Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-incident-response
https://github.com/gold1029/awesome-incident-response
-
IR tools Collection
-
All in one Tools
- Digital Forensics Framework - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professionals and non-experts to quickly and easily conduct digital investigations and perform incident response
- Kolide Fleet - Kolide Fleet is a state of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Kolide delivers fast answers to big questions.
- MIG - Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security
- Osquery - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the *incident-response pack* help you detect and respond to breaches
- Doorman - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness
- Falcon Orchestrator - Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality.
- GRR Rapid Response - GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent
- Limacharlie - an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality
- MozDef - The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers
- nightHawk - the nightHawk Response Platform is an application built for asynchronous forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections.
- Envdb - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location
- Belkasoft Evidence Center - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps
- FIDO - Fully Integrated Defense Operation (FIDO) by Netflix is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them
- CimSweep - CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows
- CIRTkit - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes
-
Books
- Dfir intro - By Scott J. Roberts
-
Communities
- augmentd - Community-driven site providing a list of searches that can be implemented in and executed with a variety of common security tools.
- Sans DFIR mailing list - Mailing list by SANS for DFIR
-
Evidence Collection
- Live Response Collection - The Live Response collection by BriMor Labs is an automated tool that collects volatile data from Windows, OSX, and *nix based operating systems
-
Incident Management
- SCOT - Sandia Cyber Omni Tracker (SCOT) is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user
- Demisto - Demisto community edition (free) offers full Incident lifecycle management, Incident Closure Reports, team assignments and collaboration, and many integrations to enhance automations (like Active Directory, PagerDuty, Jira and much more...)
- Cyphon - Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
-
Linux Distributions
- ADIA - The Appliance for Digital Investigation and Analysis (ADIA) is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.
- DEFT - The Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection
- NST - Network Security Toolkit - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional
- PALADIN - PALADIN is a modified Linux distribution to perform various forensics tasks in a forensically sound manner. It comes with many open source forensics tools included
-
Memory Analysis Tools
- KnTList - Computer memory analysis tools
- Memoryze for Mac - Memoryze for Mac is Memoryze for Macs, though with a lower number of features
- Rekall - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples
- WindowsSCOPE - another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malware. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory
- Responder PRO - Responder PRO is the industry standard physical memory and automated malware analysis solution
-
OSX Evidence Collection
- Knockknock - Displays persistent items (scripts, commands, binaries, etc.) that are set to execute automatically on OSX
-
Other Tools
- Crits - a web-based tool which combines an analytic engine with a cyber threat database
- SearchGiant - a command-line utility to acquire forensic data from cloud services
- Cortex - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.
-
Playbooks
- IR Workflow Gallery - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access, ... Every workflow consists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are available online or for download
- PagerDuty Incident Response Documentation - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs).
-
Process Dump Tools
- Microsoft User Mode Process Dumper - The User Mode Process Dumper (userdump) dumps any running Win32 processes memory image on the fly
- PMDump - PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process
-
Sandboxing/reversing tools
- Cuckoo - Open source, highly configurable sandboxing tool
- Hybrid-Analysis - Hybrid-Analysis is a free, powerful online sandbox by Payload Security
- Malwr - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox
-
Videos
- The Future of Incident Response - Presented by Bruce Schneier at OWASP AppSecUSA 2015
-
Windows Evidence Collection
- Binaryforay - list of free tools for Windows forensics (http://binaryforay.blogspot.co.il/)
- Fidelis ThreatScanner - Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only.
- RegRipper - Regripper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis
- TRIAGE-IR - Triage-IR is an IR collector for Windows