Here is a list of 13 free computer forensic software. The list is not exhaustive but serves to illustrate what digital forensic tools are and what can be done with them:

List of free forensic software

Below you will find a list of 13 free forensic software. This is not an exhaustive list, but it serves to illustrate what digital forensic tools are and what you can do with them. In some cases, you will find toolkits that group together several tools to facilitate the use of all the features of related software. While there are some differences between digital forensic tools, the bottom line is that they offer myriad options for collecting data during an investigation. It is also worth noting that the field of digital forensics is evolving rapidly with the constant release of new tools and features that adapt to ever-evolving devices.


With so many offerings, it can be difficult to choose the perfect tool for your needs.

When choosing a digital forensic tool, expertise is a critical component to think about. Some tools are designed for people with basic skills, while others require more advanced knowledge. It is advisable to compare your current skills with those required by the tool, so that you can choose the most effective tool that you are able to use.

Here is the list of 13 free forensic software:

Free Hex Editor Neo


Free Hex Editor Neo is the fastest binary file editor optimized for the Windows platform, developed by HHD Software Ltd. It is distributed under the “Freemium” model which provides all basic editing functions for free.

The basic features are as follows: Type, Cut, Copy, Paste, Fill, Delete, Insert, Import and Export, as well as having advanced features as well. Overwrite and insert modes are supported. You can also exchange binary hexadecimal data with other applications through the clipboard. This free binary file editing utility also offers the following features: Unlimited Undo/Redo; GoTo Offset; saving/loading operation history; 32bit/64bit patching; search/replace of hexadecimal/octal/float/double data and binary codes; grouping by bytes, words, double words, quadruple words.

Freeware Hex Editor Neo is extremely useful for viewing, editing and analyzing hexadecimal data in large files and disks. For example, if you want to search and replace a text/hexadecimal/binary pattern in a 1GB – 1TB file, you will find no competitors for this product.

SLoad Free Hex Editor Neo now and start editing binaries in seconds!

Sans sift

An Ubuntu-based Live CD, called the SANS Investigative Forensic Toolkit (SIFT), has all the tools you need to do a forensic investigation or incident response. It allows you to analyze RAW (dd), Advanced Forensic Format (AFF), and Expert Witness Format (E01) evidence formats. SIFT comes with a number of tools, including log2timeline, Scalpel, Waste and many more. These programs can be used to create a timeline from system logs, hack data files and examine the recycle bin.

More than 200 forensics, incident response and pentesting tools are already pre-installed on SIFT Workstation. The latest versions of many fan-favorite tools have been released, including RegRipper, Plaso/log2timeline, and Volatility. The legacy forensic project repository, installed alongside the latest tools, has long been one of the good things about SIFT. When dealing with damaged drives or partitions, programs like ddrescue and testdisk have proven to be really useful. You can use CyberChef's web interface and malware analysis tools like pdf-parser, UPX and radare2, for all your decryption needs. The Sleuth Kit and the amazing libyal libraries, which are pre-installed, are essential forensic tools that make it easy to access file system forensics and analyze different formats such as Windows Volume Shadow.

Download SansSift

Crowd Strike Crowd Response

CrowdResponse is a lightweight console application that can be used as part of an incident response scenario to collect contextual information such as job list, scheduled tasks or Shim Cache. You can also scan the host for malware and report any indicators of compromise.

To run CrowdsResponse, extract the ZIP file and launch a command prompt with administrative privileges. Navigate to the folder where the CrowdResponse*.exe process resides and enter the command parameters. You need to include at least the output path and the "tool" you want to use to collect the data. For a complete list of "tools", type CrowdResponse64.exe in the command prompt and you will see a list of supported tool names and example parameters.

Details on usage and reported results can be found in the CrowdResponse User Guide.pdf file included in the download.

Download Crowd Strike Crowd Response


Xplico is widely used and is installed in major digital forensics and penetration testing distributions.

Xplico is an open source network forensic analysis (NFAT) software. It has the ability to extract application data from Internet traffic (for example, Xplico can extract an email message from POP, IMAP or SMTP traffic). It is also highly adaptable software as it supports a multitude of protocols (eg HTTP, SIP, IMAP, TCP, UDP), TCP reassembly and has the ability to output data to a MySQL or SQLite database.

