Documentation BENTO DFIR toolkit
Tools listing [2022.7]
For copyright reasons, some tools are not present by default, but the user can easily import them using the Bento menu.
IMAGING
- FTK Imager Lite
- Belkasoft Acquisition Tool
- DMDE (x64)
- DMDE (x86)
- HDDRawCopy
- Magnet RAM Capture
- RamCapture x64
- RamCapture x86
- Winpmem
- ftkimager CLI x86
- AVML
- COPY:
- FastCopy (x64)
- FastCopy (x86)
- QuickHash GUI (x64)
- QuickHash GUI (x86)
- TeraCopy
- BURN:
- DeepBurner
HASHING
- HashMyFiles
- HashMyFiles x64
- SFV Ninja
- PS Hash
SYS INFO
- WinAudit
- WizTree
- HARDWARE:
- HWiNFO (x64)
- HWiNFO (x86)
- BatteryInfoView
- DevManView x86
- DevManView x64
- DiskCountersView
- FirmwareTablesView
- FirmwareTablesView x64
- SSD-Z Portable
- OPERATING SYSTEM:
- StartupRun
- WhatInStartup
- WhatInStartup x64
- DriveLetterView
- DriveLetterView x64
- DriverView
- DriverView x64
- InstalledDriversList
- InstalledDriversList x64
- InstalledPackagesView
- InstalledPackagesView64
- JRView
- ProduKey
- ProduKey x64
- SecuritySoftView
- PROCESSES:
- CrowdInspect
- AdvancedRun
- AdvancedRun x64
- AllThreadView
- AllThreadView x64
- CurrProcess
- DeviceIOView
- DeviceIOView x64
- FileAccessErrorView
- FileAccessErrorView x64
- FileActivityWatch
- FileActivityWatch x64
- FolderChangesView
- GUIPropView
- GUIPropView x64
- HeapMemView
- HeapMemView x64
- InjectedDLL
- LoadedDllsView
- LoadedDllsView x64
- Process Hacker x86
- Process Hacker x64
- ProcessActivityView x64
- ProcessTCPSummary
- ProcessTCPSummary x64
- ProcessThreadsView
- SysExporter
- SysExporter x64
- TaskSchedulerView
- TaskSchedulerView x64
- WinLister
- WinLister x64
- SEARCH:
- Search my Files
- SearchMyFiles
- SearchMyFiles x64
- UltraSearch x86
- UltraSearch x64
- SHELL:
- Windows 10 (x86)
- Windows 10 (x64)
- Windows 7 (x86)
- Windows 7 (x64)
- Windows Vista (x86)
- Windows XP (x86)
- Windows 2003 (x86)
- Windows 2000 (x86)
- SYSINTERNALS:
- AccessChk
- AccessChk64
- AccessEnum
- AdExplorer
- AdInsight
- AdRestore
- Autologon
- Autoruns
- Autoruns64
- AutorunsC
- AutorunsC64
- BgInfo
- BgInfo64
- CacheSet
- ClockRes
- ClockRes64
- Contig
- Contig64
- Coreinfo
- Ctrl2cap
- DebugView
- Desktops
- Disk Usage (DU)
- Disk Usage (DU) 64
- Disk Usage (DU.md)
- Disk Usage (DU.md) 64
- Disk2vhd
- DiskView
- EFSDump
- FindLinks
- FindLinks64
- Handle
- Handle64
- Hex2dec
- Hex2dec64
- Junction
- Junction64
- LDMDump
- ListDLLs
- LiveKd
- LiveKd64
- LoadOrder
- LoadOrder64
- LoadOrderC
- LoadOrderC64
- LogonSessions
- LogonSessions64
- MoveFile
- MoveFile pendmoves
- NotMyFault
- NotMyFault64
- NotMyFaultC
- NotMyFaultC64
- NTFSInfo
- PipeList
- PipeList64
- PortMon
- ProcDump
- ProcDump64
- Process Explorer
- Process Explorer64
- Process Monitor
- PsExec
- PsExec64
- PsFile
- PsFile64
- PsKill
- PsKill64
- PsLoggedon
