Appendix C — Tool Reference

Purpose. A keyboard-side catalog of the data-recovery and digital-forensics toolbox — every major tool by category, platform, license/cost tier, and one-line purpose, with a pointer to the chapter that teaches it in depth. Chapter 36 — The Forensic Toolkit supplies the judgment (how to choose, validate, and verify); this appendix is the index you scan when you need to remember which instrument does what. Tools are listed by what they accomplish, never by brand loyalty — technology changes, principles don't.

This appendix is descriptive, not an endorsement. Inclusion does not imply a tool is validated for your task or court; that determination is yours (see Chapter 25 — The Legal Framework on Daubert/Frye, and the validation note at the end). Full command syntax for the CLI tools lives in Appendix H — Command-Line Reference; download URLs and citations live in the Bibliography; definitions are in the Glossary.


How to read this appendix

Every table uses the same four legends. Skim them once; they make the catalog dense and fast.

Category (what stage of the pipeline the tool serves):

Tag Category Pipeline stage
IMG Imaging / acquisition Acquire + preserve
HASH Hashing / integrity Preserve / verify
FS File-system analysis / all-in-one platform Analyze the disk
CARVE File carving Analyze (no metadata)
REC Data recovery (logical / RAID / physical) Restore
WINART Windows artifacts Analyze
NIXART macOS / Linux artifacts Analyze
WEB Browser / email / internet Analyze
META Metadata extraction Analyze
MEM Memory forensics Analyze the volatile
NET Network forensics Analyze the wire
MOB Mobile forensics Analyze the phone
CLOUD Cloud forensics Analyze the account
MAL Malware analysis / RE Deep end
CRYPT Encryption / password Deep end
COIN Cryptocurrency tracing Deep end
EDISC eDiscovery Legal / review
TRIAGE Live response / endpoint DFIR Acquire + analyze at scale
DISTRO Forensic OS distribution The whole bench
VALID Validation / reference data Trust, then verify

Platform: Win / Lin / mac native · X = cross-platform · (CLI) command line · (GUI) graphical · (PS) PowerShell · +HW requires dedicated hardware · web browser/server.

License / Cost (approximate list price — confirm current pricing with the vendor; tiers move):

Tier Meaning
FOSS Free and open source ($0) — source is inspectable, which is itself a courtroom asset
Free Free to use, closed source ($0)
**$** | ≤ ~$1,000 (one-time or annual)
**$$** | ~$1,000 – $5,000 | | **$$$** | ~$5,000 – $15,000
$$$$ > $15,000, enterprise/quote-based, and/or requires dedicated hardware

Deep dive: the chapter that owns the tool's full treatment. Relative-path links to each chapter are given in the intro line of every section and consolidated in the cross-reference map at the end.

Recovery vs. Forensics. Many tools below serve both disciplines; the difference is the ceremony around the tool, not the parse. A 💾 recovery technician runs PhotoRec or R-Studio to get a client's files back fast. A 🔍 forensic examiner may run the same parse but wraps it in a write-blocker, before/after hashes, a chain of custody, and dual-tool verification so the result survives court. One toolbox, two standards of proof. The category tag tells you what a tool does; only the case tells you how much ceremony it needs.


1. Imaging and acquisition (IMG)

The front of the pipeline: make a verified bit-for-bit copy so you never work on the original (the original is sacred). Full options in Appendix H; deep treatment in Chapter 14 — Forensic Acquisition; failing-media imaging in Chapter 8 — Hard Drive Recovery.

Tool Cat Platform License / Cost One-line purpose Deep dive
dd IMG X (CLI) FOSS The original raw bit-for-bit imager; copies a device to a flat .dd/.raw file Ch. 14
dcfldd IMG Lin (CLI) FOSS dd + forensics: on-the-fly hashing, progress, split output, error logging Ch. 14
dc3dd IMG Lin (CLI) FOSS DoD Cyber Crime Center patch of dd; hashing, verify, logging, wiping Ch. 14
GNU ddrescue IMG Lin (CLI) FOSS Error-tolerant imaging of failing media; mapfile resumes and retries bad areas Ch. 8
ewfacquire (libewf) IMG X (CLI) FOSS Acquire to compressed, hashed Expert Witness Format (E01/Ex01); pairs with ewfverify, ewfmount Ch. 14
Guymager IMG Lin (GUI) FOSS Fast, multithreaded GUI imager; outputs raw/E01/AFF with built-in verification Ch. 14
FTK Imager IMG Win (GUI/CLI) Free The universal free imager/previewer: image, mount, preview, export files, capture RAM Ch. 14
Magnet ACQUIRE IMG Win (GUI) Free Free disk and mobile acquisition from Magnet; raw/E01 Ch. 14
HDDSuperClone IMG/REC Lin (CLI/GUI) FOSS Open-source imaging of failing drives with advanced read strategies (ddrescue alternative) Ch. 8
DeepSpar Disk Imager IMG/REC Win +HW Commercial ($$$$) Hardware imager for unstable drives; head-level control and stable reads of failing media Ch. 8

