awesome-forensics
List of libraries that can be used in forensic software. This is mostly just an extension of the overview of github.com/libyal/libyal, which is an insane collection of parsers. View a little wider: http://cugu.github.io/awesome-forensics/LIBS
| URL | Description (Language) | Last Commit | Stars | License |
|---|---|---|---|---|
| Forensic Artifact Handling | ||||
| artifactlib | Process forensic artifact definition files (Go & Python) |  |
 |
 |
| artifacts | Process forensic artifact definition files (Python) |  |
 |
 |
| High Level File System Parser | ||||
| fslib | Parse filesystems, archives and other data types (Go) |  |
 |
 |
| dfvfs | Digital Forensics Virtual File System (Python) |  |
 |
 |
| pytsk | Bindings for The Sleuth Kit (libtsk) (Python) |  |
 |
 |
| Store | ||||
| forensicstore | A forensics storage format (Go & Python) |  |
 |
 |
| acstore | Attribute Container store (Python) |  |
 |
 |
| Cross-platform Functionality | ||||
| libcdata | generic data functions (C) |  |
 |
 |
| libcdatetime | date and time functions (C) |  |
 |
 |
| libcdirectory | directory functions (C) |  |
 |
 |
| libcerror | error functions (C) |  |
 |
 |
| libcfile | file functions (C) |  |
 |
 |
| libclocale | locale functions (C) |  |
 |
 |
| libcnotify | notification functions (C) |  |
 |
 |
| libcpath | path functions (C) |  |
 |
 |
| libcsplit | split string functions (C) |  |
 |
 |
| libcthreads | threads functions (C) |  |
 |
 |
| dfdatetime | Digital Forensics date and time (Python) |  |
 |
 |
| Data Formats | ||||
| libcaes | AES encryption functions (C) |  |
 |
 |
| libfcache | generic file data cache functions (C) |  |
 |
 |
| libfcrypto | encryption formats (C) |  |
 |
 |
| libfdata | generic file data functions (C) |  |
 |
 |
| libfdatetime | for date and time formats (C) |  |
 |
 |
| libfguid | for GUID/UUID format (C) |  |
 |
 |
| libfmapi | for Message API (MAPI) data types (C) |  |
 |
 |
| libfole | for Object Linking and Embedding (OLE) data types (C) |  |
 |
 |
| libfplist | for plist formats (C) |  |
 |
 |
| libftxf | for Transactional NTFS (TxF) data types (C) |  |
 |
 |
| libftxr | for Transactional Registry (TxR) data types (C) |  |
 |
 |
| libfusn | for Update Sequence Number (USN) Journal data types (C) |  |
 |
 |
| libfvalue | generic file value functions (C) |  |
 |
 |
| libfwevt | for Windows XML Event Log (EVTX) data types (C) |  |
 |
 |
| libfwnt | for Windows NT data types (C) |  |
 |
 |
| libfwps | for Windows Property Store data types (C) |  |
 |
 |
| libfwsi | for Windows Shell Item data types (C) |  |
 |
 |
| libhmac | Hash-based Message Authentication Codes (HMAC) (C) |  |
 |
 |
| libuna | Unicode and ASCII (byte string) conversions (C) |  |
 |
 |
| File Formats | ||||
| libagdb | Windows SuperFetch database format (C) |  |
 |
 |
| libcreg | Windows 9x/Me Registry File (CREG) format (C) |  |
 |
 |
| libesedb | Extensible Storage Engine (ESE) Database File (EDB) format (C) |  |
 |
 |
| libevt | Windows Event Log (EVT) format (C) |  |
 |
 |
| libevtx | Windows XML Event Log (EVTX) format (C) |  |
 |
 |
| libexe | PE/COFF Executable (EXE) format (C) |  |
 |
 |
| libgzipf | GZIP file format (C) |  |
 |
 |
| liblnk | Windows Shortcut File (LNK) format (C) |  |
 |
 |
| libmdmp | Windows Minidump (MDMP) format (C) |  |
 |
 |
| libmsiecf | Microsoft Internet Explorer (MSIE) Cache File (index.dat) format (C) |  |
