Disk Tools & Data Capture

You can access forensic software for disk tools and data capture.

Arsenal Image Mounter

Mounts disk images as complete disks in Windows, giving access to Volume Shadow Copies, etc.


Disk2vhd is a utility that creates VHD versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs).


The current version of DumpIt supports from Windows XP until Windows 10 64-bits, and provides extra information during the acquisition such as displaying the Directory Table Base and the address of the debugging data structures.

EnCase Forensic Imager

Create EnCase evidence files and EnCase logical evidence files.

Encrypted Disk Detector

Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes.

FAT32 Format

Enables large capacity disks to be formatted as FAT32.

Forensics Acquisition of Websites

The reference software for the forensic acquisition of web pages. Recognized by forensic communities around the world as a valuable tool to crystallize web pages.

FTK Imager

Imaging tool, disk viewer and image mounter.


Guymager is a free forensic imager for media acquisition. Its main features are: Runs under Linux, Makes full usage of multi-processor machines. Generates flat (dd), EWF (E01) and AFF images, supports disk cloning.

Live RAM Capturer

Belkasoft Live RAM Capturer is a tiny free forensic tool that allows to reliably extract the entire contents of computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available in order to minimize the tool’s footprint as much as possible.


NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic.


Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls.

Magnet RAM Capture

Magnet Ram Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.


OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.


OSFMount allows you to mount local disk image files (bit-for-bit copies of an entire disk or disk partition) in Windows as a physical disk or a logical drive letter.


Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level.