Write-blocking is part of acquisition but is mostly a hardware category — it is owned by Chapter 5 — The Forensic Process and Chapter 14:

Tool Cat Platform License / Cost One-line purpose Deep dive
Hardware write-blockers (Tableau/Forensic series, WiebeTech/CRU, Atola) IMG +HW Commercial ($$–$$$) Physically prevent any write to source media during acquisition Ch. 5, 14
Software write-blocking (Windows USBStor WriteProtect registry switch; Linux blockdev --setro, mount -o ro,noload) IMG Win/Lin Built-in (free) OS-level write prevention when no hardware blocker is available — always validate it Ch. 5, 14

Tool Tip. ewfacquire writes the E01 format that everything reads, so acquiring to E01 keeps your options open across every later tool. For a quick check that an image is sound, ewfverify image.E01 recomputes and compares the stored acquisition hash; for raw images, hashdeep (below) does the same job.


2. Hashing and integrity (HASH)

Proof an image and its recovered files are unaltered. Conceptually owned by Chapter 14 — Forensic Acquisition; fuzzy hashing recurs in Chapter 20 and Chapter 32.

Tool Cat Platform License / Cost One-line purpose Deep dive
md5sum / sha1sum / sha256sum HASH X (CLI) FOSS Compute a single file/stream digest (coreutils) Ch. 14
hashdeep / md5deep suite HASH X (CLI) FOSS Recursive, auditable hashing; audit mode (-a -k) matches a whole tree against a known hash set Ch. 14
ssdeep HASH X (CLI) FOSS Fuzzy (context-triggered piecewise) hashing to find near-duplicate / similar files Ch. 20, 32
certutil -hashfile HASH Win (CLI) Built-in (free) Native Windows hashing when nothing else is installed Ch. 14
Get-FileHash HASH Win (PS) Built-in (free) PowerShell hashing (SHA-256 default) for quick verification Ch. 14

3. File-system analysis and all-in-one platforms (FS)

The middle of the pipeline: parse partitions, file systems, and deleted entries — or run a full case from one environment. The open-source engine and the commercial suites both live here; running one of each is how you get dual-tool verification. Owned by Chapter 4 — File Systems, Chapter 6 — Logical Recovery, and surveyed in Chapter 36.

Tool Cat Platform License / Cost One-line purpose Deep dive
The Sleuth Kit (TSK) FS X (CLI) FOSS The file-system parsing engine (mmls/fsstat/fls/istat/icat/blkls…) beneath most disk tools Ch. 4, 6
Autopsy FS Win/X (GUI) FOSS The most-used free platform: TSK + ingest modules, hash sets, keyword index, timeline, reporting Ch. 6, 36
EnCase (OpenText) FS Win (GUI) Commercial ($$$$) The long-standing courtroom-standard suite; origin of the E01 format; EnScript automation Ch. 36
FTK / Forensic Toolkit (Exterro) FS Win (GUI) Commercial ($$$$) Indexed full-text search at scale on a database backend; distributed processing Ch. 36
Magnet AXIOM / AXIOM Cyber FS Win (GUI) Commercial ($$$–$$$$) | Artifact-centric analysis; Connections graph; Cyber adds remote + cloud acquisition | Ch. 36, 31 | | **X-Ways Forensics** | FS | Win (GUI) | Commercial ($$) Fast, lightweight, low-cost power-user platform; runs from USB; built on WinHex Ch. 36
WinHex (X-Ways) FS Win (GUI) Commercial ($–$$) | Hex / disk / RAM editor and the engine beneath X-Ways | Ch. 2, 36 | **The Sleuth Kit by layer** (the command tells you which abstraction you are reading — mirrors a file system's structure): | Layer | Tools | Reads | |-------|-------|-------| | Media (volume) | `mmls` `mmstat` `mmcat` | Partition table + start sectors | | File system | `fsstat` | Type, cluster size, $MFT location, layout | | File name | `fls` `ffind` | Directory entries, **including deleted (`*`)** | | Metadata / inode | `istat` `ils` `icat` `ifind` | MFT entry / inode; `icat` outputs a file **by inode** | | Data unit / block | `blkcat` `blkls` `blkstat` `blkcalc` | Raw clusters; `blkls` extracts **unallocated** space | | Whole image | `tsk_recover` `tsk_gettimes` `mactime` `img_stat` `jls`/`jcat` `srch_strings` | Bulk export, body file → timeline, journal | --- ## 4. File carving (CARVE) Recover files by **content signature** when the file system metadata is gone (formatted, overwritten MFT, raw unallocated). Signatures themselves are tabulated in [Appendix A — File Signatures Reference](appendix-a-file-signatures-reference.md); the technique is owned by [Chapter 7 — File Carving](../part-2-data-recovery/chapter-07-file-carving/index.md). | Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive | |------|-----|----------|----------------|------------------|-----------| | **PhotoRec** (CGSecurity) | CARVE | X (CLI/GUI) | FOSS | Signature carving of 480+ file types from images/unallocated, file-system-agnostic | Ch. 7 | | **foremost** | CARVE | Lin (CLI) | FOSS | Classic header/footer carver with a configurable signature config (`foremost.conf`) | Ch. 7 | | **Scalpel** | CARVE | X (CLI) | FOSS | Fast, configurable carver (foremost rewrite); database-driven signatures | Ch. 7 | | **bulk_extractor** | CARVE/MEM | X (CLI/GUI) | FOSS | File-system-blind feature scanner: emails, URLs, CCNs (Luhn-checked), GPS, **AES keys**, carved pcap | Ch. 7, 22 | > **Tool Tip.** Carving's complement is **metadata-aware recovery**: try `tsk_recover` (Ch. 6) *first* to get files the file system still describes (with their real names and paths), then carve only the unallocated remainder (`blkls … > unalloc.bin`) with PhotoRec/Scalpel. Carved files lose their original names and timestamps — that is the price of recovering structure-free. --- ## 5. Data recovery — logical, RAID, and physical (REC) The recovery shelf: get bytes back, fast and complete. These optimize for restoration; add forensic ceremony only when the matter is headed for court. Owned by [Chapter 6 — Logical Recovery](../part-2-data-recovery/chapter-06-logical-recovery/index.md), [Chapter 10 — RAID Recovery](../part-2-data-recovery/chapter-10-raid-recovery/index.md), and [Chapter 8 — Hard Drive Recovery](../part-2-data-recovery/chapter-08-hard-drive-recovery/index.md). | Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive | |------|-----|----------|----------------|------------------|-----------| | **TestDisk** (CGSecurity) | REC | X (CLI) | FOSS | Repair partition tables, rebuild boot sectors, recover lost/deleted partitions | Ch. 6 | | **PhotoRec** (CGSecurity) | REC/CARVE | X (CLI/GUI) | FOSS | Carving-based recovery when the file system is unrecoverable (see §4) | Ch. 6, 7 | | **R-Studio** (R-Tools) | REC | X (GUI) | Commercial ($) | Logical + RAID recovery across many file systems; network recovery | Ch. 6, 10 | | **UFS Explorer** (SysDev) | REC | X (GUI) | Commercial ($–$$) Logical/RAID recovery with deep support for complex and exotic file systems Ch. 6, 10
DMDE REC X (CLI/GUI) Commercial, free tier ($) Disk editor + recovery + RAID reconstruction; strong free edition Ch. 6, 10
ReclaiMe REC Win (GUI) Commercial ($) Approachable recovery with automatic RAID-parameter detection Ch. 10
PC-3000 (ACE Lab) REC Win +HW Commercial ($$$$) The professional physical-recovery system: firmware repair, head maps, stable imaging Ch. 8

