Top 10 Free DFIR Tools for 2023

Work Tips

DFIR tools allow a qualified DFIR investigator to gather essential clues while preserving the business continuity with minimal disruption. The objective is to discover whether a breach has taken place, what are the circumstances surrounding it, who is behind it, and similar. Above all, the aim should be to salvage what can be saved and prevent a cyber security incident from becoming a full-blown cyber security disaster.

To avoid having to spend countless hours manually traversing the system and network architecture when searching for answers, these digital forensics tools will drastically speed up the process. Best of all, they come with an open source license, meaning they are free to use forever, even for commercial purposes.

In case you’d like to know more about the topic at hand, we suggest you read some of the previous articles we’ve published, including our introduction to DFIR and a more in-depth guide where we focus on the 6 phases of a cyber security incident response plan.

With that out of the way, here are the top 10 free DFIR tools you can use to increase the quality, speed, and accuracy of any cyber security incident investigation:


Being of French origin, the full name of DFIR ORC stands for “Outil de Recherche de Compromission”. DFIR ORC was written in C++ and the project is still being maintained to this very day. Its core features allow you to collect essential clues to solving a crime, including:

  • Event logs
  • MFT
  • Registry hives

The key thing to keep in mind is that DFIR ORC is not suitable for analyzing data; rather, you are meant to use it for collecting a forensically sound image snapshot without disrupting the production environment. Note that in order to use this fully scalable open source digital forensic tool, you must build and configure it first, which some may consider as it has a steep learning curve. However, once properly configured, using it shouldn’t be that difficult.

This DFIR cyber forensics tool is particularly suitable for use on larger Microsoft Windows databases. However, you should keep in mind it doesn’t have the capacity to identify whether the target operating system has been compromised. It only collects data which must then be sent to a qualified digital forensics database specialist.

After you’re done collecting the database data, you can then use advanced digital forensic tools such as SalvationDATA’s DBF to analyze it and determine where the hierarchical connections lie, which can help you crack a case you’re investigating. In case the database is password-protected, DBF will help you bypass it with ease. On top of it all, you don’t need to be tech-savvy to use it, and it works on all types of databases, including relational and non-relational.


2. Aurora Incident Response

If you’re looking for a tool that’s geared towards DFIR cyber security scenarios, consider taking a look at Aurora Incident Response. In essence, this is a powerful graphical tool that will help you visualize when an incident has taken place, what the order of events was, and how they’re all interconnected, which is something similar to what SalvationDATA’s Digital Forensic Lab can do (except better and much more refined).

With Aurora Incident Response, you can finally kiss those hard-to-visualize spreadsheets goodbye and replace them with a lateral movement and visual timeline that helps you pinpoint how individual events may be interconnected. Suitable for small and large-scale DFIR incident investigations alike, this is one of the most powerful DFIR tools that will help you:

  • Track findings
  • Generate reports
  • Manage tasks
  • Visualize findings

Since the tool is in constant development, you can count on several updates and functionality improvements in the future. It’s available for:

  • Windows
  • macOS
  • Linux


3. EZ Tools

Given how traversing through a wealth of data that resides in Windows computers can often be an insurmountable challenge, the talented crew at SANS Institute has released EZ Tools, a powerful set of DFIR tools that will cut down the length of the investigation to a mere fraction it would take doing it the traditional way. In fact, its developers promise the digital forensics tool has the capacity to reduce the time of investigation down to mere minutes if you know how to use it correctly.

As you can see from the screenshot below, this is a command-line tool. Unfortunately, this means you’re going to have to be proficient with a bit more IT knowledge than a GUI-based tool would require. Thankfully, the official site lists helpful tutorials on how to make the most of it, provided that you have the time to learn its intricacies and apply them to the case you’re working on.

If, however, you’re looking for something more user-friendly, we invite you to take a look at SalvationDATA’s product catalog where you will find cutting-edge solutions suitable for all sorts of digital forensic investigations that have to do with databases, recordings, and video files, smartphones, computer systems, big data, and much more.


4. Diffy

Diffy is the result of development and research by Netflix’s Security Intelligence and Response Team (SIRT). Unlike some of the other free DFIR tools we’ve mentioned, this one serves the specialized purpose of analyzing a compromised instance that’s running in the cloud and deciding on your next move.

In case you’re planning to come to the bottom of what happened in a Linux instance running on AWS, this is the perfect solution, and it’s also compatible with other cloud providers. It supports the following environments:

  • AWS
  • Local
  • osquery

But why is it called Diffy? As you’ll soon find out, the way it was named was not a fluke; this tool allows you to identify the differences between instances so you can conclude whether any of them was altered in any way.

Usage scenarios include helping you see which instances are:

  • Listening to a suspicious port
  • Leaning on a strange kernel module
  • Running weird processes
  • Feature an unusual crontab entry


5. Cold Disk Quick Response (CDQR)

Cold Disk Quick Response or CDQR for short is a free DFIR tool developed by Alan Orlikoski. It integrates Plaso as an efficient disk image parsing solution that can also automatically generate reports, which may remind you of SalvationDATA’s DRS and its reporting feature that automatically produces reports that are sustainable in court.

