Eliminate Blind Spots in Digital Forensics

Exploit electronic evidence in unique and powerful ways with the full suite of Arsenal tools!

All Arsenal Subscriptions Include All Our Tools

Arsenal Image Mounter Arsenal Image Mounter

Many Windows®-based disk image mounting solutions mount the contents of disk images as shares or partitions, rather than complete (aka "physical or "real") disks...

Hibernation Recon Hibernation Recon

The exploitation of Windows hibernation files to “look back in time” and uncover compelling evidence is crucial to digital forensics practitioners...

Registry Recon Registry Recon

Registry forensics has long been relegated to analyzing only readily accessible Windows Registries, often one at a time, in a needlessly time-consuming...

HBIN Recon HBIN Recon

HBIN Recon identifies and parses Windows Registry hive bins (hbins) from any input. Hive bins are essentially the building blocks of Registry...

Hive Recon Hive Recon

Hive Recon extracts Registry hives from Windows hibernation and crash dump files, often extracting hives when other solutions have completely...

ODC Recon ODC Recon

ODC Recon extracts documents and metadata from the Office Document Cache (ODC) by parsing the FSD files contained within each ODC...

LevelDB Recon LevelDB Recon

LevelDB Recon parses LevelDB files (ldb, log, and sst extensions) more comprehensively and reliably than other tools we have evaluated...

Buy Now
Product Showcase

ARSENAL IMAGE MOUNTER

Easily Launch Virtual Machines from Disk Images

And much, much more...

  • Mount raw, forensic, and virtual machine disk images as complete (aka "real") disks on Windows

  • Windows authentication and DPAPI bypass within virtual machines

  • Launch a BitLockered Disk Image into a Virtual Machine

  • Launch virtual machines directly from Volume Shadow Copies

Tour Arsenal Image Mounter
Buy Now

Arsenal’s Open Source Digital Forensics Tools

Backstage Parser

Backstage Parser is a Python tool that can be used to parse the contents of Microsoft Office files found in the “\BackstageinAppNavCache” path.

GITHUB
Cybergate Log Decrypt

CyberGate Keylogger Decryption Tool is a Python tool that can be used against CyberGate encrypted keylogger files to decode the cipher text and return the original plaintext that was captured by the Remote Access Trojan (RAT).

GITHUB
Gmail URL Decoder

Gmail URL Decoder is a Python tool that can be used against plaintext or arbitrary raw data files in order to find, extract, and decode information from Gmail URLs related to both the new and legacy Gmail interfaces.

GITHUB
NetWire Log Decoder

NetWire Log Decoder is an AutoIt tool that carves and parses (a/k/a scans, filters, and decodes) NetWire log data from files or devices. NetWire versions 1.6 and 1.7, on Windows and Linux, have been tested.

GITHUB
Sdba Parser

Sdba Parser is an AutoIt tool that carves and parses Sdba memory pool tags (produced by Windows 7) from any input file. Sdba memory pool tags contain executable file paths and NTFS last written timestamps (at time of execution).

GITHUB
NwStacks

NwStacks is an AutoIt tool that assists with NetWire stack analysis. This tool (and other information on its GitHub project) is associated with the article "Forensic Analysis of the NetWire Stack" in Digital Forensics Magazine Issue 52.

GITHUB

Pricing & Plans

Each of our subscription options includes access to all the Arsenal tools, both those that exist now and those we release while the subscription is active! Pick the subscription that works for you without the hassle of maintenance fees.

1 Year Plan
$756
~ $63/mo | Save 3%

    • Email Support

    • Renew Annually

    • Locked-in Discount

Buy Now

3 Year Plan

$2,129

~ $59/mo | Save 9%

5 Year Plan

$3,315

~ $55/mo | Save 15%

View Pricing & Plan Details
Prices shown in USD and without tax.

Join the List

Arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.