Limitation. No recovery tool, at any price, recovers data that has been physically overwritten, securely wiped, or zeroed by an SSD's deterministic TRIM (Chapter 9 — SSD and Flash Recovery). When icat returns zeros and the carver finds nothing, the answer is not "buy a better tool" — it is that deleted ≠ destroyed reached its limit and the data is gone. A more expensive license does not change physics.


6. Windows artifacts (WINART)

Parse the registry, execution evidence, shortcuts, and event logs that make Windows the most artifact-rich platform. Owned by Chapter 16 — Windows Forensics and Chapter 21 — Timeline Analysis; triage collection by Chapter 15 — Live Response and Triage.

Tool Cat Platform License / Cost One-line purpose Deep dive
Eric Zimmerman (EZ) tools WINART Win (.NET) FOSS A family of focused artifact parsers → clean CSV (roster below) Ch. 16, 21
KAPE (Kroll / E. Zimmerman) WINART/TRIAGE Win (CLI/GUI) Free Targeted collection (Targets) + processing (Modules); triage at scale Ch. 15
RegRipper (H. Carvey) WINART X (Perl) FOSS Plugin-driven registry triage; the independent dual-tool check against Registry Explorer Ch. 16
Hayabusa / Chainsaw WINART X (CLI) FOSS Sigma-rule threat hunting across Windows event logs (.evtx) Ch. 16, 32

Eric Zimmerman suite roster — one artifact, one parser, CSV out (load the CSV into Timeline Explorer to filter, tag, and pin exhibits):

Parser / GUI Artifact it decodes
MFTECmd $MFT`, `$J (UsnJrnl), $LogFile`, `$Boot, $SDS
PECmd Prefetch — program execution (run count, first/last run)
LECmd / JLECmd LNK shortcuts / Jump Lists (recent files, devices)
AmcacheParser Amcache.hve — program presence + SHA-1 of executables
AppCompatCacheParser ShimCache — execution / presence evidence
SBECmd ShellBags — folder access incl. removable/deleted
SrumECmd SRUM — per-app network bytes and resource usage
RBCmd $Recycle.Bin` `$I records (deleted-file metadata)
EvtxECmd Windows Event Logs (.evtx) → CSV/JSON with field maps
WxTCmd Windows 10/11 Timeline (ActivitiesCache.db)
RECmd / Registry Explorer Registry — replays .LOG1/.LOG2 transaction logs so you see current state
SQLECmd Generic SQLite artifact extraction via community maps
Timeline Explorer Load/filter/tag/color multimillion-row CSVs
bstrings Powerful regex string search over files/images

Tool Tip. Registry Explorer replays transaction logs (.LOG1/.LOG2) that a careless extraction or a lesser tool ignores — a hive copied without its logs shows a stale view. "Which registry tool, and did you give it the logs?" is a fair cross-examination question; feeding the parser the complete hive set is the answer.


