Autopsy
Autopsy is the open-source forensic workstation built on The Sleuth Kit. It ingests disk images and runs ingest modules that recover deleted files, parse browser caches and chat logs, carve unallocated space, run keyword searches, and match file hashes against known-good and known-bad hash sets, presenting everything in a navigable tree. Load the evidence, pick the ingest modules you need, and generate reports and timelines for a court-ready overview. Modular and free, it is the intuitive investigator's hub for dissecting drives without getting lost in the bits. Hash the image before and after the case: the report is only as defensible as the evidence chain behind it.
The Sleuth Kit
The Sleuth Kit is the open-source file system forensics library and CLI toolset underneath Autopsy. mmls lists partitions and the unallocated gaps between them, fls walks directory entries (deleted ones included) on NTFS, FAT, EXT4, HFS+ and other file systems, icat extracts a file by its metadata address, and blkls pulls unallocated or slack blocks for carving. Script it for batch work: fls in body-file mode emits one line per file that mactime sorts into a timeline, and the same output feeds GUIs and super-timeline tools. Robust and precise, it is the pick for analysts extracting structure from chaotic storage.
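What mactime does with that body file is simple enough to show in full. The following is an added example in Python, not The Sleuth Kit's own code: it parses the 11-field body-file format that fls -m emits (and that Plaso's mactime parser also reads), expands each file into one event per distinct timestamp with the familiar macb flags, sorts them, and runs one triage check over the records. The BODY lines are constructed to look like fls output and do not come from a real image.

```python
"""Minimal mactime: expand a Sleuth Kit body file into a sorted timeline.

Added example, not part of The Sleuth Kit. BODY is constructed to look like
`fls -r -m / image.dd` output; it is not from a real image.
"""
from collections import defaultdict
from datetime import datetime, timezone

# TSK 3.x body-file format (11 pipe-separated fields):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODY = """\
0|/Users/alice/Downloads/invoice.zip|1234-128-3|r/rrwxrwxrwx|0|0|48213|1700000100|1700000000|1700000000|1699999990
0|/Users/alice/AppData/Roaming/Microsoft/Windows/Recent/invoice.lnk|1235-128-1|r/rrwxrwxrwx|0|0|1024|1700000000|1700000000|1700000000|1700000000
0|/Windows/System32/drivers/evil.sys|4321-128-3|r/rrwxrwxrwx|0|0|90112|1700000300|1600000000|1700000250|1700000250
"""


def parse_records(text):
    """Parse body-file lines into dicts; skips blank and comment lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        records.append({
            "name": name, "inode": inode, "mode": mode, "size": int(size),
            # m = modified, a = accessed, c = metadata changed, b = born (created)
            "m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime),
        })
    return records


def expand_events(records):
    """One event per distinct timestamp per file, flagged 'macb' like mactime does."""
    events = []
    for rec in records:
        by_ts = defaultdict(list)
        for flag in "macb":
            ts = rec[flag]
            if ts > 0:  # TSK writes 0 when the file system does not keep that timestamp
                by_ts[ts].append(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append((ts, macb, rec["name"], rec["inode"], rec["size"]))
    events.sort()  # chronological; ties broken by flags, then path
    return events


def format_timeline(events):
    """Render events as mactime-style rows (UTC)."""
    rows = []
    for ts, macb, name, inode, size in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{when} {macb} {size:>8} {inode} {name}")
    return rows


def modified_before_created(records):
    """Triage check: files whose M time predates their B (creation) time.

    This happens legitimately for files copied in from elsewhere (a copy keeps
    the source mtime and gets a fresh creation time), but it is also the
    signature of timestomping, so these deserve a second look, not a verdict.
    """
    return [r["name"] for r in records if 0 < r["m"] < r["b"]]


if __name__ == "__main__":
    recs = parse_records(BODY)
    for row in format_timeline(expand_events(recs)):
        print(row)
    print("mtime < crtime:", modified_before_created(recs))
```

Run it and the three constructed files become seven timeline rows; the driver whose modification time sits four years before its creation time is the one the triage check flags. On a real body file, feed the same rows into whatever super-timeline tool you use rather than reading them by hand.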
RegRipper
RegRipper is the Perl-based registry parser that runs plugins against Windows hives: NTUSER.DAT and UsrClass.dat for user activity such as RecentDocs, UserAssist and TypedURLs, SYSTEM for USB device history and services, SOFTWARE for installed software and network profiles. Point rip.pl at a hive with a single plugin or a profile of plugins and it emits text reports; many plugins have _tln variants that emit timeline lines for merging into a super-timeline. Plugin-packed and open-source, it is the keyhole surgeon for unlocking user stories from the hive's depths. One caveat: a hive copied from a live system is often dirty, with the latest changes still in its .LOG1 and .LOG2 transaction logs, so replay those into the hive first or the newest keys will be missing.
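To see what a plugin such as userassist actually decodes, here is an added example in Python (not RegRipper's code) that decodes one UserAssist Count entry by hand: the value name is ROT13-obfuscated, and the 72-byte Windows 7 and later value carries the run count at offset 4, the focus count at 8, the focus time in milliseconds at 12 and the last-run FILETIME at 60. The value name and bytes below are constructed for the demo, not captured from a hive; the known-folder GUID mapping is the one documented for System32.

```python
"""Decode a Windows 7+ UserAssist value, as RegRipper's userassist plugin does.

Added example (Python), not RegRipper's own code. SAMPLE_NAME and
SAMPLE_VALUE are constructed for the demo; the layout (ROT13 name, 72-byte
value with run count @4, focus count @8, focus ms @12, FILETIME @60) is the
documented Win7+ format.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs that Windows substitutes into UserAssist paths.
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32"}


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'never run'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample value."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist(name, value):
    """Return a dict describing one UserAssist\\{GUID}\\Count value."""
    if len(value) != 72:
        raise ValueError(f"expected 72-byte Win7+ value, got {len(value)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value, 4)
    (last_run_ft,) = struct.unpack_from("<Q", value, 60)
    program = codecs.decode(name, "rot13")  # value names are ROT13 obfuscated
    for guid, folder in KNOWN_FOLDERS.items():
        program = program.replace(guid, folder)
    return {
        "program": program,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte value for the demo (not captured from a real hive)."""
    ft = 0 if last_run is None else datetime_to_filetime(last_run)
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)  # session, counts, focus ms
            + b"\x00" * 44                                             # float fields we do not decode
            + struct.pack("<Q", ft)                                    # last executed, FILETIME
            + b"\xff\xff\xff\xff")                                     # trailing DWORD, usually 0xFFFFFFFF


# ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe" (constructed sample)
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_VALUE = build_sample_value(7, 3, 15000, datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for k, v in decode_userassist(SAMPLE_NAME, SAMPLE_VALUE).items():
        print(f"{k:>14}: {v}")
```

The decode reports cmd.exe under System32, run 7 times, last at 2024-01-15 10:30 UTC. A zero FILETIME is reported as None rather than 1601-01-01, which is the mistake you see in home-grown scripts; RegRipper's plugin handles that case the same way.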
Plaso Artifact Parsers
Plaso's parsers are the event harvesters behind log2timeline: each parser or parser plugin turns one artifact format (Windows event logs and registry hives, Chrome history, Android SMS databases, syslog, and many more) into timestamped events in a Plaso storage file, which psort then sorts, filters and tags into a super-timeline for cross-platform IR. Select parsers with --parsers or a preset, and narrow what is collected from an image with ForensicArtifacts YAML definitions via --artifact_filters, so only the files that matter are parsed. Extensible and open-source, it is the aggregator that turns disparate artifacts into a cohesive incident mosaic. A full run over a large image takes hours and yields millions of events, so filter at collection and tag at output rather than reading the whole thing.
Bulk Extractor
Bulk Extractor is the non-file-aware carver that scans raw images, memory dumps or any byte stream for features (email addresses, URLs, credit card numbers, phone numbers, domains, EXIF blocks and more) with compiled scanners rather than file system parsing, so artifacts in unallocated space, slack and fragments of deleted files are found regardless of FS boundaries. It recurses into compressed and encoded data (zip, gzip, base64), so a feature inside an archive is still found, and credit card candidates are Luhn-checked to cut false positives. Run it on a dump to get one feature file per scanner, each row carrying the byte offset, the feature and its surrounding context, plus histogram files for quick stats; enable or disable scanners to suit the hunt. Parallel and open-source, it is the indiscriminate miner for unearthing hidden gems in unstructured data.
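The core of that approach fits in a few dozen lines. The following is an added example in Python, not bulk_extractor's code: it scans a raw buffer with no notion of files, keeps card-number candidates only if they pass Luhn, and writes feature-file style rows of offset, feature and context plus a histogram. It does not recurse into compressed or encoded data, which real bulk_extractor does. IMAGE is a constructed buffer for the demo, with NUL padding standing in for unallocated space.

```python
"""Bulk-Extractor-style feature carving over a raw byte image.

Added example, not bulk_extractor's code. IMAGE is constructed for the demo.
"""
import re
from collections import Counter

SCANNERS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"),
    "url":   re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9./?=&_%+-]*)?"),
    # 13-19 digits, optional single space/dash between digits, not inside a longer digit run
    "ccn":   re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])"),
}
CONTEXT = 12  # bytes of context either side, like bulk_extractor's third column

# Constructed sample "image": mail headers, a payment URL and a test card number,
# then slack, then a fragment of a deleted file and some digit runs that are not cards.
IMAGE = (
    b"\x00" * 64
    + b"From: alice@example.com\r\nTo: bob@example.org\r\n"
    + b"Subject: invoice\r\n\r\nSee https://example.com/pay?id=42 card 4111 1111 1111 1111 thanks\r\n"
    + b"\x00" * 48
    + b"...fragment of a deleted file: order 4111111111111112 mailto alice@example.com\x00"
    + b"session 1700000000 token 123456789012\x00"
)


def luhn_ok(digits):
    """Luhn checksum over ASCII digit bytes; bulk_extractor applies the same test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(image):
    """Return {scanner: [(offset, feature, context), ...]} for every hit in the buffer."""
    found = {name: [] for name in SCANNERS}
    for name, pattern in SCANNERS.items():
        for m in pattern.finditer(image):
            feature = m.group(0)
            if name == "ccn":
                digits = re.sub(rb"[ -]", b"", feature)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # drop non-Luhn candidates, e.g. order numbers
            ctx = image[max(0, m.start() - CONTEXT): m.end() + CONTEXT]
            found[name].append((m.start(), feature, ctx))
    return found


def feature_file(found, name):
    """Render one scanner's hits as tab-separated rows: offset, feature, context."""
    return [f"{off}\t{feat.decode('latin-1')}\t{ctx.decode('latin-1')!r}"
            for off, feat, ctx in found[name]]


def histogram(found, name):
    """Occurrence counts per feature, the email_histogram.txt idea."""
    return Counter(feat for _, feat, _ in found[name])


if __name__ == "__main__":
    hits = scan(IMAGE)
    for name in SCANNERS:
        print(f"== {name}.txt")
        print("\n".join(feature_file(hits, name)))
    print(histogram(hits, "email"))
```

The 4111 1111 1111 1111 test number survives, the 4111111111111112 order number fails Luhn and is dropped, and the 10- and 12-digit runs never match because the scanner demands at least 13 digits. The offsets are what you carry into a file-system-aware tool afterwards to learn which file, if any, a hit belongs to.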
NirSoft Utilities
NirSoft Utilities are a suite of small, portable Windows viewers, one standalone EXE per artifact class: BrowsingHistoryView for history across browsers, USBDeview for attached-device history, WebBrowserPassView for stored credentials, and dozens more, each exporting to CSV, HTML or XML. Run one from removable media on a live system, point it at the current profile or at an offline profile folder, and export a dated listing without installing anything. Free and lightweight, they are the grab-bag gadgeteer for examiners cherry-picking user artifacts on the go. Two caveats: several of them are flagged by antivirus as hacktools because they dump credentials, and anything run on a live box changes that box, so record what you ran, when, and the hashes of the binaries.
Wevtx
Wevtx is a Windows Event Log parser that decodes binary .evtx files into readable records, so you can filter on Event IDs such as 4624/4625 logons, 4672 special-privilege assignments, or 4719 audit-policy changes to spotlight insider actions. Use its CLI for batch processing and output XML or CSV for SIEM feeds or reports. Event-focused and open-source, it is the log whisperer for analysts decoding system stories from event noise. Check the log's size and retention before reading anything into an absence of events: on a busy host the Security log can wrap in hours.
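Once the records are in XML, the filtering is the interesting part. Below is an added example in Python, not part of Wevtx or any other EVTX parser: it reads events in the Windows event XML schema (what .evtx export tools emit), flattens EventData into a dict, pulls out successful network and RDP logons with their source address, and counts failed logons per source to surface password spraying. RECORDS is a constructed excerpt built by a small helper; the Event IDs and LogonType codes are Microsoft's.

```python
"""Filter logon events out of EVTX records rendered as XML.

Added example, not part of any EVTX parser. RECORDS is a constructed sample
in the Windows event XML schema; Event IDs 4624/4625 and LogonType codes
are Microsoft's.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, when, computer, **data):
    """Build one <Event> for the constructed sample; not part of the parser."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


RECORDS = "<Events>" + "".join([
    _event(4624, "2024-01-15T08:00:01Z", "WS01", TargetUserName="alice", LogonType=2, IpAddress="-"),
    _event(4624, "2024-01-15T08:05:17Z", "WS01", TargetUserName="alice", LogonType=10, IpAddress="10.0.0.5"),
    *[_event(4625, f"2024-01-15T08:1{i}:00Z", "DC01", TargetUserName="administrator",
             LogonType=3, IpAddress="192.0.2.10") for i in range(4)],
    _event(4625, "2024-01-15T08:20:00Z", "DC01", TargetUserName="bob", LogonType=3, IpAddress="10.0.0.7"),
    _event(4624, "2024-01-15T08:21:00Z", "DC01", TargetUserName="svc_backup", LogonType=3, IpAddress="10.0.0.9"),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into a dict: id, time, computer plus its EventData fields."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        out.append({
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
            **data,
        })
    return out


REMOTE_LOGON_TYPES = {"3": "network", "10": "remote interactive (RDP)"}


def remote_logons(events):
    """Successful logons (4624) that arrived over the network, with the source address."""
    return [(e["time"], e["computer"], e["TargetUserName"],
             REMOTE_LOGON_TYPES[e["LogonType"]], e["IpAddress"])
            for e in events if e["id"] == 4624 and e["LogonType"] in REMOTE_LOGON_TYPES]


def failed_logon_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed logons (4625): brute-force/spray triage."""
    counts = Counter(e["IpAddress"] for e in events if e["id"] == 4625)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(RECORDS)
    for row in remote_logons(evs):
        print("remote logon:", *row)
    print("failed-logon sources:", failed_logon_sources(evs))
```

The console logon (type 2, IpAddress "-") is deliberately excluded, and only the 192.0.2.10 source crosses the failure threshold. Keep the threshold and the list of logon types as parameters: on a terminal server, type 10 logons from many addresses are normal, and on a domain controller the baseline failure rate is far above three.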
Artifact Viewer (Magnet AXIOM)
Magnet AXIOM's Artifact Viewer is the polished categorizer that groups extracted items (chat threads, GPS tracks, browser records, cloud-synced content) into browsable categories with relevance scoring, for mobile, cloud and computer forensics alike. Process an image in the free trial, then filter artifacts by timeline or keyword for a focused review. Commercial, with a trial, it is the organized archivist for pros streamlining evidence hunts.
Rekall Artifact Extraction
Rekall's artifact extraction pulls structured data out of memory dumps (process command lines, loaded modules, registry values cached in RAM, network connections) and feeds it into timelines for malware behaviour mapping. Query it from the interactive console for ad-hoc pulls and combine plugins to dig into injected code. Memory-native and open-source, it is the volatile vault-keeper for examiners reclaiming clues from RAM's fleeting grasp. Note that Rekall is no longer maintained (the repository was archived in 2020), so profiles for current Windows builds are missing; Volatility 3 is the actively developed alternative.
DFIR Artifact Parser

