Cyber Security training from QA

Top 10 free tools for digital forensic investigation

QA Cyber Security Trainer, James Aguilan, lists his favourite free tools for forensic wizardry.

James Aguilan | 19 June 2018

Juniper researchers state that cybercrime will cost over 2 trillion USD to businesses by 2019. As costs go up so the demand for digital forensic experts will increase in tandem. Tools are a forensic examiner's best friend – using the right tool helps to move things faster, improve productivity and gather all the evidence. Here are my top 10 free tools to become a forensic wizard:


1. SIFT Workstation

SIFT (SANS investigative forensic toolkit) Workstation is a freely-available virtual appliance that is configured in Ubuntu 14.04. SIFT contains a suite of forensic tools needed to perform a detailed digital forensic examination. It is one of the most popular open source incident response platforms.

Download SIFT Workstation


2. Autopsy

Autopsy is a GUI-based open source digital forensic programme to analyse hard drives and smart phones efficiently. Autospy is used by thousands of users worldwide to investigate what happened in the computer. Autopsy was designed to be an end-to-end platform, with modules that come out-of-the-box and others that are available from third-parties. Some of the modules provide timeline analysis, keyword searching, data carving, Indicator of Compromise using STIX.

Download Autopsy


3. FTK Imager

FTK Imager is a data preview and imaging tool used to acquire data (evidence) in a forensically sound manner by creating copies of data without making changes to the original evidence. It saves an image of a hard disk, in one file or in segments, which may be reconstructed later on. It calculates MD5 hash values and confirms the integrity of the data before closing the files.

Download FTK Imager



DEFT is a household name when it comes to digital forensics and intelligence activities. The Linux distribution DEFT is made up of a GNU/Linux and DART (Digital Advanced Response Toolkit), a suite dedicated to digital forensics and intelligence activities. On boot, the system does not use the swap partitions on the system being analysed. During system start up there are no automatic mount scripts.

Download DEFT


5. Volatility

Also built into SIFT, Volatility is an open source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux (as of version 2.5). Forensic analysis of raw memory dump will be performed on Windows platform. The Volatility tool is used to determine that either the PC is infected or not. As we know that, the malicious programme can be extracted from the running processes from the memory dump.

Download Volatility


6. LastActivityView

LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, opening open/save dialog-box, opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash and network connection and disconnection.

Download LastActivityView


7. HxD

HxD is a carefully designed and fast hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size. The easy-to-use interface offers features such as searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics and much more.

Download HxD



CAINE offers a complete forensic environment that is organised to integrate existing software tools as software modules and to provide a friendly graphical interface. This is a digital forensics platform and graphical interface to the Sleuth Kit and other digital forensics tools.

Download CAINE


9. Redline

Redline is a free endpoint security tool that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. Redline can help audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history; and analyse and view imported audit data, including the ability to filter results around a given timeframe.

Download Redline


10. PlainSight

PlainSight is a versatile computer forensics environment that allows you to perform forensic operations such as: getting hard disk and partition information, extracting user and group information, examining Windows firewall configuration, examining physical memory dumps, extracting LanMan password hashes and previewing a system before acquiring it.

Download PlainSight


Whether it's for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what's 'under the hood' of a system.

This is by no means an extensive list and may not cover everything you need for an investigation, but it's a great starting point to becoming a forensic examiner.


Visit for more information on how they can help solve the Cyber Security skills gap.


James Aguilan

James Aguilan

Cyber Security Specialist

James has worked on many high complexity eDiscovery Projects and Forensic Investigations involving civil litigation, arbitration and criminal investigations for large corporation and international law firms across UK, US, Europe and Asia. James has assisted on many notable projects involving: one of the largest acquisition and merger case of all time – a deal worth $85 billion, multijurisdictional money laundering matter for Government bodies, and national cyber threat crisis including the more recent ransomware, phishing campaigns, and network intrusion. James has comprehensive knowledge of the eDiscovery lifecycle and forensic investigation procedures in both practise and theory with deep focus and interest in Forensic Preservation and Collection and Incident Response. In addition, He holds a first class bachelor’s degree in Computer Forensics and is accredited as an ACE FTK certified examiner.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.