firmware repair, head maps, stable imaging | Ch. 8 |
Limitation. No recovery tool, at any price, recovers data that has been physically overwritten, securely wiped, or zeroed by an SSD's deterministic TRIM (Chapter 9 — SSD and Flash Recovery). When
icatreturns zeros and the carver finds nothing, the answer is not "buy a better tool" — it is that deleted ≠ destroyed reached its limit and the data is gone. A more expensive license does not change physics.
6. Windows artifacts (WINART)
Parse the registry, execution evidence, shortcuts, and event logs that make Windows the most artifact-rich platform. Owned by Chapter 16 — Windows Forensics and Chapter 21 — Timeline Analysis; triage collection by Chapter 15 — Live Response and Triage.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| Eric Zimmerman (EZ) tools | WINART | Win (.NET) | FOSS | A family of focused artifact parsers → clean CSV (roster below) | Ch. 16, 21 |
| KAPE (Kroll / E. Zimmerman) | WINART/TRIAGE | Win (CLI/GUI) | Free | Targeted collection (Targets) + processing (Modules); triage at scale | Ch. 15 |
| RegRipper (H. Carvey) | WINART | X (Perl) | FOSS | Plugin-driven registry triage; the independent dual-tool check against Registry Explorer | Ch. 16 |
| Hayabusa / Chainsaw | WINART | X (CLI) | FOSS | Sigma-rule threat hunting across Windows event logs (.evtx) |
Ch. 16, 32 |
Eric Zimmerman suite roster — one artifact, one parser, CSV out (load the CSV into Timeline Explorer to filter, tag, and pin exhibits):
| Parser / GUI | Artifact it decodes |
|---|---|
| MFTECmd | $MFT`, `$J (UsnJrnl), $LogFile`, `$Boot, $SDS |
| PECmd | Prefetch — program execution (run count, first/last run) |
| LECmd / JLECmd | LNK shortcuts / Jump Lists (recent files, devices) |
| AmcacheParser | Amcache.hve — program presence + SHA-1 of executables |
| AppCompatCacheParser | ShimCache — execution / presence evidence |
| SBECmd | ShellBags — folder access incl. removable/deleted |
| SrumECmd | SRUM — per-app network bytes and resource usage |
| RBCmd | $Recycle.Bin` `$I records (deleted-file metadata) |
| EvtxECmd | Windows Event Logs (.evtx) → CSV/JSON with field maps |
| WxTCmd | Windows 10/11 Timeline (ActivitiesCache.db) |
| RECmd / Registry Explorer | Registry — replays .LOG1/.LOG2 transaction logs so you see current state |
| SQLECmd | Generic SQLite artifact extraction via community maps |
| Timeline Explorer | Load/filter/tag/color multimillion-row CSVs |
| bstrings | Powerful regex string search over files/images |
Tool Tip. Registry Explorer replays transaction logs (
.LOG1/.LOG2) that a careless extraction or a lesser tool ignores — a hive copied without its logs shows a stale view. "Which registry tool, and did you give it the logs?" is a fair cross-examination question; feeding the parser the complete hive set is the answer.