 |
 |
| libnk2 | Microsoft Outlook Nickfile (NK2) format (C) |  |
 |
 |
| libnsfdb | Notes Storage Facility (NSF) database file format (C) |  |
 |
 |
| libolecf | OLE 2 Compound File (OLECF) format (C) |  |
 |
 |
| libpff | Personal Folder File (PFF) format (C) |  |
 |
 |
| libregf | Windows NT Registry File (REGF) format (C) |  |
 |
 |
| libscca | Windows Prefetch File (SCCA) format (C) |  |
 |
 |
| libwtcdb | Windows (Vista/7) Explorer thumbnail cache database format (thumbcache.db) (C) |  |
 |
 |
| dfwinreg | Digital Forensics Windows Registry (dfWinReg) (Python) |  |
 |
 |
| evtx | Parser for Microsoft Event Logs (Go) |  |
 |
 |
| go-prefetch | A implementation of a prefetch parser. (Go) |  |
 |
 |
| python-evt | Parser for classic Windows Event Log files (.evt) (Python) |  |
 |
 |
| python-evtx | Parser for recent Windows Event Log files (.evtx) (Python) |  |
 |
 |
| python-registry | Parser for Windows Registry hives. (Python) |  |
 |
 |
| python-sdb | Parser for Application Compatibility Shim Databases (.sdb files) (Python) |  |
 |
 |
| In-file Formats | ||||
| libmapidb | Exchange MAPI database format (C) |  |
 |
 |
| libwrc | Windows Resource Compiler (WRC) format (C) |  |
 |
 |
| File System Formats | ||||
| libfsapfs | Apple File System (APFS) format (C) |  |
 |
 |
| libfsclfs | Common Log File System (CLFS) format (C) |  |
 |
 |
| libfsext | Extended File System (EXT) format (C) |  |
 |
 |
| libfshfs | Hierarchical File System (HFS) format (C) |  |
 |
 |
| libfsntfs | New Technology File System (NTFS) format (C) |  |
 |
 |
| libfsrefs | Resilient File System (ReFS) format (C) |  |
 |
 |
| go-ntfs | An NTFS file parser (Go) |  |
 |
 |
| python-ntfs | Library for NTFS analysis (Python) |  |
 |
 |
| Volume (System) Formats | ||||
| libbde | BitLocker drive encryption (BDE) (C) |  |
 |
 |
| libfvde | FileVault drive encryption (FVDE) (C) |  |
 |
 |
| libluksde | LUKS Disk Encryption (C) |  |
 |
 |
| libvsgpt | GUID Partition Table (GPT) volume system format (C) |  |
 |
 |
| libvshadow | Volume Shadow Snapshot (VSS) format (C) |  |
 |
 |
| libvslvm | Linux Logical Volume Manager (LVM) volume system format (C) |  |
 |
 |
| libvsmbr | Master Boot Record (MBR) volume system format (C) |  |
 |
 |
| Storage Media Image Formats | ||||
| pyaff4 | A implementation of the AFF4 standard. (Python) |  |
 |
 |
| libewf | Expert Witness Compression Format (EWF) image format (C) |  |
 |
 |
| libhibr | Windows Hibernation File (hiberfil.sys) format (C) |  |
 |
 |
| libmodi | Mac OS disk image formats (C) |  |
 |
 |
| libodraw | optical disc (split) RAW image format (bin/cue, iso/cue) (C) |  |
 |
 |
| libphdi | Parallels Hard Disk image format (C) |  |
 |
 |
| libqcow | QEMU Copy-On-Write (QCOW) image format (C) |  |
 |
 |
| libsmdev | storage media devices (C) |  |
 |
 |
| libsmraw | (split) RAW image format (C) |  |
 |
 |
| libvhdi | Virtual Hard Disk (VHD) image format (C) |  |
 |
 |
| libvmdk | VMware Virtual Disk (VMDK) format (C) |  |
 |
 |
| aff4 | Advanced Forensic File Format 4 (Python (& C)) |  |
 |
 |
| c-aff4 | An AFF4 C++ implementation. (C++) |  |
 |
 |
| Utility Libraries | ||||
| libbfio | basic file input/output abstraction (C) |  |
 |
 |
| libsigscan | binary signature scanning (C) |  |
 |
 |
| libtableau | read metadata from Tableau(TM) forensic bridges (write blockers) (C) |  |
 |
 |