7. macOS and Linux artifacts (NIXART)

The non-Windows side: plists, unified logs, FSEvents, and Apple's pattern-of-life databases. Owned by Chapter 17 — macOS and Linux Forensics; the super-timeline by Chapter 21.

Tool Cat Platform License / Cost One-line purpose Deep dive
mac_apt NIXART X (CLI) FOSS macOS artifact-parsing framework (plists, unified logs, Spotlight, FSEvents) Ch. 17
APOLLO (S. Edwards) NIXART X (CLI) FOSS Apple Pattern of Life — correlates knowledgeC/biome "pattern of life" databases Ch. 17
FSEventsParser NIXART X (CLI) FOSS Decode macOS FSEvents records (file-change history) Ch. 17
UAC (Unix-like Artifacts Collector) NIXART/TRIAGE Lin/mac (CLI) FOSS Live triage collection on Linux/macOS/ESXi/Solaris/AIX Ch. 15, 17
log2timeline / plaso NIXART/WINART X (CLI) FOSS Super-timeline engine ingesting hundreds of artifact types into one normalized timeline Ch. 21

8. Browser, email, and internet (WEB)

Reconstruct web activity and mailboxes. Owned by Chapter 18 — Browser and Internet Forensics and Chapter 19 — Email, Chat, and Social Media Forensics.

Tool Cat Platform License / Cost One-line purpose Deep dive
Hindsight (R. Benson) WEB X (CLI) FOSS Parse Chrome/Chromium history, downloads, cookies, sessions into a timeline Ch. 18
libpff (pffexport) WEB X (CLI) FOSS Extract Outlook PST/OST mailbox stores Ch. 19
libpst (readpst) WEB X (CLI) FOSS Convert PST to MBOX/EML for review Ch. 19
Autopsy / AXIOM web & email modules WEB see §3 (see §3) Integrated browser-history, cache, and MBOX/PST/EML parsing Ch. 18, 19

9. Metadata (META)

Read the data about the data — EXIF, GPS, camera, authorship, timestamps. Owned by Chapter 20 — Photo, Video, and Document Forensics.

Tool Cat Platform License / Cost One-line purpose Deep dive
ExifTool (P. Harvey) META X (CLI) FOSS The definitive read/write metadata tool for images, video, audio, PDFs, and documents Ch. 20
MediaInfo META X (CLI/GUI) FOSS Container/codec/technical metadata for audio and video files Ch. 20

Tool Tip. exiftool -a -G1 -s file.jpg dumps all tags grouped by family — the fastest way to surface GPS coordinates, the capturing device, and original-vs-modified timestamps that anchor the photo-evidence thread of anchor case #4. Read metadata; never write it on evidence.


10. Memory forensics (MEM)

The volatile machine: running processes, network connections, injected code, and encryption keys the disk never holds. Owned by Chapter 22 — Memory Forensics.

Tool Cat Platform License / Cost One-line purpose Deep dive
Volatility 3 (Volatility Foundation) MEM X (CLI) FOSS The court-recognized memory-analysis standard (v2: profiles; v3: symbol tables) Ch. 22
MemProcFS (U. Frisk) MEM Win/Lin (CLI) FOSS Mount a memory image as a browsable file system; pairs with PCILeech Ch. 22
WinPmem / DumpIt / LiME / AVML MEM varies FOSS RAM acquisition: Windows (WinPmem, DumpIt), Linux (LiME), Azure/Linux (AVML) Ch. 22
Magnet RAM Capture MEM Win (GUI) Free Simple free Windows RAM acquisition Ch. 22
bulk_extractor MEM/CARVE X (CLI) FOSS Scan a RAM image for AES keys, IOCs, and features (see §4) Ch. 22

11. Network forensics (NET)

The wire: capture, dissect, and reconstruct traffic. Owned by Chapter 23 — Network Forensics.

Tool Cat Platform License / Cost One-line purpose Deep dive
Wireshark (+ tshark, dumpcap, editcap, mergecap, capinfos) NET X (GUI/CLI) FOSS Deep packet capture and analysis — the network standard; tshark scripts it Ch. 23
tcpdump / WinDump NET X (CLI) FOSS Lightweight CLI capture and BPF filtering Ch. 23
Zeek (formerly Bro) NET X (CLI) FOSS Turns raw traffic into rich connection/protocol logs for hunting at scale Ch. 23
NetworkMiner (Netresec) NET Win/X (GUI) Free + Pro ($) Host-centric pcap parsing: carve files, images, credentials, and sessions point-and-click Ch. 23
Suricata NET X (CLI) FOSS IDS/IPS with protocol logging, signature alerts, and PCAP output Ch. 23
Arkime (formerly Moloch) NET Lin (web) FOSS Large-scale full-packet capture, indexing, and search Ch. 23

12. Mobile forensics (MOB)

The most personal evidence source, and the category where commercial tooling is least optional — locked bootloaders, default encryption, secure enclaves, and weekly app-format churn require funded research. Owned by Chapter 24 — Mobile Device Forensics; recovery angle in Chapter 11 — Mobile Device Recovery.