7. macOS and Linux artifacts (NIXART)
The non-Windows side: plists, unified logs, FSEvents, and Apple's pattern-of-life databases. Owned by Chapter 17 — macOS and Linux Forensics; the super-timeline by Chapter 21.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| mac_apt | NIXART | X (CLI) | FOSS | macOS artifact-parsing framework (plists, unified logs, Spotlight, FSEvents) | Ch. 17 |
| APOLLO (S. Edwards) | NIXART | X (CLI) | FOSS | Apple Pattern of Life — correlates knowledgeC/biome "pattern of life" databases |
Ch. 17 |
| FSEventsParser | NIXART | X (CLI) | FOSS | Decode macOS FSEvents records (file-change history) | Ch. 17 |
| UAC (Unix-like Artifacts Collector) | NIXART/TRIAGE | Lin/mac (CLI) | FOSS | Live triage collection on Linux/macOS/ESXi/Solaris/AIX | Ch. 15, 17 |
| log2timeline / plaso | NIXART/WINART | X (CLI) | FOSS | Super-timeline engine ingesting hundreds of artifact types into one normalized timeline | Ch. 21 |
8. Browser, email, and internet (WEB)
Reconstruct web activity and mailboxes. Owned by Chapter 18 — Browser and Internet Forensics and Chapter 19 — Email, Chat, and Social Media Forensics.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| Hindsight (R. Benson) | WEB | X (CLI) | FOSS | Parse Chrome/Chromium history, downloads, cookies, sessions into a timeline | Ch. 18 |
libpff (pffexport) |
WEB | X (CLI) | FOSS | Extract Outlook PST/OST mailbox stores | Ch. 19 |
libpst (readpst) |
WEB | X (CLI) | FOSS | Convert PST to MBOX/EML for review | Ch. 19 |
| Autopsy / AXIOM web & email modules | WEB | see §3 | (see §3) | Integrated browser-history, cache, and MBOX/PST/EML parsing | Ch. 18, 19 |
9. Metadata (META)
Read the data about the data — EXIF, GPS, camera, authorship, timestamps. Owned by Chapter 20 — Photo, Video, and Document Forensics.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| ExifTool (P. Harvey) | META | X (CLI) | FOSS | The definitive read/write metadata tool for images, video, audio, PDFs, and documents | Ch. 20 |
| MediaInfo | META | X (CLI/GUI) | FOSS | Container/codec/technical metadata for audio and video files | Ch. 20 |
Tool Tip.
exiftool -a -G1 -s file.jpgdumps all tags grouped by family — the fastest way to surface GPS coordinates, the capturing device, and original-vs-modified timestamps that anchor the photo-evidence thread of anchor case #4. Read metadata; never write it on evidence.
10. Memory forensics (MEM)
The volatile machine: running processes, network connections, injected code, and encryption keys the disk never holds. Owned by Chapter 22 — Memory Forensics.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| Volatility 3 (Volatility Foundation) | MEM | X (CLI) | FOSS | The court-recognized memory-analysis standard (v2: profiles; v3: symbol tables) | Ch. 22 |
| MemProcFS (U. Frisk) | MEM | Win/Lin (CLI) | FOSS | Mount a memory image as a browsable file system; pairs with PCILeech | Ch. 22 |
| WinPmem / DumpIt / LiME / AVML | MEM | varies | FOSS | RAM acquisition: Windows (WinPmem, DumpIt), Linux (LiME), Azure/Linux (AVML) | Ch. 22 |
| Magnet RAM Capture | MEM | Win (GUI) | Free | Simple free Windows RAM acquisition | Ch. 22 |
| bulk_extractor | MEM/CARVE | X (CLI) | FOSS | Scan a RAM image for AES keys, IOCs, and features (see §4) | Ch. 22 |
11. Network forensics (NET)
The wire: capture, dissect, and reconstruct traffic. Owned by Chapter 23 — Network Forensics.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
Wireshark (+ tshark, dumpcap, editcap, mergecap, capinfos) |
NET | X (GUI/CLI) | FOSS | Deep packet capture and analysis — the network standard; tshark scripts it |
Ch. 23 |
| tcpdump / WinDump | NET | X (CLI) | FOSS | Lightweight CLI capture and BPF filtering | Ch. 23 |