Download Xplica

Helix3 Free


E-fense Elix-3 offers attractive options to meet your computer forensics and cyber security needs.

If you need network-wide visibility to protect against malicious behavior, policy violations, and hacking, Helix3 Enterprise is for you.

If, on the other hand, you need to acquire Internet history, passwords and RAM data, the most suitable is Live Response.

If you are looking for the original and free Helix (2009R1), click the link below

Download Helix3 Free

Paladin Forensic Suite

PALADIN is a modified "live" Linux distribution based on Ubuntu that simplifies various forensic tasks properly through the PALADIN Toolbox. PALADIN is available in 64-bit and 32-bit versions.

Virtualization is now included in PALADIN PRO with CARBON VFS.

PALADIN PRO now includes CARBON pre-installed for examiners who wish to test the software.

Download Paladin Forensic Suite

USB Historian

Analyze USB connection history.

Microsoft Windows operating systems record artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected. These artifacts are found in Plug and Play (PnP) log files and the Windows Registry.

For a forensic investigator dealing with data theft, movement or access, this tool can play a vital role in the investigation.

Contains a cached copy of the USB IDs from If available, VID/PID values ​​are searched to provide additional information about the device.

Parses the computer name to help locate USB devices used on multiple computers.

View over 20 attributes

Guided analysis

Analyze SetupAPI logs (and backup logs).

It is capable of parsing multiple NTUSER.DAT files at a time.

Requirements: Microsoft .NET Framework v4.0

Free for personal and commercial use

Download USB Historian

MAGNET Encrypted Disk Detector

MAGNET Encrypted Disk Detector is a command-line tool that allows you to quickly and non-intrusively check for encrypted volumes on a computer system during incident response. You may then decide to investigate further and determine whether a live capture is necessary to protect and preserve evidence that would otherwise be lost if the plug were pulled.

Encrypted Disk Detector scans a system's local physical drives for TrueCrypt, PGP®, VeraCrypt, Check Point-related processes, SafeBoot, or Bitlocker® encrypted volumes.

Download Magnet Encrypted Disk Detector


Wireshark is the world's leading network protocol analyzer. It allows you to see what is happening on the network at a microscopic level. It is the de facto (and often de jure) standard in many industries and educational institutions.

Wireshark's development thrives on the input of networking experts from around the world. It is the continuation of a project started in 1998.

Download Wireshark

Network Miners

NetworkMiner is an open source network forensics software that extracts files, images, emails and passwords, from network traffic captured in PCAP files. NetworkMiner can also be used to capture network traffic in real time by sniffing a network interface. Detailed information about each IP address in the analyzed network traffic is aggregated into a network host inventory, which can be used for passive resource discovery and to get an overview of which devices are communicating. NetworkMiner was primarily designed to run on Windows, but can also be used on Linux and macOS.

Since the first release in 2007, NetworkMiner has become a popular tool among incident response teams and law enforcement agencies. Today NetworkMiner is used by companies and organizations all over the world.

Download Network Miner


Older versions (and sometimes new test releases) are available in the Nmap release archive (and really old ones are in dist-old). For more demanding users, GPG detached signatures and SHA-1 hashes for each release are available in the sigs directory (verification instructions). Before downloading, be sure to read the relevant sections for your platform from the Nmap Installation Guide. The most important changes (features, bug fixes, etc.) of each version of Nmap are described in the Changelog.

Download npcap


CAINE or Computer Aided Investigative Environment is an open-source platform used in forensics. The software, which is distributed by Linux/GNU, offers functionality in the process of forensic investigation, collection, examination, analysis and preservation.

Caine offers a complete forensic environment that can integrate with existing software. It also works with a smooth and easy to use interface.

CAINE is highly regarded for its accuracy and that is why many experts use this software.

It can also do cloning. For this purpose, applications such as Clonezilla are used. With this cloning feature, you can create backup software and computer images without restrictions.

An important feature of Caine is that it brings together different software for all types of analysis.

Download Caine


MVT is one of the best forensic software for iOS and Android that allows you to read encrypted backups and discover traces of malware that may be present in the system. Among the data made available, you will also find the list of apps that are installed on your smartphone.

Download MVT

Here you can find others Free Forensic Tools

error: Content is protected !!