Live Forensics Tools

Computer forensics is the research of  evidence within technological devices such as computers, tablets, cell phones for legal or investigative purposes. Through computer forensics evidence can be recovered even after deletion, physical presence of the investigated suspect or victim can be traced and more. This article focuses on a few of the most popular tools which are listed below.

Computer Forensics Tools

Deft/Deft Zero live forensic tool: is an Ubuntu based Linux distribution oriented to computer forensics and evidence harvesting which allows to block writing permissions on hard disks to prevent their modification in the process of recovering evidence. It is open source and live, so there is no need to install it.  In the main menu you can access disks utilities from which you can see the storage devices connected.
DEFT contains over 1 GB of free and open source software to afford incidents in Microsoft Windows systems. You can get Deft Zero from

Santoku live forensic tool: Santoku is a Linux distribution which, additionally to security features includes mobile forensics tools such as firmware flashing, ram, media cards and NAND imaging tools, brute forcing Android encryption, analysing Iphone backups and more. It auto detects connected mobile devices. You can run Santoku live also from a virtual machine with VMware or Virtualbox. Santoku is among the best tools for mobile forensics. You can download Santoku Linux at, from Lubuntu installations you can run the script to add Santoku features to your current system.

CAINE live forensic tool:  CAINE is  another computer forensics Linux live distro, it is among the most popular tools in computer forensics and includes top level forensics tools such as Autopsy, Dcfldd, dc3dd, Ddrescue, Dvdisaster, Exif, Foremost, FileInfo, FiWalk, Fundl 2.0, FKLook, Fod, Fatback, GCalcTool, Geany, Gparted,gtk-recordmydesktop, Galleta, Gtkhash, Guymager, HDSentinel, Hex Editor (Ghex), HFSutils, Libewf, Lnk-parse,,  Log2Timeline, liveusb,, MC, MD5deep, md5sum, Nautilus Scripts, NBTempo,  ntfs-3g, Offset_Brute_Force, Pasco, Photorec, Read_open_xm, Reglookup, Rifiuti, Rifiuti2, Readpst, Scalpel, SQLJuicer, SFDumper 2.2 , SSDeep, Stegbreak, Smartmontools, Shred and more tools.

You can get CAINE from the official website at

Volatility forensic tool: Volatility is an interesting tool to analyze and diagnose devices health after the attack was detected, it is widely used for malware and memory forensics. Despite its not a live tool itself, it is already included in all Linux distributions focused on computer forensics listed above. Volatility can be downloaded from its official website at

The Sleuth Kit forensic tool: The Sleuth Kit is a text mode suite of tools for computer forensics which allows to analyze storage device images to research and recover evidence. Despite its not a live tool itself, it is already included in all Linux distributions focused on computer forensics listed above. It supports plugins allowing you to  add modules. The Sleuth Kit can be integrated with other forensic tools. While it works from the terminal there is an intuitive user friendly graphical interface Autopsy which runs The Sleuth Kit on the background. You can get The Sleuth Kit from its official website at

Autopsy forensic tool: Autopsy contains a graphical interface for the The Sleuth Kit, allows to carry out analysis and create visually friendly reports on forensic research. It is easy to use and its features include: timeline analysis with graphical event interface, keyword research to find files with relevant terms, web artifacts to extract history, bookmarks, cookies from Firefox, Chrome and Internet Explorer. Autopsy also brings tools for data carving allowing to recover files removed from unallocated space among more. while its not a live tool itself, it is already included in all Linux distributions focused on computer forensics listed above. Autopsy is available for Linux, Mac and Windows. You can download Autopsy from its official website at


Computer forensics evolved really fast, what was formerly an impossible task today became an accessible action for regular desktop users. Most tools listed in this article have a user friendly interface making it possible for any user to carry out computer forensic tasks with the same credibility an specialist would do, credibility backed by the open source characteristic of the tools described above. Open source tools can’t be easily rejected by forensic counterpart specialists because they are transparent.

I hope you found this brief article on Live Forensic Tools useful, thank you for reading it.

About the author

David Adams

David Adams is a System Admin and writer that is focused on open source technologies, security software, and computer systems.