Tools

Sdba Parser is an AutoIt tool that carves and parses Sdba memory pool tags (produced by Windows 7) from any input file. Sdba memory pool tags contain executable file paths and NTFS last written timestamps (at time of execution). ...

NetWire Log Decoder is an AutoIt tool that carves and parses (a/k/a scans, filters, and decodes) NetWire log data from files or devices. NetWire versions 1.6 and 1.7, on Windows and Linux, have been tested.

The exploitation of Windows hibernation files to “look back in time” and uncover compelling evidence is crucial to digital forensics practitioners. Hibernation Recon not only supports active memory reconstruction from Windows XP, Vista, 7, 8/8.1, 10, and 11 hibernation files, but...

HBIN Recon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry hives. Examples of HBIN Recon input include healthy Registry hives, fragmented hives, hive transaction logs, Transactional Registry (TxR) files,...

Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely failed and extracting healthier (more intact) hives when other solutions have appeared to run successfully. Hive Recon can also extract hives...

CyberGate Keylogger Decryption Tool is a Python tool that can be used against CyberGate encrypted keylogger files to decode the cipher text and return the original plaintext that was captured by the Remote Access Trojan (RAT).

Gmail URL Decoder is a Python tool that can be used against plaintext or arbitrary raw data files in order to find, extract, and decode information from Gmail URLs related to both the new and legacy Gmail interfaces.

Many Windows®-based disk image mounting solutions mount the contents of disk images as shares or partitions, rather than complete (aka "physical or "real") disks, which limits their usefulness to digital forensics practitioners and others. Arsenal Image Mounter mounts the contents of...

Triage-Investigator® PRO is intelligent forensic triage for iOS/Android and computer investigations. Deploy to the front-line investigator to collect, analyze and report on digital evidence to prove your case. Investigate iOS, Android, Mac, Linux and Windows. TINV PRO has powerful boot capabilities, is forensically...

Triage-Investigator® is ADF's automated intelligent forensic triage tool designed for field deployment with Digital Evidence Investigator®. The software has a proven track record of providing easy and quick access to court defendable evidence. Forensic Examiners can process cases and leverage investigators to assist forensic...