10 Best Known Forensics Tools That Work on Linux

Nowadays, computer (digital) forensics is very important because of crimes involving computers, the Internet and mobile devices. Pieces of evidence such as computers and other digital devices contain or store sensitive information that can be useful to the forensic investigator in a particular crime or incident.

A digital forensic investigation requires tools to extract the desired information from the devices. Several commercial tools exist for forensic investigation, but a large amount of money is required to buy them. The open source community has also contributed to this field, and there are several open source tools for digital forensics. In this article, the best tools related to digital forensics are explored.

Before exploring the well-known tools for digital forensics, the following Linux distributions, which contain many free forensic tools, are listed.

1) SIFT (SANS Investigative Forensic Toolkit)

An international team of forensics experts, along with SANS instructors, created the SANS Investigative Forensic Toolkit (SIFT) Workstation for incident response and digital forensics use. The SIFT forensic suite is freely available to the whole community. The free SIFT toolkit, which is used in SANS courses, can match any modern incident response and forensic tool suite. It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open source tools that are freely available and frequently updated.


Features of the SIFT distribution are the following:

  • Ubuntu LTS 14.04 base
  • 32/64-bit base system
  • Latest forensic tools and techniques
  • VMware appliance ready to tackle forensics
  • Cross compatibility between Linux and Windows
  • Option to install stand-alone (via .iso) or use via VMware Player/Workstation

2) CAINE (Computer Aided Investigative Environment)

CAINE is a Linux live distribution created as a digital forensics project. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.


The main objectives that the CAINE distribution aims to guarantee are the following:

  • an interoperable environment that supports the digital investigator during the four phases of the digital investigation
  • a user-friendly graphical interface
  • open source tools

3) Kali (formerly BackTrack)

Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. Kali Linux is the first choice of penetration testers and security professionals. It has security tools for different purposes; open source tools for mobile, network and RAM analysis are available in Kali Linux.


4) DEFT Linux (Digital Evidence & Forensics Toolkit)

DEFT is a distribution made for computer forensics, with the purpose of running live on systems without tampering with or corrupting devices (hard disks, pendrives). It is based on GNU/Linux and it can run live (via CD/DVD or USB pendrive), be installed, or run as a virtual machine on VMware/VirtualBox. DEFT is paired with DART (Digital Advanced Response Toolkit), a forensics system which can be run on Windows and contains the best tools for forensics and incident response.


5) Matriux

Matriux is a fully featured security distribution based on Debian, consisting of a powerful bunch of more than 300 open source and free tools that can be used for various purposes including, but not limited to, penetration testing, ethical hacking, system and network administration, cyber forensics investigations, security testing, vulnerability analysis, and much more. It is a distribution designed for security enthusiasts and professionals, although it can also be used normally as your default desktop system.


Matriux is designed to run from a live environment like a CD/DVD or USB stick, or it can easily be installed to your hard disk in a few steps. Matriux also includes a set of computer forensics and data recovery tools that can be used for forensic analysis, investigations and data retrieval.

6) Santoku

Santoku is dedicated to mobile forensics, analysis, and security, and is packaged in an easy-to-use, open source platform. It is sponsored by the mobile security firm NowSecure.


Free Forensic Tools for Linux

There are several categories of computer forensics tools; however, the following are the well-known categories:

  • Memory forensic analysis
  • Hard drive forensic analysis
  • Forensic imaging
  • Network forensics

7) Volatility

Memory analysis has become one of the most important topics for the future of digital investigations, and Volatility has become the world's most widely used memory forensics platform. It is a well-known memory forensics framework for incident response and malware analysis which allows extracting digital artifacts from volatile memory (RAM) dumps. Volatility has been used in some of the most critical investigations of the past decade.
Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded by each process, cached registry hives, process IDs, and more. It has become an indispensable digital investigation tool relied upon by law enforcement, military, academia, and commercial investigators throughout the world. The Volatility framework supports both Windows and Linux platforms for forensic investigation.

8) Linux "dd" utility

The "dd" utility comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zeroing out a drive) and creating a raw image of a drive. It is a very powerful tool that can have devastating effects if not used with care: swapping the if= and of= arguments overwrites the evidence drive instead of imaging it. It is recommended that you experiment in a safe environment before using this tool in the real world.
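As an added example (not from the original article), the two dd tasks just described, taking a raw image and wiping media, each followed by the verification step an examiner records alongside it: the image is hashed against its source, and the wiped target is checked to read back as nothing but zero bytes. A constructed 1 MiB sample file stands in for the evidence device so the script runs anywhere without real hardware; on a live system the source would be a block device such as /dev/sdb (confirm the name with lsblk first), and both digests would go into the case notes.

```shell
#!/bin/sh
# Added example, not from the original article: raw imaging and wiping with dd,
# each followed by a verification step. A constructed sample file stands in for
# the evidence device so the script runs without real hardware.
set -eu

WORK="${TMPDIR:-/tmp}/dd_demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed "evidence": 1 MiB of random bytes, a whole multiple of the block
# size just as a real disk is (see the conv=sync note below).
make_sample_source() {
    dd if=/dev/urandom of="$WORK/source.bin" bs=4096 count=256 2>/dev/null
    echo "$WORK/source.bin"
}

# SHA-256 digest only: sha256sum on Linux, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Acquire a raw, bit-for-bit image. conv=noerror keeps reading past bad
# sectors and conv=sync pads a short read with zeros, so every byte in the
# image stays at the same offset as on the source. Because sync pads to a
# whole block, the source size must be a block multiple for the hashes to
# match; that holds for real drives (and for the sample above).
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Returns 0 when source and image hash identically; prints both for the notes.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Overwrite a target with zeros, then confirm that only zero bytes read back.
# Returns 0 on a clean wipe.
wipe_and_verify() {
    size=$(wc -c < "$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs=4096 count=$((size / 4096)) 2>/dev/null
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

SRC=$(make_sample_source)
IMG="$WORK/evidence.dd"
acquire_image "$SRC" "$IMG"
verify_image "$SRC" "$IMG" && echo "image verified"

# Wipe a scratch copy (never the evidence or its image) to show the check.
SCRATCH="$WORK/scratch.bin"
cp "$IMG" "$SCRATCH"
wipe_and_verify "$SCRATCH" && echo "scratch wiped"
```

The hash comparison is the whole point of the exercise: an image whose digest does not match its source is not evidence, and a wipe that leaves non-zero bytes behind did not sanitise the media.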


9) Sleuth kit (Autopsy)

The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems (FAT, NTFS, EXT2/3, etc.) and raw images. Autopsy is a graphical interface for The Sleuth Kit (a command line toolkit). It comes with features like timeline analysis, hash filtering, file system analysis and keyword searching, with the ability to add other modules for extended functionality.


When you launch Autopsy, you can choose to create a new case or load an existing one. To create a new case you need to load a forensic image to start the analysis; once the analysis process is complete, use the nodes in the left-hand pane to choose which results to view.
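As an added example that is not part of the original article or of The Sleuth Kit itself, two of the Autopsy features named above, timeline analysis and hash filtering, done by hand with POSIX tools so the mechanics are visible. The bodyfile is constructed in the layout that The Sleuth Kit's `fls -m` writes and `mactime` reads (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch seconds); the file tree and the known-good hash list are constructed as well, the list standing in for an NSRL or clean-reference-image hash set.

```shell
#!/bin/sh
# Added example, not from the original article or The Sleuth Kit: timeline
# analysis and hash filtering with POSIX tools on constructed data.
set -eu

WORK="${TMPDIR:-/tmp}/tsk_demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# --- Timeline analysis -------------------------------------------------
# Constructed bodyfile in the layout `fls -r -m / image.dd` produces:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds).
cat > "$WORK/body.txt" <<'EOF'
0|/etc/passwd|1001|r/rrw-r--r--|0|0|2048|1700000500|1690000000|1690000000|1690000000
0|/tmp/.x/run.sh|2200|r/rrwxr-xr-x|1000|1000|512|1700000900|1700000800|1700000800|1700000800
0|/var/log/auth.log|3100|r/rrw-r-----|0|4|88000|1700000950|1700000950|1700000950|1690000100
EOF

# Expand each file into one event per distinct timestamp, flagged mactime-style
# (m=modified a=accessed c=changed b=born), then order the events by time.
# Output lines look like "<epoch> <macb> <path>".
timeline() {
    awk -F'|' '{
        split("", seen)
        seen[$9] = 1; seen[$8] = 1; seen[$10] = 1; seen[$11] = 1
        for (t in seen) {
            mask = ($9 == t ? "m" : ".")
            mask = mask ($8 == t ? "a" : ".")
            mask = mask ($10 == t ? "c" : ".")
            mask = mask ($11 == t ? "b" : ".")
            printf "%s %s %s\n", t, mask, $2
        }
    }' "$1" | sort -n
}

# Narrow the timeline to an incident window: events with lo <= epoch <= hi.
timeline_window() {
    timeline "$1" | awk -v lo="$2" -v hi="$3" '$1 >= lo && $1 <= hi'
}

# --- Hash filtering ----------------------------------------------------
# Constructed file tree: two "stock" files and one dropped script.
mkdir -p "$WORK/fs/bin" "$WORK/fs/tmp/.x"
printf 'stock ls binary\n'    > "$WORK/fs/bin/ls"
printf 'stock libc library\n' > "$WORK/fs/bin/libc.so"
printf 'dropped script\n'     > "$WORK/fs/tmp/.x/run.sh"

# SHA-256 digest only (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Constructed known-good list built from the stock files; in practice it comes
# from NSRL or from hashing a clean reference image.
{ hash_file "$WORK/fs/bin/ls"; hash_file "$WORK/fs/bin/libc.so"; } > "$WORK/known_good.txt"

# Print the paths whose hash is absent from the known-good list. That is the
# review queue; everything that matched is filtered out of the examiner's view.
unknown_files() {
    find "$1" -type f | sort | while read -r f; do
        grep -qxF "$(hash_file "$f")" "$2" || echo "$f"
    done
}

timeline_window "$WORK/body.txt" 1700000000 1700001000
unknown_files "$WORK/fs" "$WORK/known_good.txt"
```

On a real case the bodyfile comes from `fls -r -m / image.dd > body.txt` and `mactime -b body.txt` renders the same events with human-readable dates; the point of the hand-rolled version is to show that a timeline is nothing more than the four timestamps of every file fanned out and sorted, and that hash filtering is a set difference against a trusted list.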

10) Xplico

Xplico is an open source network forensic analysis tool. It is basically used to extract useful data from applications which use Internet and network protocols. It supports most of the popular protocols including HTTP, IMAP, POP, SMTP, SIP, TCP, UDP and others. The tool's output data is stored in a SQLite or MySQL database. It also supports both IPv4 and IPv6. It is already available in the Kali Linux, DEFT, Security Onion and Matriux security distributions.


This article is about the contribution of open source to the digital forensics field. Free, best-known tools related to different areas of digital forensics have been discussed, and several Linux distributions which contain many free forensics tools have been listed.
