Best Software and Hardware Tools for Computer Forensics
Author: Igor Mikhailov, Specialist at the Group-IB Computer Forensics Lab
The Cyber Forensics Toolkit
Computer forensics involves examining a wide range of digital devices and data sources. Both software and hardware tools are used in these investigations—many of which are quite expensive. Not every company, let alone an individual specialist, can afford such investments. At Group-IB, we don’t cut corners on tools, which allows us to conduct high-quality and efficient investigations.
Of course, my list of top tools differs from the global standard. This is due to regional specifics—some foreign programs can’t extract data from Russian messengers or don’t support the Russian language well (especially for search tasks)—as well as export restrictions that prevent Russian specialists from using the full range of global tools.
Mobile Forensics: Hardware Solutions
- Cellebrite UFED Touch 2 – Designed for fieldwork, this solution is split into two parts:
  - The proprietary Cellebrite UFED Touch 2 tablet (or UFED 4PC, a software version for computers/laptops) is used solely for data extraction.
  - UFED Physical Analyzer is the software component for analyzing extracted data.
The typical workflow is to extract data in the field with the UFED Touch 2, then analyze it in the lab with UFED Physical Analyzer. This suite currently supports data extraction from the widest range of mobile devices. However, some data may be missed during analysis due to recurring bugs in the software, so it’s recommended to double-check the completeness of the analysis.
- MSAB XRY / MSAB XRY Field – A Swedish alternative to Cellebrite, designed mainly for use on stationary computers or laptops. It comes with a proprietary USB hub and a set of adapters and data cables for connecting various mobile devices. MSAB also offers hardware versions (XRY Field and XRY Kiosk) in tablet and kiosk form. This product is less common in Russia but is effective for extracting data from older mobile devices.
- Rusolut Chip-Off Solutions – Polish-made hardware for chip-off data extraction (directly from memory chips), useful for damaged or locked devices. Rusolut offers adapter kits for specific device models, including those commonly found in “Chinese phones.” However, widespread encryption in modern devices has reduced the effectiveness of chip-off methods, as extracted data is often encrypted and difficult to decrypt.
Mobile Forensics: Software Solutions
As mobile devices have become more advanced, so have the tools for analyzing them. Today, investigators are expected to extract not just contacts, SMS, MMS, call logs, and media files, but also:
- Messenger app data
- Internet browsing history
- Geolocation data
- Deleted files and other removed information
All these types of artifacts can be extracted with the following software:
- Mobile Forensic Expert – One of the best programs for analyzing data extracted from mobile devices. It allows for maximum data extraction and includes integrated viewers for SQLite databases and plist files for in-depth manual analysis. However, it’s designed for desktop use and may be uncomfortable on smaller screens. The program is sensitive to file paths—if an app’s database path changes, it may skip the database, requiring manual investigation.
- Magnet AXIOM (Magnet Forensics, Canada) and Belkasoft Evidence Center (Belkasoft, Russia) – These “all-in-one” tools can analyze both mobile devices and hard drives, extract data from cloud storage, and perform analytics on all sources. While not as powerful for mobile extraction as dedicated hardware/software, they are excellent for analysis and verifying the completeness of extracted artifacts. Both are rapidly evolving and expanding their mobile forensics capabilities.
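When a parser skips a database because its path changed (the Mobile Forensic Expert caveat above), or when you want to double-check the completeness of a UFED Physical Analyzer run, the independent check is to enumerate every SQLite file in the extraction by signature rather than by path and compare that list with what the tool reported. The Python script below is an added example, not code from the article or from any tool it names; the directory layout, the package name com.example.chat and the set of paths the hypothetical parser is assumed to know are constructed.

```python
"""Inventory every SQLite database in a mobile extraction by file signature,
not by expected path, so a database an automated parser skipped (for
example after an app update moved it) still shows up for manual review.

Added example, not code from the article or from any tool it names. The
extraction layout, app package name and "parsed paths" set are constructed.
"""
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file


def is_sqlite(path: Path) -> bool:
    """True if the file starts with the SQLite 3 header, whatever its name."""
    try:
        with path.open("rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def inventory_db(path: Path) -> dict:
    """Return {table: row_count} for one database, opened read-only so the
    evidence copy is never modified. If the extraction also contains a -wal
    side file for this database, keep it next to the .db file, otherwise
    recent, not-yet-checkpointed rows will be invisible."""
    uri = path.resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in tables}
    finally:
        con.close()


def find_databases(root: Path, parsed_paths: set) -> dict:
    """Map each SQLite file under root (relative POSIX path) to its table
    inventory and whether the automated parser covered that path."""
    report = {}
    for p in root.rglob("*"):
        if p.is_file() and is_sqlite(p):
            rel = p.relative_to(root).as_posix()
            report[rel] = {"tables": inventory_db(p), "parsed": rel in parsed_paths}
    return report


def unparsed_databases(root: Path, parsed_paths: set) -> list:
    """Sorted paths of SQLite files the parser skipped: the manual worklist."""
    return sorted(rel for rel, info in find_databases(root, parsed_paths).items()
                  if not info["parsed"])


def build_sample_extraction(root: Path) -> None:
    """Constructed sample: a messenger database at the path a parser expects,
    a copy of it at a new path after a hypothetical app update, and one
    non-database file that must not be reported."""
    for rel in ("data/com.example.chat/databases/msgstore.db",
                "data/com.example.chat/files/v2/msgstore.db"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        con = sqlite3.connect(p)
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany("INSERT INTO messages(body) VALUES (?)",
                        [("hi",), ("ok",), ("bye",)])
        con.commit()
        con.close()
    cache = root / "data/com.example.chat/cache/thumb.bin"
    cache.parent.mkdir(parents=True, exist_ok=True)
    cache.write_bytes(b"\x00" * 64)


# Paths the hypothetical automated parser knows about (constructed).
PARSER_KNOWN_PATHS = {"data/com.example.chat/databases/msgstore.db"}


def run_demo() -> dict:
    """Build the sample extraction in a temp dir and return the full report
    plus the worklist of databases the parser would have skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_extraction(root)
        return {"report": find_databases(root, PARSER_KNOWN_PATHS),
                "unparsed": unparsed_databases(root, PARSER_KNOWN_PATHS)}


if __name__ == "__main__":
    result = run_demo()
    for rel, info in result["report"].items():
        flag = "" if info["parsed"] else "  <-- not covered by the parser, review manually"
        print(f"{rel}: {info['tables']}{flag}")
```

On a real extraction, point `find_databases` at the root of the file system dump and feed it the list of database paths the commercial tool reports as parsed; every path that comes back with `parsed: False` is a database to open in the tool's SQLite viewer by hand.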
Computer Forensics: Hardware Write Blockers
- Tableau T35U – A hardware write blocker that connects IDE and SATA drives (and, with adapters, other interfaces) to a forensic workstation over USB 3.0 while blocking all writes to the evidence drive. It can also be switched into a read-write mode, which is useful when analysing a malware-infected drive requires changes to be written to it.
- WiebeTech Forensic UltraDock v5 – Similar to the Tableau T35U but with more host interfaces (USB 3.0, eSATA, FireWire). It detects ATA-password-protected drives and can detect and remove a DCO (Device Configuration Overlay) so that the sectors it hides are included in the copy. Both blockers use USB 3.0 for fast and convenient cloning and analysis.
Computer Forensics: Software Solutions
Legacy Tools for Special Cases
- EnCase Forensic and AccessData FTK – Once the undisputed leaders, these tools are now less competitive. EnCase is still useful for investigating macOS computers, Linux servers, and rare file formats, thanks to its EnScript scripting language and extensive script library. FTK retains strong keyword search and case analytics but is slow when processing large drives. Both can handle hundreds of terabytes of data.
Modern and Growing Solutions
- Magnet AXIOM – The current leader, covering mobile device analysis, cloud extraction, macOS investigations, and more. Its user-friendly interface and broad functionality make it ideal for security incident investigations, including malware infections and data leaks.
- Belkasoft Evidence Center – The Russian counterpart to Magnet AXIOM, capable of extracting and analyzing data from mobile devices, cloud storage, and hard drives. It supports browser data, chats, cloud service info, encrypted files, file extraction by extension, geolocation, email, payment systems, social networks, thumbnails, system files, and logs. It also features remote data collection and integrated VirusTotal checks. The base version is affordable, with additional modules sold separately. However, the interface can be unintuitive, and training is recommended for effective use.
- X-Ways Forensics – Gaining popularity in Russia, this “Swiss Army knife” is fast, reliable, and compact. It excels at minimizing false positives during file recovery and supports email analysis, browser history, Windows logs, filtering, timeline creation, RAID reconstruction, virtual disk mounting, and malware detection. It’s especially effective for manual analysis of hard drives from DVRs and supports third-party extensions via its X-Tensions API. Downsides include a spartan interface, lack of a full SQLite viewer, and a steep learning curve.
Data Recovery: Hardware Solutions
The Russian market is dominated by ACELab, which produces hardware for analyzing, diagnosing, and recovering hard drives (PC-3000 Express, Portable, UDMA, SAS), SSDs (PC-3000 SSD), flash drives (PC-3000 Flash), and RAID arrays. ACELab’s high-quality products and pricing strategy have kept competitors at bay.
Data Recovery: Software Solutions
Despite the abundance of data recovery programs, only two stand out for their ability to reliably recover various file types across different file systems: R-Studio and UFS Explorer. Thousands of other programs fall short in functionality or performance.
Open Source Software
- Autopsy – A user-friendly tool for analyzing Windows computers and Android devices, featuring a graphical interface. Useful for investigating computer incidents.
- PhotoRec – One of the best free data recovery programs and a solid alternative to paid solutions. It recovers files by their signatures (file carving) without relying on the file system, so it also works on reformatted or badly damaged media.
- Eric Zimmerman Tools – A set of free utilities for parsing specific Windows artifacts (prefetch files, shellbags, LNK files, event logs, the $MFT, among others). Zimmerman’s KAPE (Kroll Artifact Parser and Extractor) is a separate free tool that collects these artifacts from a live system or an image and runs the parsers over them in one pass, which makes the combination highly effective for field incident response.
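PhotoRec and the file-recovery mode of X-Ways both work by carving: scanning raw sectors for file signatures instead of trusting the file system. The script below is an added example, not PhotoRec’s or X-Ways’ code, of that technique for JPEG, including the structural check that keeps false positives down: a candidate is accepted only if its marker segments chain cleanly from SOI to the SOS marker, so a stray FF D8 FF in unrelated data is rejected. The raw image it scans is constructed in memory.

```python
"""Signature-based carving of JPEG files from a raw image, the technique
behind PhotoRec-style recovery, plus a structural check that rejects the
false positives a naive header/footer carver produces.

Added example, not code from PhotoRec, X-Ways or any other tool named in
the article. The raw image below is constructed in memory.
"""
import struct

JPEG_SOI = b"\xff\xd8\xff"  # SOI marker followed by the first segment's FF
JPEG_EOI = b"\xff\xd9"


def jpeg_scan_offset(image: bytes, start: int) -> int:
    """Walk the length-prefixed marker segments of a JPEG whose SOI is at
    `start`. Return the offset just past the SOS segment (where entropy-coded
    scan data begins), or -1 if the chain is malformed. Random data that
    merely contains FF D8 FF almost never survives this walk."""
    i = start + 2
    while i + 4 <= len(image):
        if image[i] != 0xFF:
            return -1
        marker = image[i + 1]
        if marker == 0xFF:  # fill byte before a marker
            i += 1
            continue
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:  # RSTn, SOI, TEM: no length field
            i += 2
            continue
        seg_len = struct.unpack(">H", image[i + 2:i + 4])[0]
        if seg_len < 2:
            return -1
        i += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows this segment
            return i
    return -1


def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Return [(offset, bytes)] for every structurally valid JPEG in image.
    Inside scan data a 0xFF byte is always stuffed as FF 00 or is an RSTn
    marker, so the first FF D9 after SOS is the real end of the file."""
    found = []
    pos = image.find(JPEG_SOI)
    while pos != -1:
        scan = jpeg_scan_offset(image, pos)
        end = image.find(JPEG_EOI, scan) if scan != -1 else -1
        if end != -1 and end + 2 - pos <= max_size:
            found.append((pos, image[pos:end + 2]))
            pos = image.find(JPEG_SOI, end + 2)  # skip SOIs inside the carved file
        else:
            pos = image.find(JPEG_SOI, pos + 1)  # false positive, keep scanning
    return found


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF <marker> <2-byte length> payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _sample_jpeg(scan_data: bytes) -> bytes:
    """Constructed minimal JPEG skeleton: JFIF APP0, DQT, SOF0, DHT, SOS,
    scan data, EOI. Segment contents are placeholders; only the structure
    matters to the carver."""
    return (b"\xff\xd8"
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xDB, b"\x00" + bytes(range(64)))
            + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
            + _segment(0xC4, b"\x00\x01" + b"\x00" * 16)
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + scan_data + JPEG_EOI)


def build_sample_image() -> tuple:
    """Constructed raw image: slack, JPEG A, filler, a decoy that starts with
    FF D8 FF but has a zero segment length, more filler, JPEG B, slack.
    Returns (image, [expected carved files in order])."""
    jpeg_a = _sample_jpeg(b"\x12\x34\xff\x00\x56\x78")   # note the stuffed FF 00
    jpeg_b = _sample_jpeg(b"\xab\xcd\xff\xd0\xef")       # contains an RST0 marker
    decoy = b"\xff\xd8\xff\x41\x00\x00ZZZZ" + JPEG_EOI   # 12 bytes, not a JPEG
    image = (b"\x00" * 512 + jpeg_a + b"\x7f" * 100 + decoy
             + b"\x00" * 200 + jpeg_b + b"\x00" * 64)
    return image, [jpeg_a, jpeg_b]


if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, data in carve_jpegs(image):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```

Against a real image, read it in chunks with an overlap of at least the maximum segment walk, and treat the rejected candidates as the list of “false positive” hits a header-only carver would have written to disk.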
Linux-Based Distributions
- SIFT – A Linux distribution developed and maintained by the SANS Institute (the cybersecurity training organization) for incident investigation. It bundles up-to-date versions of free data extraction and analysis tools and is regularly updated alongside SANS training programs.
- Kali Linux – A Linux distribution used for both security auditing and forensic investigations. The book “Digital Forensics with Kali Linux” by Shiva V. N. Parasram (Packt Publishing, 2017) offers guidance on imaging, investigating, and analyzing computers, drives, memory dumps, and network traffic using Kali’s built-in tools.
Conclusion
This overview is based on my hands-on experience with the hardware and software tools described, used in computer and mobile device forensic investigations. I hope this information will be useful for specialists planning to acquire tools for computer forensics and incident response.