- PsLoggedon64
- PsLoglist
- PsPasswd
- PsPasswd64
- PsPing
- PsPing64
- PsSuspend
- PsSuspend64
- RAMMap
- RegDelNull
- RegDelNull64
- Registry Usage (RU)
- Registry Usage (RU) 64
- Registry Usage (RU.md)
- Registry Usage (RU.md) 64
- RegJump
- SDelete
- SDelete64
- ShareEnum
- ShellRunas
- Sigcheck
- Sigcheck64
- Streams
- Streams64
- Sync
- Sync64
- Sysmon
- Sysmon64
- TCPVCon
- TCPView
- VMMap
- VolumeId
- VolumeId64
- Whois
- Whois64
- WinObj
- Zoomit
- ACHOIR:
- A-AChoir (x64) BUILDER
- AChoir (x86)
- AChoir (x64)
- A-AChoir (x86)
- A-AChoir (x64)
- OTHER TOOLS:
- EDD Encrypted Disk Detector
- Crowdresponse
- CyLR (x86)
- CyLR (x64)
- DFIRTriage
- FastIR Collector (x86)
- FastIR Collector (x64)
- FieldSearch
- Gkape
- IREC
- RtCA (x86)
- RtCA (x64)
- tr3secure
- tr3secure-user
- Windows Live Response Collection
- Inside Clipboard
- PC On/OFF Time
- TurnedOnTimesView
- 7-zip (x86)
- CamStudio Portable
- Don’t Sleep (x86)
- Free Virtual Keyboard
- Flogg
- MouseJiggle
- HxD Hex Editor (x86)
- HxD Hex Editor (x64)
- Notepad++
- Swiss File Knife
- TimeZonesView
LIVE IR
UTILITIES
ARTIFACTS ANALYSIS
- BROWSER:
- BrowsingHistoryView
- BrowsingHistoryView x64
- ChromeCacheView
- ChromeCookiesView
- ChromeHistoryView
- EdgeCookiesView
- FBCacheView
- FirefoxDownloadsView
- FlashCookiesView
- IECacheView
- IECookiesView
- IEHistoryView
- ImageCacheViewer
- MyLastSearch
- MZCacheView
- MZCookiesView
- MZCookiesView x64
- MZHistoryView
- MZHistoryView x64
- OperaCacheView
- SafariCacheView
- VideoCacheView
- VideoCacheView x64
- WebCacheImageInfo
- CHAT:
- LiveContactsView
- SkypeContactsView
- SkypeLogView
- EMAIL:
- OutlookAddressBookView
- OutlookAttachView
- OutlookAddressBookView x64
- OutlookAttachView x64
- OutlookStatView
- OutlookStatView x64
- FILE SYSTEM:
- AlternateStreamView
- AlternateStreamView x64
- AltStreamDump
- FoldersReport
- NTFSLinksView
- NTFSLinksView x64
- PreviousFilesRecovery
- PreviousFilesRecovery x64
- ShadowCopyView
- ShadowCopyView x64
- SpecialFoldersView
- SpecialFoldersView x64
- LOG:
- EventLogChannelsView
- EventLogChannelsView x64
- EventLogSourcesView
- EventLogSourcesView x64
- FullEventLogView
- FullEventLogView x64
- MyEventViewer
- MyEventViewer x64
- WinLogOnView
- PASSWORD:
- LaZagne
- Mimikatz (x86)
- Mimikatz (x64)
- REGISTRY:
- EncryptedRegView
- EncryptedRegView x64
- RegDllView
- RegDllView x64
- RegScanner
- RegScanner x64
- ESEDatabaseView
- ExecutedProgramsList
- FavoritesView
- FileTypesMan
- FileTypesMan x64
- HotKeysList
- InstalledCodec
- InstalledCodec x64
- JumpListsView
- LastActivityView
- MUICacheView
- OpenedFilesView
- OpenedFilesView x64
- OpenSaveFilesView
- OpenSaveFilesView x64
- RecentFilesView
- ShellBagsView
- ShellExView
- ShortcutsMan
- ShortcutsMan x64
- URLProtocolView
- USB Forensic Tracker (x86)
