Labs

• AppSec
• Security
• CTFs
• Malware Analysis
• Android Security
• Hacking
• Honeypots
• Incident-Response
• Pentesting
• YARA
• Infosec
• Social Engineering

Carving

• photorec - File carving tool
• floss - Static analysis tool to automatically deobfuscate strings from malware binaries
• bulk_extractor - Extracts information such as email addresses, creditcard numbers and histrograms from disk images
• bstrings - Improved strings utility
• swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.

Network Forensics

• WireShark - A network protocol analyzer
• Squey - Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data.
• NetworkMiner - Network Forensic Analysis Tool
• Kismet - A passive wireless sniffer
• RustNet - A cross-platform network monitoring terminal UI providing real-time visibility into network connections

Distributions

• Remnux - Distro for reverse-engineering and analyzing malicious software
• Tsurugi Linux - Linux distribution for forensic analysis
• WinFE - Windows Forensics enviroment
• bitscout - LiveCD/LiveUSB for remote forensic acquisition and analysis
• SANS Investigative Forensics Toolkit (sift) - Linux distribution for forensic analysis

Imaging

• FTK Imager - Free imageing tool for windows
• dcfldd - Different improved version of dd (this version has some bugs!, another version is on github [adulau/dcfldd](https://github.com/adulau/dcfldd))
• dcfldd - Different improved version of dd (this version has some bugs!, another version is on github [adulau/dcfldd](https://github.com/adulau/dcfldd))
• Guymager - Open source version for disk imageing on linux systems
• dc3dd - Improved version of dd
• 4n6pi - Forensic disk imager, designed to run on a Raspberry Pi, powered by libewf
• acquirepi - Successor to 4n6pi, scalable forensic disk imager, designed to run on a Raspberry Pi, powered by libewf

Acquisition

• Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
• CrowdResponse - A static host data collection tool by CrowdStrike
• DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
• FireEye Memoryze - A free memory forensic software
• WinTriage - Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges and recommended to be done from an external drive.
• Magnet RAM Capture / DumpIt - A free imaging tool designed to capture the physical memory
• Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
• AVML - A portable volatile memory acquisition tool for Linux
• LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
• FastIR Collector - Collect artifacts on windows
• artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
• ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
• Acquire - Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
• FIT - Forensic acquisition of web pages, emails, social media, etc.
• ForensicMiner - A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines.
• SPECTR3 - Acquire, triage and investigate remote evidence via portable iSCSI readonly access
• unix_collector - A live forensic collection script for UNIX-like systems as a single script.
• UFADE - Extract files from iOS devices on Linux and MacOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and advanced logical backups.
• ALEX - Extract files from ADB devices on Windows, Linux and MacOS. Mostly a wrapper for adbutils.
• TriageHasher - A flexible hashing tool designed for triage collections on Windows, Linux and MacOS. Only hash files with a given extension and location.
• Hashment - Python forensic tool to analyze, dump, and recover deleted files from YAFFS2 partitions.
• LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD

IOC Scanner

• Redline - Free endpoint security tool from FireEye
• THOR Lite - Free IOC and YARA Scanner
• Fastfinder - Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules
• Loki - Simple IOC and Incident Response Scanner
• Fenrir - Simple Bash IOC Scanner
• recon - Performance oriented file finder with support for SQL querying, index and analyze file metadata with support for YARA.

• Forensics tools on Wikipedia
• Eric Zimmerman's Tools

Frameworks

• Autopsy - SleuthKit GUI
• Dissect - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
• Kuiper - Digital Investigation Platform
• Laika BOSS - Laika is an object scanner and intrusion detection system
• IntelMQ - IntelMQ collects and processes security feeds
• The Sleuth Kit - Tools for low level forensic analysis
• turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
• PowerForensics - PowerForensics is a framework for live disk forensic analysis
• dff - Forensic framework
• dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
• IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations
• hashlookup-forensic-analyser - A tool to analyse files from a forensic acquisition to find known/unknown hashes from [hashlookup](https://www.circl.lu/services/hashlookup/) API or using a local Bloom filter.
• Wombat Forensics - Forensic GUI tool
• TAPIR - TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework
• Autopsy - SleuthKit GUI
• OpenRelik - Forensic platform to store file artifacts and run workflows
• AIFT - AIFT (AI Forensic Triage) parses evidence using dissect and generates AI-assisted forensic reports.

Windows Artifacts

• FRED - Cross-platform microsoft registry hive editor
• LastActivityView - LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer.
• MFT-Parsers - Comparison of MFT-Parsers
• MFTEcmd - MFT Parser by Eric Zimmerman
• Beagle - Transform data sources and logs into graphs
• Hayabusa - A a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
• LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
• NTFSTool - Complete NTFS forensics tool
• RegRippy - A framework for reading and extracting useful forensics data from Windows registry hives
• python-evt - Pure Python parser for classic Windows Event Log files (.evt)
• RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
• MFTExtractor - MFT-Parser
• NTFS USN Journal parser
• RecuperaBit - Reconstruct and recover NTFS data
• python-ntfs - NTFS analysis
• Blauhaunt - A tool collection for filtering and visualizing logon events
• PyShadow - A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies
• MFTMactime - MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dump all resident files in the MFT in their original folder structure and run yara rules over them all.
• MFT-Parsers - Comparison of MFT-Parsers
• NTFS journal parser

Mobile Forensics

• ArtEx - Artifact Examiner for iOS Full File System extractions
• MobSF - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
• Andriller - A software utility with a collection of forensic tools for smartphones
• ALEAPP - An Android Logs Events and Protobuf Parser
• iOS Frequent Locations Dumper - Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
• MEAT - Perform different kinds of acquisitions on iOS devices
• OpenBackupExtractor - An app for extracting data from iPhone and iPad backups.
• iLEAPP - An iOS Logs, Events, And Plists Parser

Internet Artifacts

• ChromeCacheView - A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
• unfurl - Extract and visualize data from URLs
• hindsight - Internet history forensics for Google Chrome/Chromium
• chrome-url-dumper - Dump all local stored infromation collected by Chrome
• IE10Analyzer - This tool can parse normal records and recover deleted records in WebCacheV01.dat.
• WinSearchDBAnalyzer - This tool can parse normal records and recover deleted records in Windows.edb.
• Wayback-Archive - Download complete websites from the Wayback Machine with full asset preservation for offline viewing.

