DC3 Tools
DC3 offers a number of open source and CUI tools and validations.
Open source tools are available on GitHub and SourceForge.

CUI tools and validations for U.S. DoD and Federal law enforcement and counterintelligence (LE/CI)
can be obtained by authorized personnel with a CAC or PIV through the DC3 Customer Portal.
All others should contact: DC3.XT.Info@us.af.mil.



DC3 Advanced Carver v1.5.1

DC3 Advanced Carver (DC3AC) is an advanced content carving tool built for speed, accuracy, and extensibility (patent no. US10853177B2). It uses advanced algorithms to salvage content that other tools are not capable of recovering.

It can recover complete files and repair fragments for multiple file formats to increase the amount of salvaged content that can be viewed. DC3AC will carve from any data it is fed, including unallocated space, memory dumps, page files, whole disk images, and damaged files in need of repair.

 Validation Available
 Last Updated: 2024-03-19

DC3 DD v7.3.1

Inspired by GNU dd, this program has several features specialized for forensic imaging.

Highlights include: input hashing, split output files, multiple output files, a progress indicator, image verification through hashing, and detailed logging.

 Last Updated: 2023-04-25

DC3 EFDetect v4.3.1

EFDetect is a tool for the detection of encrypted data. EFDetect recursively searches drives and directories for files in various encrypted formats.

Supported formats include, but are not limited to: TrueCrypt, TCSteg, TCSTEG v2, DriveCrypt, Steganos, MS Office, PDF, 7-zip, ZIP, WinRAR, EFS, and Video Padlock.