- USB Forensic Tracker (x64)
- USBDeview
- USBDeview x64
- USBLogView
- UserAssistView
- UserProfilesView
- WinPrefetchView
- WinPrefetchView x64
- DNSQuerySniffer
- DNSQuerySniffer x64
- HTTPNetworkSniffer
- HTTPNetworkSniffer x64
- SmartSniff
- SocketSniff
- WebCookiesSniffer
- WebCookiesSniffer x64
- WebSiteSniffer
- WebSiteSniffer x64
- WhoisConnectedSniffer
- WhoisConnectedSniffer x64
- BluetoothCL
- BluetoothLogView
- BluetoothView
- WifiHistoryView
- WifiInfoView
- WirelessNetworkWatcher
- WirelessConnectionInfo
- WirelessKeyDump
- WirelessKeyDump x64
- WirelessKeyView
- WirelessKeyView x64
- WirelessNetConsole
- WirelessNetView
- AdapterWatch
- AppNetworkCounter
- AppNetworkCounter x64
- AppReadWriteCounter
- AppReadWriteCounter x64
- CurrPorts
- CurrPorts x64
- LiveTcpUdpWatch
- LiveTcpUdpWatch x64
- MACAddressView
- NetBScanner
- NetResView
- NetRouteView
- NetworkCountersWatch
- NetworkInterfacesView
- NetworkOpenedFiles
- NetworkOpenedFiles x64
- Network TrafficView
- Network TrafficView x64
- TcpLogView
- TcpLogView x64
- NIRSOFT:
- BulletsPassView
- BulletsPassView x64
- ChromePass
- CredentialsFileView
- CredentialsFileView x64
- DataProtectionDecryptor
- DataProtectionDecryptor x64
- Dialupass
- IE PassView
- LSASecretsDump
- LSASecretsDump x64
- LSASecretsView
- LSASecretsView x64
- Mail PassView
- MessenPass
- Network Password Recovery
- Network Password Recovery x64
- OperaPassView
- Password Security Scanner
- Password Fox
- Password Fox x64
- Protected Storage PassView
- PstPassword
- Remote Desktop Passview
- RouterPassView
- SniffPass
- SniffPass x64
- VaultPasswordView
- VaultPasswordView x64
- VNCPassView
- WebBrowserPassView
- SecurityXploded:
- AllInOnePasswordDecoder
- AsteriskPasswordSpy
- BrowserPasswordDecryptor
- BrowserPasswordDump
- DownloadMgrPasswordRecovery
- EmailPasswordDump
- FacebookPasswordDecryptor
- FacebookPasswordDump
- FTPPasswordDecryptor
- FTPPasswordDump
- FTPPasswordKracker
- GmailPasswordDump
- GooglePasswordDecryptor
- IMPasswordDump
- InstantPDFPasswordProtector
- InstantPDFPasswordRemover
- LDAPPasswordKracker
- MailPasswordDecryptor
- MessengerPasswordDecryptor
- MysqlPasswordAuditor
- NetworkPasswordDecryptor32
- NetworkPasswordDecryptor64
- NetworkPasswordDump32
- NetworkPasswordDump64
- OraclePasswordAuditor
- RouterPasswordAuditor
- RouterPasswordKracker
- SecurePasswordGenerator
- SkypePasswordRecovery
- SocialPasswordDecryptor
- VNCPasswordRecovery
- WiFiPasswordDecryptor
- WiFiPasswordDump
- WiFiPasswordKeyGenerator
- WindowsPasswordKracker
- STERJO:
- BrowserPasswords
- ChromeHistory
- ChromePasswords
- DecryptFileZilla
- EdgePasswords
- FirefoxPasswords
- IEPasswords
- InstagramPassword
- MailPasswords
- OperaPasswords
- PwdUnmask
- TwitterPassword
- WiFiPasswords
- WinCred
- WinVault
NETWORK
WIFI / BLUETOOTH
OTHER TOOLS