Apply for a Free Trial Now!

CDQR has the capacity to identify items with similar characteristics and group them together to make the investigation smoother and more efficient. The design of this command-line-based tool is centered around the Live Response Model, allowing you to focus on what’s most important. Once the tool is done analyzing, you can view results in one of the following formats:

  • JSON
  • CSV
  • ElasticSearch

Note that CDQR is based on Python 3, meaning you should ideally have some prior experience with the programming language to make the most of it. However, everything you need to know can be learned on the project’s official GitHub website, where you’ll also get a chance to learn about its configuration options.


6. Cortex

During a digital forensics investigation, one of the most common situations you’ll encounter is how to analyze observables, and Cortex is one of the rare DFIR tools specifically designed to mitigate the problem. One of the core concepts of its design is to allow you to analyze a mass of data you’ve collected using a single tool rather than having to rely on using a combination of multiple tools.

So what are observables? The list includes:

  • Domain names
  • Hashes
  • URLs
  • IP addresses
  • Email addresses
  • Files
  • etc.

Through an interactive interface, you’ll be able to analyze all of them and more, thus having a powerful free digital forensics and incident response tool in your arsenal. By using the REST API, digital forensic analysts also have the option of automating some of the workflows. The good news is that Cortex features a front-end interface, so learning how to use it properly shouldn’t take too much time.

Furthermore, it integrates roughly 40 third-party analyzers, including the one provided by VirusTotal.


7. Intezer

Intezer is one of the multi-purpose DFIR tools that you can utilize during a digital forensics investigation. Not only does it let you take a proactive approach to threat hunting, but also points you in the right direction by weeding out any false positives you may encounter along the way.

To give you a better general overview of what Intezer can do, it comes down to:

  • Tracking track actors
  • Discovering malware
  • Identifying similar events in the past
  • Analyzing files
  • Checking URLs
  • Assessing a profile risk
  • Identifying false positives

If you ever find yourself in the midst of a phishing investigation, Intezer is one of the top DFIR tools for the job. This will give you valuable insights into what led to the situation and let you reverse engineer it to gather valuable clues.

Intezer Analyze

8. TheHive Project

TheHive Project is, as the authors themselves describe it, a security incident response for the masses. In other words, this is an open-source DFIR cyber security tool with a neat-looking GUI that lets DFIR investigators do their job swiftly, securely, and effectively.

As described on the official website, TheHive Project lets you:

  • Collaborate: Thanks to the built-in live stream functionality, digital forensic experts can collaborate with law enforcement officers in an investigation.
  • Elaborate: Through accurate industry metrics, fully automate tedious and repetitive tasks, and tag important pieces of evidence.
  • Act: Add observables to a case or send out alerts directly from the platform. Through industry insights, you will be able to identify DFIR security threats and speed up the pace of the investigation.
  • Write: Create your very own analyzer using any programming language of your choosing.
  • Run: Import several observables at once. Then, you can analyze them, parse them, or display them any way you want.
  • Execute: Explore the implemented analyzers such as VirusTotal, Google Safe Browsing, Shodan, Onyphe, PassiveTotal, Joe Sandbox, DomainTools, and many others.

Edit Case Template

9. Kansa

Kansa is a modular DFIR incident response framework written in PowerShell. With the help of user-contributed modules, it allows you to collect data in the event of a data breach and provide you with much-needed incident response support.

Since it’s command-line-based, some prior technical experience is recommended, although it can be learned. With Kansa, you will be able to discover not only what systems have been (or are) under attack, but also swiftly respond to them. Since it comes with an open source license, it’s free to use without restrictions.

Alongside the core script, you will also get access to several collector modules and add-on scripts that will help you analyze the data gathered during an investigation. One of its key advantages is that it makes collecting data from several sources easier, which aligns with the philosophy of SalvationDATA’s Digital Forensic Lab.

Contact us to apply for a Free Trial Now!

While both will help you accomplish similar objectives, Digital Forensic Lab is far less technically demanding to use and also comes with 24/7 support that will help you resolve any obstacles you may be facing along the way, which is something no open source digital forensics solution can offer.

10. CAPEv2

If you want to contain malware or test whether the files are infected in a safe and isolated environment, CAPEv2 is the answer. What makes it so great is the fact that it comes with automated malware unpacking features and config extraction, which is bound to save you some valuable time during an investigation.

To safely isolate and analyze malware payload during a DFIR incident response, CAPEv2 employs several techniques, including:

  • DLL injection
  • Process hollowing
  • Shellcode injection
  • Process doppelganging

CAPEv2 has the capacity to detect many malware families, including:

  • TrickBot
  • Emotet
  • Screech
  • TSCookie
  • Ursnif
  • RedLeaf
  • and more

Capev2 Sandbox


Thanks to DFIR tools, finding the answers to a cyber incident has never been easier. Best of all, this is a constantly-evolving space, so we can expect even more innovation in the years to come.

But for right now, these are our top recommendations, suitable for multiple scenarios.

Take your pick!