Forensic Toolkit Free Download


The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite. SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Who Created the SIFT?

Rob Lee created the original SIFT Workstation in 2007 to support forensic analysis in the SANS FOR508 class. Over the years, he and a small team have continually updated the SIFT Workstation for use in class, as well as for the wider community as a public resource. With over 125,000 downloads to date, the SIFT Workstation continues to be one of the most popular open-source incident-response and digital forensic offerings available.

  • EnCase Forensic. An effective tool for digital forensic investigation. EnCase® Forensic, the industry-standard computer investigation solution, is for forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process.
  • Forensic Toolkit. Computer forensics are slowly becoming a thing in companies.
  • Nov 19, 2021 FTK Imager is a forensic toolkit developed by AccessData that can be used to get evidence. It can create copies of data without making changes to the original evidence. This tool allows you to specify criteria, like file size, pixel size, and data type, to reduce the amount of irrelevant data.
  • Jul 18, 2021 Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices. It has been developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus project along with a.

Offered as an open source and free project, the SIFT Workstation is used in the following incident response courses at SANS:

Download Android-Free-Forensic-Toolkit for free. The development place of AFFT, a toolkit to automatically acquire. AFFT is a toolkit designed to automate the gathering of evidence from Android devices and apps. It is currently in the alpha stage and supports only a limited number of apps.

  • Enterprise-Class Incident Response course (FOR608 - set to debut in 2021)

'Even if SIFT were to cost tens of thousands of dollars, it would still be a very competitive product,' says Alan Paller, director of research at SANS. 'At no cost, there is no reason it should not be part of the portfolio in every organization that has skilled incident responders.'

'The SIFT Workstation has quickly become my ‘go to’ tool when conducting an exam. The powerful open source forensic tools in the kit on top of the versatile and stable Linux operating system make for quick access to most everything I need to conduct a thorough analysis of a computer system,' said Ken Pryor, GCFA, who has run countless cases supporting a variety of forensic and incident response priorities.

Key new SIFT Workstation features include:

  • Ubuntu LTS 20.04 Base
  • 64-bit base system
  • Better memory utilization
  • Auto-DFIR package update and customizations
  • Latest forensic tools and techniques
  • VM Appliance ready to tackle forensics
  • Cross compatibility between Linux and Windows
  • Option to install/upgrade stand-alone system via SIFT-CLI installer
  • Expanded Filesystem Support

SIFT Workstation Capabilities

The SIFT Workstation is a key tool during incident response, helping incident responders identify and contain advanced threat groups. It provides robust capabilities for analyzing file systems, network evidence, memory images, and more.

File system support

  • iso9660 (ISO9660 CD)
  • hfs (HFS+)
  • raw (Raw Data)
  • swap (Swap Space)
  • memory (RAM Data)
  • fat12 (FAT12)
  • fat16 (FAT16)
  • fat32 (FAT32)
  • ext2 (EXT2)
  • ext3 (EXT3)
  • ext4 (EXT4)
  • ufs1 (UFS1)
  • ufs2 (UFS2)

Evidence Image Support

  • raw (Single raw file (dd))
  • aff (Advanced Forensic Format)
  • afd (AFF Multiple File)
  • afm (AFF with external metadata)
  • afflib (All AFFLIB image formats (including beta ones))
  • ewf (Expert Witness format (encase))
  • split raw (Split raw files) via affuse
  • affuse - mount 001 image/split images to view single raw file and metadata
  • split ewf (Split E01 files) via
  • - mount E01 image/split images to view single raw file and metadata
  • ewfmount - mount E01 images/split images to view single raw file and metadata
  • vmdk
  • vhd/vhdx
  • qcow

Incident Response Support

  • Rapid Scripting and Analysis
  • Threat Intelligence and Indicator of Compromise Support
  • Threat Hunting and Malware Analysis Capabilities

Software Includes:

  • Plaso/log2timeline (Timeline Generation Tool)
  • Rekall Framework (Memory Analysis)
  • Volatility Framework (Memory Analysis)
  • 3rd Party Volatility Plugins
  • bulk_extractor
  • afflib
  • afflib-tools
  • ClamAV
  • dc3dd
  • imagemounter
  • libbde
  • libesedb
  • libevt
  • libevtx
  • libewf
  • libewf-tools
  • libewf-python
  • libfvde
  • libvshadow
  • lightgrep
  • Qemu
  • regripper and plugins
  • SleuthKit
  • Hundreds of additional tools

SIFT Workstation and REMnux Compatibility

REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. REMnux is used in SANS FOR610: Reverse Engineering Malware.

REMnux can be added into a SIFT Workstation installation. To install REMnux, first install the SIFT Workstation using the instructions found above. Then, follow these instructions to add the REMnux components.

SIFT Workstation How-Tos and Resources

Reporting Issues

Please report all issues, bugs, and feature requests to the GitHub project page, located here:

SIFT Workstation Testimonials

SIFT workstation is playing an essential role for the Brazilian national prosecution office, especially due to Brazilian government budgetary constraints. Its incident response and forensic capabilities are bundled in a way that allows an investigation to be conducted much faster than it would take if not having the right programs grouped on such a great Linux distribution. The new version, which will be bootable, will be even more helpful. I'd highly recommend SIFT for government agencies or other companies as a first alternative, for acquisition and analysis, from the pricey forensics software available on the market.

- Marcelo Caiado, M.Sc., CISSP, GCFA, EnCE

What I like the best about SIFT is that my forensic analysis is not limited because of only being able to run an incident response or forensic tool on a specific host operating system. With the SIFT VM Appliance, I can create snapshots to avoid cross-contamination of evidence from case to case, and easily manage system and AV updates to the host OS on my forensic workstation. Not to mention, being able to mount forensic images and share them as read-only with my host OS, where I can run other forensic tools to parse data, streamlining the forensic examination process.

- Brad Garnett

Forensic Toolkit
by AccessData Group, Inc.
Total downloads: 5,420 (15 last week)
Latest version:


The version of Forensic Toolkit is available as a free download on our software library. The latest installation package that can be downloaded is 2 GB in size.

The program is also known as 'AccessData Forensic Toolkit', 'AccessData Forensic Toolkit Client', and 'AccessData Forensic Toolkit DEMO'. Our antivirus analysis shows that this download is clean. The most popular versions of the software are 5.1, 5.0 and 4.2.

The actual developer of the program is AccessData Group, Inc. This PC software works fine with 32-bit and 64-bit versions of Windows XP/Vista/7/8/10. The default file names for this program's installer are Ftk.exe, ftk.bak.exe or FTK2.exe. The program lies within Development Tools, more precisely IDE.

From the developer:

Forensic Toolkit is a court-accepted digital investigations platform built for speed, stability and ease of use. It provides comprehensive processing and indexing up front, so filtering and searching is faster than with any other product. The database-driven, enterprise-class architecture allows you to handle massive data sets.

You may want to check out more software, such as Forensic Explorer, SQLite Forensic Explorer or Oxygen Forensic SQLite Viewer, which might be similar to Forensic Toolkit.