Tool Cat Platform License / Cost One-line purpose Deep dive
Cellebrite UFED / Physical Analyzer MOB Win +HW Commercial ($$$$) Market-leading extraction (UFED) + decoding (Physical Analyzer); shareable UFDR output Ch. 24, 11
Cellebrite Premium MOB Win +HW Commercial ($$$$) Access to locked/encrypted devices; tightly controlled, predominantly LE Ch. 24
Cellebrite Reader MOB Win (GUI) Free Free viewer for UFDR extraction reports (share with counsel/examiners) Ch. 24
MSAB XRY / XAMN MOB Win +HW Commercial ($$$$) Mobile extraction (XRY) + analysis (XAMN) Ch. 24
Magnet GrayKey / Verakey MOB Win +HW Commercial ($$$$) Locked-device access for iOS/Android (LE-restricted) Ch. 24
Oxygen Forensic Detective MOB/CLOUD Win (GUI) Commercial ($$$$) Mobile + cloud + drone extraction and analytics Ch. 24
Belkasoft X MOB Win (GUI) Commercial ($$$) | Mobile + computer + cloud all-in-one | Ch. 24 | | **iLEAPP / ALEAPP / RLEAPP / VLEAPP** (A. Brignoni) | MOB | X (CLI/GUI) | FOSS | Free parsers for iOS / Android / returns-cloud / vehicle logs | Ch. 24, 34 | | **libimobiledevice** | MOB | X (CLI) | FOSS | Communicate with iOS devices; `idevicebackup2` logical backup | Ch. 24, 11 | | **ADB** (Android Debug Bridge) | MOB | X (CLI) | FOSS | Android device communication, backup, and logical extraction | Ch. 24, 11 | --- ## 13. Cloud forensics (CLOUD) Accounts and SaaS rather than seized hardware — acquisition is by credential, token, API, or legal process. Owned by [Chapter 31 — Cloud Forensics](../part-5-advanced-topics/chapter-31-cloud-forensics/index.md). | Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive | |------|-----|----------|----------------|------------------|-----------| | **Magnet AXIOM Cyber** | CLOUD | Win (GUI) | Commercial ($$$$) | Remote endpoint + cloud (Google/M365/etc.) acquisition and analysis | Ch. 31 | | **Cellebrite (cloud)** | CLOUD | Win | Commercial ($$$$) | Cloud-token-based account acquisition | Ch. 31 | | **Elcomsoft Cloud Explorer / Phone Breaker** | CLOUD | Win | Commercial ($$) iCloud/Google cloud extraction with valid credentials/tokens Ch. 31, 29
Provider-native exports (Google Takeout, M365 Purview eDiscovery) CLOUD web Varies First-party data export and legal hold straight from the provider Ch. 31

Legal Note. Cloud acquisition turns on authority, not technique — a token or credential does not grant lawful access by itself. Account data may sit across jurisdictions, implicating the Stored Communications Act, the CLOUD Act, and MLAT process; get the legal basis right before you collect. Doctrine is owned by Chapter 25 — The Legal Framework and tabulated in Appendix E — Legal Frameworks Reference.


14. Malware analysis and reverse engineering (MAL)

Post-incident analysis of malicious code — defensive understanding, not weaponization (Chapter 32 — Malware Forensics).

Tool Cat Platform License / Cost One-line purpose Deep dive
Ghidra (NSA) MAL X (GUI) FOSS Disassembler + decompiler; the free reverse-engineering platform Ch. 32
IDA Pro / IDA Free (Hex-Rays) MAL X (GUI) Commercial ($$$$) / Free Industry disassembler/debugger; Free tier covers the basics Ch. 32
radare2 / Rizin / Cutter MAL X FOSS Open RE framework plus a modern GUI (Cutter) Ch. 32
x64dbg MAL Win (GUI) FOSS User-mode debugger for Windows binaries Ch. 32
YARA MAL X (CLI) FOSS Pattern-matching rules to identify and classify files & malware families Ch. 32
CAPA (Mandiant) MAL X (CLI) FOSS Detect program capabilities (persistence, C2, injection) in executables Ch. 32
FLOSS (Mandiant) MAL X (CLI) FOSS Extract obfuscated and stacked strings from malware Ch. 32
Detect It Easy (DiE) MAL X (GUI) FOSS Identify packers, compilers, and file signatures Ch. 32
PEStudio MAL Win (GUI) Free Static PE triage and indicator review (no execution) Ch. 32
CAPE / Cuckoo Sandbox MAL Lin (web) FOSS Automated dynamic malware analysis in an instrumented sandbox Ch. 32

15. Encryption and password recovery (CRYPT)

Attack protected files and full-disk encryption — within lawful authority. Owned by Chapter 29 — Encrypted Device Forensics.