| Zeek (formerly Bro) | NET | X (CLI) | FOSS | Turns raw traffic into rich connection/protocol logs for hunting at scale | Ch. 23 |
| NetworkMiner (Netresec) | NET | Win/X (GUI) | Free + Pro ($) | Host-centric pcap parsing: carve files, images, credentials, and sessions point-and-click | Ch. 23 |
| Suricata | NET | X (CLI) | FOSS | IDS/IPS with protocol logging, signature alerts, and PCAP output | Ch. 23 |
| Arkime (formerly Moloch) | NET | Lin (web) | FOSS | Large-scale full-packet capture, indexing, and search | Ch. 23 |
12. Mobile forensics (MOB)
The most personal evidence source, and the category where commercial tooling is least optional — locked bootloaders, default encryption, secure enclaves, and weekly app-format churn require funded research. Owned by Chapter 24 — Mobile Device Forensics; recovery angle in Chapter 11 — Mobile Device Recovery.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| Cellebrite UFED / Physical Analyzer | MOB | Win +HW | Commercial ($$$$) | Market-leading extraction (UFED) + decoding (Physical Analyzer); shareable UFDR output | Ch. 24, 11 |
| Cellebrite Premium | MOB | Win +HW | Commercial ($$$$) | Access to locked/encrypted devices; tightly controlled, predominantly LE | Ch. 24 |
| Cellebrite Reader | MOB | Win (GUI) | Free | Free viewer for UFDR extraction reports (share with counsel/examiners) | Ch. 24 |
| MSAB XRY / XAMN | MOB | Win +HW | Commercial ($$$$) | Mobile extraction (XRY) + analysis (XAMN) | Ch. 24 |
| Magnet GrayKey / Verakey | MOB | Win +HW | Commercial ($$$$) | Locked-device access for iOS/Android (LE-restricted) | Ch. 24 |
| Oxygen Forensic Detective | MOB/CLOUD | Win (GUI) | Commercial ($$$$) | Mobile + cloud + drone extraction and analytics | Ch. 24 |
| Belkasoft X | MOB | Win (GUI) | Commercial ($$$) | Mobile + computer + cloud all-in-one | Ch. 24 | | **iLEAPP / ALEAPP / RLEAPP / VLEAPP** (A. Brignoni) | MOB | X (CLI/GUI) | FOSS | Free parsers for iOS / Android / returns-cloud / vehicle logs | Ch. 24, 34 | | **libimobiledevice** | MOB | X (CLI) | FOSS | Communicate with iOS devices; `idevicebackup2` logical backup | Ch. 24, 11 | | **ADB** (Android Debug Bridge) | MOB | X (CLI) | FOSS | Android device communication, backup, and logical extraction | Ch. 24, 11 | --- ## 13. Cloud forensics (CLOUD) Accounts and SaaS rather than seized hardware — acquisition is by credential, token, API, or legal process. Owned by [Chapter 31 — Cloud Forensics](../part-5-advanced-topics/chapter-31-cloud-forensics/index.md). | Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive | |------|-----|----------|----------------|------------------|-----------| | **Magnet AXIOM Cyber** | CLOUD | Win (GUI) | Commercial ($$$$) | Remote endpoint + cloud (Google/M365/etc.) acquisition and analysis | Ch. 31 | | **Cellebrite (cloud)** | CLOUD | Win | Commercial ($$$$) | Cloud-token-based account acquisition | Ch. 31 | | **Elcomsoft Cloud Explorer / Phone Breaker** | CLOUD | Win | Commercial ($$) | iCloud/Google cloud extraction with valid credentials/tokens | Ch. 31, 29 |
| Provider-native exports (Google Takeout, M365 Purview eDiscovery) | CLOUD | web | Varies | First-party data export and legal hold straight from the provider | Ch. 31 |
Legal Note. Cloud acquisition turns on authority, not technique — a token or credential does not grant lawful access by itself. Account data may sit across jurisdictions, implicating the Stored Communications Act, the CLOUD Act, and MLAT process; get the legal basis right before you collect. Doctrine is owned by Chapter 25 — The Legal Framework and tabulated in Appendix E — Legal Frameworks Reference.
14. Malware analysis and reverse engineering (MAL)
Post-incident analysis of malicious code — defensive understanding, not weaponization (Chapter 32 — Malware Forensics).
