Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-forensics
A curated list of awesome forensic analysis tools and resources
https://github.com/Cugu/awesome-forensics
Last synced: 1 day ago
JSON representation
-
Collections
- AboutDFIR – The Definitive Compendium Project - Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges and more
- ForensicArtifacts.com Artifact Repository - Machine-readable knowledge base of forensic artifacts
-
Tools
-
Distributions
- Remnux - Distro for reverse-engineering and analyzing malicious software
- Tsurugi Linux - Linux distribution for forensic analysis
- WinFE - Windows Forensics enviroment
- bitscout - LiveCD/LiveUSB for remote forensic acquisition and analysis
- SANS Investigative Forensics Toolkit (sift) - Linux distribution for forensic analysis
-
Frameworks
- Autopsy - SleuthKit GUI
- dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
- dff - Forensic framework
- Dissect - Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).
- hashlookup-forensic-analyser - A tool to analyse files from a forensic acquisition to find known/unknown hashes from [hashlookup](https://www.circl.lu/services/hashlookup/) API or using a local Bloom filter.
- IntelMQ - IntelMQ collects and processes security feeds
- Kuiper - Digital Investigation Platform
- Laika BOSS - Laika is an object scanner and intrusion detection system
- PowerForensics - PowerForensics is a framework for live disk forensic analysis
- TAPIR - TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework
- The Sleuth Kit - Tools for low level forensic analysis
- turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
- IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations
- Wombat Forensics - Forensic GUI tool
-
IOC Scanner
- Redline - Free endpoint security tool from FireEye
- THOR Lite - Free IOC and YARA Scanner
- Fastfinder - Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules
- Fenrir - Simple Bash IOC Scanner
- Loki - Simple IOC and Incident Response Scanner
- recon - Performance oriented file finder with support for SQL querying, index and analyze file metadata with support for YARA.
-
Acquisition
- Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
- CrowdResponse - A static host data collection tool by CrowdStrike
- DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
- FireEye Memoryze - A free memory forensic software
- WinTriage - Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges and recommended to be done from an external drive.
- Acquire - Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container
- artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
- ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
- AVML - A portable volatile memory acquisition tool for Linux
- FastIR Collector - Collect artifacts on windows
- FIT - Forensic acquisition of web pages, emails, social media, etc.
- ForensicMiner - A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines.
- LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
- SPECTR3 - Acquire, triage and investigate remote evidence via portable iSCSI readonly access
- unix_collector - A live forensic collection script for UNIX-like systems as a single script.
- Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
- Magnet RAM Capture / DumpIt - A free imaging tool designed to capture the physical memory
-
Imaging
- dc3dd - Improved version of dd
- dcfldd - Different improved version of dd (this version has some bugs!, another version is on github [adulau/dcfldd](https://github.com/adulau/dcfldd))
- FTK Imager - Free imageing tool for windows
- Guymager - Open source version for disk imageing on linux systems
-
Carving
- photorec - File carving tool
- bstrings - Improved strings utility
- bulk_extractor - Extracts information such as email addresses, creditcard numbers and histrograms from disk images
- floss - Static analysis tool to automatically deobfuscate strings from malware binaries
- swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.
-
Network Forensics
- Squey - Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data.
- WireShark - A network protocol analyzer
- Kismet - A passive wireless sniffer
- NetworkMiner - Network Forensic Analysis Tool
-
Windows Artifacts
- FRED - Cross-platform microsoft registry hive editor
- LastActivityView - LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer.
- MFT-Parsers - Comparison of MFT-Parsers
- MFTEcmd - MFT Parser by Eric Zimmerman
- Beagle - Transform data sources and logs into graphs
- Blauhaunt - A tool collection for filtering and visualizing logon events
- Hayabusa - A a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
- LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
- PyShadow - A library for Windows to read shadow copies, delete shadow copies, create symbolic links to shadow copies, and create shadow copies
- python-evt - Pure Python parser for classic Windows Event Log files (.evt)
- RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
- RegRippy - A framework for reading and extracting useful forensics data from Windows registry hives
- MFTExtractor - MFT-Parser
- MFTMactime - MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dump all resident files in the MFT in their original folder structure and run yara rules over them all.
