September 6, 2018

Popular Forensic Software

I’ve detailed some of the more popular forensic software below.

FTK has to be mentioned first. If the FBI uses this product, you know it’s good. Forensic Toolkit (FTK for short) is software from AccessData and was one of the first software tools I learned. It’s extremely common software to have in the forensic field; it’s used at places like the FBI. I like it because it has a very straightforward, easy-to-use graphical interface (GUI). Some of its other advantages include being able to analyze data from different sources and different image file types such as .E01, SMART, AFF, and Raw formats. It can connect to a database to have a central repository of information. This is helpful if you want to store password hashes, which can take up a great deal of space. “FTK utilizes KFF hash library with 45 million hashes”. This is the repository for when the program needs to decrypt / crack passwords.

SANS / SIFT Workstation-
The SIFT Workstation is a free, open-source grouping of forensics tools. “SIFT workstation is playing an essential role for the Brazilian national prosecution office, especially due to Brazilian government budgetary constraints.” Some of the notable benefits are that it includes a lot of Python scripts and has memory analysis tools like Rekall and the Volatility Framework, as well as a timeline tool (log2timeline) which shows attacks over a time frame.

“EnCase is quite outstanding – it is capable of breaking down complex file structures for examination, such as the registry files, dbx & pst files, thumbs db etc” (Atom, 2011). I like that EnCase has scripting abilities to allow automation. It is also mentioned that EnCase can do some mobile device analysis, like Cellebrite. Some of the negatives of this software are its higher learning curve and that it works over a network, which causes some latency issues. Unlike others, there is also no free option of this software, and it has a pretty steep price tag of around 3,600 dollars per year, but it comes with support.

DEFT stands for Digital Evidence & Forensics Toolkit according to their website, where it can also be downloaded. To be honest, I’m not quite as familiar with this software. It has been mentioned many times during my investigation of forensic software, and I had to familiarize myself with it a little more to see why it kept being mentioned. It is used by the military and police forces around the world. Some of the features that make it very popular in the forensics community are that it runs in RAM and can be put on and launched from a flash drive. It also receives regular updates, which helps with the ever-evolving threat landscape.

While the previous 4 tools were all very common, Cellebrite is different in that it is used specifically for extracting data from mobile devices / cell phones. Cell phones provide a unique challenge simply because of the extensive number of devices. Even similar mobile devices, such as the iPhone 5 vs. 5s, vary in how someone could get a forensic image of the device. Cellebrite has won the “Phone Forensic Hardware Tool of the Year” award for 5 years in a row (Cellebrite, 2013). It’s interesting to point out how skilled this company is: the Bloomberg website (Benmeleh, 2016) points out that the U.S. Federal Bureau of Investigation (FBI) worked with Israel’s Cellebrite Mobile Synchronization Ltd. to crack the iPhone used in the shooting last year in San Bernardino, California.

FORENSIC TOOLKIT (FTK). Retrieved from
SIFT Workstation. Retrieved from
Atom. (2011, April 7). Advantages and Disadvantages of FTK and EnCase. Retrieved from
Cellebrite. (2013, July 16). Cellebrite UFED Wins 5th Consecutive Forensic 4cast Award for Phone Forensic Hardware and Software Tools of the Year. Retrieved from
Benmeleh, Y. (2016, March 30). FBI Worked With Israel’s Cellebrite to Crack iPhone. Retrieved from