Live Forensics Tools

This article is an introduction to the most popular live forensics operating systems and tools.

Computer forensics is the search for evidence on technological devices such as computers, tablets, and cell phones for legal or investigative purposes.

Through computer forensics, evidence can be recovered even after deletion, and a suspect's or victim's physical location can be traced, among other possibilities.

This article focuses on a few of the most popular tools which are listed below.

Note: This article was originally written in 2018 and updated in 2022 to include new software.

Tsurugi Linux

Tsurugi Linux is a Linux distribution based on Ubuntu 20.04 LTS and developed for forensic purposes. It is designed for Digital Forensics and Incident Response (DFIR) as well as for Open Source Intelligence (OSINT).

There are three Tsurugi versions available. Tsurugi LAB is the full version and includes all features. Tsurugi Acquire is a light version optimized for booting devices and for working with mass storage devices. Unlike Tsurugi LAB, this version is based on Debian 10. Tsurugi Acquire can be loaded into RAM. The third version, Tsurugi Bento, includes hundreds of portable applications for forensic and incident response tasks.

Santoku Live Forensic Tool

Santoku is a Linux distribution which, in addition to security features, includes mobile forensics tools such as firmware flashing tools, imaging tools for RAM, media cards, and NAND, brute forcing of Android encryption, analysis of iPhone backups, and more.

It automatically detects connected mobile devices. You can also run the Santoku live system from a virtual machine with VMware or VirtualBox.

Santoku is among the best tools for mobile forensics.

Kali Linux (Forensics Mode)

The pentesting Kali Linux distribution includes a forensics mode that users can select upon boot.

In forensics mode, the device's hard drive remains untouched, as does the swap partition. Automounting of external devices is disabled, including for CDs.

CAINE Live Forensic Tool

CAINE is another Linux live distribution for computer forensics. It is among the most popular tools in the field and includes top-level forensics utilities such as Autopsy, Dcfldd, dc3dd, Ddrescue, Dvdisaster, Exif, Foremost, FileInfo, FiWalk, Fundl 2.0, FKLook, Fod, Fatback, GCalcTool, Geany, Gparted, gtk-recordmydesktop, Galleta, Gtkhash, Guymager, HDSentinel, Hex Editor (Ghex), HFSutils, Libewf, Lnk-parse, Log2Timeline, liveusb, MC, MD5deep, md5sum, Nautilus Scripts, NBTempo, ntfs-3g, Offset_Brute_Force, Pasco, Photorec, Read_open_xm, Reglookup, Rifiuti, Rifiuti2, Readpst, Scalpel, SQLJuicer, SFDumper 2.2, SSDeep, Stegbreak, Smartmontools, Shred, and more.

Helix E-Fense Live Response

This live forensics tool, developed for USB flash drives, was designed to collect volatile data before a computer shuts down. All collected data is stored on the USB flash drive. It is one of the most recommended tools for the first approach to the device under investigation.

Volatility Forensic Tool

Volatility is an interesting tool for analyzing and diagnosing a device's health after an attack has been detected. It is widely used in malware investigations and memory forensics.

Although it is not a live tool itself, it is already included in all of the forensics-focused Linux distributions listed previously.

LiME (Linux Memory Extractor)

LiME is a kernel module that collects the contents of volatile memory on Linux devices, including Android devices. It enables you to capture memory in full while reducing the interaction between the user and the system.

SIFT Workstation

This is a free collection of tools for carrying out forensic and incident response tasks at a professional level. Although it is included in this list, SIFT is not a live tool, but it can be installed on virtual machines.

Autopsy Forensic Tool

Autopsy provides a graphical interface for the Sleuth Kit, allowing you to carry out analysis and create visually friendly reports on forensic investigations.

It is easy to use, and its features include timeline analysis with a graphical event interface, keyword search to find files containing relevant terms, and web artifact extraction (history, bookmarks, and cookies) from Firefox, Chrome, and Internet Explorer.

Autopsy also provides tools for data carving, allowing you to recover deleted files from unallocated space, among other things.

While it's not a live tool itself, it is already included in all of the forensics-focused Linux distributions listed above. Autopsy is available for Linux, macOS, and Windows.

Computer forensics has evolved really fast. What was formerly an impossible task is today within reach of regular desktop users.

Most tools listed in this article have a user-friendly interface, making it possible for any user to carry out computer forensic tasks with the same credibility as a specialist: credibility backed by the open source nature of the tools described. Open source tools can't be easily rejected by opposing forensic specialists because they are transparent. This may represent an advantage over closed source tools.

As its title says, this article is focused on live tools, but some installable alternatives were included because of their amazing functionality. Keep in mind that Linux-compatible tools will definitely be useful for some mobile devices running Linux-based systems.

Thank you for reading this article which describes the most popular live forensics tools. Keep following us for more professional Linux related content.

About the author

David Adams

David Adams is a system administrator and writer who focuses on open source technologies, security software, and computer systems.