-
Mobile Forensics
- ArtEx - Artifact Examiner for iOS Full File System extractions
-
Internet Artifacts
- ChromeCacheView - A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
-
Timeline Analysis
- Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
-
Disk image handling
- xmount - Convert between different disk image formats
-
Decryption
- hashcat - Fast password cracker with GPU support
- John the Ripper - Password cracker
-
Picture Analysis
- Ghiro - A fully automated tool designed to run forensics analysis over a massive amount of images
-
Metadata Forensics
-
Steganography
-
Live Forensics
- grr - GRR Rapid Response: remote live forensics for incident response
- Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
- mig - Distributed & real time digital forensics at the speed of the cloud
- osquery - SQL powered operating system analytics
- POFR - The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System.
- UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
-
Memory Forensics
- inVtero.net - High speed memory analysis framework
- KeeFarce - Extract KeePass passwords from memory
- MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
- Rekall - Memory Forensic Framework
- volatility - The memory forensic framework
- VolUtility - Web App for Volatility framework
-
Learn Forensics
-
Steganography
- Forensic challenges - Mindmap of forensic challenges
- OpenLearn - Digital forensic course
- Training material - Online training material by European Union Agency for Network and Information Security for different topics (e.g. [Digital forensics](https://www.enisa.europa.eu/topics/training-and-exercises/trainings-for-cybersecurity-specialists/online-training-material/technical-operational#digital_forensics), [Network forensics](https://www.enisa.europa.eu/topics/training-and-exercises/trainings-for-cybersecurity-specialists/online-training-material/technical-operational#network_forensics))
-
CTFs and Challenges
- BelkaCTF - CTFs by Belkasoft
- CyberDefenders
- DefCon CTFs - archive of DEF CON CTF challenges.
- Forensics CTFs
- MalwareTech Challenges
- MalwareTraffic Analysis
- NW3C Chanllenges
- Precision Widgets of North Dakota Intrusion
- ReverseEngineering Challenges
- MagnetForensics CTF Challenge
-
-
Resources
-
Web
-
Blogs
- FlashbackData
- Netresec
- SANS Forensics Blog
- SecurityAffairs - blog by Pierluigi Paganini
- Zena Forensics
- This Week In 4n6 - Weekly updates for forensics
-
Books
- Recommended Readings
- The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory
- The Practice of Network Security Monitoring - Understanding Incident Detection and Response
- Network Forensics: Tracking Hackers through Cyberspace - Learn to recognize hackers’ tracks and uncover network-based evidence
-
File System Corpora
- Digital Forensic Challenge Images - Two DFIR challenges with images
- Digital Forensics Tool Testing Images
- The CFReDS Project
- Hacking Case (4.5 GB NTFS Image)
-
Other
- /r/computerforensics/ - Subreddit for computer forensics
- SANS Posters - Free posters provided by SANS
-
-
Related Awesome Lists
Programming Languages
Sub Categories
Acquisition
17
Frameworks
14
Windows Artifacts
14
CTFs and Challenges
10
Labs
8
Live Forensics
6
IOC Scanner
6
Blogs
6
Memory Forensics
6
Carving
5
Distributions
5
File System Corpora
4
Imaging
4
Books
4
Steganography
4
Network Forensics
4
Web
3
Other
2
Decryption
2
Disk image handling
1
Timeline Analysis
1
Mobile Forensics
1
Metadata Forensics
1
Picture Analysis
1
Internet Artifacts
1
Keywords
dfir
19
security
16
forensics
14
incident-response
11
awesome
6
digital-forensics
6
python
6
awesome-list
5
cybersecurity
5
linux
4
list
4
threat-hunting
3
rust
3
forensic-analysis
3
malware
3
forensics-tools
3
investigation
2
solaris
2
shell
2
script
2
openbsd
2
live-response
2
freebsd
2
computer-forensics
2
intrusion-detection
2
blueteam
2
security-automation
2
ntfs
2
threat
2
ioc
2
incident
2
automation
2
forensics-investigations
2
dfir-automation
2
memory-forensics
2
malware-analysis
2
hacking
2
android
2
windows
2
graph
2
alerts
1
nsrllookup
1
nsrl
1
hashlookup
1
hayabusa
1
hunting
1
logs
1
bloom-filter
1
response
1
dissect
1