Eliminate Blind Spots in Digital Forensics

Exploit electronic evidence in unique and powerful ways with the full suite of Arsenal tools!

All Arsenal Subscriptions Include All Our Tools

Many Windows®-based disk image mounting solutions mount the contents of disk images as shares or partitions, rather than complete (aka "physical or "real") disks...

The exploitation of Windows hibernation files to “look back in time” and uncover compelling evidence is crucial to digital forensics practitioners...

Registry forensics has long been relegated to analyzing only readily accessible Windows Registries, often one at a time, in a needlessly time-consuming...

HBIN Recon identifies and parses Windows Registry hive bins (hbins) and loose hive bin records from any input.

Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely...

ODC Recon extracts documents and metadata from the Office Document Cache (ODC) by parsing the FSD files contained within each ODC...

LevelDB Recon parses LevelDB files (ldb, log, and sst extensions) more comprehensively and reliably than other tools we have evaluated...

Swap Recon performs brute-force decompression of modern Windows swap.

Product Showcase

ARSENAL IMAGE MOUNTER

Easily Launch Virtual Machines from Disk Images

And much, much more...

  • Mount raw, forensic, and virtual machine disk images as complete (aka "real") disks on Windows

  • Windows authentication and DPAPI bypass within virtual machines

  • Launch a BitLockered Disk Image into a Virtual Machine

  • Launch virtual machines directly from Volume Shadow Copies

Arsenal’s Open Source Digital Forensics Tools

Backstage Parser is a Python tool that can be used to parse the contents of Microsoft Office files found in the “\BackstageinAppNavCache” path.

GITHUB

CyberGate Keylogger Decryption Tool is a Python tool that can be used against CyberGate encrypted keylogger files to decode the cipher text and return the original plaintext that was captured by the Remote Access Trojan (RAT).

GITHUB

Gmail URL Decoder is a Python tool that can be used against plaintext or arbitrary raw data files in order to find, extract, and decode information from Gmail URLs related to both the new and legacy Gmail interfaces.

GITHUB

NetWire Log Decoder is an AutoIt tool that carves and parses (a/k/a scans, filters, and decodes) NetWire log data from files or devices. NetWire versions 1.6 and 1.7, on Windows and Linux, have been tested.

GITHUB

Sdba Parser is an AutoIt tool that carves and parses Sdba memory pool tags (produced by Windows 7) from any input file. Sdba memory pool tags contain executable file paths and NTFS last written timestamps (at time of execution).

GITHUB

NwStacks is an AutoIt tool that assists with NetWire stack analysis. This tool (and other information on its GitHub project) is associated with the article "Forensic Analysis of the NetWire Stack" in Digital Forensics Magazine Issue 52.

GITHUB

Pricing & Plans

Each of our subscription options includes access to all the Arsenal tools, both those that exist now and those we release while the subscription is active! Pick the subscription that works for you without the hassle of maintenance fees.

1 Year Plan
$756
~ $63/mo | Save 3%
    • Email Support

    • Purchase Annually

    • Locked-in Discount

3 Year Plan

$2,129

~ $59/mo | Save 9%

5 Year Plan

$3,315

~ $55/mo | Save 15%

Prices shown in USD and without tax.

Join the List

Arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.