 Validation Available
 Last Updated: 2024-01-09

Tool Name Version Last Updated Classification Validation Description
AScan 5.0 2012-07-06 UNCLASSIFIED//FOUO YES AScan looks for evidence of peer to peer (P2P) application use on personal computers/devices and provides the results in an easy to read web format. AScan helps investigators determine if P2P file sharing applications such as Limewire, Frostwire, Bearshare, Ares Galaxy, and Vuze were used to exchange information or to facilitate unauthorized activities on a computer. This information can assist with gaining insight into adversary activities and possibly lead to attribution.
DC3 iPhone Analyzer 2.0.753 2013-01-18 UNCLASSIFIED//FOUO NO The iPhone Analyzer extracts all forensically relevant data from a physical image (or iTunes backup) of an iPod, iPhone, iTouch, or an iPad. Data can include call logs, contacts, text messages, emails, pictures, keyboard logs, position data, etc.
DC3 Triage 2010-12-22 UNCLASSIFIED//FOUO YES DC3 Triage is a tool that provides agents with a fast, cursory view of pictures, movie videos, chat messages, emails, shared files, web history, web searches, system information, and other user information extracted from a hard drive or mounted image.  DC3 Triage has a user-friendly interface, which provides a better user experience over command line interfaces.  With the assistance of the graphic user interface (GUI), the user can take a quick look at the media information on the drive, which allows the examiner to determine whether a full forensic examination should occur. 
DC3_CV *Not Available UNCLASSIFIED//FOUO YES DC3_CV is used to expedite the time an examiner spends sifting through large directories of image files.  With DC3_CV, examiners can use pre-trained data sets or easily create custom datasets of a person of interest. Using these datasets, DC3_CV finds potential matches automatically and presents the findings in a built-in viewer. DC3_CV can be run via a graphical user interface or a command line.
DC3Carver 5.7 2015-08-20 UNCLASSIFIED//FOUO NO DC3Carver can be used to carve data from many types of disk space, including free space, swap (paging) files, memory dumps, slack space, and dd images. To use DC3Carver to carve these types of disk space, the examiner must first use a forensic tool to create an image file or set of files that represent the drive space.
DFIT 0.7 *Not Available UNCLASSIFIED//FOUO NO DFIT is a tool that leverages fuzzy hashing to look for files on a live computer which are either the same, or similar to, a given set of signature files. The tool uses a modified fuzzy hashing algorithm to find similar, but not necessarily identical data within files on the system.
DMAT 2010-08-26 UNCLASSIFIED//FOUO NO DMAT is a tool developed in C# to analyze memory images of 32-bit systems.  The tool is a GUI front end to Volatility (a command line memory analysis tool).  The tool also generates automated HTML reports of artifacts it can extract from the memory snapshots.  A regular expression feature is also included to allow examiners to save to disk unpacked/decrypted malware binaries, which were running in memory.  These de-obfuscated forms of malware are easier for malware analysts and reverse engineers to analyze, since no effort is needed to identify how to manually unpack these specimens.
FatBack 1.3 *Not Available UNCLASSIFIED//FOUO NO FatBack recovers deleted files from FAT12, FAT16, and FAT32 file systems. Unlike other recovery tools it runs on Linux and provides a powerful interactive mode similar to a Unix shell. Deleted files can be recovered recursively to another drive with simple one command line statements. FatBack creates a nested directory structure similar to the SUBJECT drive. Other features include logging, recovery of long file names, and recovery of hidden partitions.
FED - File Extension Dump 1.2 2004-08-12 UNCLASSIFIED//FOUO NO FED is a software tool designed for cyber-investigative field use. It can search a specified drive and copy all files that match extensions chosen by the user to another device.
File Signature Translation Utility 1 *Not Available UNCLASSIFIED//FOUO NO File Signature Translation Utility converts file signature text files to and from various formats, such that a file signature baseline can be created and maintained by FileSig Manager.
GPX Data Converter 1 *Not Available UNCLASSIFIED//FOUO NO The Garmin Nuvi GPS receiver stores its way-point and track-point data in a .gpx file format. This format is a standardized XML file format that is not compatible with common mapping tools like Microsoft MapPoint 2009. GPX Data Converter allows the user to convert a .gpx file to a .txt or .tab file that can be used with common mapping software.
HumanDetect 2.0 2007-03-02 UNCLASSIFIED//FOUO NO HumanDetect was designed to reduce the amount of time required for examiners to conduct forensic image analysis, provide intelligent data reduction capabilities, run case data in an automated fashion while indexing images, categorize and sort images based on the presence of people, and output an XML file for further examination as part of the FDE process.
IPFind 0.6 *Not Available UNCLASSIFIED//FOUO NO IPFind is a command-line tool that recursively locates all instances of Internet Protocol (IP) addresses within a target logical directory. It can generate a CSV or XML file detailing its findings.
Kazaa DatView & DBBView  2.1 *Not Available UNCLASSIFIED//FOUO YES These two tools extract and decode information from Kazaa .dat and .dbb files. Dat files contain information about partially downloaded files. DBB files contain information about completed downloads.
Meta-X Image Metadata Extractor 3 *Not Available UNCLASSIFIED//FOUO NO Meta-X Image Metadata Extractor extracts metadata from image files, including JPEG, GIF, BMP, TIF, and more. Metadata can include information about author, digital camera, editing software, and timestamps.
Modified mkisofs 1.12.1 *Not Available UNCLASSIFIED//FOUO NO MKISOFS is a UNIX program for mastering CDROM images. In the standard version of MKISOFS if you tell MKISOFS to make an image file out of 4gb of data it will produce a single 4gb image. This is not desirable because that image will not fit onto a standard CDROM. This enhanced version of MKISOFS has the ability to take the 4gb file system and produce multiple smaller images that are ready to be burned to CDs.
PCAPFAST 2.0.783 2011-08-19 UNCLASSIFIED//FOUO NO PCAPFAST is designed to process data contained in packet capture (PCAP) files conforming to the libpcap format.  The tool provides examiners and analysts with the capability to run queries and reports on captured network traffic. This capability is provided through three distinct tools: 1) PCAPIndex, 2) PCAPReport, and 3) PCAPExtract. PCAPIndex processes the PCAP file and extracts all data into a SQLite database. PCAPReport produces standard reports from the SQLite database detailing the sessions and associated data found within the network stream.  PCAPExtract provides for custom queries against the SQLite database to perform more refined analysis of data within the network stream.  PCAPFAST 2.0 will only process IPv4 packets.
PDFinder 1.0 *Not Available UNCLASSIFIED//FOUO YES PDFinder Reads and displays information about artifacts contained in Adobe PDF files. This tool scans a given file or directory and identifies PDFs inside, and then scans the individual files and outputs a report based on the metadata of any artifacts contained inside.
REcat 1.0.6 2011-09-13 UNCLASSIFIED//FOUO YES REcat is a command line utility for controlling a socket. The tool is essentially a dynamic version of the netcat tool, which can be used for protocol reverse engineering.
Shadow Volume Link Manager 1.0 *Not Available UNCLASSIFIED//FOUO YES Shadow Volume Link Manager is a software tool for finding data maintained by the Microsoft Volume Shadow Copy Service found in Windows Vista and Windows 7. Shadow volumes have been used to hide data.
StegCarver 5.7 2011-07-20 UNCLASSIFIED//FOUO YES StegCarver is a general purpose forensic carving tool with many specialized features. In addition to carving such items as videos, pictures, text, html files, web pages, PDFs, MS Office files, source code, Zips, Rars, and base64 files, it is able to identify files containing foreign language material and carves for steganography, MFT records (in RAM dumps), and inverted data. It is also able to reconstruct many types of fragmented files and is able to use DCCI-developed regular expressions to identify the location of both standard and inverted URLs, IPs, Email addresses, and phone numbers. (Other data types can be identified using custom regular expressions created by examiners.) The program also provides examiners with the ability to extract unique data types using custom headers and footers.
Video Validator 2.0 2015-08-13 UNCLASSIFIED//FOUO YES Video Validator validates carved videos and carved video fragments. Those that are identified as unplayable are discarded, reducing the number of video files that have to be examined. The program also provides the capability to storyboard all videos and video fragments that are contained in a single directory.
Yahoo! IMLook 2.1 2011-11-16 UNCLASSIFIED//FOUO YES IMLook v2.1 decrypts the Yahoo Messenger instant messaging client's log files. The files created during a chat session cannot be opened with local Windows programs because of their special file format and encryption for security protection. Contact lists, passwords and credentials are just some of the information saved during instant message conversations. IMLook 2.1 can open and read the files making the contents available for viewing or exporting.