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| Ghidra (NSA) | MAL | X (GUI) | FOSS | Disassembler + decompiler; the free reverse-engineering platform | Ch. 32 |
| IDA Pro / IDA Free (Hex-Rays) | MAL | X (GUI) | Commercial ($$$$) / Free | Industry disassembler/debugger; Free tier covers the basics | Ch. 32 |
| radare2 / Rizin / Cutter | MAL | X | FOSS | Open RE framework plus a modern GUI (Cutter) | Ch. 32 |
| x64dbg | MAL | Win (GUI) | FOSS | User-mode debugger for Windows binaries | Ch. 32 |
| YARA | MAL | X (CLI) | FOSS | Pattern-matching rules to identify and classify files & malware families | Ch. 32 |
| CAPA (Mandiant) | MAL | X (CLI) | FOSS | Detect program capabilities (persistence, C2, injection) in executables | Ch. 32 |
| FLOSS (Mandiant) | MAL | X (CLI) | FOSS | Extract obfuscated and stacked strings from malware | Ch. 32 |
| Detect It Easy (DiE) | MAL | X (GUI) | FOSS | Identify packers, compilers, and file signatures | Ch. 32 |
| PEStudio | MAL | Win (GUI) | Free | Static PE triage and indicator review (no execution) | Ch. 32 |
| CAPE / Cuckoo Sandbox | MAL | Lin (web) | FOSS | Automated dynamic malware analysis in an instrumented sandbox | Ch. 32 |
15. Encryption and password recovery (CRYPT)
Attack protected files and full-disk encryption — within lawful authority. Owned by Chapter 29 — Encrypted Device Forensics.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| Hashcat | CRYPT | X (CLI) | FOSS | GPU-accelerated password/hash recovery (BitLocker, LUKS, VeraCrypt, archives, office docs) | Ch. 29 |
| John the Ripper | CRYPT | X (CLI) | FOSS | Password cracking plus a huge *2john hash-extractor family |
Ch. 29 |
| dislocker | CRYPT | Lin/mac (CLI) | FOSS | Mount/decrypt BitLocker volumes on Linux/macOS given a key or recovery password | Ch. 29 |
| Passware Kit Forensic | CRYPT | Win (GUI) | Commercial ($$–$$$) | Decrypt FDE/files/mobile; GPU + distributed attacks; memory-key extraction | Ch. 29 |
| Elcomsoft (EFDD / EDPR / EPB) | CRYPT | Win (GUI) | Commercial ($$–$$$) | Forensic disk decryptor, distributed cracking, phone breaker | Ch. 29 |
Limitation. Strong, correctly implemented encryption with a high-entropy passphrase and no recoverable key is, for practical purposes, unbreakable — and that is a feature of the math, not a gap in the tool. The realistic paths are the key (in a memory image, escrow, TPM, or recovery key), not brute force against the cipher. "The volume is encrypted and the key is unavailable; the data is inaccessible" is a valid, professional finding (know your limitations).
16. Cryptocurrency investigation (COIN)
Follow the money across public ledgers and attribute addresses. Owned by Chapter 33 — Cryptocurrency Investigation.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| Chainalysis (Reactor / KYT) | COIN | web | Commercial ($$$$) | Blockchain tracing and attribution; LE/enterprise | Ch. 33 |
| TRM Labs | COIN | web | Commercial ($$$$) | Blockchain intelligence and transaction tracing | Ch. 33 |
| Elliptic | COIN | web | Commercial ($$$$) | Crypto compliance and tracing | Ch. 33 |
| Maltego | COIN | X (GUI) | Free + Commercial ($$) | Link-analysis/OSINT graphing with cryptocurrency transforms | Ch. 33 | | **GraphSense** | COIN | Lin (web) | FOSS | Open-source cryptoasset analytics platform | Ch. 33 | | **Public block explorers** (Etherscan, Blockstream, mempool.space) | COIN | web | Free | Manual transaction tracing on the public ledger | Ch. 33 | --- ## 17. eDiscovery (EDISC) Process, review, and produce in litigation — the 📜 legal end of the pipeline. Owned by [Chapter 25 — The Legal Framework](../part-4-legal-framework-and-reporting/chapter-25-the-legal-framework/index.md). | Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive | |------|-----|----------|----------------|------------------|-----------| | **Relativity / RelativityOne** | EDISC | web | Commercial ($$$$) | The dominant litigation review/processing/production platform | Ch. 25 | | **Nuix** | EDISC | Win (GUI) | Commercial ($$$$) | High-volume processing and investigation engine | Ch. 25 | | **Logikcull / Everlaw / Disco** | EDISC | web | Commercial ($$$) | Cloud eDiscovery review for smaller matters and firms | Ch. 25 |
18. Live response and endpoint DFIR (TRIAGE)
Collect and analyze at speed and scale — across one machine or a fleet — respecting the order of volatility. Owned by Chapter 15 — Live Response and Triage Forensics.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| KAPE | TRIAGE/WINART | Win (CLI/GUI) | Free | Targeted artifact collection + processing; the field triage standard (see §6) | Ch. 15 |
| Velociraptor | TRIAGE | X (web/CLI) | FOSS | Fleet-scale endpoint hunting and collection via VQL — KAPE on a thousand machines | Ch. 15 |
| GRR Rapid Response | TRIAGE | Lin (web) | FOSS | Remote live forensics at scale (Google) | Ch. 15 |
| osquery | TRIAGE | X (CLI) | FOSS | Query endpoints' live state like a SQL database | Ch. 15 |
| CyLR | TRIAGE | Win (CLI) | FOSS | Fast live artifact collection into an archive | Ch. 15 |
| Redline (Mandiant) | TRIAGE/MEM | Win (GUI) | Free | Host investigation, IOC collection, and triage | Ch. 15, 22 |
19. Forensic OS distributions (DISTRO)
Preconfigured Linux images that bundle most of the open-source bench into a ready lab. Owned by Chapter 37 — Building a Forensic Lab.
| Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| SIFT Workstation (SANS) | DISTRO | Lin | FOSS | Ubuntu DFIR distro bundling TSK, Volatility, plaso, and most open tools above | Ch. 37 |
| CAINE | DISTRO | Lin (live) | FOSS | Forensic live distro with write-blocking by default | Ch. 37 |
| Tsurugi Linux | DISTRO | Lin (live) | FOSS | DFIR/OSINT live distro | Ch. 37 |
| REMnux | DISTRO/MAL | Lin | FOSS | Malware-analysis distro (pairs with the §14 tools) | Ch. 32, 37 |
| Paladin (SUMURI) | DISTRO | Lin (live) | Free | Imaging-focused live forensic distro | Ch. 37 |
20. Validation and reference data (VALID)
You do not trust a tool because it is popular or expensive — you trust it because it has been validated against known data, and you verify load-bearing findings with a second tool. These are the references that make that defensible; the discipline is owned by Chapter 36 and practice images are catalogued in Appendix J — Practice Images and Lab Setup.
| Resource | Cat | Provided by | Cost | One-line purpose | Deep dive |
|---|---|---|---|---|---|
| NIST CFTT (Computer Forensics Tool Testing) | VALID | NIST | Free | Specifications + test reports for tool categories (imaging, write-block, carving, mobile…) | Ch. 36 |
| NIST CFReDS (Computer Forensic Reference Data Sets) | VALID | NIST | Free | Reference images with known ground truth for validation and practice | Ch. 36, App. J |
| NSRL (RDS hash sets) | VALID | NIST | Free | Known-software hashes to exclude known-good files and confirm known ones | Ch. 36 |
| Project VIC / CAID | VALID | LE consortia | Restricted (LE) | Known-CSAM hash sets enabling hash-based handling that minimizes human exposure | Ch. 28 |
| Digital Corpora (S. Garfinkel) | VALID | Digital Corpora | Free | Practice corpora (govdocs1, m57-Patents) and disk images | App. J |
| SWGDE guidelines / ISO/IEC 17025 | VALID | SWGDE / ISO | Free / accreditation | Validation-testing standards; accredited labs must document method/tool validation | Ch. 36, 37 |
Ethics Note. The Project VIC / CAID hash sets exist to identify known illegal material by hash, without a human re-viewing the content — both to make the review tractable and, deliberately, to limit how much an examiner must look at. That is a designed-in mitigation of the secondary trauma this work carries. Configure these hash sets first in any case where contraband may be in scope. Mandatory reporting (18 U.S.C. §2258A), scope discipline, and examiner well-being are owned by Chapter 28 — Ethics. The human cost is real.
Evidence and image formats at a glance
The container, not just the tool, determines what your next tool can read. Keep this next to the keyboard:
| Extension(s) | Format | Read / written by | Notes |
|---|---|---|---|
.dd .raw .img .001 |
Raw bitstream | Everything | Flat, uncompressed; largest but universally readable |
.E01 .E02… |
EnCase Expert Witness Format (EWF) | EnCase, FTK, X-Ways, Autopsy, libewf, TSK | Compressed, hashed, embedded metadata, segmented |
.Ex01 |
EnCase EWF v2 (EnCase 7+) | EnCase, X-Ways, libewf | Newer EWF variant (optional AES) |
.L01 .Lx01 |
EnCase logical evidence | EnCase, X-Ways | Container of selected files with metadata, not a full disk |
.AD1 |
AccessData logical image | FTK / FTK Imager | Logical custom-content image |
.aff4 |
Advanced Forensics Format 4 | pyaff4 and supporting tools | Modern; supports sparse, layered, and cloud sources |
.vmdk .vhd(x) .vdi |
Virtual disks | Most suites; Arsenal Image Mounter | Image or mount VMs directly |
.dmg |
Apple disk image | macOS, several suites | macOS acquisition/target |
.UFDR |
Cellebrite report package | Cellebrite Reader / Physical Analyzer | Shareable mobile extraction report |
.raw .lime .vmem .dmp |
Memory images | Volatility, MemProcFS | RAM captures (.vmem = VMware; .dmp = crash dump) |
.pcap .pcapng |
Packet capture | Wireshark/tshark, Zeek, NetworkMiner, tcpdump | Network evidence |
Quick-invocation cheat sheet
A minimal, copy-near-it starter for the CLI workhorses. Illustrative — never run against original evidence; work on verified copies. Full flags and many more tools are in Appendix H — Command-Line Reference.