Tool Cat Platform License / Cost One-line purpose Deep dive
Hashcat CRYPT X (CLI) FOSS GPU-accelerated password/hash recovery (BitLocker, LUKS, VeraCrypt, archives, office docs) Ch. 29
John the Ripper CRYPT X (CLI) FOSS Password cracking plus a huge *2john hash-extractor family Ch. 29
dislocker CRYPT Lin/mac (CLI) FOSS Mount/decrypt BitLocker volumes on Linux/macOS given a key or recovery password Ch. 29
Passware Kit Forensic CRYPT Win (GUI) Commercial ($$–$$$) Decrypt FDE/files/mobile; GPU + distributed attacks; memory-key extraction Ch. 29
Elcomsoft (EFDD / EDPR / EPB) CRYPT Win (GUI) Commercial ($$–$$$) Forensic disk decryptor, distributed cracking, phone breaker Ch. 29

Limitation. Strong, correctly implemented encryption with a high-entropy passphrase and no recoverable key is, for practical purposes, unbreakable — and that is a feature of the math, not a gap in the tool. The realistic paths are the key (in a memory image, escrow, TPM, or recovery key), not brute force against the cipher. "The volume is encrypted and the key is unavailable; the data is inaccessible" is a valid, professional finding (know your limitations).


16. Cryptocurrency investigation (COIN)

Follow the money across public ledgers and attribute addresses. Owned by Chapter 33 — Cryptocurrency Investigation.

Tool Cat Platform License / Cost One-line purpose Deep dive
Chainalysis (Reactor / KYT) COIN web Commercial ($$$$) Blockchain tracing and attribution; LE/enterprise Ch. 33
TRM Labs COIN web Commercial ($$$$) Blockchain intelligence and transaction tracing Ch. 33
Elliptic COIN web Commercial ($$$$) Crypto compliance and tracing Ch. 33
Maltego COIN X (GUI) Free + Commercial ($$) | Link-analysis/OSINT graphing with cryptocurrency transforms | Ch. 33 | | **GraphSense** | COIN | Lin (web) | FOSS | Open-source cryptoasset analytics platform | Ch. 33 | | **Public block explorers** (Etherscan, Blockstream, mempool.space) | COIN | web | Free | Manual transaction tracing on the public ledger | Ch. 33 | --- ## 17. eDiscovery (EDISC) Process, review, and produce in litigation — the 📜 legal end of the pipeline. Owned by [Chapter 25 — The Legal Framework](../part-4-legal-framework-and-reporting/chapter-25-the-legal-framework/index.md). | Tool | Cat | Platform | License / Cost | One-line purpose | Deep dive | |------|-----|----------|----------------|------------------|-----------| | **Relativity / RelativityOne** | EDISC | web | Commercial ($$$$) | The dominant litigation review/processing/production platform | Ch. 25 | | **Nuix** | EDISC | Win (GUI) | Commercial ($$$$) | High-volume processing and investigation engine | Ch. 25 | | **Logikcull / Everlaw / Disco** | EDISC | web | Commercial ($$$) Cloud eDiscovery review for smaller matters and firms Ch. 25

18. Live response and endpoint DFIR (TRIAGE)

Collect and analyze at speed and scale — across one machine or a fleet — respecting the order of volatility. Owned by Chapter 15 — Live Response and Triage Forensics.

Tool Cat Platform License / Cost One-line purpose Deep dive
KAPE TRIAGE/WINART Win (CLI/GUI) Free Targeted artifact collection + processing; the field triage standard (see §6) Ch. 15
Velociraptor TRIAGE X (web/CLI) FOSS Fleet-scale endpoint hunting and collection via VQL — KAPE on a thousand machines Ch. 15
GRR Rapid Response TRIAGE Lin (web) FOSS Remote live forensics at scale (Google) Ch. 15
osquery TRIAGE X (CLI) FOSS Query endpoints' live state like a SQL database Ch. 15
CyLR TRIAGE Win (CLI) FOSS Fast live artifact collection into an archive Ch. 15
Redline (Mandiant) TRIAGE/MEM Win (GUI) Free Host investigation, IOC collection, and triage Ch. 15, 22

19. Forensic OS distributions (DISTRO)

Preconfigured Linux images that bundle most of the open-source bench into a ready lab. Owned by Chapter 37 — Building a Forensic Lab.

