CTFs and Challenges

• Champlain College DFIR CTF
• CyberDefenders
• Forensics CTFs
• MalwareTech Challenges
• MalwareTraffic Analysis
• Precision Widgets of North Dakota Intrusion
• MagnetForensics CTF Challenge
• MemLabs

Steganography

• Forensic challenges - Mindmap of forensic challenges
• OpenLearn - Digital forensic course

Labs

• Android Security
• AppSec
• CTFs
• Hacking
• Honeypots
• Incident-Response
• Malware Analysis
• Security
• Infosec
• Pentesting
• Social Engineering
• YARA

Blogs

• FlashbackData
• Netresec
• roDigitalForensics
• SANS Forensics Blog
• Zena Forensics

Books

• The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory
• The Practice of Network Security Monitoring - Understanding Incident Detection and Response
• Recommended Readings
• Network Forensics: Tracking Hackers through Cyberspace - Learn to recognize hackers’ tracks and uncover network-based evidence

File System Corpora

• Digital Forensic Challenge Images - Two DFIR challenges with images
• Digital Forensics Tool Testing Images
• Hacking Case (4.5 GB NTFS Image)
• The CFReDS Project

Labs

• BlueTeam.Lab - Blue Team detection lab created with Terraform and Ansible in Azure.

Other

• /r/computerforensics/ - Subreddit for computer forensics
• ForensicPosters - Posters of file system structures

Twitter

• @4n6ist
• @aheadless
• @AppleExaminer - Apple OS X & iOS Digital Forensics
• @carrier4n6 - Brian Carrier, author of Autopsy and the Sleuth Kit
• @CindyMurph - Detective & Digital Forensic Examiner
• @forensikblog - Computer forensic geek
• @HECFBlog - SANS Certified Instructor
• @Hexacorn - DFIR+Malware
• @hiddenillusion
• @iamevltwin - Mac Nerd, Forensic Analyst, Author & Instructor of SANS FOR518
• @jaredcatkinson - PowerShell Forensics
• @maridegrazia - Computer Forensics Examiner
• @sleuthkit
• @williballenthin
• @XWaysGuide
• @inginformatico - DFIR analyst and enthusiast
• @Belkasoft
• @blackbagtech
• @iamevltwin - Mac Nerd, Forensic Analyst, Author & Instructor of SANS FOR518
• @jaredcatkinson - PowerShell Forensics
• @Hexacorn - DFIR+Malware
• @hiddenillusion

Web

• ForensicsFocus
• Insecstitute Resources

Acquisition

• Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
• CrowdResponse - A static host data collection tool by CrowdStrike
• DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
• Magnet RAM Capture - A free imaging tool designed to capture the physical memory
• WinTriage - Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges and recommended to be done from an external drive.
• artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
• ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
• AVML - A portable volatile memory acquisition tool for Linux
• FastIR Collector - Collect artifacts on windows
• LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
• unix_collector - A live forensic collection script for UNIX-like systems as a single script.
• Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
• FireEye Memoryze - A free memory forensic software

Carving

• photorec - File carving tool
• bstrings - Improved strings utility
• bulk_extractor - Extracts information such as email addresses, creditcard numbers and histrograms from disk images
• floss - Static analysis tool to automatically deobfuscate strings from malware binaries
• swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.

Decryption

• hashcat - Fast password cracker with GPU support
• John the Ripper - Password cracker

Disk image handling

• xmount - Convert between different disk image formats
• Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
• imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
• libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
• PancakeViewer - Disk image viewer based in dfvfs, similar to the FTK Imager viewer

Distributions

• Remnux - Distro for reverse-engineering and analyzing malicious software
• Tsurugi Linux - Linux distribution for forensic analysis
• WinFE - Windows Forensics enviroment
• bitscout - LiveCD/LiveUSB for remote forensic acquisition and analysis
• SANS Investigative Forensics Toolkit (sift) - Linux distribution for forensic analysis

Docker Forensics

• dof (Docker Forensics Toolkit) - Extracts and interprets forensic artifacts from disk images of Docker Host systems
• Docker Explorer