# ── ACQUIRE (behind a write-blocker) ──────────────────────────────────────────
ewfacquire -t /ev/case01/disk -c best -d sha256 /dev/sdX # → E01, compressed+hashed
dcfldd if=/dev/sdX of=/ev/case01/disk.dd hash=sha256 hashlog=disk.hashes bs=4M
ddrescue -d -r3 /dev/sdX failing.img failing.map # failing media (resumable)
# ── VERIFY INTEGRITY ──────────────────────────────────────────────────────────
ewfverify disk.E01 # recompute vs. stored hash
hashdeep -r -c sha256 ./recovered > recovered.hashes # recursive, auditable
hashdeep -a -k baseline.hashes -r ./recovered # audit a tree vs. known set
# ── FILE SYSTEM (The Sleuth Kit) — mmls offset is in 512-byte SECTORS ─────────
mmls disk.E01 # find partition start sectors
fls -o 1024000 -r -p disk.E01 # list files incl. deleted (*)
istat -o 1024000 disk.E01 5830 # one entry: metadata + MACB
icat -o 1024000 disk.E01 5830-128-3 > out/recovered.xlsx # recover a file BY inode
tsk_recover -e -o 1024000 disk.E01 ./export # bulk export (alloc+unalloc)
blkls -o 1024000 disk.E01 > unalloc.bin # extract unallocated for carving
# ── CARVE (metadata is gone) ──────────────────────────────────────────────────
photorec unalloc.bin # interactive signature carving
scalpel -o carve_out unalloc.bin # config-driven carver
bulk_extractor -o bx_out disk.E01 # features: email/url/ccn/gps/aes_keys
# ── METADATA · NETWORK · MEMORY ───────────────────────────────────────────────
exiftool -a -G1 -s photo.jpg # all tags, grouped (GPS/camera/times)
tshark -r cap.pcapng -Y 'http.request.method=="POST"' \
-T fields -e ip.dst -e http.host -e http.request.uri # extract HTTP POSTs
vol -f mem.raw windows.pslist # Volatility 3: processes
The Windows-side one-liner every examiner runs reflexively — confirm two tools recovered byte-identical content:
# Same artifact recovered by two independent tools must hash-match (working copies only).
$a = (Get-FileHash -Algorithm SHA256 .\autopsy_out\recovered.xlsx).Hash
$b = (Get-FileHash -Algorithm SHA256 .\xways_out\recovered.xlsx).Hash
if ($a -eq $b) { "AGREE $a" } else { "CONFLICT A=$a B=$b -- investigate" }
Template: tool and version log
Record every tool and its exact version in your case notes — version numbers are part of the chain of custody because results can differ across versions. Drop this block into the methodology section of your report (Chapter 26 — The Forensic Report); the chain-of-custody and report forms are in Appendix F.
