Thunderbird

Email Forensics Tool - Thunderbird

Thunderbird Email Forensics Tool is a dedicated solution for analyzing and investigating email data from Mozilla Thunderbird. It allows forensic professionals to extract and examine emails, attachments, metadata, and even deleted messages, making it a valuable tool for digital investigations. Unlike standard email viewers, this tool enables direct analysis of MBOX and Maildir file formats, providing access to crucial details such as timestamps, sender and recipient information, and message headers. It also includes advanced recovery options to retrieve emails that may have been deleted or corrupted.

To ensure the integrity of the investigation, the tool operates in a read-only mode, preventing any accidental modifications to the original data. Investigators can use powerful search and filtering options to quickly locate relevant emails based on keywords, date ranges, or specific contacts. Additionally, it offers the ability to generate detailed forensic reports, which are essential for legal cases and compliance audits. This tool is widely used in cybercrime investigations, corporate audits, and incident response cases, making it a reliable choice for professionals handling email-based evidence.
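The MBOX analysis described above can be reproduced with Python's standard library. The following is an added example, not code from the Thunderbird tool or from this page's author: it writes a constructed two-message mailbox (sample values only), then walks it extracting the header metadata the text lists (sender, recipient, timestamps, Message-ID, Received hops) and hashes each attachment so it can be tracked as evidence.

```python
import email
import hashlib
import mailbox
import os
import tempfile
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample mailbox (not real evidence): two messages, the first carrying a
# base64 attachment, the second replying to it. Thunderbird stores MBOX files under the
# profile's Mail/ or ImapMail/ directories, normally without a file extension.
SAMPLE_MBOX = b"""From alice@example.test Mon Mar  3 09:15:00 2025
From: Alice <alice@example.test>
To: Bob <bob@example.test>
Subject: Quarterly figures
Date: Mon, 03 Mar 2025 09:15:00 +0000
Message-ID: <msg-0001@example.test>
Received: from mail.example.test ([192.0.2.10]) by mx.example.test; Mon, 03 Mar 2025 09:15:01 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Figures attached.
--b1
Content-Type: application/octet-stream; name="figures.csv"
Content-Disposition: attachment; filename="figures.csv"
Content-Transfer-Encoding: base64

cXVhcnRlcixyZXZlbnVlClExLDEwMA==
--b1--

From bob@example.test Mon Mar  3 10:00:00 2025
From: Bob <bob@example.test>
To: Alice <alice@example.test>
Subject: Re: Quarterly figures
Date: Mon, 03 Mar 2025 10:00:00 +0000
Message-ID: <msg-0002@example.test>
In-Reply-To: <msg-0001@example.test>
Content-Type: text/plain; charset="utf-8"

Looks fine from my side.
"""


def write_sample_mbox() -> str:
    """Write the constructed mailbox to a temporary file and return its path."""
    path = os.path.join(tempfile.mkdtemp(prefix="mbox_demo_"), "Inbox")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def analyze_mbox(path: str) -> list:
    """Extract per-message metadata and attachment hashes from an MBOX file."""
    box = mailbox.mbox(path, create=False)
    rows = []
    try:
        for key in box.iterkeys():
            # get_bytes() returns the raw RFC 5322 message without the "From " separator,
            # so the email package can parse it with the modern EmailMessage policy.
            msg = email.message_from_bytes(box.get_bytes(key), policy=policy.default)
            date = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
            attachments = []
            for part in msg.iter_attachments():
                payload = part.get_payload(decode=True) or b""
                attachments.append({
                    "filename": part.get_filename(),
                    "content_type": part.get_content_type(),
                    "size": len(payload),
                    "sha256": hashlib.sha256(payload).hexdigest(),
                })
            rows.append({
                "message_id": str(msg["Message-ID"]).strip() if msg["Message-ID"] else None,
                "from": str(msg["From"]),
                "to": str(msg["To"]),
                "subject": str(msg["Subject"]),
                "date_utc": date.isoformat() if date else None,
                "in_reply_to": str(msg["In-Reply-To"]).strip() if msg["In-Reply-To"] else None,
                "received_hops": len(msg.get_all("Received", [])),
                "attachments": attachments,
            })
    finally:
        box.close()
    return rows


if __name__ == "__main__":
    for row in analyze_mbox(write_sample_mbox()):
        print(row)
```

One caveat for evidence handling: `mailbox.mbox` opens the file read-write when permissions allow (nothing is written unless `flush()` is called), so run this against a working copy or a read-only mount rather than the original profile directory.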

The Sleuth Kit Tools

MemProcFS

Digital Forensics Tool - MemProcFS

MemProcFS is a forensic tool designed for real-time memory analysis by mounting RAM dumps as a virtual file system. Unlike traditional memory forensics tools that require manual data extraction, MemProcFS organizes memory structures into a readable file-based format, making it easier for investigators to analyze system artifacts.

The tool supports Windows memory dumps and provides access to key forensic data such as running processes, open network connections, registry hives, and loaded modules. By dynamically translating raw memory into structured files, MemProcFS allows for faster investigations without requiring extensive scripting or database queries.

MemProcFS is particularly useful for detecting malicious activity, including hidden processes and injected code, making it valuable in malware investigations and incident response. Since it operates in read-only mode, it ensures that the original memory dump remains unaltered, preserving forensic integrity. Often used alongside tools like Volatility, MemProcFS offers an efficient and interactive approach to memory forensics, making it a useful tool for forensic professionals and cybersecurity analysts.


PhotoRec

Digital Forensics Tool - PhotoRec

PhotoRec is a well-known open-source tool designed for recovering lost files from a variety of storage devices. Unlike many recovery tools that rely on file system metadata, PhotoRec scans the disk at a deeper level, identifying file signatures to recover lost documents, images, videos, and other types of data—even from damaged or reformatted drives.

The tool supports multiple file systems, including FAT, NTFS, exFAT, HFS+, and ext, making it a versatile option for forensic investigators and data recovery specialists. It works with hard drives, USB flash drives, memory cards, and even optical media like CDs and DVDs. To ensure forensic integrity, PhotoRec operates in read-only mode, preventing any modifications to the original data source.

PhotoRec is commonly used in digital forensics, incident response, and personal data recovery. While it has a command-line interface, the step-by-step recovery process is straightforward, making it accessible to both experienced professionals and casual users. As a free and open-source tool, it remains a valuable resource for anyone needing to recover lost or deleted data.
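To make the signature-based recovery described above concrete, here is an added example that is not PhotoRec's code: a minimal carver that ignores file-system metadata entirely and scans raw bytes for header/footer pairs. The signature table and the sample "unallocated space" image are constructed for the demonstration (three files, the last one truncated so the truncated-file case is exercised).

```python
import hashlib

SECTOR = 512

# Header/footer signatures for a few file types. PhotoRec's real signature database covers
# several hundred formats; this constructed table is only for the demonstration.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Signature-based carving: walk the raw bytes (not the file-system metadata) and cut
    out every header..footer span. A header with no footer is reported as truncated."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header))
            if end == -1:
                # Header present but footer missing: file was overwritten or cut off.
                found.append({"type": kind, "offset": start, "sector": start // SECTOR,
                              "length": None, "complete": False})
                break
            end += len(footer)
            data = image[start:end]
            found.append({"type": kind, "offset": start, "sector": start // SECTOR,
                          "length": len(data), "complete": True,
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def sector_align(data: bytes) -> bytes:
    """Pad to the next sector boundary, as file data is laid out on disk."""
    return data + b"\x00" * (-len(data) % SECTOR)


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': zeroed sectors with three files whose directory
    entries are gone, the last one truncated (no %%EOF trailer)."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-body" + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.7 constructed body cut off before its trailer"
    return (b"\x00" * SECTOR + sector_align(jpg) + b"\x00" * SECTOR
            + sector_align(png) + sector_align(pdf))


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

The image has no directory entries at all, yet all three files are located by content alone; that is the property that lets PhotoRec recover data from reformatted or damaged volumes. Real carvers also bound the search by a per-type maximum size so a missing footer does not swallow the rest of the disk.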


Autopsy Forensics

Digital Forensics Tool - Autopsy Forensics

Autopsy is a widely used open-source digital forensic tool designed for analyzing hard drives, disk images, and mobile devices. Known for its user-friendly interface, it provides investigators with a powerful yet accessible way to examine digital evidence. Law enforcement agencies, cybersecurity professionals, and forensic analysts rely on Autopsy for tasks like recovering deleted files, analyzing user activity, and identifying potential threats.

The tool supports various disk image formats, including E01, AFF, and raw, allowing investigators to uncover hidden partitions, metadata, and other crucial forensic artifacts. Built-in features include keyword searching, timeline analysis, and hash matching to detect known malicious files. Autopsy also offers email analysis and registry examination, making it a versatile choice for digital investigations.

A key advantage of Autopsy is its modular design, allowing users to integrate additional plugins for enhanced functionality. It also automates reporting, making case documentation more efficient. Whether used for incident response, criminal investigations, or corporate forensics, Autopsy provides a reliable and cost-effective alternative to commercial forensic software.


Volatility3

Digital Forensics Tool - Volatility3

Volatility 3 (Volatility3) is a powerful open-source memory forensics tool designed to analyze RAM captures from compromised systems. It is the latest version of the well-known Volatility framework, rebuilt for better performance, flexibility, and compatibility with modern operating systems.

Unlike traditional forensic tools that focus on disk analysis, Volatility3 specializes in extracting critical data from memory dumps, such as running processes, open network connections, loaded drivers, registry entries, and even traces of fileless malware. This makes it especially useful for detecting advanced threats like rootkits and in-memory attacks that leave little to no trace on the hard drive.

Built with Python 3, Volatility3 offers improved modularity, allowing investigators to create custom plugins for specific forensic needs. It supports memory dumps from Windows, Linux, and macOS, making it a versatile tool for incident response, malware analysis, and cybersecurity investigations. The tool is widely used by law enforcement, security professionals, and forensic analysts to uncover key evidence and generate detailed reports that can be used in legal proceedings.


vshadowmount

Digital Forensics Tool - vshadowmount (Ubuntu)

vshadowmount is a specialized forensic utility designed to mount and analyze Volume Shadow Copies in Linux environments, particularly Ubuntu. Volume Shadow Copies are snapshots of data created by the Windows Volume Shadow Copy Service (VSS) at specific points in time. These snapshots are invaluable in digital forensics because they often contain historical versions of files, deleted data, or evidence of system changes that are no longer present on the live system.


Unlike traditional tools that require a Windows environment to access VSS, vshadowmount allows forensic investigators to mount and analyze Volume Shadow Copies directly in Ubuntu. This makes it an essential tool for cross-platform forensic investigations, enabling examiners to work with Windows-based evidence in a Linux environment.


ewfinfo

Digital Forensics Tool - ewfinfo (Expert Witness Format)

ewfinfo is a specialized forensic utility designed to extract and display metadata from disk images stored in the Expert Witness Format (EWF), commonly referred to as the EnCase Image File Format. While many forensic tools focus on mounting or analyzing disk images, ewfinfo is uniquely tailored to provide detailed insights into the contents and integrity of EWF files. This makes it an indispensable tool for forensic investigators who need to verify the authenticity of evidence, extract case-related metadata, or troubleshoot issues with EWF files.

As part of the libewf library—an open-source project that provides tools for reading and writing EWF files—ewfinfo is widely used in digital forensics to ensure the integrity of forensic images. It plays a critical role in supporting the chain of custody by delivering verifiable metadata, which is essential for maintaining the credibility of evidence in legal and investigative contexts.
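The integrity checking described above rests on the structure of an EWF segment file: a 13-byte file header followed by a chain of sections, each introduced by a 76-byte descriptor carrying its type, the offset of the next section, its size and an Adler-32 checksum over the descriptor. The following is an added example, not libewf or ewfinfo code: it builds a small constructed segment in that layout (the layout follows the EWF specification as documented by the libewf project; the section bodies are placeholders, not real compressed chunk data) and then walks the chain the way a metadata reader must, validating every descriptor checksum and reporting where the chain breaks.

```python
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # 8-byte segment file signature
FILE_HEADER_LEN = 13                           # signature + fields start + segment no. + fields end
SECTION_DESC_LEN = 76                          # type(16) next(8) size(8) padding(40) adler32(4)


def build_section(type_name: str, offset: int, body: bytes, last: bool = False) -> bytes:
    """Section descriptor followed by its body. The 'done' section points at itself."""
    size = SECTION_DESC_LEN + len(body)
    next_offset = offset if last else offset + size
    fixed = (type_name.encode("ascii").ljust(16, b"\x00")
             + struct.pack("<QQ", next_offset, size)
             + b"\x00" * 40)
    return fixed + struct.pack("<I", zlib.adler32(fixed)) + body


def build_sample_segment(segment_number: int = 1, corrupt: bool = False) -> bytes:
    """Constructed single-segment EWF file with placeholder section bodies (not real image data)."""
    data = EWF_SIGNATURE + struct.pack("<BHH", 0x01, segment_number, 0x0000)
    for name, body in [
        ("header", b"constructed case metadata"),
        ("volume", b"\x00" * 94),
        ("sectors", b"\x00" * 512),
        ("hash", bytes(16) + bytes(16) + bytes(4)),   # MD5 slot, unknown, checksum slot
    ]:
        data += build_section(name, len(data), body)
    data += build_section("done", len(data), b"", last=True)
    if corrupt:
        # Simulate one flipped bit in the 'volume' descriptor's type field.
        buf = bytearray(data)
        idx = buf.find(b"volume")
        buf[idx] ^= 0x01
        data = bytes(buf)
    return data


def parse_segment(data: bytes) -> dict:
    """Walk the section chain, verifying each descriptor checksum, as a metadata reader does."""
    if data[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF segment file")
    _fields_start, segment_number, _fields_end = struct.unpack_from("<BHH", data, 8)
    sections, errors, seen = [], [], set()
    offset = FILE_HEADER_LEN
    while offset not in seen and offset + SECTION_DESC_LEN <= len(data):
        seen.add(offset)
        desc = data[offset:offset + SECTION_DESC_LEN]
        type_name = desc[:16].rstrip(b"\x00").decode("ascii", "replace")
        next_offset, size = struct.unpack_from("<QQ", desc, 16)
        stored = struct.unpack_from("<I", desc, 72)[0]
        checksum_ok = zlib.adler32(desc[:72]) == stored
        if not checksum_ok:
            errors.append(f"checksum mismatch in section '{type_name}' at offset {offset}")
        sections.append({"type": type_name, "offset": offset, "size": size,
                         "checksum_ok": checksum_ok})
        if type_name == "done" or next_offset == offset:
            break
        if next_offset < offset:
            errors.append(f"backward section pointer at offset {offset}")
            break
        offset = next_offset
    complete = bool(sections) and sections[-1]["type"] == "done"
    if not complete:
        errors.append("section chain does not end in a 'done' section (truncated segment?)")
    return {"segment_number": segment_number, "sections": sections,
            "errors": errors, "complete": complete}


if __name__ == "__main__":
    print(parse_segment(build_sample_segment()))
    print(parse_segment(build_sample_segment(corrupt=True)))
```

The checksum walk is what lets a tool distinguish a segment that was merely renamed from one whose descriptors were altered or truncated; the acquisition hash stored in the `hash` section is then compared against a fresh hash of the decompressed data, which this toy layout does not carry.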


NirLauncher

Digital Forensics Tool - NirLauncher by NirSoft

NirLauncher is a comprehensive suite of more than 200 portable utility tools developed by NirSoft, designed to assist in system administration, network monitoring, and forensic investigations. These lightweight tools cover password recovery, internet browsing history retrieval, network traffic analysis, and system information gathering.

NirLauncher provides a centralized interface to easily access and launch the tools, which are especially useful for IT professionals and digital forensics analysts to troubleshoot and diagnose issues on Windows systems. Since all the utilities are portable, they can be run from external drives without installation, making NirLauncher an ideal choice for live system investigation.

The suite is commonly used in forensics to gather evidence related to user activity, network configurations, and system-level changes, with outputs that can be saved and analyzed further in post-incident reviews or legal cases.


Use Cases: Retrieving Security Questions

NirLauncher is a collection of tools; one group that is valuable in a forensic investigation is the Password Recovery Tools, which might be used to unlock the suspect's system.

Here, we can see the "SecurityQuestionsView" tool.

To use this tool, right-click it and choose "Run as administrator".

Then, select "Load security questions from an external drive."

Then, load the SYSTEM registry hive from C:\Windows\system32\config.

FRED

Digital Forensics Tool - FRED

Forensics Registry Editor (FRED) is a specialized tool designed for in-depth analysis and editing of the Windows registry in a forensic context. This tool allows investigators to examine, modify, and export registry keys and values from live systems or offline registry hives extracted from suspect machines. FRED provides detailed insights into registry changes, user activity, and system configurations critical for digital forensics investigations. By working with snapshots of the registry, FRED enables timeline reconstruction and aids in identifying potential indicators of compromise (IoCs) or malicious persistence mechanisms. The tool's user-friendly interface and export capabilities make it suitable for both live forensics and post-incident investigations, providing comprehensive reports that can be used for further analysis or as evidence in legal proceedings.

Forensics Registry Editor

FRED works much like a regular registry editor, such as Registry Explorer by Eric Zimmerman. Registry hives are located in C:\Windows\system32\config; with FRED's simple drag-and-drop capability, a forensic investigator can load a hive and view its contents easily.
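Both the NirLauncher step above (loading the SYSTEM hive from C:\Windows\system32\config) and FRED's hive analysis start from the same artifact: an offline registry hive file. Before trusting what a viewer shows, an examiner should confirm the hive is intact and consistent, which is information the hive's 4 KiB `regf` base block carries. The following is an added example, not FRED or NirSoft code: it builds a constructed hive (base block plus one empty hive bin, sample values only, not a real SYSTEM hive) and checks the signature, the primary/secondary sequence numbers (a mismatch means the hive is "dirty" and its transaction logs have not been replayed), the header XOR-32 checksum, the last-written FILETIME and the first hive bin signature.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_LEN = 4096      # the 'regf' header occupies the first 4 KiB
HBIN_LEN = 4096            # smallest hive bin


def to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs preceding the checksum field at offset 508."""
    x = 0
    for (value,) in struct.iter_unpack("<I", header[:508]):
        x ^= value
    if x == 0xFFFFFFFF:
        x = 0xFFFFFFFE
    if x == 0:
        x = 1
    return x


def build_sample_hive(name: str = "SYSTEM", dirty: bool = False, bad_checksum: bool = False) -> bytes:
    """Constructed hive: a regf base block and one empty hive bin (sample values, not real data)."""
    hdr = bytearray(BASE_BLOCK_LEN)
    hdr[0:4] = b"regf"
    seq_primary, seq_secondary = (7, 6) if dirty else (7, 7)
    struct.pack_into("<II", hdr, 4, seq_primary, seq_secondary)
    struct.pack_into("<Q", hdr, 12, to_filetime(datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc)))
    struct.pack_into("<IIII", hdr, 20, 1, 5, 0, 1)      # major, minor, file type, file format
    struct.pack_into("<III", hdr, 36, 0x20, HBIN_LEN, 1)  # root cell offset, hive bins size, clustering
    hdr[48:112] = f"Config\\{name}".encode("utf-16-le").ljust(64, b"\x00")
    checksum = regf_checksum(hdr) ^ (0x01 if bad_checksum else 0x00)
    struct.pack_into("<I", hdr, 508, checksum)
    hbin = bytearray(HBIN_LEN)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, HBIN_LEN)       # bin offset (relative), bin size
    return bytes(hdr + hbin)


def parse_hive_header(data: bytes) -> dict:
    """Decode the base block and list integrity findings an examiner should resolve first."""
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    seq_primary, seq_secondary = struct.unpack_from("<II", data, 4)
    (last_written,) = struct.unpack_from("<Q", data, 12)
    major, minor, file_type, file_format = struct.unpack_from("<IIII", data, 20)
    root_cell, bins_size, _cluster = struct.unpack_from("<III", data, 36)
    file_name = data[48:112].decode("utf-16-le", "replace").split("\x00", 1)[0]
    (stored_checksum,) = struct.unpack_from("<I", data, 508)

    findings = []
    if seq_primary != seq_secondary:
        findings.append("dirty hive: sequence numbers differ, transaction logs (.LOG1/.LOG2) not replayed")
    if stored_checksum != regf_checksum(data):
        findings.append("base block checksum mismatch: header damaged or tampered")
    if data[BASE_BLOCK_LEN:BASE_BLOCK_LEN + 4] != b"hbin":
        findings.append("first hive bin signature missing")
    return {
        "file_name": file_name,
        "version": f"{major}.{minor}",
        "file_type": "primary" if file_type == 0 else f"other({file_type})",
        "last_written_utc": from_filetime(last_written).isoformat(),
        "root_cell_offset": root_cell,
        "hive_bins_size": bins_size,
        "sequence": (seq_primary, seq_secondary),
        "findings": findings,
    }


if __name__ == "__main__":
    print(parse_hive_header(build_sample_hive()))
    print(parse_hive_header(build_sample_hive(dirty=True)))
```

A dirty hive is common on images taken from running systems; the data is still readable, but keys written since the last flush live only in the transaction logs, so a timeline built from the hive alone would be incomplete.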


Arsenal Image Mounter

Digital Forensics Tool - Arsenal Image Mounter

Arsenal Image Mounter (AIM) is a powerful forensic tool for mounting and analyzing disk images. Unlike traditional disk mounting tools, AIM allows forensic investigators to mount disk images (including E01, VHD, VMDK, and raw formats) directly into the Windows kernel as complete disk devices, ensuring that the mounted images behave exactly like physical disks. This enables forensic professionals to perform advanced analysis, such as retrieving hidden data, unallocated space, or deleted files that standard mounting methods might overlook.

AIM supports various write-protection options to prevent any modifications to the original disk images, ensuring forensic integrity throughout the analysis. The tool is often used alongside other forensic software for deeper evidence analysis, making it well suited to incident response, digital forensics investigations, and legal proceedings. With Arsenal Image Mounter, users can also mount snapshots of virtual machine disks, making it a versatile solution for investigating physical and virtual environments. The detailed logs and reports generated during mounting sessions can be exported for further forensic analysis and case documentation.

Arsenal Image Mounter: Mounting Disk Image

Go to File > Mount Disk Image.

Select the disk image file; disk images usually have E01, VHD, or VMDK file extensions.

Arsenal Image Mounter: Ensuring Disk Integrity

Read-only mode ensures disk integrity by preventing any modifications to the data stored on the disk. This safeguards the system from unintended changes, file corruptions, or malicious attacks, ensuring that the original state of the data is preserved.

In forensics investigations, mounting a disk as read-only ensures that the evidence remains untouched, which is crucial for maintaining its validity in court. This method guarantees that the digital evidence can be trusted and upheld in legal proceedings by preventing alterations.

Since the disk is used in Windows systems, we assume the file system is NTFS, which explains the 512-byte sector size.

Arsenal Image Mounter: Interpreting the Output

The tool identifies the disk as PhysicalDrive1 with a size of 18 GB and detects the presence of Volume Shadow Copies. These shadow copies are snapshots created by the Windows Volume Shadow Copy Service (VSS), which can provide valuable forensic evidence by allowing access to previous versions of files or deleted data.
