Linux Forensics Tools
Disk Imaging and Analysis
dd
Creates raw disk and memory images.
dcfldd
An enhanced version of dd with hashing and logging support.
ewf-tools
Creates and processes Expert Witness Format (EWF) disk images.
guymager
A GUI-based disk imaging tool for Linux.
parted
Command-line tool for managing and analyzing disk partitions.
gparted
A GUI-based partition editor. Useful for non-destructive analysis.
testdisk
Recovers lost partitions and repairs disk structures.
Log Analysis
log2timeline
Part of Plaso; generates a timeline from system and application logs.
journalctl
Queries and filters systemd journal logs for forensic analysis.
syslog-ng
Collects and processes logs for centralized analysis.
logwatch
Summarizes and reports log file activity.
Network Forensics
wireshark
GUI-based network traffic analyzer.
tcpdump
Command-line packet capture tool.
ngrep
Network traffic search tool, similar to grep.
netcat
Basic network investigation and data transfer.
dsniff
Captures passwords and other data from network traffic.
NetworkMiner
Extracts files, credentials, and metadata from network captures.
tshark
Command-line version of Wireshark.
Bro/Zeek
A powerful network monitoring framework for detailed traffic analysis.
Timeline and Correlation Analysis
Plaso
Framework for log timeline generation and correlation.
mactime
Parses timeline data from forensic tools such as The Sleuth Kit.
Timesketch
Web-based collaborative timeline analysis tool.