Timeline Analysis

• Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
• timesketch - Collaborative forensic timeline analysis
• DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
• plaso - Extract timestamps from various files and aggregate them
• timeliner - A rewrite of mactime, a bodyfile reader

Disk image handling

• xmount - Convert between different disk image formats
• libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
• Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
• imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
• PancakeViewer - Disk image viewer based in dfvfs, similar to the FTK Imager viewer

Decryption

• hashcat - Fast password cracker with GPU support
• John the Ripper - Password cracker

Picture Analysis

• Ghiro - A fully automated tool designed to run forensics analysis over a massive amount of images
• sherloq - An open-source digital photographic image forensic toolset
• Ghiro - A fully automated tool designed to run forensics analysis over a massive amount of images

Metadata Forensics

• ExifTool
• pdf-parser - Parse and analyze PDF files to extract metadata and identify malicious content
• Metagoofil - Metadata harvester for extracting metadata from public documents
• oletools - Tools to analyze Microsoft OLE2 files and MS Office documents for malware analysis and forensics
• FOCA - FOCA is a tool used mainly to find metadata and hidden information in the documents
• mat2 - Metadata removal tool, supporting a wide range of commonly used file formats
• EXIF Editor - browser, privacy first EXIF Viewer/Editor/Analysis tool (Zero Sign Up). Home to the The EXIF Guide, and The EXIF Quiz.

Steganography

• Sonicvisualizer
• Zsteg - A steganographic coder for WAV files
• Steghide - is a steganography program that hides data in various kinds of image and audio files
• Wavsteg - is a steganography program that hides data in various kinds of image and audio files

Live Forensics

• osquery - SQL powered operating system analytics
• mig - Distributed & real time digital forensics at the speed of the cloud
• grr - GRR Rapid Response: remote live forensics for incident response
• Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
• UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
• POFR - The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System.
• InnerWarden - Security agent with built-in forensic capture (process state, network connections, memory maps, hidden process detection via direct /proc reads)

Docker Forensics

• Docker Explorer
• dof (Docker Forensics Toolkit) - Extracts and interprets forensic artifacts from disk images of Docker Host systems

OS X Forensics

• OSXAuditor
• mac_apt (macOS Artifact Parsing Tool) - Extracts forensic artifacts from disk images or live machines
• APFS Fuse - A read-only FUSE driver for the new Apple File System
• MacLocationsScraper - Dump the contents of the location database files on iOS and macOS
• macMRUParser - Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
• OSX Collect
• OSX Collect

Memory Forensics

• volatility - The memory forensic framework
• inVtero.net - High speed memory analysis framework
• Rekall - Memory Forensic Framework
• MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
• KeeFarce - Extract KeePass passwords from memory
• VolUtility - Web App for Volatility framework

Management

• iris - Collaborative Incident Response platform
• dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
• Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads
• Catalyst - Catalyst is an open source security automation and ticket system

Blogs

• Zena Forensics
• FlashbackData
• Netresec
• SANS Forensics Blog
• SecurityAffairs - blog by Pierluigi Paganini
• This Week In 4n6 - Weekly updates for forensics

Books

• The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory
• Recommended Readings
• Network Forensics: Tracking Hackers through Cyberspace - Learn to recognize hackers’ tracks and uncover network-based evidence
• The Practice of Network Security Monitoring - Understanding Incident Detection and Response
• Recommended Readings

Web

• ForensicsFocus
• SANS Digital Forensics
• Insecstitute Resources
• Forensics StartMe by Stark 4N6
• Forensics StartMe by Stark 4N6

File System Corpora

• Digital Forensic Challenge Images - Two DFIR challenges with images
• Digital Forensics Tool Testing Images
• The CFReDS Project
• Hacking Case (4.5 GB NTFS Image)

Other

• /r/computerforensics/ - Subreddit for computer forensics
• ForensicPosters - Posters of file system structures
• CybersecurityGuide – Digital Forensics Careers - Guide on skills, certs, and career paths in cyber forensics.
• SANS Posters - Free posters provided by SANS

Labs

• BlueTeam.Lab - Blue Team detection lab created with Terraform and Ansible in Azure.

Steganography

• Forensic challenges - Mindmap of forensic challenges
• OpenLearn - Digital forensic course
• Training material - Online training material by European Union Agency for Network and Information Security for different topics (e.g. [Digital forensics](https://www.enisa.europa.eu/topics/training-and-exercises/trainings-for-cybersecurity-specialists/online-training-material/technical-operational#digital_forensics), [Network forensics](https://www.enisa.europa.eu/topics/training-and-exercises/trainings-for-cybersecurity-specialists/online-training-material/technical-operational#network_forensics))

CTFs and Challenges

• BelkaCTF - CTFs by Belkasoft
• CyberDefenders
• DefCon CTFs - archive of DEF CON CTF challenges.
• Forensics CTFs
• MalwareTech Challenges
• MalwareTraffic Analysis
• NW3C Chanllenges
• Precision Widgets of North Dakota Intrusion
• MalwareTech Labs
• MagnetForensics CTF Challenge
• MemLabs