Frameworks

• Autopsy - SleuthKit GUI
• dff - Forensic framework
• dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
• hashlookup-forensic-analyser - A tool to analyse files from a forensic acquisition to find known/unknown hashes from [hashlookup](https://www.circl.lu/services/hashlookup/) API or using a local Bloom filter.
• IntelMQ - IntelMQ collects and processes security feeds
• Kuiper - Digital Investigation Platform
• Laika BOSS - Laika is an object scanner and intrusion detection system
• PowerForensics - PowerForensics is a framework for live disk forensic analysis
• The Sleuth Kit - Tools for low level forensic analysis
• turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
• IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations
• Wombat Forensics - Forensic GUI tool
• Autopsy - SleuthKit GUI

Imaging

• dc3dd - Improved version of dd
• Guymager - Open source version for disk imageing on linux systems
• FTK Imager - Free imageing tool for windows
• dcfldd - Different improved version of dd (this version has some bugs!, another version is on github [adulau/dcfldd](https://github.com/adulau/dcfldd))

Internet Artifacts

• ChromeCacheView - A small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
• chrome-url-dumper - Dump all local stored infromation collected by Chrome
• hindsight - Internet history forensics for Google Chrome/Chromium
• unfurl - Extract and visualize data from URLs

IOC Scanner

• THOR Lite - Free IOC and YARA Scanner
• Fastfinder - Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules
• Fenrir - Simple Bash IOC Scanner
• Loki - Simple IOC and Incident Response Scanner

Live Forensics

• grr - GRR Rapid Response: remote live forensics for incident response
• Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
• mig - Distributed & real time digital forensics at the speed of the cloud
• osquery - SQL powered operating system analytics
• POFR - The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System.
• UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.

Management

• dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
• Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads

Memory Forensics

• inVtero.net - High speed memory analysis framework
• KeeFarce - Extract KeePass passwords from memory
• MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
• Rekall - Memory Forensic Framework
• volatility - The memory forensic framework
• VolUtility - Web App for Volatility framework

Metadata Forensics

• ExifTool
• FOCA - FOCA is a tool used mainly to find metadata and hidden information in the documents

Mobile Forensics

• ArtEx - Artifact Examiner for iOS Full File System extractions
• Andriller - A software utility with a collection of forensic tools for smartphones
• ALEAPP - An Android Logs Events and Protobuf Parser
• iLEAPP - An iOS Logs, Events, And Plists Parser
• iOS Frequent Locations Dumper - Dump the contents of the StateModel#.archive files located in /private/var/mobile/Library/Caches/com.apple.routined/
• MEAT - Perform different kinds of acquisitions on iOS devices
• MobSF - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
• OpenBackupExtractor - An app for extracting data from iPhone and iPad backups.

Network Forensics

• WireShark - A network protocol analyzer
• NetworkMiner - Network Forensic Analysis Tool
• Kismet - A passive wireless sniffer

OS X Forensics

• APFS Fuse - A read-only FUSE driver for the new Apple File System
• mac_apt (macOS Artifact Parsing Tool) - Extracts forensic artifacts from disk images or live machines
• MacLocationsScraper - Dump the contents of the location database files on iOS and macOS
• macMRUParser - Python script to parse the Most Recently Used (MRU) plist files on macOS into a more human friendly format
• OSXAuditor
• OSX Collect

Picture Analysis

• Ghiro - A fully automated tool designed to run forensics analysis over a massive amount of images
• sherloq - An open-source digital photographic image forensic toolset

Steganography

• Wavsteg - is a steganography program that hides data in various kinds of image and audio files
• Zsteg - A steganographic coder for WAV files
• Steghide - is a steganography program that hides data in various kinds of image and audio files

Timeline Analysis

• Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
• DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
• plaso - Extract timestamps from various files and aggregate them
• timeliner - A rewrite of mactime, a bodyfile reader
• timesketch - Collaborative forensic timeline analysis

Windows Artifacts

• FRED - Cross-platform microsoft registry hive editor
• LastActivityView - LastActivityView by Nirsoftis a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer.
• MFT-Parsers - Comparison of MFT-Parsers
• MFTEcmd - MFT Parser by Eric Zimmerman
• Beagle - Transform data sources and logs into graphs
• LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
• python-evt - Pure Python parser for classic Windows Event Log files (.evt)
• RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis
• RegRippy - A framework for reading and extracting useful forensics data from Windows registry hives
• MFTExtractor - MFT-Parser
• MFT-Parsers - Comparison of MFT-Parsers
• NTFS journal parser
• NTFS USN Journal parser
• RecuperaBit - Reconstruct and recover NTFS data
• python-ntfs - NTFS analysis

• Forensics tools on Wikipedia
• Eric Zimmerman's Tools