These are the 15 tools a working DFIR analyst or investigator actually uses most often — across imaging, memory, log, and network forensics.
| Category | Tool | Purpose |
|---|---|---|
| Disk Imaging & Acquisition | FTK Imager | Create forensic disk images, preview evidence safely, verify hashes. |
| Disk Imaging & Acquisition | Guymager | Fast, reliable disk imaging on Linux; supports E01 and raw formats. |
| Disk & File Analysis | Autopsy / Sleuth Kit | Open-source suite for file recovery, timeline, and keyword searches. |
| Disk & File Analysis | X-Ways Forensics | Lightweight commercial suite for deep file system and hex analysis. |
| Memory Forensics | Volatility 3 | Analyze RAM dumps for processes, malware, and system artifacts. |
| Network Forensics | Wireshark | Capture and analyze network traffic; identify protocols and anomalies. |
| Network Forensics | NetworkMiner | Extracts files, images, and credentials from packet captures. |
| Timeline & Artifact Analysis | Log2Timeline / Plaso | Build system activity timelines from diverse artifacts. |
| Timeline & Artifact Analysis | Timesketch | Visualize and interact with forensic timelines. |
| Windows Artifact Parsing | KAPE | Automates rapid collection and parsing of Windows artifacts. |
| Windows Artifact Parsing | Registry Explorer / RECmd | Examine and extract Windows Registry data. |
| Incident Response / Endpoint Collection | Velociraptor | Live response and forensic collection at scale. |
| Incident Response / Endpoint Collection | Cyber Triage | Guided triage and scoring tool for compromised hosts. |
| Reporting & Case Management | Hunchly | Capture and document online evidence for reports and OSINT. |
| Hashing & Verification | HashCalc / md5deep / hashcat | Verify integrity of evidence and perform hash-based searches. |
For professionals handling specific domains (mobile, cloud, IoT, SCADA, etc.), these expand your investigative capabilities: