So if you are just getting your hands dirty in the world of digital forensics, then you’ve probably realised there is an endless ocean of Digital Forensics and Incident Response (DFIR) tools. Even just the title is long… but that’s okay, because I’m going to cover the top 20 must-know DFIR tools and explain what they are used for; this way you can at least start practising forensics and build your arsenal of tools from there. Just keep in mind that there is a lot of crossover in what these tools can do, so you may use two completely different tools for the same job. So, with that out of the way, let’s get started!
FTK Imager

So first up, you can’t have a DFIR list without including FTK Imager. This is essential for obtaining a forensically sound image as it makes bit-by-bit copies in formats like .E01 (EnCase) or .ISO, preserving all timestamps, file metadata, and artifacts—critical for maintaining the chain of custody. This means any user activity, files, browser history, malware, etc., is all preserved, which is critical for investigations. FTK Imager also has the ability to mount a disk image, so if you want to browse the filesystem via the GUI you can.
Download here
KAPE

KAPE is a critical tool for live system artifact collection and parsing. Unlike FTK Imager, it's designed for rapid triage of specific artifacts—browser history, registry hives, event logs—without capturing entire disk images. This speed is essential when dealing with volatile data; if a system shuts down before collection, critical in-memory artifacts are lost. KAPE's key strength is its ability to extract and parse data in a single workflow using targets and modules, reducing noise and investigation time. For example, you can target specific registry hives rather than everything, producing a refined dataset ready for analysis. It offers both GUI and command-line interfaces.
Download here
Autopsy & The Sleuth Kit

Autopsy and The Sleuth Kit (TSK) are essential for forensic analysis involving filesystem examination. Autopsy is a GUI built on top of TSK's command-line toolkit, allowing you to browse forensic disk images intuitively. You can navigate the filesystem structure, deleted files, timestamps, metadata, and artifacts as you would on a live system. It's widely used in law enforcement for its accessibility. TSK's command-line tools offer a steeper learning curve, but provide speed and precision when you know your target. For instance, the fls tool can generate a complete filesystem timeline with a single command, making it invaluable for targeted investigations.
Download here
Arsenal Image Mounter

Arsenal Image Mounter is a forensic tool that mounts forensic images (E01, DD, ISO, VHD, etc.) as virtual drives in Windows, allowing you to access and analyse the contents without modifying the original evidence (write blocking) to ensure evidence integrity, essential for preserving the chain of custody. Once mounted, you can browse the filesystem, extract artefacts, and run other forensic tools directly against the mounted image as if it were a physical drive. This works seamlessly with your existing forensic toolkit—you can use RegRipper, EvtxECmd, or other parsing tools on the mounted image without additional conversion steps.
Download here
DB Browser for SQLite

DB Browser for SQLite is a GUI tool for examining SQLite databases—a format used extensively by modern applications like Chrome, Firefox, Telegram, and mobile apps to store data. During forensic analysis, you'll encounter countless SQLite databases containing user activity, messages, contacts, and application settings. This tool lets you query and browse these databases without needing command-line knowledge, making it invaluable for extracting artifacts like chat history, app usage data, and cached information that might otherwise be missed.
Download here
Wireshark

Network traffic is one of the most important concepts in cybersecurity, and Wireshark is the industry standard for network traffic analysis and packet capture. It allows you to inspect network communications in granular detail—examining protocols, payloads, and data flows to identify suspicious activity, data exfiltration, or command-and-control communication. During incident response, capturing live traffic or analysing PCAP files can reveal exactly what data was transmitted, to where, and when. Its filtering capabilities and protocol dissection make it essential for understanding network-based attack vectors, and you can even export any captured files that were transferred within the traffic.
Download here
Splunk

If you’ve ever heard of a SIEM (Security Information and Event Management), then you’ve probably heard of Splunk. It’s one of the most well-known SIEM tools and a powerful log aggregation and analysis platform used to ingest, index, and search massive volumes of logs from multiple sources, e.g., servers, firewalls, applications, and endpoints. In incident response, Splunk helps you correlate events across systems, identify attack patterns, and create timelines of suspicious activity. Its search language (SPL) allows you to write complex queries to hunt for indicators of compromise, making it invaluable for large-scale investigations where manual log review is impractical.
Download here
Volatility & Volatility 3

Sometimes all we can obtain from a system is the data in RAM, which is extremely volatile, meaning that once the system is powered off, we lose everything. This is where memory forensics tools like Volatility come in. Volatility is the premier tool for memory forensics, extracting and analysing volatile data from RAM dumps. It can recover running processes, network connections, injected code, and malware artifacts that exist only in memory and disappear when a system shuts down. Volatility 3 is the modernised version with improved architecture and plugin support. Both versions are critical for detecting advanced threats, as malware often operates entirely in memory to avoid disk artifacts, making memory analysis essential for complete incident investigations.
Download here
Plaso

Plaso (originally called Log2Timeline) is a Python-based timeline creation tool that parses artefacts from multiple sources, such as filesystems, registry hives, browser history, and logs, and creates a unified, chronological timeline. Rather than analysing individual artefacts separately, Plaso correlates events across the entire system, revealing the sequence of user actions and system events. Its extensible architecture allows investigators to develop custom parsers for organisation-specific log formats, making it invaluable for reconstructing attack chains and understanding exactly what happened during an incident.
Download here
RegRipper

The Windows registry is one of the most important data sources when it comes to Windows forensics. In saying that, there is also a lot of unwanted noise, so that’s where a registry analysis tool like RegRipper comes in. RegRipper is a command-line tool that parses Windows Registry hives and extracts key forensic artefacts like user accounts, installed software, USB device history, network connections, and more. It uses plugins to target specific registry locations, outputting human-readable reports rather than raw hex data. This makes it faster than manually navigating registry hives, and its plugin architecture allows you to focus on artefacts relevant to your investigation rather than sifting through irrelevant data.
Download here
Ghidra

Malware is one of the biggest cybersecurity threats of all time, and understanding how it works and where it came from provides critical insights into threat actors and their level of expertise. This is where reverse engineering frameworks like Ghidra become essential. Ghidra is a reverse engineering framework developed by the NSA for analysing binary files and malware. It allows you to disassemble executables, decompile code, and understand program behaviour without access to source code. During malware analysis, Ghidra helps you identify malicious functionality, decode obfuscated code, and understand attack mechanisms. Its collaborative features also enable teams to share analysis and annotations, making it valuable for complex investigations involving custom or unknown malware.
Download here
BrowsingHistoryView

Browsing history can be one of the first places to look when linking online activity to a suspected crime, and BrowsingHistoryView is a go-to tool for this. It extracts and displays browsing history from all major browsers (Chrome, Firefox, Edge, Safari) in a single, sortable interface. During investigations, understanding user web activity is critical for establishing timelines, identifying suspicious sites visited, or uncovering evidence of malicious downloads. The tool parses browser databases and presents timestamps, URLs, and visit counts in an easy-to-read format, making it quick to spot patterns without manually checking each browser's native history.
Download here
PhotoRec

PhotoRec is a data recovery tool that scans storage media for deleted files by searching for file signatures (magic bytes) rather than relying on filesystem metadata. It's particularly effective for recovering deleted images, as well as documents and other files that may contain evidence. Even when files are deleted and the filesystem no longer references them, PhotoRec can often recover the raw data, making it essential for investigating systems where critical evidence has been deliberately deleted.
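To show what "searching for file signatures rather than filesystem metadata" means in practice, here is an added example (not PhotoRec's code, and not part of the original post) of a minimal header/footer carver. It scans a constructed block of "unallocated space" for JPEG and PNG magic bytes, cuts out each header-to-footer run, and skips a truncated header that has no matching footer, which is the case a carver has to handle when a file was partially overwritten.

```python
import random

# Magic bytes for the two formats this example carves (constructed table;
# PhotoRec's own signature list covers hundreds of formats).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (kind, offset, data) for every header..footer run in the image.

    No filesystem metadata is consulted, so files the filesystem no longer
    references are recovered as long as their sectors were not overwritten.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while (pos := image.find(header, start)) != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # header with no footer in range (truncated/overwritten): skip it
                start = pos + 1
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            start = end  # resume scanning after the carved file
    return sorted(found, key=lambda hit: hit[1])

def build_sample_image() -> tuple:
    """Constructed 'unallocated space': two intact files and one truncated
    JPEG header, separated by filler bytes that cannot form any signature."""
    rnd = random.Random(1)
    filler = lambda n: bytes(rnd.choice(b"\x00\x20\x41") for _ in range(n))
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-" + filler(64) + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + filler(48)
           + b"IEND\xae\x42\x60\x82")
    truncated = b"\xff\xd8\xff\xe1" + filler(20)   # header only, no footer
    image = filler(100) + jpg + filler(37) + png + filler(50) + truncated + filler(16)
    return image, jpg, png

if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for kind, offset, data in carve(image):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

Real carvers also validate the internal structure (for example PNG chunk lengths) so that a footer belonging to a later file is not mistaken for the end of the current one.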
Download here
Strings

Sometimes, if you want to quickly check a suspicious binary for signs of malware without having to set up an entire sandbox, tools like Strings come in super handy. Strings is a command-line utility from Microsoft’s Sysinternals Suite that extracts human-readable text from binary files. During malware analysis or forensic examination, binaries often contain embedded strings—URLs, IP addresses, registry keys, error messages—that reveal functionality without requiring full disassembly. Running strings on suspicious executables or memory dumps can quickly identify indicators of compromise, command-and-control servers, or malicious behaviour, making it a fast first-pass analysis tool.
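The following is an added example (not Sysinternals code, and not part of the original post) of what a strings pass does under the hood. It extracts printable runs in both ASCII and UTF-16LE, the latter being how most Windows binaries store paths, URLs and registry keys, then buckets the results into the indicator types the paragraph mentions. The sample binary and the IOC patterns are constructed for the example.

```python
import re

MIN_LEN = 4  # default minimum string length, same as Sysinternals strings

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) for printable runs in a binary blob.

    Both ASCII and UTF-16LE ("Unicode") runs are scanned, as Sysinternals
    strings does by default; a tool that only looks for ASCII misses most
    strings in Windows executables.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_re.finditer(data)]
    return sorted(hits)

# Constructed first-pass indicator patterns (not a complete IOC extractor).
IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.\-/]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[\w\\ ]+"),
}

def triage(data: bytes) -> dict:
    """Bucket the extracted strings into indicator categories."""
    out = {kind: [] for kind in IOC_PATTERNS}
    for _, _, text in extract_strings(data):
        for kind, pattern in IOC_PATTERNS.items():
            out[kind].extend(pattern.findall(text))
    return out

def build_sample_binary() -> bytes:
    """Constructed stand-in for a suspicious PE: non-printable junk with an
    ASCII URL, a UTF-16LE registry key and an IP address embedded in it."""
    junk = b"\x00\x01\xff\x90\xcc" * 20
    run_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    return (junk + b"http://example.invalid/update.bin\x00" + junk
            + run_key.encode("utf-16-le") + b"\x00\x00" + junk
            + b"10.0.0.5\x00" + junk)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(build_sample_binary()):
        print(f"{offset:#08x} {enc:9} {text}")
    print(triage(build_sample_binary()))
```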
Download here
Hashcat

Hashcat is a high-performance password cracking tool used to recover plaintext passwords from hashes (NTLM, MD5, bcrypt, etc.). During forensic investigations, you may encounter password-protected files, encrypted volumes, or compromised user account hashes. Hashcat uses GPU acceleration and advanced attack modes (dictionary, brute-force, hybrid) to efficiently crack weak passwords, potentially granting access to encrypted evidence or revealing credentials used in attacks.
Download here
Eric Zimmerman Tools

The last 5 tools are going to be command-line tools created by Eric Zimmerman. They're designed to parse large datasets and output data in a more human-readable way. The outputs are generally in .csv format, which integrates seamlessly into TimelineExplorer, another Zimmerman tool used to view large datasets that have been parsed.
All of these tools are available here.
AmCacheParser
AmCacheParser is a command-line tool that parses the Amcache.hve registry hive on Windows and extracts critical information about executed programs, drivers, and connected devices. It captures timestamps, file hashes (SHA-1), versions, and file paths—essential for incident response, malware analysis, and system activity reconstruction. A key advantage is that it reveals what was executed on a system even if the files were later deleted, and it differentiates between program entries and file entries, making it invaluable for identifying suspicious execution history.
MFTECmd
MFTECmd is a command-line tool used to parse and analyse the NTFS Master File Table ($MFT) and related metadata files ($J, $Boot) on Windows systems to uncover detailed file system activity. This includes file creation/modification times, deleted files, and alternate data streams (ADS), all of which are critical for reconstructing file system timelines, identifying deleted evidence, and uncovering hidden data—essential for comprehensive Windows forensics.
RLA
Ever tried to run a tool to parse the registry only to encounter “dirty” hive errors? That’s where Registry Livewriter Analysis (RLA) comes in. A dirty hive is one whose most recent writes were still “in-flight” in its transaction logs rather than committed to the hive file itself, so the hive is missing data and can't be parsed correctly. RLA replays those transaction logs against the dirty hive, puts the in-flight data back, and outputs a clean hive ready to parse with another tool like RECmd.
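As an added illustration of what "dirty" means at the byte level (example code, not part of the original post and not Eric Zimmerman's implementation): the REGF base block at the start of every hive carries a primary and a secondary sequence number; Windows increments the primary before a write and sets the secondary to match once the write is committed, so a hive whose two numbers differ still has changes sitting only in its transaction log. The snippet parses that header from a constructed base block, reports the dirty state, and also verifies the header checksum so a truncated or corrupted hive is not mistaken for a merely dirty one.

```python
import struct

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096     # the base block is the first 4 KiB page of a hive file
CHECKSUM_OFFSET = 0x1FC    # XOR-32 of bytes 0..507 is stored here

def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 127 little-endian dwords, with Windows' two special cases."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1

def inspect_hive_header(data: bytes) -> dict:
    """Parse the REGF base block and report whether the hive is dirty.

    primary_seq is incremented before a write and secondary_seq is set to it
    afterwards, so when they differ the last write only reached the transaction
    log; that uncommitted state is what makes ordinary parsers fail on the hive.
    """
    if len(data) < BASE_BLOCK_SIZE or data[:4] != REGF_MAGIC:
        raise ValueError("not a REGF hive")
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored == regf_checksum(data[:BASE_BLOCK_SIZE]),
    }

def make_sample_hive(primary: int, secondary: int) -> bytes:
    """Constructed base block for testing; only the fields read above are filled."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[:4] = REGF_MAGIC
    struct.pack_into("<II", blk, 4, primary, secondary)
    struct.pack_into("<I", blk, CHECKSUM_OFFSET, regf_checksum(bytes(blk)))
    return bytes(blk)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:       # e.g. an exported NTUSER.DAT
        print(inspect_hive_header(f.read(BASE_BLOCK_SIZE)))
```

Running this against a hive before and after replaying its logs is a quick way to confirm the replay actually produced a consistent file.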
RECmd
So now that you have “clean” registry hives after using RLA, you can use a registry parsing tool like RECmd. RECmd is the command-line version of RegistryExplorer and parses data from the Windows Registry and outputs it to a file in different formats (CSV, CSVF, JSON). You can search for specific strings, base64, values and more. It also supports processing Volume Shadow Copies (VSS) and Regex queries. You can also automate analysis using batch files—JSON files containing specific registry artefacts that RECmd can process to retrieve relevant data. This significantly streamlines analysis and saves valuable time.
EvtxECmd
EvtxECmd, also known as Evtx Explorer, is a command-line tool used to parse and analyse Windows Event Logs (.evtx files). You can run the tool against specific event log files such as Security.evtx, Application.evtx, and System.evtx to extract and analyse relevant events, or parse all event logs simultaneously. It provides the same information found in the Windows Event Viewer, but consolidates everything into categorised rows and columns in a .csv format. When opened with TimelineExplorer, this creates a single pane of glass for the data, streamlining analysis and enabling efficient data correlation.
Shae Haseldine
Cyber Threat Analyst
Published 10 June 2026