Tool Cat Platform License / Cost One-line purpose Deep dive
SIFT Workstation (SANS) DISTRO Lin FOSS Ubuntu DFIR distro bundling TSK, Volatility, plaso, and most open tools above Ch. 37
CAINE DISTRO Lin (live) FOSS Forensic live distro with write-blocking by default Ch. 37
Tsurugi Linux DISTRO Lin (live) FOSS DFIR/OSINT live distro Ch. 37
REMnux DISTRO/MAL Lin FOSS Malware-analysis distro (pairs with the §14 tools) Ch. 32, 37
Paladin (SUMURI) DISTRO Lin (live) Free Imaging-focused live forensic distro Ch. 37

20. Validation and reference data (VALID)

You do not trust a tool because it is popular or expensive — you trust it because it has been validated against known data, and you verify load-bearing findings with a second tool. These are the references that make that defensible; the discipline is owned by Chapter 36 and practice images are catalogued in Appendix J — Practice Images and Lab Setup.

Resource Cat Provided by Cost One-line purpose Deep dive
NIST CFTT (Computer Forensics Tool Testing) VALID NIST Free Specifications + test reports for tool categories (imaging, write-block, carving, mobile…) Ch. 36
NIST CFReDS (Computer Forensic Reference Data Sets) VALID NIST Free Reference images with known ground truth for validation and practice Ch. 36, App. J
NSRL (RDS hash sets) VALID NIST Free Known-software hashes to exclude known-good files and confirm known ones Ch. 36
Project VIC / CAID VALID LE consortia Restricted (LE) Known-CSAM hash sets enabling hash-based handling that minimizes human exposure Ch. 28
Digital Corpora (S. Garfinkel) VALID Digital Corpora Free Practice corpora (govdocs1, m57-Patents) and disk images App. J
SWGDE guidelines / ISO/IEC 17025 VALID SWGDE / ISO Free / accreditation Validation-testing standards; accredited labs must document method/tool validation Ch. 36, 37

Ethics Note. The Project VIC / CAID hash sets exist to identify known illegal material by hash, without a human re-viewing the content — both to make the review tractable and, deliberately, to limit how much an examiner must look at. That is a designed-in mitigation of the secondary trauma this work carries. Configure these hash sets first in any case where contraband may be in scope. Mandatory reporting (18 U.S.C. §2258A), scope discipline, and examiner well-being are owned by Chapter 28 — Ethics. The human cost is real.


Evidence and image formats at a glance

The container, not just the tool, determines what your next tool can read. Keep this next to the keyboard:

Extension(s) Format Read / written by Notes
.dd .raw .img .001 Raw bitstream Everything Flat, uncompressed; largest but universally readable
.E01 .E02 EnCase Expert Witness Format (EWF) EnCase, FTK, X-Ways, Autopsy, libewf, TSK Compressed, hashed, embedded metadata, segmented
.Ex01 EnCase EWF v2 (EnCase 7+) EnCase, X-Ways, libewf Newer EWF variant (optional AES)
.L01 .Lx01 EnCase logical evidence EnCase, X-Ways Container of selected files with metadata, not a full disk
.AD1 AccessData logical image FTK / FTK Imager Logical custom-content image
.aff4 Advanced Forensics Format 4 pyaff4 and supporting tools Modern; supports sparse, layered, and cloud sources
.vmdk .vhd(x) .vdi Virtual disks Most suites; Arsenal Image Mounter Image or mount VMs directly
.dmg Apple disk image macOS, several suites macOS acquisition/target
.UFDR Cellebrite report package Cellebrite Reader / Physical Analyzer Shareable mobile extraction report
.raw .lime .vmem .dmp Memory images Volatility, MemProcFS RAM captures (.vmem = VMware; .dmp = crash dump)
.pcap .pcapng Packet capture Wireshark/tshark, Zeek, NetworkMiner, tcpdump Network evidence

Quick-invocation cheat sheet

A minimal, copy-near-it starter for the CLI workhorses. Illustrative — never run against original evidence; work on verified copies. Full flags and many more tools are in Appendix H — Command-Line Reference.

# ── ACQUIRE (behind a write-blocker) ──────────────────────────────────────────
ewfacquire -t /ev/case01/disk -c best -d sha256 /dev/sdX      # → E01, compressed+hashed
dcfldd if=/dev/sdX of=/ev/case01/disk.dd hash=sha256 hashlog=disk.hashes bs=4M
ddrescue -d -r3 /dev/sdX failing.img failing.map             # failing media (resumable)

# ── VERIFY INTEGRITY ──────────────────────────────────────────────────────────
ewfverify disk.E01                                           # recompute vs. stored hash
hashdeep -r -c sha256 ./recovered > recovered.hashes         # recursive, auditable
hashdeep -a -k baseline.hashes -r ./recovered               # audit a tree vs. known set

# ── FILE SYSTEM (The Sleuth Kit) — mmls offset is in 512-byte SECTORS ─────────
mmls disk.E01                                               # find partition start sectors
fls   -o 1024000 -r -p disk.E01                             # list files incl. deleted (*)
istat -o 1024000 disk.E01 5830                              # one entry: metadata + MACB
icat  -o 1024000 disk.E01 5830-128-3 > out/recovered.xlsx   # recover a file BY inode
tsk_recover -e -o 1024000 disk.E01 ./export                 # bulk export (alloc+unalloc)
blkls -o 1024000 disk.E01 > unalloc.bin                     # extract unallocated for carving