TOOL & VERSION LOG (attach to case notes / CoC)
Case: ____________________ Examiner: ____________________ Date: ___________
Evidence item / image: __________________________ Acq. SHA-256: ____________
┌─────────────────────────┬───────────┬───────────────┬──────────────────────────┐
│ Tool │ Version │ Validated? │ Used for (artifact/finding)│
├─────────────────────────┼───────────┼───────────────┼──────────────────────────┤
│ FTK Imager │ 4.7.x │ CFTT + self │ Acquisition → disk01.E01 │
│ The Sleuth Kit │ 4.12.1 │ CFReDS + self │ Deleted-file recovery │
│ X-Ways Forensics │ 21.x │ self │ Dual-tool verify (hash ✓) │
│ Registry Explorer │ x.x │ self │ USBSTOR first/last connect│
│ Volatility 3 │ 2.x │ self │ Memory: pslist / netscan │
│ ____________________ │ ________ │ _____________ │ _________________________ │
└─────────────────────────┴───────────┴───────────────┴──────────────────────────┘
Dual-tool confirmations (finding → tool A / tool B → matching SHA-256):
1) ____________________________________________________________________________
2) ____________________________________________________________________________
Conflicts found and resolved (a conflict is information, not a nuisance): ________
Choosing from this catalog (pointer)
The catalog answers "which tool does X?" It does not answer "which tool should I use here?" — that is judgment, and it is owned by Chapter 36 — The Forensic Toolkit. The short version, for the keyboard:
- Start from the evidence and the question, not the brand. Disk → §3/§4/§5; phone → §12; RAM → §10; packets → §11; account → §13.
- Decide recovery vs. forensics. Recovery optimizes for getting bytes back; forensics adds write-blocking, hashing, chain of custody, and dual-tool verification for court.
- Match the budget. A real career can start at $0 (Autopsy/TSK, Volatility, Wireshark, bulk_extractor, EZ tools, PhotoRec/TestDisk, ExifTool — all on a SIFT/CAINE workstation). Buy commercial for scale, support, currency, and — for mobile and cloud — capability you cannot get free.
- Match the court. Prefer validated (CFTT/CFReDS), widely accepted, explainable tools; you must be able to defend on the stand what the tool did and why you trust it (Chapter 27 — Expert Testimony).
- Verify load-bearing findings with a second, independent tool — ideally one open-source and one commercial, from different codebases. When two independent tools agree, the finding is robust; when they disagree, you have found something to run to ground before it reaches the report.
Legal Note. Under Daubert, your tool choice is evidence about testability, error rate, standards, and general acceptance. "I used The Sleuth Kit and confirmed with X-Ways; both are widely used, TSK's source is open, and CFTT has tested the relevant function" speaks directly to admissibility. "I used a tool I can't fully explain" invites exclusion. Choosing court-recognized, validated tools is building admissibility in from the first command — doctrine in Chapter 25; the certifications that signal tool competence in Appendix I — Certification Roadmap.
Cross-reference: deep dives by chapter
Where each category is taught in full (relative links):
- Storage & file systems — Ch. 2 (data storage) · Ch. 3 (storage tech/RAID) · Ch. 4 (file systems)
- Process, acquisition, hashing — Ch. 5 (forensic process) · Ch. 14 (acquisition)
- Recovery & carving — Ch. 6 (logical) · Ch. 7 (carving) · Ch. 8 (hard drive) · Ch. 9 (SSD/TRIM) · Ch. 10 (RAID) · Ch. 12 (ransomware)
- Triage & OS artifacts — Ch. 15 (live/triage) · Ch. 16 (Windows) · Ch. 17 (macOS/Linux)
- Internet, metadata, timeline — Ch. 18 (browser) · Ch. 19 (email/chat) · Ch. 20 (photo/video/doc) · Ch. 21 (timeline)
- Volatile, network, mobile — Ch. 22 (memory) · Ch. 23 (network) · Ch. 24 (mobile) · Ch. 11 (mobile recovery)
- Legal, reporting, ethics — Ch. 25 (legal) · Ch. 26 (report) · Ch. 27 (testimony) · Ch. 28 (ethics)
- Advanced — Ch. 29 (encryption) · Ch. 30 (anti-forensics) · Ch. 31 (cloud) · Ch. 32 (malware) · Ch. 33 (crypto) · Ch. 34 (IoT/vehicle) · Ch. 35 (AI/deepfakes)
- Toolkit, lab, career — Ch. 36 (toolkit/judgment) · Ch. 37 (lab) · Ch. 38 (capstone) · Ch. 39 (certifications)
Related appendices: A — File Signatures · B — Python Forensics Toolkit · D — Artifact Locations · E — Legal Frameworks · F — Chain of Custody & Report Templates · G — File-System Reference · H — Command-Line Reference · I — Certification Roadmap · J — Practice Images & Lab Setup · Glossary · Bibliography
One line to carry forward: the tool does not testify — you do; this catalog names the instruments, but your understanding and judgment are what the instruments serve.