
Computer Forensic Tools Comparison Chart 2026

Finding the right tool for your forensic needs can be overwhelming. So, we have created a computer forensic tools comparison chart to aid in that decision.

Understanding a tool’s use cases and features helps users evaluate their options and choose which one best addresses their needs. There can be considerable differences between the functionality of tools, and even in the definitions used to describe them!

In an effort to clarify things, this blog post:  

  • Defines computer forensic tools.
  • Defines different tool categories.
  • Compares their features on a useful chart.
  • Explores some leading examples.

Let's get started!

Jump to…

What Are Computer Forensic Tools?
Digital Investigation Lifecycle
Computer Forensic Tool Categories
Computer Forensic Tools Comparison Chart
Computer Forensic Tool Examples
Which Tool for You?

What Are Computer Forensic Tools?

Defining computer forensic tools is not an easy task. To accomplish this, we must also define computer forensics, which is often used interchangeably with digital forensics or incident response. Although used in multiple contexts, these 3 terms do have unique definitions, which we will discuss next.

Still, to define computer forensic tools as best we can: they are specialized software applications (or hardware) designed to support investigative procedures involving the examination of digital evidence recovered from hard drives, memory, and other storage devices.

For those interested in diving deeper into DFIR concepts, keep reading.

For those interested in diving into tool comparison, click here.


Digital Forensics vs Computer Forensics vs Incident Response

The terms digital forensics, computer forensics, and incident response are different, and each has many interpretations (see Brett Shavers' blog for a more in-depth discussion of this).

For the purpose of this article, we will be using the following definitions:

Digital Forensics: “Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing, analysing, and reporting on data stored electronically.”
Computer Forensics: “In its strictest connotation, the application of computer science and investigative procedures involving the examination of digital evidence – following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.”
Incident Response: The remediation or mitigation of violations of security policies and recommended practices.
Digital Investigation: “The process of identifying, collecting, analyzing, and interpreting digital evidence to uncover the truth behind cybercrimes, insider threats, or (…) security incidents. It transforms fragmented digital data from devices, online platforms, communication channels, and databases into actionable intelligence.”

Computer Forensic Tools

If we want to start splitting hairs, we could point out that the definition of incident response does not specifically reference investigation, but we are not here to debate definitions. For the sake of your sanity and time, we will assume that, to mitigate security policy violations, you first need to figure out what happened, which will require an investigation.

In this blog, we are going to look at the computer forensic tools that can be used to complete that investigation, whether to prosecute a suspected murderer or determine how a network was infected with ransomware. The tools all share common features, with the primary objective of recovering information from digital electronic systems.

To investigate digital systems, we need to pull data from many types of systems, parse it in different ways, and ideally correlate it with information from many other sources. As a result, there is no single tool that will provide all the features and functionality needed to complete an entire investigation.

This makes comparing different tools very challenging.

In preparing this blog, our team has wasted hours debating the granularity of different definitions and terms, often without reaching a consensus. Some would say this is a hopeless task, but the marketing team has spoken, and the job must be done!

That job starts with defining the digital investigation lifecycle.

Digital Investigation Lifecycle

To meaningfully compare the tools, we (tried to) identify the key functions of the digital investigation lifecycle and assessed how much each tool addresses them. As mentioned earlier, there is no perfect tool, and no single tool will do everything you need.

The Investigation Lifecycle
Identification
The process of determining what needs to be examined.

This can be a manual process. (Ex: During the execution of a search warrant, electronic devices may be searched to determine if they meet the terms of the warrant). It can also be automatic. (Ex: An EDR or SIEM may alert the SOC of potentially malicious activity on an endpoint).

Collection
Transferring digital artifacts from the original source into a format that can be interpreted by analysis tools.

There are 2 broad types of collection: targeted, where only specific artifacts and volatile data are collected, and “forensic imaging,” where a complete copy of all addressable storage on a disk is preserved.

Preservation
Storing the collected data in a format that allows long-term (indefinite) storage and verification that the data is unchanged from what was originally collected.

This is a fine but significant distinction from collection. Some tools, most commonly EDRs and SIEMs, collect potential evidence from endpoints but lack a mechanism to verify its integrity, and they typically store data for only a short period (in some cases, 14 days or less). The most common method of preservation is the creation of a “forensic” disk image, where hashes are used to verify that the stored data is unchanged. The same approach can be used for targeted collections where only selected artifacts are retained from a system.
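The hash-based preservation described above, applied to a targeted collection rather than a full disk image, looks like this in practice. This is an added example written for this article, not code from Cyber Triage or any other tool listed here; the artifact contents are constructed placeholders, and the directory layout is an assumption.

```python
"""Seal a targeted collection with a hash manifest and verify it later.

Added example for this article, not Cyber Triage code. The collection is a
constructed temp directory of placeholder artifacts (not real evidence).
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample collection: relative path -> placeholder bytes.
SAMPLE_COLLECTION = {
    "C/Windows/System32/winevt/Logs/Security.evtx": b"ElfFile\x00" + b"\x00" * 64,
    "C/Windows/System32/config/SAM": b"regf" + b"\x00" * 60,
    "C/Windows/Prefetch/CMD.EXE-0BD30981.pf": b"MAM\x04" + b"\x01" * 32,
}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash in chunks so multi-gigabyte artifacts never load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root; keys are forward-slash relative paths."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"algorithm": "sha256", "files": files}


def manifest_digest(manifest: dict) -> str:
    """Digest of the manifest in canonical JSON. Record this out-of-band
    (case notes, signed report) so the manifest itself cannot be rewritten."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify(root: Path, manifest: dict) -> dict:
    """Report files that changed, vanished, or appeared since acquisition."""
    current = build_manifest(root)["files"]
    expected = manifest["files"]
    return {
        "modified": sorted(k for k in expected if k in current
                           and current[k]["sha256"] != expected[k]["sha256"]),
        "missing": sorted(k for k in expected if k not in current),
        "added": sorted(k for k in current if k not in expected),
    }


def write_collection(root: Path, items: dict) -> None:
    for rel, data in items.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)


def demo() -> dict:
    """Acquire, seal, verify clean, then tamper with one file and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "collection"
        write_collection(root, SAMPLE_COLLECTION)
        manifest = build_manifest(root)
        seal = manifest_digest(manifest)
        clean = verify(root, manifest)
        # Simulate a tool (or an attacker) touching one evidence file in place
        # and dropping a stray file into the collection.
        pf = root / "C/Windows/Prefetch/CMD.EXE-0BD30981.pf"
        pf.write_bytes(b"MAM\x04" + b"\x02" * 32)
        stray = root / "C/Windows/Temp/new.tmp"
        stray.parent.mkdir(parents=True)
        stray.write_bytes(b"x")
        tampered = verify(root, manifest)
    return {"seal": seal, "manifest_intact": manifest_digest(manifest) == seal,
            "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what turns a folder of copied files into preserved evidence: without it, a later analyst (or a court) has no way to show that the Prefetch file examined is the one that was collected. Hashing the manifest itself, and recording that single value somewhere the collection cannot alter, closes the obvious gap of someone rewriting the manifest along with the file.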

Parsing
The conversion of an artifact to a human-readable or interpretable format.

For example: converting a binary registry file into a hierarchically navigable view. This may (and should) also include converting binary timestamps to human-readable formats and accounting for different time zones.
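The timestamp half of parsing, worked as an added illustration (this is example code written for this article, not a parser from any tool on this page): the epochs and tick units below are the documented ones for Windows FILETIME, WebKit/Chrome, Unix, and Apple Cocoa timestamps, and the sample values are constructed.

```python
"""Decode the raw timestamps a parser meets and present them in UTC.

Added example for this article, not a parser from any tool on this page.
Epoch constants and tick units are the documented ones for each format;
sample values are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME, WebKit
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # Unix
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple Cocoa / Core Data


def filetime_to_dt(ft: int) -> Optional[datetime]:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC. 0 means 'not set'.
    Python's datetime stops at microseconds, so the last tick digit is
    dropped; keep the raw integer in the report when 100 ns precision matters."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def filetime_from_bytes(raw: bytes) -> Optional[datetime]:
    """8-byte little-endian FILETIME as stored in registry key headers,
    $MFT attributes, LNK files, and most other Windows binary artifacts."""
    (ft,) = struct.unpack("<Q", raw)
    return filetime_to_dt(ft)


def webkit_to_dt(us: int) -> datetime:
    """Chrome/WebKit: microseconds since 1601-01-01 UTC (FILETIME / 10)."""
    return EPOCH_1601 + timedelta(microseconds=us)


def unix_to_dt(secs: int) -> datetime:
    """Unix epoch seconds (ext4 inodes, syslog, most Linux/macOS artifacts)."""
    return EPOCH_1970 + timedelta(seconds=secs)


def cocoa_to_dt(secs: float) -> datetime:
    """Apple Cocoa / Core Data: seconds since 2001-01-01 UTC."""
    return EPOCH_2001 + timedelta(seconds=secs)


def render(dt: Optional[datetime], local_offset_hours: int = 0) -> str:
    """Show UTC first, then the examiner-chosen local offset. Never print a
    naive time: that is how evidence from different zones gets mis-ordered."""
    if dt is None:
        return "(not set)"
    local = dt.astimezone(timezone(timedelta(hours=local_offset_hours)))
    return f"{dt.isoformat()} | local {local.isoformat()}"


if __name__ == "__main__":
    # Constructed samples: the FILETIME and WebKit values both decode to 1970-01-01.
    samples = {
        "FILETIME": filetime_from_bytes(struct.pack("<Q", 116444736000000000)),
        "FILETIME zero": filetime_from_bytes(b"\x00" * 8),
        "WebKit": webkit_to_dt(11644473600000000),
        "Unix": unix_to_dt(1700000000),
        "Cocoa": cocoa_to_dt(0),
    }
    for name, dt in samples.items():
        print(f"{name:14s} {render(dt, local_offset_hours=-5)}")
```

The same raw integer means something different in each artifact, so a parser has to know which epoch a field uses before it can place the event on a timeline; mixing a FILETIME and a WebKit value without dividing by ten puts the event more than a millennium off.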

Automated Analysis
The process of identifying significant events from parsed data.

This may involve searching individual items (ex: searching an event log entry for specific features) or correlating activity across multiple items to identify unusual patterns (ex: identifying a logon event that falls outside a user’s regular pattern).
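The “logon outside a user's regular pattern” case above, worked as a correlation rule over parsed events. This is an added example, not the detection logic of any product in this chart; the events are constructed stand-ins for parsed Windows 4624 logon records, and the thresholds (a one-hour tolerance, three events of history) are arbitrary assumptions.

```python
"""Flag logons that fall outside a user's regular pattern.

Added example of correlation over parsed events, not the detection logic of
any tool in this article. Events are constructed stand-ins for parsed
Security.evtx 4624 records; thresholds are arbitrary assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample events: (user, time in UTC, workstation, logon type).
EVENTS = [
    ("jsmith", ts("2025-03-03 08:05"), "WS-JSMITH", 2),
    ("jsmith", ts("2025-03-04 08:12"), "WS-JSMITH", 2),
    ("jsmith", ts("2025-03-05 17:40"), "WS-JSMITH", 2),
    ("jsmith", ts("2025-03-06 09:01"), "WS-JSMITH", 2),
    ("jsmith", ts("2025-03-07 08:55"), "WS-JSMITH", 2),
    ("svc_backup", ts("2025-03-03 02:00"), "SRV-BACKUP", 5),
    ("svc_backup", ts("2025-03-04 02:00"), "SRV-BACKUP", 5),
    ("svc_backup", ts("2025-03-05 02:00"), "SRV-BACKUP", 5),
    ("contractor1", ts("2025-03-07 14:00"), "WS-TEMP", 2),
    # Evaluation window (at/after CUTOFF):
    ("jsmith", ts("2025-03-12 03:17"), "SRV-FILE01", 3),      # 03:17 network logon, new host
    ("jsmith", ts("2025-03-12 08:30"), "WS-JSMITH", 2),       # routine
    ("svc_backup", ts("2025-03-12 02:00"), "SRV-BACKUP", 5),  # routine service logon
    ("contractor1", ts("2025-03-12 14:05"), "WS-TEMP", 2),    # too little history to judge
]
CUTOFF = ts("2025-03-10 00:00")


def build_baseline(events, cutoff):
    """Per user: hours of day, workstations, and logon types seen before cutoff."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "types": set(), "n": 0})
    for user, when, host, ltype in events:
        if when < cutoff:
            b = base[user]
            b["hours"].add(when.hour)
            b["hosts"].add(host)
            b["types"].add(ltype)
            b["n"] += 1
    return base


def hour_is_regular(hour, baseline_hours, tolerance):
    """Circular distance on the 24-hour clock, so 23:xx and 00:xx are neighbours."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in baseline_hours)


def anomalous_logons(events, cutoff, tolerance_hours=1, min_history=3):
    """Return (user, time, host, reasons) for events at/after cutoff that
    deviate from that user's baseline. Thin baselines are reported explicitly
    rather than scored as if they were trustworthy."""
    base = build_baseline(events, cutoff)
    findings = []
    for user, when, host, ltype in events:
        if when < cutoff:
            continue
        b = base.get(user)  # .get() does not create an empty baseline
        if b is None or b["n"] < min_history:
            findings.append((user, when, host, ["insufficient baseline"]))
            continue
        reasons = []
        if not hour_is_regular(when.hour, b["hours"], tolerance_hours):
            reasons.append("unusual hour")
        if host not in b["hosts"]:
            reasons.append("new workstation")
        if ltype not in b["types"]:
            reasons.append("new logon type")
        if reasons:
            findings.append((user, when, host, reasons))
    return findings


if __name__ == "__main__":
    for user, when, host, reasons in anomalous_logons(EVENTS, CUTOFF):
        print(f"{when.isoformat()} {user:12s} {host:12s} {', '.join(reasons)}")
```

None of the three checks is meaningful on a single event; each compares one parsed record against the rest of that user's history, which is what separates correlation from a per-item signature match. The explicit “insufficient baseline” outcome matters in practice: a new account is exactly where a silent pass or a spurious alert would both be wrong.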

Manual Analysis
A human searching the parsed data for relevant events.

This may range from some level of automation (ex: running a keyword search for terms of interest) to simply going through events line by line. Needless to say, manual analysis is heavily dependent on the investigator's expertise and attention to detail.

Reporting
Communicating the findings of the investigation.

Note that the intended audience can vary widely in expertise, from legal professionals with minimal computer knowledge to system administrators seeking to improve their systems’ security.

NOTE
There are far too many definitions of the digital investigation or digital forensics lifecycle. We could bore you to tears with links to more than 20 academic papers on the topic. However, at the end of the day, it’s just semantics. If you’d like to explore different models, check out this discussion: “Getting Physical with the Digital Investigation Process,” by Carrier, Brian D., and Eugene H. Spafford.

Computer Forensic Tool Categories

Computer forensic tools can be classified into several categories. And, many tools can fall into multiple categories by fulfilling more than 1 specialized function.

Below, we break down the most popular categories, key features they provide, and some leading solutions that fulfill each.

Note that many tools perform 1 or a few specialized functions; covering all of them is beyond the scope of this article. Some useful resources for exploring these are: 

Targeted Collection
Definition: Accelerates investigations by collecting high-value artifacts and volatile data. Can operate on live or powered-off systems.
Key features:
  • Focuses on relevant evidence for prioritization.
  • Collects volatile data and key artifacts.
  • Fast, with small output files, but may miss some potential evidence.
  • Can be performed using remote agents or stand-alone executables.
    • Remote agents provide ongoing access to endpoints but must be in place before collection starts.
    • Stand-alone collectors are executables that can be run on the endpoint as needed, with minimal change and impact to the target system.
Examples: Cyber Triage, Velociraptor, KAPE, Unix-like Artifacts Collector (UAC)

Forensic Disk Imaging
Definition: Creating a copy of all accessible data on a computer disk drive, in a format that enables verification that the copy has remained unaltered.
Key features:
  • Minimizes the chance of missing potential evidence.
  • Time-consuming, with large output files.
Examples: FTK Imager, EnCase Imager, Guymager

Host Forensics
Definition: Comprehensive suite of parsers and interpreters that processes a large number of operating system and application artifacts into a human-digestible format.
Key features:
  • Enables comprehensive analysis of computer systems.
  • Parses a wide range of application and operating system artifacts, and may also support low-level searching and carving.
Examples: EnCase, Autopsy, X-Ways, FTK, Magnet Axiom

Computer Forensic Tools Comparison Chart

Lifecycle Stage | Cyber Triage | Magnet Axiom Cyber | Autopsy | Belkasoft X Corporate | EnCase | Nuix Workstation | FTK Forensic Toolkit | X-Ways | Forensic Explorer | Velociraptor | KAPE | Binalyze | EDR
Cost [1] | $3,500 | $12,000 | $0 | $14,200 | $3,500 | $20,000 to $1,000,000+ | $7,999 | $1,589 | $2,695 [2] | $0 | $0 [3] | Per endpoint | Per endpoint
Identification | Good | Good | Good | Moderate | Very good
Collection | TC | FDI, TC | FDI, TC | FDI | FDI, TC | FDI | FDI | FDI | TC | TC | FDI, TC | TC [4]
Preservation | TC | FDI, TC | FDI, TC | FDI | FDI, TC | FDI | FDI | FDI | FDI [5]
Parsing | Windows, Linux | Windows, Linux, macOS, mobile phones | Windows, Linux, macOS, mobile phones | Windows, Linux, macOS | Windows, Linux, macOS | Windows, Linux, macOS | Windows, Linux, macOS | Windows, Linux, macOS | Windows | Windows, Linux, macOS | Windows, Linux, macOS
Automated Analysis | Hash, Sigma, YARA, AV scanning, heuristics, user-configurable rules | Hash, Sigma, YARA | Hash [6] | Automation via user-developed scripting | Automation via user-developed scripting | Automation via user-developed scripting | Automation via user-developed scripting | Cisco ClamAV, CSAM image identification | Scriptable searches | Hash, Sigma
Collaboration [7] | X | X | X | X | X
Manual Analysis | Scoring, labels, comments | Labels, comments | Labels, comments | Bookmarks [8] | Comments | Labels | Bookmarks | Bookmarks | Notebooks | Bookmarks
User Interface | GUI client | Browser client | GUI client | GUI client | GUI client | GUI client | GUI client | GUI client | GUI client | Browser client | Text files | Browser client | Browser client

Computer Forensic Tools Comparison Chart Legend
TC = Targeted Collection
FDI = Full disk imaging

[1] Where prices are available, the price of a one-year base product has been listed. Some features and functionality may cost more. These numbers may not be 100% accurate; where the vendor does not advertise pricing, figures are based on publicly available information.
[2] Perpetual license with 12 months of updates.
[3] Free for non-commercial use.
[4] Forensic collection capabilities are generally available as an add-on for an additional charge.
[5] Only supports dd and EWF2 formats. dd is not considered to be a forensic container, and EWF2.
[6] With purchase of the Cyber Triage extension.
[7] Generally only available in specific versions of the software; less expensive single-user versions are also available.
[8] Bookmarks can be assigned to single or multiple items; in most (all?) cases, they include a single label and a description.

Computer Forensic Tool Examples

Cyber Triage

Known for: Rapid analysis and scoring.

Cyber Triage is an automated investigation platform that provides agentless remote data collection and Windows, Linux, and memory support. It uses a range of techniques, including internal heuristics, hash analysis, Yara scanning, Sigma rule processing, and malware analysis to identify signs of malicious activity on the endpoint. It specializes in rapid incident response, enabling investigators to quickly identify compromised hosts and make their next decisions fast. The tool is able to support between 80% and 95% of incident response investigation requirements, and it also has a “team” version that allows multiple investigators to collaborate on the same case.

The platform is the first to use Automated Analysis with internal heuristics, YARA rules, Sigma rules (through Hayabusa), and ReversingLabs hash analysis and malware scanning to score “Suspicious” and “Bad” items for prioritization during investigations. It also uses a correlation engine to identify related events after an item is scored as “Bad” or “Suspicious.”

To facilitate analysis (both manual and automated), Cyber Triage normalizes information in parsed artifacts to enable connections between individual events.

For collection, the tool uses a standalone Collector that can easily be deployed via EDR, RMM, or even USB! It uses an adaptive collection approach that processes key source files (e.g., Event Logs, Prefetch, Registry) on the system and collects related files and executables for further analysis.

Pros:
  • Fast: median collection time is under 30 minutes, and median parsing time is 11 minutes.
  • Information is normalized, allowing all related information to be grouped into a single searchable location (e.g., all processes run on the system in a single table).
Cons:
  • Targeted collection does not provide access to raw disk searching and file carving.
  • Focuses on operating system artifacts, with limited support for applications.


Magnet AXIOM Cyber

Known for: Parsing many artifacts.

Magnet AXIOM Cyber is a comprehensive digital investigations tool offering remote data collection, Windows, Mac, and Linux support, integration with Verakey for mobile data extraction, and cloud deployment.

This tool aids investigations with artifact analysis, providing data visualizations for comprehensive timelines and easy artifact pivoting, allowing investigators to perform deep-dive investigations. AXIOM Cyber uses YARA rule hits, MITRE ATT&CK mappings, active known connections, and hash-set matching against known malicious files to flag IOCs and present them in an IOC dashboard for review.

Forensic disk imaging can be performed with the free tool Magnet Acquire, while targeted collections are performed via an agent.

Magnet AXIOM Cyber provides many features and functions. With tuning, it can perform at moderate speeds; however, the parsing process does not fall into the rapid category.

Pros:
  • Data visualizations for evidence timelines and connections.
  • Uses AI to review chat and picture evidence for sensitive data.
  • Able to parse a very large range of operating system and application artifacts, including mobile devices and cloud sources.
Cons:
  • Limited threat intelligence resources result in more manual analysis.
  • Comparatively expensive.
  • Slow (mentioned above).

Autopsy

Known for: Most popular open source forensic analysis platform.

Autopsy is a free, open-source tool designed to be an end-to-end platform, shipped with modules and the option to add others from third parties.

Modules can provide timeline analysis, hash filtering, keyword search, data carving, malware scanning, and web artifact and multimedia extraction. Because of the tool’s open-source nature, it is customizable and has a strong associated community for help and development. However, it also requires more manual effort with limited built-in automation.

Developed by the same team that built Cyber Triage, it integrates with Cyber Triage to create a comprehensive forensic analysis platform.

Pros:
  • Free and open-source.
  • Very customizable, with options to produce custom modules.
Cons:
  • Dependent upon community support.
  • Limited support for mobile.

Belkasoft X Corporate

Known for: Comprehensive collaboration platform.

Belkasoft X is a digital forensics tool that supports mobile, computer, memory, and cloud data for extraction and analysis using Belkasoft R for remote acquisition and Belkasoft N for incident investigations.

Belkasoft X offers advanced data extraction and artifact recovery with forensic imaging to preserve evidence in its original state. The tool also recently incorporated AI chat to bring up the top 3 relevant artifacts for investigative inquiries. Known for its amount of features, the tool can have a steep learning curve, especially for the more advanced features.

It supports YARA and Sigma rules and uses hashset analysis to identify malicious items, shown in a separate tab for review, where users can further analyze using timelines and data visualizations.

Belkasoft X forensic (limited to law enforcement use) includes data collection and analysis from vehicle and drone devices.

Pros:
  • Read-only export option.
  • Data visualizations for connections.
  • Parses a wide range of operating system and application artifacts.
Cons:
  • Users have reported lagging issues with larger datasets.
  • Limited automation, requiring manual clicking to reach the desired result.
  • Steep learning curve for advanced features.

EnCase

Known for: One of the original forensic tools.

EnCase is a staple digital forensics tool known for supporting a wide array of devices to obtain data, its promise of maintaining data integrity, and claims of being “court-approved” despite the fact that there is no such thing. It is primarily focused on disk analysis and ingesting/parsing full disk images. There is also an enterprise version that supports remote analysis of endpoints via an agent.

The tool allows investigators to use EnScripts for automation as well as EnCase's guided workflows for artifact analysis. EnCase was previously known for its deep-dive artifact capabilities; as of 2024, OpenText has begun to incorporate its Artifact Explorer, which continues the “artifact-first” workflow by reducing the number of clicks and the time spent searching for relevant artifacts.

Pros:
  • EnScripts to automate repetitive tasks and parsing of new artifacts.
  • Advanced data carving for deep-dive capabilities.
Cons:
  • Steep learning curve.
  • Limited export format options.

Nuix Workstation

Known for: Fast search of large (massive) data.

Nuix's original claim to fame was its ability to parse many email database formats and perform high-speed searching. This foundation makes it a solid candidate for handling large and complex datasets and interpreting unstructured data at scale. Even on large datasets, users can gain immediate insights by reviewing and searching while Nuix continues processing.

It uses data-link analysis to uncover hidden connections and provide relationship mapping displayed using interactive data visualizations. It’s also known to support 1000+ file types as well as an extensive list of devices.

In addition to its core forensic analysis platform, Nuix also develops EDR and data analytics products.

Pros:
  • Handles large data sets.
  • Parses many data formats and sources.
Cons:
  • Steep learning curve.
  • Resource-intensive and expensive.

Which Tool for You?

Computer forensic tools are essential to most digital investigations: they collect and recover data, analyze artifacts, serve as investigative platforms, and report on data from hard drives, memory, and other storage devices.

With so many digital forensic tools available, an exhaustive list of all options is not feasible. However, understanding the categories a tool falls into, the investigation process, and a look into some options is the first step.

For a computer forensic tool that specializes in rapid incident response, enabling investigators to quickly identify compromised hosts and make their next decisions fast, try Cyber Triage. You can try it for free for 7 days here.