# ── CARVE (metadata is gone) ──────────────────────────────────────────────────
photorec unalloc.bin                                        # interactive signature carving
scalpel  -o carve_out unalloc.bin                           # config-driven carver
bulk_extractor -o bx_out disk.E01                           # features: email/url/ccn/gps/aes_keys

# ── METADATA · NETWORK · MEMORY ───────────────────────────────────────────────
exiftool -a -G1 -s photo.jpg                               # all tags, grouped (GPS/camera/times)
tshark -r cap.pcapng -Y 'http.request.method=="POST"' \
       -T fields -e ip.dst -e http.host -e http.request.uri  # extract HTTP POSTs
vol -f mem.raw windows.pslist                              # Volatility 3: processes

The Windows-side one-liner every examiner runs reflexively — confirm two tools recovered byte-identical content:

# Same artifact recovered by two independent tools must hash-match (working copies only).
$a = (Get-FileHash -Algorithm SHA256 .\autopsy_out\recovered.xlsx).Hash
$b = (Get-FileHash -Algorithm SHA256 .\xways_out\recovered.xlsx).Hash
if ($a -eq $b) { "AGREE  $a" } else { "CONFLICT  A=$a  B=$b  -- investigate" }

Template: tool and version log

Record every tool and its exact version in your case notes — version numbers are part of the chain of custody because results can differ across versions. Drop this block into the methodology section of your report (Chapter 26 — The Forensic Report); the chain-of-custody and report forms are in Appendix F.

TOOL & VERSION LOG                                  (attach to case notes / CoC)
Case: ____________________   Examiner: ____________________   Date: ___________
Evidence item / image: __________________________   Acq. SHA-256: ____________
┌─────────────────────────┬───────────┬───────────────┬──────────────────────────┐
│ Tool                    │ Version   │ Validated?    │ Used for (artifact/finding)│
├─────────────────────────┼───────────┼───────────────┼──────────────────────────┤
│ FTK Imager              │ 4.7.x     │ CFTT + self   │ Acquisition → disk01.E01  │
│ The Sleuth Kit          │ 4.12.1    │ CFReDS + self │ Deleted-file recovery     │
│ X-Ways Forensics        │ 21.x      │ self          │ Dual-tool verify (hash ✓) │
│ Registry Explorer       │ x.x       │ self          │ USBSTOR first/last connect│
│ Volatility 3            │ 2.x       │ self          │ Memory: pslist / netscan  │
│ ____________________    │ ________  │ _____________ │ _________________________ │
└─────────────────────────┴───────────┴───────────────┴──────────────────────────┘
Dual-tool confirmations (finding → tool A / tool B → matching SHA-256):
  1) ____________________________________________________________________________
  2) ____________________________________________________________________________
Conflicts found and resolved (a conflict is information, not a nuisance): ________

Choosing from this catalog (pointer)

The catalog answers "which tool does X?" It does not answer "which tool should I use here?" — that is judgment, and it is owned by Chapter 36 — The Forensic Toolkit. The short version, for the keyboard:

  1. Start from the evidence and the question, not the brand. Disk → §3/§4/§5; phone → §12; RAM → §10; packets → §11; account → §13.
  2. Decide recovery vs. forensics. Recovery optimizes for getting bytes back; forensics adds write-blocking, hashing, chain of custody, and dual-tool verification for court.
  3. Match the budget. A real career can start at $0 (Autopsy/TSK, Volatility, Wireshark, bulk_extractor, EZ tools, PhotoRec/TestDisk, ExifTool — all on a SIFT/CAINE workstation). Buy commercial for scale, support, currency, and — for mobile and cloud — capability you cannot get free.
  4. Match the court. Prefer validated (CFTT/CFReDS), widely accepted, explainable tools; you must be able to defend on the stand what the tool did and why you trust it (Chapter 27 — Expert Testimony).
  5. Verify load-bearing findings with a second, independent tool — ideally one open-source and one commercial, from different codebases. When two independent tools agree, the finding is robust; when they disagree, you have found something to run to ground before it reaches the report.

Legal Note. Under Daubert, your tool choice is evidence about testability, error rate, standards, and general acceptance. "I used The Sleuth Kit and confirmed with X-Ways; both are widely used, TSK's source is open, and CFTT has tested the relevant function" speaks directly to admissibility. "I used a tool I can't fully explain" invites exclusion. Choosing court-recognized, validated tools is building admissibility in from the first command — doctrine in Chapter 25; the certifications that signal tool competence in Appendix I — Certification Roadmap.


Cross-reference: deep dives by chapter

Where each category is taught in full (relative links):

Related appendices: A — File Signatures · B — Python Forensics Toolkit · D — Artifact Locations · E — Legal Frameworks · F — Chain of Custody & Report Templates · G — File-System Reference · H — Command-Line Reference · I — Certification Roadmap · J — Practice Images & Lab Setup · Glossary · Bibliography

One line to carry forward: the tool does not testify — you do; this catalog names the instruments, but your understanding and judgment are what the instruments serve.